Category Archives: Technology

Google invasion of privacy lawsuit

Posted on by

This will be interesting to see how it plays out:

Google was sued on Tuesday in a proposed class action accusing the internet search company of illegally invading the privacy of millions of users by pervasively tracking their internet use through browsers set in “private” mode.

The lawsuit seeks at least $5 billion, accusing the Alphabet Inc unit of collecting information about what people view online and where they do their browsing, despite using what Google calls Incognito mode.

It’s really, really tough to be anything close to truly anonymous on the Internet these days. You can get close enough for all practice purposes but it takes a lot of effort and a certain amount of skill.

I think it should be much easier and that Google is a huge part of the problem in achieving anonymity just further confirms my opinion that they are evil (also here and here).

I hope the lawsuit is widely successful and is applied, as needed, to other Internet privacy violators.

Truth

Posted on by

I was nearly finished with a 20 page paper (of sorts) on searching for bots in computer networks when I took a break and scanned the contents of my RSS feeds. This struck me as particularly timely and funny:

garbage_math_2x

As I told my boss last week I was disappointed in the algorithms used in what is considered “state of the art” tools. I actually found a strong inverse correlation in the “scoring” of network traffic of highly suspicious traffic compared to clearly normal traffic. The higher scoring traffic should indicate high probability of the traffic being communication with a Command and Control Server (C2 Server) and lower scores with normal traffic. I easily found instances where just the opposite was true.

When I used synthesized data I could get the expected scoring results but real world data demands new detection algorithms. It looks to me like bot builders also do research. Existing algorithms appear to be essentially garbage.

Quote of the day—Lee Enfield

Posted on by

The FGC-9 enables everyday people all around the world to build a 9mm semi-automatic firearm, from start to finish, using a 3D printer and commonly available, unregulated materials. It’s specifically designed to be accessible to folks with minimal gun building experience, and avoids using parts commonly or easily restricted by law in the US and Europe. Anyone can build it, and no one can stop it.

In case there was any doubt about the political ideology here, you should know that the ‘FGC’ in the ‘FGC-9’ stands for “fuck gun control”.

Lee Enfield
March 31, 2020
The FGC-9 Fulfills the Promise of 3D Printed Guns
[Things have come a long way:

It’s not going to make the anti-gun people give up the fight and become normal humans. They will, as is always the case, continue to lie and double down on their failing objectives.—Joe]

Quote of the day—Lisa Vaas

Posted on by

We would be remiss were we to not point out what has been demonstrated time and time again: that Big Data can be dissected, compared and contrasted to look for patterns from which to draw inferences about individuals. In other words, it’s not hard to re-identify people from anonymized records, be they records pertaining to location tracking, faceprints or, one imagines, anuses.

Lisa Vaas
April 8, 2020
As if the world couldn’t get any weirder, this AI toilet scans your anus to identify you
[It’s a lot like most encryption*. Data is only “anonymized” in the minds of those doing the anonymizing. The right people, with a big enough dataset, and enough CPU cycles can deanonymize/decrypt it.

So, other than the obvious embarrassment of having pictures of your anus being featured in the next big data security breach, what is the worst way this technology be abused?

It turns out that just like fingerprints and irises you can be uniquely identified by your anus. If all toilets were equipped with cameras and the data obtained by a totalitarian government it would becoming far more difficult to keep your location private. It would violate my Jews in the Attic Test.—Joe]

* There are exceptions. One-time-pads come to mind.

In forced quarantine

Posted on by

No. Not me. My phone.

Yesterday I noticed my phone wouldn’t lie flat. Odd. Upon further investigation I realized the battery was swelling. It’s a Galaxy S8 Active. The back doesn’t come off to allow you to replace the battery.

Rats! I don’t want to go out and buy a new phone now. I don’t want to have to move all my two factor authentication stuff to a new phone. It could take a full day to move to a new phone.

I looked on Amazon for a new phone and then decided to look for a battery anyway. Success! It includes tools and adhesive to take the phone apart and glue it back together. I ordered the battery.

But I need my phone for accessing things at work because of the two factor authentication. I can’t just put my phone in an old ammo can in the back yard to avoid explosion and fire hazards then run out there to check text messages every once in a while.

