Tuesday, January 31, 2017

Some people just want to watch the world burn

Yay, Virginia

Driving slow in the left lane to be punished with $250 fine:
The bill, set for approval in Virginia’s House of Delegates after it advanced Monday to a final vote, would make a violation a $250 fine.
“Simply put, a penalty behind it that shows that we understand the seriousness of this problem and that we’re going to be serious about actually enforcing it,” said Del. Israel O’Quinn, a Republican who represents Washington County.
O’Quinn said Monday the change would address “a particularly pervasive and ever-growing problem” of cars going “grossly under the speed limit in the left lane.” He hoped the new penalty could encourage more drivers to move over and cut down on road rage from drivers who come up behind slowpokes.
Now if we can get Maryland ...

Monday, January 30, 2017

Gee, Brain - what are we going to do tonight?*

*Reference here for the two of you who hadn't heard it before.

Trump's Stimulus plan

It seems that it's getting some cautious support (if that's the word) from libertarian quarters:
Before this list was released, the Antiplanner was far from thrilled with what little we know of Trump’s infrastructure plan, which calls for giving tax credits to private investors who spend money on infrastructure. When compared with the Democrats’ plan, however, it has some solid virtues:
  1. While the Democrats take a top-down approach dictating where the money will go, Trump leaves the setting of priorities to state and local governments;
  2. Where the Democrats would commit the federal government to spend an arbitrary amount of money whether it needs to be spent or not, Trump lets state & local governments decide how much to spend and how they will pay for it;
  3. Where Democrats would add $1 trillion to the deficit, Trump relies on a tax credit program that will cost the feds no more than $167 billion per trillion in spending (less, obviously, if less than $1 trillion is spent);
  4. Where a lot of the Democrats money would go down a rat hole, at least some of federal tax credits that Trump’s plan would issue will be offset by the reduced use of tax-free municipal bonds and taxes paid by companies and workers earning the money.
There's quite a lot of Compare And Contrast at the link, if you're interested.

Saturday, January 28, 2017

Is he talking about himself?

Rosanne Cash - Silver Wings

When Rosanne Cash was 18, her dad gave her a list of 100 "essential" country songs.  A list like that from someone like Johnny Cash has some weight, and in 2009 she released "The List" with 12 of the songs.  She lined up some big names to record with her - Rufus Wainwright sang with her on this version of Merle Haggard's classic.  Wainwright is a pretty interesting character, but not what anyone would describe as "country".  Despite this, the song is classic country.

Silver Wings (Songwriter: Merle Haggard)
Silver wings shining in the sunlight
Roaring engines headed somewhere in flight
They're taking you away, leaving me lonely
Silver wings slowly fading out of sight 
Don't leave me I cry
Don't take that airplane ride
But I you did not lock me out of your mind
But left me standing here behind 
Silver wings shining in the sunlight
Roaring engines headed somewhere in flight
They're taking you away, leaving me lonely
Silver wings slowly fading out of sight 
Silver wings shining in the sunlight
Roaring engines headed somewhere in flight
They're taking you away, leaving me lonely
Silver wings slowly fading out of sight

FedEx driver becomes new super hero

Saves America flags from being burned by punks:
IOWA CITY, Iowa — Two people have been arrested after a FexEx delivery man intervened a protest flag burning in Iowa City on Thursday, Jan. 26.
Around noon, a small number of people gathered at a rally in front of the pedestrian mall to protest the Dakota Access Pipeline, and a variety of other issues, reports KCRG. As they were burning an American flag, bystanders caught video of a FedEx employee jumping in and grabbing the flags, putting out the flames with a fire extinguisher.
[Pauses to let the cheers die down]

People are already celebrating the mythic aspects:

Friday, January 27, 2017

I laugh at your so-called "anti-virus"

It's funny because it's true.

Quote of the Day: You May Be A Democrat If ... edition

Lots of them listed, but this is QOTD:
You may be a Democrat if you believe that cops are mostly corrupt and violent and racist, but you also believe that they're the only people who should be allowed to have guns.

Wednesday, January 25, 2017

RIP, Mary Tyler Moore

I watched - and enjoyed - a lot of her shows, back in the day.

