TEMPEST Attack

Jun. 29th, 2015 01:38 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

There's a new paper on a low-cost TEMPEST attack against PC cryptography:

We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The setup is compact and can operate untethered; it can be easily concealed, e.g., inside pita bread. Common laptops, and popular implementations of RSA and ElGamal encryptions, are vulnerable to this attack, including those that implement the decryption using modern exponentiation algorithms such as sliding-window, or even its side-channel resistant variant, fixed-window (m-ary) exponentiation.

We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.

From Wired:

Researchers at Tel Aviv University and Israel's Technion research institute have developed a new palm-sized device that can wirelessly steal data from a nearby laptop based on the radio waves leaked by its processor's power use. Their spy bug, built for less than $300, is designed to allow anyone to "listen" to the accidental radio emanations of a computer's electronics from 19 inches away and derive the user's secret decryption keys, enabling the attacker to read their encrypted communications. And that device, described in a paper they're presenting at the Workshop on Cryptographic Hardware and Embedded Systems in September, is both cheaper and more compact than similar attacks from the past -- so small, in fact, that the Israeli researchers demonstrated it can fit inside a piece of pita bread.

Another article. NSA article from 1972 on TEMPEST. Hacker News thread. Reddit thread.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Cybercriminals have long relied on compromised Web sites to host malicious software for use in drive-by download attacks, but at least one crime gang is taking it a step further: New research shows that crooks spreading the Dyre malware for use in cyberheists are leveraging hacked wireless routers to deliver their password-stealing crimeware.

Ubiquiti Networks airRouter

Dyre (a.k.a. “Dyreza”) is generally installed by a downloader Trojan that is flagged by most tools under the name “Upatre.” The latter is most often delivered via malicious e-mails containing a link which directs unsuspecting users to servers hosting malicious JavaScript or a basic redirection to a malicious payload. If the user clicks the malicious link, it may serve a bogus file — such as an invoice or bank statement — that, if extracted and opened, reaches out to an Upatre control server to download Dyre.

According to a recent in-depth report from Symantec, Dyre is a highly developed piece of malware, capable of hijacking all three major web browsers and intercepting internet banking sessions in order to harvest the victim’s credentials and send them to the attackers. Dyre is often used to download additional malware on to the victim’s computer, and in many cases the victim machine is added to a botnet which is then used to send out thousands of spam emails in order to spread the threat.

Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.

“We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”


Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.

In January 2015, KrebsOnSecurity broke the news that the botnet used to attack and briefly knock offline Microsoft’s Xbox and Sony Playstation’s networks relied entirely on hacked routers, all of which appeared to have been compromised remotely via telnet.

Whether you use a router from Ubiquiti or any other manufacturer, if you haven’t changed the default credentials on the device, it’s time to take care of that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.

To see whether your credentials are the default, you’ll need to open up a browser and enter the numeric address of your router’s administration page. For most routers, this will be 192.168.1.1 or 192.168.0.1. This page lists the default internal address for most routers. If you have no luck there, here’s a decent tutorial that should help most users find this address. And check out my Tools for a Safer PC primer for more tips on how to beef up the security of your router and your Web browser.

These Wrecks Have Got Your Number

Jun. 29th, 2015 01:01 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

So there's this hilarious wrecky outbreak happening across our nation's bakeries, but it requires a little explanation before you can truly appreciate how funny it is.

Here's the deal:

See that? That's an edible image sheet. These sheets are supposed to work like individual stickers: you cut them up and only use the numbers & phrases you need.

 

Instead, bakers just keep plastering the entire sheet on a cake.

At first I figured it HAD to be intentional. Maybe they give you an edible marker with the cake, so you circle the right numbers?

 

Then I saw this:

You've gotta wonder: what does the baker THINK is happening here?

 

Or how about this one:

That's right; the baker cut up the sheet so it would all (kind of) fit.

Love the random "th" sticking out of the bottom.

 

I think most people are too confused to understand what's wrong with these cakes, but enough of you are still sending them in. So, I've just been collecting them:

 

Biding my time...

 

Waiting for the right moment to finally ask:

Seriously, bakers?

SERIOUSLY??

 

Thanks to Heather W., Angela F., Heather C., Ashley M., Emily F., Melissa L., & Heather D. for the big pile of sheet... cakes.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

When you buy something expensive ...

Jun. 28th, 2015 03:42 pm
[syndicated profile] adulting_feed

… but don’t need to keep the packaging in case you move, do this:

I took pictures of the relevant bits, then sent them to myself AND included every single term I could think of that I would search for. Then threw that beautifully designed but oddly heavy box AWAY, because storage space, despite my wishes, is not infinite.