I made an indoor quarantine for it:

WP_20200325_12_21_02_Pro

The phone is inside two zip lock bags, on top of an old cookie-sheet, and surrounded by nearly 200 pounds of lead (and brass).

I pulled the phone out a few minutes ago to check something and the swelling has increased:

WP_20200325_12_25_23_Pro

The new battery is supposed to arrive in the next 45 minutes and the phone will then undergo battery replacement surgery.

Update: The battery has been replaced and the phone is functional. And it is in the process of being fully charged.

The battery replacement is not for the faint hearted. There were two electrical connecters which were the smallest I have ever seen. I put on my magnifying glasses to see many of the components I needed to manipulate. The adhesive replacement was a bit of a sticky problem (pun intended). They supplied two large strips that needed to be cut into six (or more) pieces. No instructions on how to use the adhesive.

Quote of the day—RyanSepe

Posted on by

All this awareness would make us liable. Without them its ignorance, if we hire them it becomes negligence and I prefer ignorance.

RyanSepe
February 28, 2020
Suggested caption to this cartoon:


[There is way too much truth in this.

Companies have finite resources. They have to prioritize their cyber security efforts. If something is documented as an active issue, or even a potential weakness, and they don’t address it in a timely manner they have legal liability issues to deal with as well as fixing the problem.

In the “big picture” view of things companies have a lot of motivation to “not put it in writing” until they have the resources to deal with it. On the other hand, if managers don’t show they have a backlog and are overworked they aren’t going to get the resources to fix things in a timely manner. I have more than a little sympathy for cyber security managers caught in this dilemma.

After illegal computer access incidents have been made public Barb sometimes tells me, “I wish they would just stop doing that!” I would be out of a job, but the world would be a better place. So much money is spent on security that from a big picture you see it as huge waste of human and even natural resources (millions of computers monitor and guard against intrusion as their sole purpose). Even when the criminals are caught (extremely rare) they will never have to pay for all the resources spent in finding them and bringing them to justice.

And, of course, it’s never going to happen. Some of these criminals do it for the “free” money. Others do it for the thrill. And some do because they are spies in search of information useful to their country. There are always going to be those type of people. The best we can do is find them, stop them, and prosecute them if we can build a case against them.—Joe]

Pushing the limits

Posted on by

I like pushing the limits in certain directions.

Recently I have been spending nearly every waking hour working on my Bird Dog software for work.* I’m dealing with information on billions of network connections. I extract the stuff of interest and present it in an way which makes it easier to find the wood slivers in the hay stack. After using all the algorithmic tricks available I started finding places to do more parallel processing.

It was with great satisfaction that I found that I pretty much continuously keep all eight logical processers at 100 percent when doing certain tasks:

Limits

Each one of those processors is over 1000 times more powerful than the single processer I had on my first personal computer. And just the Bird Dog executable would take up over 75% of the hard disk space on that computer. Never mind the O/S or the database software which wouldn’t fit on a dozen hard disks I was so proud of at the time I first purchased it. “I’ll never run out of room on this disk!”, I foolishly told myself.

I now routinely open up text files in Vim for review and/or editing that are 50 to 100 times larger than what that hard disk could contain.

I like living in the future.

* I received an email from the company patent team earlier this week. They told me they are pursuing a patent on Bird Dog. I think the existing invention disclosure is okay, but the next one will be AWESOME! I’m really excited about what is coming up next. It’s as if a decade or more of my life’s work is coming to a focus on this one thing. I’ll probably need a more powerful computer, or set of computers, though.

Boomershoot weather station upgrade

Posted on by

I have been having problems with the Boomershoot weather station since the first few hours daughter Kim and I installed it. The Hoarfrost accumulated overnight immobilized the wind sensors:

There were other problems as well. The communication between the “indoor” part of the unit and the outdoor sensors, above, was not reliable. I didn’t have a indoor environment for it. This indoor part uses an ethernet cable to connect to the Internet and a 900 MHz radio link to connect to the outdoor sensors. I put it in a plastic box that only barely protected it from direct exposure to the elements. And the insects, such as earwigs and yellow jackets made it their home:

Sometimes the connection would go down just an hour or so after I rebooted things, got it working, and was on my way home six hours away. And then there was the time it stopped recording rainfall. It turned out a bird had pooped in the rain gauge and plugged it up.