Encryption backdoors are still a bad idea

It was a bad idea under the Obama administration, and it's still a bad idea:
US President Donald Trump's pick for his Attorney General and head of the FBI will have security specialists nervous, since both believe breaking encryption is a good idea. 
Senator Jefferson Beauregard "Jeff" Sessions III (R‑AL) is Trump's pick for the top legal job in the US. In congressional testimony, he outed himself as a committed backdoor man when it comes to encryption. In the written testimony [PDF] to Senator Patrick Leahy, (D‑VT) he laid out his position. 
"Encryption serves many valuable and important purposes," Sessions wrote. "It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national security and criminal investigations." 
That's going to be bad news for people who favor strong encryption. The finest minds in cryptography have repeatedly pointed out the impossibility of building a backdoor for law enforcement into secure encryption, since there's no way to stop others from finding and exploiting the Feds-only access.
The Federales have been pushing for crypto backdoors since the early 1990s (remember the Clipper chip?) and it has always floundered on the rock of "there's no way to keep the bad guys from learning the backdoor".

The choice for the Fed.Gov is this:  live with crypto that they can't (easily) break, or destroy encryption (and the Internet economy that depends on it).

I know that they want a backdoor that only they know about.  I want a unicorn that farts 93 octane into my gas tank.  And remember: they would ask us in the security community to trust them after the Snowden revelations showing how we can't trust them.

Tuesday, January 24, 2017

Another passes

Another World War II veteran joins the final muster:
During World War II, Lt. Col Masters flew 28 B-17 bombing missions and 25 fighter scout missions, in which he flew a P-51 fighter plane to scout targets for bombers. He flew for the 551st Squadron of the 8th Army Air Corps and the 385th Bomb Group. He reached the rank of lieutenant colonel and was awarded numerous medals for his service in the war which include the Distinguished Flying Cross, Silver Star, and the French Legion of Honor medal. 

After the war, he returned to his native California and entered medical school at Stanford University. Dr. Masters moved to Athens in the early 1970’s and helped form the women’s clinic at UGA. He retired from UGA in the mid 1990’s and then continued to work part time for the nest 10 years for the Clark County Health Department.
That's quite a man.  Rest in peace.

Monday, January 23, 2017

Day out

I went to Antietam National Battlefield yesterday.  It was America's single bloodiest day, and a lot of that was here.

There's quite a nice (but small) museum, and the battlefield is small enough to walk.  I hadn't realized just how close it is to the Potomac river and Harper's Ferry.  This is definitely worth a detour if you're in the Washington D.C. area.

Sunday, January 22, 2017

OK, now that's just funny

I guess that's what they call a "Rebel Alliance" ...

John Philip Sousa - Presidential Polonaise

Chester Arthur didn't much care for "Hail To The Chief" and so asked Sousa to write a replacement.  This is what he came up with in 1886 - it is said that it was intentionally upbeat to keep people moving in the White House reception line.

But Hail To The Chief was traditional - dating to the 1820s in its use for the President - and so Sousa's replacement was soon gone.

Friday, January 20, 2017

Ray Charles - America The Beautiful

The Mormon Tabernacle Choir sang this today, but nobody does it like Ray did.

"Biker for Trump" attacked by rioter

Stay classy, Progressives.

Remember how people were talking about "violent Trump supporters" and how everyone who supported him was part of that?  Well, you made the rules, jerks.

Souvenirs, marked down

Drastically marked down.

Thursday, January 19, 2017

Quote Of The Day: Class Warfare edition

The Archdruid is simply on fire lately.  Today he gives a Field Guide to Trump opponents:
As Donald Trump becomes the forty-fifth president of the United States and begins to push the agenda that got him into the White House, it may be useful to have a convenient way to sort through the mix of signals and noise from the opposition. When you hear people raising reasoned objections to Trump’s policies and appointments, odds are that you’re listening to the sort of thoughtful dissent that’s essential to any semblance of democracy, and it may be worth taking seriously. When you hear people criticizing Trump and his appointees for doing the same thing his rivals would have done, or his predecessors did, odds are that you’re getting the normal hypocrisy of partisan politics, and you can roll your eyes and stroll on. 

