A famed hacker is grading thousands of programs — and may revolutionize software in the process
By Kim Zetter
Jul 29 2016
At the Black Hat cybersecurity conference in 2014, industry luminary Dan Geer, fed up with the prevalence of vulnerabilities in digital code, made a modest proposal: Software companies should either make their products open source so buyers can see what they’re getting and tweak what they don’t like, or suffer the consequences if their software failed. He likened it to the ancient Code of Hammurabi, which says that if a builder poorly constructs a house and the house collapses and kills its owner, the builder should be put to death.
No one is suggesting putting sloppy programmers to death, but holding software companies liable for defective programs, and nullifying licensing clauses that have effectively disclaimed such liability, may make sense, given the increasing prevalence of online breaches.
The only problem with Geer’s scheme is that no formal metrics existed in 2014 for assessing the security of software or distinguishing between code that is merely bad and code that is negligently bad. Now, that may change, thanks to a new venture from another cybersecurity legend, Peiter Zatko, known more commonly by his hacker handle “Mudge.”
Mudge and his wife, Sarah, a former NSA mathematician, have developed a first-of-its-kind method for testing and scoring the security of software — a method inspired partly by Underwriters Laboratories, that century-old entity responsible for the familiar circled UL seal that tells you your toaster and hair dryer have been tested for safety and won’t burst into flames.
Called the Cyber Independent Testing Lab, the Zatkos’ operation won’t tell you if your software is literally incendiary, but it will give you a way to comparison-shop browsers, applications, and antivirus products according to how hardened they are against attack. It may also push software makers to improve their code to avoid a low score and remain competitive.
“There are applications out there that really do demonstrate good [security] hygiene … and the vast majority are somewhere else on the continuum from moderate to atrocious,” Peiter Zatko says. “But the nice thing is that now you can actually see where the software package lives on that continuum.”
Joshua Corman, founder of I Am the Cavalry, a group aimed at improving the security of software in critical devices like cars and medical devices, and head of the Cyber Statecraft Initiative for the Atlantic Council, says the public is in sore need of data that can help people assess the security of software products.
“Markets do well when an informed buyer can make an informed risk decision, and right now there is incredibly scant transparency in the buyer’s realm,” he says.
Corman cautions, however, that the Zatkos’ system is not comprehensive, and although it will provide one indicator of security risk, it’s not a conclusive indicator. He also says vendors are going to hate it.
“I have scars to show how much the software industry resists scrutiny,” he says.
[Note: This item comes from friend Jen Snow. The article is from 2015. Be sure to watch the nine-minute video to the end; it's well worth your time. DLH]
Sci-Fi Short Film ‘Uncanny Valley’ Paints a Dark Future for Virtual Reality
By SVETA MCSHANE
Dec 24 2015
What’s the worst possible outcome of virtual reality technology going mainstream?
A generation of burnt-out, washed-up VR junkies losing touch with reality and surviving only to sustain their virtual existence.
That reality is where the haunting sci-fi short film, Uncanny Valley, begins. Written and directed by Argentine filmmaker Federico Heller, the short is already slated to be developed into a feature film.
We are introduced to several men who are squatting in a decaying building. In documentary style, these characters tell us about their lives and addiction to VR. One tells us he’s online for 17 hours a day, averaging “100 kills” a day in the immersive first-person shooter game that has become his life.
Another admits, “I haven’t left this house in quite a few years.”
These VR junkies depend on food printers for their sustenance and never have to leave their dwelling. They enter the virtual world via a thumb-sized device that attaches between the nostrils.
These are the outcasts of society. They find great solace in the virtual world where, by their own admission, they can feel free to express their anger in a way that’s not dangerous. In VR, they are free to do things that would get them locked up in the real world.
In a moment of ironic foreshadowing, one tells us, “I don’t feel comfortable around people, I don’t really know what I should say or do. Game play is just simpler. There’s no people. Just targets.”
The film tackles two frightening ideas: the consequences of addiction to immersive gameplay, and the even more frightening notion that the game is not merely a game.
It’s doubtful that we will end up with a generation of junkies addicted to VR, as portrayed in Uncanny Valley. It’s more likely that VR will unleash greater opportunity for creativity and collaboration than this film’s version of the future. However, we know that this kind of addiction is very real, and we have yet to understand how significant time spent in immersive virtual environments could affect children as well as adults.
Still, in another way, it’s possible we’re already living in a version of this frightening future.
It’s no secret warfare is becoming more and more automated. Drones are just one example of technology that can be controlled remotely to survey and kill. A few years ago, the Atlantic published “Playing War: How the Military Uses Video Games,” a piece that chronicles the history of the military’s connection with the video game industry.
[Note: This item comes from friend Jen Snow. Jen’s comment: ‘This is getting scary. Pitting two nuclear nations against each other in cyberspace, not good.’ DLH]
Russia cyber attack: Large hack ‘hits government’
A “professional” cyber attack has hit Russian government bodies, the country’s intelligence service says.
Jul 30 2016
A “cyber-spying virus” was found in the networks of about 20 organisations, the Federal Security Service (FSB) said.
The report comes as Russia stands accused over data breaches involving the Democratic Party in the US.
The Russian government has denied involvement and has denounced the “poisonous anti-Russian” rhetoric coming out of Washington.
The FSB did not say who it believed was responsible for hacking Russian networks, but said the latest hack resembled “much-spoken-about” cyber-spying, without elaborating.
It said the hack had been “planned and made professionally”, and targeted state organisations, scientific and defence companies, as well as “country’s critically important infrastructures”.
The malware allowed those responsible to switch on cameras and microphones within the computer, take screenshots and track what was being typed by monitoring keyboard strokes, the FSB said.
In the US, the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee have both suffered hacks in recent weeks.
Emails from the DNC were later distributed by the Wikileaks organisation, and showed party officials had been biased against Bernie Sanders in his primary race against Hillary Clinton.
US officials believe the cyber attacks were committed by Russian agents.
The Kremlin has repeatedly denied being responsible, and Mrs Clinton’s presidential rival Donald Trump said he had no ties to Russia.
Billion-year-old air reveals surprise about oxygen on ancient Earth
Oxygen levels much higher than expected, with implications for origin of complex life
By Emily Chung, CBC News
Jul 28 2016
Canadian scientists have found a way to analyze air from the ancient Earth’s atmosphere that was trapped in salt crystals nearly a billion years ago.
What they found may have implications for the origin of complex life.
The air, which has been preserved, undisturbed, in tiny pockets in the crystals for about 815 million years, appears to contain 10.9 per cent oxygen — just half the amount in the atmosphere today.
But it’s about five times more than scientists expected for that time period, which is about 200 million years before the first known multicellular fossils.
“I’m surprised and excited,” said Nigel Blamey, a professor of earth sciences at Brock University in St. Catharines, Ont., who co-led the study with fellow Brock geochemist Uwe Brand.
Brand says the discovery answers a key question about the evolution of complex life — did animals arise before or after the oxygen needed to support larger, more complex organisms?
“And now with our research and our result, we know there was sufficient oxygen before they arose,” he said, adding that the higher oxygen levels would have allowed animals to diversify and become more complex.
That means it may be possible to find multicellular fossils older than the oldest that are currently known.
“Now paleobiologists will have reason to go looking for rocks with original traces of these first evolutionary steps,” Brand said.
The team’s results are published in the journal Geology.
When salty water called brine evaporates from a shallow pool, it forms crystals of salt called halite — very similar to the kind we sprinkle on our food. In the process, it often traps tiny bubbles of fluid or air from the atmosphere at the time it forms.
That happened in the Officer Basin in southwestern Australia about 815 million years ago, during a geological era called the Neoproterozoic. The halite was subsequently buried and preserved under about a kilometre of sediment.
For the study, researchers removed the deeply buried samples using a drill core. While it wasn’t chemically possible to directly measure the age of the salt, the layers on either side of it contained radioactive isotopes of elements such as uranium that decay at a very specific rate. Those measurements showed that the layers on either side of the salt were 800 million and 830 million years old, suggesting the salt was in between those ages.
[Note: This comment comes from friend Steve Schear. DLH]
From: Steven Schear <email@example.com>
Subject: Re: [Dewayne-Net] Detecting When a Smartphone Has Been Compromised
Date: July 29, 2016 at 1:29:48 AM EDT
While this device may prevent the phone from disclosing its location in real time, it will not prevent the device from recording the sound in its vicinity, nor prevent it from using its motion sensors as an inertial navigation system. Later, once its wireless capability is reactivated, it can report both. It seems to me that if you are concerned enough to see your threats at this level, you need to acquire good security tradecraft and take other precautions, such as only using a mobile with a removable battery and pulling it out before you set out for a meeting, or leaving it on (so it looks like you are at your home or office) and using a “burner” phone that is never operated near your normal mobile’s locations and is discarded after each meeting.
Detecting When a Smartphone Has Been Compromised
By Bruce Schneier
Jul 27 2016
Russia now collecting encryption keys to decode information from Facebook, WhatsApp and Telegram
Russia’s Federal Security Service says it now has a method to collect encryption keys to spy on users’ data.
By Mary-Ann Russon
Jul 28 2016
Russia’s Federal Security Service (FSB) has announced it now has the capability to collect encryption keys that would give it the back door into popular internet services such as Facebook, Gmail, WhatsApp and Telegram in order to spy on users’ conversations.
In June, Russia passed a scary new surveillance law that demanded its security agencies find a way to conduct better mass surveillance, demanding that all internet firms who provide services to citizens and residents in Russia be required to provide mandatory backdoor access to encrypted communications so the Russian government can know what people are talking about.
If any of these internet companies choose not to comply, the FSB has the power to impose fines of up to 1 million rubles (£11,406). Then on 7 July, President Vladimir Putin followed up the surveillance law with a seemingly hilarious pronouncement – in addition to making sure internet firms provided backdoor access and threatening them with fines, the FSB now also had to find a way to get encryption keys that could decrypt all data on the internet, a seemingly impossible feat that the agency had to complete in two weeks.
So it is much to our surprise that two weeks later, the FSB has now updated its website declaring that it has indeed been able to procure a method to collect these encryption keys, although, cryptically, the agency isn’t saying how exactly it will be doing so.
The notice on the FSB website simply declares that in order to ensure public safety and protect against terrorism, the FSB has found a “procedure of providing the FSB with a method necessary for decoding all received, sent, delivered, and chat conversations between users on messaging networks” and that this method had been sent to the Ministry of Justice to approve and make provisions to amend federal law.
So we have no idea how the FSB will be able to gain backdoor access to internet companies without their permission, which would surely be illegal in the companies’ countries of origin, which are certainly not Russia. What is interesting is that the Daily Dot reports that the likes of Facebook, WhatsApp and Viber have not commented at all on the new law.
The Ice Bucket Challenge did not fund a breakthrough in ALS treatment
By Cory Doctorow
Jul 28 2016
Yesterday’s science-by-press-release announcement that a research team had made a “breakthrough” in treating ALS thanks to funds raised in last year’s viral ice-bucket challenge turns out to be vaporware: the gene identified was already known to be implicated in ALS, but only affects 3% of cases, and the new refinement in the research suggests some avenues for further work, but has no immediate therapeutic value.
Of course, that’s still not nothing: science generally advances through small, incremental steps, not headline-grabbing breakthroughs. There is real harm in trumpeting citizen fundraising campaigns as a source of scientific advancement, though: because of this long-term, incremental work, science requires sustained, long-term funding. As useful as the funds raised by the Ice Bucket Challenge are, they can’t replace the big, institutional, steady spending that has been under assault since the Reagan era.
Not only does this shallow, cheerleading style of reporting mislead readers as to what the research actually found, but it could also have a long-term detrimental impact on the way that research is funded in the United States.
Prasad says that headlines claiming the Challenge “worked” do a “grave disservice” by “contributing to false ideas about science and funding by the public.”
Given the widespread interest in the ice-bucket challenge, we all want, we hope, we wish those funds to lead to some improvement in outcomes for patients with this condition. But we have to avoid misleading the public that science funding leads to breakthroughs on this time frame, and for these minuscule funds. The challenge raised 125 million for the ALS organization, which is a drop in the bucket of science funding.