Wednesday, January 27, 2016

It pains me to say this

The Internet can't match the local pub:
The Campaign for Real Ale (CAMRA) has perhaps merely confirmed what all right-minded people already know: that those who have a local boozer in which to quaff ale and chew the fat with mates are "significantly happier" than wretched souls who do not. 
CAMRA asked Oxford Uni's Professor Robin Dunbar to look into the link between pub-based social interaction and personal wellbeing. He concluded that "having a strong social network significantly improves both your happiness and your overall health".
So much as I love all y'all, get out to your local and have a pint with your mates.  Because SCIENCE®!

Tuesday, January 26, 2016

Is the NSA making friends and influencing people at other agencies?

Because Congress is grilling those other agencies over their use of equipment containing backdoors probably put there by NSA:
A bunch of US government departments and agencies – from the military to NASA – are being grilled over their use of backdoored Juniper firewalls. 
The House of Representatives' Committee on Oversight and Government Reform fired off letters to top officials over the weekend, demanding to know if any of the dodgy NetScreen devices were used in federal systems. 
Juniper's ScreenOS software – the firmware that powers its firewalls – was tampered with by mystery hackers a few years ago to introduce two vulnerabilities: one was an administrator-level backdoor accessible via Telnet or SSH using a hardcoded password, and the other allowed eavesdroppers to decrypt intercepted VPN traffic. The flaws, which were smuggled into the source code of the firmware, were discovered on December 17 by Juniper, and patches were issued three days later to correct the faults.
The speculation is that there aren't many actors other than the NSA who could have pulled this off.  Speculation, of course - there's no smoking gun, as you'd expect.

But everyone suspects them, which means they're incompetent: either they did this and got caught, or they didn't do this but have made everyone distrust them anyway.  Way to go!

Monday, January 25, 2016

"Nannycam" security so bad, there's a search engine for bedroom video monitors

I keep talking about how when it comes to the new "Internet Of Things", security wasn't an afterthought.  It wasn't thought of at all. Internet of Things security is so bad, there’s a search engine for sleeping kids:
Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
We've seen Shodan here before.  It's the All Seeing Eye to identify which devices are connected to the 'net.  As you see here, there are a whole lot of devices that should not be connected to the 'net, at least without better security.  And for an easily understandable reason:
Tentler told Ars that webcam manufacturers are in a race to the bottom. Consumers do not perceive value in security and privacy. As a rule, many have not shown a willingness to pay for such things. As a result, webcam manufacturers slash costs to maximize their profit, often on narrow margins. Many webcams now sell for as little as £15 or $20.
"The consumers are saying 'we're not supposed to know anything about this stuff [cybersecurity]," he said. "The vendors don't want to lift a finger to help users because it costs them money."
So what do you do?  One thing is simply not to get any of this sort of thing.  No Internet-connected webcams, security systems, light bulbs, refrigerators, TVs, etc.  Some of these products are frivolous, like Philips' Internet controllable light bulbs that change color via command from your iPhone app.

But others are not.  The Queen Of The World likes her Netflix and Amazon Fire TV, and we have a new TV that will give her that.  What's the risk?  I guess I need to figure that out.  What I'm thinking is to block outbound traffic at the Internet router.  Probably to do this I will need to build a box to put in front of that, with appropriate tools and logging.

That takes a pretty high skill set, and a lot of time.  That's not something that, say, Mom could do.  I'm thinking more and more that I should have gone to Law school.  This might make a good class action suit.

Sunday, January 24, 2016

What's all this cold white stuff, Boss?

I guess we're not in Georgia anymore, Wolfgang ...

Saturday, January 23, 2016

Snowmageddon, explained

I guess I need to point out that Maryland is south of the Mason-Dixon line.  And while that doesn't make it part of the South, it does make everyone here officially a Snow Weenie™.  I mean, you don't see that in Pennsylvania, and that's only a half hour motorcycle ride* from here.

* Well, when all this Global Warming melts ....

Merle Haggard - If We Make It Through December

We've had near 20 inches of snow here at Castle Borepatch - it's hard to tell exactly how much because the wind is gusting and the drifts are filling in the moat.  I'd worry about being able to lower the draw bridge but the plow is nowhere to be seen (and likely won't be for some time).

But Country music has some great songs about winter, like this one which went to #1 on Billboard.

If We Make It Through December (Songwriter: Merle Haggard):
If we make it through December
Every thing's gonna be all right, I know
It's the coldest time of winter
And I shiver when I see the falling snow 
If we make it through December
Got plans to be in a warmer town, come summer time
Maybe even California
If we make it through December, we'll be fine 
Got laid off down at the factory
And their timing's not the greatest in the world
Heaven knows I've been working hard
Wanted Christmas to be right for my sweet girl 
I don't mean to hate December
It's meant to be the happy time of year
And my little girl won't understand
Why momma can't afford no Christmas here

So if we make it through December
Every thing's gonna be all right, I know
It's the coldest time of winter
And I shiver when I see the falling snow 
I don't mean to hate December
It's meant to be a happy time of year
and my little girl won't understand
Why momma can't afford no Christmas cheer.
If we make it through December.

Friday, January 22, 2016

I seem to be the Typhoid Mary of snow

Three weeks after I moved from Yankeeland to Atlanta, it snowed.  I've been in Castle Borepatch for three weeks and a day and it's snowmageddon.

I am now accepting offers from communities that never want snowfall.  For the right price, I will promise never to move to your fair locale.  I will also take offers from communities that want huge amounts of snow - for the right price, I'll move there.

Who knows, maybe I can get offers from both.  Winning!

Why we can't have nice things on the Internet, redux

The Silicon Graybeard brings an epic rant.  You really need to RTWT, but this gives you the flavor:
A running joke in the electronics hardware business is that software is going to cause the end of the world.  The way the software business is run is so fundamentally different from the way that hardware works that most of us are perpetually astounded.  Can you imagine buying a car where many features just don't work right, and the companies have you return to the dealer to install new hardware?  I suspect that would raise a pretty loud howl from their owners.  How is that different from a software patch to fix something that doesn't work properly?
Yup.  Another old saying is that if you screw with it long enough hardware eventually breaks; if you screw with software long enough it eventually works.  Kind of.  Sometimes.

That's why I won't ever have a self driving car.  I'll never be convinced they've screwed with it enough to make it work.

Thursday, January 21, 2016

Attacks via Internet Dating sites

I can't really say I'm surprised at this:
At least five dating websites may be involved in an attack scenario that is spreading a worm to site visitors, infecting their home router and adding it to a botnet.
The worm is a variant of TheMoon, which was first discovered in February 2014, and works by taking advantage of weaknesses in the HNAP (Home Network Administration Protocol) protocol.
Attackers are using one-night stand dating sites to spread the worm. On each malicious website, the infection occurs via a two-step phase launched via a malicious iframe embedded on the page.
The iframe works by making different URL calls to see if the router runs the HNAP protocol and if it uses the and for router management and as gateway IPs.
It then calls home, informing its creators of its findings. Here is where the second attack stage happens, and where a second URL is loaded in the iframe, which delivers the actual worm, a Linux ELF binary.
What's interesting here is that the target isn't the computer, it's the home router.  Needless to say, it's a Bad Day when someone owns your home router.

It seems that the web sites were stood up using a stolen identity, so there are multiple layers of security fail involved.  If Online Dating is your bag, Baby, it's probably best to stick to a name brand site.  Err, not Ashley Madison, though.
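The attack quoted above only works if the router answers HNAP requests from the LAN side, which is exactly what a page loaded in your browser can reach. Here is a quick self-check, as an added example (not code from the original post or from the article it quotes): fetch /HNAP1/ from your gateway and see whether it describes itself. HNAP is a SOAP-over-HTTP management interface; the namespace, the element names, and the action names in the constructed sample response below are assumptions made for the purpose of the parser, not captured from a real device.

```python
"""Self-check: does my router answer HNAP from the LAN side?

Added example; not code from the original post or the article it quotes.
Assumptions: HNAP devices answer a plain GET of /HNAP1/ with an XML
GetDeviceSettings response naming model, firmware and the SOAP actions
they accept.  The namespace and element names are assumed; SAMPLE_RESPONSE
is constructed, not captured from a real router.
"""
import urllib.request
import urllib.error
import xml.etree.ElementTree as ET

HNAP_NS = "http://purenetworks.com/HNAP1/"   # assumed HNAP namespace


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_hnap_info(body):
    """Return {'model', 'firmware', 'actions'} for an HNAP GetDeviceSettings
    response, or None when the body is not HNAP at all (a normal login page,
    a 404 body, or something that is not XML)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    resp = next((e for e in root.iter()
                 if _local(e.tag) == "GetDeviceSettingsResponse"), None)
    if resp is None:
        return None
    info = {"model": "", "firmware": "", "actions": []}
    for child in resp:
        name = _local(child.tag)
        if name == "ModelName":
            info["model"] = (child.text or "").strip()
        elif name == "FirmwareVersion":
            info["firmware"] = (child.text or "").strip()
        elif name == "SOAPActions":
            info["actions"] = [(s.text or "").strip().replace(HNAP_NS, "")
                               for s in child]
    return info


def writable_actions(info):
    """Actions whose names suggest they change state (Set*/Reboot*).  If the
    router advertises these to an unauthenticated GET, a page in your browser
    can try them too, which is what the iframe in the article is doing."""
    return [a for a in info["actions"]
            if a.startswith("Set") or a.startswith("Reboot")]


def check_router(base_url, timeout=3):
    """GET <base_url>/HNAP1/ and parse it.  None if the router does not
    answer HNAP (connection refused, timeout, 404, HTML login page ...)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/HNAP1/",
                                 headers={"User-Agent": "hnap-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return parse_hnap_info(r.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None


# Constructed sample of an HNAP-speaking router's answer; action names are
# illustrative placeholders.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
   <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
   <ModelName>EXAMPLE-ROUTER</ModelName>
   <FirmwareVersion>1.0.00</FirmwareVersion>
   <SOAPActions>
    <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
    <string>http://purenetworks.com/HNAP1/SetRouterSettings</string>
   </SOAPActions>
  </GetDeviceSettingsResponse>
 </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    # Live check against your own gateway: info = check_router("http://192.168.1.1")
    info = parse_hnap_info(SAMPLE_RESPONSE)
    print(info["model"], info["firmware"], "writable:", writable_actions(info))
```

If `check_router` against your gateway address comes back with anything other than None, the router is reachable by exactly the mechanism the article describes; the action list tells you how much a malicious page could do without a password. The usual fixes are a firmware update from the vendor or, failing that, a router that does not speak HNAP.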

Beware Linkedin invitations

It seems that there's a big spike in fake profiles on Linkedin.  These profiles are used by scammers to get information out of you that they then exploit for financial gain.  This technique has been called "Social Engineering" for a long time; the fact that it's been around for a long time tells you all you need to know about its effectiveness.

Linkedin has a good (despite being rather old) blog post about how to spot a fake profile.

My attitude has always been to ignore requests from Linkedin users who I don't recognize, and who don't craft a personalized invitation pointing out how I've worked with them (or someone I know) in the past.  "I'd like to add you to my professional network" messages from folks I don't recognize go straight to the bit bucket.

Wednesday, January 20, 2016

Fascist government goon says "What?"

Actually, he said that anonymity of the Internet should be against the law:
A senior Homeland Security official recently argued that Internet anonymity should be outlawed in the same way that driving a car without a license plate is against the law. 
Erik Barnett, an assistant deputy director at U.S. Immigration and Customs Enforcement and attache to the European Union at the Department of Homeland Security, outlined his argument in an article titled “Whose Privacy Are We Protecting? Balancing Rights to Anonymity with Rights to Public Safety,” published in FIC Observatory, a French publication dedicated to debates about cybersecurity.
Because speech needs a license, just like your car does.  Or something.  And of course he rolls out the do-it-for-teh-childrenz excuse as justification.  Odd that he doesn't spend much time discussing government suppression of free speech, like the IRS audits of the Administration's political enemies.

Actually, he doesn't spend any time discussing that.  Must not be a problem*, or something.

* To him.

Tuesday, January 19, 2016

Entitled Internet reviewer is entitled

I thought I was going to High Tea but found myself at a biker bar ...

Monday, January 18, 2016

This is why we can't have nice things

Smartphone photo of lock keyways enough to produce ready-to-print CAD drawings for key:
Hackers have been gifted with an online web service that can produce blueprints for 3D printed keys from nothing more than a photograph of a lock.
The KeysForge application developed by an academic trio drastically simplifies the complexities in developing keys, allowing amateurs to snap a photo of a lock and have the respective key 3D printed. 
University of Colorado infosec assistant professor Eric Wustrow and two colleagues revealed the work at the Chaos Communications Congress in Hamburg last month. 
"We made an automatically generating 3D model program [which] takes a single picture of the keyway (lock) and produces a model in CAD (computer-aided design)," Wustrow says, adding that a smartphone photo will suffice. 
"You can then take that model and print it on a 3D printer or ship it off to Shapeways or whatever.
Double gah.  It will cost you eight cents to print the key.

Happy Monday, everyone!

Friday, January 15, 2016

With the "Internet Of Things" you got no stinkin' security

The "Internet Of Things" is where companies stuff tiny computers with wifi into basically all consumer products - refrigerators, light bulbs, toys.  This allows them to add "value add" services, like, err, well I really can't think of much.

Maybe it would let you remotely turn off your refrigerator if you had left it on, or something.

The punch line, of course, is that companies collect all sorts of data on you using these.  I've posted about this before:

Your "Smart" TV spies on you

But wait, there's more!  Et tu, Barbie?  Et tu?
Earlier this year Mattel unveiled "Hello Barbie," a $74.99 wi-fi equipped interactive doll. Users press a button on Barbie's belt to start a conversation and the recorded audio is processed over the internet so that the doll can respond appropriately. The doll also remembers the user's likes and dislikes.

Now Security Researcher Matt Jakubowski claims that he has managed to hack the Hello Barbie system to extract wi-fi network names, account IDs and MP3 files, which could be used to track down someone's home. "You can take that information and find out a person's house or business. It's just a matter of time until we are able to replace their servers with ours and have her say anything we want," Jakubowski warned.
Fortunately, the Black Hat hackers have a demonstrated track record of being respectful to those they hack.  Wh00t!

And it must be said: who ever would have seen this coming?

But wait - there's more!  Internet ads listen to you:
SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch.

Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer.

Your computerized things are talking about you behind your back, and for the most part you can't stop them­ -- or even learn what they're saying.
Actually, you probably can stop this, but you'd have to use a desktop computer, unplug the built-in speaker, and make sure you haven't got a microphone plugged into the mic jack.  In other words, use 1990s technology.
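Short of going back to 1990s hardware, you can at least find out whether anything in the room is whispering. Here is an added example, not code from the original post, from Schneier's piece, or from SilverPush: a small detector that looks for a narrow tone in the near-ultrasonic band riding on top of ordinary audio. The assumption is that these beacons live around 18-20 kHz, above what most adults hear but comfortably inside what a phone microphone or a 44.1 kHz sound card captures. Input is a list of PCM samples as floats; the two signals at the bottom are constructed, and the band edges and threshold are assumptions you would tune against a real capture.

```python
"""A near-ultrasonic beacon check over raw audio samples.

Added example; not code from the original post, Schneier's article, or
SilverPush.  Assumption: cross-device audio beacons sit in the 18-20 kHz
band.  Input is PCM as floats in -1..1 (e.g. a short arecord/sox capture,
decoded); CLEAN and TAGGED below are constructed signals.
"""
import math

SAMPLE_RATE = 44100
BEACON_BAND = (18000, 20000)   # assumed beacon band, Hz
VOICE_BAND = (300, 4000)       # reference band: where speech and music live
STEP_HZ = 100                  # bin spacing when sweeping a band
THRESHOLD = 0.01               # beacon-peak / voice-band power ratio we flag


def goertzel_power(samples, fs, freq):
    """Power of the single DFT bin nearest `freq` (Goertzel: one bin, no FFT,
    no numpy needed)."""
    n = len(samples)
    k = int(0.5 + n * freq / fs)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def band_profile(samples, fs, band, step=STEP_HZ):
    """{freq_hz: power} sampled every `step` Hz across `band` (inclusive)."""
    lo, hi = band
    return {f: goertzel_power(samples, fs, f) for f in range(lo, hi + 1, step)}


def detect_beacon(samples, fs=SAMPLE_RATE):
    """Return (suspicious, peak_hz, ratio).

    The loudest bin in the beacon band is compared with the total energy in
    the voice band, so a loud room by itself does not trigger, while a
    narrow high-frequency tone on top of the programme (or in silence) does."""
    beacon = band_profile(samples, fs, BEACON_BAND)
    voice = sum(band_profile(samples, fs, VOICE_BAND).values())
    peak_hz = max(beacon, key=beacon.get)
    ratio = beacon[peak_hz] / (voice + 1e-12)
    return ratio > THRESHOLD, peak_hz, ratio


# --- constructed test signals (0.1 s each) --------------------------------
def tone(freq, amp, n=4410, fs=SAMPLE_RATE):
    return [amp * math.sin(2.0 * math.pi * freq * i / fs) for i in range(n)]


def mix(*signals):
    return [sum(v) for v in zip(*signals)]


CLEAN = tone(1000, 1.0)                            # plain audible content
TAGGED = mix(tone(1000, 1.0), tone(19000, 0.3))    # same, with a "beacon" on top

if __name__ == "__main__":
    for name, sig in (("clean", CLEAN), ("tagged", TAGGED)):
        flag, peak, ratio = detect_beacon(sig)
        print(f"{name}: suspicious={flag} peak={peak} Hz ratio={ratio:.3g}")
```

Run it over a capture from the room while a commercial break plays and you will either see nothing above the noise floor or a sharp peak at one frequency that has no business being in a TV ad. It does not tell you which app on which device is listening for that tone, but it does tell you whether the tone is there at all.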

Remember, if you're not paying for it, you're the product.

So what do you do?  Your mileage may vary, but I personally will never enable "smart" functions on things like TVs.  I won't use "smart" light bulbs.

But now for full disclosure: The Queen Of The World looks like she might like her some Netflix from the TV, which means that it's on the 'net.  Bah.

Short of blocking outbound Internet traffic from the TV to all but known locations, I'm not sure.  That wouldn't be simple.  That is a post for another day.
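Since the same idea comes up in the "Nannycam" post above (block the TV's outbound traffic at the router and log what it tries), here is what that looks like in practice, as an added example that is not code from the original posts. Every name in it is an assumption: the TV sits at a fixed LAN address of 192.168.1.50, the router runs nftables with br0 on the LAN side and eth0 on the WAN side, and the destinations the TV is permitted to reach are known ahead of time as CIDR blocks (an RFC 5737 documentation prefix stands in for a streaming service's real ranges, which you would collect by watching the TV's DNS lookups first). The log lines at the bottom are constructed.

```python
"""Egress allow-listing for a 'smart' TV at the home router, plus a reader
for what the router logged.

Added example, not code from the original posts.  Assumptions, all
hypothetical: TV at 192.168.1.50, LAN interface br0, WAN interface eth0,
nftables on the router, allowed destinations known as CIDR blocks.
SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import Counter

TV_IP = "192.168.1.50"
LAN_IF, WAN_IF = "br0", "eth0"
ALLOWED_PREFIXES = ["198.51.100.0/24"]   # placeholder, not a real service range
ALLOWED_PORTS = [443]
LOG_PREFIX = "TV-EGRESS-DROP "


def nft_ruleset(tv_ip=TV_IP, prefixes=ALLOWED_PREFIXES, ports=ALLOWED_PORTS,
                lan_if=LAN_IF, wan_if=WAN_IF):
    """Render an nftables table: forwarded traffic from the TV to the WAN is
    accepted only to the listed prefixes and TCP ports; everything else the
    TV originates is counted, logged with LOG_PREFIX and dropped.  The chain
    policy stays 'accept', so the rest of the LAN is untouched."""
    nets = ", ".join(str(ipaddress.ip_network(p)) for p in prefixes)
    prts = ", ".join(str(int(p)) for p in ports)
    match = f"iifname {lan_if} oifname {wan_if} ip saddr {tv_ip}"
    return "\n".join([
        "table inet tv_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f"    {match} ip daddr {{ {nets} }} tcp dport {{ {prts} }} accept",
        f'    {match} counter log prefix "{LOG_PREFIX}" drop',
        "  }",
        "}",
    ])


_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_drop_line(line):
    """Pick src/dst/proto/dport out of a kernel log line carrying our prefix;
    None for any other line (other prefixes, sshd chatter, ...)."""
    if LOG_PREFIX.strip() not in line:
        return None
    f = dict(_FIELD.findall(line))
    if "SRC" not in f or "DST" not in f:
        return None
    return {"src": f["SRC"], "dst": f["DST"], "proto": f.get("PROTO", "?"),
            "dpt": int(f["DPT"]) if "DPT" in f else None}


def unknown_destinations(lines, tv_ip=TV_IP):
    """[((dst, proto, dport), hits), ...] for what the TV tried and was refused,
    busiest first.  Work down this list deciding what to add to the allow
    list; a UDP/53 entry means the TV is going around your own resolver."""
    counts = Counter()
    for line in lines:
        rec = parse_drop_line(line)
        if rec and rec["src"] == tv_ip:      # ignore other hosts sharing the prefix
            counts[(rec["dst"], rec["proto"], rec["dpt"])] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample of what `journalctl -k` / dmesg shows once the ruleset
# above is loaded (203.0.113.0/24 is documentation space as well).
SAMPLE_LOG = [
    "Jan 25 21:03:11 router kernel: TV-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN",
    "Jan 25 21:03:12 router kernel: TV-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN",
    "Jan 25 21:03:20 router kernel: TV-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=52 PROTO=UDP SPT=40001 DPT=53",
    "Jan 25 21:04:01 router kernel: TV-EGRESS-DROP IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=33000 DPT=443 SYN",
    "Jan 25 21:04:05 router sshd[1234]: Accepted publickey for admin from 192.168.1.10",
]

if __name__ == "__main__":
    print(nft_ruleset())   # save as tv_egress.nft and load with: nft -f tv_egress.nft
    for (dst, proto, dpt), hits in unknown_destinations(SAMPLE_LOG):
        print(f"{hits:4d}  {dst}:{dpt} {proto}")
```

Two caveats a practitioner would want. First, the TV needs DNS; if it uses the router's resolver that traffic never crosses the forward chain, but if it insists on an outside resolver you will see it in the drop list and have to decide whether to allow it or redirect it. Second, this only covers IPv4; if your ISP hands out IPv6 the TV has a second way out and the `ip6` equivalents of these rules are needed too.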

Thursday, January 14, 2016

Homeland Security: Gee, it's awful that all these power plants can get hacked

Filed under "we're only surprised that you're willing to say this in public":
Utilities opening their infrastructure to the internet are creating an irresistible honeypot for criminals, says the US government's Industrial Control Systems Cyber Emergency Response Team.
In spite of often being billion-dollar operations with long-standing experience in their industrial control networks, critical infrastructure owners seem to think they can take advantage of the public 'net for connectivity without a care for security. 
While ICS-CERT's Marty Edwards, speaking to the S4 conference in Miami this week, didn't call such operators idiots, he may as well have done. According to Reuters, he came close, saying: “I am very dismayed at the accessibility of some of these networks … they are just hanging right off the tubes.”
That's OK - nobody would ever try to take down a power plant.  Oh, wait ...

R.I.P. Alan Rickman

Well, damn.

He was one of my favorite actors for years.  Truly, Madly, Deeply is a great performance of his from back in the Die Hard/Robin Hood days, but one that shows a depth that he carried with him throughout his career.  If you haven't seen that film, you're in for a treat.

Oh, yeah - I loved him in Galaxy Quest, too.

Thanks for the great performances, Alan - including this one which I've posted several times before but which assumes a particular poignance today.

Tuesday, January 12, 2016

Hillary Clinton: dead candidate walking

The news over the weekend was about how the FBI is expanding their investigation of Hillary's email server from mishandling of classified information to include investigation of corruption involving the Clinton Foundation.  Apparently there are dozens (maybe as many as a hundred and fifty) FBI Agents assigned to the case.  It seems that this will blow up during the height of the Presidential campaign this year.

This makes me go "Hmmmmm".

Consider: there are multiple leaks from inside the FBI.  But this administration has been harsher in cracking down on leaks than any in history.  They even investigated a journalist (James Rosen) who published a leak.  And yet there are multiple leakers.  Hmmmmm.

Consider: the Justice Department has been heavily politicized by this administration.  Maybe the FBI is motivated by a simple desire to see justice done and the laws enforced against all violators, however large or small.  Hmmmmm.

I don't buy it.  I think that Obama is behind this.  So what's the motivation?

I don't think it's because the Obama team and the Clinton team despise each other.  They do, but that doesn't seem to rise to the level of this sort of political risk.  After all, Obama is focused on his legacy and on what he'll do for the next 30 years after leaving office.  If the Democratic party thought that he threw Hillary under the bus for petty reasons, that would be a huge loss of status for him.

I think it's because they don't think that she can win.

But the primary is locked up for her.  The fix is in - sure, crazy old Bernie is gaining in Iowa and New Hampshire.  The Clintons raised a Billion dollars in the Clinton Foundation.  That won't sit in the bank.  Favors will be called in.  The nomination is a lock.

As is her defeat in the General Election.  I think that Trump put the nail in that coffin with his comments about Bill.  Turn out the lights, the party's over.

So what is Obama to do?  Indict Hillary, forcing her to step down, and stand up Vice President slow Joe Biden.  And rely on the Mainstream Media and the corrupt GOP establishment to squeeze Trump out so Joe runs against a typical sad sack.

I expect an announcement from her by March that she's stepping down due to "health reasons",  and Joe to enter a brokered convention.

Will any of this matter?  Only if Trump drops out, too.  A lot of people have considered him as a stalking horse for the Democratic Party.  I'm pretty skeptical - even if he threw his hat into the ring on a lark, it's pretty hard to see a guy like him walk away from a big lead.

And I suspect that his lead is bigger than anyone will admit - he polls well among Democrats and hispanics (!), so the polls represent a floor for his support.  The ceiling?  We'll have to see.  I expect it's in potential landslide territory.

Will he make a good President?  Beats me.  Will he cause the collapse of the Republican Party?  Beats me.

Will he get Obama to force Hillary from the race?  Hmmmm.

Monday, January 11, 2016

R00t, r00t, r00t for the home team

Filed under "not using your Powers for good":
The former scouting director of the St Louis Cardinals baseball club has admitted he illegally poked around in the player database of a Major League Baseball rival 
Chris Correa pleaded guilty on Friday at a Houston federal court to five counts of unauthorized access to a computer stemming from a 2013 infiltration of the email accounts and scouting database of the Houston Astros. 
Each of the counts carries a maximum penalty of five years in prison and $250,000 fine.
It seems that one of his scouts left St. Louis and went to the Astros.  Once there, the scout used the same password he had used at St. Louis.  Our Hero guessed that password, starting his date with Club Fed.

It's idiots, all the way down.

Thursday, January 7, 2016

The difference between Rangers and Special Forces

Sent to me by someone who was formerly in Special Forces:
Rangers vs Special Forces

The Chief of Staff of the Army asked his Sergeant Major, who was both Ranger and Special Forces qualified, which organization he would recommend to form a new anti-terrorist unit. The Sergeant Major responded to the General's question with this parable: If there were a hijacked Boeing 747 being held by terrorists along with its passengers and crew and an anti-terrorist unit formed either by the Rangers or the Special Forces was given a Rescue/Recovery Mission; what would you expect to happen?

Ranger Option
Forces/Equipment Committed: If the Rangers went in, they would send a Ranger company of 120 men with standard army issue equipment.

Mission Preparation: The Ranger Company First Sergeant would conduct a Hair Cut and Boots Inspection.

Infiltration Technique: They would insist on double timing, in company formation, wearing their combat equipment, and singing Jody cadence all the way to the site of the hijacked aircraft.

Actions in the Objective Area: Once they arrived, the Ranger company would establish their ORP, put out security elements, conduct a leaders recon, reapply their face cammo, and conduct final preparations for Actions on the OBJ.

Results of Operation: The Rescue/Recovery Operation would be completed within one hour; all of the terrorists and most of the passengers would have been killed, the Rangers would have sustained light casualties and the 747 would be worthless to anyone except a scrap dealer.

Special Forces Option
Forces/Equipment Committed: If Special Forces went in, they would send only a 12 man team (all SF units are divisible by 12 for some arcane historical reason); however, due to the exotic nature of their equipment the SF Team would cost the same amount to deploy as the Ranger Company.

Mission Preparation: The SF Team Sergeant would request relaxed grooming standards for the team.

Infiltration Technique: The team would insist on separate travel orders with Max Per Diem, and each would get to the site of the hijacking by his own means. At least one third of the team would insist on jumping in.

Actions in the Objective Area: Once they arrived, the SF Team would cache their military uniforms, establish a Team Room, use their illegal Team Fund to stock the unauthorized Team Room Bar, check out the situation by talking to the locals, and have a Team Meeting to discuss the merits of the terrorists' cause.

Results of Operation: The Rescue/Recovery Operation would take two weeks to complete and by that time all of the terrorists would have been killed, (and would have left signed confessions); the passengers would be ruined psychologically for the remainder of their lives; and all of the women passengers would be pregnant. The 747 would be essentially unharmed, the team would have taken no casualties but would have used up, lost, or stolen all the "high speed" equipment issued to them.
I can neither confirm nor deny any of this ...

Tuesday, January 5, 2016

Another musters out

One of the last original members of Merrill's Marauders has passed:
MSG Melillo served his country for over 20 years and served in both WWII and Korea. MSG Melillo was an original member of "Merrill's Marauders". Merrill's Marauders was originally named the 5307th Composite Unit and was created to conduct long range, deep penetration missions behind enemy lines and specialized in jungle warfare. The unit carried the name of their brilliant commander, BG Frank Merrill. The Marauders became famous for operating for extended periods of time behind the Japanese lines and during operations in Burma walked hundreds of miles.

Retired MSGT Vincent Melillo, 97, was the last ORIGINAL Merrill's Marauder in Georgia out of around 40 who are still living. 

MSG Melillo was a member of the Ranger Hall of Fame as well as the Georgia Military Hall of Fame and was much beloved by the Ranger and Special Forces communities. Among his many awards and decorations were the Bronze Star Medal, The Purple Heart, WWII Victory Medal and Korean Defense Medal.
The Marauders were tough:
A week after Myitkyina fell, on 10 August 1944, the 5307th was disbanded with a final total of 130 combat-effective officers and men (out of the original 2,997). Of the 2,750 to enter Burma, only two were left alive who had never been hospitalized with wounds or major illness.
Every man in the unit was awarded the Bronze Star.

Monday, January 4, 2016

"Skin grows back. Varnish doesn't."

Watching the movers unload the van at Castle Borepatch, I hear Dad's voice whisper in the back of my head.

It will be nice to have something to sit on (other than the floor).

Friday, January 1, 2016

New Year's thoughts

Every new beginning comes from the end of some beginning. - Seneca

There is so much to say, but Seneca nailed it. This last year (or two) has been an exercise in pruning for me. Now we see new growth. Seneca would have nodded knowingly.

May this new year be as good to you and yours as it looks like it will be for the Queen Of The World and me.