But when you hear people shrieking that Donald Trump is the illegitimate result of a one-night stand between Ming the Merciless and Cruella de Vil, that he cackles in Russian while barbecuing babies on a bonfire, that everyone who voted for him must be a card-carrying Nazi who hates the human race, or whatever other bit of over-the-top hate speech happens to be fashionable among the chattering classes at the moment—why, then, dear reader, you’re hearing a phenomenon as omnipresent and unmentionable in today’s America as sex was in Victorian England. You’re hearing the voice of class bigotry: the hate that dare not speak its name.
This is a (typically) long and thoughtful exposition of class bigotry as currently practiced in the "classless" US of A.  Highly recommended.

Rule 2 violation

It applies to Light Sabers too.

Wednesday, January 18, 2017

The problems with Technocracy

Well, one of the problems:
For those who are unfamiliar with the term, technocracy is, in essence, rule by technical elites. For instance, your media would be run by trained, credentialed journalism experts. Politicians would be groomed and educated to be leaders from an early age. You could not, for instance, be President if you did not attend the proper schools, earn the proper certifications, and demonstrate a certain set of requirements, like IQ, or perhaps an impressive set of grades in your debating classes.
Climate scientists would run the departments dealing with weather and climate change. Rocket scientists would own NASA, and determine how it should be funded in consultation with the banking experts. The bankers, of course, would run the monetary system and determine appropriate levels of taxation and redistribution.
Naturally, none of these technical elites would need to consult with you and I on these matters. If you are not one of the elite, you would need to be quiet and accept the rulings of your superiors.
The flaws in technocracy are very obvious, to any who care to see them. First and foremost is the matter of trust. Even if we were to concede that the trained, technically-minded elites were better than the hoi polloi, how could one be assured that they were not pulling the wool over the people and taking advantage of them? After all, just because you’re intelligent doesn’t mean you’re honest.
Man, that's a simple way to put things.

Another critique, of course, is that technocrats are increasingly isolated from the negative consequences of their decisions.  Climate Scientists propose policies that impoverish Appalachia due to dodgy computer models and over-confident projections?  They don't lose their houses.  Politicians craft an "Affordable Care Act" that raises the cost of health insurance and the deductibles in the policies?  They don't feed their kids Ramen for dinner.

And so, our own eyes tell us that technically-minded elites are not better at governance than the hoi polloi.  Buckley's dictum that he would rather be governed by the first 2,000 people in the Cambridge telephone directory than by the faculty of Harvard shows us that these problems have been endemic.  The last election shows that the hoi polloi are waking up to this.

Tuesday, January 17, 2017

Infinite loop

n.  See "Loop, infinite"

MIT Wizz Kid: his "Smart" gun design is "relatively reliable"

Buried deep in a glowing review of MIT freshman Kai Kloepfer's "Smart gun" startup, the reporter unexpectedly stumbles onto why this has for decades been a technology in search of a buyer:
“Good intentions don’t necessarily make good inventions,” said Stephen Sanetti, president of the National Shooting Sports Foundation. They’re the main trade group for companies that make and sell guns.

Sanetti expressed concern about the reliability of any firearm that depends on battery power.

“The firearm has to work. And a firearm is not the same as a cell phone,” Sanetti said. “The consequences of a cell phone not working are inconvenience. The consequences of a firearm not working could be someone’s life.” 
Kloepfer said his gun is “relatively reliable.” 
“I know, like, when I’m using it, when I’m testing it, it functions almost every single time,” Kloepfer said.

But not every time, as we saw firsthand when Kloepfer’s prototype -- a modified Glock .22 – failed. 
Other than the minor detail of the gun not working, this solution is awesome.

The only thing new about this is that CBS News is reporting both sides of the debate.  But Mr. Kloepfer scored a sweet $50,000 to dust this idiocy off.

Monday, January 16, 2017

I hope that the Brady Campaign doesn't find out about this

They'll want background checks for sure.

Probably has the shoulder thing that goes up in there, too ...

(Seen on the Book of Faces by the Queen Of The World)

Don't want to get hacked?