[syndicated profile] epbot_feed

Posted by Jen

Every now and then I get something fun sent to the Epbot P.O. box, but this latest surprise from reader Linda F. simply MUST be shared:

It's a Howler!

More specifically, it's Ron's Howler from Chamber of Secrets:


Linda made the paper Howler herself, then suspended it with clear fishing line in one of those crafty snap-together ornaments:
 
 You can't see the line at all, so it really looks like it's floating in there!

SO COOL.
 
 (This was a bugger to photograph! Finally resorted to a photo cube to cut most of the glare.)


Even the back side is perfect, with a little address label:
 

Linda finished it off with red ribbon bow and decorative wire hanger:

AHHHmazing.

Linda sent this along for our Harry Potter Christmas tree, of course, but 'til then I'm hanging it in my office! It's one of my new favorite things. Love.

Linda has a craft blog here, btw, but sadly I don't see any mention of this beauty, much less a tutorial. I've seen some Howler origami tutorials around online, though, so maybe you could modify and/or shrink one of those down to make an ornament of your own?

Thanks so much for the inspiration, Linda, and for the howling good addition to our Potter tree!


****

Time to announce this month's art winners!

So, the winner of the Wonder Woman print is... Buncha Stuffes!

And my wild-card winner, who gets her choice from the Pinterest give-away board, is the Jennifer with the blog "My Fur-Real Life!"

Congrats, you two, and please e-mail me your mailing addresses!

Sunday Sweets: Rainbow Connection

Jun. 28th, 2015 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Why are there
so many
songs...

By Wild Orchid Baking Co

 

...about rainbows?

By The Greedy Baker

 

And what's on the other side?

By Molly's Creative Cakes

 

Rainbows are visions,
but only illusions,

By Art2eatCakes

and rainbows have nothing
to hide.

 

So we've been told and some choose to believe it.

By Torta-Couture Cakes

 

I know they're wrong, wait and see.

Submitted by Dagbjört, made by Reddit user MaGNeTIX's father. Details here.

 

Someday we'll find it, the rainbow connection.

By it's a piece of cake

 

The lovers,

By Yummy Mummy Cake Creations

 

the dreamers,

By Kakes by Karen

 

and me.

By Iced Delights Cakes

 

Happy Sunday, everybody!

Note from john- This post reminded me of one of my favorite posts ever: The Rainbow Connection (wrecky version).

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Sunday 28 June 2015

Jun. 28th, 2015 11:31 am
[syndicated profile] lecta_feed

Posted by Mary

We’ve had our used moving boxes picked up, and we’ve returned my overdue library books from Glebe. We’ve hung the pictures we haven’t seen in three years because the previous place didn’t have hooks. There’s things we aren’t on top of (at least two lights need electrical work) but on the basics we really are moved in now.

We had our housewarming party last weekend. That and my then-missing photos hard drive motivated the bulk of the box unpacking. I like to occasionally have parties and invite a huge number of people that I know. In lieu of culling the guest list, I give fairly short notice. We live in a short street, which made it easy to invite the new neighbours too. It fell on the solstice. I used to have solstice barbecues up at Balls Head Reserve and heat mulled wine in a pot on the electric barbecues in the dark. Not since V was born. But since the housewarming was on June 21, we made mulled wine in the crockpot and had heated party pies and sausage rolls. The latter used to be a welcome treat on dive boats, served with mugs of instant soup, restoring our body temperature between dives.

The next two weeks are school holidays, which will be less of a contrast for V than they were for us. He’s spending the two weeks in his usual after school care provider, in their full day vacation care program. They do a lot of excursions and activities and generally contribute to the school holiday crowding in public places. We’re visiting my family for a weekend but not otherwise going away because we’re going to the snow in September (if there is snow this year). For a while my life will be mainly house things.

We aren’t far from an adult education centre, so I’d like to enrol in a few courses over the next couple of years. Music, studio photography… And I’m excited about the possibilities of a house I can change over time. The biggest project I can imagine is getting the back courtyard substantially redesigned. There’s a lot of small stuff that can go before that though. I’ve even joined Pinterest to track inspiration; I’m reminded that in my Wikimania keynote in 2012 the issue of women using Pinterest rather than editing Wikipedia came up once or twice, which now seems mostly odd, since one is an encyclopedia and the other is a visual inspiration bookmarking site. Probably my “find interesting pictures of courtyards” moments will not overlap terribly much with my “find sources for recent Australian crimes” moments.

[syndicated profile] adulting_feed

… do it over the sink. Every time. 

