The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.
That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.
Some of my favorite new submissions this week.
It took me entirely too long to realize this IS in English:
Spacing: the Final Frontier of Wreckerating
Judging by the CW Facebook page, I see I've trained you wrecky minions well:
Ahh, THE SNARK IS STRONG WITH THIS ONE.
And just in time for Cheesecake Day (which was yesterday):
(Btw, if it's been a while since you've seen my FB updates, here's a new & easy fix: on the CW page, under "Liked" at the top, click "See First." You'll never miss the wrecky lolz again!)
At first I thought it was a hot dog.
Then maybe a bowel resection.
Now I just want to stop looking at it:
Somebody help me stop looking at it.
To quote JoAnna, who sent this in, "Mmmm, rope fibers!"
And I agree, JoAnna; the clumps of gold glitter really DO make it extra "beachy."
And finally, while not professional, this made me laugh out loud:
Video game-specific apology cakes? YES, PLEASE.
Heck, I think this should become a trend. A few more suggestions:
"Sorry I Played Skyrim For 6 Weeks Straight"
"Sorry I Won't Play Portal Co-Op With You Because You're Better At It And It's Annoying"
"Sorry For Beating Your High Score On Angry Birds"
"Sorry I Woke You Up At 3AM Because BioShock Was Scary"
"Sorry I Keep Talking To Claptrap" (WUB WUB!)
Thanks to Nancy E., Kristen F., Annie B., Ashley R., JoAnna H., & Anony M. for the beat-boxin' giggles.
We are interested in the application of interactive storytelling to videogames. We want to improve story experiences in open-world adventure and role-playing games. A game that features an open world allows its players to move freely in a large space with few or no artificial barriers, choosing what to do and when. The flexibility of an open world and the fact that adventure and role-playing games tend to have strong story components make these genres an interesting place to explore interactive storytelling techniques.
Our central goal is to support the creation of open-world videogame stories that give players a sense of coherence. To achieve this, we take a structuralist approach and partition stories into two types of scenes inspired by the concept of kernels and satellites. First, a minimal set of fixed scenes form a core story with strong authorial control. A game’s most central plot points become fixed scenes, thus acting like kernels. The rest of the story emerges from a much larger collection of flexible scenes that can appear just about anywhere in the story, save for a small set of preconditions. Most flexible scenes act like satellites: minor plot points, or opportunities to develop story elements like theme.
We want to give players the freedom to explore flexible scenes however they wish as they move through the fixed scenes as designed. A certain level of coherence is guaranteed when the content of the fixed scenes is itself coherent, but a story with few satellite scenes will have minimal aesthetic appeal. The challenge, then, is to maintain coherence no matter how a very large set of flexible scenes is experienced.
Instead of arranging flexible scenes according to a strict definition of causal coherence, we want to create a “sense of” coherence. By this we mean that not all events have to be causally related in explicitly obvious ways, but that players should have the sense that they could figure out the meaning of and relationships between events if they thought hard enough about it.
One of the major ways we achieve a sense of coherence is by managing the story’s progression. We keep track of when certain story elements, such as theme and character, are reflected. We then prioritize which scenes should be made available to players next according to a desired distribution of the story elements. For example, if a particular theme was developed very recently, we want to prioritize scenes that reflect some of the other themes. On the other hand, if it has been a long time since a theme was developed, scenes that reflect that theme strongly should have high priority. A good distribution of elements ensures that story elements don’t feel out of place when developed, and that reminders of previous scenes are made throughout the story.
Another facet of creating a sense of coherence is the emergence of structure at run-time through the use of conditions. Instead of defining causal relationships in a scene graph a priori, we allow authors to define prerequisites for their scenes. Using prerequisites is a common technique, but in our design we push for prerequisites based on story state values in addition to game state. For example, scenes might have prerequisites that only allow them to be seen once a particular theme has been developed sufficiently. Alternatively, a scene might be best suited for the early development of the theme, and should not appear later on. We want authors to think about flexible scenes in terms of how they function in a story’s development without having to worry about how they will fit within a series of causally related events.
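The two mechanisms just described, progression management and story-state prerequisites, as a small scheduler written for this post (an added example, not the authors' engine). Scene names, theme strengths and the 0.5 "developed" threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class StoryState:
    """Story state tracked alongside game state: how often and how recently each theme appeared."""
    step: int = 0                                              # flexible scenes played so far
    developed: Dict[str, int] = field(default_factory=dict)    # theme -> times strongly developed
    last_seen: Dict[str, int] = field(default_factory=dict)    # theme -> step at which it last appeared

    def staleness(self, theme: str) -> int:
        # Steps since the theme was last reflected; a theme never shown counts as one step overdue at start.
        return self.step - self.last_seen.get(theme, -1)


@dataclass
class Scene:
    name: str
    themes: Dict[str, float]                                   # theme -> strength (0..1) of reflection
    prereq: Callable[[StoryState], bool] = lambda state: True  # story-state prerequisite, not a causal link
    STRONG = 0.5                                               # strength at which a scene "develops" a theme


def priority(scene: Scene, state: StoryState) -> float:
    """Weighted staleness: themes developed recently add little, long-neglected ones add a lot."""
    return sum(strength * state.staleness(theme) for theme, strength in scene.themes.items())


def next_scene(scenes: List[Scene], state: StoryState, played: set) -> Optional[Scene]:
    """Pick the unplayed flexible scene whose prerequisites hold and whose priority is highest."""
    candidates = [s for s in scenes if s.name not in played and s.prereq(state)]
    if not candidates:
        return None
    # Ties break on name so the schedule is deterministic.
    return max(candidates, key=lambda s: (priority(s, state), s.name))


def play(scene: Scene, state: StoryState) -> None:
    """Record the scene's effect on story state."""
    for theme, strength in scene.themes.items():
        state.last_seen[theme] = state.step
        if strength >= Scene.STRONG:
            state.developed[theme] = state.developed.get(theme, 0) + 1
    state.step += 1


def run_story(scenes: List[Scene], max_scenes: int = 10) -> List[str]:
    """Schedule flexible scenes until none is available; returns the order shown."""
    state, played, order = StoryState(), set(), []
    while len(order) < max_scenes:
        scene = next_scene(scenes, state, played)
        if scene is None:
            break
        play(scene, state)
        played.add(scene.name)
        order.append(scene.name)
    return order


# Constructed sample: three themes, five flexible scenes, two of them with story-state prerequisites.
SAMPLE_SCENES = [
    Scene("orchard", {"greed": 1.0, "loss": 0.6}),
    Scene("old_friend", {"loyalty": 1.0}),
    # Late-story scene: only available once "loss" has been developed at least once.
    Scene("funeral", {"loss": 1.0}, prereq=lambda s: s.developed.get("loss", 0) >= 1),
    # Early-story scene: must not appear once "loyalty" has already been developed.
    Scene("first_kiss", {"loyalty": 0.5}, prereq=lambda s: s.developed.get("loyalty", 0) == 0),
    Scene("market", {"greed": 0.7}),
]

if __name__ == "__main__":
    print(run_story(SAMPLE_SCENES))
```

Running it shows "funeral" unlocking only after "orchard" develops loss, and "first_kiss" never appearing because "old_friend" develops loyalty first.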
In addition to controlling the path players take through a set of fixed and flexible scenes, we can improve the sense of coherence by adjusting the content of scenes. In so doing, we want to give players interpretative agency: they should feel like there are deeper layers in the story not being explicitly told, and they should feel like they can interpret those layers in a reasonable way.
We are exploring three ways of dynamically affecting the content of scenes. In the first, run-time criteria are used to choose a set of scenes that a recurring motif (say, an apple) can be featured in. Observant players will begin to notice the motif over time and assign meaning to why it appears in certain scenes. Eventually, they will expect something in particular to happen when a new scene with the motif begins.
Second, mix-ins give us pre-scripted opportunities to make connections to scenes the player happens to have already seen. As Keith Johnstone points out in the context of improvisation, “feeding something back in from earlier in the story adds ‘point’ and creates structure.” Characters, story elements, and dialog are all examples of source material that could be referred to in future mix-ins.
Finally, we can adjust the presentation of a scene to alter the player’s interpretation of otherwise unchanging events. Choice of lighting, background music, camera angles, and even the weather can all depend on the story’s state at the time a particular scene is reached. Perhaps the heroine of the story returns to the castle with the head of a dragon. The mood evoked during the scene might be bright and cheerful if the player saw the dragon as an evil menace. However, the mood might be more sombre if the player found out that the dragon was simply a loving mother trying to protect her hatchlings. The final event stays the same, but the interpretation of it changes.
In summary, our goal is to give players a sense of coherence when exploring stories in open-world adventure and role-playing games. We structure our stories as a set of fixed and flexible scenes. Players can traverse the set of flexible scenes freely, barring any prerequisites that deem certain scenes inaccessible. Flexible scenes are prioritized so that story elements are well distributed throughout the story. We encourage interpretative agency by dynamically introducing recurring motifs, using mix-ins to make connections to earlier points in the story, and modifying the presentation of a scene to affect interpretation. Through all of this, higher quality open-world stories will emerge while still maintaining a satisfactory level of interactivity.
I reprocessed it a few times to improve the result. Save image wasn't working for me so I resorted to screen caps. Perhaps the images would have been sharper and more detailed if they had saved properly.
New paper: "'...no one can hack my mind': Comparing Expert and Non-Expert Security Practices," by Iulia Ion, Rob Reeder, and Sunny Consolvo.
Abstract: The state of advice given to people today on how to stay safe online has plenty of room for improvement. Too many things are asked of them, which may be unrealistic, time consuming, or not really worth the effort. To improve the security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people. In this paper, we present the results of a study which aims to identify which practices people do that they consider most important at protecting their security on-line. We compare self-reported security practices of non-experts to those of security experts (i.e., participants who reported having five or more years of experience working in computer security). We report on the results of two online surveys -- one with 231 security experts and one with 294 MTurk participants -- on what the practices and attitudes of each group are. Our findings show a discrepancy between the security practices that experts and non-experts report taking. For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently.
Joanna H. ordered this cake for her 30th birthday:
The horse shoe is for luck.
BECAUSE SHE'S GONNA NEED IT, AMIRITE?
Here's what Joanna got instead:
Insert "the trots" joke here. BAHAA TOILET HUMOR.
Whitney M. wanted a cake that looked like Neuschwanstein castle for her husband's 30th birthday.
Here's a picture of the castle for reference:
Ha! Come on, now, you'd have to pay someone at least four hundred bucks for a cake like tha...
"I paid $400 for this cake," Whitney writes, "plus $100 for delivery!!!!!!"
Oh. Well, ok, then. Um...
And finally, here's the cake Terrisa K. ordered for her wedding:
So, ya know, that's gonna end well.
She writes: "I didn't see the cake until I was actually walking down the aisle, whispering to my dad, 'is that my f***ing cake?!'"
Yes, Terrisa. Yes, it is.
Thanks to Joanna H., Whitney M., & Terrisa K. for showing us what's black and white and wrecked all over.
It's common wisdom that the NSA was unable to intercept phone calls from Khalid al-Mihdhar in San Diego to Bin Ladin in Yemen because of legal restrictions. This has been used to justify the NSA's massive phone metadata collection programs. James Bamford argues that there were no legal restrictions, and that the NSA screwed up.
It’s been a sad day for many of us in the Geek Feminism community, as we process the news of Nóirín Plunkett’s passing.
Nóirín was a powerful force for positive change. We have lost a tremendous collaborator and friend, and they will be deeply missed.
Words are challenging in the face of a loss like this one; many thanks to those who have written in memoriam of Nóirín thus far.
The Apache Foundation: “Throughout Nóirín’s time at the Foundation she was an Apache httpd contributor, ASF board member, VP and ApacheCon organizer. Nóirín’s passionate contributions and warm personality will be sorely missed. Many considered Nóirín a friend and viewed Nóirín’s work to improving ‘Women in Technology’ as a great contribution to this cause.”
The Ada Initiative: “Nóirín will be remembered as a leading open source contributor; brilliant and compassionate and welcoming and funny. They were a long time leader in the Apache Software Foundation community, and a gifted speaker and documentation writer. Nóirín was key to the creation of the Ada Initiative in more ways than one. Since then they made invaluable contributions to the Ada Initiative as an advisor since February 2011, and a project manager in 2014. We are more grateful than we can say.”
Sumana Harihareswara: “When I was volunteering on the search for the Ada Initiative’s new Executive Director, I worked closely with Nóirín and could always count on their wisdom, compassion, and diligence. I am so grateful, now, that I had a chance to collaborate with them — I had hoped to work with them again, someday, in some organization or other. One of the last times I saw them, they were crying with happiness over the passage of the Irish same-sex marriage referendum. I don’t want to end this entry because there is no ending that can do justice to them.”
Rich Bowen: “Nóirín’s motto was Festina Lente – Hasten Slowly, and this embodies her approach to life. She considered things carefully, and rushed to get things done, because life is too short to get everything accomplished that we put our minds to. In the end, hers was far, far too short.”
Our thoughts are with everyone who shares our grief. Farewell, Nóirín.
The latest in identification by data:
Webber said a tipster had spotted recent activity from Nunn on the Spotify streaming service and alerted law enforcement. He scoured the Internet for other evidence of Nunn and Barr's movements, eventually filling out 12 search warrants for records at different technology companies. Those searches led him to an IP address that traced Nunn to Cabo San Lucas, Webber said.
Nunn, he said, had been avidly streaming television shows and children's programs on various online services, giving the sheriff's department a hint to the couple's location.
This is a terrible thing and I am still shocked and saddened to learn of their death. (Per their profile, please follow their pronoun preferences and use "they".)
Some things to know about them:
Their bold honesty about being sexually assaulted at an open source software event moved us to action; it helped spark the creation of the Ada Initiative.
They had just started a new role at Simply Secure, one that combined their open tech expertise with their writing and coordinating skills and their judgment and perspective.
When I was volunteering on the search for the Ada Initiative's new Executive Director, I worked closely with Nóirín and could always count on their wisdom, compassion, and diligence. I am so grateful, now, that I had a chance to collaborate with them -- I had hoped to work with them again, someday, in some organization or other.
One of the last times I saw them, they were crying with happiness over the passage of the Irish same-sex marriage referendum.
I don't want to end this entry because there is no ending that can do justice to them.
Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default prompt you to share access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.
This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ol’ cantenna!).
I first read about this over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.
“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.
The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.
Update, July 30, 12:35 p.m. ET: Ed Bott over at ZDNet takes issue with the experience described in the stories referenced above, stating that while Wi-Fi Sense is turned on by default, users still have to explicitly choose to share a network. “When you first connect to a password-protected Wi-Fi network, you choose if you want to share access to that network with your contacts,” Bott writes. Nevertheless, many users are conditioned to click “yes” to these prompts, and shared networks will be shared to all Facebook, Outlook, and Skype contacts (users can’t pick individual contacts; the access is shared with all contacts on a social network). Updated the lead to clarify that users are prompted to share.
El Reg says it well here:
That sounds wise – but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.
In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network. Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this.
I should point out that Wi-Fi networks which use centralized 802.1X Wi-Fi authentication — and these are generally tech-savvy large organizations — won’t have their Wi-Fi credentials shared by this new feature.
Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID”) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).
It’s interesting to contrast Microsoft’s approach here with that of Apple, who offer an opt-in service called iCloud Keychain; this service allows users who decide to use the service to sync WiFi access information, email passwords, and other stored credentials amongst their own personal constellation of Apple computers and iDevices via Apple’s iCloud service, but which does not share this information with other users. Apple’s iCloud Keychain service encrypts the credentials prior to sharing them, as does Microsoft’s Wi-Fi Sense service; the difference is that it’s opt-in and that it only shares the credentials with your own devices.
Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS. But embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.
Why? For starters, despite years of advice to the contrary, many people tend to re-use the same password for everything. Also, lots of people write down their passwords. And, as The Reg notes, if you personally share your Wi-Fi password with a friend — by telling it to them or perhaps accidentally leaving it on a sticky note on your fridge — and your friend enters the password into his phone, the friends of your friend now have access to the network.
An article in Ars Technica suggests the concern over this new feature is much ado about nothing. That story states: “First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you’ll be asked if you want to share it with your friends/social networks.”
To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and says yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. True, that contact doesn’t get to see my Wi-Fi password, but he can nonetheless connect to my network.
While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name. The Register seems to think Windows 10 upgraders can avoid each by including both “_nomap” and “_optout” in the Wi-Fi network name, but this article at How-To Geek says users will need to choose the lesser of two evils.
Either way, Wi-Fi Sense combined with integrated Google mapping tells people where you live (and/or where your business is), meaning that they now know where to congregate to jump onto your Wi-Fi network without your permission.
- Prior to upgrade to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”.
- After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.
- If you haven’t already done so, consider additional steps to harden the security of your Wi-Fi network.
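A checker for the SSID-renaming step above, written for this post rather than taken from Microsoft or Google. It assumes that "_optout" works anywhere in the name (as the article says), that Google's "_nomap" only counts as the final characters of the name, and that an SSID may be at most 32 bytes (the 802.11 limit), which is why appending both markers to a long name can fail.

```python
MAX_SSID_BYTES = 32            # 802.11 SSID limit (assumed here, not stated in the article)
WIFI_SENSE_MARKER = "_optout"  # honoured anywhere in the name, per the guidance quoted above
NOMAP_MARKER = "_nomap"        # assumed to be required as the suffix by Google's opt-out


def wifi_sense_opted_out(ssid: str) -> bool:
    """True if the Wi-Fi Sense opt-out marker is present anywhere in the name."""
    return WIFI_SENSE_MARKER in ssid


def nomap_opted_out(ssid: str) -> bool:
    """True if the name ends with _nomap (assumed Google rule)."""
    return ssid.endswith(NOMAP_MARKER)


def ssid_problems(ssid: str) -> list:
    """List everything that stops an SSID from opting out of both services."""
    problems = []
    size = len(ssid.encode("utf-8"))
    if size == 0:
        problems.append("SSID is empty")
    if size > MAX_SSID_BYTES:
        problems.append(f"SSID is {size} bytes, over the {MAX_SSID_BYTES}-byte limit")
    if not wifi_sense_opted_out(ssid):
        problems.append(f"missing {WIFI_SENSE_MARKER}: Wi-Fi Sense may share it")
    if not nomap_opted_out(ssid):
        problems.append(f"does not end with {NOMAP_MARKER}: Google mapping opt-out does not apply")
    return problems


def opt_out_ssid(base: str) -> str:
    """Rename base so that both opt-outs apply, or raise if the result would not fit."""
    # Remove any markers already present so they are neither duplicated nor left mid-name.
    stripped = base.replace(WIFI_SENSE_MARKER, "").replace(NOMAP_MARKER, "")
    if not stripped:
        raise ValueError("nothing left of the SSID after removing opt-out markers")
    new = stripped + WIFI_SENSE_MARKER + NOMAP_MARKER
    if len(new.encode("utf-8")) > MAX_SSID_BYTES:
        room = MAX_SSID_BYTES - len((WIFI_SENSE_MARKER + NOMAP_MARKER).encode("utf-8"))
        raise ValueError(f"'{new}' is too long; shorten the base name to {room} bytes or fewer")
    return new


if __name__ == "__main__":
    # Constructed names: the "_nomap_optout" ordering from the list above fails the suffix rule.
    for name in ("MyHome", "MyHome_nomap_optout", "MyHome_optout_nomap"):
        print(name, ssid_problems(name) or "ok")
    print(opt_out_ssid("MyHome"))
```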
If you're not one of the people complaining about the heat right now, then you're one of the people complaining about the people complaining about the heat.
Either way, we all have the same problem:
Bad bikini cakes.
Yep, this heat wave has clearly addled bakers' brains, my friends, and the results simply aren't pretty.
Unless maybe you're looking for two trees in a Seuss-ian landscape.
Whoah. It's like I can't even see the tomato soup skin!
[singing] The hills are ALIIIIVE...
With butterfly CENsor dots!
No, wait. I have a better song.
(Ahem hem hem.)
From the MOUNT-ains,
To the VAL-leys,
To the OH-shoot!
Is that a THOOOOONG?
GOOOOOD bless America!
Oooohhh soooo wroooong!
Thanks to Heather R., Melissa D., Heather H., Ellen G., & Ginny, who will never look at a heart cookie the same way again.
This is a story of a very high-tech kidnapping:
FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing meta data from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.
The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they used a search warrant to AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they called AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.
The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.
Here's the criminal complaint. It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it.
- TODO Group And Open Source Codes of Conduct | Model View Culture: “We’ve come up with some pretty great resources and tools, put them into practice, tested and iterated, and built community consensus. Yet TODO swoops in to erase and replace all of this work: without our consent or input, a group of massive companies with practically unlimited funds are branding and pushing a code of conduct that suits their needs, not ours.”
- That time the Internet sent a SWAT team to my mom’s house | Boing Boing: “As the reporter recounted all of this to me, I was living my research in real time. I was well-versed in the mechanics of a prank like this, but that didn’t abate the anxiety attacks I was having.”
- Managers beware of gender faultlines | EurekAlert! Science News: “In addition to gender divisions, the authors looked at a more benign kind of faultline: Those created by cliques centered on job types (that is, when people with similar job duties share not only that trait but other demographic qualities such as gender, age and time served.) When the diversity environment was positive, that kind of group identity actually led to stronger feelings of loyalty toward the firm. But the positive effect of job-function cliques disappeared when the diversity climate was unsatisfactory.”
We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.
You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).
Thanks to everyone who suggested links.
Earlier this year, I read Marie Kondo’s bestselling book, “The Life-Changing Magic of Tidying Up” after reading a review in the New York Times. Her fantastic “KonMari” decluttering / home organization methodology was, for me and many others I know who’ve read it, life-changing. Asking yourself whether an item “sparks joy” and then thanking it for its service if you choose to discard it has had a transformative effect on how I think about the stuff in my space, and has been particularly useful as I whittle down my 1-bedroom-apartment’s worth of stuff into a more reasonable amount for my current studio.
Throughout the book, she directs the reader to embark on their tidying effort “all at once” and “in one go.” I found this extremely intimidating! I have a lot of crap from a decade of mostly living on my own, and there are many ~feels~ associated with said crap. Processing those feels is a lot of work – as Kondo puts it, “The question of what you want to own is actually the question of how you want to live your life.” So “all at once” felt, at times, super overwhelming to read.
Except that when she says “all at once,” she means six months. She only says this once in the whole book:
To achieve a sudden change like this, you need to use the most efficient method of tidying. Otherwise, before you know it, the day will be gone and you will have made no headway. The more time it takes, the more tired you feel, and the more likely you are to give up when you’re only halfway through. When things pile up again, you will be caught in a downward spiral. From my experience with private individual lessons, “quickly” means about half a year. That may seem like a long time, but it is only six months out of your entire life. Once the process is complete and you’ve experienced what it’s like to be perfectly tidy, you will have been freed forever from the mistaken assumption that you’re no good at tidying.
When I got to this passage I breathed a sigh of relief, and I wanted to share it in the hopes that it will encourage others to read her book and go a little easier on themselves in doing so. Here’s to sparking joy!
New research: "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," by Mathy Vanhoef and Frank Piessens:
Abstract: We present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol. To empirically find new biases in the RC4 keystream we use statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new long-term biases. Our fixed-plaintext recovery algorithms are capable of using multiple types of biases, and return a list of plaintext candidates in decreasing likelihood.
To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9·2^27 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.
We need to deprecate the algorithm already.
Parents, are the kids making too much noise? Need to quiet them down a bit? Maybe get them rocking themselves in the fetal position for the next few hours, followed by a life-long enrollment in therapy?
THEN DO WE HAVE THE CAKES FOR YOU!!
"Hey, kids, that's not sunburn - it's pulverized entrails! Ho-ho!"
"My name's Murders-A-Lot, and I like warm hugs!
"... followed by murder."
"We're gonna wreck... [clap!]... YOU UP."
I know I usually blur out bakery labels to protect the guilty, but what the actual heck, Baskin Robbins:
Sleep sweet, kiddos.
Thanks to Sarah H., Tom S., Sarah Y., Erica K., & Carol V. for finding a cake that mirrors all of our faces right now.
The Stagefright vulnerability for Android phones is a bad one. It's exploitable via a text message (details depend on auto downloading of the particular phone), it runs at an elevated privilege (again, the severity depends on the particular phone -- on some phones it's full privilege), and it's trivial to weaponize. Imagine a worm that infects a phone and then immediately sends a copy of itself to everyone on that phone's contact list.
The worst part of this is that it's an Android exploit, so most phones won't be patched anytime soon -- if ever. (The people who discovered the bug alerted Google in April. Google has sent patches to its phone manufacturer partners, but most of them have not sent the patch to Android phone users.)
But hey, enough about Tonks.
Actually, it's time to announce this month's Art winners!
So, the winner of the Batman & Batgirl set is Chiana
The winner of Link & Wonder Woman set is Erin Schleif
And my wild-card winner, who gets to choose from anything off the Give-Away Board, is Raum!
Congrats, winners, and please e-mail me your mailing addresses!
P.S. Kaitlyn Nielson, Blogger kept eating my reply to your comment - though I tried many times! - so please e-mail me your choice from the board, too, k? Or message me on Twitter or FB, since your first one didn't go through.
My slides are up, as is demonstration code, from "HTTP Can Do That?!", my talk at Open Source Bridge last month. I am pleased to report that something like a hundred people crowded into the room to view that talk and that I've received lots of positive feedback about it. Thanks for help in preparing that talk, or inspiring it, to Leonard Richardson, Greg Hendershott, Zack Weinberg, the Recurse Center, Clay Hallock, Paul Tagliamonte, Julia Evans, Allison Kaptur, Amy Hanlon, and Katie Silverio.
Video is not yet up. Once the video recording is available, I'll probably get it transcribed and posted on the OSBridge session notes wiki page.
I've also taken this opportunity to update my talks and presentations page -- for instance, I've belatedly posted some rough facilitator's notes that I made when leading an Ada Initiative-created impostor syndrome training at AdaCamp Bangalore last year.
So I paused while John did some tedious surgery to fix them.
He had to pry them off the base, shave down the heels, and then re-epoxy them in place.
Next, many, MANY passes of the metallic gold and silver base coats:
Check out those glorious horse bellies: would you ever guess that's epoxy putty?
(Yeah, I'm bragging. GIVE ME THIS MOMENT.)
As-is, the plastic set hides a TON of impressive detail. Just look at the difference:
I, uh, promise not to include them all here, though.
I really love how heavy they are with those embedded lead weights.
You may have noticed I don't have a chess board yet.
I'm debating between just buying one and making one, and also which color scheme to go with. Plus I'm talking with John about making a wall-mounted display, which I think would be pretty sweet. (Maybe with a mirrored backing? OoooOOOOooh.)
On the evening of March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I’ve recently received a notice from the U.S. Justice Department stating that one of the individuals involved in that “swatting” incident had pleaded guilty to a felony conspiracy charge.
“A federal investigation has revealed that several individuals participated in a scheme to commit swatting in the course of which these individuals committed various federal criminal offenses,” reads the DOJ letter, a portion of which is here (PDF). “You were the victim of the criminal conduct which resulted in swattings in that you were swatted.”
The letter goes on to state that one of the individuals who participated in the scheme has pleaded guilty to conspiracy charges (Title 18, Section 371) in federal court in Washington, D.C.
The notice offers little additional information about the individual who pleaded guilty or about his co-conspirators, and the case against him is sealed. It could be the individual identified at the conclusion of this story, or someone else. In any case, my own digging on this investigation suggests the government is in the process of securing charges or guilty pleas in connection with a group of young men who ran the celebrity “doxing” Web site exposed[dot]su (later renamed exposed[dot]re).
As I noted in a piece published just days after my swatting incident, the attack came not long after I wrote a story about the site, which was posting the Social Security numbers, previous addresses, phone numbers and credit reports on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. Many of those individuals whose personal data were posted at the site also were the target of swatting attacks, including P. Diddy, Justin Timberlake and Ryan Seacrest.
Sources close to the investigation say Yours Truly was targeted because this site published a story correctly identifying the source of the personal data that the hackers posted on exposed[dot]su. According to my sources, the young men, nearly all of whom are based here in the United States, obtained the personal data after hacking into a now-defunct online identity theft service called ssndob[dot]ru.
Investigative reporting first published on KrebsOnSecurity in September 2013 revealed that the same miscreants controlling ssndob[dot]ru (later renamed ssndob[dot]ms) siphoned personal data from some of America’s largest consumer and business data aggregators, including LexisNexis, Dun & Bradstreet and Kroll Background America.
I look forward to the day that the Justice Department releases the names of the individuals responsible for these swatting incidents, for running exposed[dot]su, and hacking the ssndob[dot]ru ID theft service. While that identity theft site went offline in 2013, several competing services have unfortunately sprung up in its wake, offering the ability to pull Social Security numbers, dates of birth, previous addresses and credit reports on virtually all Americans.
Warning: A supposedly naughty cake ahead. (But good luck seeing it.)
"We asked for Mike Wazowski from Monsters, Inc."
"This was our Hello Kitty cake:"
"They told us those were flames."
"Believe it or not, it's supposed to be a penis."
Thanks to Amy J., Cindy P., Sara W., & Sarah H., who all knew it was bound to happen sooner or later.
This is an interesting article that looks at Hacking Team's purchasing of zero-day (0day) vulnerabilities from a variety of sources:
Hacking Team's relationships with 0day vendors date back to 2009 when they were still transitioning from their information security consultancy roots to becoming a surveillance business. They excitedly purchased exploit packs from D2Sec and VUPEN, but they didn't find the high-quality client-side oriented exploits they were looking for. Their relationship with VUPEN continued to frustrate them for years. Towards the end of 2012, CitizenLab released their first report on Hacking Team's software being used to repress activists in the United Arab Emirates. However, a continuing stream of negative reports about the use of Hacking Team's software did not materially impact their relationships. In fact, by raising their profile these reports served to actually bring Hacking Team direct business. In 2013 Hacking Team's CEO stated that they had a problem finding sources of new exploits and urgently needed to find new vendors and develop in-house talent. That same year they made multiple new contacts, including Netragard, Vitaliy Toropov, Vulnerabilities Brokerage International, and Rosario Valotta. Though Hacking Team's internal capabilities did not significantly improve, they continued to develop fruitful new relationships. In 2014 they began a close partnership with Qavar Security.