I tried moving the sensor closer to the Internet connection unit without improvement. Then when I visited just before Christmas I decided it was time to purchase a new weather station. The wind sensors were immobilized by freezing rain:

20191225_101011

I realize the manufacture is based in Arizona, but they are making a product intended to be used to measure weather conditions. It’s not like I installed this sensor in Barrow Alaska or something. Sure, this is a bit hostile, but it shouldn’t be unexpected to the designers.

Last weekend I installed a new weather station and made the “indoor” environment a little better.

It’s not really a coincidence that both the initial installation and this upgrade took place in January. There isn’t time to do it just before Boomershoot. And it’s easier to do it before the mud is so soft that you can’t easily walk across the ground. But the cold does make it a hardship. This year, compared to the initial installation, I was able to drive instead of snowshoeing in like last time, to the shooting line where we have the weather station… after I shoveled a path through berm in front of the driveway.

Before:

20200125_080822

After:

20200125_082815

To improve the environment for the “indoor” electronics I dug a pit and installed an underground box for the solar charged batteries, the charge controller, the 12V –> 24V switching power supply for the Wi-Fi connection, and the 12V –> 5V switching power supply for the ethernet switch and the weather station “indoor” electronics.

20200125_094608

It was just above freezing temperatures and frequently raining when I was working. Moving 130 pound batteries into the pit and connecting all the wires was less than fun. Notice the mud I was kneeling in to work on things:

20200126_124624

The end result looks pretty good. I insulated the lid and with the underground environment, some heat from the batteries and electronics, the temperature should be less extreme both in the summer as well as the winter.

20200125_162127

Here is the new outdoor sensor array:

20200126_124853Cropped

The spikes over the rain gauge are supposed to keep the birds from sitting on the edge and building nests in it. I don’t know that the wind sensors are more resistant to frost and freezing rain but I know the old one didn’t tolerate those conditions well.

It’s been almost a week now with no interruptions in service to the Boomershoot live web page.

When I was a boy…

Posted on by

A couple days ago a coworker was talking about things “the kids these days” wouldn’t recognize. One of the things he mentioned was rotary dial phones. Or even just desktop phones in general. These days a phone is a thin rectangular object you can put in your pocket and many young people would not make the connection between what they know as a phone and what a generation or two earlier knew as phones when they were growing up.

I one upped him by telling about the phones we had at the first two houses I remember living in. Here are those houses with me in front of the first house:

Here is the type of phone:

20191224_181348Cropped

This picture is from Christmas Eve about a month ago at brother Doug’s place. The phone from my childhood is in brother Gary’s house a hundred yards away from brother Doug. Until a few years ago the phones were connected and working. There is still a similar phone in the shop between the two houses. Sometime in the last couple of decades an underground wire broke and the Huffman phone network went down for the last time when it wasn’t worth the effort to find the break and fix it.

And as late as when I was in high school there were other phones of this type on our local phone network in my two grandmothers mobile homes which were also on the property.

One of the stories I told my coworker about these phones is that these type of phones were the only type phones available at our house until I was in the third grade. We upgraded to a rotary style phone.

Mom and dad thought the older phones worked just fine and objected to the price increase (it went from something like $3/month to $5/month). They did without a phone for a year in protest before getting a new phone. It was still a party line where you had different ring types to distinguish between calls to your phone and calls to your neighbor. Our ring with both the phone type you see above and the first rotary phone was three shorts. Later there were party line phones with band pass filters for the ring signals and unless your phone used an adjacent ring frequency and the filter wasn’t that good you couldn’t hear the incoming ring for your neighbor. But if the frequency was adjacent and the filter wasn’t doing its job you could hear some vibration from the ringer and maybe a anemic “ding” or two when the call was intended for your neighbor.

That’s odd

Posted on by

I’ve frequently read that important discoveries and inventions more often start with “That’s odd.” than with “Eureka!”

And so it was with a discovery of mine a week ago today.

I write software tools for the cyber security team at a major corporation. The culture is somewhat freewheeling. In the first couple of days when I started work my boss told me something to the effect of “People create their own positions here.” After the first couple of months I would talk to him no more than once a month. Sometimes it would be far longer than that. I did, pretty much, whatever I wanted. At review time I would be told, “We really like what you are doing and keep it up.” My model was look at what people around me were doing and write tools to make their job easier, faster, and enable better results.