If the thing on the move is solid (say, rice or beans or a shit-ton of those tiny metallic cake-decoration silver balls), do it over the garbage can.

This post is brought to you by Diet Coke floor-stickiness and the fact that I will be finding those fucking balls until I die.

A Busy Week for Ne’er-Do-Well News

Jun. 27th, 2015 08:24 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

We often hear about the impact of cybercrime, but too seldom do we read about the successes that law enforcement officials have in apprehending those responsible and bringing them to justice. Last week was an especially busy time for cybercrime justice, with authorities across the globe bringing arrests, prosecutions and in some cases stiff sentences in connection with a broad range of cyber crimes, including ATM and bank account cashouts, malware distribution and “swatting” attacks.

Ercan Findikoglu, posing with piles of cash.

Prosecutors in New York had a big week. Appearing in the U.S. court system for the first time last week was Ercan “Segate” Findikoglu, a 33-year-old Turkish man who investigators say was the mastermind behind a series of Ocean's 11-type ATM heists between 2011 and 2013 that netted thieves more than $55 million.

According to prosecutors, Findikoglu organized the so-called “ATM cashouts” by hacking into networks of several credit and debit card payment processors. With each processor, the intruders were able to simultaneously lift the daily withdrawal limits on numerous prepaid accounts and dramatically increase the account balances on those cards to allow ATM withdrawals far in excess of the legitimate card balances.

The cards were then cloned and sent to dozens of co-conspirators around the globe, who used the cards at ATMs to withdraw millions in cash in the span of just a few hours. Investigators say these attacks are known in the cybercrime underground as “unlimited operations” because the manipulation of withdrawal limits lets the crooks steal literally unlimited amounts of cash until the operation is shut down.

Two of the attacks attributed to Findikoglu and his alleged associates were first reported on this blog, including a February 2011 attack against Fidelity National Information Services (FIS), and a $5 million heist in late 2012 involving a card network in India. The most brazen and lucrative heist, a nearly $40 million cashout against the Bank of Muscat in Oman, was covered in a May 2013 New York Times piece, which concludes with a vignette about the violent murder of an alleged accomplice in the scheme.

Also in New York, a Manhattan federal judge sentenced the co-creator of the “Blackshades” Trojan to nearly five years in prison after pleading guilty to helping hundreds of people use and spread the malware. Twenty-five year old Swedish national Alexander Yucel was ordered to forfeit $200,000 and relinquish all of the computer equipment he used in commission of his crimes.

As detailed in this May 2014 piece, Blackshades Users Had It Coming, the malware was sophisticated but marketed mainly on English-language cybercrime forums to young men who probably would have a hard time hacking their way out of a paper bag, let alone into someone’s computer. Initially sold via PayPal for just $40, Blackshades offered users a way to remotely spy on victims, and even included tools and tutorials to help users infect victim PCs. Many of Yucel’s customers also have been rounded up by law enforcement here in the U.S. and abroad.

Matthew Tollis

In a small victory for people fed up with so-called “swatting” — the act of calling in a fake hostage or bomb threat to emergency services with the intention of prompting a heavily-armed police response to a specific address — 22-year-old Connecticut resident Matthew Tollis pleaded guilty last week to multiple swatting incidents. (In an unrelated incident in 2013, this reporter was the victim of swatting, which resulted in our home being surrounded by a dozen or so police and Yours Truly being handcuffed in front of the whole neighborhood).

Tollis admitted belonging to a group that called itself “TeAM CrucifiX or Die,” a loose-knit cadre of young Microsoft XBox and swatting enthusiasts which later renamed itself the “ISIS Gang.” Interestingly, these past few weeks have seen the prosecution of another alleged ISIS Gang member — a 17-year-old Finnish miscreant who goes by the nicknames “Ryan” and “Zeekill.” Ryan, whose real name is Julius Kivimaki, was one of several individuals who claimed to be involved in the Lizard Squad attacks that brought down the XBox and Sony Playstation networks in December 2014.

Kivimaki is being prosecuted in Finland for multiple alleged offenses, including payment fraud, money laundering and telecommunications harassment. Under Finnish law, Kivimaki cannot be extradited, but prosecutors there are seeking at least two to three years of jail time for the young man, who will turn 18 in August.

Julius "Ryan" Kivimaki.

Finally, investigators with Europol announced the arrest of five individuals in Ukraine who are suspected of developing, exploiting and distributing the ZeuS and SpyEye malware — well known banking Trojans that have been used to steal hundreds of millions of dollars from consumers and small businesses.

According to Europol, each cybercriminal in the group had their specialty, but that the group as a whole specialized in creating malware, infecting machines, harvesting bank credentials and laundering the money through so-called money mule networks.