Don't use "123456" as a password:
The security industry's ongoing efforts to educate users about strong passwords appears to be for naught, with a new study finding the most popular passwords last year were 123456 and 123456789. 
Keeper Security wonks perused breached data dumps for the most popular passwords when they made the despondent discovery. 
Some 1.7 million accounts used the password "123456", or 17 per cent of the 10 million hacked accounts the firm studied.
Dad used to say that the reason that history repeats itself is that nobody listens the first time.

You want a good password that's hard to crack and easy to remember?  Use a "passphrase" where you take the first letter of each word in an easy to remember sentence.  For example, if you take the first character of each word in "123456 is a lousy password and will get you PWNED!" you get a password of "1ialpawgyP!" which is pretty dang strong.  It's also pretty easy to remember.

Me, I haven't used a password in over 15 years.  Instead, I use this technique and I recommend it to anyone who thinks that "123456" is a bad password.

Sunday, January 15, 2017

John Bull - music for the Elizabethan Court

John Bull was an English musical genius, sometimes compared to Bach for his contrapuntal virtuosity.  While he never composed music for Good Queen Bess' coronation (crowned this day 457 years ago), he was one of the most famous musicians of his day and in fact Court Organist.  It seems that he was sent by the Queen on spying missions to the Continent.

He was also a lot of trouble.  He lost his job because he had a child out of wedlock and finally had to flee England, charged with adultery by no less than the Archbishop of Canterbury and pursued by King James' men.  He spent his final decade uncharacteristically quiet in Antwerp where he died in 1628.

Saturday, January 14, 2017

Old Dominion - Song for Another Time

Image via Rolling Stone
What is "real Country music"?  That's a question that is evergreen, and like sports rivalries will get the debate going hotter than a hoochie coochie.  Long time readers here will know that I tend to fall on the traditional to middle of the road side of things: Waylon, Travis Tritt, Today Keith.

But sometimes I wander into the brambles of the current over-produced Nashville pop.  A while back I posted a mashup of 5 top Country hits which showed that they're really the same song.  You can just see Pistolero rolling his eyes now.

But every now and then I run across one that I like.  I like this one a lot.  Old Dominion got their start writing songs for other artists (The Band Perry and Chris Young, for example).  They started touring with bigger names singing their songs.  When they were opening for Kenny Chesney, they had the idea for a breakup song where they lyrics told the story with a bunch of song titles.  The way they take these titles and knit the together to paint a picture is something that I think is very clever; add in a catchy upbeat rock tune and you have what really can only be described as the best of the modern Nashville.  It's just plain fun.

Even if it hit #1 on the Billboard Country chart.

And as a note to Pistolero - there's a Hank Sr and a Willie song in here, so shake not thy gory locks at me ...

Song For Another Time (Songwriters: Brad Tursi, Matt Jenkins, Matthew Ramsey, Trevor Rosen)
Right now we both know
We're Marina Del Ray
Planes gonna fly away
And you'll be on it
And by this time tomorrow
I'll be singing yesterday
The sunshine's gonna fade
And we can't stop it
So before we turn in
I can't make you love me
Let's be brown eyed girl sweet Caroline
Free fall small town Saturday night
Before you lose that loving feeling
Let's go dancing on the ceiling
Keep on living that teenage dream
Paradise city where the grass is green
Pretty soon I'll be so lonesome I could cry
But that's a song for another time
Just for one more day what do you say
Baby be my pretty woman
'Cause we know Sunday morning's coming down
Let's take a drive you and I down some old country road
Talk about growing old in one of those pink houses
Yeah we might be a candle in the wind
But let's pretend we're
Brown eyed girl sweet Caroline
Free fall small town Saturday night
Before you lose that loving feeling
Let's go dancing on the ceiling
Keep on living that teenage dream,
Paradise city where the grass is green
Pretty soon you will be always on my mind
But that's a song for another time
So before we're singing I will always love you
Let's sing
Brown eyed girl sweet Caroline
Free fall small town Saturday night
Before you lose that loving feeling
Let's go dancing on the ceiling
Keep on living that teenage dream,
Paradise city where the grass is green
Pretty soon I'll be so lonesome I could cry
But that's a song for another time
Yeah, that's a song for another time (brown eyed girl sweet Caroline)
Yeah, that's a song for another time (free fall small town Saturday night)
Yeah, that's a song for another time

Friday, January 13, 2017

Wednesday, January 11, 2017



Seen on Facebook by the Queen Of The World.

Beware of Amazon's Alexa

Alexa is a device that listens for voice commands and can tell you the weather, order you pizza, and other Jetsonsesque living in the future things.  But it looks like the system is either too perfect or not perfect enough:
Which is exactly what happened today during CW6 in the morning when Jim Patton and Lynda Martin were talking about a child who accidentally bought a dollhouse and four pounds of cookies 
“I love the little girl, saying ‘Alexa ordered me a dollhouse,’” said Patton. 
As soon as Patton said that, viewers all over San Diego started complaining their echo devices had tried to order doll houses.
I can see spammers using malware executing .WAV files to have Alexa order stuff.  If you want to take a walk on the bleeding edge of technology with Alexa, forewarned is forearmed.

Tuesday, January 10, 2017

Or read a book, for crying out loud

Remember that CEO who said he would pay all his employees $70,000 a year?

Remember how everyone said how awesome he was, paying people a "living wage"?  Well, you can drive nature out with a pitchfork but she always returns:
Back in April we told you about Dan Price, CEO of Gravity Payments, who said he would pay every single one of his employees $70,000 annually. 
Every single one, from the lowest skilled workers on up. 
Now, as expected, Price has fallen on hard times financially, even having to rent out his own home. 
Employees who work for Gravity are now leaving the company, “spurred in part by their view that it was unfair to double the pay of some new hires while the longest-serving staff members got small or no raises.”
In other news today, water is wet and it's dark at night.  Pictures at 11.

Monday, January 9, 2017

So, about that "the Russians hacked the emails" story

I went and read the government report so that you don't have to.  The report claims that the Russians hacked the DNC (the title of the report is "Russia-Hack-Report.pdf" so there's no question).

First, some computer security background from a very long and detailed analysis:
For Hillary we have a Hacker in custody who said he [hacked] it, where there is evidence he did it, where a law enforcement agency caught him in the act and where he was hauled in by the FBI. He said it was a trivial hack technique based on knowing personal details to make a custom dictionary (names, family and pet names, addresses, place of birth, etc.) then using it in a Dictionary Attack on some folks or in a “I forgot my password / Tell me your last name and DOB and I’ll send it to you.” spoof. There is also evidence (weak, but extant) that many TLAs (Three Letter Agencies) and other actors had hacked into her home brew server by other means.
Given what I’ve heard of the set-up, it would be a nearly open book to anyone with skilz. First off, it was built on PRISM infested equipment (so the NSA was in, and potentially the CIA), second, it was Microsoft, so if you didn’t patch daily, you were hacked with known zero-days, and if you DID patch daily, you were hacked by ‘non-fixable’ hacks. 
So at this point, we can largely dispose of Hillary’s Hack. It was an open book to all comers and at least one was Romanian (and sharing with friends) and not Russia.  However, I’d say it was almost certain that at some time a Russian intrusion happened. The name of the server was obvious. The location insecure. The operating system and protective layers a joke. Frankly, I’d expect them to be “in” the same day they first looked at it. Which means something like 8 years ago. So why didn’t things leak then?
Because the Russians Are Not Stupid. A fundamental of spycraft is you don’t expose sources and methods, you use them to collect intel for your use, not publication. I suspect they enjoyed a near real time email feed from the Secretary Of State for years, in silence. This argues for email dump to be someone other than them. My personal muse would be an NSA guy, aghast at what was in evidence. Like a Snowden, but not willing to give up the $1/4 Million salary… He (or she…) would have all the requisite skilz to pull it off and leave no finger prints, access to PRISM, and lots of neat toys to work with. Though more likely would be the underpaid I.T. guy Hillary had set it up who was making a backup one day and dropped a load… But I digress.
The bottom line on Hillary is we know she kept a full copy (found on Huma’s Laptop with the Wiener…) and that it was around until she had her lawyers erase it. We know it surfaced in full at the time the laptop went to the FBI, and in parts before that. We know at least one of her hackers was found (though he had likely not leaked it) and that he said he had a doomsday copy for safety. He wasn’t a very good hacker, so that shows lots of good ones walked right in and snagged copies. Assigning source of any Hillary leaks is going to be an exercise is “ME ME MEE!!! PICK MEEE!” with a dozen hands up in the room…
For the DNC:
We know Podesta fell for a phish. That, alone, is enough. Yet we also have evidence that the box wasn’t that well run and secured, and ample evidence that the privilege escalation path once in was easy. Privilege escalation is when you get in with weak powers, you find ways to raise your powers. Moving from “user” to “admin” to “root”.
How many others fell for a phish? How many other bugs, holes, unpatched zero-days? Was it PRISM? Were they on Microsoft? (Almost certainly…though I haven’t bothered to verify).
Once you are this far into the pants-down party, you know you will never know which of the hundreds of actors trying to get in, made it in. You may never even know how many made it.
So the starting point is that the systems were compromised, and almost certainly compromised by several different intruders, all of whom but one (Guccifer) remain unnamed in the unclassified report claiming that the Russians did it.  In other words, there is no uncertainty as to the compromise other than who did it, and enormous uncertainty as to that.

