Shared posts

13 Jul 17:48

Anonymization and the Law

by Bruce Schneier

Interesting paper: "Anonymization and Risk," by Ira S. Rubinstein and Woodrow Hartzog:

Abstract: Perfect anonymization of data sets has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the better locus of data release policy is on the process of minimizing the risk of reidentification and sensitive attribute disclosure. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been "anonymized." It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.

13 Jul 17:47

Researchers Discover Tor Nodes Designed to Spy on Hidden Services

by Bruce Schneier

Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow explains:

These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used "honeypot" .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence. They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of "infowar" weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

The Tor project is working on redesigning its system to block this attack.

Vice Motherboard article. Defcon talk announcement.
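A simplified model of the honeypot attribution described above, as an added example that is not the researchers' code: each unadvertised "honion" is announced only to a constructed set of relays (standing in for the Tor nodes that were seeded with its existence), so any connection it receives implicates exactly those relays. Over many honions, a greedy minimum hitting set finds the smallest relay set that explains every unexpected contact; the placement map, relay names and log lines are all constructed.

```python
"""Simplified honion attribution model (constructed data, not the researchers' code).

A honion is an onion service that is never advertised. It was announced only to a known
set of relays, so a connection to it can only come from a party that learned of it from
one of those relays. Over many honions, we look for the smallest set of relays that
explains every unexpected contact (a greedy minimum hitting set).
"""
from collections import Counter

# Constructed placement map: honion address -> relays that learned of it.
# Relay names are placeholders, not real Tor fingerprints.
PLACEMENT = {
    "honion-a.onion": {"relayA", "relayB", "relayC"},
    "honion-b.onion": {"relayD", "relayE", "relayF"},
    "honion-c.onion": {"relayA", "relayG", "relayH"},
    "honion-d.onion": {"relayI", "relayJ", "relayK"},
    "honion-e.onion": {"relayD", "relayL", "relayM"},
    "honion-f.onion": {"relayN", "relayO", "relayP"},
}

# Constructed honion access log: "<timestamp> <honion> <request>".
ACCESS_LOG = """\
2016-06-01T02:14:07Z honion-a.onion GET /
2016-06-01T02:14:09Z honion-a.onion GET /login
2016-06-02T11:40:51Z honion-c.onion GET /
2016-06-03T23:05:13Z honion-b.onion GET /
2016-06-04T08:17:30Z honion-e.onion GET /admin
"""


def contacted_honions(log_text, placement=PLACEMENT):
    """Return the set of honions that received any connection at all.

    Because the honions are never advertised, every connection is unexpected.
    """
    contacted = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] in placement:
            contacted.add(parts[1])
    return contacted


def suspect_relays(contacted, placement=PLACEMENT):
    """Greedy minimum hitting set: pick relays until every contact is explained.

    A contact is explained by any relay that knew of that honion. Picking the relay
    that covers the most still-unexplained honions first favours the hypothesis that
    a few misbehaving relays account for all of the contacts.
    """
    unexplained = set(contacted)
    chosen = []
    while unexplained:
        coverage = Counter()
        for honion in unexplained:
            for relay in placement[honion]:
                coverage[relay] += 1
        # Deterministic tie-break on name so the result is reproducible.
        relay = min(coverage, key=lambda r: (-coverage[r], r))
        chosen.append(relay)
        unexplained = {h for h in unexplained if relay not in placement[h]}
    return chosen


def attribute(log_text=ACCESS_LOG, placement=PLACEMENT):
    """Run the whole pipeline and return the list of suspect relays."""
    return suspect_relays(contacted_honions(log_text, placement), placement)


if __name__ == "__main__":
    print("contacted honions:", sorted(contacted_honions(ACCESS_LOG)))
    print("suspect relays:", attribute())
```

With the constructed data, relayA and relayD are the only relays that each explain two contacted honions, so the greedy pass names just those two.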

13 Jul 17:45

Hijacking Someone's Facebook Account with a Fake Passport Copy

by Bruce Schneier

BBC has the story. The confusion is that a scan of a passport is much easier to forge than an actual passport. This is a truly hard problem: how do you give people the ability to get back into their accounts after they've lost their credentials, while at the same time prohibiting hackers from using the same mechanism to hijack accounts? Demanding an easy-to-forge copy of a hard-to-forge document isn't a good solution.

13 Jul 17:45

The Difficulty of Routing around Internet Surveillance States

by Bruce Schneier

Interesting research: "Characterizing and Avoiding Routing Detours Through Surveillance States," by Anne Edmundson, Roya Ensafi, Nick Feamster, and Jennifer Rexford.

Abstract: An increasing number of countries are passing laws that facilitate the mass surveillance of Internet traffic. In response, governments and citizens are increasingly paying attention to the countries that their Internet traffic traverses. In some cases, countries are taking extreme steps, such as building new Internet Exchange Points (IXPs), which allow networks to interconnect directly, and encouraging local interconnection to keep local traffic local. We find that although many of these efforts are extensive, they are often futile, due to the inherent lack of hosting and route diversity for many popular sites. By measuring the country-level paths to popular domains, we characterize transnational routing detours. We find that traffic is traversing known surveillance states, even when the traffic originates and ends in a country that does not conduct mass surveillance. Then, we investigate how clients can use overlay network relays and the open DNS resolver infrastructure to prevent their traffic from traversing certain jurisdictions. We find that 84% of paths originating in Brazil traverse the United States, but when relays are used for country avoidance, only 37% of Brazilian paths traverse the United States. Using the open DNS resolver infrastructure allows Kenyan clients to avoid the United States on 17% more paths. Unfortunately, we find that some of the more prominent surveillance states (e.g., the U.S.) are also some of the least avoidable countries.

13 Jul 17:41

Intellectual Property as National Security

by Bruce Schneier

Interesting research: Debora Halbert, "Intellectual property theft and national security: Agendas and assumptions":

Abstract: About a decade ago, intellectual property started getting systematically treated as a national security threat to the United States. The scope of the threat is broadly conceived to include hacking, trade secret theft, file sharing, and even foreign students enrolling in American universities. In each case, the national security of the United States is claimed to be at risk, not just its economic competitiveness. This article traces the U.S. government's efforts to establish and articulate intellectual property theft as a national security issue. It traces the discourse on intellectual property as a security threat and its place within the larger security dialogue of cyberwar and cybersecurity. It argues that the focus on the theft of intellectual property as a security issue helps justify enhanced surveillance and control over the Internet and its future development. Such a framing of intellectual property has consequences for how we understand information exchange on the Internet and for the future of U.S. diplomatic relations around the globe.

EDITED TO ADD (7/6): Preliminary version, no paywall.

13 Jul 17:41

"Dogs Raise Fireworks Threat Level to 'Gray'"

by Bruce Schneier

Funny:

The Department of Canine Security urges dogs to remain on high alert and employ the tactic of See Something, Say Something. Remember to bark upon spotting anything suspicious; e.g. firecrackers, sparklers, Roman candles, cats, squirrels, mail carriers, shadows, reflections, other dogs on TV, etc.

13 Jul 17:39

Friday Squid Blogging: Squid-Ink Cocktails

by Bruce Schneier

Here's a Corpse Reviver #2 variant with squid ink.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

13 Jul 17:31

Crowdsourcing a Database of Hotel Rooms

by Bruce Schneier
Codsmack

Neat! Good luck stopping human trafficking!

There's an app that allows people to submit photographs of hotel rooms around the world into a centralized database. The idea is that photographs of victims of human trafficking are often taken in hotel rooms, and the database will help law enforcement find the traffickers.

I can't speak to the efficacy of the database -- in particular, the false positives -- but it's an interesting crowdsourced approach to the problem.

13 Jul 17:30

Comparing Messaging Apps

by Bruce Schneier
Codsmack

I've been using Signal for quite a while and you should too.

Micah Lee has a nice comparison among Signal, WhatsApp, and Allo.

In this article, I'm going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud -- and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I'm going to advocate you use Signal whenever you can -- which actually may not end up being as often as you would like.

EDITED TO ADD (6/25): Don't use Telegram.

13 Jul 17:24

Situational Awareness and Crime Prevention

by Bruce Schneier

Ronald V. Clarke argues for more situational awareness in crime prevention. Turns out if you make crime harder, it goes down. And this has profound policy implications.

Whatever the benefits for Criminology, the real benefits of a greater focus on crime than criminality would be for crime policy. The fundamental attribution error is the main impediment to formulating a broader set of policies to control crime. Nearly everyone believes that the best way to control crime is to prevent people from developing into criminals in the first place or, failing that, to use the criminal justice system to deter or rehabilitate them. This has led directly to overuse of the system at vast human and economic cost.

Hardly anyone recognizes--whether politicians, public intellectuals, government policy makers, police or social workers--that focusing on the offender is dealing with only half the problem. We need also to deal with the many and varied ways in which society inadvertently creates the opportunities for crime that motivated offenders exploit by (i) manufacturing crime-prone goods, (ii) practicing poor management in many spheres of everyday life, (iii) permitting poor layout and design of places, (iv) neglecting the security of the vast numbers of electronic systems that regulate our everyday lives and, (v) enacting laws with unintended benefits for crime.

Situational prevention has accumulated dozens of successes in chipping away at some of the problems created by these conditions, which attests to the principles formulated so many years ago in Home Office research. Much more surprising, however, is that the same thing has been happening in every sector of modern life without any assistance from governments or academics. I am referring to the security measures that hundreds, perhaps thousands, of private and public organizations have been taking in the past 2-3 decades to protect themselves from crime.

13 Jul 17:23

CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist

by Bruce Schneier
Codsmack

questioning the I yet again.

Last week, CIA director John Brennan told a Senate committee that there wasn't any strong cryptography outside of the US.

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.

And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

Here's the quote:

"US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said.

"So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."

Is he actually lying there? I suppose it is possible that he's simply that ignorant. Strong foreign cryptography hasn't been "theoretical" for decades. And earlier this year, I released a survey of foreign cryptography products, listing 546 non-theoretical products from 54 countries outside the US.

I know Sen. Wyden knows about my survey. I hope he asks Brennan about it.

Slashdot thread. HackerNews thread.

EDITED TO ADD (6/22): Herb Lin comments.

12 Jul 18:44

How to Make Fire

by Miss Cellania

Kap Te'O Tafiti of the Polynesian Cultural Center in Hawaii shows us how to make fire. It’s as easy as rubbing two sticks together. Oh, so simple! If you’ve ever tried it, watching Kap do it will convince you he has some kind of magic going on.

(YouTube link)

Like Old Spice? This is way older and spicier!

If this were the average person trying to make fire, it would end at the part where they cut their fingers off with that impressive knife. But even if you never intend to make fire without a lighter, you'll enjoy watching this. -via Tastefully Offensive

07 Jul 15:29

It's Not Even 'Christmas in July' Yet, Christ

Next thing you know there will be a super sale day before 7/24 too. Ohh wait... Amazon Prime day is 7/12 😳

Submitted by: (via MorgianFreeman)

Tagged: advertising , christmas , sign , FAIL
07 Jul 15:26

This man is building the business of DIY assault rifles

by David Pescovitz
Codsmack

I keep suggesting that gun control is already a non-issue. I'm glad someone else is proving this yet another way.

Remember Cody Wilson, the founder of Defense Distributed who caused chaos last year with his design for a 3D printed gun, The Liberator? Now, Wilson and engineer John Sullivan have developed a $1500 desktop CNC mill, called the Ghost Gunner, that cranks out the key component in assault rifles. Now you can make your own AR-15! There's a waiting list to buy one and the money is going to Wilson's lawsuit against the State Department. From Rob Walker's excellent feature in Bloomberg Businessweek:

Most people can purchase a pretty good factory-built gun for $1,000. Even so, Wilson got 10 orders on Day One and started raising the price, soon cutting off pre-orders at 500. Sullivan submitted redesigned specs to suppliers by mid-December, with Wilson, Sullivan, and Denio building the earliest units themselves. They started shipping in April 2015.

Gradually, Wilson put together an assembly team—contacts from his network, random supporters who reached out via Twitter, and so on. “It’s torture man, getting going,” he says. “But here we are. It’s been a full year of Ghost Gunner shipping.” The enterprise just surpassed 2,000 units shipped. (An upgraded Ghost Gunner 2 debuted on June 21 at $1,500; you can get on a waiting list for $250.)

Sullivan has since transitioned to a “consulting role.” He spoke to me, somewhere en route to Oklahoma City, from his van, which is where he and his fiancée essentially live, having sold most of their possessions. He’s opted for a low-expense, permanent-vacation lifestyle, he says, and can now pick and choose the projects that interest him.

Back at Jim’s, Wilson says the Ghost Gunner business could expand, even internationally—or could be snuffed out by regulatory caprice. His partner Denio has taken an interest in a few orders from engineering educators and now imagines a spinoff business—thoroughly rebranded—bringing desktop CNC machines to that market. (That said, Denio underscored to me that his ideological goals trump his entrepreneurial ones: “I wouldn’t mind living on the street and eating garbage if I knew our Second Amendment was protected.”)

Wilson says he wants the product to succeed and satisfy the customers who’ve supported him. In May, Defense Distributed had its first trade-show booth, at a survivalist expo in Dallas. But it’s pretty clear that engineering and business aren’t a rush for him but a means to an end. “I’m just trying,” he says, “to win my lawsuit.”

"A Crypto-Anarchist Will Help You Build a DIY AR-15" (Businessweek)

detail of photo by Bryan Schutmaat

07 Jul 15:21

06/29/2016

by Jennie Breeden
22 Jun 19:59

Monster Mixology Monday: Frozen Peach Barrel

by Jonathan Chaffin
Recipe: Frozen Peach Barrel

• 5 cups frozen fresh peaches
• 3 tbsp sugar
• 2 tbsp lime juice
• 1/2 cup white rum

Prep: Mix in blender. (You may need or wish to add a little additional water or rum to thin the drink to taste.) Enjoy!

(Thanks Jamie G.!)

http://shop.horrorinclay.com/collections/amontillado-barrel-mug-collection/products/cask-of-amontillado-barrel-tiki-mug-series-1-open-edition-matte-brown


20 Jun 20:38

Vi Hart on shootings, stalkings, and Internetting While Female

by Cory Doctorow

Like many youtubers, the incomparable, fast-talking, sharpie-doodling mathematician Vi Hart (previously) was stunned by the Orlando shooting of Christina Grimmie, a Youtube singing star who broke out into the mainstream, and who was murdered by a man who attended her public appearance. (more…)

20 Jun 20:38

Hacker's Account of How He Took Down Hacking Team's Servers

by EditorDavid

An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software.

Read more of this story at Slashdot.

20 Jun 17:50

12 year old makes devastating video about anti-vaxxers, gets doxxed

by Cory Doctorow

Marco Arturo's brilliant 2-minute movie about the anti-vaccine movement starts with the 12-year-old promising to show all the evidence supporting the link between autism and vaccination, after which he holds up a succession of blank pages. (more…)

20 Jun 17:46

Woman, 19, sues U.S. over anal and vaginal search for which she was billed $575

by Mark Frauenfelder

Ashley Cervantes, a US citizen who was 18 at the time, was stopped at the Mexico border and accused by Customs and Border Protection of smuggling drugs. A search proved fruitless so they gave her a body cavity search. US Customs and Border Protection still couldn't find the drugs they were looking for so they took her to a hospital for an X-ray. No drugs.

(more…)

20 Jun 17:45

Are Daniel Radcliffe And Elijah Wood Part Of Clone Club?

by Zeon Santos

There are at least two articles posted online about how similar Elijah Wood and Daniel Radcliffe look, and how this is either proof they were separated at birth or that they're part of a clone conspiracy.

Daniel has remarked "Me and Elijah Wood just need to do a film together where we play brothers" to distract from the cloning angle and make it all look like it's just a coincidence.

But when you see their portraits side-by-side and then look at a GIF showing the subtle differences between Elijah and Daniel the clone stuff somehow seems more plausible.

Does this GIF prove they're part of a clone conspiracy? Nah, all it really proves is that Hollywood likes to cast facial "types", and both of these megastars fit the mold.

-Via BuzzFeed

16 Jun 14:09

Learn How To Make The Ultimate Mosquito Repellent

Codsmack

That was a hell of a lot of 3 drops... but cheap and relatively effective? I hope so!

Submitted by: (via HouseholdHacker)

Tagged: mosquito , summer , DIY , science , Video
14 Jun 21:00

Traveler sues TSA for missed flight

by Carla Sinclair
Codsmack

I hope he wins

Although Minneapolis man Hooman Nikizad arrived at the airport two hours early, as recommended, his hour-and-a-half wait in the security line made him miss his flight. He then had to buy a second ticket on another airline in order to get to his destination on time. Now he's suing the TSA for $506.85 to cover the cost.

"I had to buy a ticket with another airline to be able to make my destination and meet my obligations," Nikizad said in his claim, which noted the TSA had limited staff on duty at the time and "only one body scanner for the regular security line [in operation]"...The money being sought, he said, is to reimburse him for a replacement ticket, additional ground transportation expenses and the $75 court fee to file his claim.

No comment from the TSA. For more, read the full story at the Star Tribune.

14 Jun 20:38

Reviews of Some of the World's Weirdest Beers

by Jill Harness

If you're into craft beers, then you know there are a lot of seriously weird beers out there. The thing is, some of those brews are actually amazing, while others are just plain nasty. Bon Appetit recently went ahead and taste tested some of the most bizarre brews on the market -from the one made with yeast out of the brewer's beard to the one made with a sheep dung-smoked whale testicle. They give you a good idea of which of these beers are actually good and which are just gimmicks -though each of these companies almost certainly has die-hard fans who will defend their brand until they die, so don't be surprised if you hear someone disagree entirely.

14 Jun 20:36

moonipulations: The Moon And The Castle - Photography by Mauro...

moonipulations:

The Moon And The Castle - Photography by Mauro Maione Full moon viewed from the Town Hall building in Siena, Italy.

14 Jun 00:55

transistoradio: Leonor Fini (1908-1996), Unconditional Love...

transistoradio:

Leonor Fini (1908-1996), Unconditional Love (1958), oil on canvas, 64.7 x 92.1 cm. Via Sotheby’s.

10 Jun 19:21

When Brad Birkenfeld blew the whistle on UBS, the US government paid him $104M and sent him to jail

by Cory Doctorow

This interview with UBS whistleblower Brad Birkenfeld is as neat a case study in financial corruption as you could ask for: Birkenfeld's disclosures detailed 19,000 US tax evaders, including the bank's super-secretive list of "politically exposed persons," including people who laundered money for terrorists, and the US government threw him in prison (as well as paying him the largest reward in US history), declined to prosecute three quarters of those implicated, and then put him in prison. (more…)

06 Jun 15:47

The Fallibility of DNA Evidence

by Bruce Schneier

This is a good summary article on the fallibility of DNA evidence. Most interesting to me are the parts on the proprietary algorithms used in DNA matching:

William Thompson points out that Perlin has declined to make public the algorithm that drives the program. "You do have a black-box situation happening here," Thompson told me. "The data go in, and out comes the solution, and we're not fully informed of what happened in between."

Last year, at a murder trial in Pennsylvania where TrueAllele evidence had been introduced, defense attorneys demanded that Perlin turn over the source code for his software, noting that "without it, [the defendant] will be unable to determine if TrueAllele does what Dr. Perlin claims it does." The judge denied the request.

[...]

When I interviewed Perlin at Cybergenetics headquarters, I raised the matter of transparency. He was visibly annoyed. He noted that he'd published detailed papers on the theory behind TrueAllele, and filed patent applications, too: "We have disclosed not the trade secrets of the source code or the engineering details, but the basic math."

It's the same problem as any biometric: we need to know the rates of both false positives and false negatives. And if these algorithms are being used to determine guilt, we have a right to examine them.

02 Jun 19:01

The impossible task of creating a “Best VPNs” list today

by Ars Staff

At the local cafe, hackers can get a cup of coffee and rogue access to the network. Who needs a VPN; what could go wrong? (credit: Ken Hawkins)

For the security minded, one of the scariest revelations from the now three-year-old Snowden leaks had nothing to do with accommodating ISPs (shocking) or overreaching and often vague anti-terrorism practices and policy (an even bigger shock, right?). Instead, when news trickled out about matters like the National Security Agency’s Vulcan data repository or its Diffie-Hellman strategy, online privacy advocates found themselves quaking. Suddenly, seemingly everyone had to re-evaluate one of the most often used tools for maintaining a shred of anonymity online—the VPN.

VPNs, or virtual private networks, are typically used to obfuscate users’ IP addresses and to add a layer of security to Web browsing. They work by routing traffic through a secure, encrypted connection to the VPN’s server. The reasons for using VPNs vary. Some people use VPNs to change their IP address so they can access location-specific media content in a different geographic location or download things on torrent that are less likely to be traced back to them. Others hope to minimize online tracking from advertisers, prevent the negative effects of rogue access to Wi-Fi networks, or even just obfuscate their IP address to specific sites they visit.

Not all VPNs are alike, however. In fact, poorly configured VPNs can make users more vulnerable in various ways. Some ban torrenting altogether. Others log information, either for maintenance reasons, to track abuse, or in accordance with their local data retention laws.

Read 41 remaining paragraphs | Comments

01 Jun 20:14

Armed FBI agents raid home of researcher who found unsecured patient data

by Dan Goodin
Codsmack

Arrest the guy who finds the problem? I really hope the FBI had a better reason... though I doubt it. This is the sort of thing that makes me paranoid.

(credit: DailyDot)

FBI agents, one armed with an assault weapon, reportedly raided the home of a security professional who discovered sensitive data for 22,000 dental patients was available on the Internet, according to a report published Friday.

Justin Shafer, who is described as a dental computer technician and software security researcher, reportedly said the raid happened on Tuesday at 6:30am as he, his wife, and three young children were sleeping. He said it started when his doorbell rang incessantly and someone banged hard on his door. According to Friday's report:

“My first thought was that my dad had died,” Shafer told Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”

With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told Daily Dot, “and the baby’s crib was only feet from the door.”

The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafer said, and his wife tried to tell the agents that there were three young children in the house.

Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.

Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to Daily Dot, shows that federal agents took 29 items.

Enter Eaglesoft

An FBI agent told Shafer the raid stemmed from an incident in February, when Shafer discovered a file transfer protocol server operated by Eaglesoft, a provider of dental practice management software. The FTP server reportedly stored patient data in a way that made it easily accessible to anyone. Shafer contacted DataBreaches.net and asked for help privately notifying the software maker, and once the patient data was secured, the breach notification site published this disclosure. In a blog post of his own, Shafer later discussed the FTP lapse and a separate Eaglesoft vulnerability involving hard-coded database credentials.

Read 3 remaining paragraphs | Comments