“On the digital underground forums, they actively traded stolen credentials, compromised bank account information and malware, while selling their hacking ‘services’ and looking for new cooperation partners in other cybercriminal activities,” Europol said. “This was a very active criminal group that worked in countries across all continents, infecting tens of thousands of users’ computers with banking Trojans, and subsequently targeted many major banks

The Europol statement on the action is otherwise light on details, but says the group is suspected of using Zeus and SpyEye malware to steal at least EUR 2 million from banks and their customers.

Apology

Jun. 27th, 2015 08:29 pm
[syndicated profile] sumana_feed
Earlier today, during my stand-up comedy act at AlterConf Portland, I failed at living up to the AlterConf code of conduct and to my act's title, "Stand-Up Comedy that Doesn't Hurt". I made a joke that hurt members of the audience. The joke was in a section about attempts to be perceived as a cis ally:

I try to be intersectional in the media I consume, and sometimes that leads to carbon credit-style bargaining, like, "How many memoirs by trans women of color do I have to read before I go see 'Avengers: Age of Ultron'"? [laughter] And then sometimes there's cheating on that diet, like, "Does 'Mrs. Doubtfire' count?"

In this joke, it is not clear enough that the cis ally narrator is completely wrong to categorize "Mrs. Doubtfire" as having anything to do with the goal of reading and supporting trans narratives. I won't make it again and I'm sorry that I made a joke that hurt.

For this act I practiced in front of audiences that included trans people, and I asked them for feedback, but I was not thorough enough about checking beyond that for offensive material. In the future I'll be more thorough.

ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot

In the interest of Being Excellent and considerate of those who have yet to watch this episode, all references to the content of this episode are stashed under the cut and will remain so hidden for at least a month. Someponies like to watch MLP:FIM in herds and it can be a while before they get all their ponies together. 8^) As spoilers are also likely to be in any comments: don't read if you haven't yet seen the episode unless you like being spoiled. When you're ready, drop in a comment and say what you thought of this episode!

After a month, I hope Episode Discuss posts will be so far off the top page that it'll probably take the tag to find them, so about a month after posting the cut will be removed. 8^) Sometimes I go back and drop in little extras into the posts, like comics and links to the music.

The broadcast is at 11:30 am EDT, which works out as 4:30 pm UTC, 8:30 am PDT and 2:30 AM Down Under. Confused? Look at the PonyCountdown widget on the community page!

Like last week, we have yet another new writer in the MLP:FIM stable: Party Pooped was written by Nick Confalone and it's his only credit for MLP:FIM.

Also for you new-fangled "live-tweet" twitterers, Meghan McCarthy is a good possibility, and other twits in the early morning chorus may include the likes of Jayson Thiessen (Supervising Director of MLP:FIM) and Big Jim (storyboard work, voice of Troubleshoes and Director of MLP:FIM). The hashtag to watch is #MLPseason5.


Review for episode 11, Party Pooped, below the cut. )


Catch the show and throw in your two bits in the comments! Copy/paste your reviews into the comments, spread the wealth!


Watch Party Pooped on DailyMotion here, in HD, yes/yes, and a HD Youtube version too.

Download Party Pooped (later).

Read the transcript of Party Pooped on the MLP wiki of transcripts soon.

The links to official channels and purchasing DVD's and episodes are now in the community sticky.
[syndicated profile] geekfeminism_feed

Posted by spam-spam

      • How NASA Broke The Gender Barrier In STEM | Fast Company (June 23): “The convergence of open data and female leadership has the potential to challenge traditional decision making across sectors and facilitate more data-driven and collaborative approaches in creating new ventures and solving problems. Datanauts was born out of NASA’s open-data priorities as a means to bring more women to the open-data table. While the program is intended for women and men, the founding class is made up entirely of women to encourage other female techies and makers to take the “data leap,” as Beth Beck, Open Innovation program manager at NASA’s Office of the Chief Information Officer, calls it. Future classes will include men.”
      • Fuck the Internet Shame Spiral | Gizmodo (June 23): “Once the tone police arrive, we’re no longer talking about how disturbing it is that one of the top scientists in the world thinks women shouldn’t be allowed to work in labs because he might fall in love with them. Instead, we’re talking about whether it’s appropriate for women to mock his comments by posting pictures of themselves on Instagram.”
      • I’m a female scientist, and I agree with Tim Hunt. | Medium (June 14): “Science is based on observations, which are the same thing as universal proof. Even I know that, and I’m just a woman whose brain is filled to capacity with yoga poses and recipes for gluten-free organic soap. Once, I was lured into a trap in the woods because I followed a trail of Sex and the City DVDs for three miles into a covered pit. Do you really think I could do something as complicated as thinking about science?”
      • Journalist Laurie Penny banned from Facebook for using pseudonym | The Guardian (June 24): “Facebook has been accused of putting users at risk “of rape and death threats” by a journalist who was banned from the social networking site for using a pseudonym. Laurie Penny, a contributing editor at the weekly political magazine the New Statesman, who also writes for the Guardian, said she had been kicked off Facebook for using a fake name to avoid being trolled.”