I sometimes would joke that my goal was to eliminate the jobs of the people around me by writing the software to replace them. In reality what I did just meant people could be far more productive. Cyber security is never ending and I don’t see an end in sight for a job in this field as long as we have computer networks and human nature is what it is.

Nearly everything I did was little web application which would do things like check IP addresses for being on black lists and geolocate them, pull data and reformat from sensors, and graph data on “dashboards” for management to look at. My background task was working on something much bigger. I would see patterns in some of the data I was pulling from sensors and would try to get someone to investigate what I thought was suspicious activity.

The investigators would look at it for a few seconds and tell me something to the effect of, “I can see anything here. I need to see A, B, and C as well in order to know if this is anything.” So, a week or two later, I would show them similar data with A, B, and C added to the set. Again they would look at it for a few seconds, not see what I was seeing, and tell me they needed X, Y, and Z as well.

This went on for some time. I was somewhat frustrated and annoyed but I was learning how they did their jobs and what data they needed from multiple sources to evaluate a potential threat. But tens of thousands of rows in a spreadsheet with dozens of columns still didn’t allow people to quickly see the patterns I believed I was seeing. About two years ago I had kind of an eureka moment and I came up with a much better way of viewing the data (patent idea submitted to our attorneys was made late last year).

I started writing the software and explained it to anyone who expressed the slightest bit of interest in what I was doing. I gave the software the name “Bird Dog”. It essence it’s hunting through the grass and brush searching for specific things of interest to the (cyber security threat) hunter. It then points them out and then, when given the command, flushes them into the “air” such that only the the blind could not see them.

Everyone that sees it thinks it’s awesome but as much as I try I’m the only one that uses it. Everyone likes the data it produces but they don’t use it themselves. I think I need to make it easier to use but that’s a different story.

Last weekend I was putting in extra hours working on Bird Dog because I had gone through a major rewrite and it was to the point where things were working again as features were reenabled and new features were showing up. It’s very exciting to see what things will show up in the data with the proper visualization.

One of the things I had occasionally done in the past was to run a set of our externally facing IP addresses against the lists of “high risk” IPs. I didn’t have a complete set of our IP addresses but I had gathered some from public sources and had somewhat automated the process. I still had to copy and paste the list into a web app, click a button, and download the .CSV file into Excel. It didn’t take long but I never found anything and didn’t do it very often.

After the rewrite Bird Dog had a new data source. The new data source included more of our externally facing IP addresses. Bird Dog would now have not just my hand crafted list of IPs but IPs from the firewalls and other sources that might not be on any easily available list. And Bird Dog automatically added the risk scores to every public IP it saw, not just the IP addresses which were not ours (a previous limitation).

Last week during my testing of the new Bird Dog code one of our IPs was given a risk score indicating it was considered “Malicious”. That’s odd. I have been doing those sort of checks for years and I had never seen that before. But, it was one of the new features of Bird Dog and I knew it was possible.

I pointed it out to my boss. He and I spent a few minutes on it. We tried to find out why it was considered high risk but the supplier of the risk score for that IP had a 404 error on the web page for that one IP.

Another investigator was assigned and we looked some more. We didn’t make much progress and could create a story matching all the data that it was a false positive and we didn’t need to worry about it. We were about to close the case and move on when the vendor who had supplied the risk scores showed up for a meeting.

One of the guys (who plans to attend Boomershoot this year, BTW) stopped by my desk and asked how things were going. We chatted about Boomershoot some and then I told him I was a little frustrated about the missing risk score “evidence” for the one IP address. They get their information from various sources and had provided a link to the original source which where I was getting the 404 error from. He pointed out his company had cached the web page and we could just click on a different link. It wasn’t obvious to either I or the other investigator and we both missed it.

Together the vendor and I looked at the cached web page. We quickly determined that as far as our network security was concerned it was certainly a false positive. But the data was something we couldn’t ignore.

When my boss, a former police officer, came back to the office I showed it to him and asked if it should be forwarded to the police for investigation. He asked me to write it up and forward it to him and he would forward it to Corporate Investigations who handles all interaction with law enforcement.

