Tuesday, September 02, 2014

My reading list 9/3/2014 - The NSA goes to court Jennifer Lawrence is still naked but Apple says it's not their fault and the IRS wants to tax your food

#IRS #JenniferLawrence #Fappening #NSA
#FeynmanLectureChallenge - Day 3 -
Physics is the most fundamental and all-inclusive of the sciences, and has had a profound effect on all scientific development. In fact, physics is the present-day equivalent of what used to be called natural philosophy, from which most of our modern sciences arose. Students of many fields find themselves studying physics because of the basic role it plays in all phenomena.
 Actually I don't think it can be called a challenge since 3 days in I am the only one participating.  Slackers.

Valleywag - The IRS Wants to Take a Bite Out Of Silicon Valley's Free Lunches -
The recent push to tax catered meals is a "national directive by senior officials," according to the Wall Street Journal. In the eyes of both IRS agents and tax professionals, company-provided meals are a fringe benefit, just like the use of a company car for personal purposes.
However, Silicon Valley firms are already pushing back against the tax, and the issue is expected to end up in court.
Because the IRS isn't hated enough...  You have to wonder where they find these assholes making these decisions.

Indefinitely Wild - The Simple Math of Why Smaller Bullets Are Deadlier -

Basically it's all about the physics but they may be misapplied in this article.

Ars Technica - First US appeals court hears argument to shut down NSA database -
Senior Judge Robert Sack asked if the prudent thing might not be to wait. "Might we not say—great, we agree with you, but there's other litigation going on," he said. "We want to let the Supreme Court have a kick at the ball. Does it make sense to say, here are our views—and then wait until the DC Circuit speaks, and the Supreme Court has an opportunity to speak? Before actually making an order, an injunction? Suppose we're wrong, and someone blows up a subway train?"
Reading the article, it didn't seem particularly positive for the ACLU, but Ars Technica maintains that the judges didn't indicate any leanings one way or the other.

Pando Daily - A year later, Thomas Pynchon’s “Bleeding Edge” still resonates to tech obsessives more than ever -
The bulk of “Bleeding Edge” is set in New York City during the months between the dotcom crash and the September 11 attacks. This imbues the novel with an eerie sense of dramatic irony — people know things are bad, but they have no idea how bad things will get. So your startup failed? No big deal, get a job on Wall Street or even suffer at a cubicle farm until the investment climate improves. And even if you’re unemployed it’s not as if we’re at war or anything… It’s the same vibe struck by those early powerful episodes of “The Sopranos” which took place around the same time: “Things aren’t great, but they’ll get better. Right? RIGHT?”
Tried to read the book.  Couldn't get into it, but maybe I will try again.  I kind of doubt it though, it seems to be aimed at the sensitive socially aware type (Social Justice Warriors as Larry Correia calls them) and frankly I don't really need the lecture yet again.

Wired - A Google Site Meant to Protect You Is Helping Hackers Attack You -
It’s long been suspected that hackers and nation-state spies are using Google’s antivirus site to test their tools before unleashing them on victims. Now Brandon Dixon, an independent security researcher, has caught them in the act, tracking several high-profile hacking groups—including, surprisingly, two well-known nation-state teams—as they used VirusTotal to hone their code and develop their tradecraft.
And once again the Law of Unintended Consequences bites us in the buttocks.

The New Yorker - The Masked Avengers: How Anonymous incited online vigilantism from Tunisia to Ferguson -

Mainly about Commander X, one of the more public members.  Not a lot about the inner workings at all.

On the Fappening:

New Web Order - Notes on the Celebrity Data Theft -

Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recovery process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step is the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.
Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug.

This has been an ongoing issue for a long time.  From what I have seen it appears Apple is attempting to shift the blame to the victims, but even if they did everything right Apple's process still made them vulnerable.  That is a problem.
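The three fixes the quoted post asks for (a signup check that never reveals whether an address is taken, a single recovery step that validates every factor at once with one generic error, and per-account rate limiting with lockout) are easy to show in code. The example below is added here and is not Apple's code or the New Web Order author's; the account store, the SHA-256 answer hashing, the attempt window, the `RecoveryService` class and its method names are all assumptions made up for illustration.

```python
"""Account-recovery handler that avoids the enumeration and step-by-step
failure pattern described above.  Constructed example: the account data,
class names and limits are made up, not taken from any real service."""
import hashlib
import hmac
import time
from dataclasses import dataclass

# One message for every kind of failure: wrong DOB, wrong answers, unknown
# address or locked-out account all read the same to the caller.
GENERIC_FAILURE = "We could not verify that information. Please check it and try again."


def _h(value: str) -> str:
    """Normalise case/whitespace, then hash so stored answers are not plaintext."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


@dataclass(frozen=True)
class Account:
    email: str
    dob: str            # YYYY-MM-DD
    answer1_hash: str
    answer2_hash: str


# Stand-in compared against when the submitted address has no account, so the
# handler does the same amount of work either way (no timing side channel).
_DUMMY = Account("nobody@example.invalid", "1900-01-01", _h("x"), _h("y"))


class RecoveryService:
    def __init__(self, accounts, max_attempts=5, lockout_seconds=900):
        self._accounts = {a.email.lower(): a for a in accounts}
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._failures = {}   # submitted email -> timestamps of recent failures

    def signup_response(self, email: str) -> str:
        """Signup never says whether the address is taken; the answer goes to the inbox.
        (Actually sending the mail is out of scope; the point is the uniform reply.)"""
        return "If this address can be used, a confirmation link has been sent to it."

    def _locked(self, key: str, now: float) -> bool:
        # Keep only failures inside the window; lock when there are too many.
        recent = [t for t in self._failures.get(key, []) if now - t < self.lockout_seconds]
        self._failures[key] = recent
        return len(recent) >= self.max_attempts

    def recover(self, email: str, dob: str, answer1: str, answer2: str, now=None):
        """Validate every factor in one step; return (ok, message)."""
        now = time.time() if now is None else now
        key = email.strip().lower()
        account = self._accounts.get(key, _DUMMY)
        exists = key in self._accounts

        # Every comparison runs regardless of the others, so the response does
        # not reveal which factor was wrong (constant-time compares on bytes).
        dob_ok = hmac.compare_digest(account.dob.encode(), dob.strip().encode())
        a1_ok = hmac.compare_digest(account.answer1_hash.encode(), _h(answer1).encode())
        a2_ok = hmac.compare_digest(account.answer2_hash.encode(), _h(answer2).encode())
        ok = exists and dob_ok and a1_ok and a2_ok

        # Failures are counted per submitted address, including addresses with
        # no account, so guessing against unknown emails is throttled too.
        if self._locked(key, now) or not ok:
            self._failures.setdefault(key, []).append(now)
            return (False, GENERIC_FAILURE)
        return (True, "A reset link has been sent to the address on file.")


if __name__ == "__main__":
    svc = RecoveryService([Account("jane@example.com", "1990-05-17", _h("Rex"), _h("Springfield"))])
    print(svc.recover("jane@example.com", "1991-01-01", "rex", "springfield"))
    print(svc.recover("jane@example.com", "1990-05-17", "rex", "springfield"))
```

The `now` parameter exists so the lockout window can be driven deterministically in tests; a real deployment would also key the counter on client address and alert on bursts of failures, but the per-account counter alone already closes the one-factor-at-a-time oracle the post describes.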

Valleywag - iCloud Isn't Safe, Because Everyone's a Target and Apple Doesn't Care -

Two years ago, tech writer Mat Honan wrote a blockbuster story for Wired, describing how a child got into his iCloud account and briefly ruined his life. You may have heard that the same thing recently happened to some very famous women, almost certainly using the same method. Apple is making it easy for you to be next.
See above.