We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Make Every Day Special

Jun. 26th, 2015 09:48 pm
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
Source: http://drknz13.deviantart.com/art/Make-Every-Day-Magical-541781557

This is an animated gif. To see it in all its glory (in animated form), go below the cut.
This is the cut. Click it to go below. )
Fresh episode tomorrow, less than 14 hours from now. Consult the countdown widget!

Dreamwidth news: 26 June 2015

Jun. 26th, 2015 05:45 pm
dw_news: Drawing of newspaper labeled 'The News' with DW logo (Default)
[staff profile] denise posting in [site community profile] dw_news
Hello, Dreamwidth! Greetings from Portland, where Dreamwidth has assembled for this year's Open Source Bridge. (Which remains my favorite conference ever for how wonderfully welcoming and diverse it is.)

Behind the cut:

* A fond farewell
* HTTPS
* Email woes: mostly fixed
* Multiple sticky entries
* Rescreening screened comments when they're edited
* Other new features and tweaks
* Pretty pretty pictures

Friday 26 June 2015 )

*

That's it from us for another update! As always, if you're having problems with Dreamwidth, Support can help you; for notices of site problems and downtime, check the Twitter status page; if you've got an idea to make the site better, you can make a suggestion. (I'm still a lot behind on the suggestions queue, though, just as a warning.)

Comment notifications may be delayed for up to an hour or two, due to the high volume of notifications generated after an update is posted to [site community profile] dw_news. This was posted at 5:45PM PDT (see in your time zone). Please don't worry about delayed notifications until at least two hours after that.

Hair bear

Jun. 27th, 2015 09:04 am
[personal profile] puzzlement posting in [community profile] incrementum
Originally posted to incrementum.puzzling.org. Comment there unless you have a Dreamwidth login.

A few things happened in April:

  1. I went overseas for nearly two weeks
  2. A stopped nursing entirely
  3. A started pulling her hair out as a self-comfort mechanism

I was sad about the nursing. I left V for two weeks at 2½ years of age and he didn’t stop nursing, and so I didn’t really expect A to either, even though she was a bit younger and my supply with her has been more touchy. (That said, I definitely still had milk when I got home.) But she tried latching a few times after I came back, and cried in distress immediately and after that she would turn her face away angrily and yell at me if she thought I was trying to nurse her. I didn’t particularly want to wean her, but distress at nursing wasn’t really something I was willing to push on with a 16 month old, so, she’s done. We’re two months into no child having a dependency on me specifically for calories.

And around about the same time, she started twisting her hair in her hands while sucking her thumb. And the result is, she’s pulling her hair out.

Here’s a picture of her before I left:

Contemplative

Here’s a couple of recent pictures:

Refusing to nap. Cutely. Hard at work

She hasn’t had a haircut, and the lack of long curling hair and the loss of thickness isn’t an artifact of the pictures I chose: that’s fairly representative of how much less hair she has now.

We’re not quite sure what to do. I’ve had a look around Dr Internet, and it seems like self-comfort hair pulling is pretty common in babies and toddlers, especially in thumb suckers like A. There’s a lot of worry about it turning into trichotillomania, but it also often just stops as the child gets older. Most of the interventions for trichotillomania aren’t even possible at her current age (eg, CBT), let alone evidence-based.

Her daycare tried putting her in a hat all day:

En-hatted

But she’s able to reach under the hat to get at her hair. We’ve also considered mittens but they’d either inhibit her thumb sucking, which has been her primary self-calming technique since she was about 6 weeks old, or they’d leave her thumb free in which case she could still grip her hair.

Her daycare would like us to buzz cut her hair to break the habit, which we are reluctant to do for obvious reasons. (HER WEE NEVER-CUT BABY HAIR!)

It’s started to slow down, we think, as she has learned to walk and again now that she has her Big Bird toy with her all day (she seems not to care as much about Big Bird as she did a few months ago, but she will hug Big Bird in lieu of hair pulling). So we’re hoping for now that it’s slowly fading away. Her 18 month old checkup is coming up soon, so we can see what doctors think then too.