And so, on to the report.  It is a 27 page PDF, so it's actually a quick read.  It's quicker even than you might think based on its thickness when you consider that 18 pages are things like cover sheets, table of contents, background about the investigation (Yay FBI! Yay Intelligence Community!), discussions about how they don't disclose sources and methods, a long discussion of open source Russian media (especially RT television programming), and "This page intentionally left blank".

So there are only 4 pages that you need to read.  Three are "Summary/findings", and so do not have anything got back up their claims.  The meat of the report, therefore, are the pages numbered 2-5.  From a computer/network security perspective, these are entirely unpersuasive that the Russians (and more specifically, Vladimir Putin) was behind the hacks.  Here are the topics that those pages discuss:

  • Putin ordered campaign to influence US election (likely true, although may not have been Putin himself)
  • Russian campaign was multifaceted (you'd certainly think so)
  • Cyber espionage has been going on against US political organizations (well, duh)
  • Public disclosures of Russian-collected data says that the GRU (Russian Military Intelligence) ran the "Guccifer 2.0" persona and gave the data to Wikileaks.  No evidence is given to support this.
  • Russian intrusions into State and local electoral boards did not access vote tallying computers.
  • Russia has a propaganda effort and uses Russian media (especially RT) to get its message out (again, duh)
  • Influence effort was "boldest yet" in US (whatever)
  • Election operation signals "new normal" in Russian influence efforts (whatever)
And so of the eight topics discussed in the 5 pages that are the meat of the report, the only one that counts is "The GRU ran the Guccifer 2.0 collection effort and gave the data to Wikileaks".  There's simply no way to verify this because they don't give us their sources and methods.  Basically, it's "trust us".

And so, back to the second link in this post which discusses how things work in the real world:
Really good hackers get in with a set of warz, immediately start changing any log files and IDS systems to erase evidence of the attack, and exfiltrate what is highly interesting, erase those logs, then lay low with long duration backdoor kit. If possible, picking up additional bits over long periods of time. This is a skill set that takes years to understand, so I’m not going into it here. If you want to know more, attend one of the many hacker conferencesfor a few years. 
Excellent hackers leave indirection evidence that is hard to find (so either you don’t find it and don’t know you were hacked or if you DO find it, since it was hard to find, think yourself sooo smart it must be real…) and deflect any search elsewhere. IMHO, that’s the hardest to properly find. All the real evidence was erased, and what you are working from is the McGuffin. (Thing in a story line everyone is searching to find, that may not be real. See The Maltese Falcon as example.)
So what we know publicly about the investigation is that it was a postmortem, it found some forensic evidence, that evidence was an old Russian warz, and thus the conclusion is:
“Russia Did It!”
The flaws in this are many.
The BIGGEST flaw
You don’t know how many hacks happened. It may well be that the Russians hacked in 6 or 8 years ago and have been sniffing data ever since. That does not at all prevent an Admin dumping a tape and leaking it. It does not at all prevent a Chinese team sucking out the data and erasing their tracks. It does not at all prevent an NSA guy from dropping a USB drive on Wikileaks. It does not at all prevent the local ISP Night Shift Operator, who is bored silly, from piping a router feed of email to their laptop as it goes by and collecting a set (though good ISPs have systems to prevent that). It does not at all prove that only Russia is to blame for the hack / leak, and not some Fat Bastard in the basement of his Mom’s house using downloaded Russian warz (commonly available) to do the hack.
Assigning the Data Public Dump to the Russian Hack is a leap of faith.
Assigning the hack with Russian Warz to Russia proper is a leap of faith.
Assigning the Data Exfiltration to the Russian Warz is a reasonable, but still, leap of faith.
Now there may be classified evidence that is compelling but which is suppressed to protect sources and methods.  These wouldn't be IP address metadata from NSA, because the hop into Russia will almost certainly not be the final leg (indeed, it might be a hop before one to China,or Israel, both of whom have excellent cyber exploit capabilities).  It might be CIA intel from inside the Russian government, but that is unlikely to have detailed information on GRU technical operations (or maybe it does, in which case it's very classified and nobody will tell us about this, maybe ever).

