Shared posts

12 Oct 14:59

The Airport Bomber From Last Week You Never Heard About

by Shaun King

It’s strange how some things really catch on and go viral and others don’t. These days, nothing quite makes a story blow up — no pun intended — like the president’s fixation with it. That’s why it’s so peculiar that what sure looks like an attempted terrorist attack was narrowly thwarted at an American airport this past Friday without so much as a peep from Donald Trump about it. No tweets. No nicknames for the alleged would-be-terrorist. Nothing. You’ll see why in a minute.

This past Friday morning, at 12:39 a.m., security footage from the Asheville Regional Airport in North Carolina showed a man walking through the front doors wearing black clothing and a black cap, while carrying a bag. “Based on a review of the video, the individual walked near the entrance to the terminal, went out of sight momentarily, and was then seen departing the area without the bag,” according to the criminal complaint.

Following the Transportation Security Administration’s protocols, airport security allowed a bomb dog to sniff the bag for explosives and the dog signaled to the team the presence of dangerous materials in the bag. The concourse was then shut down. The street leading to the airport was shut down. And Asheville Regional Airport officials found themselves in a dangerous emergency situation.

What investigators eventually found in the bag was AN/FO (Ammonium Nitrate/Fuel Oil) explosives that, according to the criminal complaint, have been used “in a number of terrorist-related incidents around the world. When AN/FO comes into contact with a flame or other ignition source it explodes violently. Nails or ball bearings are often items added to the device so as to increase the devastation inflicted by the explosion.”

In fact, sharp nails and bullets were found in this improvised explosive device. Whoever built it designed the bomb to cause horrific bodily harm. Before disarming it, authorities discovered that the alarm attached to it was scheduled to go off at 6:00 a.m. that morning just as a fresh round of travelers was scheduled to arrive at the airport.

The man who planted it, it turns out, openly admitted to authorities that he was “preparing to fight a war on U.S. soil” and that this bomb was but one part of that war.

Little Fanfare

I bet you never heard about it. I keep an eye on these types of incidents closely and I didn’t hear about it. Someone who follows me online who happens to live in Asheville sent me the story this morning — shocked that it hadn’t gotten any play at all beyond a few mentions in the local paper and some isolated pickup by a few national outlets.

As soon as I clicked on the article, it all made perfect sense.

The story didn’t go viral and Trump didn’t tweet about it because the bomb was not placed by an immigrant, or a Muslim, or a Mexican. It was placed there by a good ol’ white man, Michael Christopher Estes. Unlike the Las Vegas shooter, Stephen Paddock, whose motive is still hard to discern, Estes wanted to be very clear that his ultimate goal was to accelerate a war on American soil.

Sorry if it sounds like you’ve heard this story before. I’m as tired of writing it as you are reading it, but you know good and well that if Estes was a young Muslim — hell, if he had ever even visited a mosque in the past 25 years — that Trump would be tweeting about him right this very moment to tout how essential a Muslim ban is for American safety.

A Muslim attacker’s mugshot would become a meme across the conservative media. Mainstream American outlets would be covering the heroic bravery of those who thwarted the terrorist plot. We’d all be seeing footage of the perpetrator being walked from the police car to the jail and from the jail to the court room. Out loud, people would talk and tweet about the man’s family and friends and networks — wondering where he was radicalized, and if anyone else feels the way he does.

In this case, though? Crickets. We hear nothing at all — almost exclusively because the man who planted an improvised explosive device, just like ones that have been used to murder and maim people all over the world, was white. His guilt starts and stops with him. His actions aren’t an indictment of his whole faith, political outlook, and race. White people aren’t, thanks to Estes, suddenly labeled terrorists or seen as a threat to American safety in the way that would almost certainly happen had it been anybody other than a white man.

This isn’t me calling for all of those things that happen to Muslims and immigrants every single day to now happen to Estes and white people all over the country. It’s me saying that the fundamentally bigoted double standard by which it is done to virtually everyone except for Michael Christopher Estes and other white men has to stop.

Top photo: A collage shows Michael Christopher Estes and a view of Asheville Regional Airport. (Photos: Google Maps, Buncombe County Detention Center)

The post The Airport Bomber From Last Week You Never Heard About appeared first on The Intercept.

14 Aug 09:57

How to choose a cloud provider

by Jesse Anderson

Practical questions to help you make a decision.

If you look up the phrase “boiling the ocean,” it’s defined as writing a post on choosing a cloud provider—there are so many different facets and use cases, and each variable complicates your choice. The key is to narrow the field to your specific situation and needs. In this article, I share some of the early questions and decisions I use when working with a team to choose a cloud provider.

Simple pass/fails

I recently worked with a large financial organization that was considering a move to the cloud. When I started the engagement, we began with quick pass/fail decisions to see whether a cloud move was feasible at all. These pass/fail choices allowed the team to make an initial go-forward decision before they went too deep down the rabbit hole. The following considerations helped mitigate their risk.

Can we use the cloud?

This might sound like an easy one, but some teams actually forget this step. There may be an outright prohibition on using the cloud at your organization, or the political climate may be so terrible that you decide not to fight that battle.

Will the technologies work for your use case?

Can the cloud technologies do what you need them to do? With small data problems, this isn’t usually an issue: they can handle almost anything. With big data problems, however, capability can be a sticky issue—there are bigger tradeoffs that the technology designers had to make.

I’ve written some in-depth posts covering some of these tradeoffs and comparisons. For example, I compared Amazon Kinesis and Apache Kafka, and Google Cloud Pub/Sub and Apache Kafka. You’ll notice there are subtle differences. Seen through the lens of a specific use case, these differences can make one of your requirements impossible to implement with a given technology.

In order to make this initial call, you need to really understand and know your use case. You’ll want to have a general idea of where and what you want to do in the future, and validate those use cases, too.

Compare providers

At the 10,000-foot level, there isn’t a glaring difference between providers at small data scales; there are simply fewer distinguishing factors. At big data scales, the differences between cloud providers become much larger.

Generally, the providers distinguish themselves on:

  • How easy are the managed services to use and operate? For example, how easy is it for me to spin up a database and have it replicate all over the world?
  • Since the services are managed, how good is their uptime and how reliable is the system? In other words, how often does the service go down, and for how long? Some outages are system-wide, but how often do your instances disappear?
  • The cloud providers fight each other on price. What is the total cost of running infrastructure on the cloud provider? Unfortunately, this question can be difficult to answer because working with a single technology can have three or four different costs associated with it. For example, a messaging system could have costs for the message transfer, the storage of the message, and an hourly fee for the managed messaging system.
  • How prevalent are engineers with knowledge of that cloud provider in the marketplace? These days, you can’t throw a stone without hitting someone with some knowledge of Amazon Web Services. That said, the skills are largely similar at the operations level. The skills at the developer level are only somewhat similar.
  • How difficult will it be for you to move between cloud providers and technologies—aka “lock in”? For example, some providers use an open source technology or its API, but have their managed service behind the scenes. Conversely, using a managed service with a proprietary API really couples you to that cloud provider.

Keep your options open

As you’re looking over providers, don’t just look at the big cloud providers. Take the time to investigate niche providers as well. They may be able to provide a level of service that the big providers don’t (although, be warned that some smaller providers don’t provide tech support). Still other niche providers handle the operations of open source technologies that aren’t necessarily managed services.

Ask the right questions

Once you’ve considered the big-picture factors, you’re ready to fine-tune your decision process. Here are the questions I ask teams to consider when choosing a provider:

  • Cost: Is cost a primary factor? Have you created an accurate calculation for your comparisons?
  • Popularity contest: How popular is this cloud provider and do they have enough customers not to go the way of the dodo bird?
  • Availability of people: How difficult will it be to train the existing staff on the provider’s technologies (for both operations and development)? How difficult will it be to hire people who are familiar with the provider?
  • SLAs: What level of SLA does the provider give for the services you’ll be using (remember that some services are hidden beneath a main service and are easy to overlook)? Does management know that during a large-scale outage, you won’t be able to scream loud enough to speed things up?
  • Use case: Does the technology work for your use case? Do you really understand your use case well enough to validate the technologies?
  • Lock-in: Are you comfortable with the potential level of lock-in? Will you write your software to be highly coupled to that service?
  • Company politics: Have you settled the company politics? In other words, have you established who owns what, and who is responsible for each piece?

Once you’ve thought about and answered these questions, you’ll be in a better position to make an accurate comparison of the cloud provider landscape. A little preparation and careful groundwork are the keys to making the right choice.


02 Aug 10:29

Btrfs has been deprecated in RHEL

Stuart.ward.uk

What should we move to XFS?

02 Jun 15:24

French President Emmanuel Macron Offers Refuge to American Climate Scientists

by Robert Mackey
Stuart.ward.uk

Inspiring

Updated: June 2, 7:23 a.m. EDT

Just one hour after Donald Trump announced that he was withdrawing the United States from the global climate accord negotiated in Paris — saying that he was “elected to represent the citizens of Pittsburgh, not Paris” — the new French president, Emmanuel Macron, offered refuge in France to American climate scientists.

In a three-minute address to the American people streamed live from the Élysée Palace, Macron offered hope for the future, and a message of solidarity that seemed to echo those once delivered by American presidents to captive nations suffering under the yoke of dictatorship — or aimed at resistance fighters in an occupied country.

“Tonight, I wish to tell the United States, France believes in you — the world believes in you,” Macron said. “I know that you are a great nation. I know your history — our common history.”

“To all scientists, engineers, entrepreneurs, responsible citizens who were disappointed by the decision of the president of the United States, I want to say that they will find in France a second homeland,” he continued. “I call on them: come and work here with us. To work together on concrete solutions for our climate, our environment. I can assure you, France will not give up the fight.”

At the end of his remarks, the French president made it crystal clear that his message was intended as a rebuke of not just his American counterpart’s decision, but his entire worldview.

“I call on you to remain confident,” Macron said, standing in front of the flags of both France and the European Union. “We will succeed, because we are fully committed, because wherever we live, whoever we are, we all share the same responsibility: Make Our Planet Great Again.”

Macron’s social media team made sure that closing rejoinder to Trump and Trumpism was not missed by those lacking the strength or the stamina to make it to the third minute of his speech.

Trump later responded in a typically sophisticated, mature fashion.

Reuters reports that before his speech, Macron told Trump in a brief phone call on Thursday that the climate deal signed in Paris in 2015 could not be renegotiated. He added that while France would continue to work with the United States on other matters, it would no longer discuss climate issues.

The German Chancellor’s spokesman, Steffen Seibert, shared a joint statement from Angela Merkel, Emmanuel Macron and Paolo Gentiloni, the Italian prime minister, which confirmed that “the Paris Agreement cannot be renegotiated, since it is a vital instrument for our planet, societies and economies.”

Trump, whose beef with climate scientists might actually stem from his deep dismay at no longer being allowed to use aerosol hairspray, finished his own remarks by claiming a second time that he was acting to put the interests of Pittsburgh ahead of those of Paris. With this refrain, he was apparently hoping to con ill-informed voters into believing that the international agreement negotiated in the French capital, in which 195 nations agreed to limit fossil-fuel emissions for the global good, was somehow to the unique benefit of the French people.

The same minute Trump finished speaking, however, the mayor of Pittsburgh, Bill Peduto, reminded him that the city had in fact voted overwhelmingly against him.

Peduto also confirmed that the city’s government would continue to honor its obligations under the Paris framework.

The mayor of Paris, Anne Hidalgo — who was forced to respond recently to Trump’s bizarre claim that “Paris is no longer Paris,” because of the threat of terrorism — quickly seconded the Pittsburgh mayor’s affirmation of the role of local governments.

In his own response to Trump’s decision, Canada’s prime minister, Justin Trudeau, held out hope for working with local governments in American cities and states, while expressing regret at what he called a decision by “the United States federal government.”

“We are all custodians of this world,” Trudeau added, “and that is why Canada will continue to work with the U.S. at the state level, and with other U.S. stakeholders, to address climate change and promote clean growth.”

Subsequent reporting from The Washington Post on what led to Trump’s decision, and his strange focus on France, revealed that the American president has little understanding of how the climate deal works, and was also said to be “irritated and bewildered” that Macron upstaged him with a very firm handshake during their photo-op last week at the U.S. Embassy in Brussels.

Having seen Trump try to assert physical dominance over other world leaders, by pulling them forcefully towards him while shaking hands for the cameras, Macron told a French newspaper that he had come prepared. “My handshake with him, it wasn’t innocent,” Macron said. “We must show that we will not make small concessions, even symbolic ones.”

“Donald Trump, the Turkish president or the Russian president see relationships in terms of a balance of power,” Macron added, likening Trump to Recep Tayyip Erdogan and Vladimir Putin. “That doesn’t bother me. I don’t believe in diplomacy by public abuse, but in my bilateral dialogues I won’t let anything pass.”

The post French President Emmanuel Macron Offers Refuge to American Climate Scientists appeared first on The Intercept.

10 May 13:21

Jimmy Carter and Bernie Sanders Explain How Inequality Breeds Authoritarianism

by Zaid Jilani
Stuart.ward.uk

What the 99% protests were all about.

On Monday night, one day after the far-right Marine Le Pen lost France’s presidential election but garnered a record number of votes for her political party, Bernie Sanders and Jimmy Carter sat down together to discuss rising authoritarianism across the globe.

The two spoke at the Carter Center, in a discussion that was streamed online.

Asked by the moderator about the rise of authoritarian politics in the United States and elsewhere, both the Vermont senator and former president agreed on a single root cause: political and economic inequality.

“I think the root of it is something that I haven’t heard discussed much,” Carter replied. “I believe the root of the downturn in human rights preceded 2016, it began earlier than that, and I think the reason was disparity in income which has been translated into the average person, you know good, decent, hard-working middle class people feeling that they are getting cheated by the government and by society and they don’t get the same element of health care, they don’t get the same quality education, they don’t get the same political rights.”

“I agree with everything that President Carter said,” Sanders replied.

“Look, here is the situation. You got all over this country tens of millions of people who are extremely angry and they are disappointed. Now we all know as a result of technology workers are producing more today than they did 20 or 30 years ago. Yet despite that you’re seeing people work not 40 hours a week, they’re working 50 or 60 hours a week. Their wages are actually going down!”

Carter and Sanders’s belief that inequality breeds authoritarianism is backed by evidence from France’s recent election.

A post-election examination of France’s presidential contest by the New York Times found that Le Pen’s support “was strongest in areas with high unemployment and low wages.” A regression analysis by The Economist came to similar conclusions.

Sanders and Carter disagreed on little during the night’s discussion, leading the former president to admit who he supported in the Democratic presidential primary.

“Do y’all see why I voted for him?” Carter joked, as the audience laughed.

Top photo: Former President Jimmy Carter, right, and Sen. Bernie Sanders discuss human rights during the Human Rights Defenders Forum at the Carter Center in Atlanta on Monday, May 8, 2017.

The post Jimmy Carter and Bernie Sanders Explain How Inequality Breeds Authoritarianism appeared first on The Intercept.

18 Apr 08:17

The Now Show 14/04/17

Stuart.ward.uk

Always good.

Steve Punt, Luke Kempner, Pippa Evans, Al Porter, Rich Peppiatt, Vikki Stone & Lucy Porter present the week in news through stand-up and sketches. Produced by Joe Nunnery. A BBC Studios Production.

02 May 20:27

Amazon Prime Video Now Usable On Linux, Too!

by Martin
Stuart.ward.uk

And they actually say on the requirements page that Linux systems are supported, but Chrome only.

DRM-protected content is a hotly debated topic and not without side effects, but I have to admit I was somewhat glad when Netflix added support for Chrome and HTML5 playback on Linux back in 2014. At the time I also experimented with Amazon Prime Video, which was using Flash. Unfortunately that solution was quite unstable and thus unusable. Recently I noticed, however, that Amazon now also supports Chrome and HTML5 video playback on Linux. Over the past weeks I’ve watched a few full-length movies and playback is now flawless. Well done, Amazon, thanks! … Just remove that DRM now please…

02 May 19:53

2nd Hand Computing

by Martin

Ever thought about buying a 2nd-hand notebook? Me neither until recently when a friend asked for advice. At first I was quite skeptical but it turns out it’s an interesting option and in the meantime I even bought one for myself.

I was skeptical because in the mobile space device refresh cycles are somewhere near 18-24 months and the industry is very much in flux. That shows signs of slowing down, but smartphones are carried in pockets, and so after two years of use many devices are pretty much worn out physically and need to be replaced anyway.

The story is quite different when it comes to desktop and notebook computers. There has been little ground-breaking innovation compared to the mobile space; much of it has concentrated on making notebooks thinner and more power efficient. From a software point of view not much has happened either. And thirdly, companies today typically lease notebooks for their employees and replace them with new models after about 3 years. Most of those notebooks are mainly used on a desk, so there is little physical wear when they are returned to the leasing company. Together, these things have given rise to a new type of reseller in Germany: companies that refurbish and sell desktop and notebook PCs whose leases have expired, from brands such as HP, Lenovo and Dell.

3 Year Old Models

The first 2nd-hand notebook I bought was a 3 year old Lenovo T430s for around 400 euros. Yes, you can buy a brand new notebook for the same price these days, but those are low-end consumer-grade devices. The T430s is as high-end and business-grade as you can get and was sold for around 1200-1500 euros when it was new. The difference shows. Yes, it is not quite as thin and power efficient as up-to-date models, but you get it for one third of the original price.

Still I was a bit skeptical at first but I was very pleasantly surprised when I received the shipment of a 3 year old computer that almost looked like new. Obviously the first thing I did was to replace Windows 7 with Linux. An hour of work and the notebook with a 3rd generation i5 processor, 4 GB of RAM and a 500 GB hard drive was good to go. After three months of daily use, feedback on hardware and software from its new owner was unanimously positive. Even the battery was still ok with around 80% of its original capacity which is enough for 3.5 to 4 hours of autonomy.

Older For Less

Many refurbishers also offer even older computing equipment with first generation i5 processors that are about 4-5 years old. And if money is really an issue, a 5-6 year old notebook with a Core 2 Duo processor and 2 GB of RAM can be had for less than 200 euros. That’s a little bit too far on the low end for me, but for people with a really tight budget it’s a real option. Ubuntu will run just fine on such a PC, as I can tell from personal experience with my 6 year old media PC that I use for video playback of Netflix and Amazon Video content. The 2 GB of RAM is perhaps a little bit on the low side these days, but for a few extra euros this shortcoming can easily be fixed.

Reselling refurbished PCs on a greater scale is probably not only a German phenomenon but I have to admit I haven’t seen it anywhere else yet. So if you live in another country and have some information to share, please consider leaving a comment!

26 Apr 12:32

Stonewalled by NSA, Members of Congress Ask Really Basic Question Again

by Dan Froomkin
Stuart.ward.uk

If we get a figure and it is less than 99% it will be a lie.

A bipartisan group of lawmakers is none too happy that the executive branch is asking them to reauthorize two key surveillance programs next year without answering the single most important question about them.

The programs, authorized under Section 702 of the Foreign Intelligence Surveillance Act, are called PRISM and Upstream. PRISM collects hundreds of millions of internet communications of “targeted individuals” from providers such as Facebook, Yahoo, and Skype. Upstream takes communications straight from the major U.S. internet backbones run by telecommunications companies such as AT&T and Verizon and harvests data that involves selectors related to foreign targets.

But both programs, though nominally targeted at foreigners overseas, inevitably sweep up massive amounts of data involving innocent Americans.

The question is: How much? The government won’t answer.

Fourteen members of the House Judiciary Committee sent a letter to Director of National Intelligence James R. Clapper on Friday asking for at least a rough estimate.

“In order that we may properly evaluate these programs, we write to ask that you provide us with a public estimate of the number of communications or transactions involving United States persons subject to Section 702 surveillance on an annual basis,” said the letter. Signatories included ranking Democrat John Conyers Jr. and a senior Republican member, James Sensenbrenner.

Sen. Ron Wyden has asked for a number since 2011; the Privacy and Civil Liberties Oversight Board recommended in July 2014 that the government provide several. In October, more than 30 privacy groups asked for an estimate and explained how easy it would be to come up with one.

“House Judiciary Committee members have lent their voices to the growing chorus demanding hard facts about how foreign intelligence surveillance affects Americans,” said Elizabeth Goitein, co-director of the Brennan Center’s Liberty and National Security Program, in a statement. “The NSA will soon be asking Congress to reauthorize the Foreign Intelligence Surveillance Act, and it will repeat its past claims that any collection of Americans’ communications is merely ‘incidental.’”

But, Goitein said, “We still don’t have this basic information.”

Top photo: “Red Bricks” by Grzesiek used under CC BY, modified with NSA logo.

The post Stonewalled by NSA, Members of Congress Ask Really Basic Question Again appeared first on The Intercept.

19 Apr 15:48

The Secrets of X: These 5 Principles Will Help Your Company Make Moonshots Happen

by Peter Diamandis
Stuart.ward.uk

Some great ideas here.

This post explores the inside workings of "X" (formerly Google X, Google's R&D factory) through conversations with my friend Astro Teller, chief of moonshots.

If you want to create a successful, hyper-growth company around solving tough problems, you've got to create the right culture, learn to rapidly experiment, and encourage rapid failure in your organization.

X's mission is to invent and launch "moonshot" technologies that could make the world a radically better place…dare I say, help create a world of abundance.

Astro leads a team of world-class engineers, scientists, and creatives developing solutions to dozens (perhaps hundreds) of the world's toughest problems. Some of their public projects include: the self-driving car, the smart contact lens, and Project Loon, just to name a few.

In the next two posts, we'll dive into the strategies Astro uses at X to manage his brilliant team. These strategies come from our recent discussions and Astro's 2016 TED talk, which was released a few days ago: The Unexpected Benefit of Celebrating Failure. They are important for every entrepreneur (and CEO) to consider in today's rapidly changing, exponentially empowered world.

In Part 1 (today's post), we'll talk about the importance of trying to kill ideas early and the value of setting audacious goals.

In Part 2 (next week), we'll talk about how to run high-quality experiments and why they matter.

First—What Is a Moonshot?

At X, Astro and his team look for the intersection of three key factors for the moonshots they take on. Astro explains them as follows:

  1. It’s a Big Problem: “We start with a large problem in the world that if solved could improve the lives of millions or even billions of people.”
  2. The Problem Has a Science-Fiction-Sounding Solution: “Then we propose a radical solution that sounds impossible today, almost like science fiction.”
  3. There is Technological Evidence It Could Work: “Lastly, we look for a technology breakthrough that exists today; this gives us the necessary hope that the solution we’re looking for is possible, even if its final form is five to 10 years away and obscured over the horizon.”

This unique approach to problem solving has generated some extraordinary (and some crazy) ideas at X — but the even harder part is implementing these ideas, and to do so, you have to subscribe to the following principles.

What Are the Principles for Solving 'X'?

The following principles from Astro allow X to build processes and culture around selecting and executing their ideas. This list is by no means exhaustive, but let's dive in.

Principle 1: Ideas Are the Easy Part

A lot of people think "having an idea" is the hardest part of starting a company or solving a problem.

The fact is: the idea is probably the easiest part…The world is awash with ideas, and most ideas aren't that good. (We'll get to this in a second).

The hard part is actually creating the ecosystem and infrastructure to allocate resources (talent, time, money) for rapidly evaluating and testing ideas. How do you create a culture where bad ideas are filtered out and people are continually motivated to keep trying new ideas? If you iterate enough and continuously toss out the weak ideas, you will (hopefully) eventually find a great one.

Principle 2: Try to Kill Your Best Ideas Early

If people, money and time are your most scarce resources, you don't want to waste them on ideas that won't work.

Instead, you want to kill these ideas early. The best way to do so: establish a culture that incentivizes killing ideas.

Astro explains, "The moonshot factory is a messy place. But rather than avoid the mess, pretend it's not there, we've tried to make that our strength. We spend most of our time breaking things and trying to prove that we're wrong." Astro pauses for effect: "That's it…that's the secret." He continues, "Run at all the hardest parts of the problem first. Get excited and cheer, 'Hey! How are we going to kill our project today?'"

Here are two effective strategies X employs on a regular basis for killing weak ideas early:

  • Run a “Pre-mortem”: We’ve all heard of post-mortems where you analyze an idea in retrospect to find out why it failed. But what about trying to predict in advance why an idea is likely to fail? X calls this a pre-mortem. At X, teams typically vote to kill their ideas in a pre-mortem. When they do actually kill an idea, they are celebrated and rewarded by the organization.
  • Rapid “Eval-Team”: Before moving forward with a project, X employs a team to analyze the technical feasibility of projects. Given the known laws of physics and X’s available resources, is this solution physically possible? If not, kill it.

The strategy is pretty simple — you need to be constantly trying to come up with reasons your idea won't work, why you can't pull it off, why you don't have the right resources to do it, etc.

The ideas that survive this process (the ideas you literally can't kill) are the good ideas worth pursuing.

Principle 3: Set Quarterly Audacious Goals (Emphasis on "Audacious")

Most companies set quarterly goals in a contentious manner. The manager sets a high bar to stretch the employee, and the employees want to set a lower bar they know they can meet. In the end, both parties settle somewhere in the middle and nobody is happy with the result.

At X, the goal is for each team to set audacious, ridiculously hard quarterly goals.

X has a culture where each team has the objective of impressing the other teams with how audacious they're willing to be (Note: These goals should be just audacious enough that they are still plausible but not impossible).

The result is a culture of bravery and persistence.

Astro notes, "It is frequently the case that not a single person hits their audacious goals, but that's okay…"

He continues, "Create an organization that looks like Willy Wonka's Chocolate Factory and fill it with Peter Pans with PhDs. You need to make them understand and feel good about the fact that they are going to fail most of the time. And they'll love it when you let them go."

Principle 4: Failing Is Not "Wasting" Time and Money

"I often ask my project managers," Astro says, "If you had to rebuild your last project from scratch (let's say you lost all your code), how long would it take you to rebuild it, assuming you had your same team in place, to what it is now?"

"They usually say, 'I don't know…10% of the original time?'"

"There is a name for that other 90% — it's called LEARNING. The job of a great manager, a great entrepreneur, and a great CEO is to try to make that 90% time shorter. Focus on how to make it as short as possible, as efficient as possible."

If a team is working on solving a difficult problem and a manager complains that they are "wasting time and money and not getting anywhere," get rid of the manager.

That so-called wasted time is actually your team learning...

Astro continues with his advice, "It's also extremely important as a manager not to swoop in and kill projects you 'know' are going to fail."

"You have to allow your team to fail and watch the snowball effects of what they learn ripple through your organization. This creates a culture where folks will continue to try to solve problems and won't be afraid of failing."

Principle 5: Perspective Shifting Is More Powerful Than Being Smart

Sometimes shifting your perspective on solving a problem is more powerful than being smart.

This is one of X's mantras, Astro explains: "Take wind energy. It's one of my favorite examples of perspective shifting. There's no way that we're going to build a better standard wind turbine than today's experts in that industry. But we found a way to get our turbines up higher into the sky, and to get access to faster, more consistent winds, and to more energy without needing hundreds of tons of steel to get the turbines there."

He continues, "We haven't yet found a way to kill this project. And the longer it survives that pressure, the more excited we get that this could become a cheaper and more deployable form of wind energy for the world."

When you are faced with a seemingly impossible problem, sometimes you need to shift your perspective, question each assumption and see what crazy ideas may actually be the basis for a fundamental breakthrough.


Image credit: Shutterstock.com

 

06 Apr 15:40

Dr Who Returns to Earth

by Will Sweatman
Stuart.ward.uk

check the date on this one...

While searching for signs of Dalek activity in the vast depths of outer space, the Arecibo Observatory in Puerto Rico stumbled across a most interesting find. They were receiving modulated radio signals emanating from an invisible object about 25 light years away. The signals were all in the VHF band between 41 and 68 MHz. After applying a little amplification and some wibbly wobbly timey wimey enhancements, it became clear what the signals were – 50 year old terrestrial television broadcasts. The site takes a minute or so to load due to the traffic it's getting.

[Dr. Venn], the radio astronomer who discovered the signals, was able to talk NASA into pointing the Hubble Space Telescope in the direction of the now officially named “Bounce Anomaly”, but was unable to see anything. Meanwhile, a BBC team has been working with [Dr. Venn] to recover the 50 year old signals and is attempting to reconstruct entire broadcasts – some of which are the very first Dr. Who episodes.

Thanks to [PWalsh] for the tip.


Filed under: news
31 Mar 15:31

You Don’t Need To Panic About ‘Ubuntu on Windows’

by Scott Bouvier
Stuart.ward.uk

So this is adding a Wine-like layer to Windows to translate Linux system calls to run Linux ELF binaries on Linux.

Up is now down, down is now left, and Microsoft is no longer evil — but are Linux lovers stuck in the past?

This post, You Don’t Need To Panic About ‘Ubuntu on Windows’, was written by Scott Bouvier and first appeared on OMG! Ubuntu!.

17 Feb 14:59

Report on the IP Bill

by Ross Anderson
Stuart.ward.uk

It is bad but not quite as bad as Ross seems to imply, I think.

This morning at 0930 the Joint Committee on the IP Bill is launching its report. As one of the witnesses who appeared before it, I got an embargoed copy yesterday.

The report is deeply disappointing; even that of the Intelligence and Security Committee (whom we tended to dismiss as government catspaws) is more vigorous. The MPs and peers on the Joint Committee have given the spooks all they wanted, while recommending tweaks and polishes here and there to some of the more obvious hooks and sharp edges.

The committee supports comms data retention, despite acknowledging that multiple courts have found this contrary to EU and human-rights law, and the fact that there are cases in the pipeline. It supports extending retention from big telcos offering a public service to private operators and even coffee shops. It supports greatly extending comms data to ICRs; although it does call for more clarity on the definition, it gives the Home Office lots of wriggle room by saying that a clear definition is hard if you want to catch all the things that bad people might do in the future. (Presumably a coffee shop served with an ICR order will have no choice but to install a government-approved black box, or just pipe everything to Cheltenham.) It welcomes the government decision to build and operate a request filter – essentially the comms database for which the Home Office has been trying to get parliamentary approval since the days of Jacqui Smith (and which Snowden told us they just built anyway). It comes up with the rather startling justification that this will help privacy as the police may have access to less stuff (though of course the spooks, including our 5eyes partners and others, will have more). It wants end-to-end encrypted stuff to be made available unless it's "not practicable to do so", which presumably means that the Home Secretary can order Apple to add her public key quietly to your keyring to get at your Facetime video chats. That has been a key goal of the FBI in Crypto War 2; a Home Office witness openly acknowledged it.

The comparison with the USA is stark. There, all three branches of government realised they’d gone too far after Snowden. President Obama set up the NSA review group, and implemented most of its recommendations by executive order; the judiciary made changes to the procedures of the FISA Court; and Congress failed to renew the data retention provisions in the Patriot Act (aided by the judiciary). Yet here in Britain the response is just to take Henry VIII powers to legalise all the illegal things that GCHQ had been up to, and hope that the European courts won’t strike the law down yet again.

People concerned for freedom and privacy will just have to hope the contrary. The net effect of the minor amendments proposed by the joint committee will be to make it even harder to get any meaningful amendments as the Bill makes its way through Parliament, and we’ll end up having to rely on the European courts to trim it back.

For more, see Scrambling for Safety, a conference we held last month in London on the bill and whose video is now online, and last week’s Cambridge symposium for a more detailed analysis.

27 Jan 17:21

RWMC – Retrieve Windows Credentials With PowerShell

by Darknet
RWMC is a Windows PowerShell script written as a proof of concept to retrieve Windows credentials using only PowerShell and CDB command-line options (Windows Debuggers). It can retrieve credentials from Windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7, 32 and 64 bit, Windows […]

Read the full post at darknet.org.uk
26 Jan 17:42

How a Small Company in Switzerland Is Fighting a Surveillance Law — And Winning

by Jenna McLaughlin
Stuart.ward.uk

Let this be an example to the UK and their Snoopers Charter

A small email provider and its customers have mobilized to force the Swiss government to put its new invasive surveillance law up for a public vote in a national referendum in June. (See correction below.)

“This law was approved in September, and after the Paris attacks, we assumed privacy was dead at that point,” said Andy Yen, co-founder of ProtonMail, when I spoke with him on the phone. He was referring to the Nachrichtendienstgesetz (NDG), a mouthful of a name for a bill that gave Swiss intelligence authorities more clout to spy on private communications, hack into citizens’ computers, and sweep up their cellphone information.

The climate of fear and terrorism, he said, felt too overwhelming to get people to care about constitutional rights when people first started organizing to fight the NDG law. Governments around the world, not to mention cable news networks, have taken advantage of tragedy to expand their reach under the guise of protecting people, even in classically neutral Switzerland — without much transparency or public debate on whether or not increased surveillance would help solve the problem.

But thanks to the way Swiss law works — if you get together 50,000 signatures within three months of the law passing — you can force a nationwide referendum where every citizen gets a say.

“In Switzerland, and overseas, no one really thought to ask the people,” Yen said. “The public opinion, especially from the young people, has shifted to pro-privacy.”

By gathering its users and teaming up with political groups including the Green and Pirate parties, as well as technological and privacy advocates including Chaos Computer Club Switzerland and Digitale Gesellschaft Switzerland, ProtonMail was able to contribute to the effort to collect over 70,000 signatures before the deadline. (See correction below.)

The new law is the first of two surveillance laws that have been circulating through the Swiss Parliament. The NDG law was fully passed in September, but can’t take full effect until after the referendum vote in June. The NDG would “create a mini NSA in Switzerland,” Yen wrote — allowing Swiss intelligence to spy without getting court approval. It would authorize increased use of “Trojans,” or remote hacking tactics to investigate suspects’ computers, including remotely turning on Webcams and taking photos, as well as hacking abroad to protect Swiss infrastructure. It would legalize IMSI catchers, or Stingrays, which sweep up data about cellphones in the area.

The second law, known as the “BÜPF,” might come up for a vote in the Parliament’s spring session, but may be revised or delayed. The BÜPF would expand the government’s ability to retain data for longer, including communications and metadata, as well as deputize private companies to help spy on their users, or face a fine. “What I have heard from insiders is that they will reduce its scope now that they know we have the numbers to also force a vote on that law,” Yen wrote in an email to The Intercept.

ProtonMail, created by scientists and engineers with know-how in particle physics, software, cryptology, and civil liberties, provides end-to-end encryption by default to its users for free — making it easy for ordinary people to protect the content of their communications.

With end-to-end encryption, only the person who sends the message and the person who receives it can access the content; not even the company can see what was written. Encryption protects transactions on the internet, so that criminals can’t read messages, steal credit card information, or impersonate others.

The Swiss surveillance bill does not compel ProtonMail to decrypt its users' communications, so if the Swiss intelligence service forces it to hand over data, all it will get of the message bodies is ciphertext. (End-to-end encryption protects content, not metadata: who wrote to whom, and when, is still held by the provider.) But ProtonMail still feels the measure threatens Swiss privacy — something the company hopes to defend, regardless of its bottom line.

There are some strong political currents in Europe, as in the United States, beating strongly against encryption and privacy — which law enforcement says prevents them from accessing evidence with a warrant. Lawmakers, government officials, and law enforcement agencies alike have been pushing for a way to gain access into end-to-end encrypted communications. Cryptographers and security researchers broadly agree this is a bad idea, and would threaten the security of the internet without actually helping anyone catch bad guys.

As of November, 14 countries had passed new laws bequeathing more power to intelligence agencies to spy. France’s upcoming surveillance law, though it will not mandate backdoors in encryption, will allow law enforcement more surveillance powers, including to spy on phone calls and emails without a judge’s approval and install key logger devices on suspects’ computers to retrieve their passwords. The Chinese government passed a law in December requiring companies to turn over encryption keys, and the Cuban government has the power to approve all encryption technology before it hits the market. In Bahrain, where dissenting political speech is condemned, encryption is outlawed for “criminal intentions.”

The U.K.’s Investigatory Powers Bill, or “Snooper’s Charter,” as many call it, could compel companies to help the government circumvent encryption if it becomes law, according to privacy advocates familiar with the draft legislation.

Other countries’ laws might affect ProtonMail’s business overseas, as well as major American companies offering end-to-end encryption, like Apple.

According to Yen, issues of national security and privacy aren’t usually brought to a vote by the entire country. Nationwide referendums aren’t all that common — they happen maybe five or six times a year, usually when the government wants to build something expensive and people don’t want to pay for it. Forcing a referendum is a lengthy, pricey process, he says.

But now, the Swiss want to be an example for the rest of the world by “pushing to make data a cornerstone of the Swiss economy,” he said. “When you talk about data privacy, all our data goes online — we have to find a way to secure it. At the end of the day this privacy comes as a result of security.”

The same fight is brewing in the U.S., where people might have to be more creative and forceful to make their opinions heard. “ProtonMail went out to get signatures, worked with political parties, the Green party, the Pirate party. In the U.S., maybe with non-mainstream political groups, with the support of young people, and a few of the technology companies — there’s a real chance,” Yen said.

“A couple months ago we thought this referendum was totally impossible. Now here we are.”

Correction: An earlier version of this article overstated the role of ProtonMail and understated the role of the parties whose names were on the referendum committee that formally submitted signatures to the Swiss Parliament. The committee was spearheaded by the Young Socialists Party, and included the Social Party, Green Party, the rights groups Grundrechte.ch and Digitale Gesellschaft, the Group for a Switzerland without an Army (GSoA), the Pirate Party, the media syndicate Syndicom, the Labor Party of Bern and Tessin (PDA), Basler Fankurve, Swiss football supporters, and four others. ProtonMail was supportive of the effort but was not formally included on the referendum committee.

Top photo: Swiss citizens bring boxes of signatures to the Swiss Parliament. 

The post How a Small Company in Switzerland Is Fighting a Surveillance Law — And Winning appeared first on The Intercept.

13 Dec 16:20

Amazon Deal of the Day: Amazon Fire TV Gaming Edition + Great Gift Ideas at AMAZING Prices!

by Geeks are Sexy


We’ve got a lot of stuff for today, so if you’re still looking for that perfect gift for someone, check these deals out, including the all-new Fire TV Gaming Edition (Over 800 games available for now!)

Save $25 on the All-new Fire TV Gaming Edition: $139.99, now $114.99

Save Up to 73% on Popular TV shows and Movies

Kindle E-Reader: $79.99, now $59.99

$25 Applebee’s Gift Card for just $18.75! (25% Off)

40% and more off Giftable Toys

70% or More Off Luggage and Travel Gear

Save BIG on Holiday Lights and Decorations

Miracle-Gro AeroGarden Bounty with Gourmet Herb Seed Pod Kit: $319.95, now $179.95 (44% Off)

Up to 40% Off Select Graco Car Seats, Strollers and Gear

The post Amazon Deal of the Day: Amazon Fire TV Gaming Edition + Great Gift Ideas at AMAZING Prices! appeared first on Geeks are Sexy Technology News.

06 Nov 15:38

New Zealand Spy Watchdog Investigating Country’s Ties to CIA Torture

by Dan Froomkin

New Zealand’s spy watchdog has launched an inquiry into her country’s links to the CIA’s detention and interrogation program.

Cheryl Gwyn, the inspector general for intelligence and security, said the U.S. Senate Intelligence Committee report released in December 2014 named a number of countries that were involved in the torture and inhumane treatment of detainees — “but the names of those countries have been redacted.”

That wasn’t OK with her.

“I identified a public interest in inquiring into whether New Zealand’s intelligence agencies and personnel knew or were otherwise connected with or risked connection to the activities discussed in the U.S. Senate Report,” she wrote in her annual report released Wednesday.

Gwyn wrote that her inquiry “does not suggest or presuppose that New Zealand agencies or personnel were in any way connected with those activities.” But she said she does intend to find out whether there was such a connection — and “whether there were and/or now are any safeguards in place or other steps taken to address any connection or risk of connection to such activities.”

The New Zealand Herald first reported the investigation. “She’s opened a can of worms here because there was no reason for her to open this inquiry unless she saw something,” the paper quoted a security analyst, Paul Buchanan, telling Radio New Zealand.

Gwyn also announced that she has developed a “formal internal policy for handling protected disclosures, or ‘whistleblowing,'” and is trying to get the country’s intelligence agencies to adopt it.

“The Edward Snowden disclosures demonstrate how critical it is to have a clear path, with appropriate protections, for disclosing information about suspected wrongdoing within an intelligence and security agency,” she said in a statement.

 

The post New Zealand Spy Watchdog Investigating Country’s Ties to CIA Torture appeared first on The Intercept.

30 Dec 19:13

JPMorgan Chase hack due to missing 2-factor authentication on one server

by Peter Bright

JPMorgan Chase was among five banks that were reported to have been hacked earlier this year, and details have emerged on how the hack took place.

When news first broke in August, it was believed that a zero-day Web server exploit was used to break into the bank's network. Now, however, The New York Times is reporting that the entry point was much more mundane: a JPMorgan employee had their credentials stolen.

This shouldn't have been a problem. JPMorgan uses two-factor authentication, meaning that a password alone isn't sufficient to log in to a system. Unfortunately, for an unknown reason one of the bank's servers didn't have this enabled. It allowed logging in with username and password alone, and this weak point in the bank's defenses was sufficient for hackers to break in and access more than 90 other servers on the bank's network.
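The lesson of the JPMorgan breach is that one host outside the policy is the whole perimeter. The check a defender wants is an inventory-wide audit that finds hosts where a password alone completes a login. Below is an added example, not from the article or from JPMorgan, that assumes the hosts are OpenSSH servers (the article does not say what kind of server lacked the second factor) and decides from each host's sshd_config whether a password-only login is possible. The three-host inventory is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// hostConfig pairs a host name with the sshd_config text pulled from it.
// The inventory below is constructed for this example; the article does not
// say what kind of server JPMorgan's gap was on, so OpenSSH is an assumption.
type hostConfig struct {
	Host   string
	Config string
}

// sshdDirectives parses "Keyword value" lines, skipping blanks and comments.
// It stops at the first Match block, which this example does not model.
func sshdDirectives(cfg string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(cfg, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		key := strings.ToLower(fields[0])
		if key == "match" {
			break
		}
		if len(fields) > 1 {
			out[key] = strings.Join(fields[1:], " ")
		}
	}
	return out
}

// PasswordAloneSufficient reports whether a login can complete with nothing
// but a password. OpenSSH defaults apply when a keyword is absent:
// PasswordAuthentication yes, and AuthenticationMethods unset ("any").
func PasswordAloneSufficient(cfg string) bool {
	d := sshdDirectives(cfg)
	if pa, ok := d["passwordauthentication"]; ok && !strings.EqualFold(pa, "yes") {
		return false // the password method is disabled outright
	}
	if am, ok := d["authenticationmethods"]; ok && strings.ToLower(am) != "any" {
		// Space-separated alternatives, each a comma-separated chain that must
		// all succeed. A chain that is just "password" is single-factor.
		for _, chain := range strings.Fields(am) {
			if strings.ToLower(chain) == "password" {
				return true
			}
		}
		return false
	}
	return true // no method list: any enabled method, including password, suffices
}

// AuditHosts returns the hosts where a single-factor password login is possible.
func AuditHosts(hosts []hostConfig) []string {
	var weak []string
	for _, h := range hosts {
		if PasswordAloneSufficient(h.Config) {
			weak = append(weak, h.Host)
		}
	}
	return weak
}

// SampleHosts is a constructed three-host inventory.
var SampleHosts = []hostConfig{
	{"bastion-01", "PasswordAuthentication no\nAuthenticationMethods publickey,keyboard-interactive\n"},
	{"app-srv-17", "# never hardened; everything at defaults\nPermitRootLogin no\n"},
	{"vpn-gw-02", "AuthenticationMethods publickey,password password\n"},
}

func main() {
	for _, h := range AuditHosts(SampleHosts) {
		fmt.Println("password alone logs in on", h)
	}
}
```

Run against the sample inventory it flags app-srv-17 (never configured, so defaults apply) and vpn-gw-02 (a second alternative chain of just "password" undoes the public-key requirement in the first). A chain of keyboard-interactive alone is not flagged here because it may be backed by a PAM one-time-password module; in a real audit that case needs the PAM stack checked as well.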


04 Sep 11:42

Pixels

Stuart.ward.uk

one of the best

25 Jun 11:35

UK secretary of state: "There is no surveillance state"

by Cory Doctorow
12 Jun 12:00

ZOMGTERRISTSGONNAKILLUSALL tee, now in tote form

by Cory Doctorow



My ZOMGTERRISTSGONNAKILLUSALLRUNHIDE TSA tee-shirt (of Poop Strong fame) is available in tote-bag form, a fact I had somehow missed!

04 Jun 11:40

To beat this new video game, reprogram it

by bbehrens

The only way to truly beat Hack 'n' Slash, a new video game from Double Fine Productions, is to reprogram it.

But playing the game—a send-up of traditional adventure games like The Legend of Zelda, which place players on quests that involve battling monsters, collecting artifacts, and solving puzzles—requires no programming knowledge whatsoever. Nor does it demand familiarity with coding tools. Instead, Hack 'n' Slash makes manipulating the game's source code part of the game itself. To play it is to hack it.


21 Feb 16:41

Stand Up For ODF In The UK

by Simon Phipps
Stuart.ward.uk

Advocate ODF

Originally posted on Meshed Insights & Knowledge:

Showing that no issue is actually sorted until the end of the process is reached, Microsoft is trying to get its partner network to speak up for OOXML as a document format for government interaction. In a posting to ComputerWorldUK, Simon explains that this would defeat the objective explained by Cabinet Office Minister Francis Maude, who said

“The software we use in government is still supplied by just a few large companies. A tiny oligopoly dominates the marketplace. I want to see a greater range of software used, so civil servants have access to the information they need and can get their work done without having to buy a particular brand of software.”

So ODF Advocates once again need to speak up for openness and diversity – there are links in the article.



15 Nov 17:49

Why the Government Should Help Leakers

by schneier

In the Information Age, it's easier than ever to steal and publish data. Corporations and governments have to adjust to their secrets being exposed, regularly.

When massive amounts of government documents are leaked, journalists sift through them to determine which pieces of information are newsworthy, and confer with government agencies over what needs to be redacted.

Managing this reality is going to require that governments actively engage with members of the press who receive leaked secrets, helping them secure those secrets -- even while being unable to prevent them from publishing. It might seem abhorrent to help those who are seeking to bring your secrets to light, but it's the best way to ensure that the things that truly need to be secret remain secret, even as everything else becomes public.

The WikiLeaks cables serve as an excellent example of how a government should not deal with massive leaks of classified information.

WikiLeaks has said it asked US authorities for help in determining what should be redacted before publication of documents, although some government officials have challenged that statement. WikiLeaks' media partners did redact many documents, but eventually all 250,000 unredacted cables were released to the world as a result of a mistake.

The damage was nowhere near as serious as government officials initially claimed, but it had been avoidable.

Fast-forward to today, and we have an even bigger trove of classified documents. What Edward Snowden took -- "exfiltrated" is the National Security Agency term -- dwarfs the State Department cables, and contains considerably more important secrets. But again, the US government is doing nothing to prevent a massive data dump.

The government engages with the press on individual stories. The Guardian, the Washington Post, and the New York Times are all redacting the original Snowden documents based on discussions with the government. This isn't new. The US press regularly consults with the government before publishing something that might be damaging. In 2006, the New York Times consulted with both the NSA and the Bush administration before publishing Mark Klein's whistle-blowing about the NSA's eavesdropping on AT&T trunk circuits. In all these cases, the goal is to minimize actual harm to US security while ensuring the press can still report stories in the public interest, even if the government doesn't want it to.

In today's world of reduced secrecy, whistleblowing as civil disobedience, and massive document exfiltrations, negotiations over individual stories aren't enough. The government needs to develop a protocol to actively help news organizations expose their secrets safely and responsibly.

Here's what should have happened as soon as Snowden's whistle-blowing became public. The government should have told the reporters and publications with the classified documents something like this: "OK, you have them. We know that we can't undo the leak. But please let us help. Let us help you secure the documents as you write your stories, and securely dispose of the documents when you're done."

The people who have access to the Snowden documents say they don't want them to be made public in their raw form or to get in the hands of rival governments. But accidents happen, and reporters are not trained in military secrecy practices.

Copies of some of the Snowden documents are being circulated to journalists and others. With each copy, each person, each day, there's a greater chance that, once again, someone will make a mistake and some -- or all -- of the raw documents will appear on the Internet. A formal system of working with whistle-blowers could prevent that.

I'm sure the suggestion sounds odious to a government that is actively engaging in a war on whistle-blowers, and that views Snowden as a criminal and the reporters writing these stories as "helping the terrorists." But it makes sense. Harvard law professor Jonathan Zittrain compares this to plea bargaining.

The police regularly negotiate lenient sentences or probation for confessed criminals in order to convict more important criminals. They make deals with all sorts of unsavory people, giving them benefits they don't deserve, because the result is a greater good.

In the Snowden case, an agreement would safeguard the most important of NSA's secrets from other nations' intelligence agencies. It would help ensure that the truly secret information not be exposed. It would protect US interests.

Why would reporters agree to this? Two reasons. One, they actually do want these documents secured while they look for stories to publish. And two, it would be a public demonstration of that desire.

Why wouldn't the government just collect all the documents under the pretense of securing them and then delete them? For the same reason they don't renege on plea bargains: No one would trust them next time. And, of course, because smart reporters will probably keep encrypted backups under their own control.

We're nowhere near the point where this system could be put into practice, but it's worth thinking about how it could work. The government would need to establish a semi-independent group, called, say, a Leak Management unit, which could act as an intermediary. Since it would be isolated from the agencies that were the source of the leak, its officials would be less vested and -- this is important -- less angry over the leak. Over time, it would build a reputation, develop protocols that reporters could rely on. Leaks will be more common in the future, but they'll still be rare. Expecting each agency to develop expertise in this process is unrealistic.

If there were sufficient trust between the press and the government, this could work. And everyone would benefit.

This essay previously appeared on CNN.com.

05 Nov 13:22

Fighting patent trolls and corruption with the Magnificent Seven business-model

by Cory Doctorow
Stuart.ward.uk

I hope this actually happens


My new Locus column, Collective Action, proposes a theory of corruption: the relatively small profits from being a jerk are concentrated, the much larger effects are diffused, which means that the jerks can afford better lawyers and lobbyists than any one of their victims. Since the victims are spread out and don't know each other, it's hard to fight back together.

Then I propose a solution: using Kickstarter-like mechanisms to fight corruption: a website where victims of everything from patent trolls and copyright trolls, all the way up to pollution and robo-signing foreclosures, can find each other and pledge to fund a group defense, rather than paying off the bandits.

It's the Magnificent Seven business model: one year, the villagers stop paying the robbers, and use the money to pay mercenaries to fight the robbers instead.

What would a Kickstarter for Class Action Defense look like? Imagine if you could pledge, ‘‘I promise that I will withhold license fees/settlements for [a bad patent/a fraudulent copyright fee/a copyright troll’s threat] as soon as 100 other victims do the same.’’ Or 1,000. Or 10,000. Hungry, entrepreneurial class-action lawyers could bid for the business, offer opinions on the win-ability of the actions, or even start their own kickstarters (‘‘I promise I will litigate this question until final judgment if 1,000 threat-letter recipients promise to pay me half of what the troll is asking.’’)

Basically, it’s the scene where the villagers decide to stop paying the bandits and offer the next round of protection money to the Magnificent Seven to defend them.

There’s a lot to like about this solution. Once a troll is worried about a pushback from his victims, he’ll need to raise a war-chest, and since the only thing a troll makes is lawsuits, he’ll start sending more threats. Those threats will attract more people to the kickstarter, raising its profile and its search-rank. The more the troll wriggles, the more stuck he becomes.

We could spin out a thousand possible variations on this – a pro-rated refund if the lawyer wins without spending all the money, or preferential shares to early entrants; a traditional plaintiff’s side class-action sister-project that goes after trolls who’ve lost their suits and uses their defeat as the basis for stripping them of every asset to their underwear and redistributing it to victims (and lawyers, of course – though that’s not a bad outcome, since it means lawyers might be willing to spend more on the ‘‘defense’’ part of the action in the hopes of a bigger payout down the line).

Collective Action

14 Oct 17:08

Fixing ALL login issues for web service logins with SQRL [Martin]

by mobilesociety

In the past couple of years we've become accustomed to weekly news of grand-scale username and password thefts at major web services. Many people use very weak passwords that can be cracked in seconds, and reuse the same password across many web services, so a breach at one site opens accounts everywhere else. In addition, viruses and Trojan horses try to capture username and password combinations directly on PCs to get access to banking web sites and other high-value targets. To me it looks like the situation is getting more and more out of control. While two-factor authentication (e.g. an SMS with an additional code being sent by the bank before a transaction is made) fixes some of the issues for some web services, it's too cumbersome for everyday logins. But now Steve Gibson, famous for his SpinRite product and perhaps even more for his weekly Security Now podcast, has come up with a solution that fixes all of this. Too good to be true? I thought so, too, at first, but it seems he's really figured it out.

The core of his solution, which he named SQRL (Secure QR Code Login), is that web services no longer store usernames and passwords but just a public key that the user sent when first registering with the site. For login, the site sends a random number (a nonce) that the client signs with the user's secret key to produce a response; the service then verifies that signature with the public key agreed at registration. In other words, the secret is no longer in the hands of the web service but in the hands of the user, so there is no longer a password database with millions of entries worth stealing on the service's side. Because each web service receives a different public key and a different nonce is used for each login, a breach at one site leaks nothing usable at another, which is exactly the damage that reusing one username and password across sites causes today. Not to be underestimated, either, is that no password has to be typed in, which removes the incentive to pick passwords that are easy to remember and easy to crack.

On the client side, using SQRL is straightforward. A smartphone can scan a QR code shown on the login page for an out-of-band authentication; this is the most secure way to access a web service, provided the secret key is stored securely on the mobile device, because the key never touches the PC that runs the browser. Alternatively, a browser plugin can detect that a web service offers SQRL login and generate the response automatically.
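To make the exchange concrete, here is a small added example in Go (my own illustration, not Steve Gibson's code or the SQRL reference implementation): a per-site Ed25519 key pair derived from one master key with HMAC-SHA256 over the site's domain, a server that stores only public keys, a random nonce challenge, and a signed response that the server verifies and then refuses to accept twice. The master key value, the domain names and the HMAC-based derivation are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client side: one 256-bit master key that never leaves the device.
// Constructed here for the example; a real client generates it randomly.
var masterKey = bytes.Repeat([]byte{0x42}, 32)

// SiteKey derives the Ed25519 key pair the client uses for one site.
// HMAC-SHA256(master, domain) gives a 32-byte seed, so every site sees a
// different public key and cannot link the user across services.
// (The derivation is this example's assumption, not the SQRL specification.)
func SiteKey(master []byte, domain string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, master)
	m.Write([]byte(domain))
	return ed25519.NewKeyFromSeed(m.Sum(nil)) // 32 bytes = ed25519.SeedSize
}

// PublicKeyOf is the identity the client presents to a site.
func PublicKeyOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// Server side: per user the site stores nothing but a public key.
type Server struct {
	Domain string
	users  map[string]ed25519.PublicKey // keyed by hex(public key)
	nonces map[string]bool              // outstanding one-time challenges
}

func NewServer(domain string) *Server {
	return &Server{Domain: domain, users: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Register records the public key sent on first visit; there is no password.
func (s *Server) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// Challenge issues a fresh random nonce that will be accepted at most once.
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.nonces[hex.EncodeToString(n)] = true
	return n
}

// challengeMessage is what actually gets signed: domain || 0x00 || nonce,
// so a response produced for one site or one login is worthless elsewhere.
func challengeMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// Answer is computed by the client with its per-site private key.
func Answer(priv ed25519.PrivateKey, domain string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(domain, nonce))
}

// Login verifies the response against the stored key and burns the nonce.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) error {
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return errors.New("unknown public key")
	}
	nk := hex.EncodeToString(nonce)
	if !s.nonces[nk] {
		return errors.New("nonce not outstanding: replay or forgery")
	}
	if !ed25519.Verify(stored, challengeMessage(s.Domain, nonce), sig) {
		return errors.New("signature does not verify")
	}
	delete(s.nonces, nk) // one-time use
	return nil
}

func main() {
	bank, shop := SiteKey(masterKey, "bank.example"), SiteKey(masterKey, "shop.example")
	fmt.Printf("bank.example sees %x\nshop.example sees %x\n", PublicKeyOf(bank), PublicKeyOf(shop))

	srv := NewServer("bank.example")
	srv.Register(PublicKeyOf(bank))
	nonce := srv.Challenge()
	sig := Answer(bank, "bank.example", nonce)
	fmt.Println("login:    ", srv.Login(PublicKeyOf(bank), nonce, sig))
	fmt.Println("replay:   ", srv.Login(PublicKeyOf(bank), nonce, sig))
	nonce2 := srv.Challenge()
	fmt.Println("other key:", srv.Login(PublicKeyOf(bank), nonce2, Answer(shop, "bank.example", nonce2)))
}
```

Two points worth noticing when running it: the two sites receive unrelated public keys from the same master key, and a response is bound to both the domain and the nonce, so it cannot be reused at another site or for a second login. What domain binding alone does not stop is an attacker who shows the user a genuine challenge from the real site inside a phishing page and then uses the signed response in his own session; the out-of-band phone flow needs some additional tie between the browser session and the signing device to close that gap.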

For more, head over to Steve's page that explains the details, or listen to the podcast/videocast on the topic, where he introduces SQRL starting at around 38 minutes in. I am amazed and very enthusiastic about it and hope we'll see implementations in the wild soon.

07 Oct 15:53

On Secrecy

by schneier

"When everything is classified, then nothing is classified."

I should suppose that moral, political, and practical considerations would dictate that a very first principle of that wisdom would be an insistence upon avoiding secrecy for its own sake. For when everything is classified, then nothing is classified, and the system becomes one to be disregarded by the cynical or the careless, and to be manipulated by those intent on self protection or self-promotion. I should suppose, in short, that the hallmark of a truly effective internal security system would be the maximum possible disclosure, recognizing that secrecy can best be preserved only when credibility is truly maintained.

Justice Stewart, New York Times v. United States (1971).
23 Sep 09:18

CCC bust Apple's fingerprint scanner?

by David Rogers

That was quick...

Just a few days ago I wrote about some of my concerns on biometrics, after the launch of the fingerprint scanner 'TouchID' on the iPhone 5S. It appears that they may have been well-founded. The Chaos Computer Club in Germany have released a blog and video which seems to show TouchID being broken by a fake fingerprint. Back to the drawing board again on biometrics? Watch the video for yourself below:


10 Sep 13:39

Conspiracy Theories and the NSA

by schneier

I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public institution fails.

The NSA has repeatedly lied about the extent of its spying program. James R. Clapper, the director of national intelligence, has lied about it to Congress. Top-secret documents provided by Edward Snowden, and reported on by the Guardian and other newspapers, repeatedly show that the NSA's surveillance systems are monitoring the communications of American citizens. The DEA has used this information to apprehend drug smugglers, then lied about it in court. The IRS has used this information to find tax cheats, then lied about it. It's even been used to arrest a copyright violator. It seems that every time there is an allegation against the NSA, no matter how outlandish, it turns out to be true.

Guardian reporter Glenn Greenwald has been playing this well, dribbling the information out one scandal at a time. It's looking more and more as if the NSA doesn't know what Snowden took. It's hard for someone to lie convincingly if he doesn't know what the opposition actually knows.

All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There's simply no credibility, and -- the real problem -- no way for us to verify anything these people might say.

It's a perfect environment for conspiracy theories to take root: no trust, assuming the worst, no way to verify the facts. Think JFK assassination theories. Think 9/11 conspiracies. Think UFOs. For all we know, the NSA might be spying on elected officials. Edward Snowden said that he had the ability to spy on anyone in the U.S., in real time, from his desk. His remarks were belittled, but it turns out he was right.

This is not going to improve anytime soon. Greenwald and other reporters are still poring over Snowden's documents, and will continue to report stories about NSA overreach, lawbreaking, abuses, and privacy violations well into next year. The "independent" review that Obama promised of these surveillance programs will not help, because it will lack both the power to discover everything the NSA is doing and the ability to relay that information to the public.

It's time to start cleaning up this mess. We need a special prosecutor, one not tied to the military, the corporations complicit in these programs, or the current political leadership, whether Democrat or Republican. This prosecutor needs free rein to go through the NSA's files and discover the full extent of what the agency is doing, as well as enough technical staff who have the capability to understand it. He needs the power to subpoena government officials and take their sworn testimony. He needs the ability to bring criminal indictments where appropriate. And, of course, he needs the requisite security clearance to see it all.

We also need something like South Africa's Truth and Reconciliation Commission, where both government and corporate employees can come forward and tell their stories about NSA eavesdropping without fear of reprisal.

Yes, this will overturn the paradigm of keeping everything the NSA does secret, but Snowden and the reporters he's shared documents with have already done that. The secrets are going to come out, and the journalists doing the outing are not going to be sympathetic to the NSA. If the agency were smart, it'd realize that the best thing it could do would be to get ahead of the leaks.

The result needs to be a public report about the NSA's abuses, detailed enough that public watchdog groups can be convinced that everything is known. Only then can our country go about cleaning up the mess: shutting down programs, reforming the Foreign Intelligence Surveillance Act system, and reforming surveillance law to make it absolutely clear that even the NSA cannot eavesdrop on Americans without a warrant.

Comparisons are springing up between today's NSA and the FBI of the 1950s and 1960s, and between NSA Director Keith Alexander and J. Edgar Hoover. We never managed to rein in Hoover's FBI -- it took his death for change to occur. I don't think we'll get so lucky with the NSA. While Alexander has enormous personal power, much of his power comes from the institution he leads. When he is replaced, that institution will remain.

Trust is essential for society to function. Without it, conspiracy theories naturally take hold. Even worse, without it we fail as a country and as a culture. It's time to reinstitute the ideals of democracy: The government works for the people, open government is the best way to protect against government abuse, and a government keeping secrets from its people is a rare exception, not the norm.

This essay originally appeared on TheAtlantic.com.

30 Aug 12:44

Who Wrote the Pincer Android Trojan?

by BrianKrebs

Stories in this blog’s Breadcrumbs series have sought to comb through clues that point to the possible location and identities of malware authors and purveyors. But from time to time those clues lead definitively back to an individual. In today’s post, we’ll talk with the author of the Pincer Trojan for Android — a 32-year-old programmer at a mobile app development firm in Russia.

In April, Finnish security firm F-Secure first warned about Trojan:Android/Pincer.A, which comes disguised as a security certificate and is designed to surreptitiously intercept and forward text messages. As F-Secure notes, previous malicious mobile apps pretending to be certificates have been mobile components of banking Trojans aimed at defeating two-factor authentication.

F-Secure researchers observed that Pincer used the IMEI of the victim’s phone as an identifier, and that the Trojan would call home to a control server and report the device’s phone and serial numbers, phone model, carrier and OS version. They also found that Pincer checks to see if it’s being run in a virtual environment, which is a common trick designed to frustrate malware analysis tools used by security researchers.

Interestingly, F-Secure noted that the code within the trojan includes a class called “USSDDumbExtendedNetworkService” — a component that was assigned a seemingly arbitrary variable that F-Secure researchers said was probably either associated with a French Canadian concrete company or the Twitter handle of a young Russian whose Google+ page lists employment as “Android developer”.

I followed up with F-Secure about this post, and learned that the redacted portion of that post — the variable included in that first variant of the Pincer Trojan — was “senneco.com” (Virustotal’s analysis lists it as “com.senneco”). A quick search on Google turns up Twitter and Google+ accounts by this name belonging to a Yuri Shmakov from Novosibirsk, Russia. Shmakov’s Google+ page says he is a developer at Arello-Mobile, a mobile app development firm also in Novosibirsk.

Text string “senneco” inside an early sample of the Pincer Android Trojan. Source: F-Secure.

A scan of Shmakov’s accounts turned up the email address senneco@gmail.com. I sent an email to that address, explaining F-Secure’s findings and asking whether the recipient had anything to do with the Pincer Trojan. To my surprise, Shmakov promptly replied that, why yes he had indeed created it as a freelance project.

Shmakov told me that, based on the client’s specifications, he suspected it might ultimately be put to nefarious uses. Even so, he completed the job and signed his work by including his nickname in the app’s code.

“I was working on this app for some months, and I was hoping that it would be really helpful,” Shmakov wrote. “[The] idea of this app is that you can set it up as a spam filter…block some calls and SMS remotely, from a Web service. I hoped that this will be [some kind of] blacklist, with logging about blocked [messages/calls]. But of course, I understood that client [did] not really want this.”

Shmakov said the guy who hired him to write the Android application used the email address alexbort@hush.com. But Shmakov declined to say why he decided to take the job even though he understood that his creation would be used for malicious purposes.

“The most difficult task to understand and to implement was to intercept the USSD execution value without root access,” Shmakov continued, switching to Russian in a second, more academic reply via email. “The related algorithm was a rather complicated one. For example, should you not succeed in transmitting the intercepted SMS over the Internet, then add it to the queue; had it spent too much time in the queue, then send it by SMS, etc. That being said, this is not really relevant to our case.  By the way, it may indeed be worth creating such a service – the way I originally imagined it. Especially, having considered the fact that the mobile spam has finally taken over Russia.”

Whoever owns the address alexbort@hush.com did not respond to requests for comment. Update, Aug. 28, 8:55 a.m. ET: Heard from alexbort@hush.com, who was none too happy that I’d posted his email address. Alex wanted me to know that he was the one who really weaponized the Android application that Shmakov created.

“dear Brian., thank you for your email.The developer did not create the malware as his task was to create the legitimate application. having received the source codes i personally redesigned it into malware ( changed interface and added some features and tricks to it as well ). I am professional developer, but dont have sufficient experience in android applications development. P.S. i am very disappointed that you posted contact information in public, Now am receiving bulk spam emails on my email thank you very much for that.”

Original post:

It is extremely common to find malware and cybercrime jobs that are outsourced to freelancers. In their excellent 2011 paper, “Dirty Jobs: The Role of Freelance Labor in Web Service Abuse,” (PDF), researchers from The University of California, San Diego delved into how cybercriminals crowdsource Web abuse. Also, it’s not unusual to see on underground forums individuals hiring out services to design various components of malware operations, from back-end administrative panels to user interfaces for point-and-click malware creation tools. This was the case with the Styx Exploit Pack, although the designers of that crimeware kit clearly had more personal ties to the individuals who were selling the malware.

In the United States, writing malware is a protected form of free speech, but only up to a point. Prosecutors have gone after malware writers who seek to spread their creations or who have created malicious software with full knowledge of how it will be used.

This seems to also be the case in Russia, albeit in a case involving the theft of hundreds of millions of dollars. Earlier this year, authorities there sentenced to prison a number of programmers who were hired to create individual components of the Carberp banking Trojan. According to an account of the law enforcement action in the Russian news outlet Kommersant, Carberp was coded by a team of about 20-25 people under the age of 30. Most of the men had never met face-to-face. Each worked remotely and was responsible for developing specific modules of the Carberp code, components that were then transmitted to a main development server in Odessa, Ukraine.