Thursday, February 28, 2013

MIT Gets Swatted and Other Stuff 2/28/2013

MIT Gets Swatted

In honor of Aaron Swartz.
The alleged gunman was heading toward the administrative offices. It was all part of a larger plan: retaliation, according to MIT, against "the people involved in the suicide of Aaron Swartz."
...
Haven't heard about this? Thankfully, it's because no shooting took place on February 23 at MIT. The police thoroughly checked out the situation and declared the reports of a gunman to be false shortly after 10:30 am. The situation was the result of what's being called an elaborate hoax, still unsolved and being investigated as of yesterday.

How a Social Network Dies
when the costs–the time and effort–associated with being a member of a social network outweigh the benefits, then the conditions are ripe for a general exodus. The thinking is that if one person leaves, then his or her friends become more likely to leave as well and this can cascade through the network causing a collapse in membership.
Personally I think Facebook exceeded that ratio long ago but that's me.

Group accesses Bank of America server - claims to have proof B of A monitored activist groups

Of course they were monitoring them; for one thing, those groups were protesting them, and at one point had launched DDoS attacks and at another had hacked them.

Bob Woodward seems to be at war with the White House

First he challenges them on who actually came up with the sequester (Obama), then he says Obama is exhibiting a special kind of madness that he hasn't seen in a long time by pulling an aircraft carrier from the Persian Gulf, and now he releases an e-mail in which an administration official threatens him for challenging the administration.

Woo Hoo, way to make friends and influence people, guys.

5 Mistakes Political Pundits Make All The Time

Well, really it's one mistake: assuming they know what they are talking about. But if they want to parse it down to five I'm not going to complain.

More on Woodward


Tuesday, February 26, 2013

Well it's been 15 minutes

Time for another Java security flaw -
Security Explorations CEO Adam Gowdiak told Softpedia that it tested the flaw in the original release of Java 7, as well as in Java 7 Updates 11 and 15. Java 7 Update 15 is the latest version released last week. "When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox," Softpedia wrote.
Once again unless you absolutely need it remove Java from your system.




Stuff 2/26/2013

Bypassing Google's Two factor Authentication - with cartoons even:
TL;DR – An attacker can bypass Google’s two-step login verification, reset a user’s master password, and otherwise gain full account control, simply by capturing a user’s application-specific password (ASP).
Former leader of LulzSec, "Sabu", avoids jail for another 6 months - Apparently he is still helping the FBI.  (Read about this yesterday but didn't care, now it's midnight and I need blog material.)

Good idea -
Google is working on identifying Chrome tabs that are currently playing audio (or recording it). The feature is expected to show an audio animation if a tab is broadcasting or recording sound.
An alternative idea is to hire ninjas to track down and beat anyone who puts autorun media on their website.

Well that's really all I have.


Monday, February 25, 2013

Stuff 2/25/2013

Oh My God thinking up these titles is exhausting, why do I go on?

Oh wait, I know the answer to that: first off, it's for you, my loyal readership of zero; secondly, it's an outgrowth of my narcissistic personality disorder, which causes me to believe that I actually have something important to say. In my semi-lucid moments I realize that, but I just play along anyway.

OK on to the good stuff:

Impostor syndrome rears its ugly head at Stanford.
Wait, pause a second. I was no impostor. What did that even mean?
When I went back to my previous LadyCoders post, I realized that Tarah had put my post under “Impostor Syndrome.” I ended up googling this strange term. According to Wikipedia, Impostor Syndrome is “a psychological phenomenon in which people are unable to internalize their accomplishment.”
OK, successful people who feel like you are frauds, let me tell you something - you are very annoying to us frauds who are trying to pass as successful people, so knock it off.

A look at improved ease of programmability in FPGAs.  I can't honestly say how important this is in the giant tech scheme of things but it was slightly interesting.

Twitter Hackings Put Focus on Security for Brands - Basically the article says that it's (relatively) easy to hack the social media accounts of advertisers because the social media companies won't step up and put in the extra layers of security that commercial accounts require.

A New Cold War in Cyberspace -

...underscored the heightened sensitivities inside the Obama administration over just how directly to confront China’s untested new leadership over the hacking issue, as the administration escalates demands that China halt the state-sponsored attacks that Beijing insists it is not mounting.
The issue illustrates how different the worsening cyber-cold war between the world’s two largest economies is from the more familiar superpower conflicts of past decades — in some ways less dangerous, in others more complex and pernicious.
...
the prescriptions for what to do vary greatly — from calm negotiation to economic sanctions and talk of counterattacks led by the American military’s Cyber Command, the unit that was deeply involved in the American and Israeli cyberattacks on Iran’s nuclear enrichment plants.
So here's my plan: clone Jeffrey Dahmer and, using secret government technologies, force him through a period of accelerated growth while feeding him a diet rich in Chinese food. After he has reached prime people-eating age, rent him an apartment in Shanghai about a block from the building where the Chinese army is launching its attacks from. For good measure we can rent him a restaurant storefront also; the lunch specials would probably be right up Anthony Bourdain's alley. I've submitted this plan to the Joint Chiefs of Staff but I haven't heard back yet.
The gun control debate heats up again as the NRA releases a leaked Department of Justice memo which basically backs their position:
The memo, under the name of one of the Justice Department's leading crime researchers, critiques the effectiveness of gun control proposals, including some of President Barack Obama's. A Justice Department official called the memo an unfinished review of gun violence research and said it does not represent administration policy.
The memo says requiring background checks for more gun purchases could help, but also could lead to more illicit weapons sales. It says banning assault weapons and high capacity ammunition magazines produced in the future but exempting those already owned by the public, as Obama has proposed, would have limited impact because people now own so many of those items.
It also says that even total elimination of assault weapons would have little overall effect on gun killings because assault weapons account for a limited proportion of those crimes.

and that winds up today's collection of stuff.





Sunday, February 24, 2013

Just another collection of stuff 2/24/2013

An examination of the state of the Chinese Model of Economic Growth:

I (M. Pettis, the author) have often argued that the Chinese development model is an old one, and can trace its roots at least as far back as the “American System” of the 1820s and 1830s. This “system” was itself based primarily on the works of the brilliant first US Secretary of the Treasury Alexander Hamilton (see especially his report to the Congress on manufacturing and his two reports on public credit and banks).
... 
There were three key elements of the American System. Historian Michael Lind, in one of his economic histories of the United States, described them as:
· infant industry tariffs
· internal improvements, and
· a sound system of national finance
These three elements are at the heart, explicitly or implicitly, of every variation of the investment-led development model adopted by a number of countries in the last century – including Germany in the 1930s, the USSR in the early Cold War period, Brazil during the Brazilian miracle, South Korea after the Korean War, Japan before 1990, and China today, to name just the most important and obvious cases.
The author of Penny Arcade reviews the Surface Pro

How H1B visas are screwing tech workers -

 if tech workers are in such short supply, why are so many of them unemployed or underpaid? According to the Economic Policy Institute (EPI), tech employment rates still haven't rebounded to pre-recession levels. And from 2001 to 2011, the mean hourly wage for computer programmers didn't even increase enough to beat inflation.
The ease of hiring H-1B workers certainly hasn't helped. More than 80 percent of H-1B visa holders are approved to be hired at wages below those paid to American-born workers for comparable positions, according to EPI. Experts who track labor conditions in the technology sector say that older, more expensive workers are particularly vulnerable to being undercut by their foreign counterparts. "You can be an exact match and never even get a phone call because you are too expensive," says Norman Matloff, a computer science professor at the University of California-Davis. "The minute that they see you've got 10 or 15 years of experience, they don't want you."
Speaking from my experience I can say that is true. I have worked with a number of H1B visa holders and, anecdotally, I can say they were hired at below-standard wages. This is supposed to be illegal, but I suspect what the companies do in order to get away with it is decrease salaries for everyone, then list that new salary for the immigration authorities. In the end it has the same effect in the tech industry as hiring illegals has had in the hospitality and food service industries.

Why fighting cyber-attacks is so hard - Basically it comes down to the sheer volume and unrelenting nature of the attacks, coupled with increasing sophistication on the part of the attackers. In addition, the tools being used to defend against these attacks may not be effective. One other issue, according to the FBI, is a lack of data sharing that hinders the development of effective countermeasures.

It's an uphill battle. A good book on the subject is Fatal System Error. It isn't a technical book by any means, but it shows in part why it can be so hard to deal with these attacks:




OK I guess that's it for this episode of "Pigs in Space"

Thursday, February 21, 2013

Another Gov't Site Taken Down

or claimed at least. More

So apparently OpLastResort continues in honor of Aaron Swartz. In related news, The Guardian published details about the FBI's investigation into Swartz's downloading of 18,000,000(?) documents from PACER. Pretty bland reading actually. The investigation appears to have been 3 phone calls and a web search.

Apple hacked - same thing as yesterday: Java enabled in browsers and users visited a compromised site. Apple says they are releasing a tool to resolve the issue. Related: AllThingsD looks at the security research team at Apple.

OOPS - the lead detective in the Oscar Pistorius case is also facing attempted murder charges.

Georgia proposes repealing the 17th amendment (Direct Election of Senators). Interesting question. The way things were originally set up, the House represented the people, the Senate represented the states and the Executive branch represented the federal government. That model was broken with the 17th amendment. I'm not sure it can be restored (and honestly, while I am an originalist / intentionalist, I'm not sure that it should be; the Senate was much more corrupt under the 17th amendment than now). The biggest issue I see with trying to restore it, other than resistance from voters, is that too many federal rights have been incorporated down to the state level for it to be a meaningful act, and the only way around that would be to reverse the incorporation of those rights. I would rather have the guarantee of free speech at both the federal and state level than senators elected by state legislatures.


And now just because I know it's your favorite:


Wednesday, February 20, 2013

More Hacking News

I don't know why I have recently started finding all these attacks so fascinating. I mean, I have always been interested in this stuff, going back to reading "Hardwired", "Neuromancer" and "Count Zero" for the first time (although strangely the movie "Hackers" turned me off on computers for quite a while). I think it's because we are slowly watching a system implode on itself and the people who use the system are encouraging its destruction. It's like watching the Soviet Union fall again; you never know what the next day is going to bring.

All Things D identifies the site which hosted the exploit behind the recent Facebook, Twitter and Apple attacks.
In the spate of large companies hacked in recent weeks, it seems that many of them have one thing in common. Many have visited one compromised website specifically devoted to sharing information related to mobile development — and it’s not just tech companies visiting the site.
...
After Facebook employees visited the mobile development site in recent weeks, malicious code injected into the HTML of the site used an exploit in Oracle’s Java plug-in to infect employee laptops, as the company divulged last Friday.
Uninstall Java in your browsers (at the least), people; it's rapidly becoming the tool of the debble.

Ars Technica explains how the attack on HB Gary helped identify the two Chinese hackers that security firm Mandiant identified in the report it released yesterday.

...hackers used Hoglund's e-mail account to convince another rootkit.com administrator to reset the root password on the site's server to "changeme123." Once done, they entered the server and—among other things—dumped the entire list of user account and password hashes for rootkit.com, which had been hashed with the MD5 algorithm and proved susceptible to third-party password cracking tools. The cracked list was then publicly released.
This list was a boon to Mandiant because UglyGorilla was on it; he had signed up as "uglygorilla" and had used the password uglygorilla@163.com during registration. The password matched one that had been used by someone to register for a People's Liberation Army event back in 2004 and to register hugesoft.org, a domain long associated with the APT1 hacks.
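As an added illustration of the point in the quote above (not code from Ars Technica, Mandiant or this blog), the following Python audit shows why a plain-MD5 account table falls to a single wordlist pass, and what a salted, iterated KDF changes and does not change. All users, passwords and hashes below are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist and user table; none of this is real leaked data.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon"]
USERS = [("alice", "password"), ("bob", "123456"), ("carol", "qwerty"),
         ("dave", "correct horse battery staple")]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# The dump in the "user:md5hex" shape of an unsalted account table (constructed).
LEAKED_DUMP = "\n".join(f"{u}:{md5_hex(p)}" for u, p in USERS)


def parse_dump(text: str) -> dict:
    """Parse 'user:hexdigest' lines, skipping blanks and normalising case."""
    rows = {}
    for line in text.splitlines():
        if ":" in line:
            user, digest = line.split(":", 1)
            rows[user.strip()] = digest.strip().lower()
    return rows


def audit_unsalted_md5(dump_text: str, wordlist: list) -> dict:
    """Map each user to the wordlist entry whose plain MD5 equals the stored hash.
    One digest table of len(wordlist) entries covers every user at once, which is
    what made a fast, unsalted hash such weak protection for the stored list."""
    table = {md5_hex(w): w for w in wordlist}
    return {u: table[h] for u, h in parse_dump(dump_text).items() if h in table}


ITERATIONS = 50_000  # kept modest so the example runs quickly; raise it in production


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; record format is 'salthex$dkhex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_salted(records: dict, wordlist: list) -> tuple:
    """Same wordlist check against salted records. Weak passwords still fall, but
    nothing can be precomputed or shared between users: every (user, guess) pair
    costs a full KDF run. Returns (recovered, kdf_runs) so the cost is visible."""
    recovered, runs = {}, 0
    for user, record in records.items():
        for guess in wordlist:
            runs += 1
            if verify_password(guess, record):
                recovered[user] = guess
                break
    return recovered, runs
```

The salted audit still recovers the three weak passwords, which is the second lesson of the quote: hashing choices only buy time, and a password reused across sites (as the uglygorilla@163.com example shows) is exposed wherever the weakest site stores it.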
Slashdot links to an article about the ongoing efforts to protect SCADA networks.

Violet Blue continues to provide updates on the various OpLastResort operations. Her Twitter stream is hit and miss; I am completely uninterested in all the SF-centric stuff (and the Open Source Sex stuff, not that I am against sex, just not interested in sex columns). YMMV.







Monday, February 18, 2013

It's all fun and games until the missiles start flying

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.



From the New York Times:


(...) The building off Datong Road, surrounded by restaurants, massage parlors and a wine importer, is the headquarters of P.L.A. Unit 61398. A growing body of digital forensic evidence — confirmed by American intelligence officials who say they have tapped into the activity of the army unit for years — leaves little doubt that an overwhelming percentage of the attacks on American corporations, organizations and government agencies originate in and around the white tower.






I don't think this really surprises anyone but someone is finally putting it in writing and it sounds like the administration is going to confirm it.

Tuesday, February 12, 2013

Oooops... FCC invests $10M in new network security but leaves backdoor unlocked

In light of yesterday's announcement that the Department of Energy will be spending $20,000,000 to develop advanced cybersecurity tools (following a hack in which personal information of several hundred employees was leaked, although the two aren't necessarily related), I found this article on Ars Technica regarding the FCC's implementation of their cybersecurity upgrade rather amusing.


a Government Accountability Office audit of the project, released publicly last week, found that the FCC essentially dumped that $10 million in a hole. The ESN effort failed to properly implement the fixes, and it left software and systems put in place misconfigured—even failing to take advantage of all the features of the malware protection the commission had selected, leaving its workstations still vulnerable to attack. In fact, the full extent of the problems is so bad the GAO's entire findings have been restricted to limited distribution.
"As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information," the report concluded. And much of the work done to deploy the security system must be redone before the FCC's systems approach anything resembling the security goals set for the project.

From the article it appears that the contractors just slapped stuff in place and there was no validation period or acceptance testing, and certainly nothing resembling Pen Testing. Seriously people, come on! This type of thing is one of the reasons so many people are leery of government spending. It is never done wisely.

Regarding the DoE hack, I don't think they have positively identified culprits. I read over the previous weekend that Anonymous had claimed credit, but not being on the secret mailing list I can't confirm that. The Department of Energy itself seems to be leaning towards China, but at least one security expert seems skeptical. I would say especially in light of the audit which found DoE wasn't adequately patching their systems.

The President is supposed to be releasing a national cybersecurity plan tomorrow.  Maybe it will provide some baseline best practices that everyone can aim for but I am not particularly hopeful.








Monday, February 11, 2013

Have $27,000 that you feel like throwing away?

If so Oregon State University has a deal for you - You can take a special accelerated 1 year online computer science program for $450 per credit. The course requires 60 credits and you have to already have a Bachelor's degree:

I can't say whether the quality of instruction is good or bad, but what I can say with complete absolute certainty is that the cost is out of line. As a comparison, University of Phoenix (considered by many to be the gold standard of rip-off for-profit schools) charges between $400 and $600 per credit hour. Western Governors University charges about $3000 per 6-month term with no limit on credit hours, and a continuing education class in computer programming lasting 6 to 8 weeks typically runs between $700 and $1000.

Curriculum




What happens to all that personal data that gets collected?

Yesterday on +TWiT, +Leo Laporte and +John C. Dvorak asked what companies are doing with all the personal data they collect. Well, here is part of that answer -

Software that tracks people on social media created by defence firm

Exclusive: Raytheon's Riot program mines social network data like a 'Google for spies', drawing ire from civil rights groups

I'm not saying that Google / Facebook et al. are actually spying on their users, but we all know that there are a lot of companies out there that are compiling data and selling it, and that data could be used for things such as this.

So What's Up With The Microsoft Surface Launch?

+Mary Jo Foley (@maryjofoley) writes Microsoft is touting 'amazing' customer response to its new Surface Pro. But customers are saying they couldn't get their hands on devices due to lack of supply.

Any time a device sells out, doesn't that indicate a "lack of supply"?

Seriously, when the Surface RT launched MSFT was criticized for overestimating customer demand for what critics were describing as the most ill-conceived crappiest device ever.  _(Okay I am paraphrasing a bit but that's pretty damn close to what they said)._  

So now, four months later, MSFT launches the Pro, having presumably adjusted their numbers a bit in response to both critical response and actual sales (I mean, two weeks ago Gartner or someone claimed millions of RT devices were sitting on pallets gathering dust), and they are getting hammered again. This time it's for underestimating demand for what critics are describing as the most ill-conceived crappiest product ever.

It's the Kobayashi Maru of marketing - unless you are Apple. Remember a couple years ago Apple was accused of underestimating demand for an iPhone release and it was treated as a marketing coup designed to drive buzz and build demand.

Friday, February 08, 2013

I don't remember if I posted any one of these before, but I watched them this morning before work while trying to wake up and actually find something to write about, so I am sharing:





(The looks on the crowds' faces kill me.)


And yes, I know my musical taste sucks. It comes from growing up on Top 40 radio in Montana in the 70's.