And so we're back to trust us.  That's pretty weak.

My take is that several state actors certainly hacked Hillary's email server for years and years, and silently read all her communications.  Probably more than one state actor penetrated the DNC email system for several years.  It's plausible than an insider leaked the DNC emails - some BertieBro IT Admin type who saw how the sausage was being made and who was smart enough to cover his tracks while pointing clues towards Russia.

Bottom line, this is a tale told by an idiot; full of sound and fury and signifying nothing.  We know that something happened, but we don't know who did it, and what they say in the report doesn't change that.

If you're interested in the topic, I recommend that you click through to this analysis, and particularly the conclusion.

A new (to me) motorcycle blog

I Just Want To Ride is a motorcycle blog I just discovered over the weekend, run by a guy in the local HOG chapter.  It has a wide ranging set of topics, including the latest post on weird motorcycles:

I know that some of all y'all ride, so check it out.

Saturday, January 7, 2017

Hank Williams Jr - Secret Agent Man

So the Intelligence Community has released their report on "Russian hacking of the election", and it's quite unimpressive.  But since it's wall to wall coverages of Russians under beds everywhere, here's Hank Junior's cover of Johnny Rivers' 1966 classic.

Secret Agent Man (Songwriters: P.F. Sloan, Steve Barri)
There's a man who leads a life of danger
To everyone he meets he stays a stranger
With every move he makes another chance he takes
Odds are he won't live to see tomorrow
Secret agent man, secret agent man
They've given you a number, I know they've take away your name
Beware of pretty faces that you find
A pretty face can hide an evil mind
Ah, be careful what you say
Or you'll give yourself away
Odds are you won't live to see tomorrow
Secret agent man, secret agent man
They've given you a number, I know they've take away your name
Secret agent man, secret agent man
They've given you a number, oh they've taken away your name
Swingin' on the Riviera one day
And then layin' in the Bombay alley next day
Oh, don't you let you let the wrong word slip
While kissing persuasive lips
Odds are you won't live to see tomorrow
Secret agent man, secret agent man
They've given you a number, oh they've take away your name
Secret agent man

Thursday, January 5, 2017

On understanding the problem

It mystifies me why some people simply can't understand this.  None so blind as those who will not see, I guess.

Seen on Facebook by the Queen Of The World.

OK, this is really funny

In a very security geeky way.  UK company registers company name as ; DROP TABLE "Companies"; --

If you're interested in learning more about this sort of security fun and games, I have an old post that goes into this in a humorous way.

Wednesday, January 4, 2017

How credible is the "Russians hacked the DNC" report from the Intelligence community?

In this corner, the "You l4mers need to up your game" argument:
[The Administration] had the DHS and US-CERT issue the "GRIZZLY-STEPPE" report "attributing those compromises to Russian malicious cyber activity". It does nothing of the sort. It's full of garbage. It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth.

Yes, hackers use Yahoo for phishing and malvertising. It doesn't mean every access of Yahoo is an "Indicator of Compromise".