[syndicated profile] bruce_schneier_feed

Posted by schneier

I have always liked this one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Other GCHQ News from Snowden

Jun. 26th, 2015 12:12 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

There are two other Snowden stories this week about GCHQ: one about its hacking practices, and the other about its propaganda and psychology research. The second is particularly disturbing:

While some of the unit's activities are focused on the claimed areas, JTRIG also appears to be intimately involved in traditional law enforcement areas and U.K.-specific activity, as previously unpublished documents demonstrate. An August 2009 JTRIG memo entitled "Operational Highlights" boasts of "GCHQ's first serious crime effects operation" against a website that was identifying police informants and members of a witness protection program. Another operation investigated an Internet forum allegedly "used to facilitate and execute online fraud." The document also describes GCHQ advice provided "to assist the UK negotiating team on climate change."

Particularly revealing is a fascinating 42-page document from 2011 detailing JTRIG's activities. It provides the most comprehensive and sweeping insight to date into the scope of this unit's extreme methods. Entitled "Behavioral Science Support for JTRIG's Effects and Online HUMINT [Human Intelligence] Operations," it describes the types of targets on which the unit focuses, the psychological and behavioral research it commissions and exploits, and its future organizational aspirations. It is authored by a psychologist, Mandeep K. Dhami.

Among other things, the document lays out the tactics the agency uses to manipulate public opinion, its scientific and psychological research into how human thinking and behavior can be influenced, and the broad range of targets that are traditionally the province of law enforcement rather than intelligence agencies.

Friday Favs 6/26/15

Jun. 26th, 2015 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Some of my favorite submissions this week:

 

They asked for mountains:

And never has "Good Luck" looked quite so sarcastic.

 

Tessa tells me this wedding cake was supposed to look like bark:

Bark, huh?

Well, it DOES look pretty "ruff."

Eh? EH?

Oh, who asked you.

 

Guess where they wanted the 10:

"What am I, a mind reader?"

 

Not since the fictional peanut butter truck collided with the fictional chocolate truck has such a brilliant combination been accidentally discovered!!!

Just kidding.

But let's be honest: Duck Dynasty Hunger Games? You'd watch it.

 

And finally, Kelley asked for this wedding cake design:

Except with red pearls and no flowers.

 

Unfortunately, her baker confused "pearls" with "Atomic Fireballs.*"

...and then apparently smoothed out the icing with a hairbrush.

Bummer.


*Anyone else remember Atomic Fireballs? Those spicy cinnamon jawbreakers?

I'm... I'm showing my age again, aren't I.

Drat.

 

Thanks to Jessica G., Tessa R., Lauren R., Lisa W., Andrea L., & Kelley T. for the giggles.


[syndicated profile] bruce_schneier_feed

Posted by schneier

On Monday, the Intercept published a new story from the Snowden documents:

The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the documents is Moscow-based Kaspersky Lab, which has a holding registered in the U.K., claims more than 270,000 corporate clients, and says it protects more than 400 million people with its products.

British spies aimed to thwart Kaspersky software in part through a technique known as software reverse engineering, or SRE, according to a top-secret warrant renewal request. The NSA has also studied Kaspersky Lab's software for weaknesses, obtaining sensitive customer information by monitoring communications between the software and Kaspersky servers, according to a draft top-secret report. The U.S. spy agency also appears to have examined emails inbound to security software companies flagging new viruses and vulnerabilities.

Wired has a good article on the documents:

The documents...don't describe actual computer breaches against the security firms, but instead depict a systematic campaign to reverse-engineer their software in order to uncover vulnerabilities that could help the spy agencies subvert it.

[...]

An NSA slide describing "Project CAMBERDADA" lists at least 23 antivirus and security firms that were in that spy agency's sights. They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic. and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.

But antivirus wasn't the only target of the two spy agencies. They also targeted their reverse-engineering skills against CheckPoint, an Israeli maker of firewall software, as well as commercial encryption programs and software underpinning the online bulletin boards of numerous companies. GCHQ, for example, reverse-engineered both the CrypticDisk program made by Exlade and the eDataSecurity system from Acer. The spy agency also targeted web forum systems like vBulletin and Invision Power Board -- used by Sony Pictures, Electronic Arts, NBC Universal and others -- as well as CPanel, a software used by GoDaddy for configuring its servers, and PostfixAdmin, for managing the Postfix email server software. But that's not all. GCHQ reverse-engineered Cisco routers, too, which allowed the agency's spies to access "almost any user of the internet" inside Pakistan and "to re-route selective traffic" straight into the mouth of GCHQ's collection systems.

