IT World explored how the weakest link in the security of any organization is human weakness.
„Security experts used fake Facebook and LinkedIn profiles pretending to represent a smart, attractive young woman to penetrate the defenses of a U.S. government agency with a high level of cybersecurity awareness, as part of an exercise that shows how effective social engineering attacks can be, even against technically sophisticated organizations.”
Also, it turns out US intelligence agencies have their own Twitter. There is so much I would give to be able to read it just once.
Vulnerabilities in Microsoft and Office – lock your doors and don’t open attachments, because Indian (and other) groups are targeting the way Microsoft code processes TIFF images. Exciting article with great links.
While we are on the topic of Microsoft: last week there was some talk about how IE is still the browser with the most users – it seems that in some places, like South Korea, laws are part of the problem. In a country where online shopping is huge, the authentication needed to make purchases above $280 is tied to ActiveX, which is made by Microsoft. On mobile devices, there are special security apps. In a way, this makes me wonder whether this legal background is what made it possible for South Korea to become this big in e-commerce.
Last week I was on the verge of turning off notifications for any news with the word IPO in it. There were three of them, though, which were worth the read:
- AdAge points out some big problems Twitter faces – having a niche audience, not creating content, only meta-content, etc.
- Facebook was trying really hard to buy Twitter. Facebook, friendly piece of advice: leave the teens alone, make an email service for them, but leave them, and concentrate on your new market: those above 40.
- „Last month a Reuters/Ipsos poll found that 36 percent of people who joined Twitter say they don’t use it” (Technology Review)
Tesco gas stations in the UK now personalize ads based on face-recognition software. The Atlantic put together a list of other projects based on facial recognition which will make you consider the beauties of living in the woods, far from civilization.
Scramble is an open-source encrypted mail service with a wonderful description of what is wrong with encryption today, plus a bit of cryptography. Great read; if you’re in the US, do sign up.
Scramble’s description already touched on what was wrong with Lavabit, but Thought Catalogue also has a well-written critique of the service.
THE FUTURE OF BROWSERS
Borge Forrteller suggests that the future of the browser is to have Facebook’s attributes within it (but outside of Facebook). You could, ideally, use your browser to chat and get updates. (After you have seen what the future might look like, take a look at the hilariously written account of their past, a.k.a. „Mozilla the Mosaic killer”.)
This Monday, Prezi put together the first Budapest IT Security meetup for „everyone interested in security”. First, let me just say a huge thank you for both throwing the event (there was beer and pizza!) and making it open for everyone (beer and pizza! I was excited about that). Many of these meetups tend to be exclusive boys’ clubs where everyone knows everyone; it’s great they opened up to a wider audience.
The two presenters were Balazs Bucsay, Ethical Hacking Engineer at Vodafone and Mihaly Zagoff from Prezi’s IT security team. Both presentations were very exciting while showing two totally different sides of the same field.
Balázs’s topic was „It is not the crypto that makes a code secure” (let me TL;DR it: it’s how you implement it). He talked about breaking into a Nagios-like piece of software, which uses active monitoring (servers querying the nodes) and traffic encryption, like Nagios does. Balázs basically walked the audience step by step through how they managed to decrypt the software’s traffic, which was exactly the kind of thing I went to the meetup for (let’s decrypt all the softwares!). They basically sniffed the traffic, saw it was Base64 (fairly easy to recognize: it uses the entire alphabet, equal signs appear at the end, etc.), and then looked for crypto algorithms in the binary with the help of open source tools. They then used the application in a basic way (with the configs grabbed from the server), and after a couple of hours, they found the key hardcoded into the binary. They then applied the same algorithm that they had identified from the Base64-encoded traffic in Hex-Rays (C formatting) – by that time, they knew what the key was and which algorithm had been used to encrypt.
They had the key and the encryption algorithm (Blowfish) – but they went ahead and checked whether there was any more stuff left hardcoded in the binary. They turned the sniffed binary data into clear text, which meant that they were at their most powerful: if they modify that script, encrypt it again, and then send it back to the nodes, they can run any type of command on the server.
What was screwed up?
DO NOT HARDCODE YOUR KEY. That was the big moral of Balázs’s presentation. First, use asymmetric cryptography to protect your key (have one private key that only the server knows, and one public key), and then you can use symmetric encryption, such as Blowfish, to encrypt your traffic.
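Here is what that recommended design looks like in working code, as an added example and not anything from Balázs’s talk or from the software he tested: the server keeps the only private key, each node wraps a fresh random session key with the server’s public key (RSA-OAEP), and the monitoring traffic is then encrypted under that session key and Base64-encoded, the same shape as the sniffed traffic. AES-GCM is used in place of Blowfish because Blowfish is not in Go’s standard library, and the sample command and key sizes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// GenerateServerKey runs once on the server; the private key is the only
// long-lived secret and node binaries ship with the public half alone.
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NodeHello (node side): draw a fresh session key, wrap it with RSA-OAEP.
func NodeHello(pub *rsa.PublicKey) (wrapped, sessionKey []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return wrapped, sessionKey, err
}

// Unwrap (server side): only the private key recovers the session key.
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// aead builds the traffic cipher: AES-GCM stands in for Blowfish and also
// authenticates each message, so re-encrypted modified scripts are rejected.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message and Base64-encodes nonce||ciphertext||tag,
// the same shape the sniffed traffic in the talk had.
func Seal(key, plaintext []byte) (string, error) {
	gcm, err := aead(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// Open decodes and decrypts; tampering or a wrong key fails the tag check.
func Open(key []byte, encoded string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext (%v)", err)
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	priv, _ := GenerateServerKey()
	wrapped, nodeKey, _ := NodeHello(&priv.PublicKey)
	srvKey, _ := Unwrap(priv, wrapped)
	wire, _ := Seal(nodeKey, []byte("check_disk /var")) // constructed command
	plain, err := Open(srvKey, wire)
	fmt.Printf("wire: %s\nserver reads: %q (err=%v)\n", wire, plain, err)
}
```

This still leaves the node trusting whichever public key it is handed, so in a real deployment that key has to be pinned or otherwise verified, or a fake server could substitute its own.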
What we learnt
- Don’t implement code, if you don’t know what you’re doing.
- Do test software before you buy it and have amazing warranties.
- Also, did I mention the part about NOT HARDCODING YOUR KEY?
Mihály’s presentation was slightly less technical but still very instructive. Prezi has a bug bounty program going on, and Mihály basically showed the backstage of the program. His presentation was captivating because he was really excited that the program was taking place, about the number of submissions they received and about Prezi itself.
Mihály introduced the security team at Prezi, and how their goal was creating scalable security – when a company grows as fast as Prezi did, they can’t just keep doing penetration testing.
The bug bounty program’s principle originated from Mozilla, who introduced the concept in 2004. Since then, a number of other companies have started to allow white hat researchers to test their apps, the latest and most famous being Google with its open source projects.
As I mentioned, Mihály had faith in the program: according to him, everyone wins, as you learn from it, know about any problem ASAP, and you can postmortem your way through how they could have spotted it before. He claimed it was not more risky than any given day in the jungle: the bad guys were always there. They prepared to monitor and follow the attacks in real time (which, in the first couple of days, when submissions peaked, was impossible), but they did track them using Kibana. They also knew from their issue history that there would be unavoidable attacks – cross-site request forgeries and JSONP, to mention two they counted on happening. What they learnt is that CSRF can be really bad, and that DOM-based XSS will happen if you don’t sanitize all your input. Mihály mentioned that XSS was the most common attack they experienced, but they also had a phishing attack (which I’m not sure was in the scope of the program?). Prezi also continued with its transparency decision: the findings (with timestamps) were put up on GitHub. What was unexpected to me was that these gists they put up for educational reasons (and in order not to have the same attacks happen multiple times) were hard to write in a way that shows enough info, but not too much.
In the first 12 days, they found 21 issues, 18 of which have already been solved (which is an amazing percentage). Interestingly, Mihály said the biggest change that the program brought with it was within the company culture – system devs are now more concerned about security, because they know „someone is always watching”. After the presentations, Mihály told me that hopefully, in the future, they might do the same program with their smartphone app as well, which I’m really excited about, because (then I can pull a 301 Moved Permanently status code abuse on them) we don’t talk about app security enough.
So, all in all, the event was wonderful. Let there be more like this one, a lot more.
THERE WILL BE A NEW EMAIL PROTOCOL A NEW EMAIL PROTOCOL A NEW EMAIL PROTOCOL that I’m way too excited about, because, as Jon Callas, CTO of Silent Circle, said: „E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends.” It shall be more secure and private. Read it, live it, love it, and fund it on Kickstarter when the campaign starts.
TechCrunch reported on a Uruguayan startup, Truly.am, that uses the SkyBiometry Facial Recognition API in such a way that once you upload a picture of a given email address’s owner, the owner can prove that it’s their picture by letting their webcam take a number of pictures of them. Who wants to make bets on how much time it’ll take until Google/Facebook/Match.com buys the service and makes it obligatory for its users?
After the news on how your Facebook statuses give away information on your age, race, and sex, it turns out data mining can point to who you are romantically involved with.
„It turns out that if one of your Facebook friends—let’s call him Joe—has mutual friends that touch disparate areas of your life, and those mutual friends are themselves not extensively connected, it’s a strong clue that Joe is either your romantic partner or one of your closest personal friends.”
If you put your data in someone else’s hands (or app), they will make money off it. InfoScout „entic[ed] people to anonymously upload all their receipts via their smartphones”, analyzed the data, and now sells it to marketers. If I had to choose, InfoScout still seems better than most other services, as they actually pay customers for the uploading – ReceiptHog pays coins redeemable via PayPal or Amazon gift cards, while Shoparoo turns the receipts into donations, which just seems amazing to me – InfoScout has covered all the consumer desires, be they materialistic or charitable.
The awkward moment, when news about the Mavericks OS spread that the iSight camera is always on (because if there is movement in front of it, it will not go idle), but then realizing, it’s not the camera, but the light sensor to the left of the camera, that senses movement, and everyone lets out a relieved breath, only to realize later on, that it doesn’t really matter, because the fact is, it could have been the camera.
So remember how last week everyone was talking about Douglas Hofstadter, „The Man who Would Teach Machines to Think”, and how the expression „artificial intelligence” became corrupted, as people started to use it to signal that they would solve problems intelligently (see: Siri), when really it meant turning human thinking into software, basically? Good news for Mr. Hofstadter: AI company Vicarious just used „an old idea of using an artificial neural network that is modeled on the brain and builds connections between artificial neurons” to break CAPTCHAs with a success rate of 90-99%. While Vicarious is not the first to break CAPTCHAs (list of others), it certainly is the scariest:
„Vicarious hopes to eventually sell systems that can easily extract text and numbers from images (such as in Google’s Street View maps), diagnose diseases by checking out medical images, or let you know how many calories you’re about to eat by looking at your lunch. “Anything people do with their eyes right now is something we aim to be able to automate,” says cofounder D. Scott Phoenix.”
Or I have just been reading „The Circle” by Dave Eggers too much.
Umm, your wireless could double its speed soon.
„Kumu built an extremely fast circuit that can predict, moment by moment, how much interference a radio’s transmitter is about to create, and then generates a compensatory signal to cancel it out. The circuit generates a new signal with each packet of data sent, making it possible to work even in mobile devices, where the process of canceling signals is more complex because the objects they bounce off are constantly changing.”
More cat videos!
Some IE hate
IE is still the web browser with the most users (yet not with the most usage – that’s Chrome). While some cry sad tears over this, we must not forget that Windows XP (that 1 in 4 PCs still run – if you wanna cry about something, this might be the time) will not allow any IE above IE 8 to run. Why is that bad? Because many, many companies are really invested in Microsoft products, and they will have IE as the „natural choice”. Troy Hunt (whose amazing blog continues to be amazing) gives a wonderful explanation of why big corporations should suck it up and change from XP.
It was also a good week, if you like to see marketers freak out (who doesn’t?)
… as Google started to limit the information publishers would see about their keywords. Honestly, I feel like it might lead to better content, as publishers will be less able to play the algorithms. So we will see how the new buzzword, OAO (Online Audience Optimization) will work out.
The Bubble We Live in
Snapchat is valued between 3 and 4 billion dollars. Tencent, a Chinese media holding might buy it, but no one is really sure why. Washington Post guesses it would add Snapchat to its offerings.
The International Prototype Kilogram (against which 39 other copies are measured) is changing its weight, and no one knows why. As four out of seven SI base units are underpinned by the kilogram, this is less than ideal. Scientists are trying to pin down Planck’s constant precisely enough to make sure that the kilo can be defined by something other than a physical artifact, but it might take until 2018 to figure that out.
Tl;Dr: can you believe that there is actually a prototype kilogram, and the kilo is not something constant? I had no idea.
USB standards are changing (the world). Next year a new USB Power Delivery standard will come out, raising the amount of power transferable via USB to 100 watts (from the 10 that is currently in place). Why is that so important?
The big roll-out is expected to happen in 2015, but the article notes that big data servers are already using DC, which is super surprising (well, for me).
And not so much as news, but there is a wonderful essay over at the Atlantic on what Artificial Intelligence used to mean (exploring the human mind) and what it means now (solving human problems intelligently with the help of big data). It is also a marvelous piece of writing and look into the brain of Douglas Hofstadter. Highly recommended.
Another fantastic piece of writing on The Atlantic (which also mentions the Jeopardy-trumping IBM supercomputer) is by Nicholas Carr on how automation is changing our lives (for the worse, of course, not a surprise if you read his book).
„A labor-saving device doesn’t just provide a substitute for some isolated component of a job or other activity. It alters the character of the entire task, including the roles, attitudes, and skills of the people taking part.”
It is worth a read, especially his points on the best practices of software development (switching control back to humans, making people perform challenging tasks, etc.), as “it is humanly impossible to carry out the basic function of monitoring for unlikely abnormalities”. (Tell that to my boss.)
As a tie-in of the topic to privacy, Evgeny Morozov also had an essay in the Technology Review on how big data is endangering democracy, and what could be done about it.
Instead of getting more context for decisions, we would get less; instead of seeing the logic driving our bureaucratic systems and making that logic more accurate and less Kafkaesque, we would get more confusion because decision making was becoming automated and no one knew how exactly the algorithms worked. We would perceive a murkier picture of what makes our social institutions work; despite the promise of greater personalization and empowerment, the interactive systems would provide only an illusion of more participation. As a result, “interactive systems … suggest individual activity where in fact no more than stereotyped reactions occur.”
And how does that work in real life? For example, it might be algorithms that decide how much screening you will receive at airports:
Critics argue that the problem with what the agency calls an “intelligence-driven, risk-based analysis” of passenger data is that secret computer rules, not humans, make these determinations. Civil liberties groups have questioned whether the agency has the legal authority to make these assessments, which the T.S.A. has claimed in Federal Register notices and privacy disclosures about the initiative. Privacy advocates have also disputed whether computer algorithms can accurately predict terrorist intent.
Kenneth Lipp reported from the 120th Annual Meeting of the International Association of Chiefs of Police that 86.1% of law enforcement agencies use social media for investigative purposes, and that soon Facebook will be able to block any “user from the social media platform by account, Internet location, and device” “if it is determined they have posted what is deemed criminal content”.
And if you want to freak out, think about who owns your data and if you think they handle it well enough, especially after Experian, one of the three major credit card services, sold 500 000 pieces of “fullz”, “a complete package of identifiable information including a person’s name, address, Social Security number, birth date, place of work, duration of work, state driver’s license number, mother’s maiden name, bank account numbers, bank routing numbers, e-mail accounts, and account passwords.”
Based on the NSA presentation „Tor Stinks” (…), Ars Technica decided to look into whether it’s possible to identify Tor users based on their Yahoo/Hotmail/Gmail cookies. The article’s answer: only the older versions of Tor have this vulnerability. Other people point out that the NSA has so, so many other ways to intercept data – and something that we’re just beginning to find out about is hardware backdoors, which are truly scarier than cookies. Nobody is really sure yet, but
„The Times report says, however, that the NSA inserted backdoors into some encryption chips that businesses and governments use to secure their data, and that the agency worked with an unnamed U.S. manufacturer to add backdoors to computer hardware about to be shipped to an overseas target.”
The question is, if the backdoor does exist (which would mean that the NSA compromised security at literally every step of computer-making: does anyone remember how it was said the NSA placed backdoors in encryption standards?), what would stop them from only using them for „overseas targets”? Would it not have been easier to just use the compromised hardware everywhere?
The problem is that finding out if the hardware has backdoor is not easy.
„The Columbia group is currently working with a commercial fab company to test software it designed that can scan designs for possible backdoors. “They are trying out the tool on their line,” Sethumadhavan explains. Called FANCI, the tool analyzes a chip design, simulates how its circuits would operate, and looks for connections or circuits that almost never become active.
Such circuits are suspected of being part of a backdoor, because chip designers avoid wasting space or circuitry in designs since manufacturing chips is expensive.”
In different cookie-related news: the cookie will die, soon. Microsoft is already getting ready for it (Google has started as well, while Apple and Facebook have their “own” trackers): as The Verge reports,
“sources say is working on a technology that could track users across Windows computers, Bing, Internet Explorer, Windows Phone devices, and Xbox consoles in order to serve highly targeted ads.”
The article points out multiple reasons why this would be better for Microsoft: one is that cookies miss out on mobile, console, or video streaming activity, and the other is that (they could make more money) there would be fewer privacy concerns if they were the sole keepers of user data, instead of the multitude of third parties.
Also, lest we forget how bad cookies (and metadata and data analytics) are: the Technology Review looks at the civic battle against “data discrimination”, wherein “anonymous data can be mined to reveal health data and other private information”. Kate Crawford, principal researcher at Microsoft Research, proposes that there should be a “due process”, which would give people more legal rights in understanding how data analysis can be used against them.
And really, how?
“purchasing histories, tweets, and demographic, location, and other information gathered about individual Web users, when combined with data from other sources, can result in new kinds of profiles that an employer or landlord might use to deny someone a job or an apartment.”
Crawford mentions something that’s very often disregarded: that not everything gets onto social media.
“If we start to use social media data sets to take the pulse of a nation or understand a crisis—or actually use it to deploy resources—we are getting a skewed picture of what is happening,” Crawford warned in her talk.
Interestingly enough, the article makes note of how the Google flu predictions failed last year, when chatter and media coverage on the flu were mistaken for people complaining about having the flu – which leads us right into our next topic, , which Jiwei Li and Claire Cardie believe could be a useful tool in mapping epidemics. While I hope these findings can help save lives, I am also skeptical (after Kate Crawford told me to be): to what extent can we trust these predictions? To what extent do they skew reality? To what extent can they become reflective of class/wi-fi coverage?
Not from this week, but still interesting about Twitter: it makes $0.00008 every time you look at your feed. Also, the most valuable clients are in the U.S. – I wonder if that is because it’s primarily U.S. companies who utilize Twitter, or is there some other reason?
Also, somebody finally figured out how Twitter could make more money. It is still just an educated guess, but
“Presumably, as this strategy evolves, Twitter users could start to see very specific sponsored tweets closely married to a piece of TV content that someone they followed just tweeted about. The targeting of such sponsored tweets could be further refined using insights about the users’ interests, gleaned from his or her tweets, the profiles of people he or she follows, and other sources.”
One article on how Amazon will be the end-all of online retail (especially with the new “Login and Pay with Amazon”):
“So here’s our prognosis. This new service will start small, US mostly to begin with, but over time will start to gather steam as customers start to learn about the benefits. Some astute crossover marketing, offers, extended customer tie-ins (e.g. Amazon Local coupon deals especially tailored for Login And Pay With Amazon retailers) and more and very soon the roster of retailers sporting the yellow button will literally explode across the web.
At that point, not having the feature will produce such a hit to the bottom line that it will take on a life of its own, and suddenly the online retail world is all Amazon.”
Also, think about all the more information Amazon will have on you. $$$.
The Technology Review had an article about open source software (OpenRemote) that tries to provide a “software platform for linking Internet-connected gadgets, making it easier to control all kinds of smart home devices, regardless of who made them.” Which, sure, sounds exciting. But it really becomes sci-fi only at the end of the article:
“Last year, OpenRemote conducted a small test in Eindhoven, in hopes of using automation and crowdsourcing to monitor a city. This included people-tracking with cameras, sound-level tracking, social-media monitoring, and an app that people in the area could use to rate what the atmosphere was like. The company is currently working on a larger-scale project in Eindhoven, Kil says. “If you put four walls around a city, it’s a big room, if you know what I mean,” he says.”
„Zach’s primary interests are collecting Nazi paraphernalia and talking to Loli every day on Skype. When he has extra cash, he pays her to read aloud from Carl Sagan books and the Bible, $2.50 per page.” This article on the “Chan” girls of 4chan is absolutely mesmerizing. It also shows how much the internet changed really fast: today, in the age of the ubiquitous selfie, it seems unlikely anyone could reach this level of fame.
Jenny Francis and daily tabloid newspaper The Sun teamed up to show how real men compare to male models with chiseled abs in underwear ads.
"American culture — and not just ‘guido’ culture — dictates that the dominant understanding of “hot” = “jacked.” Now, “jacked” is an exaggerated physicality that’s actually a fetishization of the working class body: a body that looks like it labors. But since most of those jobs of disappeared, most men, working class or otherwise, go to the gym and lift heavy things in order to approximate the bodies that their jobs would’ve created for them. Jon is a working class guy, but he works, in his words, in “service” — he bartends. But in order to obtain a desirable body, he has to spend his off hours doing pull-ups."
Have you read Anne Helen Petersen’s essay on Don Jon and the Digital Porn Dystopia? You should. We will be talking about her “prince/dick dichotomy” for years to come.