For example, I checked my web browser [chrome://net-internals/#dns] and found that last year on November 20th, it accessed two IP addresses that are on the Grizzley-Steppe list:
No, this doesn't mean I've been hacked. It means I just had a normal interaction with Yahoo. It means the Grizzley-Steppe IoCs are garbage.
The summing up:
If your intent was to show technical information to experts to confirm Russia's involvement, you've done the precise opposite. Grizzley-Steppe proves such enormous incompetence that we doubt all the technical details you might have. I mean, it's possible that you classified the important details and de-classified the junk, but even then, that junk isn't worth publishing.
In the other corner, the "Russia uses non-state hackers all the time" argument:
That source, who won’t be named here because it would compromise his current position and create legal problems for him, said he routinely saw Russian intelligence services recruiting hackers on cybercrime forums — particularly for research into potential vulnerabilities in the software and hardware that powers various national power grids and other energy infrastructure.
“All these guys had interest in hacking government resources, including Russian [targets],” my source told me. “Several years ago I got to know one of these hackers who worked for Russian government, [and] he operated his [cybercrime] forum as a government honeypot for hiring hackers. They were hiring hackers to work in official government organizations.”
Initially, he said, the hackers targeted U.S. military installations and U.S. news media outlets, but eventually they turned their attention to collecting government and corporate secrets full-time. The source said the teams routinely used botnets for foreign intelligence gathering and counterintelligence, and frequently sought to infiltrate botnets that were suspected of being co-opted for the same purposes by other countries.
My take is that both of these are plausible.  The Russian government has at least loose connections to a whole community of Black Hats who live on their soil (as do other governments, especially China, Iran, and Israel).  Influence is absolutely plausible, though the Grizzley-Steppe report is unconvincing here.  Motivations vary from country to country - China and Iran likely would have preferred Hillary, Israel almost certainly would have preferred Trump.

Does it make a difference?  Not really, as long as DNC bigwigs use an email password of "password".  What is clear is that the DHS report should be taken with a huge grain of salt.  But both of these linked articles do a very good job covering the landscape - if you are interested in this topic, you should click through.

Why the Elites are not fit to govern

Offered for your consideration: John Podesta's email password was "password".

But we're constantly told that the Elites should govern us because they are so very clever and highly trained, and us poor rubes will screw everything up without them.

Hat tip: Rick, via email.

Tuesday, January 3, 2017

Intelligence Agency "The Russians Hacked The Election" report is incredibly weak

Man, it seems like the report is really weak:
Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers' "tradecraft and techniques" and instead delivering generic methods carried out by just about all state-sponsored hacking groups.
"This ultimately seems like a very rushed report put together by multiple teams working different data sets and motivations," Robert M. Lee, CEO and Founder of the security company Dragos, wrote in a critique published Friday. "It is my opinion and speculation that there were some really good government analysts and operators contributing to this data and then report reviews, leadership approval processes, and sanitation processes stripped out most of the value and left behind a very confusing report trying to cover too much while saying too little."
It's larded with basic n00b errors:
The sloppiness, Lee noted, included the report's conflation of Russian hacking groups APT28 and APT29—also known as CozyBear, Sandworm, Sednit, and Sofacy, among others—with malware names such as BlackEnergy and Havex, and even hacking capabilities such as "Powershell Backdoor." The mix up of such basic classifications does little to inspire confidence that the report was carefully or methodically prepared. And that only sows more reasons for President elect Donald Trump and his supporters to cast doubt on the intelligence community's analysis on a matter that, if true, poses a major national security threat.
It also doesn't discuss that while there are many linkages between these groups and the Russian government, the links are loose.
As Errata Security CEO Rob Graham pointed out in a blog post, one of the signatures detects the presence of "PAS TOOL WEB KIT," a tool that's widely used by literally hundreds, and possibly thousands, of hackers in Russia and Ukraine, most of whom are otherwise unaffiliated and have no connection to the Russian government.
All in all, this does not seem at all convincing.  It's not clear what exactly was hacked, it's very unclear who was behind the hack(s), and it is murky indeed whether this was state sponsored or just run of the mill Black Hat activity.

What IS interesting is that the Intelligence community would issue such Security Kabuki.  Your speculation is as good as mine on the motivations of those involved.

Sunday, January 1, 2017

Happy New Years everybody

I hope that your celebration was measured and safe.