US Government: We Suck At Security; Trust Us With Your Records

Your JoeDog is not one of those knee-jerk anti-gub’mint guys but god damn sometimes they test his patience.

By now you’ve heard of that database breach in which the Chinese allegedly stole the personal information of approximately 4 million government employees. About half of those records represent current employees, the rest are for previous workers. According to an unnamed US “official,” the data goes back to 1985.

CNN interviewed “experts” who told the network that the Chinese appear to be building a large database of Federal employees which will help them model the organization and setup insider attacks.

One-third of Your JoeDog’s visitors are from China and we’re starting to feel like an abused spouse. We give you free software and you break down the door and steal our records. Thanks, China. Thanks, a lot.

But here’s the real kick in the ass: US government officials cite this breach as a reason to pass a host of legislation which will, among other things, put more personal information into the hands of government. Information-sharing clauses in these bills will essentially channel more personal data from businesses to the Federal government. That makes Your JoeDog’s head explode. The government is essentially saying, “We can’t secure our own records so give us more records.”

The chairpersons of the select committee on cybersecurity have their hair on fire. They predict dire consequences if we don’t grant them more personal data: “Business and industry leaders warned us of the growing threats during various hearings, and this attack shows why the Senate needs to move quickly on a cyber bill.”

The shittier a bill is, the quicker it must be passed, people. Don’t worry your pretty little heads about its contents.

Funny thing: Newton’s Third Law applies to politics as well as physics. For every asshole, there’s an equal and opposite anti-asshole. Are you from Oregon, Dear Reader? Then pat yourself on the back because your senator is our anti-asshole.

I believe sharing information about cyber-threats is a worthy goal; it is unlikely that information sharing by private companies would have made any significant difference in protecting federal employee data. That’s why cybersecurity experts say that passing a bill like this will do little to reduce security breaches.

“This is a bad excuse to try and pass a bad bill.”

Amen, Senator Anti-asshole. Amen.



Now That’s Underhanded

The Underhanded C Contest challenges participants to write straightforward and clearly written code which doesn’t perform its intended purpose. Winning entries should easily pass inspection by other programmers so they can be added to the code base in order to execute their intended purpose which is to miscount votes, shave money from transactions or pass along information to another party, etc.

Some of the techniques used in this year’s contest include the use of K&R style function declarations to circumvent type checks, #include statements that change the package structure, swapping user-space #defines with system ones, and a misleadingly long loop execution.

The winning entry leveraged the __isleap() function in time.h. Because that function is actually a macro, it expands into an expression that evaluates its argument multiple times. The winning author placed a subtle bug in that macro which plausibly turns the year into a 0 and writes past a buffer, thereby performing the author’s intended purpose: to leak information to the outside world.
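The multiple-evaluation trap behind that entry is easy to see in isolation. This is an added example written for this post, not the contest code: ISLEAP is a copy of glibc’s __isleap() macro body, and next_year() is a constructed input source with a side effect so the number of evaluations can be counted.

```c
#include <stdio.h>

/* Same definition as glibc's __isleap() in <time.h>: a function-like macro
 * whose argument appears three times in the expansion. */
#define ISLEAP(year) \
    ((year) % 4 == 0 && ((year) % 100 != 0 || (year) % 400 == 0))

/* The safe alternative: a real function evaluates its argument exactly once. */
static int isleap_fn(int year) { return ISLEAP(year); }

/* Constructed input source with a side effect: each call hands out the next
 * year and bumps a counter so we can see how often the argument really ran. */
static int g_next_year, g_calls;
static int next_year(void) { g_calls++; return g_next_year++; }

/* Is the "next year" (starting from start) a leap year, per the macro?
 * Short-circuit && / || mean next_year() runs one, two or three times,
 * and each run sees a different year. */
int leap_via_macro(int start)
{
    g_next_year = start; g_calls = 0;
    return ISLEAP(next_year());
}

/* Same question through the function: next_year() runs exactly once. */
int leap_via_function(int start)
{
    g_next_year = start; g_calls = 0;
    return isleap_fn(next_year());
}

/* How many times the argument was evaluated by the most recent call above. */
int evaluations(void) { return g_calls; }

int main(void)
{
    int r = leap_via_macro(1900);      /* 1900 is not a leap year... */
    printf("macro:    1900 -> %d (argument evaluated %d times)\n", r, evaluations());
    r = leap_via_function(1900);
    printf("function: 1900 -> %d (argument evaluated %d time)\n", r, evaluations());
    return 0;
}
```

Starting from 1900 the macro answers "leap year" because its second and third checks are run against 1901, which is why code review should treat any function-like macro fed an expression with side effects as a red flag.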

[Karen Pease: The Underhanded C Contest Winner]



Siege 3.1.0

With little fanfare and positively no hoopla, Your JoeDog released siege-3.1.0 to an unsuspecting world. This release is better able to handle concurrencies greater than 1024 — please don’t use concurrencies greater than 256 unless you know what you’re doing. Siege is able to accomplish this feat through a combination of select on its first 1024 socket descriptors and poll on each one after that. Again, please don’t use concurrencies greater than 256 unless you know what you’re doing.
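The reason for the 1024 split is that select()’s fd_set has a fixed size, FD_SETSIZE, and FD_SET() on a larger descriptor writes past the end of it. The sketch below is an added example written for this post, not Siege’s code: wait_readable() is a hypothetical helper that dispatches on the descriptor number the way the release note describes, and check_fd_number() exercises it on a pipe (moving the read end to a high descriptor with dup2() where the environment allows).

```c
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* Wait until fd is readable or timeout_ms elapses: 1 readable, 0 timeout, -1 error.
 * select() only covers fd < FD_SETSIZE (1024 on glibc); FD_SET() on a larger
 * descriptor writes past the end of the fd_set, so those go to poll() instead. */
int wait_readable(int fd, int timeout_ms)
{
    if (fd < 0)
        return -1;
    if (fd < FD_SETSIZE) {
        fd_set rfds;
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
        return rc < 0 ? -1 : (rc > 0 && FD_ISSET(fd, &rfds) ? 1 : 0);
    }
    struct pollfd pfd = { fd, POLLIN, 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    return rc < 0 ? -1 : (rc > 0 && (pfd.revents & POLLIN) ? 1 : 0);
}

/* Exercise one descriptor number (want < 0: use the pipe's own fd): an empty
 * pipe must time out and a pipe holding one byte must report readable.
 * Returns 1 on pass, 0 on fail, -1 if that descriptor number is unobtainable. */
int check_fd_number(int want)
{
    int p[2];
    if (pipe(p) != 0)
        return -1;
    int rfd = p[0];
    if (want >= 0) {                      /* move the read end up to fd 'want' */
        struct rlimit rl;
        if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)want + 1
            && rl.rlim_max >= (rlim_t)want + 2) {
            rl.rlim_cur = (rlim_t)want + 2;
            setrlimit(RLIMIT_NOFILE, &rl);
        }
        if (dup2(p[0], want) != want) { close(p[0]); close(p[1]); return -1; }
        close(p[0]);
        rfd = want;
    }
    int before = wait_readable(rfd, 10);
    int after = write(p[1], "x", 1) == 1 ? wait_readable(rfd, 10) : -1;
    close(rfd);
    close(p[1]);
    return before == 0 && after == 1;
}
```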

Hat tips to Abhishek Bhuyan, cheshirecatalyst, Teoh Han Hui, scooby, webus and Dave Fink for input and testing leading up to this release. We still have more work to do in this area but we’re in a better place.

Hey ho — that’s not all! Three-one-oh comes with a new feature. We applied a patch from Eric Abbott which provides improved delay granularity. You are no longer confined to the rigid world of integers, one, two, three, four, etc. You can now use decimal precision like this: --delay=0.05 or this: -d 1.5. But here’s the thing about this feature: It’s kind of embarrassing that we’re adding it in the sixteenth year of the project but you guys never asked for it!

One more thing: please don’t use concurrencies greater than 256 unless you know what you’re doing. If you lay siege to apache with an out-of-the-box config, it will not be able to handle the load and all you’ll do is make a mess.

[JoeDog: http://download.joedog.org/siege/siege-3.1.0.tar.gz]



Is Ted Cruz A Retard?

A few months ago, Your JoeDog wrote about Ted Cruz. The topic was net neutrality. Your JoeDog favors it, the Senator opposes it. As a result, one of the more popular search phrases which drives traffic to this site is this question: “Is Ted Cruz a retard?”

Here’s the thing: we never called Ted Cruz a retard. We think he’s either stupid or evil.

And why is that?

In the article Your JoeDog wrote last November, Cruz told an audience that rotary phones became stagnant technology due to FCC regulation but iPhones thrived because the government kept its grubby laws off of them. In the reality-based world, both devices fall under FCC jurisdiction. As a sitting senator, he should know that. After all, Cruz sits on the subcommittee which oversees them both.

Now we’re not qualified to say whether or not Ted Cruz is a retard but if you typed that into the Internets and landed here, then you probably already have an answer to that question. Our hunch is this: Cruz doesn’t actually believe any of the stuff he’s peddling. Donors probably gave him large bags of cash to lobby in their interests. Unfortunately, those interests don’t correspond with mine. So if you want to call Cruz a retard, knock yourself out. Your JoeDog is sticking with “evil.”



Ransomware Creator: Sorry About That

By now you’ve probably heard of ransomware. It’s a form of malware that encrypts your files and demands a payment for the decryption keys. The whole concept of ransomware says a lot about humans, huh? It says we’re quite clever but we’re also basically dicks.

Last week a new strain of human dickishness was unleashed on an unsuspecting public. Locker is a form of ransomware known as a sleeper. That’s a variant that lies dormant until the administrator wakes it up. Last week the alarm rang. The program rolled out of bed and encrypted files on thousands of PCs.

Now this week an internet user who claims to be the author apologized for that whole making-your-life-suck thing. To prove his sincerity, he released this statement on PasteBin:

I am the author of the Locker ransomware and I’m very sorry about what has happened. It was never my intention to release this.

I uploaded the database to mega.co.nz containing ‘bitcoin address, public key, private key’ as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.

He went on to say that automatic decryption will begin today. If your files are already borked by this program, then I suppose you don’t have much choice but to trust the author. Try to decrypt the files with the keys he provided. If that fails, make sure your computer is connected to the internet so you can receive the task signal.



The USA Patriot Act

See that little Frenchie on the right hand side of this here blog post? That was Your JoeDog under the Patriot Act. He slept the sleep of the contented then.

While the USA Patriot Act was in effect he didn’t worry about terrorists coming to chop off his head. He didn’t lose sleep over bad guys with suicide bombs. He didn’t worry his pretty little head about creeping sharia law. But that was then.

Early this morning — at midnight to be exact — the United States Congress allowed the USA Patriot Act to expire. All those terror fighting tools are out the window now. With no eavesdropping, no metadata, no records seizures, and no extended Secret Service jurisdictions, how’s Your JoeDog supposed to sleep at night?

See that little Frenchie on the right hand side of this here blog post? That’s how. Good riddance, USA Patriot Act.



Google Cars Drive Like Your Nana

Here’s a nice first hand account of Google cars from Emerging Technologies:

Google cars seem to be a little overly-cautious at intersections where visibility is limited: Think a T-intersection where a big truck or a bush blocks visibility for the road that needs to turn either left or right. The Google car I saw inched forward very slowly with a lot of pauses, as if it was stopping to get its bearings even though it obviously hadn’t pulled forward enough to “see” anything. It appeared very safe, but if I had been behind it I probably would have been annoyed at how long it took to actually commit to pull out and turn.

Google cars are very polite to pedestrians. They leave plenty of space. A Google car would never do that rude thing where a driver inches impatiently into a crosswalk while people are crossing because he/she wants to make a right turn. However, this can also lead to some annoyance to drivers behind, as the Google car seems to wait for the pedestrian to be completely clear. On one occasion, I saw a pedestrian cross into a row of human-thickness trees and this seemed to throw the car for a loop for a few seconds. The person was a good 10 feet out of the crosswalk before the car made the turn.

This is all well and good but will they drive your drunk ass home from the brew pub?

[Emerging Technologies: Californians are OK with Google self-driving cars]



Al Qaeda’s Porn

In 2011, an al Qaeda operative named Maksud Lodin was arrested in Berlin. Among his possessions was a memory card that contained, among other things, a porn video called KickAss. While that may have raised eyebrows — “a religious holy warrior is carrying beat-off material?” — it wasn’t what authorities were after. To them the “good stuff” is actionable intelligence. According to die Zeit, they found it. Federal police recovered al Qaeda documents that were hidden on the card. Where? They were embedded in the film.

In total, the Germans recovered 141 separate text documents hidden within a .mov file. The discovery confirmed a long-standing hunch that al Qaeda used steganography to hide its information in plain sight. The public was outraged and horrified. “OMG! Al Qaeda is embedding shit inside our porn!!11!1!!”

Your JoeDog was reminded of al Qaeda’s porn when he stumbled across timeshifter. It’s a small utility that lets you embed messages in regular network traffic. How does it work? By modifying the time intervals between packets, @anfractuosus is able to hide messages in plain sight. The system relies on binary encoding. A short delay means 0 and a long delay means 1. By sending messages in this manner, the transmission is unlikely to arouse suspicion.

To implement this system, you’ll need the libnetfilter_queue library and the ability to set iptables rules. All the code is available along with detailed instructions. Check it out.
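The flip side, for anyone watching the wire, is that a two-delay code leaves a fingerprint: inter-arrival gaps pile up at two values with nothing in between. The analysis below is an added example written for this post, not timeshifter’s code; the two captures are constructed timestamp lists, and the 8 ms tolerance and midpoint split are assumptions chosen for the sample, not parameters of the tool.

```c
#include <stddef.h>
#include <string.h>
/* Constructed capture: packet arrival times in ms. A gap near 20 ms carries a
 * 0 bit and a gap near 100 ms a 1 bit, with a few ms of jitter; it spells "Hi". */
static const double covert_ms[] = { 0, 21, 120, 139, 161, 262, 282, 300, 319,
                                    340, 438, 540, 560, 659, 678, 699, 800 };
/* Constructed benign capture: gaps spread across the whole range. */
static const double benign_ms[] = { 0, 15, 55, 125, 150, 240, 295, 330, 390 };

/* Two-cluster check on inter-arrival gaps: split at the midpoint between the
 * shortest and longest gap, then flag the stream when each cluster is tight
 * (range <= tol) and the two are far apart (> 2 * tol). *thr gets the split. */
int looks_like_timing_channel(const double *t, size_t n, double tol, double *thr)
{
    if (n < 3) return 0;
    double lo = t[1] - t[0], hi = lo;
    for (size_t i = 1; i + 1 < n; i++) {
        double g = t[i + 1] - t[i];
        if (g < lo) lo = g;
        if (g > hi) hi = g;
    }
    double mid = (lo + hi) / 2, smax = lo, lmin = hi;
    for (size_t i = 0; i + 1 < n; i++) {
        double g = t[i + 1] - t[i];
        if (g < mid && g > smax) smax = g;    /* top of the short cluster */
        if (g >= mid && g < lmin) lmin = g;   /* bottom of the long cluster */
    }
    if (smax - lo > tol || hi - lmin > tol || lmin - smax <= 2 * tol) return 0;
    *thr = mid;
    return 1;
}

/* Read each gap as one bit (long = 1), MSB first; returns bytes written. */
size_t decode_timing(const double *t, size_t n, double thr, char *out, size_t cap)
{
    size_t nbytes = 0, nbits = 0; unsigned cur = 0;
    for (size_t i = 0; i + 1 < n && nbytes < cap; i++) {
        cur = (cur << 1) | (t[i + 1] - t[i] > thr);
        if (++nbits == 8) { out[nbytes++] = (char)cur; cur = 0; nbits = 0; }
    }
    return nbytes;
}

/* Returns 1 and the decoded text (cap >= 1) when a capture is flagged, else 0. */
int analyse(const double *t, size_t n, char *msg, size_t cap)
{
    double thr; msg[0] = '\0';
    if (!looks_like_timing_channel(t, n, 8.0, &thr)) return 0;
    msg[decode_timing(t, n, thr, msg, cap - 1)] = '\0';
    return 1;
}
```

Real traffic has more jitter than this toy, so a production detector would compare the gap histogram against the host’s normal distribution rather than a fixed tolerance, but the bimodality test is the same idea.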

[anfractuosity: Timeshifter]



Missed Connections

An original Apple computer, now known as the Apple-1, which was designed and hand-built in 1976 by Apple co-founder Steve Wozniak is shown at a press preview at the Computer History Museum in Mountain View, California, USA, 24 June 2013. Christie’s is auctioning the Apple-1 at its First Bytes: Iconic Technology From the Twentieth Century, an online-only auction featuring vintage tech products. EPA/TONY AVELAR

You were a lady of grace, about 60 years old. You had several boxes of old computer parts. You said you were cleaning out the garage after your husband died. You didn’t want a receipt nor did you leave any contact information.

I worked for a computer recycling shop and strolled past those boxes for days until I finally went through them. After discarding several old keyboards and other worthless items, my excitement started to build. “Holy cow!” I said. “This can’t be real … can it?”

Its body was made of wood and its motherboard was large and clunky, a monstrosity that many other people would also consider junk. But it wasn’t junk. No, far from it. You had discarded an original Apple I computer, hand-crafted by The Woz himself. We sold it at auction for two-hundred thousand dollars. Company policy holds that all proceeds from such sales must be split with the original owner.

Call me. We have a $100,000.00 check for you….

[Reuters: Money Awaits Recycler of a Rare Apple I]



How You’ll Die On Mars

Over at Popular Science they provide some insight into the technical hurdles which must be overcome in order to establish a colony on Mars. Here’s a small taste:

Growing crops on Mars isn’t just for feeding hungry astronauts; plants will serve as a vital source of renewable oxygen for the habitat. It’s a much better option than consistently sending heavy oxygen tanks to the red planet, which will take up too much precious space on resupply missions and cost a lot of money to transport.

Studies have shown plants may be able to grow in Martian soil, however crops have never been grown in the Mars gravity environment, so further testing is required to see if vegetation can survive at all. But if that works, the plants required to feed a multi-person crew will be producing a lot of oxygen. And that’s not necessarily a good thing.

According to Do’s report, too much oxygen in a closed environment can lead to an increased risk of oxygen toxicity for the crew, and even worse, spontaneous explosions. So O2 will have to be vented from the habitat. To do this, the astronauts would need a specialized method for separating oxygen from the gas stream. There are a number of methods for doing so here on Earth (cryogenic distillation and pressure swing adsorption) but none of these technologies have been tested for a Martian environment, and considerable research and development would be needed to make these techniques viable on another planet.

[Popular Science: How You’ll Die On Mars]