HAMMERTOSS: New Russian Malware

Jul. 31st, 2015 11:12 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

FireEye has a detailed report of a sophisticated piece of Russian malware: HAMMERTOSS. It uses some clever techniques to hide:

The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.

That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.

Another article. Reddit thread.

Friday Favs 7/31/15

Jul. 31st, 2015 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Some of my favorite new submissions this week.


It took me entirely too long to realize this IS in English:

Spacing: the Final Frontier of Wreckerating


Judging by the CW Facebook page, I see I've trained you wrecky minions well:


I approve.


And just in time for Cheesecake Day (which was yesterday):

(Btw, if it's been a while since you've seen my FB updates, here's a new & easy fix: on the CW page, under "Liked" at the top, click "See First." You'll never miss the wrecky lolz again!)


At first I thought it was a hot dog.
Then maybe a bowel re-section.
Now I just want to stop looking at it:

Somebody help me stop looking at it.


To quote JoAnna, who sent this in, "Mmmm, rope fibers!"

And I agree, JoAnna; the clumps of gold glitter really DO make it extra "beachy."


And finally, while not professional, this made me laugh out loud:

Video game-specific apology cakes? YES, PLEASE.

Heck, I think this should become a trend. A few more suggestions:

"Sorry I Played Skyrim For 6 Weeks Straight"

"Sorry I Won't Play Portal Co-Op With You Because You're Better At It And It's Annoying"

"Sorry For Beating Your High Score On Angry Birds"

"Sorry I Woke You Up At 3AM Because BioShock Was Scary"

"Sorry I Keep Talking To Claptrap" (WUB WUB!)


Thanks to Nancy E., Kristen F., Annie B., Ashley R., JoAnna H., & Anony M. for the beat-boxin' giggles.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] female_cs_feed

Posted by Gail Carmichael

The following is my most recent explanation of my thesis project.

We are interested in the application of interactive storytelling to videogames.  We want to improve story experiences in open-world adventure and role-playing games.  A game that features an open world allows its players to move freely in a large space with few or no artificial barriers, choosing what to do and when.  The flexibility of an open world and the fact that adventure and role-playing games tend to have strong story components make these genres an interesting place to explore interactive storytelling techniques.

Our central goal is to support the creation of open-world videogame stories that give players a sense of coherence.  To achieve this, we take a structuralist approach and partition stories into two types of scenes inspired by the concept of kernels and satellites.  First, a minimal set of fixed scenes form a core story with strong authorial control.  A game’s most central plot points become fixed scenes, thus acting like kernels.  The rest of the story emerges from a much larger collection of flexible scenes that can appear just about anywhere in the story, save for a small set of preconditions.  Most flexible scenes act like satellites: minor plot points, or opportunities to develop story elements like theme.

We want to give players the freedom to explore flexible scenes however they wish as they move through the fixed scenes as designed.  A certain level of coherence is guaranteed when the content of the fixed scenes is itself coherent, but a story with few satellite scenes will have minimal aesthetic appeal.  The challenge, then, is to maintain coherence no matter how a very large set of flexible scenes is experienced.

Instead of arranging flexible scenes according to a strict definition of causal coherence, we want to create a “sense of” coherence.  By this we mean that not all events have to be causally related in explicitly obvious ways, but that players should have the sense that they could figure out the meaning of and relationships between events if they thought hard enough about it.

One of the major ways we achieve a sense of coherence is by managing the story’s progression.  We keep track of when certain story elements, such as theme and character, are reflected.  We then prioritize which scenes should be made available to players next according to a desired distribution of the story elements.  For example, if a particular theme was developed very recently, we want to prioritize scenes that reflect some of the other themes.  On the other hand, if it has been a long time since a theme was developed, scenes that reflect that theme strongly should have high priority.  A good distribution of elements ensures that story elements don’t feel out of place when developed, and that reminders of previous scenes are made throughout the story.

Another facet of creating a sense of coherence is the emergence of structure at run-time through the use of conditions.  Instead of defining causal relationships in a scene graph a priori, we allow authors to define prerequisites for their scenes.  Using prerequisites is a common technique, but in our design we push for prerequisites based on story state values in addition to game state.  For example, scenes might have prerequisites that only allow them to be seen once a particular theme has been developed sufficiently.  Alternatively, a scene might be best suited for the early development of the theme, and should not appear later on.  We want authors to think about flexible scenes in terms of how they function in a story’s development without having to worry about how they will fit within a series of causally related events.
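As an added example (my own code, not the thesis project's), the two mechanisms just described, prerequisites on story state and prioritization by how recently each theme was reflected, can be combined into a small scene scheduler; the scene names, theme weights and the exact "staleness" scoring rule are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Scene:
    """A flexible scene: which themes it reflects and what story state it needs."""
    name: str
    themes: Dict[str, float]                                   # theme -> how strongly reflected
    min_dev: Dict[str, float] = field(default_factory=dict)    # needs development >= value
    max_dev: Dict[str, float] = field(default_factory=dict)    # fits only while development < value


class StoryState:
    """Tracks how far each theme has been developed and when it was last reflected."""

    def __init__(self, themes: List[str]):
        self.step = 0
        self.development = {t: 0.0 for t in themes}
        self.last_reflected: Dict[str, Optional[int]] = {t: None for t in themes}

    def meets_prerequisites(self, scene: Scene) -> bool:
        # Prerequisites are on *story* state (theme development), not game state.
        for theme, floor in scene.min_dev.items():
            if self.development.get(theme, 0.0) < floor:
                return False
        for theme, ceiling in scene.max_dev.items():
            if self.development.get(theme, 0.0) >= ceiling:
                return False
        return True

    def staleness(self, theme: str) -> int:
        # Steps since the theme was last reflected; a never-seen theme counts as stalest.
        last = self.last_reflected.get(theme)
        return self.step + 1 if last is None else self.step - last

    def priority(self, scene: Scene) -> float:
        # Scenes reflecting long-neglected themes score high; recently developed themes score low.
        return sum(weight * self.staleness(theme) for theme, weight in scene.themes.items())

    def choose_next(self, pool: List[Scene]) -> Optional[Scene]:
        candidates = sorted((s for s in pool if self.meets_prerequisites(s)), key=lambda s: s.name)
        if not candidates:
            return None
        return max(candidates, key=self.priority)   # ties resolve to the alphabetically first name

    def play(self, scene: Scene) -> None:
        for theme, weight in scene.themes.items():
            self.development[theme] = self.development.get(theme, 0.0) + weight
            self.last_reflected[theme] = self.step
        self.step += 1


def run_story(scenes: List[Scene], themes: List[str]) -> List[str]:
    """Play every reachable flexible scene once, in priority order; return the order seen."""
    state = StoryState(themes)
    pool = list(scenes)
    order = []
    while (scene := state.choose_next(pool)) is not None:
        state.play(scene)
        pool.remove(scene)
        order.append(scene.name)
    return order


# Constructed sample: two themes and five flexible scenes.
SAMPLE_THEMES = ["loyalty", "greed"]
SAMPLE_SCENES = [
    Scene("apple_stall", {"greed": 1.0}, max_dev={"greed": 1.0}),      # early-development-only
    Scene("betrayal", {"loyalty": 0.5, "greed": 0.5}, min_dev={"loyalty": 1.0}),
    Scene("bribe", {"greed": 1.0}),
    Scene("oath", {"loyalty": 1.0}),
    Scene("reunion", {"loyalty": 1.0}),
]

if __name__ == "__main__":
    print(run_story(SAMPLE_SCENES, SAMPLE_THEMES))
```

With the sample data the scheduler alternates between the two themes and holds the betrayal scene back until loyalty has been established, while the early-only apple_stall scene becomes unreachable once greed has been developed.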

In addition to controlling the path players take through a set of fixed and flexible scenes, we can improve the sense of coherence by adjusting the content of scenes.  In so doing, we want to give players interpretative agency: they should feel like there are deeper layers in the story not being explicitly told, and they should feel like they can interpret those layers in a reasonable way.

We are exploring three ways of dynamically affecting the content of scenes.  In the first, run-time criteria are used to choose a set of scenes that a recurring motif (say, an apple) can be featured in.  Observant players will begin to notice the motif over time and assign meaning to why it appears in certain scenes.  Eventually, they will expect something in particular to happen when a new scene with the motif begins.

Second, mix-ins give us pre-scripted opportunities to make connections to scenes the player happens to have already seen.  As Keith Johnstone points out in the context of improvisation, “feeding something back in from earlier in the story adds ‘point’ and creates structure.”  Characters, story elements, and dialog are all examples of source material that could be referred to in future mix-ins.

Finally, we can adjust the presentation of a scene to alter the player’s interpretation of otherwise unchanging events.  Choice of lighting, background music, camera angles, and even the weather can all depend on the story’s state at the time a particular scene is reached.  Perhaps the heroine of the story returns to the castle with the head of a dragon.  The mood evoked during the scene might be bright and cheerful if the player saw the dragon as an evil menace.  However, the mood might be more sombre if the player found out that the dragon was simply a loving mother trying to protect her hatchlings.  The final event stays the same, but the interpretation of it changes.

In summary, our goal is to give players a sense of coherence when exploring stories in open-world adventure and role-playing games.  We structure our stories as a set of fixed and flexible scenes.  Players can traverse the set of flexible scenes freely, barring any prerequisites that deem certain scenes inaccessible.  Flexible scenes are prioritized so that story elements are well distributed throughout the story.  We encourage interpretative agency by dynamically introducing recurring motifs, using mix-ins to make connections to earlier points in the story, and modifying the presentation of a scene to affect interpretation.  Through all of this, higher quality open-world stories will emerge while still maintaining a satisfactory level of interactivity.

Deep Dream Project

Jul. 30th, 2015 03:46 pm
[personal profile] frith posting in [community profile] ponyville_trot
[livejournal.com profile] drhoz recently posted a psychedelic image that had been transformed by something called Deep Dream project where the Google image search routine is asked to find images (which aren't there) within an image and output the result. I found the web-based input submitter, here, and tried it out on MLP:FIM images. It gave me results like this.


I reprocessed it a few times to improve the result. Save image wasn't working for me so I resorted to screen caps. Perhaps the images would have been sharper and more detailed if they had saved properly.

[syndicated profile] bruce_schneier_feed

Posted by schneier

New paper: "'...no one can hack my mind': Comparing Expert and Non-Expert Security Practices," by Iulia Ion, Rob Reeder, and Sunny Consolvo.

Abstract: The state of advice given to people today on how to stay safe online has plenty of room for improvement. Too many things are asked of them, which may be unrealistic, time consuming, or not really worth the effort. To improve the security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people. In this paper, we present the results of a study which aims to identify which practices people do that they consider most important at protecting their security on-line. We compare self-reported security practices of non-experts to those of security experts (i.e., participants who reported having five or more years of experience working in computer security). We report on the results of two online surveys -- one with 231 security experts and one with 294 MTurk participants -- on what the practices and attitudes of each group are. Our findings show a discrepancy between the security practices that experts and non-experts report taking. For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently.

Good Luck Wrecking The Castle!

Jul. 30th, 2015 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by john (the hubby of Jen)

Joanna H. ordered this cake for her 30th birthday:

The horse shoe is for luck.




Here's what Joanna got instead:

Insert "the trots" joke here. BAHAA TOILET HUMOR.


Whitney M. wanted a cake that looked like Neuschwanstein castle for her husband's 30th birthday.

Here's a picture of the castle for reference:

Ha! Come on, now, you'd have to pay someone at least four hundred bucks for a cake like tha...

"I paid $400 for this cake," Whitney writes, "plus $100 for delivery!!!!!!"

Oh. Well, ok, then. Um...



And finally, here's the cake Terrisa K. ordered for her wedding:

So, ya know, that's gonna end well.


She writes: "I didn't see the cake until I was actually walking down the aisle, whispering to my dad, 'is that my f***ing cake?!'"

Yes, Terrisa. Yes, it is.


Thanks to Joanna H., Whitney M., & Terrisa K. for showing us what's black and white and wrecked all over.



[syndicated profile] bruce_schneier_feed

Posted by schneier

It's common wisdom that the NSA was unable to intercept phone calls from Khalid al-Mihdhar in San Diego to Bin Ladin in Yemen because of legal restrictions. This has been used to justify the NSA's massive phone metadata collection programs. James Bamford argues that there were no legal restrictions, and that the NSA screwed up.

Mourning Nóirín Plunkett

Jul. 30th, 2015 03:32 am
[syndicated profile] geekfeminism_feed

Posted by addie

It’s been a sad day for many of us in the Geek Feminism community, as we process the news of Nóirín Plunkett’s passing.

Nóirín was a powerful force for positive change. We have lost a tremendous collaborator and friend, and they will be deeply missed.

Words are challenging in the face of a loss like this one; many thanks to those who have written in memoriam of Nóirín thus far.

The Apache Foundation: “Throughout Nóirín’s time at the Foundation she was an Apache httpd contributor, ASF board member, VP and ApacheCon organizer. Nóirín’s passionate contributions and warm personality will be sorely missed. Many considered Nóirín a friend and viewed Nóirín’s work to improving ‘Women in Technology’ as a great contribution to this cause.”

The Ada Initiative: “Nóirín will be remembered as a leading open source contributor; brilliant and compassionate and welcoming and funny. They were a long time leader in the Apache Software Foundation community, and a gifted speaker and documentation writer. Nóirín was key to the creation of the Ada Initiative in more ways than one. Since then they made invaluable contributions to the Ada Initiative as an advisor since February 2011, and a project manager in 2014. We are more grateful than we can say.”

Sumana Harihareswara: “When I was volunteering on the search for the Ada Initiative’s new Executive Director, I worked closely with Nóirín and could always count on their wisdom, compassion, and diligence. I am so grateful, now, that I had a chance to collaborate with them — I had hoped to work with them again, someday, in some organization or other. One of the last times I saw them, they were crying with happiness over the passage of the Irish same-sex marriage referendum. I don’t want to end this entry because there is no ending that can do justice to them.”

Rich Bowen: “Nóirín’s motto was Festina Lente – Hasten Slowly, and this embodies her approach to life. She considered things carefully, and rushed to get things done, because life is too short to get everything accomplished that we put our minds to. In the end, hers was far, far too short.”

Our thoughts are with everyone who shares our grief. Farewell, Nóirín.

Fugitive Located by Spotify

Jul. 29th, 2015 01:43 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

The latest in identification by data:

Webber said a tipster had spotted recent activity from Nunn on the Spotify streaming service and alerted law enforcement. He scoured the Internet for other evidence of Nunn and Barr's movements, eventually filling out 12 search warrants for records at different technology companies. Those searches led him to an IP address that traced Nunn to Cabo San Lucas, Webber said.

Nunn, he said, had been avidly streaming television shows and children's programs on various online services, giving the sheriff's department a hint to the couple's location.

On Nóirín Trouble Plunkett's Death

Jul. 29th, 2015 06:49 pm
[syndicated profile] sumana_feed
I was devastated today to learn of the death of my friend Nóirín Plunkett.

This is a terrible thing and I am still shocked and saddened to learn of their death. (Per their profile, please follow their pronoun preferences and use "they".)

Some things to know about them:

Their bold honesty about being sexually assaulted at an open source software event moved us to action; it helped spark the creation of the Ada Initiative.

As Geek Feminism's wiki documents, they were facing tremendous legal bills because of a legal conflict with an ex.

They had just started a new role at Simply Secure, one that combined their open tech expertise with their writing and coordinating skills and their judgment and perspective.

When I was volunteering on the search for the Ada Initiative's new Executive Director, I worked closely with Nóirín and could always count on their wisdom, compassion, and diligence. I am so grateful, now, that I had a chance to collaborate with them -- I had hoped to work with them again, someday, in some organization or other.

One of the last times I saw them, they were crying with happiness over the passage of the Irish same-sex marriage referendum.

I don't want to end this entry because there is no ending that can do justice to them.

Gimme shelter

Jul. 29th, 2015 11:12 am
[personal profile] badgerbag
We all need shelter some of the time.

Hug or send your good thoughts to a feminist activist today

Or just anyone near or far.
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default prompt you to share access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.

This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).

I first read about this over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.

“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.

The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.

Update, July 30, 12:35 p.m. ET: Ed Bott over at ZDNet takes issue with the experience described in the stories referenced above, stating that while Wi-Fi Sense is turned on by default, users still have to explicitly choose to share a network. “When you first connect to a password-protected Wi-Fi network, you choose if you want to share access to that network with your contacts,” Bott writes. Nevertheless, many users are conditioned to click “yes” to these prompts, and shared networks will be shared to all Facebook, Outlook, and Skype contacts (users can’t pick individual contacts; the access is shared with all contacts on a social network). Updated the lead to clarify that users are prompted to share.

El Reg says it well here:

That sounds wise – but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.

In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network. Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this.

I should point out that Wi-Fi networks which use the centralized 802.1X Wi-Fi authentication — and these are generally tech-savvy large organizations — won’t have their Wi-Fi credentials shared by this new feature.

Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID“) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).

It’s interesting to contrast Microsoft’s approach here with that of Apple, who offer an opt-in service called iCloud Keychain; this service allows users who decide to use the service to sync WiFi access information, email passwords, and other stored credentials amongst their own personal constellation of Apple computers and iDevices via Apple’s iCloud service, but which does not share this information with other users. Apple’s iCloud Keychain service encrypts the credentials prior to sharing them, as does Microsoft’s Wi-Fi Sense service; the difference is that it’s opt-in and that it only shares the credentials with your own devices.

Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS. But embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.

Why? For starters, despite years of advice to the contrary, many people tend to re-use the same password for everything. Also, lots of people write down their passwords. And, as The Reg notes, if you personally share your Wi-Fi password with a friend — by telling it to them or perhaps accidentally leaving it on a sticky note on your fridge — and your friend enters the password into his phone, the friends of your friend now have access to the network.

Source: How-To Geek


An article in Ars Technica suggests the concern over this new feature is much ado about nothing. That story states: “First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you’ll be asked if you want to share it with your friends/social networks.”

To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and says yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. True, that contact doesn’t get to see my Wi-Fi password, but he can nonetheless connect to my network.

While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name. The Register seems to think Windows 10 upgraders can avoid each by including both “_nomap” and “_optout” in the Wi-Fi network name, but this article at How-To Geek says users will need to choose the lesser of two evils.

Either way, Wi-Fi Sense combined with integrated Google mapping tells people where you live (and/or where your business is), meaning that they now know where to congregate to jump onto your Wi-Fi network without your permission.

My suggestions:

  1. Prior to upgrading to Windows 10, change your Wi-Fi network name/SSID to something that includes the terms “_nomap_optout”.
  2. After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.
  3. If you haven’t already done so, consider additional steps to harden the security of your Wi-Fi network.
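As an added example (my own code, not from this post, Microsoft or Google) of checking the SSID opt-outs discussed above: Microsoft's FAQ matches “_optout” anywhere in the network name, Google's own opt-out instructions require “_nomap” at the very end of the name, and 802.11 caps an SSID at 32 bytes, so bolting both markers onto a long name can silently overflow it. The checker reports which opt-outs an existing name satisfies and derives a name that satisfies both; the sample network names are constructed.

```python
SSID_MAX_BYTES = 32                 # 802.11 limit on SSID length
WIFI_SENSE_MARKER = "_optout"       # Microsoft's rule: anywhere in the network name
GOOGLE_MARKER = "_nomap"            # Google's rule: must be the end of the network name


def opts_out_of_wifi_sense(ssid: str) -> bool:
    """True if Windows 10 Wi-Fi Sense will refuse to share this network."""
    return WIFI_SENSE_MARKER in ssid


def opts_out_of_google_mapping(ssid: str) -> bool:
    """True if Google's location-service crawler will skip this network."""
    return ssid.endswith(GOOGLE_MARKER)


def opt_out_status(ssid: str) -> dict:
    """Report which opt-outs an existing SSID actually satisfies."""
    return {
        "wifi_sense": opts_out_of_wifi_sense(ssid),
        "google_mapping": opts_out_of_google_mapping(ssid),
        "fits_802_11": len(ssid.encode("utf-8")) <= SSID_MAX_BYTES,
    }


def suggest_opt_out_ssid(current: str) -> str:
    """Derive a name that satisfies both rules and still fits in 32 bytes.

    Existing markers are stripped first so the result never becomes
    "name_nomap_optout_nomap"; the base name is then truncated on UTF-8
    byte boundaries to leave room for the 13-byte "_optout_nomap" suffix.
    """
    base = current.replace(WIFI_SENSE_MARKER, "").replace(GOOGLE_MARKER, "")
    suffix = WIFI_SENSE_MARKER + GOOGLE_MARKER          # "_optout_nomap"
    room = SSID_MAX_BYTES - len(suffix.encode("utf-8"))
    base = base.encode("utf-8")[:room].decode("utf-8", errors="ignore")  # drop a split char
    if not base:
        raise ValueError("SSID has no usable characters left after removing markers")
    return base + suffix


if __name__ == "__main__":
    for name in ("HomeNet", "HomeNet_nomap_optout", "A" * 30):   # constructed sample names
        print(name, opt_out_status(name), "->", suggest_opt_out_ssid(name))
```

Note that the “_nomap_optout” ordering suggested in step 1 satisfies Microsoft's substring rule but not Google's suffix rule; the derived name puts “_nomap” last so both hold.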

Further reading:

What Is Wi-Fi Sense and Why Does it Want Your Facebook Account? 

UH OH: Windows 10 Will Share Your Wi-Fi Key With Your Friends’ Friends

Why Windows 10 Shares Your Wi-Fi Password and How to Stop it

Wi-Fi Sense in Windows 10: Yes, It Shares Your Passkeys, No You Shouldn’t Be Scared


Jul. 29th, 2015 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

If you're not one of the people complaining about the heat right now, then you're one of the people complaining about the people complaining about the heat.

Either way, we all have the same problem:

Bad bikini cakes.


Yep, this heat wave has clearly addled bakers' brains, my friends, and the results simply aren't pretty.

Unless maybe you're looking for two trees in a Seuss-ian landscape.


[head tilt]



Whoah. It's like I can't even see the tomato soup skin!


[singing] The hills are ALIIIIVE...

With butterfly CENsor dots!


No, wait. I have a better song.

(Ahem hem hem.)

From the MOUNT-ains,

To the VAL-leys,

To the OH-shoot!

Is that a THOOOOONG?

GOOOOOD bless America!


Oooohhh soooo wroooong!


Thanks to Heather R., Melissa D., Heather H., Ellen G., & Ginny, who will never look at a heart cookie the same way again.



iOS: Getting a Thumbnail for a Video

Jul. 29th, 2015 12:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate


Credit: Pixabay / SplitShire

Between various things being deprecated, and the new Photos framework (which looks cool but seemed a bit heavyweight for this purpose) finding this took me a while!

When the image picker returns with a video, it has a URL in info[UIImagePickerControllerMediaURL]. Then we can use AVAsset and AVAssetImageGenerator to get a thumbnail.

#import <AVFoundation/AVFoundation.h>

// The picker's info dictionary carries the video's file URL.
NSURL *mediaUrl = info[UIImagePickerControllerMediaURL];

// Gets the asset - note ALAsset is deprecated, not AVAsset.
AVAsset *asset = [AVAsset assetWithURL:mediaUrl];

// Calculate a time for the snapshot - I'm using the half way mark.
CMTime duration = [asset duration];
CMTime snapshot = CMTimeMake(duration.value / 2, duration.timescale);

// Create a generator and copy image at the time.
// I'm not capturing the actual time or an error.
AVAssetImageGenerator *generator =
    [AVAssetImageGenerator assetImageGeneratorWithAsset:asset];
// Honour the track's rotation metadata so portrait clips don't come out sideways.
generator.appliesPreferredTrackTransform = YES;
CGImageRef imageRef = [generator copyCGImageAtTime:snapshot
                                        actualTime:NULL
                                             error:NULL];

// Make a UIImage and release the CGImage (copyCGImageAtTime: follows the
// Create/Copy rule, so we own the returned image and must release it).
UIImage *thumbnail = nil;
if (imageRef) {
    thumbnail = [UIImage imageWithCGImage:imageRef];
    CGImageRelease(imageRef);
}

// TODO: Do something with the image!

Also useful when using the simulator: test videos. Download, open on the simulator, and then save via the share button as for images.

This is something I was working on for Digital Fan Clubs.

Bizarre High-Tech Kidnapping

Jul. 29th, 2015 06:34 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

This is a story of a very high-tech kidnapping:

FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing metadata from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.

The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they used a search warrant to AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they called AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.

The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.

Here's the criminal complaint. It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it.

The Lean Linkspam (28 July 2015)

Jul. 29th, 2015 04:11 am
[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • TODO Group And Open Source Codes of Conduct | Model View Culture: “We’ve come up with some pretty great resources and tools, put them into practice, tested and iterated, and built community consensus. Yet TODO swoops in to erase and replace all of this work: without our consent or input, a group of massive companies with practically unlimited funds are branding and pushing a code of conduct that suits their needs, not ours.”
  • That time the Internet sent a SWAT team to my mom’s house | Boing Boing: “As the reporter recounted all of this to me, I was living my research in real time. I was well-versed in the mechanics of a prank like this, but that didn’t abate the anxiety attacks I was having.”
  • Managers beware of gender faultlines | EurekAlert! Science News: “In addition to gender divisions, the authors looked at a more benign kind of faultline: Those created by cliques centered on job types (that is, when people with similar job duties share not only that trait but other demographic qualities such as gender, age and time served.) When the diversity environment was positive, that kind of group identity actually led to stronger feelings of loyalty toward the firm. But the positive effect of job-function cliques disappeared when the diversity climate was unsatisfactory.”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

The Life-Changing Magic of Six Months

Jul. 28th, 2015 08:50 pm
[syndicated profile] hypatia_dot_ca_feed

Posted by Leigh Honeywell

Earlier this year, I read Marie Kondo‘s bestselling book, “The Life-Changing Magic of Tidying Up” after reading a review in the New York Times. Her fantastic “KonMari” decluttering / home organization methodology was, for me and many others I know who’ve read it, life-changing. Asking yourself whether an item “sparks joy” and then thanking it for its service if you choose to discard it has had a transformative effect on how I think about the stuff in my space, and has been particularly useful as I whittle down my 1-bedroom-apartment’s worth of stuff into a more reasonable amount for my current studio.

Throughout the book, she directs the reader to embark on their tidying effort “all at once” and “in one go.” I found this extremely intimidating! I have a lot of crap from a decade of mostly living on my own, and there are many ~feels~ associated with said crap. Processing those feels is a lot of work – as Kondo puts it, “The question of what you want to own is actually the question of how you want to live your life.” So “all at once” felt, at times, super overwhelming to read.

Except that when she says “all at once,” she means six months. She only says this once in the whole book:

To achieve a sudden change like this, you need to use the most efficient method of tidying. Otherwise, before you know it, the day will be gone and you will have made no headway. The more time it takes, the more tired you feel, and the more likely you are to give up when you’re only halfway through. When things pile up again, you will be caught in a downward spiral. From my experience with private individual lessons, “quickly” means about half a year. That may seem like a long time, but it is only six months out of your entire life. Once the process is complete and you’ve experienced what it’s like to be perfectly tidy, you will have been freed forever from the mistaken assumption that you’re no good at tidying. (kindle link)

When I got to this passage I breathed a sigh of relief, and I wanted to share it in the hopes that it will encourage others to read her book and go a little easier on themselves in doing so. Here’s to sparking joy!

New RC4 Attack

Jul. 28th, 2015 12:09 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

New research: "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," by Mathy Vanhoef and Frank Piessens:

Abstract: We present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol. To empirically find new biases in the RC4 keystream we use statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new long-term biases. Our fixed-plaintext recovery algorithms are capable of using multiple types of biases, and return a list of plaintext candidates in decreasing likelihood.

To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9*2^27 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.

News articles.

We need to deprecate the algorithm already.
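The abstract above says the authors found "many new biases in the initial keystream bytes" by running statistical hypothesis tests over RC4 output. The oldest and simplest such bias, the Mantin-Shamir observation that the second keystream byte is 0 about twice as often as it should be, is enough to see why a keystream with detectable structure cannot be trusted as a one-time pad. The following is an added example, not code from the paper or from this post: a textbook RC4 implementation plus a small hypothesis test that generates random 16-byte keys (constructed here with a seeded PRNG), counts how often keystream byte at a chosen position takes a chosen value, and reports a z-score against the uniform null hypothesis of 1/256. The helper names (`rc4_keystream`, `bias_z_score`) and the key count are assumptions of this example, not the paper's tooling.

```python
import math
import random


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: returns the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 pseudo-random generation (PRGA) output."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: XOR the data with the keystream (same call decrypts)."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def bias_z_score(position: int, value: int, num_keys: int = 30000,
                 key_len: int = 16, seed: int = 1) -> dict:
    """Hypothesis test for a single-byte keystream bias.

    Null hypothesis: keystream byte `position` equals `value` with probability
    exactly 1/256. We sample `num_keys` random keys (constructed with a seeded
    PRNG so the run is reproducible), count the hits and return the count, the
    observed rate and the z-score against the binomial null distribution.
    A |z| well above ~4 means the bias is real, not sampling noise.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        if rc4_keystream(key, position + 1)[position] == value:
            hits += 1
    p0 = 1 / 256
    expected = num_keys * p0
    std = math.sqrt(num_keys * p0 * (1 - p0))
    return {"count": hits, "rate": hits / num_keys, "z": (hits - expected) / std}


if __name__ == "__main__":
    # Sanity check against the well-known test vector: key "Key", plaintext "Plaintext".
    print(rc4_encrypt(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    # Second keystream byte (index 1) equal to 0: ~2/256 instead of 1/256.
    r = bias_z_score(position=1, value=0)
    print(f"Z_2 == 0: rate {r['rate']:.5f} (uniform would be {1/256:.5f}), z = {r['z']:.1f}")
```

Changing `position` and `value` lets you scan other early keystream positions the same way; the paper's contribution is doing exactly this at scale (and with multi-byte and long-term biases), then turning the resulting probability tables into ranked plaintext candidates. The defensive takeaway is the one Schneier draws: a cipher whose keystream is this far from uniform leaks plaintext to anyone who can collect enough ciphertexts, so disabling RC4 cipher suites is the fix, not tuning how it is used.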

[syndicated profile] cakewrecks_feed

Posted by Jen

Parents, are the kids making too much noise? Need to quiet them down a bit? Maybe get them rocking themselves in the fetal position for the next few hours, followed by a life-long enrollment in therapy?


"Hey, kids, that's not sunburn - it's pulverized entrails! Ho-ho!"


"My name's Murders-A-Lot, and I like warm hugs!

"... followed by murder."


"We're gonna wreck... [clap!]... YOU UP."


[muffled screaming]


I know I usually blur out bakery labels to protect the guilty, but what the actual heck, Baskin Robbins:

Sleep sweet, kiddos.


Thanks to Sarah H., Tom S., Sarah Y., Erica K., & Carol V. for finding a cake that mirrors all of our faces right now.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] bruce_schneier_feed

Posted by schneier

The Stagefright vulnerability for Android phones is a bad one. It's exploitable via a text message (details depend on auto downloading of the particular phone), it runs at an elevated privilege (again, the severity depends on the particular phone -- on some phones it's full privilege), and it's trivial to weaponize. Imagine a worm that infects a phone and then immediately sends a copy of itself to everyone on that phone's contact list.

The worst part of this is that it's an Android exploit, so most phones won't be patched anytime soon -- if ever. (The people who discovered the bug alerted Google in April. Google has sent patches to its phone manufacturer partners, but most of them have not sent the patch to Android phone users.)

[syndicated profile] epbot_feed

Posted by Jen

I talk about Tonks so little here that most people are surprised to learn we even have two cats - but in my defense, Lily is vastly superior, and Tonks is John's cat.  :D

That said, I just got Tonks a new collar that I think merits a photo or two:


(It's from Purrfect Collars on Etsy, and the bow is the smaller size available.)

Tonks is a very cat-like cat; she's driven by catty instincts, like forever trying to cover up her food bowl or stick her nose right inside your mouth for a good sniff - which can make yawning with your eyes closed an alarming experience.

Tonks is also addicted to hair products, and will treat newly shampooed or gelled hair like her own personal catnip garden - albeit one that's attached to the tops of those pesky humans. When I do my back stretches on the floor, she'll actually roll in my long hair, before attempting to eat it. 

But if my hair is catnip, John's hair is Mega Kitty Crack. Tonks can't get enough of it, and will jump to the back of the couch, plant her paws on his shoulders, and dig right in.

Here's John proffering his newly washed-and-gelled locks:

"What heaven is this??"

And one second later:

She'd crawl right up there if he gave her half the chance. Ha!

But hey, enough about Tonks. 

Let's get back to talking about Lily.  :D


Actually, it's time to announce this month's Art winners!

So, the winner of the Batman & Batgirl set is Chiana   
The winner of Link & Wonder Woman set is Erin Schleif
And my wild-card winner, who gets to choose from anything off the Give-Away Board, is Raum

Congrats, winners, and please e-mail me your mailing addresses!

P.S. Kaitlyn Nielson, Blogger kept eating my reply to your comment - though I tried many times! - so please e-mail me your choice from the board, too, k? Or message me on Twitter or FB, since your first one didn't go through.

Slides & Code from HTTP Can Do That?!

Jul. 27th, 2015 09:00 pm
[syndicated profile] sumana_feed

My slides are up, as is demonstration code, from "HTTP Can Do That?!", my talk at Open Source Bridge last month. I am pleased to report that something like a hundred people crowded into the room to view that talk and that I've received lots of positive feedback about it. Thanks for help in preparing that talk, or inspiring it, to Leonard Richardson, Greg Hendershott, Zack Weinberg, the Recurse Center, Clay Hallock, Paul Tagliamonte, Julia Evans, Allison Kaptur, Amy Hanlon, and Katie Silverio.

Video is not yet up. Once the video recording is available, I'll probably get it transcribed and posted on the OSBridge session notes wiki page.

I've also taken this opportunity to update my talks and presentations page -- for instance, I've belatedly posted some rough facilitator's notes that I made when leading an Ada Initiative-created impostor syndrome training at AdaCamp Bangalore last year.

[syndicated profile] bruce_schneier_feed

Posted by schneier

This is significant.

News article.

EDITED TO ADD (7/28): Commentary, and former Director of the National Counterintelligence Center Michael Leiter's comments.

[syndicated profile] epbot_feed

Posted by Jen

It's done!

This may be one of my most labor-intensive projects yet, which is silly when you consider all I set out to do was re-paint a plastic chess set:

This set was produced over ten years ago, but you can still find used ones on ebay in the $30 range. I initially bought mine to turn into ornaments for our Harry Potter tree, but decided to instead spiff it up for year-round display in our steampunk room.

I debated matching the set in Sorcerer's Stone, but since they already sell a high-end version in a more realistic stone finish, I decided to go with a wholly unique gold-and-silver scheme.

So just a few blasts of spray paint, right? 

Er... as it turned out, not so much.

Here's what it took:

First I filled the hollow horse bodies with aluminum foil & epoxy putty:

I also used epoxy putty to inset lead fishing weights into the hollow bottoms of ALL the pieces:

This gives them a delightful heft, and helps sell the metal illusion.

Smoothing out the epoxied bottoms:

Next, a solid week of testing different primers before FINALLY finding one that sticks to the rubbery sections of the pieces:

The winning primer was a shellac-based spray called BIN, btw. Even that isn't perfect, though; it's so rigid that the slightly-flexible horse legs and maces have already flaked a little.  >.<

At this stage I realized both Kings were doing a funky Michael Jackson lean:

So I paused while John did some tedious surgery to fix them.
He had to pry them off the base, shave down the heels, and then re-epoxy them in place.

Next, many, MANY passes of the metallic gold and silver base coats:

Every time I thought I was done, I'd find another nook or cranny I missed. I had to keep the coats light, to avoid filling in all that fabulous detail.

But here's where it gets tedious. 
(Yes, it's only NOW getting tedious. Ha!)

Next I used a teensy-tiny brush to apply contrasting liquid leaf in certain areas. Really helps bring out some of the detail, right?

The hand-painting was SUPER fun... for about the first 8 pieces. The whole set took me about 4 evenings to paint, and I was extremely ready to be done by the end. Urg.

Starting to look like metal?

I paused here for a good week or two, because the next step was kind of painful. I mean, look at that beautiful shine!

Still, I was convinced it needed aging to bring out the rest of the detail, so eventually:

Here we go: I painted small sections with raw umber acrylic paint, then quickly wiped it off again with a damp rag. Not quite as tedious as the hand-painting, but close.

A before-and-after with the two gold Knights:
I do like shiny, but I love the aged one. It just looks more substantial.

Now, pretty photoshoot time!

Check out those glorious horse bellies: would you ever guess that's epoxy putty?
(Yeah, I'm bragging. GIVE ME THIS MOMENT.)

As-is, the plastic set hides a TON of impressive detail. Just look at the difference:

From this...

To this!

Ah, I forgot to mention: I finished the set by gluing black felt bottoms to all the pieces. Which was tricky, since the bases are imperfect octagons.

I may have gotten carried away with this photo shoot and taken about 100 shots.

I, uh, promise not to include them all here, though.

Size reference:

I really love how heavy they are with those embedded lead weights. 

You may have noticed I don't have a chess board yet.

I'm debating between just buying one and making one, and also which color scheme to go with. Plus I'm talking with John about making a wall-mounted display, which I think would be pretty sweet. (Maybe with a mirrored backing? OoooOOOOooh.)

And that's my Harry Potter chess set! 

Hope you guys enjoyed the eye candy!

The Wheels of Justice Turn Slowly

Jul. 27th, 2015 03:39 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

On the evening of March 14, 2013, a heavily-armed police force surrounded my home in Annandale, Va., after responding to a phony hostage situation that someone had alerted authorities to at our address. I’ve recently received a notice from the U.S. Justice Department stating that one of the individuals involved in that “swatting” incident had pleaded guilty to a felony conspiracy charge.

“A federal investigation has revealed that several individuals participated in a scheme to commit swatting in the course of which these individuals committed various federal criminal offenses,” reads the DOJ letter, a portion of which is here (PDF). “You were the victim of the criminal conduct which resulted in swattings in that you were swatted.”

The letter goes on to state that one of the individuals who participated in the scheme has pleaded guilty to conspiracy charges (Title 18, Section 371) in federal court in Washington, D.C.

The notice offers little additional information about the individual who pleaded guilty or about his co-conspirators, and the case against him is sealed. It could be the individual identified at the conclusion of this story, or someone else. In any case, my own digging on this investigation suggests the government is in the process of securing charges or guilty pleas in connection with a group of young men who ran the celebrity “doxing” Web site exposed[dot]su (later renamed exposed[dot]re).

As I noted in a piece published just days after my swatting incident, the attack came not long after I wrote a story about the site, which was posting the Social Security numbers, previous addresses, phone numbers and credit reports on a slew of high-profile individuals, from the director of the FBI to Kim Kardashian, Bill Gates and First Lady Michelle Obama. Many of those individuals whose personal data were posted at the site also were the target of swatting attacks, including P. Diddy, Justin Timberlake and Ryan Seacrest.

The Web site exposed[dot]su featured the personal data of celebrities and public figures.

Sources close to the investigation say Yours Truly was targeted because this site published a story correctly identifying the source of the personal data that the hackers posted on exposed[dot]su. According to my sources, the young men, nearly all of whom are based here in the United States, obtained the personal data after hacking into a now-defunct online identity theft service called ssndob[dot]ru.

Investigative reporting first published on KrebsOnSecurity in September 2013 revealed that the same miscreants controlling ssndob[dot]ru (later renamed ssndob[dot]ms) siphoned personal data from some of America’s largest consumer and business data aggregators, including LexisNexis, Dun & Bradstreet and Kroll Background America.

The administration page of ssndob[dot]ru. Note the logged in user, ssndob@ssa.gov, is the administrator.

I look forward to the day that the Justice Department releases the names of the individuals responsible for these swatting incidents, for running exposed[dot]su, and hacking the ssndob[dot]ru ID theft service. While that identity theft site went offline in 2013, several competing services have unfortunately sprung up in its wake, offering the ability to pull Social Security numbers, dates of birth, previous addresses and credit reports on virtually all Americans.

Further reading:

Who Built the Identity Theft Service SSNDOB[dot]RU? 

Credit Reports Sold for Cheap in the Underweb

Data Broker Giants Hacked by ID Theft Service

Data Broker Hackers Also Compromised NW3C

Swatting Incidents Tied to ID Theft Sites?

Toward a Breach Canary for Data Brokers

How I Learned to Stop Worrying and Embrace the Credit Freeze


Jul. 27th, 2015 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by john (the hubby of Jen)

Warning: A supposedly naughty cake ahead. (But good luck seeing it.)


"We asked for Mike Wazowski from Monsters, Inc."



"This was our Hello Kitty cake:"



"They told us those were flames."



"Believe it or not, it's supposed to be a penis."




Thanks to Amy J., Cindy P., Sara W., & Sarah H., who all knew it was bound to happen sooner or later.


Thank you for using our Amazon links to shop! USA, UK, Canada.

Santiago, April-May 2015

Jul. 27th, 2015 12:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

I go everywhere expecting to like it, but the truth is – I really didn’t like Santiago. It didn’t get off to a great start when I arrived at the airport exhausted, didn’t try and get a SIM card or money, but went straight to my AirBnB and found that it wasn’t ready. The following day was Sunday, and so I went out hunting for an ATM, food, and a SIM card. An ATM was relatively easy to find, but almost everywhere was closed so I was reduced to eating breakfast at Starbucks and went home still without data.

Monday I tried again, found somewhere better for breakfast, and went around in circles trying to get a SIM card and being told “no” – even by places with signs in the window advertising the availability of SIM cards. I finally managed to buy one, and ended up paying for it a second time rather than buying credit for it which had been my intention (I’ve no idea what this was actually for… it sounded like some kind of insurance). Well… at least it was cheap.

This generally was my experience in Santiago, and why I found it stressful – I had a very high failure rate. It took me ages to find a decent gym (the first one was so terrifying, I walked inside… and then walked straight out again), and most times I went looking for a restaurant I couldn’t eat at the first one because it was shut, or not actually a restaurant. Sundays everything (including restaurants) was shut, and likewise on national holidays (of which there was one whilst I was there). The AirBnB was OK, but didn’t have laundry in-suite, and dealing with that ended up being stressful, as the host’s instructions for using the communal laundry didn’t work.

Basically it was just Hard Work, and unfriendly – which, when travelling alone, means you don’t have someone to reminisce with about “oh do you remember? Nothing was open and we had to eat at McDonalds!”

But there were some cool things. There’s a hill (Cerro Santa Lucia) in the centre of town which was beautiful, and I loved Museo Ralli, lots of Dali including some sculptures, and some other artists I really liked. I went to the Artequin (cool building), and the human rights museum (dark, and not much translated text although I hear there is an audio guide). There were also some nice parks, including one with a plane in it.

I went to the spa, which was lovely and just what I needed. I found a favourite breakfast place where I went every day – except Sunday – with lovely staff who taught me Spanish! There was a cafe in a cultural centre, Cafe Civico which I quite liked and was actually open on Sundays.

Having arrived and hated it, I cut my trip short (I’d planned to stay ~3 weeks but left a week early) and went to Easter Island. I’d consider going back, and spending a couple of days in a hotel if I was in the area, but I wouldn’t go back for an extended stay again.

[syndicated profile] bruce_schneier_feed

Posted by schneier

This is an interesting article that looks at Hacking Team's purchasing of zero-day (0day) vulnerabilities from a variety of sources:

Hacking Team's relationships with 0day vendors date back to 2009 when they were still transitioning from their information security consultancy roots to becoming a surveillance business. They excitedly purchased exploit packs from D2Sec and VUPEN, but they didn't find the high-quality client-side oriented exploits they were looking for. Their relationship with VUPEN continued to frustrate them for years. Towards the end of 2012, CitizenLab released their first report on Hacking Team's software being used to repress activists in the United Arab Emirates. However, a continuing stream of negative reports about the use of Hacking Team's software did not materially impact their relationships. In fact, by raising their profile these reports served to actually bring Hacking Team direct business. In 2013 Hacking Team's CEO stated that they had a problem finding sources of new exploits and urgently needed to find new vendors and develop in-house talent. That same year they made multiple new contacts, including Netragard, Vitaliy Toropov, Vulnerabilities Brokerage International, and Rosario Valotta. Though Hacking Team's internal capabilities did not significantly improve, they continued to develop fruitful new relationships. In 2014 they began a close partnership with Qavar Security.

Lots of details in the article. This was made possible by the organizational doxing of Hacking Team by some unknown individuals or group.


Page generated Jul. 31st, 2015 07:24 pm
Powered by Dreamwidth Studios