There's also this article from Ars Technica. Slashdot thread.

Kaspersky recently announced that it was the victim of Duqu 2.0, probably from Israel.

[syndicated profile] bruce_schneier_feed

Posted by schneier

Wikileaks has published some NSA SIGINT documents describing intercepted French government communications. This seems not to be from the Snowden documents. It could be one of the other NSA leakers, or it could be someone else entirely.

As leaks go, this isn't much. As I've said before, spying on foreign leaders is the kind of thing we want the NSA to do. I'm sure French Intelligence does the same to us.

EDITED TO ADD (6/25): To me, more interesting than the intercepts is the spreadsheet of NSA surveillance targets. That spreadsheet gives us a glimpse into the US process of surveillance: what US government office initially asked for the surveillance, what NSA office is tasked with analyzing the intelligence collected, where a particular target is on the priorities list, and so on.

[syndicated profile] bruce_schneier_feed

Posted by schneier

I think this is the first case of one professional sports team hacking another. No idea if it was an official operation, or a couple of employees doing it on their own initiative.

[syndicated profile] bruce_schneier_feed

Posted by schneier

In May, Admiral James A. Winnefeld, Jr., vice-chairman of the Joint Chiefs of Staff, gave an address at the Joint Service Academies Cyber Security Summit at West Point. After he spoke for twenty minutes on the importance of Internet security and a good national defense, I was able to ask him a question (32:42 mark) about security versus surveillance:

Bruce Schneier: I'd like to hear you talk about this need to get beyond signatures and the more robust cyber defense and ask the industry to provide these technologies to make the infrastructure more secure. My question is, the only definition of "us" that makes sense is the world, is everybody. Any technologies that we've developed and built will be used by everyone -- nation-state and non-nation-state. So anything we do to increase our resilience, infrastructure, and security will naturally make Admiral Rogers's both intelligence and attack jobs much harder. Are you okay with that?

Admiral James A. Winnefeld: Yes. I think Mike's okay with that, also. That's a really, really good question. We call that IGL. Anyone know what IGL stands for? Intel gain-loss. And there's this constant tension between the operational community and the intelligence community when a military action could cause the loss of a critical intelligence node. We live this every day. In fact, in ancient times, when we were collecting actual signals in the air, we would be on the operational side, "I want to take down that emitter so it'll make it safer for my airplanes to penetrate the airspace," and they're saying, "No, you've got to keep that emitter up, because I'm getting all kinds of intelligence from it." So this is a familiar problem. But I think we all win if our networks are more secure. And I think I would rather live on the side of secure networks and a harder problem for Mike on the intelligence side than very vulnerable networks and an easy problem for Mike. And part of that -- it's not only the right thing do, but part of that goes to the fact that we are more vulnerable than any other country in the world, on our dependence on cyber. I'm also very confident that Mike has some very clever people working for him. He might actually still be able to get some work done. But it's an excellent question. It really is.

It's a good answer, and one firmly on the side of not introducing security vulnerabilities, backdoors, key-escrow systems, or anything that weakens Internet systems. It speaks to what I have seen as a split in the Second Crypto War, between the NSA and the FBI on building secure systems versus building systems with surveillance capabilities.

I have written about this before:

But here's the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today's NSA secrets become tomorrow's PhD theses and the next day's hacker tools. As long as we're all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can't choose a world where the US gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.

NSA Director Admiral Mike Rogers was in the audience (he spoke earlier), and I saw him nodding at Winnefeld's answer. Two weeks later, at CyCon in Tallinn, Rogers gave the opening keynote, and he seemed to be saying the opposite.

"Can we create some mechanism where within this legal framework there's a means to access information that directly relates to the security of our respective nations, even as at the same time we are mindful we have got to protect the rights of our individual citizens?"

[...]

Rogers said a framework to allow law enforcement agencies to gain access to communications is in place within the phone system in the United States and other areas, so "why can't we create a similar kind of framework within the internet and the digital age?"

He added: "I certainly have great respect for those that would argue that the most important thing is to ensure the privacy of our citizens and we shouldn't allow any means for the government to access information. I would argue that's not in the nation's best long term interest, that we've got to create some structure that should enable us to do that mindful that it has to be done in a legal way and mindful that it shouldn't be something arbitrary."

Does Winnefeld know that Rogers is contradicting him? Can someone ask JCS about this?

Hayden Mocks NSA Reforms

Jun. 23rd, 2015 01:39 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

Former NSA Director Michael Hayden recently mocked the NSA reforms in the newly passed USA Freedom Act:

If somebody would come up to me and say, "Look, Hayden, here's the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you're going to be required to do is that little 215 program about American telephony metadata -- and by the way, you can still have access to it, but you got to go to the court and get access to it from the companies, rather than keep it to yourself." I go: "And this is it after two years? Cool!"

The thing is, he's right. And Peter Swire is also right when he calls the law "the biggest pro-privacy change to U.S. intelligence law since the original enactment of the Foreign Intelligence Surveillance Act in 1978." I supported the bill not because it was the answer, but because it was a step in the right direction. And Hayden's comments demonstrate how much more work we have to do.

Why We Encrypt

Jun. 23rd, 2015 06:02 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Encryption protects our data. It protects our data when it's sitting on our computers and in data centers, and it protects it when it's being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.

This protection is important for everyone. It's easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents.

Encryption works best if it's ubiquitous and automatic. The two forms of encryption you use most often -- https URLs on your browser, and the handset-to-tower link for your cell phone calls -- work so well because you don't even know they're there.

Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting.

This is important. If we only use encryption when we're working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.

It's important to remember that encryption doesn't magically convey security. There are many ways to get encryption wrong, and we regularly see them in the headlines. Encryption doesn't protect your computer or phone from being hacked, and it can't protect metadata, such as e-mail addresses that need to be unencrypted so your mail can be delivered.

But encryption is the most important privacy-preserving technology we have, and one that is uniquely suited to protect against bulk surveillance -- the kind done by governments looking to control their populations and criminals looking for vulnerable victims. By forcing both to target their attacks against individuals, we protect society.

Today, we are seeing government pushback against encryption. Many countries, from States like China and Russia to more democratic governments like the United States and the United Kingdom, are either talking about or implementing policies that limit strong encryption. This is dangerous, because it's technically impossible, and the attempt will cause incredible damage to the security of the Internet.

There are two morals to all of this. One, we should push companies to offer encryption to everyone, by default. And two, we should resist demands from governments to weaken encryption. Any weakening, even in the name of legitimate law enforcement, puts us all at risk. Even though criminals benefit from strong encryption, we're all much more secure when we all have strong encryption.

This originally appeared in Securing Safe Spaces Online.

EDITED TO ADD: Last month, I blogged about a UN report on the value of encryption technologies to human freedom worldwide. This essay is the foreword to a companion document:

To support the findings contained in the Special Rapporteur's report, Privacy International, the Harvard Law School's International Human Rights Law Clinic and ARTICLE 19 have published an accompanying booklet, Securing Safe Spaces Online: Encryption, online anonymity and human rights which explores the impact of measures to restrict online encryption and anonymity in four particular countries -- the United Kingdom, Morocco, Pakistan and South Korea.

History of the First Crypto War

Jun. 22nd, 2015 01:35 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

As we're all gearing up to fight the Second Crypto War over governments' demands to be able to back-door any cryptographic system, it pays for us to remember the history of the First Crypto War. The Open Technology Institute has written the story of those years in the mid-1990s.

The act that truly launched the Crypto Wars was the White House's introduction of the "Clipper Chip" in 1993. The Clipper Chip was a state-of-the-art microchip developed by government engineers which could be inserted into consumer hardware telephones, providing the public with strong cryptographic tools without sacrificing the ability of law enforcement and intelligence agencies to access unencrypted versions of those communications. The technology relied on a system of "key escrow," in which a copy of each chip's unique encryption key would be stored by the government. Although White House officials mobilized both political and technical allies in support of the proposal, it faced immediate backlash from technical experts, privacy advocates, and industry leaders, who were concerned about the security and economic impact of the technology in addition to obvious civil liberties concerns. As the battle wore on throughout 1993 and into 1994, leaders from across the political spectrum joined the fray, supported by a broad coalition that opposed the Clipper Chip. When computer scientist Matt Blaze discovered a flaw in the system in May 1994, it proved to be the final death blow: the Clipper Chip was dead.

Nonetheless, the idea that the government could find a palatable way to access the keys to encrypted communications lived on throughout the 1990s. Many policymakers held onto hopes that it was possible to securely implement what they called "software key escrow" to preserve access to phone calls, emails, and other communications and storage applications. Under key escrow schemes, a government-certified third party would keep a "key" to every device. But the government's shift in tactics ultimately proved unsuccessful; the privacy, security, and economic concerns continued to outweigh any potential benefits. By 1997, there was an overwhelming amount of evidence against moving ahead with any key escrow schemes.

The Second Crypto War is going to be harder and nastier, and I am less optimistic that strong cryptography will win in the short term.

Profile

terriko: (Default)
terriko

Page generated Jun. 29th, 2015 11:10 pm