Thursday, August 27, 2015

I'm not reading anything today

Not that you bastards care.  :-P

OK that's not quite true I did read one article on VMWorld, which sounds about as fun as being anally violated with a rusty chainsaw.  This is the one time I am glad my contracting company doesn't pay for conferences.

I am also reading the first module for the VMWare class I am taking online.  Which is why you will not have my sparkling repartee surrounding the events of the morning today.

One other thing - I finished A Planet for Rent last night.  Interesting book.  Definitely a product of another time and place but still kind of fun to read.  Reminded me a lot of The Book of Chamelons.  Not in subject so much but in that tropical hispanic / latino / colonial cultural feel (says the guy with no insight to Hispanic / Latino / Cuban / Angolan culture).  Anyway if you are looking for a change up I would recommend it - EVEN THOUGH my recommendation will mean nothing because no one ever reads them.  Just saying  :-)

Wednesday, August 26, 2015

The Uber Endgame? World Domination - What I am reading 8/26/2015.

The Awl - The Uber Endgame: Why Uber (and Lyft) continue to look more and more like mass transit -

But if you put all of these Uber innovations together—pre-determined routes with fixed pickup points and continuous passenger pickups—it sounds remarkably like a gently optimized version of currently existing mass transit, one of the services that Uber is attempting to d i s r u p t.
 ...
The subtext of Uber’s new products having the look and feel of a slightly shinier version of mass transit is, of course, that Uber wants to be privatized mass transit. In Uber’s grand vision, no one owns cars because nearly everyone is taken everywhere in a driverless, electric, omnisciently networked Uber conveyance that arrives precisely when it is needed for a price cheap enough that for many people it feels free (but is just enough to make a profit, since one day, as unimaginable as it seems, the venture capital will run out). This is why Uber earnestly speaks of ending car ownership, taking cars off the road, and helping nurses commute to and from night shifts in the Bronx at two in the morning.
A year ago people were having conniptions over Google and Facebook running buses in order to move their workers to and from work.  It was like the world was coming to an end.  Now Uber comes along and actually is trying to displace public transit and there is silence?

Washington Post - Ted Cruz and Megyn Kelly tangle over immigration -

Prepare for another round of Kelly bashing.  Personally I like that she is pushing the candidates on these issues.  Remember everyone just let Obama slide in 2008 and we ended up with a feckless piece of shit as President.


Ars Technica - How security flaws work: The buffer overflow -
At its core, the buffer overflow is an astonishingly simple bug that results from a common practice. Computer programs frequently operate on chunks of data that are read from a file, from the network, or even from the keyboard. Programs allocate finite-sized blocks of memory—buffers—to store this data as they work on it. A buffer overflow happens when more data is written to or read from a buffer than the buffer can hold.
Long but informative article.  I recommend it.
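The definition quoted above, as an added example that is not from the Ars Technica article or from this blog: a fixed-size stack buffer filled with strcpy() and no length check, beside a bounded copy that reports when the input does not fit instead of writing past the end. The buffer size NAME_LEN, the function names and the sample names are constructed for the illustration.

```c
/* Added example (not from the Ars Technica article): a fixed-size buffer
 * written without a length check, beside the bounded version. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Vulnerable: strcpy() copies until it finds the NUL terminator, regardless
 * of how large 'buf' is. Any input longer than NAME_LEN-1 characters
 * overwrites whatever follows the buffer on the stack (other locals, the
 * saved return address...), which is undefined behaviour. */
void greet_unchecked(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);            /* no bound: classic stack buffer overflow */
    printf("hello, %s\n", buf);
}

/* Hardened: copy only if the whole string plus its NUL fits in dst_size
 * bytes, always leave dst NUL-terminated, and report the outcome to the
 * caller. Returns 0 on success, -1 if the input does not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0) return -1;
    if (n >= dst_size) {          /* no room for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n+1 bytes including the NUL, bounded above */
    return 0;
}

/* Same greeting using the bounded copy; returns 0 if greeted, -1 if rejected. */
int greet_checked(const char *name) {
    char buf[NAME_LEN];
    if (copy_bounded(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", buf);
    return 0;
}

/* Review aid: returns 1 if copying 'input' with strcpy() into a buffer of
 * 'buf_size' bytes would write past its end, 0 otherwise. */
int would_overflow(size_t buf_size, const char *input) {
    return strlen(input) + 1 > buf_size;
}

int main(void) {
    const char *short_name = "alice";                                      /* constructed */
    const char *long_name  = "a-name-that-is-much-too-long-for-the-buffer"; /* constructed */
    greet_unchecked(short_name);      /* only safe because this input is short */
    greet_checked(short_name);
    greet_checked(long_name);         /* rejected instead of smashing the stack */
    return 0;
}
```

The unchecked version is deliberately never called with the long name: the point is that nothing in the code stops a caller from doing so, and the only thing separating the two functions is the single length comparison in copy_bounded().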

NY Times - Signs, Long Unheeded, Now Point to Risks in U.S. Economy -
The data points range from the obvious to the obscure, encompassing stock market and credit bubbles in China, the strength of the dollar relative to emerging market currencies, a commodity rout and a sudden halt to global earnings growth.
I am not sure what this means although the repeated use of the word deflationary is rather scary, and I am pretty sure that this is the exact opposite of Monty's many predictions of runaway hyperinflation.  Correction:  I went back and looked at Monty's Mar 18 2015 Doom! piece and he does mention deflation: 
When we have sovereign long-bond rates dipping into negative territory and (possible) deflation looming in spite of a vast orgy of money-printing, it is clear that the global economic machine has begun to seriously malfunction.
Wired - A Peek Inside Mr. Robot’s Toolbox -
The bar wasn’t exactly high for dystopian hacker suspense thrillers when USA Network’s Mr. Robot launched, but the show has gone on to surprise everyone. WIRED Security writer Kim Zetter called it “the best hacking show yet.” What makes the show, which airs its season finale tonight, work is how true it is to its subject matter, from the alienation at the heart of an always-connected life to the technologies the characters use to pull off the story lines.
I have to say, I disagree about the quality of the show.  I really liked the first couple episodes, kind of liked the next few but I haven't even finished watching the last two.  They just completely lost me.  I'm not even sure why, although the secret hacker family / near incest subplot may have had something to do with it.  I'll watch tonight's episode but unless it completely blows me away I am not tuning in for season two.


Tuesday, August 25, 2015

Twitter shows us why the public needs flamethrowers - What I am reading 8/25/2015

Ars Technica - Facing possible ban, more Americans are buying new—and legal—$900 flamethrowers -
"Why make/build/sell this? It’s awesome," Byars added. "It’s revolutionary in its design in contrast to previous flamethrowers throughout the years due to its portability and instant-action on the fly functionality. I wanted one, personally, back in 2007, so I began developing plans to create one. Years went by with slow development, and then a spark hit and I decided this was the year to make it happen. I used the resources I gained as an engineer in the auto industry to learn how to make this a reality."
And come the revolution it will strike fear into the heart of the bourgeoisie

NY Times - Stock Markets Rebound Despite Continued Sell-Off in China -

After a three-day rout that erased nearly $3 trillion in value from stocks globally, markets other than China’s on Tuesday showed signs that selling pressures were easing.
...
Stocks in Europe opened higher and kept climbing. The Standard & Poor’s 500-stock index rose about 2 percent at the open, and the Dow Jones industrial average rose more than 300 points, or more than 2 percent.
It is too soon to know whether the rebound will last, but there were signs on Tuesday that many analysts might have been right in saying that the recent global sell-off of stocks and commodities was an overreaction to China’s specific economic and financial market problems.
I don't really know enough about this to intelligently comment but here goes.  To me this seemed like an overreaction.  Yes China is a huge economy but they try so hard to stand apart it seemed like their stock market issues really shouldn't matter much to us.  That however won't stop me from trying to take advantage if the market keeps dropping.

The Verge - Twitter's decision to ban archiving of politicians' deleted tweets is a mistake -
Twitter is either incapable of making essential distinctions, or becoming submissive to powerful users — and either scenario should damage everyone’s trust in the platform. The question of who is a public figure is murky, but the idea that politicians and people in positions of state power are public figures is uncontroversial. That they should be held accountable by having their publicly-stated words stored as a matter of record is well-established and fundamental to concepts of democracy: elected officials form a bright line, not a slippery slope. Twitter's decision is especially flabbergasting when you consider that the company originally blessed the idea of preserving the deleted tweets of politicians, only to suddenly have a change of heart three years later.
And this shows why we the public need flamethrowers - to overcome the powerful entrenched interests of the twitter-politico complex.

The Register - Court rules FTC can prosecute companies over lax online security -
The Third Circuit US Court of Appeals in Philadelphia has ruled that the Federal Trade Commission does have the right to prosecute firms who mishandle their customers' data.
...
The FTC's case hinges on what would be considered a "reasonable" amount of computer security, and it told the courts that Wyndham, which uses a centralized computer system for all its properties, didn't take reasonable precautions at all.
The suit cites the fact that the company was storing credit card numbers on its servers in plain text, had easily guessable administrator passwords, little or no firewalls, and didn't check what operating systems its subsidiaries were using. In one case, a hotel was using an outdated operating system that hadn't been patched for three years.
Another good use for flamethrowers.  In fact the more I think about it the more I realize that there is not a single problem that cannot be solved with the proper application of a stream of flame from your own personal flamethrower.

Sunday, August 23, 2015

Downloading Microsoft Server 2016 Technical Preview

We use VMWare at work; my co-worker is really interested in moving to Hyper-V, and I am interested in containers (which I know nothing about really), so it should be interesting.  Going to start out with a VM on my personal machine before setting anything up at work.

Saturday, August 22, 2015

Putting the band back together

In high school I belonged to two main groups - ROTC and a bunch of D&D playing nerds.  The ROTC crowd had a reunion a couple years ago and since then I have been thinking it would be cool to get the D&D types back together too.  Myself and a couple other guys have discussed meetups a couple times, usually centered around a comic-con or something, but it hasn't worked out so I am thinking maybe it is time to try again.

Here are the people I remember from our core group:

Myself
Chris Stoddard
Bruce Evans
Jerry Whitney
Ed Badura
Mike Barrett
Thor Shenkel
Karl Clark
Wade Byrd
Leigh Sampson
Chris Olson
Darren Carter

Chris and Bruce could probably supply some other names.  I know that there were more people floating in and out of the game all the time.  Of that group there are two or three that would probably have to be struck for personal conflict reasons.

So that's the who.  The next question is the where and when?

I tend to think early summer would be best (late June, early July).  The obvious answer for where is Billings, but I and at least a couple others probably want to stay away from there.  I love the beach so my next default is LA / SoCal (actually I would prefer the Oceanside / Carlsbad area) but I am absolutely sure that I would be the only taker on that one.  Two of us live in the Pacific Northwest and others are close (Utah / Montana) so Seattle or Portland would be a good bet.  We want some sort of Geekdom and there is Rose City Comic Con in Sept. usually.

So Portland - Mid September anyone?

The other option is meeting up in Vegas during Blackhat / Defcon which I swear I am going to next year.


Friday, August 21, 2015

How to discover great (?) music - What I am reading 8/21/2015

Ars Technica - The Ars summer playlist shows how we discover music today -

These days, most of my music discovery tends to come from Spotify's much improved recommendations—which, once you've built up a good stack of listening history to work from, is rather good—as well as indulging my obsession with vinyl by picking up records from second-hand shops and flea markets "like a hipster," as my esteemed colleague Sam Machkovech put it. Playing guitar skews what I tend to buy too, because I'm often after inspiration for licks, whether that's from modern metal or old jazz records filled with sweet trumpet legato passages.

I guess that works - if you are a mindless drone willing to have your taste dictated to you by a soulless machine.  Being a musical connoisseur (see my blogger and google plus playlists) I find my music from tv commercials, movie trailers, and occasionally on this magic box in my car, where people much smarter than myself can tell me what I should be listening to.  Example:

Discovered via the good people who make Diet Coke commercials.  Nuff Said.

olivierblanchard.net - Stop calling it the “Sharing Economy.” That isn’t what it is. -

Because Apple was “disruptive,” anything deemed disruptive now somehow borrows from Apple’s cachet. “Disruption” has become another meaningless buzzword appropriated by overzealous cheerleaders of the entrepreneurial clique they aspire to someday belong to. And look… every once in a while, someone does come up with a really cool and radical game-changing idea: Vaccines, the motorcar, radio, television, HBO, the internet, laptops, smart phones, Netflix, carbon fiber bicycles, drought-resistant corn, overpriced laptops that don’t burn your thighs in crowded coffee shops… Most of the time though, “disruption” isn’t that. It’s a mirage. It’s a case of The Emperor’s New Clothes, episode twenty-seven thousand, and the same army of early first-adopter fanboys that also claimed that Google Plus and Quora and Jelly were going to revolutionize everything have now jumped on the next desperate bandwagon. What will it be next week? Your guess is as good as mine.
...
Could taxi companies stand to get better at using tech (like they do in Bogotá, Colombia)? Sure. But you aren’t talking about helping them do that, are you. You aren’t lauding a company that set out to bring cab companies into the 21st century. What you’re doing is lionizing the ticket-scalpers of the hired car industry just because they use a popular app. When you do that, you aren’t praying to the altar of progress or even tech Darwinism. You’re praying to the altar of “disruption.” It doesn’t matter how chaotic or damaging it may be as long as it’s disruptive. You’ve just jumped on the latest tech bandwagon without bothering to look at the big picture. Again. Which is to say that you’ve fallen for the latest hype bubble, the latest bit of messaging, the latest round of investment-driving marketing. You’re just parroting PR copy without questioning its validity in the real world.
I have tried to express these same thoughts a number of times but Olivier Blanchard, whoever they are, does it much much better, albeit in a very very long post.

Defense One - Why Germany’s Cybersecurity Law Isn’t Working -

Essentially, as I read it, the law is a bunch of compromises no one is happy with that was enacted solely to show that the government was "doing something".  Those types of regulation never work out and always become overburdensome.

Linked In - The Case Against Full-Time Employees -

I don't have time to dissect this article completely just read it.

Wednesday, August 19, 2015

Received in the mail today

VMWare IT Academy Training Kit

Powerline takes on H1-B visas

The first step in the H-1B process is for the employer to file a labor condition application (LCA). That is where the employer certifies the prevailing wage, the wage to be paid to the H-1B worker, and to other labor protection provisions. Notice that the employer determines what the prevailing wage is.
And it gets even better. 8 U.S.C. § 1182(n)(1) requires the Department of Labor to approve all LCAs within seven days as long as the form is filled out correctly. The employer can put anything down on the LCA and know that it will be approved. 8 U.S.C. §1182(n)(2)(G)(v) prohibits the Department of Labor from going back and reviewing LCAs later. The whole LCA system is a meaningless paper shuffling exercise. …
Source

Batgirl dies - What I am reading 8/19/2015

BBC - Yvonne Craig, the actress best known for playing Batgirl in the 1960s Batman TV series, has died at the age of 78 -

RIP

Ars Technica - Data from hack of Ashley Madison cheater site purportedly dumped online -
Gigabytes worth of data taken during last month's hack of the Ashley Madison dating website for cheaters has purportedly been published online—an act that, if true, could prove highly embarrassing for the men and women who have used the service over the years.
Apparently there are 15,000 or so .gov or .mil email addresses contained in the dump.  I expect a lot of Admirals and Generals to be doing some explaining today.

Boing Boing - M.W.A: Fozzie and Kermit do Express Yourself by N.W.A -


Wired - Busting the Biggest Myth of CISA—That the Program Is Voluntary -
Access calls upon all companies to outright oppose CISA and the other “cybersecurity” bills that have been introduced in this Congress. They all strike a deal that sacrifices people’s privacy and security at the altar of corporate liability protection. Instead, these companies should publicly pledge not to participate in any government-run information sharing program that does not provide adequate privacy protections for users, including a right to remedy and provisions for transparency and accountability. In the meantime, Congress should be focusing on passing cybersecurity legislation that would actually assist companies in enhancing their digital security efforts, not in harming users’ privacy.
In my opinion any cybersecurity bill should also attach legal liability to the CEO and CIO / CISO whose company is breached, where it is found that the company was not making a good faith effort to follow best practices.

The Verge - Zorro is getting a post-apocalyptic reboot -
The masked outlaw Zorro is preparing to defend the poor from tyrants and despots in a new film set in the post-apocalyptic future, according to The Hollywood Reporter. The project, which has been in development hell for years, is titled Zorro Reborn, with shooting slated to begin in March 2016 at a Pinewood Studios facility in the Dominican Republic.
This will not in any way be an embarrassing failure.  I do have to admit though the last Zorro reboot is where I first became aware of Catherine Zeta Jones, who really deserves (hah!!) to be my wife.

Gizmodo - Here's The Box That Can Turn a Puny Laptop Into a Graphical Powerhouse -
What you see in these pictures is a hub that uses Intel’s Thunderbolt 3, a supercharged version of USB-C with double the bandwidth. What does that actually mean in practice? It’s fast enough that you can actually augment the power of a relatively weak laptop with an external graphics card... yes, while still charging the laptop... driving two 4K monitors... and powering your USB devices all at the same time. Here’s what that looks like:


Computer World - Oracle yanks blog post critical of security vendors, customers -

Oracle published, then quickly deleted, a blog post criticizing third-party security consultants and the enterprise customers who use them.

Authored by Oracle chief security officer Mary Ann Davidson, the post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software, with the aim of finding as of yet unfixed security vulnerabilities. 
...
Not surprisingly, many security firms were not happy with the blog post.

"Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security," wrote Chris Wysopal, Veracode chief technology officer and chief information security officer, in an e-mail statement. 
Way to go Oracle.  Maybe for your next trick you could massively screw up a major government website launch.  Oops, did that.  OK, maybe you can roast and eat young orphans, or have you done that too?

The Hacker News - Script Kiddies can Now Create their Own Ransomware using This Kit -

The Ransomware dubbed Hidden Tear, uses AES Encryption to lock down files before displaying a ransom message warning to get users to pay up.
The currently undetectable version of ransomware can be modified and implemented accordingly, as it contains every feature a cybercriminal can expect from modern malware.


The State of Security - IE Under Attack! Microsoft Releases Emergency Out-of-Band Patch -
If Microsoft calls a vulnerability “critical,” warns that it affects all versions of Windows, and is prepared to issue a patch outside of its normal Patch Tuesday monthly schedule, you should sit up and listen.
Today, Microsoft has issued an advisory about a zero-day vulnerability, dubbed CVE-2015-2502, that could allow an attacker to hijack control of your computer via Internet Explorer – just by you visiting a boobytrapped webpage.
Just kill IE on your machine now.

Tuesday, August 18, 2015

What I am reading 8/18/2015

WaPo - Major publisher retracts 64 scientific papers in fake peer review outbreak -
In the latest episode of the fake peer review phenomenon, one of the world’s largest academic publishers, Springer, has retracted 64 articles from 10 of its journals after discovering that their reviews were linked to fake e-mail addresses. The announcement comes nine months after 43 studies were retracted by BioMed Central (one of Springer’s imprints) for the same reason.
Douchebags.  That's really all I can say.

NY Times - Two Female Soldiers Poised to Graduate From Ranger School -
Two female soldiers will graduate this week from Ranger School in Fort Benning, Ga., the first women to have made it through the Army’s premier leadership course and one of the most challenging and exhausting training programs in the military, Army officials said on Monday.
Congratulations, sincerely, but I'm not sure this really settles anything about the women in combat / women in infantry debate.  There are always people who will excel no matter what that are not reflective of the general population.  I think a far better test would have been training a large number of female infantry soldiers and comparing their progress to males over 3-5 years.  (For the record - I support allowing women to serve in any role they can physically qualify for as long as it doesn't affect unit cohesion / mission readiness.  I admit that is a slippery standard and I don't know how to enforce it fairly, but that exception has to exist in order to allow the military to fulfill its primary mission.)

Boing Boing - Soda Pop Soldier, a novel of what is far too likely to come, by Nick Cole -
Nick Cole's Wasteland saga is amazing. When I realized his Soda Pop Soldier was a take on one of my favorite odd advertising campaigns, the Cola Wars, I had to read it. 
I have had this book sitting around for over a year.  I have tried a number of times to read it and have never gotten past the third page.  Maybe it's time to try again.

Slashdot - Debate Over Amazon Working Conditions Goes Back Years -
This weekend, The New York Times published a lengthy report about working conditions for white-collar workers at Amazon. Describing the e-commerce giant as a "bruising workplace," the report paints a picture of a Darwinian environment. But criticism of Amazon's working conditions actually goes back years. In The Everything Store, a book-length account of Amazon by Bloomberg BusinessWeek reporter Brad Stone, the Amazon of yesteryear is indeed described as an aggressive place in which Bezos pushed employees relentlessly. So is Amazon a terrible place to work? 
In the comments about the article people point out that Amazon execs are writing in to say that they have never been asked to work on a weekend etc.  I believe they are referring to this piece.  Not my experience.  I worked at Amazon as a contractor a few years ago.  I was only there for a couple months (my choice: I told them when I took the position that I had another job lined up but was waiting for the security review to complete), but I saw enough while I was there to say that there is probably some truth to both sides of the debate.

Sunday, August 16, 2015

On the @AoSHQ morning book thread

Every week at Ace of Spades there is a Sunday Morning Book Thread.  This week they were discussing IO9's list of 10 Books You Pretend to Have Read (And Why You Should Really Read Them).  Being a loudmouth idiot with time on my hands I was going to comment, but once again the comments on the world's shittiest blogging platform are broken.  Seriously someone please migrate Ace to a stable platform and then have Pixy Mesa gang raped to death by a pack of rabid zombie wolverines for having foisted this shitty shitty platform upon the world.

Anyway after all that here is the comment I was going to post:

Book List - I have read 5 of the 10.  2 of my favorite books are in that list, Cryptonomicon and 1984.  The thing about Stephenson is there is a lot of very pro-American sentiment buried in his books (especially Reamde) - there is an exchange in Cryptonomicon about the Children of Athena vs. Children of Ares that sums it up pretty well, but unfortunately does not work well out of the context of the book.  R.S. McCain says it better:
One of the things I like about his writing is that for somebody who grew up in academia (admittedly, the engineering and science side) Stephenson exchanged his disdain for middle-class working folks for serious respect, and you can see this very clearly if you compare the “meshbacks” in Snow Crash to the Forthrasts in Reamde. It’s not something you see a lot of in mainstream fiction these days, and it deserves kudos.
Kind of sums it up.
Also Stephenson wrote what I think is one of the funniest books ever - The Big U.  It has everything.  Giant Rats, D & D, Commie Spies, Hot Gun Toting Lesbians, A cult worshiping a flashing neon sign and a thinly veiled contempt for the forced conformity of higher education.
Anyway enough on Stephenson, one of the other commenters mentioned Ghost Fleet.  I agree it was a pretty good but not great book - very early Clancyesque.  The author is a futurist so they took current technology, combined it with stuff they knew people are working on, laid that over the top of the current political situation in the US and China and wrote a novel.

Saturday, August 15, 2015

The DEFCON movie list

Far from exhaustive, this is a short list of films that have some hackish content and function as a fun starting point for exploring hacker cinema. Some of them are fun, some of them are meatier fare - the common link is the highlighting of the hacker mindset. If you have others you want to suggest, let us know. We'll keep the list growing.
  • Hackers - seen
  • Sneakers - seen
  • WarGames - seen
  • Trackdown / Takedown - seen
  • Colossus - The Forbin Project - seen
  • Hardware - seen
  • The Signal
  • Ghost in the Shell
  • Three Days of the Condor - seen
  • The Conversation
  • Enemy of the State - seen
source

Friday, August 14, 2015

Cybersecurity for dummies, sorry I mean Presidential candidates - What I am reading 8/14/2015

Wired - Let’s School the Presidential Hopefuls on Cybersecurity -

In the build up to the 2016 US election, both Democratic and Republican presidential hopefuls are talking about cybersecurity—and specifically state-sponsored hacks. Cybersecurity is the hot-button national security issue on the campaign trail. 
...
As these discussions heat up, it’s more important than ever that mainstream politicians actually understand what they’re talking about. Here is a quick primer on what anyone running in the US Presidency race really should know when it comes to cybersecurity...
Infosec Institute - How to Fix the Top Five Cyber Security Vulnerabilities -

Data breaches like the one affecting the Federal Office of Personnel Management (OPM) and the numerous cyber-attacks targeting US infrastructure and government offices raise the discussion of the potential catastrophic damage caused by the exploitation of cyber security vulnerabilities.
Let’s examine in detail the top five cyber security vulnerabilities that we have identified to provide a few suggestions to mitigate the risk for a cyber-attack.
This is a follow-up to a previous article identifying what the author considers the top 5 security vulnerabilities.  While some of the solutions are out of the reach of the average user number 5 definitely contains some hints on securing your system - essentially keep your software updated, and change default settings. 

Cisco - A Global Cybergovernance Framework: The Real Infrastructure Needed to Support a More Secure Internet -

As part of a broader “Cybersecurity Call to Action” outlined in the Cisco 2015 Midyear Security Report, Cisco has called for the development of a cohesive, multi-stakeholder, global cybergovernance framework. Investing in the development of such a framework is essential to supporting innovation and economic growth in business on the global stage.
While there has been an increasing awareness that managing cyber risks is essential to the operation of any networked system, current mechanisms are not effective to protect businesses from cyberattacks. The lack of effective global cybergovernance can prevent collaboration in the security industry, which is needed to create adaptive technologies that can detect and prevent new threats.
Yeah, no!  This is a horrible idea, in any global governance scheme things always devolve down to the worst possible solution so basically we would all end up with China or Saudi Arabia, or Iran's rules for internet access or use.  No thanks.

Medium - What Strippers Can Teach Uber -
Liss-Riordan argues that, actually, the on-demand companies aren’t disrupting much at all: In fact, they’re just copying the behavior of other industries — ones that she has continually sued over this very issue, and beat time and time again. Including strip clubs.
Interesting read.  I don't have anything against an on demand economy - I do have a great deal against the way companies like Uber operate.  If the contractors are actually contractors then treat them that way, if they are employees then abide by the employment laws and regulations.

Thursday, August 13, 2015

Obama's Summer Reading List

"All That Is," James Salter
"All The Light We Cannot See," Anthony Doerr
"The Sixth Extinction," Elizabeth Kolbert
"The Lowland," Jhumpa Lahiri
"Between the World and Me," Ta-Nehisi Coates
"Washington: A Life," Ron Chernow
None of them look particularly odious; I expected "Marxism for Dummies" and "Death to America" so I am pleasantly surprised.

Cisco Warns of Malicious Firmware Circulating in the Wild - What I am reading 8/13/2015

Ars Technica - Attackers are hijacking critical networking gear from Cisco, company warns -

Cisco Systems officials are warning customers of a series of attacks that completely hijack critical networking gear by swapping out the valid ROMMON firmware image with one that's been maliciously altered.
The attackers use valid administrator credentials, an indication the attacks are being carried out either by insiders or people who have otherwise managed to get hold of the highly sensitive passwords required to update and make changes to the Cisco hardware. Short for ROM Monitor, ROMMON is the means for booting Cisco's IOS operating system. Administrators use it to perform a variety of configuration tasks, including recovering lost passwords, downloading software, or in some cases running the router itself. In an advisory published Wednesday company officials wrote:

This appears to be an insider attack, but it is reminiscent of one of the early Snowden revelations regarding the installation of beacon implants on Cisco routers.  At the time I scoffed at this because, as described, it would have required access to Cisco's firmware in order to properly modify it and get a valid MD5 hash, but apparently no one actually checks MD5 checksums.

Sorry that's all I had time for today.

Monday, August 10, 2015

The scientific method - when the data doesn't fit change the data - What I am reading 8/10/2015

Wired - Here’s What Disaster Preppers Pack to Survive for 72 Hours -

Sam seems to have the right idea; otherwise most of these preppers seem to be of the kill-my-neighbor-and-live-off-their-supplies school of disaster preparedness.

Register - 'Sunspots drive climate change' theory is result of ancient error -

The adoption of the new Sunspot Number doesn't change our understanding of the Maunder Minimum, the low sunspot activity period between 1645 and 1715 that coincided with the “Little Ice Age”.
However, the recalibration does overturn a previous consensus that the data set showed a 300-year upward trend in sunspot activity, culminating in a “grand maximum” in the 20th century.
As Physicsworld says, the dataset “nullifies the claim that there has been a modern grand maximum”.


OK, look, I believe the data was probably badly calibrated or whatever, but this really does look like an example of changing data to fit a theory.  Lots of people are going to be calling BS on this.

Network Computing - Network Change Management Best Practices -

Suggestions include:

  • Don't Blindly Follow Orders
  • ?
  • Peer Review
  • ?
  • ?
  • Keep backups
  • ?
I guess my method of just blindly applying patches whenever and wherever isn't the way to go :-(
Burns clearly has her work cut out for her. Results of an information security audit presented to lawmakers Wednesday laid out thousands of security vulnerabilities in Interior’s public websites.
The White House in 2004 first mandated all federal system logins require the use of both a password and a smart card, a process known as two-factor authentication.  
"That's an important control that's needed. We were already working on it," Burns told members of the House Oversight and Government Reform Committee on Wednesday. "We were making slow progress. When the incident happened, it just created a different lens on looking at the need, and I think it made it crystal clear to everybody why it was so critical that we achieve two-factor authentication."
I am not a fan of the PIV cards but 2 factor authentication is plainly overdue.

Friday, August 07, 2015

Did Ted Rall Lie? Firefox Security Hole Being Actively Exploited - What I am reading 8/7/2015

Boing Boing - The LA Times fired a journalist after cops told them he lied—but did they investigate? -
Ted Rall, a journalist and cartoonist often critical of police misconduct, was fired by the LA Times after the LAPD claimed he lied about a 2001 encounter with an officer. But an audio recording of the event appears to back up Rall's version of events, leaving everyone to wonder why the Times was so eager to cut him loose.
In the past I have found Boing Boing less than honest in these types of stories so I am erring on the side of yes Rall lied and Boing Boing is exaggerating again but it would be interesting to hear the tape.

Dark Reading - Out of Aspen: State of Critical Infrastructure Cybersecurity, 2015 -

The annual Aspen Security Forum takes place this week in Aspen, CO. This two-day line-up of national security panels and 1:1 discussions presents a great forum to gauge the state of critical infrastructure cybersecurity. In cooperation with the Aspen Institute, Intel Security surveyed security professionals in energy production, financial services, transportation, telecommunications, and many government functions to determine what progress has been made, and what areas require greater attention.
Our survey results revealed the good, the bad, and the potentially worse of critical infrastructure protection:
·       The good news: no catastrophic loss of life and an improved confidence in critical infrastructure cyber security postures
·       The bad news: cyber-attacks are real, increasing, and capable of real, substantive damage to our critical infrastructure
·       The potentially ugly: attacks are likely to become fatal and could escalate from the digital to physical realms.

I am somewhat involved in this type of effort at work.  It is nowhere near as easy to secure a lot of these devices as people think.  The fact that the effort is starting to show some results is good news.  Also time to once again link the SANS 20 Critical Security Controls.   The bad news is that the effort is failing everywhere that it's mainly a human factors thing (Yes I am looking at you OPM)

Wired - In GOP Debate, Cyber Security Is The New National Security -
While Paul stood his ground as a diehard opponent of government collection of public records, Christie said his experience as US Attorney of New Jersey in the aftermath of September 11th convinced him of the importance of surveillance. As president, Christie said he would push to provide even more tools to these agencies.
Rand Paul is an idiot, but given the choice between his approach and what Christie and Fiorina appear to be saying (no restrictions whatsoever on collection activities) I would prefer Paul's approach, though I don't think this is a binary problem.

Here is my approach - Collect the metadata.  Hash / encrypt it so it is not human readable, but can still be used to build social networking maps for the purpose of identifying informal or hidden networks.  When a person of interest is identified, get a warrant and unhash the metadata for that number / email address.  If that person is then revealed to be associated with a potential terror network, unhash the data for the rest of the network.
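One way to build the pseudonymized data set this paragraph describes, as an editor-added example rather than anything the post or any agency implements: identifiers are replaced by keyed HMAC pseudonyms, the contact graph is built over pseudonyms only, and because an HMAC cannot be reversed, the "unhash" step is a lookup in a separately held re-identification table that is only consulted with authorization. The phone numbers, the records, the `PseudonymVault` class and the `authorized` flag (standing in for a checked warrant) are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample metadata: (caller, callee) pairs using hypothetical numbers.
RECORDS = [
    ("555-0100", "555-0101"),
    ("555-0100", "555-0102"),
    ("555-0101", "555-0103"),
    ("555-0200", "555-0201"),
]


class PseudonymVault:
    """Keyed pseudonymization plus an escrowed re-identification table.

    Analysts only ever see HMAC tags. The escrow table that maps a tag back to
    the real identifier is held separately and consulted only by reveal().
    """

    def __init__(self, key: bytes):
        self._key = key          # secret key; without it tags cannot be recomputed
        self._escrow = {}        # tag -> real identifier, kept away from analysts

    def pseudonymize(self, identifier: str) -> str:
        # Same key + same identifier always yields the same tag, so records can
        # be joined on the tag without exposing the identifier itself.
        tag = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()
        self._escrow[tag] = identifier
        return tag

    def reveal(self, tag: str, authorized: bool) -> str:
        # 'authorized' is a stand-in for a verified warrant; a real system would
        # check a signed authorization and log every reveal.
        if not authorized:
            raise PermissionError("re-identification requires authorization")
        return self._escrow[tag]


def reveal_allowed(vault: PseudonymVault, tag: str, authorized: bool) -> bool:
    """True if the vault releases the identifier, False if it refuses."""
    try:
        vault.reveal(tag, authorized)
        return True
    except PermissionError:
        return False


def build_graph(records, vault: PseudonymVault) -> dict:
    """Undirected contact graph whose nodes are pseudonyms, never raw identifiers."""
    graph = defaultdict(set)
    for a, b in records:
        pa, pb = vault.pseudonymize(a), vault.pseudonymize(b)
        graph[pa].add(pb)
        graph[pb].add(pa)
    return graph


def component(graph: dict, start: str) -> set:
    """All pseudonyms reachable from start: the network around one person of interest."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph[node] - seen)
    return seen


if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))
    graph = build_graph(RECORDS, vault)
    poi = vault.pseudonymize("555-0100")
    print("contacts of person of interest:", len(graph[poi]))
    print("size of surrounding network:  ", len(component(graph, poi)))
    print("reveal without warrant allowed:", reveal_allowed(vault, poi, authorized=False))
    print("revealed with warrant:         ", vault.reveal(poi, authorized=True))
```

The design point is that the analysis side and the re-identification side hold different secrets: the graph store needs neither the key nor the escrow table, so a leak of the graph alone exposes structure but no identities.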

Valleywag - Here Are the Internal Documents that Prove Uber Is a Money Loser -

Is anyone really surprised?

The Verge - Joint chiefs' network outage linked to 'sophisticated cyberattack' -
For the past two weeks, the unclassified email system serving the Joint Chiefs of Staff has been down — and a report today from NBC News suggests there may be more to the outage than meets the eye. NBC says the downtime is the result of a "sophisticated cyberattack" from Russian attackers, citing US officials. Officials said it's still unclear whether the attack is linked to the government or individuals residing in Russia. The email system is expected to come back online this week.
This is why the classified and unclassified systems are airgapped; although, as Manning and Snowden proved, those gaps may get jumped, it's a hell of a lot harder to get to the sensitive stuff.

Gizmodo - There's a Firefox Exploit in the Wild—You Should Update Right Now -

Mozilla has published a blog post explaining that a Firefox exploit is running in the wild that can search for and upload files from your computer—but you can install and update to solve the problem right now.
Malicious javascript injection.  I am not sure if noscript would offer any sort of protection.

Hitb Security News - Microsoft delivers first cumulative Windows 10 update -

I just checked and my system has downloaded it, and the system is smart enough to schedule the restart when usage patterns indicate I won't be on the computer.

InfoSec Island - The Technical Limitations of Lloyd’s Cyber Report on the Insurance Implications of Cyberattack on the US Grid -
The recent Lloyd’s report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. There have already been more than 250 control system cyber incidents in the electric industry including 5 major cyber-related electric outages in the US. There have been numerous studies on the economic impact of various outage durations, but they have not addressed issues associated with malicious causes. Consequently, there is a need to address the missing “malicious” aspects of grid outages. Unfortunately, I believe the technical aspects of the hypothesized attack in the Lloyd’s study are too flawed to be used.
The author of the article raises some possibly valid points about there not being enough detail to determine potential scope etc., but I don't think he really justifies his conclusion that this is a high impact, high likelihood event.  He may be right (hopefully not) but all he does is make an assertion with no real data to back it up.

Network Computing - Terracotta VPN Piggybacks On Network Of Compromised Windows Servers -
A Chinese-language Virtual Private Network service provider offers attack groups a robust network of compromised servers which can be used to launch attacks while obscuring their origins, researchers from RSA Security found.
Terracotta is a commercial VPN service provider with over 1,500 nodes around the world, RSA researchers said in a report released Tuesday. What sets Terracotta apart from other VPN services is that many of its servers are actually Windows systems in small businesses and other organizations with limited IT staff which have been compromised and commandeered into the network.
So they are stealing their infrastructure and providing a haven for APT hackers.  Nice.

Thursday, August 06, 2015

The Music of Kurulounge

Compiled for your listening pleasure (almost) all the music I have posted here over the years.  Some stuff is missing because Youtube took down the videos and I couldn't remember what it was.  Some stuff is duplicated because I was showing different versions of the same song.

Saliva – Survival of the Sickest
Britney Spears – Do Something
Jessica Simpson – These Boots Are Made For Walking
Max Graham – Owner of a Lonely Heart
Dave Brubeck – Take Five
Benny Goodman – Sing Sing Sing
Y&T – Summertime Girls
Van Halen – Panama
Billy Idol - Cradle of Love
Billy Idol – Mony Mony
Shampoo – Delicious
Shampoo – Trouble
Nirvana – Heart Shaped Box
Chemical Brothers – Block Rockin Beats
Haddaway – Life
Haddaway – What is Love
Bond – Victory
Bond – Explosive
John Mellencamp – Get a Leg Up
? – Call on Me
Benny Benassi – Satisfaction
Body Rockers – I Like the Way You Move
Green Day – Holiday
Kenny Chesney – Anything But Mine
Dierks Bentley – What Was I Thinking
Fiona Apple – Criminal
Ewa Sonnet - Nie zatrzymasz mnie
Kelly Clarkson – Walk Away
Buckcherry – All Lit Up Again
Guns N Roses – Welcome to the Jungle
The Zombies – Time of the Season
OK GO – Here It Goes Again
Ewa Sonnet – RNB
Slaughter – Up All Night
XYZ – Face Down in the Gutter
Christina Aguilera – Candyman
Amy Irving – Why Don’t You Do Right
Peggy Lee – Why Don’t You Do Right
Sinéad O’Connor – Why Don’t You Do Right
Wall of VooDoo – Mexican Radio  (check out Kinky – Mexican radio)
Cowboy Mouth – Jenny Says
Toby Keith – Honkytonk U
Trace Adkins – Chrome
She Wants Revenge – Tear You Apart
Mint Royale – Blue Song
TeddyBears Stockholm – Cobrastyle
Thievery Corporation – Lebanese Blonde
Gun – Word Up
Vangelis – L’Enfant
Tim Wilson – But I Could Be Wrong
Jason Aldean – Hicktown
Jason Aldean – Johnny Cash
Smithereens – A Girl Like You
Raquel Welch – Ready to Groove
Dropkick Murphys – Shipping Up To Boston
My Life With The Thrill Kill Kult – Sex on Wheelz
OMC – How Bizarre
Will Smith – Miami
Garbage – Sex Is Not The Enemy
Garbage – Cherry Lips
She Wants Revenge – These Things
Tito & Tarantula – After Dark
Ashlee Simpson – LaLa
Katy Perry – I Kissed a Girl
Theory of a Deadman – Bad Girlfriend
Motley Crue – Kickstart My Heart
Diesel – Sausalito Summernight
Steve Miller Band – Take the Money and Run
Fabulous Thunderbirds – Tuff Enuff
Fabulous Thunderbirds – Wrap it Up
Vixen – Love is a Killer
Aerosmith – Sweet Emotion
Alice Cooper – No More Mr. Nice Guy
Rachid Taha – Barra Barra
Joi Lansing – The Silencer
Joi Lansing – Web of Love
Ennio Morricone – A Fistful of Dollars
Offspring – Pretty Fly For A White Guy
Joi Lansing – The One I love Belongs to Somebody Else
Pink Floyd – Another Brick in the Wall
Concrete Blonde – Everybody Knows
Nina Simone – Sinnerman
Yearso Kele – Lao
Broken Bells – The Ghost Inside
Ariel – Wipe the Raid
Noorkuu – Smells Like Teen Spirit
Tone Loc + Peaches – Wild Thing
The Nymphs – Enter Sandman
FRED – Cocaine
Anna Semenovich – Ne Madonna
Anna Semenovich - Боже мой
Willis – This is the Night
Willis – Word Up
Will.i.am + Britney Spears – Scream & Shout
Flo-rida – Good Feeling
Ewa Sonnet - Nie zatrzymasz mnie
Tata Young – Sexy, Naughty, Bitchy
Lana Del Rey vs. Cedric Gervais – Summertime Sadness Remix
DotEXE – Inside Out
Johnny Cash – The Man Comes Around
Shirley Manson – Samson and Delilah
Calvin Harris – Summer
The Bangles – Manic Monday
The Bangles – Hazy Shade of Winter
White Stripes – Icky Thump
R.E.M. – It’s the End of the World
Boom! Zap! Pow! – Suit
Liam Clancy – Band Played Waltzing Matilda
The Pretty Reckless – Heaven Knows
The Pretty Reckless – Fucked Up World
Tommy James – Draggin the Line
Vanity – 7th Heaven
Vanity 6 – Nasty Girl
? – Cruel Summer (Explicit Rap Remix)
Ace of Base – Cruel Summer
Avicii vs. Ace of Base – Cruel Summer
Little Mix – Word Up
Natalia Kills – Problem
Neon Hitch – Fuck You Betta (DJ Chuckie Remix)
Anna Semenovich – Tyrolean Song
Skylar Grey – C’mon Let Me Ride
Black Keys – Lonely Boy
Charlie Cooper – Lonely Boy (Soul Cover)
Britney Spears & Iggy Azalea – Pretty Girls
Kaleida – Think
ZZ Top – Gimme All Your Lovin
ZZ Top – Sharp Dressed Man
ZZ Top – Legs

Wednesday, August 05, 2015

VMWare Install Configure etc. etc. - also Dungeons and Dragons gets a film franchise

I have been thinking about getting my VMware Certified Professional Certification for a while now, but haven't really done anything about it because frankly it is a giant pain in the butt.  Unlike most certs the good people at VMware require that you go through an approved training course before you can take the exam.

Finding a course can be problematic...

AND, if you do find a course it can be expensive as hell.  

Fortunately I stumbled across a link to the Continuing Ed course at Stanly Community College in North Carolina.  It's an approved VMware academy, it's a distance learning course, and it is affordable at $185.00 plus a $46.00 book.  Pretty reasonable.  The only drawback is there is a waiting list.  Fortunately I put my name on the list back in April and got accepted for the August season.  So that will be going on for a while.

Other stuff


So you finally installed Windows 10 and joined the ranks of the other 67 million users. You open your browser to search for a place to grab lunch, and Bing already knows your location. You notice that all the banner ads are geared toward your secret knitting hobby. And when you open Cortana to ask what’s going on, she knows your name and the embarrassing nickname your mother calls you.
This may seem like a stretch, but you’d be surprised by the amount of personal information Windows 10 collects from its users.

Warner Bros. and toy maker Hasbro’s Allspark Pictures said Monday that they are working with Sweetpea Entertainment Inc. to create a franchise based on the fantasy game. The first movie in the prospective franchise doesn’t have a director yet, but a script, written by David Leslie Johnson (“The Conjuring 2″), is already in place.
Bring Back Thora Birch!!!
Cyber criminals are targeting Yahoo's advertising networks in an orchestrated malware campaign putting millions of people at risk.
Security firm Malwarebytes, which discovered the campaign, reported that hackers used the sophisticated Angler exploit to infect victims through the Yahoo suite of websites.
And by hackers we of course mean Marissa Mayer, as she attempts to extend her evil dominion throughout the cyber realms (just kidding - don't sue, I actually love Marissa Mayer even though she doesn't follow me on Twitter, Facebook, or Google+).

Tuesday, August 04, 2015

Aspiring Supervillain? Here's how to destroy the world - What I am reading 8/4/2015

Seclists.org - Hacking Critical Infrastructure: A How-To Guide -

Cyber-aided physical attacks on power plants and the like are a growing concern. A pair of experts is set to reveal how to pull them off — and how to defend against them.
...
Scheduled to speak at the Las Vegas conferences are Jason Larsen, a principal security consultant with the firm IOActive, and Marina Krotofil, a security consultant at the European Network for Cyber Security. Larsen and Krotofil didn’t necessarily hack power plants to prove the exploits work; instead Krotofil has developed a model that can be used to simulate power plant attacks. It’s so credible that NIST uses it to find weakness in systems.
source

Ah, good, my plans for world domination can begin.

Infosec Institute - Cybersecurity Policy and Threat Assessment for the Energy Sector -

New cyber vulnerabilities in the energy infrastructure are discovered on a weekly basis which results in a vicious cycle where there is a constant struggle to patch up the newly emerging holes in the protective cloak.
The energy sector is up against two major cyber threats:
1) Vulnerabilities in the IT system employed for business and administrative purposes.
2) The operational technology (OT), that is, SCADA systems, specific software and other control technologies that are embedded into and operate power plants, transmission and distribution grids and pipelines.

This article kind of makes it seem like the energy sector is clueless, but I can tell you for a fact that these issues get considered every day.  People are aware and working to rectify these problems, but it is a massive task and one that can't be accomplished overnight.

SANS - Clearer, More Stringent Cybersecurity Rules for Government Contractors (July 30, 2015) -

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment.
-http://thehill.com/policy/cybersecurity/249752-white-house-wants-consistent-cyber-rules-for-contractors
-https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-18747.pdf

[Editor's Note (Pescatore): Many government RFPs, and probably most of the large ones, include FISMA requirements. The issue is not the requirements; it is the lack of assessing whether the contractor actually meets the requirements - same as the problem at Government agencies. The White House should look at the FedRAMP program, which has a consistent, well-thought-out way of defining, and more importantly assessing, the security of cloud service providers who want to do business with the Federal Government. ]

Network Computing - Networking Career: How To Make It To The Big League -
we recently found ourselves with a core networking position open, we put out the typical networking engineer job ad and started working through the screening and interview processes as applications came in. The person we ended up hiring was a bit surprising as his resume wasn’t the strongest. He also came from a small environment where he was a one-man soup-to-nuts IT shop unto himself, with a wide skillset that wasn’t all that deep. So how did our new guy land a network job that arguably was too big for him at the time of hiring?
Some good general purpose advice in the article.

Monday, August 03, 2015

Want a new life? Have $20.00? - What I'm reading 8/3/2015

HVD: The biggest foe is generally risk aversion. People in government are trained to not do things differently because there’s often really bad consequences when you try something differently and it fails. We run up against this all the time.
MD: I wish there were bad guys with top hats and handlebar mustaches because if there was some super villain behind a humongously dysfunctional project, all we would have to do is identify that person and take them out and everything would get better. That’s not the problem. The problem is just all of the things that inevitably happen when you try to coordinate 60,000 people in the VA to do the same thing at the same time. Even when somebody looks like they’re being a big pain, it’s just a function of their position in the bureaucracy and their role. Their interest is almost always wanting the same thing that we want, which is that they want the veterans to get a better experience, they want the disability claims to be adjudicated faster, but to them that doesn’t mean the same thing necessarily that it means to the person next to them.
Good luck to them, from what I have seen of Federal IT systems they will need it. 

(Interesting point made in the article btw, according to the interviewee the original Healthcare.gov cost $200,000,000 to develop and would have cost $70,000,000 per year to maintain.  The fixed site is $4,000,000 and $4,000,000.)

The Verge - Star Trek's original Uhura is going on a NASA mission -

Nichelle Nichols, aka the original Uhura from Star Trek, is going on a NASA mission. First mentioned in a Reddit AMA and then clarified in a post on Starpower, Uhura will be "among the first non-essential personnel to experience NASA's newest telescope: SOFIA."
It isn't, however, a mission into space: SOFIA ("Stratospheric Observatory For Infrared Astronomy") is built into a Boeing 747, which will take off from NASA's Armstrong Flight Research Center in California on September 15th.

Quartz - Here’s what your stolen identity goes for on the internet’s black market -

The going rate for a stolen identity is about twenty bucks.
Tens of millions of people have lost their private information in data breaches over the past few years. But what happens after that—how the data are leveraged for financial gain—remains murky. Many of those stolen records end up for sale on the anonymous, seedy area of the internet commonly known as the dark web.

So my question is how easy is it to turn that information into papers?  If I want to disappear with a new name and SSN, how hard is it to buy an ID and make the switch?  Kevin Mitnick outlines how he did it in Ghost in the Wires but I am not sure that information is what could be called reliable.

Quartz - Oil prices are falling again. Here’s why -

The article outlines 3 reasons - 1) Softness in the China Market, 2) After shutting down wells in response to Saudi Arabia flooding the market American producers are turning them back on again, 3) People are anticipating Iran's full-fledged return to the world oil market.

Slashdot - Microsoft Creates a Quantum Computer-Proof Version of TLS Encryption Protocol -

ZDNet - Federal Court's data breach decision shows new tilt toward victims, class-action lawsuits -

Last week, the U.S. Court of Appeals for the Seventh Circuit began to question the depth of on-going harm to victims by overturning a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach. The Court said victims had "standing," a right to file a lawsuit in federal court, over concerns of on-going problems.
...
Both the Seventh Circuit and the Ninth Circuit have begun to take a second look at the legal impact a breach has on victims - specifically in the long term. Both courts have recently concluded that victims do have a legal right to file a lawsuit (standing) over the long-term consequences of a breach.

I have said (as have many others) for a long time that the only way to start staunching these data breaches is to hold the companies liable.  Until they are hit in the pocket book there is no incentive to fix problems.