Monday, September 01, 2014

My Reading List 9/1/2014 - Mainly stuff about Jennifer Lawrence's nude photos (the hack, not the photos, pervs)

#JenniferLawrence
#FeynmanLectureChallenge Day 1 - Chapter One, All matter is made of atoms, read and partially understood.
The principle of science, the definition, almost, is the following: The test of all knowledge is experiment. Experiment is the sole judge of scientific “truth.” But what is the source of knowledge? Where do the laws that are to be tested come from? Experiment, itself, helps to produce these laws, in the sense that it gives us hints. But also needed is imagination to create from these hints the great generalizations—to guess at the wonderful, simple, but very strange patterns beneath them all, and then to experiment to check again whether we have made the right guess. This imagining process is so difficult that there is a division of labor in physics: there are theoretical physicists who imagine, deduce, and guess at new laws, but do not experiment; and then there are experimental physicists who experiment, imagine, deduce, and guess.
Huffington Post - Jennifer Lawrence's Nude Photos Leak Online, Other Celebs Targeted -
A 4chan user claims to have released nude photos of several female celebrities in a major hacking.

The hacker said that he or she leaked photos of Jennifer Lawrence, Kate Upton, and a host of other stars.
A rep for J.Law confirmed that the images, allegedly stolen from her iCloud account, are real.
In my opinion this isn't a major hacking scandal; it was an inevitability. The photos were stored in a cloud storage account (iCloud). I keep telling people cloud storage has two problems: 1) it is inherently insecure, and 2) once you put something into cloud storage you lose control of it. It no longer belongs to you; it belongs to the storage provider.

Case in point: Mary Elizabeth Winstead, another victim, acknowledged that the pictures of her were real but stated that she had deleted them from her storage. Well, obviously not, because there they are.

I am not going to say never use cloud storage; it is too convenient for that to be feasible. But you do need to be careful with your data, and anything sensitive should be encrypted.

(BTW - This should not be interpreted as a "well, they deserved it" thing. They don't.)

Related - Engadget - 'Find My iPhone' exploit could be to blame for celebrity photo hacks -

some keen programmers think they may have spotted at least one (now fixed) route into accounts.
The potential exploit relates to a project on the code hosting site Github called, imaginatively, ibrute. Just a day before the images leaked, the developers of ibrute announced a bug in the Find My iPhone service means it doesn't employ bruteforce protection (i.e. an attack can continue using different passwords until the right one is found). The implication is that this could give access to AppleIDs, and from there any number of avenues to compromise accounts become significantly more viable.
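As an added illustration of why the missing protection matters (example code written for this post, not from the article or the ibrute project): a toy password check run with and without a per-account failure lockout, using a constructed account, password and guess list. With lockout disabled the guess-until-correct loop reaches the password; with a five-failure lockout it is cut off first, and the failure log is what a detection rule would alert on.

```python
import hmac
from collections import defaultdict, deque

# Constructed demo credential store (placeholder account; a real service stores password hashes).
USERS = {"demo@example.com": "correct horse battery staple"}

# Constructed guess list; the real password is deliberately placed 7th.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou",
            "welcome", "correct horse battery staple"]


class AuthService:
    """Password check with optional per-account lockout after repeated failures."""

    def __init__(self, max_failures=5, window_seconds=900, lockout=True):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout
        self.failures = defaultdict(deque)  # account -> timestamps of recent failed attempts
        self.log = []                       # audit trail a detection rule could consume

    def _recent_failures(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return len(q)

    def login(self, account, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` is injected so the demo is deterministic."""
        if self.lockout and self._recent_failures(account, now) >= self.max_failures:
            self.log.append(f"LOCKED account={account} t={now}")
            return "locked"  # rejected before the password is even checked
        stored = USERS.get(account, "")
        if hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        self.log.append(f"FAIL account={account} count={len(self.failures[account])} t={now}")
        return "denied"


def guessing_loop(service, account, wordlist):
    """Run the guess-until-correct pattern the article describes; returns (outcome, attempts)."""
    for i, guess in enumerate(wordlist, 1):
        outcome = service.login(account, guess, now=1000.0 + i)
        if outcome in ("ok", "locked"):
            return outcome, i
    return "exhausted", len(wordlist)
```

`guessing_loop(AuthService(lockout=False), "demo@example.com", WORDLIST)` returns `('ok', 7)`, while the default lockout service returns `('locked', 6)` and keeps rejecting the account until the window expires.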

Related - Those who wish to remain unnamed on a certain chan board believe they have identified the leaker.

I would post a link but it would expire before anyone reads this. If you are curious you can visit the board yourself, but be careful: there are things there that you probably don't want to see.

Wired - Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft -
When whistleblower Edward Snowden revealed the full extent of the NSA’s activities last year, members of the site’s tech forum started talking about the need for a more secure alternative to Skype. Soon, they’d opened a chat room to discuss the project and created an account on the code hosting and collaboration site GitHub and began uploading code.
Eventually, they settled on the name Tox, and you can already download prototypes of the surprisingly easy-to-use tool. The tool is part of a widespread effort to create secure online communication tools that are controlled not by any one company, but by the world at large—a continued reaction to the Snowden revelations. This includes everything from instant messaging tools to email services.
I am pretty sure that this project has been infiltrated by any number of governments; we'll see what happens.

The Hacker News -   -
Criminal and Civil (financial) liability anyone?
More Workers Are Claiming ‘Wage Theft’ -

The lawsuit is part of a flood of recent cases — brought in California and across the nation — that accuse employers of violating minimum wage and overtime laws, erasing work hours and wrongfully taking employees’ tips. Worker advocates call these practices “wage theft,” insisting it has become far too prevalent.
...
Many business groups counter that government officials have drummed up a flurry of wage enforcement actions, largely to score points with union allies. If anything, employers have become more scrupulous in complying with wage laws, the groups say, in response to the much publicized lawsuits about so-called off-the-clock work that were filed against Walmart and other large companies a decade ago.

I am absolutely positive that this occurs, especially in jobs with lots of immigrant workers or contractors who are hoping for a full-time position. In the case of low-end jobs with lots of recent, possibly illegal, immigrants it happens because the employer knows they can't complain. This problem then ripples out to affect everybody else. It's one part of the wage deflation that occurs from illegal immigration. In the case of contractors it's a little more insidious. First, you don't actually work for the company, you work for the staffing firm, so the company has some deniability. Second, they never actually come out and say "work without pay," but it is strongly implied: "We really need this work to be done tonight, but we can't authorize overtime." The implication is that if you are a team player you will pick up the slack. If you don't, well, when your contract is up for renewal they may decide to give someone else a try. I recently worked for a very large internet-based company that used that approach. I had to tell the people working with me that it was illegal for them to require you to work without pay. (The group working with me was 90% foreign, mainly Indian, and most had only recently received permission to work in the States.)