Within a couple hours the referral had been made. Later that day my boss wrote an email to our director (some details redacted, indicated by XXX, for various reasons):

Joe was working on his Bird Dog code and identified a XXX IP address labeled “High Risk” by XXX.  After additional analysis, Joe and Mike found the IP address was listed in a cached webpage where someone posted XXX links to suspected child pornography

This was immediately handed off to XXX and the appropriate LE referral was made to the National Center for Missing and Exploited Children.

Great work by the entire team to keep digging and hopefully contribute to protecting a vulnerable child!

Neither I nor anyone I know clicked on the links. We all know better than to do that. You never want to go there.

This is probably the best, for certain measures of best, find so far by Bird Dog. And it was totally inadvertent. Sometimes it’s the odd things that are the most important to follow up on.

Quote of the day—Brad Smith

Posted on by

The pressure to put data centers in more countries is giving rise to what is rapidly becoming one of the world’s most important human rights issues. With everyone’s personal information stored in the cloud, an authoritarian regime bent on broad surveillances can unleash draconian demands to monitor not only what people are communicating, but even what they are reading and watching online. And armed with this knowledge, governments can prosecute, persecute, or even execute those individuals they consider threats.

This is a fundamental fact of life that everyone in works in the tech sector needs to remember every day.

Brad Smith
President and chief legal officer of Microsoft
September 2019
Page 45 in Tools and Weapons: The Promise and the Peril of the Digital Age


[One of Barb’s brother-in-laws recommended this book to me a few days ago as we were having a discussion about privacy and security.

I’m only about 20% of the way through the book but I’m really enjoying it. What I’m hearing matches the general tone of the culture when I worked at Microsoft. They take customer privacy seriously.

They have a team of about 50 people that work full time to respond to government requests and push back if the request is out of line with the law. They have promised to go to court rather than comply with requests that don’t have the warrants and documentation all in order. And they have gone to court numerous times. Smith claims they win in court 90% of the time.

I don’t know the details of the level of cooperation my current employer and the government have but I know that on the security side of things we take things very seriously. I also know that, IIRC, we have about 100 full time people who deal with government requests for information. I’ve talked with some of them and they too seem to believe it’s critical to keep the government on the straight and narrow.

I only see the criminal side of things but if we know or suspect customer personal information has been compromised, by either insider or outsiders, we put a stop to it as quickly as possible. And in the past year or two I’ve been seeing names of the people we chased end up in the news as being arrested, prosecuted, and convicted. None of them have been government officials, but that’s probably a little too much to expect.—Joe]

I don’t think so

Posted on by

I have listened to, read about, and commented on Fascitelli for almost 10 years*. I know enough about him that I think he’s probably a nice guy. I don’t think he is stupid either. He has changed his stance toward gun control and gotten a lot smarter about things (read the links below* and see how his attitude has changed over the years). But this indicates he has some other problem:

They’ve been working on Philadelphia-based Lodestar for a couple of years now. The duo recruited Ginger Chandler, a former Remington executive, to design the product, which, Fascitelli says, will be a gun accompanied by an RFID tag (some argue for fingerprint technology). Smart guns reached a turning point this summer, when New Jersey Gov. Phil Murphy reformed that state’s law to allow more research and development of smart guns.

Lodestar, which raised $250,000, is now looking for an additional $3 million to finish its prototype. Its three-person payroll is about $10,000 a month while the team waits for the shift in the political landscape to catch funders’ interest. They estimate potential sales at $1 billion, or about 40% of the 7-million-unit handgun market.

I’ve pointed out the probably unsurmountable problems with his proposed product and company before. But this is another layer of frosting on that cake.

Can he possibly believe their product has a realistic chance at 40% of the handgun market? I don’t think so. Perhaps the author of the article twisted his words, I could believe that. I’ve been misquoted enough that I can give him the benefit of the doubt here. Otherwise one has to conclude he is lying and/or delusional. In the past there have been a number of hints this was true but in recent years he seems to have gotten that pretty much under control.

* Here is a partial list of my posts quoting or referring to him:

Early research for the T-1000

Posted on by

Skynet smiles:

For the first time, scientists have created a permanently magnetic liquid. These liquid droplets can morph into various shapes and be externally manipulated to move around, according to a new study.

