Friday, December 19, 2014

Movie Magic USB hacking tool really exists

Tech Crunch brings us a cool USB hacking tool here

As they describe it, the star hax0r of the movie is left alone with a computer, pulls out a necklace, plugs it into the computer, and it takes the machine over and sets up a reverse shell.

Unfortunately it only works on a Mac (how is this possible! just kidding), but other versions are coming soon.

Friday, December 12, 2014

Washington Post Article on Sony hack - also the "Don't spend $10 Million to protect $1 Million" quote IS Director


Why it’s so hard to calculate the cost of the Sony Pictures hack
The cyberattack on Sony Pictures went far beyond the typical corporate hack -- with attackers allegedly leaking huge amounts of data, including personal information about employees and internal company strategy information. The malware reportedly used in the attack also damaged the underlying systems at the company, making recovery much more difficult than other types of corporate cyberespionage.

"These attacks are pretty devastating," said Kurt Baumgartner, principal for security research at Kaspersky Lab. The investigation into the situation could run on for months, and the cleanup will likely cost millions "if not tens of millions," he said.
...
Jason Spaltro, then executive director of information security at Sony Pictures, called it a "valid business decision to accept the risk of a security breach"  in a 2007 interview with CIO Magazine, adding he would not invest "$10 million to avoid a possible $1 million loss."

http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/05/why-its-so-hard-to-calculate-the-cost-of-the-sony-pictures-hack/

OK, look at it this way:
  • 2007: Sony would not invest "$10 million to avoid a possible $1 million loss."
    • Also 2007: TJ Maxx, reported over $250 million
  • 2011: Sony's PlayStation Network, an estimated $170 million
  • 2011: RSA, $66 million
  • 2013: Target, $400 million
  • 2014: Sony ???
Also 2014:
Fusion [when did Kash Hill leave Forbes? Halloween - Oh, I was in London] reports that documents leaked after the recent attack show the company had just 11 people assigned to its information security team: "Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president." (Sony Pictures did not respond to requests for comment for this story.)
BTW - According to Wikipedia, Sony Pictures Entertainment revenue as of March 2014 was $8.0B

Thursday, December 11, 2014

*Updated* Google News in Spain goes Dark

Update: Gizmodo agrees -  http://gizmodo.com/a-big-round-of-applause-to-google-for-shaming-spain-wor-1669840971

In a new take on "planned outage", Google has turned off Google News in Spain over a ridiculous tax for the snippets their search engine displays.

Techdirt calls it the "Nuclear Option", I call it "Well, Duh".

I was kinda hoping they'd do it in Germany or the EU (OMG what a crock!)

I say Go Go Google!

EFF has an important writeup in their blog too - can't resist this quote:
 Online intermediaries may be a convenient scapegoat for the fading fortunes of European newspaper publishers, but banning the use of text snippets alongside website links is a misguided and—now self-evidently—counter-productive approach. Once it becomes illegal for aggregators to freely link news summaries to publicly-available websites, it becomes that much easier for those who want to prohibit other sorts of links, such as links to political YouTube videos, to make their case.
This will be fun to watch when the news websites in Spain Lose All Their Traffic

It won't shut down until Dec 16, think there will be furious backpedaling at the Spanish news sites?

Hint to Spanish sites: Look for the Referer header in your web server logs to see how much traffic (and money) you'll lose.
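To make that hint concrete, here is an added example (not from the original post) that reads Apache/nginx "combined" format access logs and reports what share of successful page views arrived via a Google News referrer. The log lines are constructed; treating any host under news.google. as Google News is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format: the Referer is the first quoted field after status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_host(referer):
    """Lower-cased hostname from a Referer value, or None for direct/empty ("-") referrers."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_google_news(host):
    # Assumption: every Google News edition (news.google.es, news.google.com, ...) shares this prefix.
    return host is not None and host.startswith("news.google.")


def summarise(lines):
    """Return (successful_views, google_news_views, Counter of referrer hosts) for the log lines."""
    total = 0
    gnews = 0
    hosts = Counter()
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if not m.group("status").startswith("2"):
            continue  # only count page loads that actually succeeded
        total += 1
        host = referer_host(m.group("referer"))
        if host is None:
            hosts["(direct/none)"] += 1
            continue
        hosts[host] += 1
        if is_google_news(host):
            gnews += 1
    return total, gnews, hosts


def google_news_share(lines):
    """Fraction of successful page views that came from Google News (0.0 when there are none)."""
    total, gnews, _ = summarise(lines)
    return gnews / total if total else 0.0


# Constructed sample log: two Google News referrals, one direct hit, one 404, one Facebook referral.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2014:09:15:02 +0100] "GET /noticia/1234 HTTP/1.1" 200 5120 "http://news.google.es/" "Mozilla/5.0"
203.0.113.6 - - [11/Dec/2014:09:15:10 +0100] "GET /noticia/1234 HTTP/1.1" 200 5120 "https://news.google.com/news/section?cf=all&ned=es" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2014:09:16:44 +0100] "GET /portada HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.8 - - [11/Dec/2014:09:17:01 +0100] "GET /noticia/999 HTTP/1.1" 404 210 "http://news.google.es/" "Mozilla/5.0"
192.0.2.9 - - [11/Dec/2014:09:18:30 +0100] "GET /noticia/555 HTTP/1.1" 200 4000 "https://www.facebook.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    total, gnews, hosts = summarise(SAMPLE_LOG.splitlines())
    print(f"{gnews} of {total} successful views came from Google News "
          f"({google_news_share(SAMPLE_LOG.splitlines()):.0%})")
    for host, n in hosts.most_common():
        print(f"  {n:5d}  {host}")
```

Run it against a real access.log with `summarise(open("access.log"))` to see the same breakdown for your own site.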


Tuesday, December 9, 2014

Viewing or using Sony stolen documents? Wrong Wrong Wrong

And I'm not gonna do it.  Period.

And there's always a BUT.

Remember:

1. The rootkit on the audio CD?
2. The promise to run Linux on the PS3?
3. All the harassment of Geohot?

the list goes on

Sony is not a friend of their community.  Is this karma?

The idiots that are threatening the families are going to get caught, and they're going to do time. BTW. duh?


Friday, December 5, 2014

Australian news (ABC) reports 77 Chinese nationals arrested in Kenya, accused of running a cybercrime network attacking banking and telecom systems.

http://www.abc.net.au/news/2014-12-05/dozens-of-chinese-held-in-kenya-in-cyber-bust/5945610

Other interesting tidbits
  1. Running mysterious "command centre" from upmarket houses in the capital Nairobi
  2. "preparing to raid the country's communication systems".
  3. equipment capable of infiltrating bank accounts, Kenya's M-Pesa mobile banking system and ATMs.
  4. "being in the country illegally and operating radio equipment" without the necessary permits.
  5. "military-style dormitories".
  6. "China promised to send investigators to work with ours on this matter," 
  7. the group were making microchips for ATM cards 
Maybe most interesting of all:
China, a major investor in Kenya's infrastructure and communications networks and hailed earlier this year by president Uhuru Kenyatta as "an honourable partner" for east Africa's largest economy

Thursday, November 20, 2014

FISA court documents declassified under FOIA illustrate a wealth of government activities

1500 pages of documents from Yahoo's 2008 case against its National Security Letters have recently been declassified.

I guess the law is one thing and the interpretation of it is something completely different, especially where there is no oversight or public inspection. If activities can be performed and judged by the government, with no opposing counsel or public inspection, how can they not get out of control?


The first document (64 pages) shows this in spades, where the FISA court justices can't understand that tapping the phones of provably innocent people isn't constitutional because they aren't aware of it.  A good article about it is (as usual) on Techdirt.

It also shows contradictory statements of fact:
"There is no database," says Gregory Garre, before having to admit a few sentences later that incidental data is retained (and distributed).
[page 8] In the following quote, the Yahoo attorney (Zwillinger) is relating that in spite of monetary compensation for their time and effort they are still injured.

Justice Arnold: Well, if this order is enforced, and it's secret, how can you [yahoo] be hurt?  The people don't know that -- that they're being monitored in some way.

Tuesday, November 18, 2014

Awesome! Uber crying that media is mean to them, suggests "Digging up dirt on journalists"


Update #7 - 20-June because AUATT (below) - The FTC is investigating them?

Update #6 - 14-June-2017 - As a matter of fact, this blog is "All Uber all the time". After Emil Michael's and Travis Kalanick's LOA departures, board member David Bonderman, in a discussion with Arianna Huffington, 'who was speaking about the need for more female representation on Uber's board. When "there's one woman on the board, it's much more likely that there will be a second woman on the board," Huffington said, to which Bonderman shot back "what it shows is that it's much more likely to be more talking."' - Bonderman was out in about the time it takes to say "Do we need to call security?"

Update #5 - 12-June-2017 - Eric Holder report released soon, likely not good.   Travis Kalanick on LOA after a family tragedy (we're truly sorry and our thoughts and prayers for the family), oh, and Emil Michael out
 
Update #4: The Verge:  Can Uber be saved from itself?

Watch for: Ryan Graves (employee #1) to take the fall for the latest things, both the misogyny from Susan Fowler's blog (sub-watch - are they investigating her personally?) and Greyball (Verge again)

Update #3a:
Uber allegedly has a pretty horrible culture of sexual harassment, per engineer-author Susan Fowler who isn't afraid to blow the whistle under her own name, and there's a really good blog post at Global Nerdy that deconstructs and validates the claims


Kara Swisher from Recode/Decode had a podcast about Uber that posted the day after Susan’s blog post went viral named “Self-driving cars are an ‘existential crisis’ for Uber, ‘Upstarts’ author Brad Stone says”

Here’s Kara’s blog post about the leather jacket


Update #2:  CNN-  Uber limits employee access to God mode

Update #1:  Washington Post blog has insight on their privacy and least privilege policy

 AKA - Let's DOX our customers, that'll show them

So correct me if I'm wrong, Buzzfeed article, linked from Drudge:

According to Buzzfeed article uber-executive-suggests-digging-up-dirt-on-journalists :
  1. Uber thinks journalists are being mean, especially pando writer Sarah Lacey writing about them after a Buzzfeed article accusing them of sexism (awesome example of just that BTW)
  2. VP of Black Bag Jobs, er "business", Emil Michael, suggests opposition research including aforementioned digging up dirt
  3. Immediate spin control: an Uber spokes-droid states (from the article) "the company does not do 'oppo research' of any sort on journalists, and has never considered doing it. She also said Uber does not consider Lacy's personal life fair game, or believe that she is responsible for women being sexually assaulted."
  4. Even though (from the article again) "the general manager of Uber NYC accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies."
  5. SO a new-economy taxi company is on record as using its data against journalists, and anybody still uses them?!
  6. Update: Amy Keyishian at Re/code had the first link to the Seth Meyers clip with the "That Boober Guy" nickname for Travis Kalanick, some great advice on the difference in truth between public and private speech, and equating the Emil Michael quotes with Voldemort speaking to Hogwarts.

Sunday, November 9, 2014

Yes, now you can see the dumbest agreement on earth

This is what EMS sports wants you to agree to before you post a review of their stuff:

http://www.powerreviews.com/legal/terms_of_use_en_US.html

I guess "Power Reviews" is running their review site.

An excerpt that will probably get me in trouble:

What you are promising by submitting UGC: By submitting UGC you represent and warrant that: (i) you are the sole owner of the UGC; (ii) the UGC is accurate; (iii) you are at least thirteen (13) years old; and, (iv) the UGC you submit does not violate these Terms of Use. Because you are solely responsible for what you post, you also agree to indemnify PowerReviews and PowerReviews's clients for a breach of your representations and warranties.
Where you can find additional information on PowerReviews's use of the UGC: PowerReviews's use of any UGC you submit is subject to PowerReviews's Privacy Policy, which can be found at http://www.powerreviews.com/legal/privacy_policy_en_US.html.

Oh by the way, they say this in their thank-you message:

Hello @comcast.net. Here is a list of the reviews we have connected to your email address. Currently, we have a limited set of managing options for your reviews:

Deleting a review: Unfortunately, we do not allow deletion of reviews as they become our property upon submission. However, if you would like to disconnect the review from your identity and unlink it from your email address, please feel free to do so at any time. Unlink a review.

Removing media: If you would like to remove an image or video you've shared along with a review, you can do so by finding the review in question below and clicking on the "Remove" button directly underneath the item.

SO - I'm solely responsible for what I post, but posts are their property!?

sheesh.  Please, someone put them out of their misery

Tuesday, October 28, 2014

Good Techdirt analysis of Applepay and CurrentC situation

It states that retailers want to cut out Mastercard and Visa, and want the same ultimate tracking of their customers that they had when customers used their old store cards.

https://www.techdirt.com/articles/20141027/07065628950/payment-wars-how-merchants-carriers-are-trying-to-block-payment-systems-they-cant-track.shtml

Grab the popcorn, IMHO, this will be an utter and dismal failure, because the members of PCI won't correctly use their previous lessons learned to make a system that protects customers, instead they will greedily grab all the data they can on their customers, attempt to protect their shopkeeper members, but fail because they're cheaping out on the infrastructure, creating something even worse than PCI.

Seriously, Rite Aid and CVS are creating a payment system that will be more secure than Google, Apple and Mastercard/VISA? OMG what are they thinking other than sheer greed. I won't boycott, though, especially CVS; I truly want to support a company that went out on a limb and stopped selling tobacco.

Don't use CurrentC, it will be even riskier than debit cards - the QR codes will be found to be awful security, and there will be people burned by the automatic debit behavior of the system. Even if they use something clever like Steve Gibson's SQRL, they won't be able to implement something secure enough to handle the amounts of cash it needs to.

Please just use credit cards or cash at these merchants

Monday, October 27, 2014

Truth finally? Rutgers paper about e-voting - Don't do it

Slashdot discussed a paper produced when Rutgers University analyzed the emergency e-voting that was done after Hurricane Sandy, and it was apparently another disaster.

Just pulling interesting things from the table of contents: 

VII. INTERNET VOTING IS NOT SAFE, SHOULD NOT BE MADE LEGAL, AND SHOULD NEVER BE INCORPORATED INTO EMERGENCY MEASURES

VIII. INTERNET ATTACKS ON U.S. INFRASTRUCTURE AND BUSINESSES ARE SO PREVALENT THAT IT IS NAÏVE TO BELIEVE THAT U.S. ELECTIONS WOULD NOT BE OF INTEREST TO HACKERS


So let's jump right to the conclusion:

CONCLUSION
After Superstorm Sandy, there was no structure in place to make sure that emergency voting directives were followed. There was mass confusion among county officials and voters, alike. Emergency measures such as Internet and fax voting not only violated New Jersey law, but also left votes vulnerable to on-line hacking. Internet voting should never be permitted, especially in emergencies when governmental infrastructure is already compromised.

As the May 2014 National Climate Assessment issued by the U.S. government makes all too clear, New Jersey is highly likely to be impacted negatively by more Superstorm Sandy-like disasters in the near future. This means that it is critical for New Jersey to enact and implement emergency voting procedures that comply with existing election law, and that protect every vote. As such, those emergency measures should not include Internet and fax voting as an option, under any circumstance.

Friday, October 24, 2014

Verizon tracking its users (again)



As if the biggest fine ever ( http://www.fastcompany.com/3035193/fast-feed/fcc-fines-verizon-74-million-for-using-private-data-to-market-to-customers ) didn't make enough of an impression,

Verizon is now tracking the browsing of its wireless users with a new token, according to Ars Technica - http://arstechnica.com/security/2014/10/verizon-wireless-injects-identifiers-link-its-users-to-web-requests/

More information can be found here:

Or you can test it yourself here:

Browsing from the work/desktop network shows no X-UIDH header, but browsing from a (work) Verizon cell phone shows the header, and links to an NBC news site with opt-out information. According to people on Twitter (https://twitter.com/search?f=realtime&q=verizon%20uidh ), opting out doesn't always work. I haven't tested it yet.

Using HTTPS supposedly prevents this information from being sent, but there may not be a way to I don’t know whether this information uniquely identifies 

(* TODO *) I wonder whether setting up an apache server as a proxy, with HTTPS in and http out would prevent the headers?
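For the "test it yourself" step, here is an added example (not from the original post or from any of the linked articles): a small self-hosted endpoint that reports whether a request arrived carrying the X-UIDH header, plus the header parsing as a plain function. The sample request and its token value are constructed; the port and path are arbitrary choices.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# The carrier adds this header to plain-HTTP requests in transit. Over HTTPS the request is
# encrypted end to end, so a check like this only tells you something for an http:// URL.
TRACKING_HEADER = "X-UIDH"


def parse_request_headers(raw):
    """Parse the header block of a raw HTTP/1.x request (bytes) into a lower-cased name -> value dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line (GET /path HTTP/1.1)
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def tracking_report(headers):
    """Describe whether the tracking header is present without logging the whole token."""
    value = headers.get(TRACKING_HEADER.lower())
    return {
        "header": TRACKING_HEADER,
        "present": value is not None,
        # Length and a short prefix are enough to see whether the token changes after opting out.
        "token_length": len(value) if value else 0,
        "token_prefix": value[:6] if value else None,
    }


class Handler(BaseHTTPRequestHandler):
    """Answers every GET with a JSON report about the request's own headers."""

    def do_GET(self):
        report = tracking_report({k.lower(): v for k, v in self.headers.items()})
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed request, shaped like one a phone behind an injecting carrier would send (token is made up).
SAMPLE_REQUEST = (b"GET /uidh-check HTTP/1.1\r\nHost: example.test\r\n"
                  b"User-Agent: Mozilla/5.0\r\nX-UIDH: OTgxMTUwNzIyMTYxMjAwMTcz\r\n\r\n")

if __name__ == "__main__":
    print(tracking_report(parse_request_headers(SAMPLE_REQUEST)))
    # Serve on port 8080; open http://<this host>:8080/ from the phone (plain http) to see the report.
    HTTPServer(("", 8080), Handler).serve_forever()
```

Fetching the same URL from the desktop network and from the phone gives the two results the post describes (absent vs. present).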



Monday, October 20, 2014

(Updated) There's this web site/app called "Whisper" that wants you to "to anonymously share their innermost thoughts, secrets, and feelings."

Whisper (bad), not Whisper Systems (good, Moxie Marlinspike)

Yeah. 

Do I have to say DON'T DO IT?!

They geolocate (which can't be turned off), concentrate on US military bases and intelligence agency locations, and also use the IP address.

Whisper:  Lies! (the guardian)

US Senate: Oh really?  Why don't we chat about that? (The Verge)

Why is the National Science Foundation analysing Twitter for "Social Pollution"?

 And why does it affect Ajit Pai - a member of the FCC - enough to write an op-ed in the Washington Post?


http://www.washingtonpost.com/opinions/truthy-project-is-unworthy-of-tax-dollars/2014/10/17/a3274faa-531b-11e4-809b-8cc0a295c773_story.html

Head  of the article saved here for posterity...

Ajit Pai is a member of the Federal Communications Commission.
If you take to Twitter to express your views on a hot-button issue, does the government have an interest in deciding whether you are spreading “misinformation’’? If you tweet your support for a candidate in the November elections, should taxpayer money be used to monitor your speech and evaluate your “partisanship’’?

My guess is that most Americans would answer those questions with a resounding no. But the federal government seems to disagree. The National Science Foundation , a federal agency whose mission is to “promote the progress of science; to advance the national health, prosperity and welfare; and to secure the national defense,” is funding a project to collect and analyze your Twitter data.

The project is being developed by researchers at Indiana University, and its purported aim is to detect what they deem “social pollution” and to study what they call “social epidemics,” including how memes — ideas that spread throughout pop culture — propagate. What types of social pollution are they targeting? “Political smears,” so-called “astroturfing” and other forms of “misinformation.”
Named “Truthy,” after a term coined by TV host Stephen Colbert, the project claims to use a “sophisticated combination of text and data mining, social network analysis, and complex network models” to distinguish between memes that arise in an “organic manner” and those that are manipulated into being.

But there’s much more to the story. Focusing in particular on political speech, Truthy keeps track of which Twitter accounts are using hashtags such as #teaparty and #dems. It estimates users’ “partisanship.” It invites feedback on whether specific Twitter users, such as the Drudge Report, are “truthy” or “spamming.” And it evaluates whether accounts are expressing “positive” or “negative” sentiments toward other users or memes.

 The Truthy team says this research could be used to “mitigate the diffusion of false and misleading ideas, detect hate speech and subversive propaganda, and assist in the preservation of open debate.”

I'm so happy they have my best interests at heart

Tuesday, October 7, 2014

Violet Blue isn't a parody account, she's a real journalist

While her blog is NSFW ( big time ), she does some top-notch writing, including Infosec. 

This ZDNET article, 10 things you need to know before hiring penetration testers, realistically talks about penetration testing - bookmark!




Monday, September 22, 2014

Cool starter kit for the Internet of Things

The Wall Street Journal Personal Tech Blog talks about "little bits"


"LittleBits is selling its CloudBit as a standalone module for $59, or in a $99 Cloud Starter Bundle that includes six modules and instructions for five different beginner projects. The bundle includes devices that will send you a text message when your doorbell rings, remotely feed your pet, or allow you to turn off and on your air conditioning unit using your phone.
The CloudBit and Cloud Starter Bundle are available now at littlebits.cc, and will be sold in Radio Shack stores as well."

Sunday, September 21, 2014

Guards at the White House... You have one job... (updated! :-) )

This just in... 

Man jumps WH fence Wednesday Oct 22.  Dogs unleashed. "knocked the man to the ground, and bit him." Man arrested.  "PR windfall"

That's what I'm talking about.  Respect.  Doing your job.  for Merica!

Mr President? Can you start doing it for the rest of your work?

 

Old news - 

On Friday evening, a man jumped the White House fence, sprinted across the North Lawn toward the residence, and was eventually tackled by agents, but not before he managed to actually enter the building. Now CBS reports that the security breach at the White House is prompting a new round of criticism for the Secret Service,

Does Major Garrett actually think this:

White House correspondent Major Garrett. "If you have a jumper and he is unarmed and has no bags or backpacks or briefcase, do you unleash a dog and risk having cell phone video shot from Pennsylvania Avenue of an unarmed, mentally ill person being bitten or menaced by an attack dog?"
 Umm yes!?

Is there anyone ANYONE? in a position or authority that has any IDEA of what they're doing?

Lord help us and save us :-(

Major Garrett: Try this for TTPs
  1. A small child wanders through the fence.  Approach, hug, find parents.
  2. An ARMED MAN or very small group runs toward the White House.  Unleash the dogs.  PERIOD!!! 
  3. You are under attack by Multiple ARMED PEOPLE running toward the White House.   AUTOMATIC WEAPONS.
  4.  You are under attack by Multiple ARMED PEOPLE with Vehicles on the property toward the White House.   HEAVY WEAPONS 
 The YouTube videos will impress your friends, enemies, and people planning similar things in the future.

Friday, September 19, 2014

Thursday, September 4, 2014

Oh, are you running IPv6 ? Are you sure?

Here's an interesting address:

2001:558:feed::1

It's the Comcast DNS server, I think.

Try it
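One way to "try it" without guessing, as an added example that is not from the original post: ask the kernel which local IPv6 address it would use to reach 2001:558:feed::1 (connecting a UDP socket sends nothing, it only consults the routing table), and, if there is a route, send one hand-built DNS query to port 53 and read the answer header. That the address is a DNS server is the post's guess, not something this code assumes to be true; the example name example.com is arbitrary.

```python
import random
import socket
import struct

TARGET = "2001:558:feed::1"  # the address from the post


def ipv6_source_address(target=TARGET, port=53):
    """Local IPv6 address the kernel would use to reach target, or None if there is no IPv6 route."""
    if not socket.has_ipv6:
        return None
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    except OSError:
        return None
    try:
        s.connect((target, port))  # UDP connect: no packet leaves the host
        return s.getsockname()[0]
    except OSError:  # typically ENETUNREACH: no IPv6 default route
        return None
    finally:
        s.close()


def build_dns_query(name, qtype=1, txid=None):
    """Minimal RFC 1035 query packet for name; qtype 1 = A, 28 = AAAA."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass 1 = IN


def parse_dns_header(packet):
    """Transaction id, QR bit, RCODE and answer count from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": an}


def resolve_over_ipv6(name, server=TARGET, timeout=3.0):
    """Send one query to server over IPv6; return the parsed answer header, or None on no route/timeout."""
    if ipv6_source_address(server) is None:
        return None
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            resp, _ = s.recvfrom(4096)
        except OSError:
            return None
    hdr = parse_dns_header(resp)
    # Only accept a reply whose transaction id matches the query we sent.
    return hdr if hdr["is_response"] and hdr["txid"] == parse_dns_header(query)["txid"] else None


if __name__ == "__main__":
    src = ipv6_source_address()
    print("IPv6 source address:", src or "none - this host has no IPv6 route")
    if src:
        print("answer header from", TARGET, "->", resolve_over_ipv6("example.com"))
```

A printed source address means the host really has an IPv6 route; a non-None answer header with rcode 0 is what you would expect if the post's guess about the address is right.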

Hmmm...

oh, how about this: