The Daily Parker

Politics, Weather, Photography, and the Dog

How is it already 4pm?

I have opened these on my Surface at work, but I'll have to read them at home:

Finally, Empirical Brewery has a new line of beer that supports Tree House Cats at Work. I'll try some and let you know.

Happy birthday, Gene

Eugene Wesley Roddenberry would have been 100 years old today. Star Trek and NASA have a livestream today to celebrate.

In other news:

Finally, sometime today I hope to finish reading Joe Pinsker's interview with author Oliver Burkeman about how not to get sucked into things that waste your time, like the Internet.

Vaccines, climate change, and trains

Those topics led this afternoon's news roundup:

  • The Intergovernmental Panel on Climate Change released its 6th periodic report on the state of the planet, and it's pretty grim. But as Josh Marshall points out, "Worried about life on earth? Don’t be. Life’s resilient and has a many hundreds of millions of years track record robust enough to handle and adapt to anything we throw at it. But the player at the top of the heap is the first to go."
  • Charles Blow has almost run out of empathy for people who haven't gotten a Covid-19 jab. Author John Scalzi takes a more nuanced view, at least distinguishing between the people who peddle the lie and those who merely buy it.
  • A research group has discovered how they can own your locked-down computer in about 30 minutes with a few tools, but at least they also tell you how to lock it down better.
  • Almost half of Amtrak's $66 billion cash infusion will go to making New York City more navigable. I want my HSR to Milwaukee, dammit!
  • Sometime last week, a Russian capsule accidentally fired a thruster, sending the International Space Station into a 540-degree roll.

Finally, long-time police reporter Radley Balko exposes the lie that keeps innocent people in jail.

Facing limitations of security software

Via Bruce Schneier, researchers have developed software that can bamboozle facial-recognition software up to 60% of the time:

The work suggests that it’s possible to generate such ‘master keys’ for more than 40% of the population using only 9 faces synthesized by the StyleGAN Generative Adversarial Network (GAN), via three leading face recognition systems.

The paper is a collaboration between the Blavatnik School of Computer Science and the school of Electrical Engineering, both at Tel Aviv.

StyleGAN is initially used in this approach under a black box optimization method focusing (unsurprisingly) on high dimensional data, since it’s important to find the broadest and most generalized facial features that will satisfy an authentication system.

This process is then repeated iteratively to encompass identities that were not encoded in the initial pass. In varying test conditions, the researchers found that it was possible to obtain authentication for 40-60% with only nine generated images.

The paper contends that ‘face based authentication is extremely vulnerable, even if there is no information on the target identity’, and the researchers consider their initiative a valid approach to a security incursion methodology for facial recognition systems.

Hey, humans have evolved for 20,000 years or longer to recognize faces, and we make mistakes all the time. Maybe security software just needs more time?

Inside the Anom phone

Via Bruce Schneier, Motherboard got ahold of a pair of Anom phones, which the FBI and Australian Federal Police used to take down a bunch of criminal networks earlier this year:

Motherboard has obtained and analyzed an Anom phone from a source who unknowingly bought one on a classified ads site. On that site, the phone was advertised as just a cheap Android device. But when the person received it, they realized it wasn't an ordinary phone, and after being contacted by Motherboard, found that it contained the secret Anom app.

After the FBI announced the Anom operation, some Anom users have scrambled to get rid of their device, including selling it to unsuspecting people online. The person Motherboard obtained the phone from was in Australia, where authorities initially spread the Anom devices as a pilot before expanding into other countries. They said they contacted the Australian Federal Police (AFP) in case the phone or the person who sold it was of interest to them; when the AFP didn't follow up, the person agreed to sell the phone to Motherboard for the same price they paid. They said they originally bought it from a site similar to Craigslist.

Anom started when an FBI confidential human source (CHS), who had previously sold devices from Phantom Secure and another firm called Sky Global, was developing their own product. The CHS then "offered this next generation device, named 'Anom,' to the FBI to use in ongoing and new investigations," court documents read.

In June the FBI and its law enforcement partners in Australia and Europe announced over 800 arrests after they had surreptitiously been listening in on Anom users' messages for years. In all, authorities obtained over 27 million messages from over 11,800 devices running the Anom software in more than 100 countries by silently adding an extra encryption key which allowed agencies to read a copy of the messages. People allegedly smuggling cocaine hidden inside cans of tuna, hollowed out pineapples, and even diplomatic pouches all used Anom to coordinate their large-scale trafficking operations, according to court documents.


That's some cool and scary shit. I'm glad they got all those criminals, but what happens when the people targeted are political dissidents? As Schneier has discussed at length, there is no such thing as a zero-trust environment.

The NSA has a sense of humor

After Fox network blowhard Tucker Carlson whined that the National Security Agency, the US intelligence service tasked with spying on communications outside the US, had tapped his phones, the agency clapped back on Twitter:

TPM's Cristina Cabrera reports, "Carlson doubled down on his accusation shortly afterward on his program, saying the NSA’s statement 'an entire paragraph of lies written purely for the benefit of the intel community’s lackeys at CNN and MSNBC.'"

The NSA is just having a bit of sport with Carlson, but one can't know for sure. First, the NSA would never admit to spying on anyone. But second, even if the NSA were spying on him, wouldn't Carlson want to know which overseas friend of his would have attracted the agency's attention, and why?

In related news, the Manhattan District Attorney appears ready to charge the Trump Organization and its CFO with tax crimes tomorrow morning. Stay tuned!

All work and dog play

Oh, to be a dog. Cassie is sleeping comfortably on her bed in my office after having over an hour of walks (including 20 minutes at the dog park) so far today. Meanwhile, at work we resumed using a bit of code that we put on ice for a while, and I promptly discovered four bugs. I've spent the afternoon listening to Cassie snore and swatting the first one.

Meanwhile, in the outside world, life continues:

And right by my house, TimeLine Theater plans to renovate a dilapidated warehouse to create a new theater space and cultural center, while a 98-year-old hardware store by Wrigley Field will soon become apartments.

Wednesday afternoon

I spent the morning unsuccessfully trying to get a .NET 5 Blazor WebAssembly app to behave with an Azure App Registration, and part of the afternoon doing a friend's taxes. Yes, I preferred doing the taxes, because I got my friend a pile of good news without having to read sixty contradictory pages of documentation.

I also became aware of the following:

Tomorrow morning, I promise to make my WebAssembly app talk to our Azure Active Directory. Right now, I think someone needs a walk.

The world still spins

As much fun as Cassie and I have had over the last few days, the news around the world didn't stop:

Finally, journalist Jack Lieb filmed D-Day using a 16mm home movie camera, which you can see on the National Archives blog. It's really cool.

Ransomware in the news

I've just received my third nearly-identical fake DMCA takedown notice, which I may decide to turn over to the FBI if I can muster the shits to give. I find it funny how each one of them has a few differences that make them look like something other than lazy script-kiddie stuff. This one again misstated the statutory damage limits for willful copyright infringement, and the randomly-generated name of the "claimant" was no less bizarre than the other two. And yet I wonder why they bothered altering the bits they altered. Maybe there are multiple entities involved, with each email coming from a different person or group? Maybe they have some low-paid flunky typing in the note each time, so I'm watching its slow drift from a semi-competent DMCA notice into the digital equivalent of "hodor?"

This one bounced through an IP address in New York State, which means my previous guess that this was a domestic script-kiddie operation might be wrong. For one thing, the threatening language has a few tells that its author doesn't speak English natively. I had originally thought the author merely wanted to sound more convincing by using stock phrases and "magic" legal words, but now that I've seen three examples of the same basic text, it looks more like Russian-inflected English. In any event, I wave my private parts at their aunties.

Both the New Yorker and New York Times published reports over the weekend about crap like this. In the first, Rachel Monroe talked with ransomware negotiator Kurt Minder about negotiating with criminals:

For the past year, Minder, who is forty-four years old, has been managing the fraught discussions between companies and hackers as a ransomware negotiator, a role that didn’t exist only a few years ago. The half-dozen ransomware-negotiation specialists, and the insurance companies they regularly partner with, help people navigate the world of cyber extortion. But they’ve also been accused of abetting crime by facilitating payments to hackers. Still, with ransomware on the rise, they have no lack of clients. Minder, who is mild and unpretentious, and whose conversation is punctuated by self-deprecating laughter, has become an accidental expert.

Hackers use various techniques to gain access to a company’s computers, from embedding malware in an e-mail attachment to using stolen passwords to log in to the remote desktops that workers use to connect to company networks. Many of the syndicates are based in Russia or former Soviet republics; sometimes their malware includes code that stops an attack on a computer if its language is set to Russian, Belarusian, or Ukrainian.

When Minder founded GroupSense, in Arlington, Virginia, in 2014, the cybersecurity threat on everyone’s mind was data breaches—the theft of consumer data, like bank-account information or Social Security numbers. Minder hired analysts who spoke Russian and Ukrainian and Urdu. Posing as cybercriminals, they lurked on dark-Web marketplaces, seeing who was selling information stolen from corporate networks. But, as upgrades to security systems made data breaches more challenging, cybercriminals increasingly turned to ransomware.

Early last year, GroupSense found evidence that a hacker had broken into a large company. Minder reached out to warn it, but a server had already been compromised. The hacker sent a ransom note to the company, threatening to release its files. The company asked Minder if he would handle the ransom negotiations. Initially, he demurred—“It never occurred to me as a skill set I had,” he said—but eventually he was persuaded.

The profile on Minder dovetailed with the Times' collaboration with a criminal named Woris who gave the paper access to the tools gangs use to launch ransomware attacks:

The Times gained access to the internal “dashboard” that DarkSide customers used to organize and carry out ransom attacks. The login information was provided to The Times by a cybercriminal through an intermediary. The Times is withholding the name of the company involved in the attack to avoid additional reprisals from the hackers.

Access to the DarkSide dashboard offered an extraordinary glimpse into the internal workings of a Russian-speaking gang that has become the face of global cybercrime. Cast in stark black and white, the dashboard gave users access to DarkSide’s list of targets as well as a running ticker of profits and a connection to the group’s customer support staff, with whom affiliates could craft strategies for squeezing their victims.

In the chat log viewed by The Times, a DarkSide customer support employee boasted to Woris that he had been involved in more than 300 ransom attacks and tried to put him at ease.

“We’re just as interested in the proceeds as you are,” the employee said.

Together, they hatched the plan to put the squeeze on the publishing company, a nearly century-old, family-owned business with only a few hundred employees.

In addition to shutting down the company’s computer systems and issuing the pedophile threat, Woris and DarkSide’s technical support drafted a blackmail letter to be sent to school officials and parents who were the company’s clients.

The Russian government allows this to happen because (a) Russian President Vladimir Putin loves annoying the West, and (b) it seems obvious after two seconds of thought that Russian government officials are probably on the take.

All of this gets so exhausting, doesn't it? Simple economics demonstrates the inevitability of theft. It imposes a tax on everyone else, both financially (it costs money to set up good security) and mentally (I will never get back the hour I spent investigating the bogus DMCA notices). At some point, though, it just becomes easier to tolerate a certain level of theft than to build a squirrel-proof bird feeder.