In an even more bizarre application, imagine a mini liquid person — a smaller-scale version of the liquid T-1000 from the second “Terminator” movie — Russell said. Now imagine that parts of this mini liquid man are magnetized and parts aren’t. An external magnetic field could then force the little person to move its limbs like a marionette.

Quote of the day—Bruce Schneier

Posted on by

As computers continue to permeate every aspect of our lives, society, and critical infrastructure, it is much more important to ensure that they are secure from everybody — even at the cost of law-enforcement access — than it is to allow access at the cost of security. Barr is wrong, it kind of is like these systems are protecting nuclear launch codes.

Bruce Schneier
July 24, 2019
Attorney General William Barr on Encryption Policy
[Creating, or even allowing, a process by which the government can get access to all your communication and personal documents fails The Jews in the Attic Test.

“Nuclear launch codes” indeed!—Joe]

The Singularity Is Near

Posted on by

One might say The Singularity Is Near:

AI Pores Over Old Scientific Papers, Makes Discoveries Overlooked By Humans

Researchers from Lawrence Berkeley National Laboratory trained an AI called Word2Vec on scientific papers to see if there was any “latent knowledge” that humans weren’t able to grock on first pass.

The study, published in Nature on July 3, reveals that the algorithm found predictions for potential thermoelectric materials which can convert heat into energy for various heating and cooling applications.

“It can read any paper on material science, so can make connections that no scientists could,” said researcher Anubhav Jain. “Sometimes it does what a researcher would do; other times it makes these cross-discipline associations.

The algorithm was designed to assess the language in 3.3 million abstracts from material sciences, and was able to build a vocabulary of around half-a-million words. Word2Vec used machine learning to analyze relationships between words.

“The way that this Word2vec algorithm works is that you train a neural network model to remove each word and predict what the words next to it will be,” said Jain, adding that “by training a neural network on a word, you get representations of words that can actually confer knowledge.

As one example, researchers fed publications from before 2009 into the algorithm and were able to predict one of the most effective modern-day thermoelectric materials four years before it was actually discovered in 2012.

The technology isn’t restricted to materials science either – as it can be trained on a wide variety of disciplines by retraining it on literature from whichever subject for which one wants to provide a deeper analysis.

“This algorithm is unsupervised and it builds its own connections,” said the study’s lead author, Vahe Tshitoyan, adding “You could use this for things like medical research or drug discovery. The information is out there. We just haven’t made these connections yet because you can’t read every article.”

One could also say, with a similar amount of justification, Skynet smiles.

Defeating the Fourth Amendment

Posted on by

This is rather scary stuff:

Liberty Defense is developing Hexwave, a new disruptive technology that was exclusively licensed from the Massachusetts Institute of Technology (MIT) uses 3D radar imaging and artificial intelligence to detect concealed weapons in urban settings.

Hexwave could be the next technology that replaces X-ray machines, such as for scanning bags in airports or other venues, and it also provides 3D scans of a person’s exterior as where X-ray can only provide 2D scans.

“Hexwave provides 3D imaging at a rate that is in real time — it can assess for threats while the person is still walking, which means it is well suited for higher, faster throughput,” Riker told VentureBeat.

The urban security market by 2020 to 2025 in North America is set to increase by 33%. The new 3D detection machine can revolutionize security at indoor high traffic crowded areas, like schools, malls, hotels, and places of worship, and protect outdoor high traffic areas, like airports, sports venues, government buildings, and bus/subway stations.

Will this sneak by the Fourth Amendment? If used in a common access public place, does this constitute an unwarranted search? The courts danced around the Fourth Amendment issues when doing searches at airports by saying, in essence, “You can still drive, ride a bus, and walk without being searched hence you are consenting to these searches.”

Also of great concern is the often used phrase “concealed means concealed” will no longer be true. Statists will use this technology to claim you don’t need to have a gun to protect yourself because they have the ability to prevent bad guys (everyone except agents of the state) from having a gun. While individual and groups of criminals are of obvious concern and a reasonable justification for private ownership and carry of self-defense firearms that isn’t the primary reason we have the Second Amendment. The primary reason is defense against the state. This technology could tip the balance in favor of dependency of the state for personal protection. This leading to inability to justify in the public eye the private carry and eventual ownership of firearms. This, of course, puts people at great risk of wholesale slaughter when our government goes completely rogue: