- The most important thing to know today: ACA repeal is not over, not by a long shot. Andy Slavitt lays it out for us here.
- Facebook is blaming their AI for the fact that you can target ads to "Jew Haters" on their platform. On the one hand, between this and other betrayals of privacy, there is a good case for abandoning Facebook entirely. On the other, there is a case that Facebook's problems are just the tip of the iceberg. Remember Total Information Awareness? Do you think that's gone away? Or, on the other hand, do you think that maybe someone at Homeland Security is doing exactly the same analysis that Facebook is, but geared towards rooting out enemies of the state instead of selling advertising?
- Lots of people among my Facebook friends and anti-war buddies supported Trump on the grounds that he would be better for brown people overseas (even if worse for brown people in the United States) than Clinton. This proposition looks silly yet again as Trump tries to do away with Obama-era restrictions on drone strikes.
- Today's award for Best Troll goes to Slashdot user phantomfive for this piece about weakly vs. strongly typed languages, wherein he adds a parting shot, "Does this make you want to avoid Python?" Why is this trolling, you ask? Because the definition of strongly typed is ambiguous and often misunderstood. Python, for example, is considered a strongly typed language, albeit a dynamic one. The resulting thread would make my programming languages professors want to drink to forget.
- If you're going to the H. P. Lovecraft Film Festival in a few weeks, you should know that Liv Rainey-Smith will have screenprints of Shub-Niggurath, Cthulhu, and Krampus for sale. These are not woodblock print originals, but screen prints on wood veneer!
Originally posted by bruce_schneier at Bizarre High-Tech Kidnapping
This is a story of a very high-tech kidnapping:
FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing meta data from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.
The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they used a search warrant to AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they called AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.
The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.
Here's the criminal complaint. It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it.
Originally posted by bruce_schneier at Stagefright Vulnerability in Android Phones
The Stagefright vulnerability for Android phones is a bad one. It's exploitable via a text message (details depend on auto downloading of the particular phone), it runs at an elevated privilege (again, the severity depends on the particular phone -- on some phones it's full privilege), and it's trivial to weaponize. Imagine a worm that infects a phone and then immediately sends a copy of itself to everyone on that phone's contact list.
The worst part of this is that it's an Android exploit, so most phones won't be patched anytime soon -- if ever. (The people who discovered the bug alerted Google in April. Google has sent patches to its phone manufacturer partners, but most of them have not sent the patch to Android phone users.)
Originally posted by bruce_schneier at "Unbreakable" Encryption Almost Certainly Isn't
This headline is provocative: "Human biology inspires 'unbreakable' encryption."
The article is similarly nonsensical:
Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack.
Information can be encrypted with an array of different algorithms, but the question of which method is the most secure is far from trivial. Such algorithms need a "key" to encrypt and decrypt information; the algorithms typically generate their keys using a well-known set of rules that can only admit a very large, but nonetheless finite number of possible keys. This means that in principle, given enough time and computing power, prying eyes can always break the code eventually.
The researchers, led by Dr. Tomislav Stankovski, created an encryption mechanism that can generate a truly unlimited number of keys, which they say vastly increases the security of the communication. To do so, they took inspiration from the anatomy of the human body.
Regularly, someone from outside cryptography -- who has no idea how crypto works -- pops up and says "hey, I can solve their problems." Invariably, they make some trivial encryption scheme because they don't know better.
Remember: anyone can create a cryptosystem that he himself cannot break. And this advice from 15 years ago is still relevant.
Originally posted by bruce_schneier at Mass Surveillance by Eavesdropping on Web Cookies
Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user’s IP address varies. Using simulated browsing profiles, we cluster network traffic by transitively linking shared unique cookies and estimate that for typical users over 90% of web sites with embedded trackers are located in a single connected component. Furthermore, almost half of the most popular web pages will leak a logged-in user’s real-world identity to an eavesdropper in unencrypted traffic. Together, these provide a novel method to link an identified individual to a large fraction of her entire web history. We discuss the privacy consequences of this attack and suggest mitigation strategies.
- Diane Feinstein, ever the advocate for shredding the Constitution to suit her precious morals, is offended, so offended that the American intelligence apparatus would dare spy on Congress. (Spying on other Americans is apparently fine.)
- The NSA is planning on distributing malware to millions of computers — including one near you? — with almost no human oversight.
- Speaking of which, Bruce Schneier just finished posting the last of the known NSA exploits in his "NSA Exploit of the Day" series. Read the whole thing here!
- My favorite new word: зомбоящик, English transliteration Zomboyaschik, or Zombie Box. As in, television set. Think of Fox News, CNN, MSNBC, RT — and apparently Lenta.ru in the near future (Google translation, original in Russian).
- Wherein Kacy Faulconer is informed that she does not in fact know that her children will have chaste courtships. Kids are unpredictable, and tend to do things like develop free will, think for themselves, and create plans of their own.
- The Canadian Women's Hockey Team goalie just signed a contract with a minor league professional team. A "men's" professional team. Let's see how she does.
Actually, no, it doesn't. While goto statements might be a bad idea (PDF), the errant goto is the proximate cause of the problem, not the root cause. The root causes are much more difficult to fix:
- The SSL stack is actually very hard to unit-test thoroughly, and therefore even a proper test wouldn't necessarily have caught this bug.
- Programmers assume that code behaves according to its indentation, but it doesn't (unless it's Python-like). So, even if another coder caught this errant goto, they might have assumed that the errant goto was tied to the previous if statement, and would thus never run.
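An added example in C (constructed here, not Apple's code or the page's) that reproduces the shape of the hazard the two points above describe: the duplicated goto is indented as if it belonged to the preceding if, but it runs unconditionally, so the final check is never evaluated and the function returns success. The step names and the braced version are assumptions; the checks after the block are the kind of unit test the first point says is hard to write for a real SSL stack.

```c
#include <stdio.h>

typedef int err_t;
#define OK           0
#define ERR_BAD_HASH 1

/* Constructed stand-ins for the verification steps; the 'good' flag is
 * a test input that decides whether the step reports success. */
static err_t step_a(int good)     { return good ? OK : ERR_BAD_HASH; }
static err_t step_b(int good)     { return good ? OK : ERR_BAD_HASH; }
static err_t step_final(int good) { return good ? OK : ERR_BAD_HASH; }

/* Buggy shape: the second 'goto fail' looks like part of the if above it,
 * but an if without braces governs one statement only. The duplicate is
 * unconditional, so step_final is dead code and err still holds the OK
 * returned by step_b when the function jumps to fail. */
err_t verify_buggy(int a_ok, int b_ok, int final_ok)
{
    err_t err;

    if ((err = step_a(a_ok)) != OK)
        goto fail;
    if ((err = step_b(b_ok)) != OK)
        goto fail;
        goto fail;   /* errant duplicate: always executes */
    if ((err = step_final(final_ok)) != OK)
        goto fail;

fail:
    return err;
}

/* Hardened shape: braces make the scope of each conditional explicit, so
 * an extra line can no longer silently escape the if it appears to be in. */
err_t verify_fixed(int a_ok, int b_ok, int final_ok)
{
    err_t err;

    if ((err = step_a(a_ok)) != OK) {
        goto fail;
    }
    if ((err = step_b(b_ok)) != OK) {
        goto fail;
    }
    if ((err = step_final(final_ok)) != OK) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Earlier steps pass, final step fails: the buggy version still says OK. */
    printf("buggy: %d (0 = accepted)\n", verify_buggy(1, 1, 0));
    printf("fixed: %d (1 = rejected)\n", verify_fixed(1, 1, 0));
    return 0;
}
```

Building with clang's -Wunreachable-code flags the dead final check in verify_buggy; a unit test that feeds a failing final step, as below, catches it regardless of compiler.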
Apple is deploying patches to fix the problem on iOS devices (iPhones, iPads, certain iPods). They have yet to deploy a patch to OS X, which, as a Mac user, I find personally irritating.
Last year’s breach at Target Corp. flooded underground markets with millions of stolen credit and debit cards. In the days surrounding the breach disclosure, the cards carried unusually high price tags — in large part because few banks had gotten around to canceling any of them yet. Today, two months after the breach, the number of unsold stolen cards that haven’t been cancelled by issuing banks is rapidly shrinking, forcing the miscreants behind this historic heist to unload huge volumes of cards onto underground markets and at cut-rate prices.
Earlier today, the underground card shop Rescator[dot]so moved at least 2.8 million cards stolen from U.S.-based shoppers during the Target breach. This chunk of cards, dubbed “Beaver Cage” by Rescator, was the latest of dozens of batches of cards stolen from Target that have gone on sale at the shop since early December.
The Beaver Cage batch of cards has fallen in price by as much as 70 percent compared to those in “Tortuga,” a huge chunk of several million cards stolen from Target that sold for between $26.60 and $44.80 apiece in the days leading up to Dec. 19 — the day that Target acknowledged a breach. Today, those same cards are now retailing for prices ranging from $8 to $28. The oldest batches of cards stolen in the Target breach – i.e., the first batches of stolen cards sold – are at the top of the legend in the graphic above; the “newer,” albeit less fresh, batches are at the bottom.
The core reason for the price drop appears to be the falling “valid rate” associated with each batch. Cards in the Tortuga base were advertised as “100 percent valid,” meaning that customers who bought ten cards from the store could expect all 10 to work when they went to use them at retailers to purchase high-priced electronics, gift cards and other items that can be quickly resold for cash.
This latest batch of Beaver Cage cards, however, carries only a 60 percent valid rate, meaning that on average customers can expect at least 4 out of every 10 cards they buy to come back declined or canceled by the issuing bank.
The most previous batch of Beaver Cage cards — pushed out by Rescator on Feb. 6 — included nearly 4 million cards stolen from Target and carried a 65 percent valid rate. Prior to Beaver Cage, the Target cards were code-named “Eagle Claw.” On Jan. 29, Rescator debuted 4 million cards bearing the Eagle Claw name and a 70 percent valid rate. The first two batches of Eagle Claw-branded cards — a chunk of 2 million cards — were released on Jan. 21 with a reported 83 percent valid rate.
The same pattern can be observed in another major breach from 2013. Relying on much the same method I used to validate the Target breach, I approached several financial institutions to determine if other batches of cards sold by Rescator’s various shops could be traced to specific breaches in 2013.
Sure enough, it didn’t take long to identify the midsummer 2013 breach at Harbor Freight Tools as the source of at least two major batches (they are called “bases” in the card shops, not batches) of cards sold by Rescator’s shops last year. Beginning in late June 2013, Rescator began selling a base called “Lepid,” moving new batches of Lepid cards onto the market almost every week in chunks of 100,000 cards at a time.
Just as with the Target breach, the Lepid cards initially were advertised as 100 percent valid, and came with a hefty price tag. But by mid-July 2013, the valid rates had begun to dip down to 95 percent, most likely because by that time banks had begun seeing the fraud and canceling cards. A month later, the valid rates were below 75 percent, and by the time the Target breach was disclosed in December, fewer than half of the cards were still active.
In late July, Harbor Freight disclosed a breach of its payment card system that lasted for seven weeks between May 6 and June 30, 2013. The company has not said how many customer cards were stolen, but from the volume of Lepid cards pushed onto Rescator’s shop as well as those from other bases tied to cards all used at Harbor Freight during the breach time frame (including bases “Laurentius” and “Sidonius”), it’s likely to have been several million.
The data from both Target and Harbor Freight Tools raise several questions. For starters, why did the valid rate decline so much faster with the Target cards than with those stolen from Harbor Freight? After all, it took nearly six months for the valid rates on cards stolen from Harbor Freight to reach 50 percent, while we’re already fast approaching that rate with the Target cards just two months after that breach was disclosed. I’m guessing the obvious answer is most likely the correct one: That the Target breach simply received a great deal more attention, both from the media and from card-issuing banks nationwide.
Does this mean the Target and Harbor Freight breaches are connected? I have no idea, although I strongly suspect that Rescator and his merry band of thieves played a key role in both breaches — beyond merely offloading stolen cards. In several instances, Rescator himself referred to Lepid as “our” base, indicating the batch was from a firsthand source.
The analysis of some of the malware used in the Target breach suggests that Rescator may have been directly involved in that attack. I don’t have any such clues from the Harbor Freight breach; the company has not responded to requests for comment, and Mandiant — the forensics firm which was called in to investigate the Harbor Freight breach — declined to comment.
Finally, a number of folks with whom I’ve shared this research wondered why any cards that were suspected as stolen in the breach at Target would not already have been canceled by issuing banks. It’s not clear how accurate Rescator’s valid rates are — certainly Rescator has a vested interest in fudging the numbers.
But assuming the percentages are relatively accurate, many factors could explain why some banks haven’t simply canceled and reissued all cards potentially impacted in the breach. One source I spoke with earlier this year from a fairly large card issuer said his institution still had not reissued at least 40 percent of their cards affected by the Target breach. The source said those cards generally fell into two categories: Cards that had only recently been reissued prior to the Target breach discovery, and those that were expected to naturally reach their expiration dates in the next month or so.
I should note that the above analysis ignores several million non-US cards stolen from Target shoppers and sold under the international “Barbarossa” label (the outlier in orange from the first graphic above), which at one time fetched prices in excess of $120 per card.
Below, we are shown an example of how the NSA has exploited a commonly used firewall appliance.
By the way - if the NSA has this exploit, so does everyone to whom the NSA has divulged the details of this exploit, willingly or unwillingly, officially or unofficially.
Originally posted by bruce_schneier at HALLUXWATER: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog:
(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.
Once installed, HALLUXWATER communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.
HALLUXWATER provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls. The HALLUXWATER back door survives OS upgrades and automatic bootROM upgrades.
Status: (U//FOUO) On the shelf, and has been deployed.
In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.
This one is a big deal politically. For years we have been telling the Chinese not to install hardware back doors into Huawei switches. Meanwhile, we have been doing exactly that. I wouldn't want to have been the State Department employee to receive that phone call.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.
In other words, if you used RSA products and the default random number generator, you basically gave the NSA the keys to your kingdom... not to mention anyone to whom the NSA disclosed this information, willingly or otherwise.
You would do well to dump RSA products and find an open source substitute immediately.
The main feature of LiveJournal, for me, is permanence. I can look back on my LJ going back to when I started it, and it's like reading old diaries and seeing old photos. I can convert my entire LJ to a book (as of now it's over 6000 pages long). John Crow, back when he was using LJ as his primary blogging platform, used to speak about saving each year of FaceBook into a book. The flip side is that I'm accountable for everything I've written unless I restrict my audience. This is why I post my predictions here, in fact; so that people can go back during the year, review them, and judge how I've done. (By "people," I mostly mean "me" right now. Such is life.)
The main feature of SnapChat, meanwhile, is that the photos and videos don't last. They disappear within seconds of being seen from the receiver's screen. SnapChat stories, a new feature being rolled out by the company, have a montage of photos and videos, each of which have a lifetime of 24 hours. It's about the ephemeral, claims the app sales language. Or maybe it's about lack of accountability.
Snapchat's user base is young. Younger than FaceBook's. Therefore, younger than LiveJournal's. And I'm thinking that it's that quality of impermanence, ephemerality, lack of accountability, that appeals most to the younger generation. If so, that speaks to an interesting generation gap.
Edit: Come to think of it, 4chan uses a similar model.
“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.
U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt — which could have potentially put him in jail.
By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”
A week later, prosecutors upped the ante and obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”
With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau was still trying only to capture metadata on one user.
The complete document set can be found here.
So basically, in order to go after one person - and by all indications, that person is Edward Snowden - the FBI demanded the metadata for all Lavabit users, and then eventually demanded the keys to all Lavabit traffic, encrypted or not. In response, Lavabit shut their doors and risked criminal prosecution. I give them ten out of ten for integrity.
It's important not to read too much into this case with respect to the NSA's wiretapping program, by the way. The FBI and NSA are operating by different sets of rules with respect to how they are allowed to gather information, and the NSA in particular has their own secret court to approve their activities. Note, also, that the FBI is using a vacuum cleaner approach to go after one suspect, whereas the NSA is using a vacuum cleaner approach to profile literally everyone.
Dear government developers, at all levels: this is why you talk to your private sector colleagues. There are ways to load test your applications with artificial data, and with live data through beta testing. You're just too lazy to find them before the shit hits the fan, because you mistake your tenure for an excuse to be lazy as opposed to an opportunity to take risks. Hopefully this morning is a counterexample.
Turns out it's a long-running work of performance art (2).
Slashdot has a discussion.
Metaphysics question: what does it mean if a person deliberately fails the Turing test?
This phone has had a massive overhaul inside the case, despite its cosmetic similarity to its predecessor: A new camera, core chipset, motion processing system, even a fingerprint scanner for security and ease of use.
Got that? They just want to store your fingerprints on their device. It's as secure as a passcode because you only leave them around every time you touch something and they're really hard to change. It's good security. Really. Trust them.
- How the War on Drugs shredded the Fourth Amendment long before the War on Terror came along.
- Senator Ron Wyden (D-OR) explains that the surveillance state is absolutely as bad as Snowden says it is.
- "Be Strong, Be Wrong." Five people who did well by being absolutely wrong about the economy.
- Many ways you can tell that male privilege is a real thing. Save this for those who don't think it's so obvious.
- I somehow completely missed that Nate Silver (the statistics geek) is leaving the New York Times for a gig with ESPN. I'm guessing he'll show up on Keith Olbermann's show more than a few times.
- As you may have gathered from this post, I was at OSCON all last weekend. I'll write more on that later. First, I present to you the coolest presentation from last week, below. (This is what I wanted to work on for my doctorate, before depression basically shut me down.)
- Snowden revealed to us that our emails aren't safe from Big Brother. But did you know that they're not safe from Big Oil, either?
- Speaking of which, the US House is set to vote on an Amendment to gut funding for the NSA's data mining program.
- As Detroit declares Chapter 9 bankruptcy, another US city grits its teeth and sells its memorabilia to avoid the same fate: Harrisburg, Pennsylvania
- The Works of Aleister Crowley is now available as a facsimile reprint. Nice as this is, it does press the point that the process of editing the Crowley material seems to have suffered from scope creep and other delays.
- If I was single and could marry software, I'd at least ask Homebrew out on a date. (Yes, I'm the kind of geek who uses the terminal on his Mac.)
- In Egypt, we learn that the United States helped bankroll the anti-Morsi movement. Which means, in effect, that all this hand-wringing about whether Morsi's ouster was a coup is just kabuki. Justin Raimondo lays it out for us here.
- Meanwhile, Saudi Arabia and the UAE are throwing money at the interim Egyptian government ... probably with the tacit understanding that elections, civil liberties, and the like, should not be a priority. If there's anyone who's threatened by the Arab Spring, it's the arthritic monarchies of the Peninsula.
- A Q-poll of 2014 American voters shows that a majority view NSA leaker Snowden as a whistleblower, not a traitor; which once again goes to show that the political leadership and pundits are painfully out of touch.
- Microsoft is undergoing a massive reorganization after more than a decade of stagnation and losing ground to Apple, Google, Amazon, and others. And yet, Steve Ballmer remains at the helm, when any reputable analyst would suggest that his first move should be to fire himself. Still, there is good news - you can't get fired for buying Microsoft. (Parenthetically, remember when IBM was, you know, relevant?)
- Are you on the J. D. Holmes mailing list? You should be. If you were, then you'd know that the re-release of Cults of the Shadow is now available for pre-order.
- College students are really enthusiastic about math and science, until they realize that they're actually really hard. Draw your own parallels.
Then, Snowden revealed that the US has been hacking China for some time; that, in fact, they're hacking everyone, all the time. This may file under the heading of "Captain Obvious to the rescue," but stating it publicly like this ends up benefiting China at the expense of the US Government. Between that, and Snowden's enormous popularity with Chinese Internet users, I'm guessing that China is now motivated to give Snowden some more room.
I will confess, there is a part of me that thinks this might have too much of a Fitzmas feel to it. Stay tuned.
As for Java, Oracle was already threatening its future by trying to claim ownership of the Java APIs, which are basically the standards for what makes a Java implementation a "real" implementation. Now, they are taking the unprecedented step of charging its customers for bugfixes to some of the core Java libraries.
I think I understand what Oracle is doing. They figure that if they can charge for Java bugfixes, they can monetize the billions of lines of Java business code out there, and also have a shot at a piece of the Android market. (Java is required to write native apps for Android, at least for now.)
Unfortunately, this is bad news for the future of Java, which may soon find itself relegated to the status of a legacy language, COBOL-style, if IBM and other vendors can't pressure Oracle to change its tune. More unfortunately, there's not much else out there that matches Java's portability. If Oracle wanted to mess with millions of people's careers, they couldn't have picked a better technology to mess with.
The way I see it, IBM, Google, and others have three choices. The first is to give Oracle the finger and fork Java, the way MariaDB and SkySQL forked MySQL and LibreOffice forked OpenOffice. IBM and Oracle certainly have the talent to do it, and it would make Oracle's claims of copyright over the APIs all the more pressing. The second is to deprecate Java in favor of another widely adopted language, such as Python. (In fact, I think a good case could be made for Python to replace Java. Python is easy to learn, absolutely enterprise-grade, rather powerful in the right hands, and runs on Windows, Linux, various kinds of UNIX, and Mac. If you want Python on iSeries or Python on zOS, you're kinda taking your chances right now; but if IBM adopts Python, then it won't take long for them to get these ports up to speed. Ports of Python to Android already exist, and it would make sense for Google to make Python and Go into alternative languages for native Android development, just as they are now used for Google App Engine development. Several good IDEs for Python exist, including IDLE, Aptana, and classic Eclipse with PyDev.)
The third choice is to grin and bear it, paying Oracle a huge sum of money for bugfixes to distribute to their customers. Somehow, I don't see them, or Oracle, agreeing to this.
In the meanwhile, that ancient curse, "may you live in interesting times," seems to have re-asserted itself onto the computing world. Bummer.