tag:blogger.com,1999:blog-7617793329353943789 updated 2024-03-16T11:53:09.461-07:00 The Truth Imperative, Jason Axley, http://www.blogger.com/profile/05804748043244078290, noreply@blogger.com
tag:blogger.com,1999:blog-7617793329353943789.post-8707119707169514733 published 2021-04-27T07:59:00.008-07:00, updated 2021-04-27T07:59:53.516-07:00
<h3>Update: Google Play store not taking advantage of Safe Browsing data to inform risk of apps in the store</h3>
<p>I realized that I had never closed the loop on the flaw I discovered in the Google Play store years back.</p><p>I had discovered a missed opportunity for Google's own Safe Browsing
information to inform the Google Play machine learning to detect
suspicious mobile applications and alert users or block those apps and
potentially force them through a human review cycle to verify them.<br /><br />During
an incident at JP Morgan Chase, we were alerted to a malicious banking
application in the Google Play store targeting JP Morgan Chase
customers. The URL in the Google Play application listing was correctly
flagged by Google's own Safe Browsing API as malicious. However,
Google's Android app review did not consider this information when
deciding to allow the application to be published. Nor did Google Play
take advantage of this information to flag the app for review or
unpublish it or even warn users that the application may be suspicious
due to its association with the malicious URL.<br /><br />Google chose not to fix this. Closed as "Won't Fix (Infeasible)" ¯\_(ツ)_/¯</p><p>It's no surprise to still see articles like this 5 years later, <a href="https://www.pcmag.com/news/study-reveals-googles-play-store-is-main-distributor-of-malicious-apps" target="_blank">Google Play Store Is Main Distributor of Malicious Apps, Study Reveals.</a> (2020, November 12) and this one from just *yesterday* <a href="https://www.silicon.co.uk/mobility/smartphones/google-play-malware-etinu-394150" target="_blank">Malware From Google Play Store Infects 700,000 Users</a>. (2021, April 26)</p><p>Their official Android safety page has this gem: </p><p></p><blockquote>Google Play Protect helps you download apps without worrying if they’ll
hurt your phone or steal data. We carefully scan apps every day, and if
we detect a bad one, we’ll let you know and tell you what to do next.
And we study how it works. Because everything we learn improves the way
we screen apps. So you stay safer.<br /><a href="https://www.android.com/safety/">https://www.android.com/safety/</a><br /></blockquote> Well, they're not using "everything we learn" to "improve the way we screen apps".<p>My original questions to the Android team are still unanswered:</p><ul style="text-align: left;"><li>Is the Google Play store taking advantage of Safe Browsing API data to
identify risky appstore apps?</li><li>Is it able to flag app uploads that match
risky Safe Browsing data and block them from the appstore unless there
is human review, for example? </li><li>Is it able to hide or flag applications
that are already in the Appstore so that unsuspecting users do not
unwittingly install a likely malicious application associated with
unsavory sites?</li></ul><p>My original writeup:<br /></p><p>Google Play + Safe Browsing = Safer Android Mobile Ecosystem. (2015, April 7). Retrieved from <a href="https://truthimperative.axley.net/2015/04/google-play-safe-browsing-safer-android.html">https://truthimperative.axley.net/2015/04/google-play-safe-browsing-safer-android.html</a><br /></p>
Jason Axley, http://www.blogger.com/profile/05804748043244078290, noreply@blogger.com, comments: 1
tag:blogger.com,1999:blog-7617793329353943789.post-65017706652895864 published 2015-04-07T13:54:00.001-07:00, updated 2015-04-07T13:54:48.900-07:00
<h3>Google Play + Safe Browsing = Safer Android Mobile Ecosystem</h3>
A recent incident at my work came to my attention involving a takedown request for an unauthorized app in Google Play using my company's brand. This happens often in appstores all over the world, which is why having brand protection monitoring for these is really critical. It is all too easy for these to slip into even legitimate appstores like Google Play.<br />
<br />
One thing I noticed when I was investigating this incident was that the Google Play application page has a section that allows a developer to specify a website link, labelled "Visit Website". <br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhih17vRlxjvlthX10C5rwpQcAEGRh1u1wc2XI9nfWUDQDtcPYuhu-iWSKWu5pKtQp4Ghn0SlzIryTvHw32vUAdHxNYoJSx5ONWOjEZJPPKRobagNhqXTcemRf2xU2XXedAeA6x8TdteiOi/s1600/googleplay-visitwebsite.tiff" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhih17vRlxjvlthX10C5rwpQcAEGRh1u1wc2XI9nfWUDQDtcPYuhu-iWSKWu5pKtQp4Ghn0SlzIryTvHw32vUAdHxNYoJSx5ONWOjEZJPPKRobagNhqXTcemRf2xU2XXedAeA6x8TdteiOi/s1600/googleplay-visitwebsite.tiff" height="188" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Google Play app metadata, including Visit Website</td></tr>
</tbody></table>
<br />
I happened to notice that the website link for the application in question also included our brand/company name in the URL. I wanted to visit it to see what else I could learn from what they had on that site. When I clicked on the link, however, it went through a redirect at Google (e.g. https://www.google.com/url?q=http://example.example.com) where Google <a href="https://www.google.com/transparencyreport/safebrowsing/">Safe Browsing</a> actually flagged the URL as a phishing site.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi01-4dWM_vy5GXv6feGFmE-c7ocD0IUuwQBIXsKEB3LfRrLvqX8IxxJ7LIUTfFxGq_Xa5S2CZ7zHUChWcHeWhtp6RdpxCZJk1tgfTmdFsHgZD_i7RaY4-9NiI27SE3fFjBvaB7EvufUXAQ/s1600/phishing-warning-google.tiff" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi01-4dWM_vy5GXv6feGFmE-c7ocD0IUuwQBIXsKEB3LfRrLvqX8IxxJ7LIUTfFxGq_Xa5S2CZ7zHUChWcHeWhtp6RdpxCZJk1tgfTmdFsHgZD_i7RaY4-9NiI27SE3fFjBvaB7EvufUXAQ/s1600/phishing-warning-google.tiff" height="127" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Google phishing warning</td></tr>
</tbody></table>
Which made me wonder - if Google's left hand (Safe Browsing) has knowledge of a suspected phishing site, shouldn't that inform Google's right hand (Google Play) that any application tied to such a URL is also potentially untrustworthy? Essentially, if trust can propagate transitively, then the opposite (suspicion / risk) should also propagate transitively. If you take this even further, you should propagate that suspicion through a graph from the app containing the suspicious link up to the developer of the app and then back down to any other app that developer has associated with them in Google Play. This would be something that would be easily automated given the description of the machine learning in the <a href="https://static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf">Google Android Security 2014 Report</a> already done to analyze applications:<br />
<blockquote class="tr_bq">
"Google’s
systems use machine learning to see patterns and make connections that humans would not. Google
Play analyzes millions of data points, asset nodes, and relationship graphs to build a high-precision
security-detection system."</blockquote>
I would then imagine Google Play could take one or more of several actions when a listing's URL scores badly enough in Safe Browsing:<br />
<br />
<ol>
<li>Apps or developers and their apps could be delisted from Google Play until a human has reviewed the URL and app in more detail. Google <a href="http://android-developers.blogspot.com/2015/03/creating-better-user-experiences-on.html">announced just last month</a> they are going to be augmenting human review of apps in Google Play so this would dovetail with those efforts.</li>
<li>Google Play could and should include clear, usable UI warnings for users searching and browsing apps about the suspicion/risk so that they can make informed trust decisions.</li>
<li>Google Play's Verify Apps feature could further come into play if apps are confirmed malware/badware/Potentially Harmful Apps (PHAs), to warn users who may have already installed such an application or to block the app. This would also seem to dovetail with other <a href="http://googleonlinesecurity.blogspot.com/2015/04/android-security-state-of-union-2014.html">recently-announced efforts</a> in their <a href="https://static.googleusercontent.com/media/source.android.com/en/us/devices/tech/security/reports/Google_Android_Security_2014_Report_Final.pdf">Google Android Security 2014 Report</a> to help crack down on these kinds of applications in the Android ecosystem.</li>
</ol>
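As an added illustration of the transitive-suspicion idea and the graduated responses listed above (example code written for this page, not anything Google Play actually runs), the following Python propagates a Safe Browsing verdict from a listing's website to the app, from the app to its developer, and then at reduced weight to the developer's other apps, and maps the resulting score onto an action. The verdict table, package names, developer ids, thresholds and the 0.5 sibling decay are all constructed assumptions.

```python
"""Propagate Safe Browsing suspicion through an app/developer graph.

Added example for this post; not Google code. All data below is constructed.
"""
from collections import defaultdict

# Hypothetical Safe Browsing lookup results keyed by the listing's "Visit Website" URL.
# None means "no threat found"; a string is the threat type the lookup returned.
SAFE_BROWSING_VERDICTS = {
    "http://bank-login.example": "SOCIAL_ENGINEERING",  # flagged as phishing
    "http://dev-a-site.example": None,
    "http://puzzles.example": None,
}

# Hypothetical store listings: package -> developer id and listed website.
APP_LISTINGS = {
    "com.example.fakebank":   {"developer": "dev-a", "website": "http://bank-login.example"},
    "com.example.wallpapers": {"developer": "dev-a", "website": "http://dev-a-site.example"},
    "com.example.puzzle":     {"developer": "dev-b", "website": "http://puzzles.example"},
}

DIRECT = 1.0          # score for an app whose own website is flagged
SIBLING_DECAY = 0.5   # assumed weight for suspicion inherited via the developer


def propagate_suspicion(listings, verdicts, sibling_decay=SIBLING_DECAY):
    """Return (app_scores, developer_scores), each mapping id -> score in [0, 1].

    Step 1: an app whose listed website is flagged scores DIRECT.
    Step 2: a developer inherits the maximum score over their apps.
    Step 3: each of that developer's other apps inherits the developer's
            score scaled by sibling_decay (never lowering an existing score).
    """
    app_scores = {}
    for app, meta in listings.items():
        app_scores[app] = DIRECT if verdicts.get(meta["website"]) else 0.0

    dev_scores = defaultdict(float)
    for app, meta in listings.items():
        dev = meta["developer"]
        dev_scores[dev] = max(dev_scores[dev], app_scores[app])

    for app, meta in listings.items():
        inherited = dev_scores[meta["developer"]] * sibling_decay
        app_scores[app] = max(app_scores[app], inherited)

    return app_scores, dict(dev_scores)


def recommended_action(score, review_threshold=1.0, warn_threshold=0.5):
    """Map a suspicion score onto one of the responses discussed above."""
    if score >= review_threshold:
        return "hold-for-human-review"   # delist until a human has looked at it
    if score >= warn_threshold:
        return "warn-in-listing"         # surface the risk to browsing users
    return "none"


def triage(listings=APP_LISTINGS, verdicts=SAFE_BROWSING_VERDICTS):
    """Return ({app: (score, action)}, {developer: score}) for the given graph."""
    app_scores, dev_scores = propagate_suspicion(listings, verdicts)
    actions = {app: (round(s, 2), recommended_action(s)) for app, s in app_scores.items()}
    return actions, dev_scores


if __name__ == "__main__":
    actions, devs = triage()
    for app, (score, action) in actions.items():
        print(f"{app:28} score={score:.2f} action={action}")
    for dev, score in devs.items():
        print(f"developer {dev:10} score={score:.2f}")
```

With the constructed data, the app whose website is flagged is held for review, its developer's other app is only warned about, and the unrelated developer's app is untouched. The third response in the list (Verify Apps warning users who already installed the app) is deliberately not automated here, since the post reserves it for apps confirmed as PHAs after review.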
Jason Axley, http://www.blogger.com/profile/05804748043244078290, noreply@blogger.com, comments: 0
tag:blogger.com,1999:blog-7617793329353943789.post-9004117354009981451 published 2015-03-16T20:52:00.004-07:00, updated 2015-03-16T20:52:54.284-07:00
<h3>Beating The Open-Source-Is-More-Secure Straw-Man</h3>
Given all of the serious security flaws in open source software lately, such as OpenSSL, it has become a common move for posters to use the open source hack-du-jour as a counterexample to a purported claim that "open source software is more secure" than proprietary software. And I just saw it come up again the other day:<br />
<blockquote class="twitter-tweet" lang="en">
Thank you OpenSSL for the one word answer when people claim open source software is secure.<br />
— Ryan Lackey (@octal) <a href="https://twitter.com/octal/status/577125881669283840">March 15, 2015</a></blockquote>
The problem with these statements is it seems to be a rampant <a href="http://www.nizkor.org/features/fallacies/straw-man.html">straw-man</a>. When I see them come up, I wonder, "Who in the world is actually making the positive claim that open source software is, in fact, more secure than proprietary software?" Is someone actually making these claims that are being "countered"? On what basis could they even make such a claim?<br />
<br />
So, I started to search for specific examples of specific individuals making this specific claim that "open source" is "more secure" and I found it more common to claim someone believes this than to cite actual examples.<br />
<br />
I've found a lot of discussion of the topic, such as this treatment from David A Wheeler, <a href="http://www.dwheeler.com/secure-class/Secure-Programs-HOWTO/open-source-security.html">"Is Open Source Good for Security?"</a> But even in those discussions, nobody quotes a specific person making this specific claim. Is everyone arguing with a straw man? Many articles have been written to debunk this "myth" of software security (this yields <a href="https://www.google.com/webhp?q=myth+of+open+source+security">over 2 million hits</a> in Google), yet not a single one seems to cite a source showing that this is even a myth at all. The best I found was John Viega's piece from 2004, <a href="http://www.onlamp.com/pub/a/security/2004/09/16/open_source_security_myths.html">"Open Source Security: Still a Myth"</a>, in which he refers to nameless people he has encountered who believe this, with David A Wheeler as the only named proponent: <a href="http://www.dwheeler.com/oss_fs_why.html#security">"Why Open Source Software / Free Software (OSS/FS, FOSS, or FLOSS)? Look at the Numbers!"</a> <br /><br />Much of the genesis appears to be an extrapolation of Eric S Raymond's famous <a href="http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/index.html">assertion </a>that, "given enough eyeballs, all bugs are shallow", which certainly does not seem to hold up in the general software defect case, let alone for security defects. I'm not sure how many actually believe that this is true in general these days, or even whether it is common for the average developer to believe that it leads to better security. From my searching, it certainly does not seem to be a common "myth" promulgated by open source promoters; it is more the detractors who promote it as a myth.<br /><br />Anyone know who the main proponents of this "myth" are these days? 
Why aren't they called out in articles?
Jason Axley, http://www.blogger.com/profile/05804748043244078290, noreply@blogger.com, comments: 0
tag:blogger.com,1999:blog-7617793329353943789.post-1589813690934386494 published 2014-08-20T21:38:00.000-07:00, updated 2014-08-20T21:38:28.005-07:00
<h3>Free Community For Youth lunch that will feed your soul</h3>
<h3>
Community For Youth changes lives. I know -- it's changed mine! </h3>
<b><u>Personal Integrity</u></b>. The CFY curriculum and <a href="http://communityforyouth.org/cfy/programs/">core values</a> have challenged the students in the community as well as mentors like me to be our best selves. When I started, I didn't challenge myself with clear life goals and share them with others. I was too afraid of opening myself up to the shame of failure. However, through CFY, I've come to learn that sharing goals with a powerful community that can support you is exactly what can actually <i>increase </i>your chances of success. You learn to be more accountable to yourself by being accountable to a supportive community. And this has bled over into my daily life so much that even for small commitments, I maintain personal integrity. "Darn, I did say that I was going to bike to work tomorrow. Guess I have to suck it up and do it."<br />
<br />
<u style="font-weight: bold;">Authenticity.</u> I didn't realize how much compartmentalization went on in my head regarding how I presented myself to others. We learn together how much more pleasant it is to be your own true self and how much richer your connections are when you are not holding back, censoring yourself unnecessarily, or trying to be someone you are not. "You let your students see your Facebook posts?" Sure. What I post and what I believe are important to me and I only share what interests me. Who I am or what I believe should not be something that I have to parcel out in small doses to particular people. It's much freer to just be myself. How do people know they have something in common if they don't share of themselves anyway? <br />
<br />
<b><u>Vulnerability</u></b>. I felt somewhat comfortable in front of crowds of strangers, talking about something abstract or technical. But CFY challenged everyone, including mentors, to share openly as your true authentic self. "Get comfortable with being uncomfortable", we say. That was initially a very difficult thing for me to get used to: "You want me to talk about personal things...in front of everyone?" But you quickly find that, as social animals, human relationships are strengthened by vulnerability because it cuts through the pretense and superficiality that we often use when interacting with others -- that's not authentic and it shields you from truly connecting with others on a deeper level. Oh, and one of the biggest ways this has always manifested itself in my life is my reluctance to ask for help and instead go it alone. I've definitely gotten better at realizing when I need help -- not perfect -- but better.<br />
<br />
There are many, many other ways that I've changed. And I have seen my students and other students change as well because of CFY. It truly does change your life and, although you don't always get direct evidence of it, the students' lives are changed as well.<br />
<br />
The most moving experience of a transformation I can recall from my 8 years with CFY was when a student who had been <i>paralyzed </i>by fear when speaking in front of crowds was encouraged to perform her spoken word poetry in front of the whole community at one of our weekend retreats. It took her a while to warm up to the idea and when she started speaking, my jaw <i>dropped</i>. She gradually transformed into a confident young woman creatively and boldly expressing herself through her words -- compelling us to feel them as she felt them. She said later that she was incredibly nervous but honestly I had no idea. You could hear a pin drop in that room. Everyone was <u>blown away</u> in rapt attention. That was a turning point for her. From that point, she was able to challenge herself more and grow into a real leader with things to say and express with less and less fear. Truly inspiring.<br />
<br />
That kind of growth and those moving experiences are among the most rewarding aspects. But even the challenges are rewarding. You are faced with situations, and kids in situations, that you never had to face in your life. Sometimes you're thinking, "What the f* do I do with that?" But you have a supportive community to help find ways of dealing with those situations. Then that experience of tackling and possibly overcoming that challenge just makes you more ready for the next challenge in your own life.<br />
<h3>
Share in the Community Experience</h3>
<div>
This upcoming year will mark 9 years as a mentor with <a href="http://www.communityforyouth.org/">Community For Youth </a>(CFY). It is impossible to sum up the impact that CFY has had on the community, the students it serves, and the mentors (especially myself) in a simple blog post. But there is a far better opportunity coming up that I hope you take me up on: come have a free lunch in downtown Seattle on September 30th and learn about CFY, hear from the 2013-2014 mentors of the year, and on top of that, hear from Seahawks wide receiver Doug Baldwin.<br />
<br />
The lunch is an opportunity for those who might know that I'm involved with Community For Youth but may not quite know what it's all about. I absolutely love CFY and would appreciate any opportunity to share my experiences for others to see how impactful the program is. You can sign up at <a href="http://www.communitylunch.com/">www.communitylunch.com</a> and <i>join me at my table</i>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://communityforyouth.org/wp-content/uploads/2011/10/CommunityLunch.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://communityforyouth.org/wp-content/uploads/2011/10/CommunityLunch.gif" height="320" width="232" /></a></div>
<br />
<h3>
Get inspired</h3>
In a student's own words, on the importance of CFY to their life.<br />
<blockquote class="tr_bq">
"I appreciate the work that everyone has contributed in one way or another, to keep this program alive. Because there are teenagers like me, who need people, even if it’s just one person, to believe in them." - See more at: <a href="http://communityforyouth.org/2013/04/my-introduction-to-cfy/#sthash.Xk9ZikAj.dpuf">http://communityforyouth.org/2013/04/my-introduction-to-cfy/#sthash.Xk9ZikAj.dpuf</a></blockquote>
Even if you can't join, you should take some time to watch this 12-minute video to learn about who we serve from the students and mentors that are part of this powerful community. And if you're feeling moved or generous or both, you can head on over and <a href="http://communityforyouth.org/get-involved/donate-now/">donate </a>to Community For Youth too!<br />
<iframe allowfullscreen="" frameborder="0" height="281" mozallowfullscreen="" src="//player.vimeo.com/video/17281382" webkitallowfullscreen="" width="500"></iframe> <br />
<a href="http://vimeo.com/17281382">Community For Youth</a> from <a href="http://vimeo.com/user5242243">Greg Hay</a> on <a href="https://vimeo.com/">Vimeo</a>.</div>
Jason Axley, http://www.blogger.com/profile/05804748043244078290, noreply@blogger.com, comments: 0
tag:blogger.com,1999:blog-7617793329353943789.post-1307122100107416375 published 2014-04-17T15:05:00.001-07:00, updated 2014-04-17T15:05:10.868-07:00
<h3>iOS clients not vulnerable to Heartbleed. What does the source say?</h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcNybwPDbliI0-YM3k5BZc4bf5RA58iMCCdsXF69Exp6yjpzzLZKWnreIpkneKEmOPnLsaw8TUS6eJBLrMOiXqseN-02QnV8Gr_4Ua1OxtdCrT5A_DKza1fyPI9Y4NcbZmRLcGmkvZnVS8/s1600/heartbleed.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcNybwPDbliI0-YM3k5BZc4bf5RA58iMCCdsXF69Exp6yjpzzLZKWnreIpkneKEmOPnLsaw8TUS6eJBLrMOiXqseN-02QnV8Gr_4Ua1OxtdCrT5A_DKza1fyPI9Y4NcbZmRLcGmkvZnVS8/s1600/heartbleed.png" height="200" width="165" /></a></div>
<br />
<br />
Apple's language in their assertion that they are not vulnerable to Heartbleed on iOS is troubling, as they specifically say (via <a href="http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not-affected-by-heartbleed-security-flaw/">ReCode</a>), "IOS and OS X never incorporated the vulnerable software..." However, not incorporating the vulnerable OpenSSL software is merely one way that their customers could have been made vulnerable. What about Apple's own SSL/TLS implementation? Has anyone checked it? Did they incorporate <a href="https://tools.ietf.org/html/rfc6520">RFC 6520</a> for heartbeat support? I couldn't find anything on Google, so I figured I would share what I found.<br />
<br />
Since the Apple SSL library code is open sourced, we can actually look at the code. <!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267">
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:Calibri;
mso-fareast-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
</style>
<![endif]-->Based on my read of the code, Apple's own TLS stack (Secure Transport, libsecurity_ssl) doesn't implement the heartbeat extension at all. <a href="http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshake.h">http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshake.h</a> doesn't even define the <a href="https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#tls-extensiontype-values-1">heartbeat hello extension type, code 15</a>, in its extension enum:<br />
<br />
<pre><span class="enscript-comment">/* Hello Extensions per RFC 3546 */</span>
<span class="enscript-type">typedef</span> <span class="enscript-type">enum</span>
{
SSL_HE_ServerName = 0,
SSL_HE_MaxFragmentLength = 1,
SSL_HE_ClientCertificateURL = 2,
SSL_HE_TrustedCAKeys = 3,
SSL_HE_TruncatedHMAC = 4,
SSL_HE_StatusReguest = 5,
<span class="enscript-comment">/* ECDSA, RFC 4492 */</span>
SSL_HE_EllipticCurves = 10,
SSL_HE_EC_PointFormats = 11,
<span class="enscript-comment">/* TLS 1.2 */</span>
SSL_HE_SignatureAlgorithms = 13,
<span class="enscript-comment">/* RFC 5746 */</span>
SSL_HE_SecureRenegotation = 0xff01,
<span class="enscript-comment">/*
* This one is suggested but not formally defined in
* I.D.salowey-tls-ticket-07
*/</span>
SSL_HE_SessionTicket = 35
} SSLHelloExtensionType;</pre>
<br />
Then in the implementation <a href="http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshakeHello.c">http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslHandshakeHello.c</a>, the ServerHello extension handler acts on exactly one extension, SSL_HE_SecureRenegotation. Every other extension type, heartbeat included, falls through to the default case and is silently ignored rather than rejected; the comment itself admits that RFC 5246 requires erroring out on any extension the client didn't offer, and that duplicate extensions should abort the handshake, but the code does neither:<br />
<br />
<pre> <span class="enscript-keyword">switch</span> (extType) {
<span class="enscript-keyword">case</span> <span class="enscript-reference">SSL_HE_SecureRenegotation</span>:
<span class="enscript-keyword">if</span>(got_secure_renegotiation)
<span class="enscript-keyword">return</span> errSSLProtocol; <span class="enscript-comment">/* Fail if we already processed one */</span>
got_secure_renegotiation = true;
SSLProcessServerHelloExtension_SecureRenegotiation(ctx, extLen, p);
<span class="enscript-keyword">break</span>;
<span class="enscript-reference">default</span>:
<span class="enscript-comment">/*
Do nothing for other extensions. Per RFC 5246, we should (MUST) error
if we received extensions we didnt specify in the Client Hello.
Client should also abort handshake if multiple extensions of the same
type are found
*/</span>
<span class="enscript-keyword">break</span>;
}</pre>
So, it appears from the library code that Secure Transport would not be vulnerable to this bug at all: it never negotiates the heartbeat extension, so the heartbeat messages this bug depends on never come into play. That conclusion covers Apple's own TLS stack only; an application that ships its own TLS library is a separate question. Jason Axleyhttp://www.blogger.com/profile/05804748043244078290noreply@blogger.com0tag:blogger.com,1999:blog-7617793329353943789.post-6999151666660295912014-04-13T22:27:00.003-07:002014-04-13T22:27:42.719-07:00Using VNC to securely connect to OSX without exposing an unlocked consoleI couldn't believe how supremely difficult it is to <i><b>securely</b></i> use VNC to access an OSX mac remotely. Turns out that by default, using a standard VNC client (as opposed to an Apple Remote Desktop client) does not afford you an option to have the physical console lock when someone connects to the VNC server. Some third-party clients make this an option, but all that I could find were paid VNC clients that support it. It is somewhat ridiculous that this setting is left to the <i>client</i> rather than enforced on the <i>server</i>, but I digress...<br />
<br />
I tried a few things suggested, such as enabling the screen saver or screen blanker, but those did not solve the problem as they did not differentiate between the VNC session and the physical desktop session so applied equally (the only states that were valid were either both unlocked or both locked). Other options people suggested were to just turn the screen brightness all the way down. This is security through obscurity though (the display is still unlocked and anyone who can get to your mouse/keyboard could mess with your computer, they just would be blind to what's on the screen). It also seems problematic for usability (imagine you turn the brightness down and then come into the office the next day; how are you supposed to see the screen when you login if the brightness is still forced to the minimum?)<br />
<br />
The solution I found that had the right security and usability properties was to use fast user switching + the Vine VNC Server. This enables you to have a different set of content on the physical display from what you see remotely on VNC. Unfortunately, fast user switching with the Apple VNC "Screen sharing" server doesn't work. It mirrors your display exactly to the VNC display so does not allow you to have separate physical and remote displays. I presume that's why it has a name like "Screen sharing". It's also not surprising that this doesn't quite work as well outside of the Apple monoculture.<br />
<ol>
<li><a href="http://www.testplant.com/dlds/vine/">Download</a> and install <a href="http://www.testplant.com/eggplant/testing-tools/vine-vnc-for-mac/">Vine VNC Server</a></li>
<li>Enable Fast User Switching on the mac</li>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4REb84SxkuOESzarA51wAKP9WplAajmRJ1_oTkqXD6audYJSjD6tRh42yYOa6hWNB4HQnFcdPfS6M_PJ7-AuR6u7RVf9_qE5d9gP-sjRR6FZv3AmYcN4EdV_Zvby7R0X6cH8ou3cseuEW/s1600/FastUserSwitching.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4REb84SxkuOESzarA51wAKP9WplAajmRJ1_oTkqXD6audYJSjD6tRh42yYOa6hWNB4HQnFcdPfS6M_PJ7-AuR6u7RVf9_qE5d9gP-sjRR6FZv3AmYcN4EdV_Zvby7R0X6cH8ou3cseuEW/s1600/FastUserSwitching.png" height="301" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Enable fast user switching on OSX Mavericks</td></tr>
</tbody></table>
<li>Connect to Vine VNC Server on OSX with any VNC client (e.g. on port 5901). I configure Vine to require SSH so it doesn't listen to any remote port and requires SSH port tunneling to use it. Less attack surface.</li>
<li>Go to the fast user switching menu and select "Login Window..." When you do this, the physical display will change to the login screen but the VNC window will remain unlocked and functional, as desired.</li>
</ol>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5e4YrFvhCjDuzrNudQ5RQxrpKgzs8UL21rwjw4rW7T33OIvJ4ejQIZs7oaQsDngB44x7nC9xMbTJYb4Q7O20Wp6v15UzYIBTRUEKjukdiMkaX2WBW_y92ygdDxdoSgkgGcxwFRrlpljW1/s1600/SwitchToLoginWindow.png" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5e4YrFvhCjDuzrNudQ5RQxrpKgzs8UL21rwjw4rW7T33OIvJ4ejQIZs7oaQsDngB44x7nC9xMbTJYb4Q7O20Wp6v15UzYIBTRUEKjukdiMkaX2WBW_y92ygdDxdoSgkgGcxwFRrlpljW1/s1600/SwitchToLoginWindow.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Switch to login screen</td></tr>
</tbody></table>
<div>
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
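Step 3 above relies on Vine only being reachable through an SSH tunnel, which is worth verifying rather than trusting a checkbox. Here is an added example (not from the original post) that builds the ssh port-forward command for that setup and checks, from <code>netstat -an</code> output, that port 5901 is bound to loopback only. The user and host names are placeholders and the netstat samples are constructed.

```python
"""SSH tunnel for a loopback-only Vine VNC server, plus a check that the VNC
port is not reachable from other hosts.

Added example, not from the original post. User/host names are placeholders
and the netstat samples are constructed.
"""
import re
import subprocess

VNC_PORT = 5901          # Vine's default display :1


def tunnel_argv(user: str, host: str, local_port: int = VNC_PORT) -> list:
    """ssh command that forwards local_port to the Mac's loopback VNC port and runs nothing else.

    With Vine set to require SSH this tunnel is the only way in; the VNC client
    then connects to localhost:<local_port>.
    """
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes",
            "-L", f"{local_port}:127.0.0.1:{VNC_PORT}", f"{user}@{host}"]


def open_tunnel(user: str, host: str, local_port: int = VNC_PORT) -> subprocess.Popen:
    """Start the forward in the background; terminate() the returned process when done."""
    return subprocess.Popen(tunnel_argv(user, host, local_port))


# `netstat -an` listener lines: macOS prints "127.0.0.1.5901", Linux "0.0.0.0:5901".
_LISTEN_LINE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN", re.M)
_ADDR_PORT = re.compile(r"^(.*)[.:](\d+|\*)$")
_LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def listeners(netstat_output: str) -> list:
    """(address, port) for every TCP listener in `netstat -an` output."""
    found = []
    for local in _LISTEN_LINE.findall(netstat_output):
        addr, port = _ADDR_PORT.match(local).groups()
        if port != "*":
            found.append((addr, int(port)))
    return found


def vnc_exposed(netstat_output: str, port: int = VNC_PORT) -> list:
    """Addresses on which the VNC port accepts connections from off-box; empty is the goal."""
    return [addr for addr, p in listeners(netstat_output)
            if p == port and addr not in _LOOPBACK]


# Constructed samples of `netstat -an` output on the Mac.
SAMPLE_NETSTAT_SAFE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.5901         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
"""
SAMPLE_NETSTAT_EXPOSED = """\
tcp4       0      0  *.5901                 *.*                    LISTEN
tcp6       0      0  *.5901                 *.*                    LISTEN
"""

if __name__ == "__main__":
    print(" ".join(tunnel_argv("alice", "mac.example.net")))
    for label, sample in (("safe", SAMPLE_NETSTAT_SAFE), ("exposed", SAMPLE_NETSTAT_EXPOSED)):
        print(f"{label}: VNC reachable from off-box on {vnc_exposed(sample) or 'nothing'}")
```

Run <code>netstat -an | grep 5901</code> on the Mac and feed the output to <code>vnc_exposed()</code>; anything other than an empty list means Vine is listening on a real interface and the SSH requirement is not doing what you think.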
Jason Axleyhttp://www.blogger.com/profile/05804748043244078290noreply@blogger.com0tag:blogger.com,1999:blog-7617793329353943789.post-24398132917695069902014-04-13T22:22:00.001-07:002014-04-13T22:22:25.263-07:00I get an IRS scam voice-mailHad to share this hilarious voice-mail I received from an IRS scammer (happened to come in with Unknown caller ID -- I read online that others had been spoofing US phone numbers for caller ID in the past). The transcript does not do it justice. I laughed out loud when I heard the phrase, "and you get arrested" as that is precisely what one would expect to hear from the IRS.<br />
<br />
<br />
They actually tried calling me back and I got to talk to one of the people that afternoon, but my crummy cell service in my office resulted in the call dropping before I could chat with them too much. I told them that I didn't believe them that they were from the IRS. Maybe they'll call back again this week?
<br />
<br />
I plan on reporting it, as suggested. Head over to the IRS <a href="http://www.irs.gov/uac/Tax-Fraud-Alerts">Tax Fraud Alerts</a> page. Perhaps the best channel will be via their <a href="http://www.irs.gov/uac/Report-Phishing">Phishing</a> page. The <a href="http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam">IRS warning</a> regarding this scam provides some information, but there are of course no direct links to report the issue. I wonder if the 20,000 that reported it are a small fraction of those victimized, since it's so difficult to find a way to report it? They also suggest lodging a complaint with the FTC, but there too it is hard to work out how to categorize the report.<br />
<br />
See also: <span style="background-color: #eeeeee; color: #333333; font-family: Arial, helvetica, sans-serif; font-size: 12px;">"IRS monitor: $1 million phone scam 'largest ever' - Mar. 20, 2014 ." Last modified 04/14/2014 05:10:31. <a href="http://money.cnn.com/2014/03/20/pf/taxes/irs-phone-scam/">http://money.cnn.com/2014/03/20/pf/taxes/irs-phone-scam/</a> (accessed 4/13/2014).</span><br />
<br />
<audio controls="">
<source src="https://sites.google.com/a/axley.net/truthimerative-media/mp3/IRS-scam-voicemail.mp3" type="audio/mpeg"></source>
Upgrade your browser. It should really support HTML5 audio.
</audio>
<br />
<h2>
Transcript</h2>
<blockquote class="tr_bq">
Good morning. This is Willy ["Villy"] Mandersen, calling you from Internal Revenue Service...Crime Investigation Department. The nature and the purpose of this call is just to let you know that....we have received...a legal petition notice...against your name...under your social security number. So, before this matter goes to the Federal claim court house...and you get arrested, kindly call us back at (866) 978-8320. I repeat (866) 978-8320. Remember, don't disregard the message...as it is very important for you. And if you don't return the call, then the situation will be worse. So take care about it, and call us back as soon as possible. Goodbye.
</blockquote>
Jason Axleyhttp://www.blogger.com/profile/05804748043244078290noreply@blogger.com9tag:blogger.com,1999:blog-7617793329353943789.post-72257883539702525322013-10-08T21:40:00.000-07:002013-10-08T21:40:32.745-07:00What's wrong with the Amazon mp3 store on Android?First, I'm a big fan of amazon mp3. They offer high-quality DRM-free music that plays on anything and often at very competitive prices. And they make it very easy to spend a good amount of money and get some quality music. Their suggestions and free content have also been where I've discovered lots of new artists, such as ZZ Ward.<br />
<br />
But I absolutely abhor shopping for mp3s on my mobile phone on Amazon's mp3 app. Their interface on mobile only gives you these features:<br />
<ul>
<li>Search</li>
<li>Recommendations</li>
<li>Bestsellers</li>
<li>New Releases</li>
<li>Genres</li>
<li>And some individual highlights, such as a $0.69 song, Latin song, Hot Single, one Free Song, a $5 album, a Song of the week, and an Album of the week</li>
</ul>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="http://3.bp.blogspot.com/-IYGblBoU4Pw/UlTWGv8PPoI/AAAAAAABnyc/itil8j5_tRU/s1600/2013-10-08+20.33.08.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://3.bp.blogspot.com/-IYGblBoU4Pw/UlTWGv8PPoI/AAAAAAABnyc/itil8j5_tRU/s320/2013-10-08+20.33.08.png" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Amazon mp3 store in Chrome on Android</td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-ElLvJXLeeUU/UlTWFxubW8I/AAAAAAABnyM/GjHRishl1mc/s1600/2013-10-08+20.32.12.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://4.bp.blogspot.com/-ElLvJXLeeUU/UlTWFxubW8I/AAAAAAABnyM/GjHRishl1mc/s320/2013-10-08+20.32.12.png" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Amazon mp3 Android UI</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-1YiyPIlqONk/UlTV0rxStoI/AAAAAAABnyI/G_sFMltkVPs/s1600/amazonmp3-desktop.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="217" src="http://1.bp.blogspot.com/-1YiyPIlqONk/UlTV0rxStoI/AAAAAAABnyI/G_sFMltkVPs/s400/amazonmp3-desktop.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Amazon mp3 desktop website</td></tr>
</tbody></table>
All of the categories let you view by Album or Songs. And one of the first annoying things is that there is an arbitrary limit of 100 items in each of the categories. What song/album is the 101st New Release? What if I want to keep shopping down the list? What if I own or don't care about the top 100?<br />
<div>
<br /></div>
<div>
Grievance list:</div>
<div>
<ul>
<li>100 item arbitrary limit, regardless of the category, with no way to keep scrolling for more. Although I do see that even the desktop site caps the list at this arbitrary number. Lame x 2.</li>
<li>No way to view song/album reviews, other than a static star-list. This is one of the highlights of the Amazon mp3 experience on the desktop that I find most useful (and often entertaining).</li>
<li>No way to rate songs/albums on mobile. Oops, a prerequisite for contributing to (or benefiting from) the crowdsourced content is that you must first go to Amazon and buy a PC.</li>
<li>No access to the sub-lists within the category. One of my favorites has been the Top 100 Free lists. Another fun one is their monthly $5 albums list. I've found some great artists just perusing those lists. But sadly, on mobile you have no inkling they even exist. At least their HTML website on mobile has those (but even then the UI takes many cues from the mobile application).</li>
<li>No child lock. At least Amazon VOD on my Roku has a PIN code that I need to enter before purchasing videos to keep my kids from draining my bank account. Be careful who you give your phone to!</li>
<li>What you miss out on from the desktop site:</li>
<ul>
<li>Hot New Releases</li>
<li>Movers & Shakers</li>
<li>Top Rated (another failure to enable social media to help drive sales)</li>
<li>Featured Albums, Editor's picks, Artists on the rise, etc. (no ability to take advantage of Amazon's music buyer curation, which is quite good. I've found lots of good music that way)</li>
<li>Customers who viewed/purchased X also viewed/purchased Y</li>
<li>All of the "deals" lists. You get only a light mist of them. </li>
</ul>
<li>No wish list integration. Where's a list of the music on my wish list? Can I add an item to my wish list rather than just buy it now?</li>
<li>Lack of a Play All button to play all samples. The desktop site has it. You somehow have to know that it will automatically play all (but this doesn't give you a choice to listen to one without listening to all)</li>
<li>Lack of larger cover art.</li>
</ul>
</div>
I gave their HTML website a whirl in Chrome on Android and, although better in a few areas, it still has some of the annoying limitations that drive me back to a PC (the most annoying is when the _functionality_ of the site is artificially pruned, so you don't even know it exists). I would love to get rid of my PCs and have nothing but tablets, but all too often the mobile experience on apps is completely butchered and hobbled to the point where you often have no choice but to fake a desktop browser or just open up the laptop. But I digress.<br />
<br />
What they did right:<br />
<ul>
<li>Long-press context menu on an item lets you "Shop album" or "Shop artist". Nice way to explore "more"</li>
<li>Music previews good quality and have continuous play for sampling</li>
<li>Convenient to quickly purchase songs/albums you just heard.</li>
</ul>
<div>
I could rant about the cloud player annoyances, but they are far fewer.</div>
<div>
<br /></div>
<div>
Where Google Play Music Store on Android shines:</div>
<div>
<ul>
<li>Clean, intuitive UI with swipe interaction model</li>
<li>Infinite scrolling lists of Top Albums, Top Songs, even Recommendations, etc.</li>
<li>Wish list integration</li>
<li>Free-music lists</li>
<li>Personalized recommendations right on the home screen based on genres and artists in your existing collection</li>
<li>Video integration</li>
<li>Clear Play All button to play all samples.</li>
<li>Larger thumbnails and ability to click and see a larger version you can actually see</li>
<li>You can read the reviews!!! And contribute your own. And moderate the reviews.</li>
<li>Integration with Google+ for sharing/liking content. Would be nice if there were other options than Google+ though.</li>
<li>Integration with Android Share to send via twitter, email, etc.</li>
<li>Parity with the desktop site (it's the same thing, only with more real-estate)</li>
</ul>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://4.bp.blogspot.com/-r0SEd6827I0/UlTV0t6nSoI/AAAAAAABnyE/j3mbNIo6fig/s1600/googleplaymusic-desktop.png" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="221" src="http://4.bp.blogspot.com/-r0SEd6827I0/UlTV0t6nSoI/AAAAAAABnyE/j3mbNIo6fig/s400/googleplaymusic-desktop.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Google Play Music Desktop site</td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://1.bp.blogspot.com/-tho4VFQt2_8/UlTWHNLeHdI/AAAAAAABnyg/RNwo-kHj61Y/s1600/2013-10-08+20.32.43.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="http://1.bp.blogspot.com/-tho4VFQt2_8/UlTWHNLeHdI/AAAAAAABnyg/RNwo-kHj61Y/s320/2013-10-08+20.32.43.png" width="180" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Google Play Music App on Android</td></tr>
</tbody></table>
<div>
Google Play Music is rather annoying for purchases, especially forcing you to go through the same workflow for free songs as if you were "buying" them (really works to discourage "buying" multiple Free tracks, which may have been a business requirement -- I don't know). Too many clicks (even on the desktop).</div>
</div>
<div>
<br /></div>
<div>
At this point, what I would wish for these things to be fixed:</div>
<div>
<ul>
<li>Update the UI to take advantage of mobile capabilities and gestures. Swipe from tab to tab to fluidly navigate</li>
<li>Remove the 100 item cap and make everything infinite scroll lists.</li>
<li>Abandon the "mobile crippleware" design strategy that so many have fallen in love with and maintain parity with the desktop site for accessing all of the same content. If you are concerned about UI bloat, there are ways of handling that (just look at Google's approach for one). I prefer to have the options available _somewhere_ even if hidden in another menu somewhere.</li>
<li>If you can't get the functionality into the mobile app, at least enable links into the mobile web version of the site from the Android app to allow for accessing the functionality</li>
<li>Remove the "mobile crippleware" design strategy on the mobile website to also maintain parity with the desktop site.</li>
<li>Take advantage of the curated content to drive sales!</li>
<li>Take advantage of user feedback and your preferences engine that works rather well on the desktop site to enable social exploration of other users who may have similar tastes to discover new music. </li>
<li>Enable social integration. I've often wanted to share a song I just heard or a playlist publicly but cannot</li>
<li>Push notifications could be employed in a limited way (ideally, fully user customizable) to notify when the new $5 list of albums are out, new free songs, highlighted curated content, etc. I'd sign up for them.</li>
<li>Here's an idea: since you have access to the Android media list, you could actually recognize in the UI when I've already purchased a given album/song (either from Amazon or elsewhere). You don't even do that for stuff in my Cloud Player, for some strange reason.</li>
</ul>
</div>
Jason Axleyhttp://www.blogger.com/profile/05804748043244078290noreply@blogger.com0tag:blogger.com,1999:blog-7617793329353943789.post-62949089928664693342013-09-25T21:27:00.005-07:002013-09-25T21:27:59.882-07:00Seattle-area segregation<a href="http://www.wired.com/design/2013/08/how-segregated-is-your-city-this-eye-opening-map-shows-you/">The Best Map Ever Made of America's Racial Segregation | Wired Design | Wired.com</a><br />
<br />
White people seem to love them some waterfront property in Seattle. This is fascinating. Go check out your neighborhood on <a href="http://demographics.coopercenter.org/DotMap/index.html">the map</a>. There are clearly pockets of similar ethnicity divided by street boundaries.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-rcsSRVVNmFA/UkO3t4gRTyI/AAAAAAABmxg/Uv8GLJoqHws/s1600/WestSeattleRacialMakeup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://3.bp.blogspot.com/-rcsSRVVNmFA/UkO3t4gRTyI/AAAAAAABmxg/Uv8GLJoqHws/s640/WestSeattleRacialMakeup.png" width="619" /></a></div>
<br />Jason Axleyhttp://www.blogger.com/profile/05804748043244078290noreply@blogger.com0tag:blogger.com,1999:blog-7617793329353943789.post-37775851742216136332013-09-25T21:13:00.000-07:002013-09-25T21:13:51.171-07:00Humorous "Page Not Found" error pageThis is great! <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.computershare.com/Style%20Library/Images/404.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="234" src="http://www.computershare.com/Style%20Library/Images/404.png" width="320" /></a></div>
Jason Axleyhttp://www.blogger.com/profile/05804748043244078290noreply@blogger.com0tag:blogger.com,1999:blog-7617793329353943789.post-73747870304935919712013-09-18T23:21:00.001-07:002013-09-25T21:11:46.302-07:00Information Warfare via URL shortenersAs I've used Twitter more, I've noticed how many of the shared URLs are shortened. Given that the Library of Congress is <a href="http://www.businessinsider.com/library-of-congress-is-archiving-all-of-americas-tweets-2013-1">archiving all US tweets</a>, how many of those links will actually be usable at some point in the future? Hopefully their process logs the resolved actual URL instead of the shortened one. When I restored my blog, it was amazing how many broken links I found. I stopped fixing them. That's just the regular web. URL shortening adds another level of indirection, and with it another point of failure.<br />
<br />
As an information security guy, I see another downside: just how well protected are shortened URLs, now and long into the future, from malicious redirection, including <a href="http://www.fas.org/irp/eprint/snyder/infowarfare.htm">information warfare</a>? Shortened URLs give a single entity enormous power, far into the future, to do some pretty bad stuff. That got me wondering about the choice of top-level domains (TLDs) used by URL shortening services. Just how stable are those politically? What kind of information warfare opportunities are there? Which URL shorteners have better security properties given all of the possible attack vectors? How powerful a political statement would it be if all of the shortened URLs referenced on Twitter were replaced by a political statement or terrorist threat? You'd gather a lot of eyeballs and press by doing that to get your message out.<br />
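The defensive move implied above, for an archive or a Twitter client, is to resolve every short link at the time it is seen, store the full redirect chain rather than the short form, and re-resolve later to catch a shortener (or whoever ends up controlling its TLD) that has started sending readers somewhere else. The following is an added example, not from the original post: it follows redirects one hop at a time without fetching bodies, refuses loops, lists the registries that sit in the path of a link, and flags a changed destination. The redirect tables, hostnames and paths are constructed for the demonstration; only <code>live_fetch()</code> touches the network.

```python
"""Resolve a shortened URL to its real destination, keeping the whole redirect chain.

Added example, not from the original post. Redirect tables are constructed;
only live_fetch() touches the network.
"""
from typing import Callable, Optional
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

MAX_HOPS = 10
Fetcher = Callable[[str], tuple]   # url -> (status, Location header or None)

# Constructed: two chained shorteners under ccTLDs, as they resolve today...
SAMPLE_REDIRECTS = {
    "http://ex.ly/a1b2": (301, "http://ex.gd/c3d4"),
    "http://ex.gd/c3d4": (302, "https://www.example.org/article?id=7"),
    "https://www.example.org/article?id=7": (200, None),
}
# ...and after the second shortener is hijacked and points everything at a "statement".
HIJACKED_REDIRECTS = {**SAMPLE_REDIRECTS,
                      "http://ex.gd/c3d4": (302, "http://attacker.example/statement"),
                      "http://attacker.example/statement": (200, None)}


def table_fetch(table: dict) -> Fetcher:
    """Offline fetcher backed by a {url: (status, location)} table; unknown URLs are 404."""
    return lambda url: table.get(url, (404, None))


def live_fetch(url: str, timeout: float = 5.0) -> tuple:
    """HEAD the URL without following redirects; return (status, Location)."""
    class _NoRedirect(HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None   # None makes urlopen raise HTTPError for 3xx instead of following it
    try:
        with build_opener(_NoRedirect).open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_chain(url: str, fetch: Fetcher = live_fetch) -> list:
    """Follow 3xx redirects from url; return every URL visited, final destination last.

    A loop or more than MAX_HOPS hops raises, since both are signs of abuse.
    """
    chain, seen = [url], {url}
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            return chain
        nxt = urljoin(chain[-1], location)        # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError(f"more than {MAX_HOPS} redirects starting from {url}")


def controlling_tlds(chain: list) -> list:
    """Top-level domain of every hop before the destination: each registry that
    could re-point this link (the .ly / .gd concern above)."""
    return [urlsplit(u).hostname.rsplit(".", 1)[-1] for u in chain[:-1]]


def destination_changed(archived_chain: list, current_chain: list) -> bool:
    """True when the short link no longer lands where it did when archived."""
    return archived_chain[-1] != current_chain[-1]


if __name__ == "__main__":
    then = resolve_chain("http://ex.ly/a1b2", table_fetch(SAMPLE_REDIRECTS))
    now = resolve_chain("http://ex.ly/a1b2", table_fetch(HIJACKED_REDIRECTS))
    print("archived:", " -> ".join(then), "| registries in path:", controlling_tlds(then))
    print("now:     ", " -> ".join(now), "| destination changed:", destination_changed(then, now))
```

Storing <code>resolve_chain()</code>'s full output, not just the final URL, is deliberate: it records which shorteners and registries a reader has to trust, which is exactly the information the list below is about.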
<ul><li>bit.ly and ow.ly - both very popular on Twitter (as well as several others using .ly). The LY top-level domain is controlled by <a href="http://www.nic.ly/">Libya</a>. I can't see a problem with them controlling where my links go now or sometime in the future, do you? Information warfare, anyone? <a href="http://travel.state.gov/travel/cis_pa_tw/tw/tw_5992.html">Libya </a>is on the US State Department's list of travel warnings, with this summary of the stability of the region, "The security situation in Libya remains unpredictable. Sporadic episodes of civil unrest have occurred throughout the country." </li>
<li>su.pr - Stumbleupon's url shortener service. The PR TLD is <a href="https://www.nic.pr/index.asp">Puerto Rico</a>, an unincorporated US territory. So it probably would be more likely to have reasonable protection from information warfare except of course at the behest of our <a href="https://www.eff.org/nsa-spying">own US government</a>. </li>
<li>cli.gs - this shortener service <a href="http://thenextweb.com/2009/06/16/popular-url-shortener-cligs-hacked/">got hacked in 2009</a>. The GS TLD is for <a href="http://nic.gs/">South Georgia & South Sandwich Islands</a>, which is a British territory, so presumably it is relatively stable and western-friendly.</li>
<li>goo.gl - a newer entrant, run by Google. The GL TLD is <a href="http://www.nic.gl/bin/view/Main/">Greenland</a>, which is part of the Kingdom of Denmark. Interestingly, Denmark is "frequently ranked as the happiest country in the world in cross-national studies of happiness", <a href="https://en.wikipedia.org/wiki/Denmark">Wikipedia</a></li>
<li>is.gd - A service that has an interesting terms of service about being an <a href="http://is.gd/ethics.php">ethical URL shortener</a>. The GD TLD is actually <a href="http://nic.gd/">Grenada</a>. The World Bank publishes data (apparently as XML) that includes a political stability estimate for various countries, including <a href="http://www.quandl.com/WORLDBANK-World-Bank/GRD_PV_EST-Grenada-Political-Stability-and-Absence-of-Violence-Terrorism-Estimate">Grenada</a>. The current figure for the <a href="http://info.worldbank.org/governance/wgi/faq.htm">Political Stability and Absence of Violence (PV)</a> indicator, "capturing perceptions of the likelihood that the government will be destabilized or overthrown by unconstitutional or violent means, including politically-motivated violence and terrorism," is 0.44. For comparison, the USA's figure is trending up and currently stands at 0.54. Earlier this year, the .gd domain and two others were also <a href="http://domainincite.com/12238-confusion-reigns-over-three-hijacked-cctlds">hijacked </a>due to a dispute over control of the TLDs. </li>
<li>tr.im - a shortening service that shut down in 2009 (but appears to possibly be back?) </li>
</ul><div>Given these factors, I'd first suggest you run your own shortener service if you want full control and assurance of longevity (assuming you can build and operate such a thing securely). If you had to pick a third-party service, I'd go with one on a TLD whose registry is stable and not likely to be subject to the political will of the host country, run by a company not likely to be going anywhere for the next few decades. Or just treat all communications that use URL shorteners as ephemeral, and consider their likely non-functioning in the future a security precaution against future government snooping, perhaps.</div><div><br />
</div><a href="http://joshua.schachter.org/2009/04/on-url-shorteners.html">On URL Shorteners</a> is a discussion of the risks and issues with shorteners from 2009.<br />
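Recording the resolved target rather than the short link, and re-checking against that record later, is the practical defence the post points at: it is how an archive stays usable and how you would notice a shortener being turned against its users. The following is an added C++ example written for this page, not code from the original post. It follows a short link's redirect chain by hand with a hop limit and loop detection, records the final URL and the TLD of each hop, and flags drift when a previously archived short link resolves somewhere else. The fetcher is injected and backed by a constructed redirect table with made-up hostnames (short.example, t.example, evil.example, loop.example), so it runs offline; a real deployment would swap in an HTTP client configured not to follow redirects on its own.

```cpp
// Added example (not from the post): resolve a shortened URL through its redirect
// chain, archive the final target, and later detect when the same short link
// starts resolving somewhere else. Every hostname below is made up.
// Build: g++ -std=c++17 -Wall -Wextra shortlink.cpp -o shortlink && ./shortlink
#include <cstddef>
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct Response { int status; std::string location; };   // what redirect-following needs

// Injected so the code runs offline. In production: an HTTP HEAD/GET that does
// NOT follow redirects itself, so every hop is visible and can be logged.
using Fetcher = std::function<Response(const std::string&)>;

struct Resolution {
    std::vector<std::string> chain;   // every URL visited, in order
    std::string final_url;            // last URL, if it answered 2xx
    bool ok = false;                  // false on loop, hop limit, or non-2xx
};

// Host part of a URL: "https://bit.ly/abc" -> "bit.ly" (port and path stripped).
std::string host_of(const std::string& url) {
    std::size_t start = url.find("://");
    start = (start == std::string::npos) ? 0 : start + 3;
    std::size_t end = url.find_first_of("/?#:", start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Last label of the host: the TLD whose registry the whole link depends on.
std::string tld_of(const std::string& url) {
    std::string host = host_of(url);
    std::size_t dot = host.rfind('.');
    return dot == std::string::npos ? host : host.substr(dot + 1);
}

// Follow 3xx Location headers by hand, with a hop limit and loop detection, so a
// hostile shortener cannot bounce the resolver around forever.
Resolution resolve(const std::string& start, const Fetcher& fetch, std::size_t max_hops = 10) {
    Resolution r;
    std::string url = start;
    while (r.chain.size() <= max_hops) {
        for (const auto& seen : r.chain)
            if (seen == url) return r;                       // redirect loop
        r.chain.push_back(url);
        Response resp = fetch(url);
        if (resp.status < 300 || resp.status >= 400 || resp.location.empty()) {
            r.ok = resp.status >= 200 && resp.status < 300;  // terminal answer
            r.final_url = url;
            return r;
        }
        url = resp.location;
    }
    return r;                                                // hop limit hit
}

// Archive of short URL -> resolved target, recorded when the link was first seen.
using Archive = std::map<std::string, std::string>;

// True when an archived short link now resolves elsewhere (or not at all): the
// hijacked-shortener scenario from the post.
bool drifted(const Archive& archive, const std::string& short_url, const Fetcher& fetch) {
    auto it = archive.find(short_url);
    if (it == archive.end()) return false;                   // nothing to compare
    Resolution now = resolve(short_url, fetch);
    return !now.ok || now.final_url != it->second;
}

// Constructed redirect table standing in for the network (hypothetical hosts).
Fetcher demo_fetcher(bool hijacked) {
    std::map<std::string, Response> table = {
        {"http://short.example/abc", {301, "http://t.example/xyz"}},
        {"http://t.example/xyz", {302, "https://www.example.org/article"}},
        {"https://www.example.org/article", {200, ""}},
        {"http://evil.example/statement", {200, ""}},
        {"http://loop.example/1", {301, "http://loop.example/2"}},
        {"http://loop.example/2", {301, "http://loop.example/1"}},
    };
    if (hijacked)   // registry or DNS takeover: same short link, new destination
        table["http://short.example/abc"] = {301, "http://evil.example/statement"};
    return [table](const std::string& url) {
        auto it = table.find(url);
        return it == table.end() ? Response{404, ""} : it->second;
    };
}

// What the archive held from the first crawl, compared with a fresh resolution.
bool demo_drift_detected(bool hijacked) {
    Archive archive = {{"http://short.example/abc", "https://www.example.org/article"}};
    return drifted(archive, "http://short.example/abc", demo_fetcher(hijacked));
}

int main() {
    Resolution r = resolve("http://short.example/abc", demo_fetcher(false));
    for (const auto& hop : r.chain) std::cout << hop << "  [." << tld_of(hop) << "]\n";
    std::cout << "final: " << r.final_url << "\n"
              << "drift after hijack: " << (demo_drift_detected(true) ? "yes" : "no") << "\n"
              << "loop rejected: " << (resolve("http://loop.example/1", demo_fetcher(false)).ok ? "no" : "yes") << "\n";
}
```

The chain printout shows every registry a single link depends on (one per hop), which is the exposure the TLD list above is really about. The archive check is the operational answer to the post's question: store what a short link resolved to when you first saw it, re-resolve on a schedule, and alert when the answer changes or the link stops resolving.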
<br />
Some other takes on them from around the web that sum up the general thoughts I had about them (if you care about your content being usable down the road, and about whether someone could take your visitors for a ride to malware-town):<br />
<br />
<a href="https://www.fightaging.org/archives/2010/05/an-unwelcome-reminder-of-the-nature-of-url-shortening-services.php">An Unwelcome Reminder of the Nature of URL Shortening Services</a>, "if you care about the long-term survival of your external links, steer clear of URL shortening services, no matter how convenient they may at first appear."<br />
<br />
<a href="http://tom.goskar.com/2009/04/16/why-im-creating-my-own-url-shortening-service/">Why I'm creating my own URL shortening service</a>: "I suppose that one of the driving forces behind this is my training as an archaeologist (we don’t like throwing things away, generally, and that includes data). I can’t archive the pages I link to, but at least I can give folks in the future a better chance of finding what I’m linking to."

Jason Axley

Seattle Infosec calendar (published 2013-07-11)

I searched and didn't find a Seattle-specific information security calendar showing not only conferences but also smaller security events. So I created a new public one. And I guess that means now I'm maintaining one ;-)<br />
<br />
If you know of something I've missed, let me know and I'll add it.<br />
<br />
To subscribe: <a href="http://www.google.com/calendar/ical/axley.net_9rovn2snphdqmblujc4qshpqt4%40group.calendar.google.com/public/basic.ics">ICAL</a>, <a href="http://www.google.com/calendar/feeds/axley.net_9rovn2snphdqmblujc4qshpqt4%40group.calendar.google.com/public/basic">XML</a><br />
<br />
<a href="https://www.google.com/calendar/embed?src=axley.net_9rovn2snphdqmblujc4qshpqt4%40group.calendar.google.com&ctz=America/Los_Angeles">Full browser web view</a><br />
<br />
<iframe frameborder="0" height="600" width="550" scrolling="no" src="https://www.google.com/calendar/embed?height=600&wkst=1&bgcolor=%23FFFFFF&src=axley.net_9rovn2snphdqmblujc4qshpqt4%40group.calendar.google.com&color=%235F6B02&ctz=America%2FLos_Angeles" style="border-width: 0;"></iframe>

Jason Axley

What can we learn from the ZRTPCPP / Silent Circle debacle? (published 2013-07-02)

By way of background, Phil Zimmermann's company <a href="https://silentcircle.com/">Silent Circle</a> became wildly successful recently, after Snowden's disclosures of extensive NSA collection of telephony "metadata" and of "data — including e-mails, videos, pictures, and connection logs — from the main servers of Microsoft, Google, Apple, and other leading U.S. tech companies" (1). "Mike Janke, one of the founders, estimated that the number of new customers for its subscription-based service surged by 400 percent" (2).<br />
<br />
<a href="https://twitter.com/mdowd">Mark Dowd</a> from Azimuth Security "decided to take a brief look at the GNU ZRTPCPP library (<a href="https://github.com/wernerd/ZRTPCPP">https://github.com/wernerd/ZRTPCPP</a>), which is a core security component of various secure phone solutions (perhaps most notably, the impressive SilentCircle suite of applications)." (3) He found several disturbing vulnerabilities in the library, including heap and stack overflows that can lead to remote code execution or crash the application. Additionally, <a href="https://twitter.com/matthew_d_green">Matthew Green</a> found an <a href="https://github.com/wernerd/ZRTPCPP/issues/7">implementation issue</a> after a casual review.<br />
<br />
Several applications use the same library, but most are free and open source software. Silent Circle, however, is a commercial venture started by PGP's Phil Zimmermann, and a commercial entity, especially one whose entire service and product set is geared toward security and privacy, should be expected to have an application security program and sufficient tooling and resources to validate and vet its wares. They claimed to have done this. However, given the glaring bugs identified in the ZRTPCPP library, whose development they largely funded through its author, <a href="https://github.com/wernerd">Werner Dittmann</a>, it is clear that their controls for ensuring the security of their product were wholly inadequate, and they admit as much:
<blockquote class="tr_bq">
"[W]e audit and test our own work and pay others to audit and test it for us. Obviously, in this case, the auditing failed. It was my understanding that all of the libraries that we used were audited, as well as all of our own code. The fact that these problems were missed suggests that there is a problem with the auditing process, that either not all of the third party libraries were audited or that somehow the auditing was not rigorous. Besides developing, testing and deploying these fixes, we will also be looking into the process." (4)</blockquote>
When I learned the details, I wondered what other entities that have application security programs in place (or should) can learn from this.<br />
<ol>
<li>Even security software companies make mistakes and imperil security -- sometimes they make some <a href="http://funoverip.net/2013/06/mcafee-epolicy-0wner-preview/">doozies</a></li>
</ol>
<div>
So don't assume that because a company has a security stalwart like Phil Zimmermann, or because it's in the security business, it is immune from the software security problems that nearly everyone in every organization is dealing with.</div>
<ol>
<li value="2">
Open source does allow for "more eyes" to potentially make "all bugs...shallow", but it's not a guarantee. "open source <i>can</i> be reviewed by more people than proprietary software, but I don’t think it <i>is</i> reviewed by more people than proprietary software." (5)</li>
</ol>
ZRTPCPP had these bugs for roughly six years before they were found, and they were not only security bugs: there were double-increment bugs in loops and other correctness issues as well. Third-party dependencies need to be evaluated as part of your threat model, and the same scrutiny you apply to your own code needs to be applied to them. Probably even more scrutiny, since you also need to consider non-technical issues with each dependency, such as the third party's viability, responsiveness, and so on.
<br />
<ol>
<li value="3">Use static analysis!</li>
</ol>
Several of these bugs are trivial for static analysis tools to find. For C and C++ code there's even the open source <a href="http://clang-analyzer.llvm.org/">clang </a>analyzer. Run it as part of the build process, and validate and (hopefully) fix the findings prior to release. Treat it as a floor, not a ceiling: it flags the obvious unchecked index and length arithmetic, but a clean analyzer run does not prove a parser safe.
<br />
<ol>
<li value="4">Trust, but verify your application security controls</li>
</ol>
<div>
So, you paid a chunk of change to an external party to vet your code for security issues and you got a clean bill of health. That means you can rest easy, right? Not necessarily. Absence of evidence is not evidence of absence. There are myriad reasons an external assessment might not yield findings: the tester may have had inadequate experience, may not have been thorough enough, or may have been just plain incompetent, and all would yield equally "impressive" results. Ideally, you should be vetting your external partners to ensure they are able to catch flaws. You could even purposefully include code with known issues as a test.</div>
<ol>
<li value="5">Write unit tests -- and ensure they execute as part of every build.
</li>
</ol>
How can you trust code without any unit tests, or code whose tests are not continuously executed to guard against new bugs being introduced, especially code that must accept arbitrary untrusted inputs that can be malformed in myriad ways? Looking at the <a href="https://github.com/wernerd/ZRTPCPP">github repository</a> for the library, I see lots of application C++ code, but I don't see any folder with "test" in its name. I see a couple of files in the "demos" directory with "test" in the name, but based on their function and the README, they are examples of how to use the code, not defensive tests ensuring the correct functioning of the implementation (which should cover both happy-path cases and negative/boundary cases).
<br />
<br />
Even if you're the best coder in the world and think you don't need tests, what about the next person to make a change to your code or the team that inherits your code for maintenance who lacks your skill and familiarity? How can you ensure correct, safe operation now and in the future without code to check your code? What if an implementation (or security) bug is found in your code? How do you validate your fix works? How do you ensure that the same issue doesn't get re-introduced later? Unit tests can do all of this for you while you sleep and your continuous integration (CI) build runs.<br />
<br />
Security software needs to be the leader in this. If those in infosec can't write secure software and follow secure development practices, what are the chances for the rest of us?<br />
<ol>
<li value="6">Fuzz your network code. (and fuzz your other code as well)</li>
</ol>
This could be a corollary of the unit test recommendation. Code that expects untrusted inputs from outside should be fuzzed with random and mutated inputs, including boundary conditions, to validate that your parsing and buffering code is sufficiently robust against active attack. Fuzzing can find test cases that your unit tests are not covering. If you find anything, fix it, and write a unit test for it so that your code stays immune to that issue in the future.
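To make lessons 3, 5 and 6 concrete, here is an added C++ example written for this page; it is not taken from ZRTPCPP or Silent Circle. It defines a hypothetical length-prefixed message format (not ZRTP's wire format), parses it first in the unchecked style that produces the over-read and overflow class Dowd reported, then in a hardened form that checks every count and length against both the remaining input and the destination buffer, and adds the unit tests and a deterministic in-process fuzz loop the post asks for. Build it with <code>-fsanitize=address,undefined</code> so that any out-of-bounds access in either parser aborts the run instead of passing silently.

```cpp
// Added example for this page, not ZRTPCPP code: a hypothetical length-prefixed
// message format, parsed first without checks (the bug class Dowd reported) and
// then with them, plus the unit tests and a deterministic fuzz loop.
// Build: g++ -std=c++17 -Wall -Wextra -fsanitize=address,undefined msg.cpp && ./a.out
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical wire format (NOT ZRTP's):
//   byte 0        count of 4-byte algorithm IDs (0..MAX_IDS)
//   next 4*count  the IDs, big-endian
//   next byte     client-id length (0..MAX_CLIENT), then that many bytes
struct Message {
    static constexpr std::size_t MAX_IDS = 8;
    static constexpr std::size_t MAX_CLIENT = 16;
    uint32_t ids[MAX_IDS];
    std::size_t id_count = 0;
    char client[MAX_CLIENT + 1];          // NUL-terminated copy
    std::size_t client_len = 0;
};

static uint32_t read_u32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

// Unchecked parser: trusts the count and length bytes it just read. A count above
// MAX_IDS writes past ids[] (stack or heap overflow, depending on where the
// Message lives) and a short packet reads past the end of data. Kept only so the
// fuzz loop can be pointed at it under ASan; never use it on untrusted input.
bool parse_unchecked(const uint8_t* data, std::size_t /*len*/, Message& out) {
    std::size_t pos = 0;
    out.id_count = data[pos++];
    for (std::size_t i = 0; i < out.id_count; ++i, pos += 4) out.ids[i] = read_u32(data + pos);
    out.client_len = data[pos++];
    std::memcpy(out.client, data + pos, out.client_len);
    out.client[out.client_len] = '\0';
    return true;
}

// Hardened parser: each field is checked against the remaining input and the
// destination capacity before it is read or written; trailing bytes are rejected.
bool parse_checked(const uint8_t* data, std::size_t len, Message& out) {
    std::size_t pos = 0;
    if (len < 1) return false;
    std::size_t count = data[pos++];
    if (count > Message::MAX_IDS || len - pos < count * 4) return false;
    for (std::size_t i = 0; i < count; ++i, pos += 4) out.ids[i] = read_u32(data + pos);
    out.id_count = count;
    if (len - pos < 1) return false;
    std::size_t clen = data[pos++];
    if (clen > Message::MAX_CLIENT || len - pos < clen) return false;
    std::memcpy(out.client, data + pos, clen);
    out.client[clen] = '\0';
    out.client_len = clen;
    return pos + clen == len;
}

// Unit tests: one happy path and the negative/boundary cases the post asks for.
bool test_happy_path() {
    const uint8_t pkt[] = {2, 0,0,0,1, 0,0,0,2, 3,'a','b','c'};
    Message m{};
    return parse_checked(pkt, sizeof pkt, m) && m.id_count == 2 && m.ids[1] == 2 &&
           m.client_len == 3 && std::strcmp(m.client, "abc") == 0;
}
bool test_rejects_oversized_count() {
    uint8_t pkt[1 + 9 * 4 + 1] = {9};            // claims 9 IDs, MAX_IDS is 8
    Message m{};
    return !parse_checked(pkt, sizeof pkt, m);
}
bool test_rejects_truncated() {
    const uint8_t pkt[] = {2, 0,0,0,1};          // claims 2 IDs, carries one
    Message m{};
    return !parse_checked(pkt, sizeof pkt, m);
}
bool test_rejects_long_client() {
    std::vector<uint8_t> pkt = {0, 17};          // client length > MAX_CLIENT
    pkt.resize(2 + 17, 'x');
    Message m{};
    return !parse_checked(pkt.data(), pkt.size(), m);
}

// Tiny in-process fuzzer, deterministic so any failure reproduces. Mutates a valid
// packet and checks the parser's postconditions; under ASan/UBSan any out-of-bounds
// access aborts the run. Returns false on a postcondition failure.
struct Rng { uint64_t s; uint64_t next() { s ^= s << 13; s ^= s >> 7; s ^= s << 17; return s; } };

bool fuzz_parser(bool (*parse)(const uint8_t*, std::size_t, Message&), unsigned iterations) {
    Rng rng{0x9E3779B97F4A7C15ULL};
    const std::vector<uint8_t> base = {2, 0,0,0,1, 0,0,0,2, 3,'a','b','c'};
    for (unsigned it = 0; it < iterations; ++it) {
        std::vector<uint8_t> in = base;
        switch (rng.next() % 4) {
            case 0: in[rng.next() % in.size()] = (uint8_t)rng.next(); break;            // flip a byte
            case 1: in.resize(rng.next() % in.size()); break;                            // truncate
            case 2: in.resize(in.size() + rng.next() % 64, (uint8_t)rng.next()); break;  // extend
            default: in.assign(1, (uint8_t)rng.next()); break;                           // lone byte
        }
        Message m{};
        if (parse(in.data(), in.size(), m) &&
            (m.id_count > Message::MAX_IDS || m.client_len > Message::MAX_CLIENT ||
             m.client[m.client_len] != '\0'))
            return false;
    }
    return true;
}

int main() {
    bool units = test_happy_path() && test_rejects_oversized_count() &&
                 test_rejects_truncated() && test_rejects_long_client();
    std::printf("unit tests: %s\n", units ? "pass" : "FAIL");
    std::printf("fuzz parse_checked: %s\n", fuzz_parser(parse_checked, 20000) ? "clean" : "FAIL");
    // fuzz_parser(parse_unchecked, 20000) is the ASan demonstration: expect a crash.
    return 0;
}
```

The fuzz loop as written only drives parse_checked; point it at parse_unchecked under ASan and the sanitizer reports the overflow or over-read within the first few mutations, which is the whole argument for running sanitized fuzz builds in CI. Running scan-build (the clang static analyzer driver) over the same file covers lesson 3; the sanitizers and the fuzzer catch what the analyzer cannot prove.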
<br />
<div>
<br /></div>
<div>
(1) "NSA Reportedly Mines Servers Of U.S. Internet Firms For Data : The Two-Way : NPR." Last modified 07/03/2013 04:04:55. <a href="http://www.npr.org/blogs/thetwo-way/2013/06/06/189321612/nsa-reportedly-mines-servers-of-u-s-internet-firms-for-data">http://www.npr.org/blogs/thetwo-way/2013/06/06/189321612/nsa-reportedly-mines-servers-of-u-s-internet-firms-for-data </a>(accessed 7/2/2013).</div>
<div>
(2) "Startup sees boost in business following news of NSA surveillance - Washington Business Journal." Last modified 07/03/2013 04:06:02. <a href="http://www.bizjournals.com/washington/blog/techflash/2013/06/startup-sees-boost-in-business.html">http://www.bizjournals.com/washington/blog/techflash/2013/06/startup-sees-boost-in-business.html</a> (accessed 7/2/2013).<br />
(3) "Azimuth Security: Attacking Crypto Phones: Weaknesses in ZRTPCPP." Last modified 07/02/2013 13:28:12. <a href="http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html">http://blog.azimuthsecurity.com/2013/06/attacking-crypto-phones-weaknesses-in.html</a> (accessed 7/2/2013).<br />
(4) "Impact of ZRTP library critical security vulnerabilities · Issue #5 · SilentCircle/silent-phone-base · GitHub." Last modified 07/03/2013 04:38:41. <a href="https://github.com/SilentCircle/silent-phone-base/issues/5#issuecomment-20232374">https://github.com/SilentCircle/silent-phone-base/issues/5#issuecomment-20232374</a> (accessed 7/2/2013).<br />
(5) "Microsoft’s Many Eyeballs and the Security Development Lifecycle - Thinking About Security - Site Home - MSDN Blogs." Last modified 07/03/2013 04:52:27. <a href="https://blogs.msdn.com/b/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx?Redirected=true">https://blogs.msdn.com/b/shawnhernan/archive/2010/02/13/microsoft-s-many-eyeballs-and-the-security-development-lifecycle.aspx?Redirected=true</a> (accessed 7/2/2013).<br />
(6) "What Happened With ZRTP This Week | Silent Circle Blog." Last modified 07/03/2013 05:10:20. <a href="http://silentcircle.wordpress.com/2013/06/29/what-happened-with-zrtp-this-week/">http://silentcircle.wordpress.com/2013/06/29/what-happened-with-zrtp-this-week/</a> (accessed 7/2/2013).</div>
Jason Axley

Mountain Lion easter egg references debut of original Apple Macintosh (published 2013-06-21)

<div class="tr_bq">How clever. I just noticed this today.</div><blockquote><a href="http://appleinsider.com/articles/12/07/26/mountain_lion_easter_egg_references_debut_of_original_apple_macintosh">Mountain Lion easter egg references debut of original Apple Macintosh</a></blockquote><blockquote class="tr_bq"> Incomplete downloads in OS X 10.8 Mountain Lion show a "Date Modified" of Jan. 24, 1984, a reference to the day when Apple's very first Macintosh was unveiled by Steve Jobs.</blockquote>

Jason Axley

Ross Anderson response about payments system weakness (published 2013-06-20)

<br />
<br />
"You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."<br />
<br />
<a href="http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf">http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf</a><br />
<br />

Jason Axley

Zombie Juxtaposition blog coming back to life (published 2013-06-20)

I've had it on my TODO list to resurrect my old blog posts and import them into Blogger, and I finally started doing it. So you'll see lots of former posts coming back. I'm trying to review each one and clean up any formatting issues or easy-to-fix broken links or images.<br />
<br />
My incentive was that summer is here, but I could not find the recipe for <a href="http://0.0.7.217/07/my-new-concoction-adele-claire.html">My New Concoction: The Adele Claire</a>. And I'm also going to be crafting a new creation in honor of my son. Now it is back so enjoy an Adele Claire and read some history ;-)<br />
<br />
It is actually somewhat sad to see old topics back in the news again:<br />
<br />
<ul>
<li>FISA, warrantless wiretaps, telecom immunity</li>
<li>Obama vs. his former self (he was running anti-FISA)</li>
</ul>
<div>
Oh, how times change yet stay the same...</div>
Jason Axley

Untrusted apt repositories may be harmful (published 2013-06-19)

<a href="http://www.flickr.com/photos/trevi55/296804891/">Ubuntu Untrusted Repository "gift" on Flickr - Photo Sharing!</a><br />

Jason Axley

Devaluing harassment (published 2013-02-28)

I've been taken aback lately by a variety of claims on blogs and Twitter of someone "harassing" someone else or "stalking" them. People throw these words around so cavalierly that they are in serious danger of being devalued, watered down until they have no substantive meaning.<br />
<br />
I wanted to do my own research to provide those who might be tempted to throw these words out in casual assertions with some clear definitions and some tools you could use to perhaps determine if certain behaviors rise to the level of actual "harassment" or "stalking" before using those terms.<br />
<br />
Many states, including my own, have passed laws where these terms have been given specific meanings that can help provide some guidance (although many I have seen are still problematic in an operational sense as they are fairly vague and do not differentiate between "annoying" and outright "harassing" behavior).<br />
<br />
Let's start with a dictionary <a href="http://oxforddictionaries.com/definition/english/harassment?q=harassment" target="_blank">definition of harassment</a>:<br />
<blockquote class="tr_bq">
<div class="after">
aggressive pressure or intimidation</div>
</blockquote>
Okay, that is not very helpful in terms of distinguishing between behavior that is socially and morally acceptable from the abusive kind of behavior. What causes behavior to rise to the level of harassment vs. mere annoyance?<br />
<br />
My own state of Washington defines an "unlawful harassment" term thusly<sup>[1]</sup>:<br />
<blockquote class="tr_bq">
<div class="after">
"Unlawful harassment" means a knowing and willful course of conduct directed at a specific person which seriously alarms, annoys, harasses, or is detrimental to such person, and which serves no legitimate or lawful purpose. The course of conduct shall be such as would cause a reasonable person to suffer substantial emotional distress, and shall actually cause substantial emotional distress to the petitioner, or, when the course of conduct would cause a reasonable parent to fear for the well-being of their child.</div>
</blockquote>
California was one of the first states to pass online harassment legislation and this is their definition<sup>[2]</sup>:<br />
<blockquote class="tr_bq">
<div class="after">
"Harassment" means a knowing and willful course of conduct directed at a specific person that a reasonable person would consider as seriously alarming, seriously annoying, seriously tormenting, or seriously terrorizing the person and that serves no legitimate purpose.</div>
</blockquote>
The key distinctions of harassment over just annoying behavior are:<br />
<ul>
<li>willful (speaks to the intent of the actions)</li>
<li>directed at a particular individual</li>
<li>seriousness or severity of the conduct (typically "torments" or "terrorizes" the individual)</li>
<li>serves no legitimate or lawful purpose</li>
<li>causes "substantial" emotional distress</li>
</ul>
Cyberstalking is a flavor of harassment that "generally refers to a clear pattern of conduct through which the perpetrator causes the victim reasonable fear for their safety or their family's safety."<sup>[4]</sup> Not all states have statutes covering both of these flavors; many include just one or the other or lump both in together.<sup>[5]</sup><br />
<br />
Washington state's cyberstalking statute says:<sup>[3]</sup><br />
<blockquote>
<pre class="quote">(1) A person is guilty of cyberstalking if he or she, with intent to harass, intimidate, torment, or embarrass any other person, and under circumstances not constituting telephone harassment, makes an electronic communication to such other person or a third party:
(a) Using any lewd, lascivious, indecent, or obscene words, images, or language, or suggesting the commission of any lewd or lascivious act;
(b) Anonymously or repeatedly whether or not conversation occurs; or
(c) Threatening to inflict injury on the person or property of the person called or any member of his or her family or household.
</pre>
</blockquote>
So my state's cyberstalking statute differs from plain harassment in that it:<br />
<ul>
<li>requires a particular intent</li>
<li>requires an electronic (but not telephone) communication</li>
<li>requires the content to be of a nasty nature OR</li>
<li>requires making a threat to the person or property or relations</li>
</ul>
I'm not going to drag up any specific Twitter or blog examples of people devaluing harassment (you know who they (or you) are). But I will generally point out that flaming someone or mentioning someone on Twitter or a blog would not rise to the level of<br />
<br />
But some of the actions that I've seen documented would appear to meet (IANAL) some (or more) of the legal criteria. Such as photoshopped obscene pictures of the individuals being criticized, and perhaps the practice of doxing people that you disagree with (which only seems to serve the purpose of intimidating the individual by exposing their physical and personal information).<br />
<br />
Anyhow, the legal language still does not make it quite clear where to draw the line between annoying someone and harassing them. Stalking may be clearer, although I don't quite understand how the term "stalking" applies based on the way the legal language is written. What is more useful is a heuristic tool to gauge someone's words and actions. One such tool was mentioned on a LinkedIn discussion forum and is claimed to originate from the University of Alberta<sup>[6]</sup>. I tried to find the primary source material for the tool, as I think it is a good one, but have yet to find it. I will quote it here for posterity and will add pointers to the original if it ever comes to light. The tool is called R.A.T.E.:
<br />
<blockquote>
<ul class="nobullets">
<li><b>Respect</b> - Is this behaviour respectful? Does this behaviour honour the dignity and the worth of the person? Does the behaviour recognize and appreciate differences - culture, viewpoint, age, status etc.?</li>
<li><b>Appropriate</b> - Is the behaviour appropriate to the situation and to the relationship between the individuals?</li>
<li><b>Trust</b> - Many relationships are relationships of trust - e.g. the relationship between a professor and student or between an employee and manager. Is the behaviour a violation of the trust?</li>
<li><b>Equal</b> - What is the power balance in the relationship? Are the individuals equals? Is the behaviour exploiting a difference in power? Would an objection to the behaviour threaten the well-being of the person to whom the behaviour is directed?</li>
</ul>
</blockquote>
I like that this model includes an assessment of the relative power of the individuals involved. There is a note that a single incident would not rise to the level of harassment. Harassment would generally need to involve a <i>pattern </i>of behavior.<br />
<br />
[1] "RCW 10.14.020 Definitions", <a href="http://apps.leg.wa.gov/rcw/default.aspx?cite=10.14.020">http://apps.leg.wa.gov/rcw/default.aspx?cite=10.14.020</a>, accessed 2013-02-18<br />
<br />
[2] "PENAL CODE SECTION 639-653.2", <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=639-653.2">http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&group=00001-01000&file=639-653.2</a>, 653.2. (c)(1), accessed 2013-02-18<br />
<br />
[3] "RCW 9.61.260 Cyberstalking.", <a href="http://apps.leg.wa.gov/rcw/default.aspx?cite=9.61.260">http://apps.leg.wa.gov/rcw/default.aspx?cite=9.61.260</a>, accessed 2013-02-18<br />
<br />
[4] "Harassment", <a href="http://criminal.findlaw.com/criminal-charges/harassment.html">http://criminal.findlaw.com/criminal-charges/harassment.html</a>, accessed 2013-02-18<br />
<br />
[5] "State Cyberstalking and Cyberharassment Laws", <a href="http://www.ncsl.org/issues-research/telecom/cyberstalking-and-cyberharassment-laws.aspx">http://www.ncsl.org/issues-research/telecom/cyberstalking-and-cyberharassment-laws.aspx</a>, accessed 2013-02-19
<br />
[6] "Where is the fine line separating "harassment" behaviour from merely "annoying"?", <a href="http://www.linkedin.com/groups/Where-is-fine-line-separating-4416291.S.152158149">http://www.linkedin.com/groups/Where-is-fine-line-separating-4416291.S.152158149</a>, accessed 2013-02-19

Jason Axley

The Truth Imperative: What's in a name? (published 2013-02-27)

I used to have a blog. I used to opine in it. Oh, those days of yesteryear before kids, when I had such luxuries of time... I let my blog languish. It devolved into my personal bookmark tool. It didn't have a good focus. It was called "Juxtaposition", after all, which is by its nature not focused. I missed the opportunity to call it "Jaxtaposition", since my network handle was often "jaxley" -- a kind of portmanteau of my name. But I have since found that neither was as unique or compelling as I had thought.<br />
<br />
I have long wanted to have a place that could serve as my sounding board for sharing insights or tips regarding information security as well as skepticism and science. This is the focus my previous effort lacked. I plan to tag each post separately so if it turns out you really don't care about skepticism, you can just subscribe to the "security" tagged items. And vice-versa, you could just subscribe to the "skeptical" tags. <br />
<br />
I get a lot from detailed articles and in-depth insights and wanted to be able to give back to some extent. This will be my vehicle to do so.<br />
<br />
Coming up with a name was a combination of frustration and humility, in that so many of the names I thought of were not just inspiring to me but had been used already or were too common to stand out. I wanted something that would embody what I've come to see as a core <i><b>moral imperative</b></i>: to seek the truth, no matter where it leads, and to stamp out falsehood and ignorance as the enemies of truth. Hence "The Truth Imperative" seemed to embody this perfectly and also was not crowded out in the Google search rankings. In fact, even before I posted the first article, this blog was result number 7 on Google. <br />
<br />
If you were on the fence about the moral angle to the truth, perhaps the analogy in this quote will make the relationship clearer:<br />
<blockquote>
<p>
It is morally as bad not to care whether a thing is true or not, so long as it makes you feel good, as it is not to care how you got your money as long as you have got it. -- Edwin Way Teale</p></blockquote>
There is something inside me that is outraged by truth injustices as much as by social injustice. Falsehoods are corrosive to our democracy, our environment, our health, our freedoms, our safety, our own personal growth, and our understanding of the world around us. I came across a blog post, <a href="http://www.rogerdarlington.me.uk/truth.html">The reason for truth</a>, that sets out a fantastic list of reasons why the truth matters, which I heartily endorse and which says much of what I was going to write, so go read it instead and then come back. He lays out his position on truth, which jibes completely with mine, and which I will quote here:<br />
<blockquote>
<ol>
<li>In a strict sense, all truth is provisional and stands open to challenge on the basis of a new interpretation of the available evidence or the provision of new evidence. The key point here is that it is evidence - old or new - that is at the heart of the determination.</li>
<li>In the meanwhile, the most truthful statements explain and are consistent with all the currently available evidence.</li>
<li>On the basis of consistency and utility, the most truthful statements are likely to be consistent with the current paradigm until persuasive evidence challenges that paradigm.</li>
<li>The most useful truths are those that do not simply explain past phenomena but enable consistently accurate statements about the future.</li>
</ol>
</blockquote>
I would only perhaps add some bullets to the list regarding protection of the truth from corrosive influences, whether subconscious or deliberate.<br />
<br />
Additionally, I would clarify that this pursuit of truth is all about truth with a small "t". Many make the false assumption that there is (or must be) some metaphysical Truth with a capital "T" out there and even claim that skeptics or scientists think they "know the truth" or "know everything". Not only are these flimsy straw men, but skeptics and scientists generally do not believe that such a Truth is something we are going to be able to know for certain. Truth, and especially scientific truth, is always truth with a small "t". It is a provisional, asymptotic approximation of the Truth with a capital "T", or at least a usable model of that Truth that works well enough to make predictions and describe and understand our world. <br />
<br />
As humans, we are fettered by various frailties, biases and tendencies toward rationalization that often make it difficult to step back and be truly objective about ourselves, our beliefs, the world and the facts that we attempt to evaluate. Our brains are constantly filtering and interpreting the information we receive via all of our senses. We all (skeptics included) need to be aware of and constantly diligent about these limitations in our pursuit of the truth. I've seen ideology trump facts and data too often in all walks of life. Follow the evidence!<br />
<blockquote class="tr_bq">
Q: "What do you call alternative medicine that works?"<br />
A: "Medicine"</blockquote>
I love this joke. It is pithy and gets to the heart of a prevalent problem: people find many rationales for relaxing the standards of reason and evidence so that something not rooted in demonstrable, testable, measurable facts gets a seat at the table next to something that is.<br />
<br />
Reason and evidence are crucial as well for my vocation, information security. I have come across so many terrible arguments, both for and against security controls, as well as people who try to use security as a Trojan horse to deliver something rooted in ulterior motives that would otherwise never have been green-lighted, or who use security as a sword to strike down something they don't like for other reasons (often unjustifiable, or flimsy at best). Intellectual dishonesty, sloppy scholarship, fallacious argumentation, rationalization and cognitive dissonance all occur so often that it is useful and necessary to engage one's skills as a skeptic to get at the kernel of truth and ensure you are making the right evidence-based decisions, lest you convey a false sense of security, waste precious security budget on the wrong (or incomplete, or ineffectual) solutions, or miss out on focusing on more important security problems. I think I've made a career out of being the voice of reason, calling for demonstrable evidence where necessary to prove an assertion, or redirecting efforts to address higher-risk vulnerabilities than the hack-du-jour. I'll definitely write more about those experiences.<br />
<br />
Wherever those pesky facts lead us is worthy of pursuit and protection from those who would undermine reality in pursuit of their own alternative agenda. There are the aforementioned who abuse the truth about information security to push a competing agenda; religious fundamentalists who are adulterating the educational system; global warming deniers preventing real change to stem the damage and research into solutions to anthropogenic forcing; ideologues, quacks and charlatans who peddle remedies that simply don't work (except to drain your bank account) or, worse, are highly dangerous or keep people from continuing with real therapies; religious fundamentalists who keep their kids from receiving medical care in favor of prayer; etc. Visit <a href="http://whatstheharm.net/">http://whatstheharm.net/</a> for specific documented examples of the real harms of pseudoscience.<br />
<br />
I leave you for now with some of my favorite quotes regarding the pursuit and importance of truth:<br />
<blockquote><p>
Truth is a shining goddess, always veiled, always distant, never wholly approachable, but worthy of all the devotion of which the human spirit is capable. -- Bertrand Russell</p></blockquote>
<blockquote><p>
The pursuit of truth and beauty is a sphere of activity in which we are permitted to remain children all our lives. -- Albert Einstein</p></blockquote>
<blockquote><p>
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. -- Mark Twain</p></blockquote>
<blockquote><p>
The truth may be puzzling. It may take some work to grapple with. It may be counterintuitive. It may contradict deeply held prejudices. It may not be consonant with what we desperately want to be true. But our preferences do not determine what's true. -- Carl Sagan</p></blockquote>
<blockquote><p>
I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true. -- Carl Sagan</p></blockquote>
<blockquote><p>
The significance of our lives and our fragile planet is then determined only by our own wisdom and courage. We are the custodians of life's meaning. We long for a Parent to care for us, to forgive us our errors, to save us from our childish mistakes. But knowledge is preferable to ignorance. Better by far to embrace the hard truth than a reassuring fable. If we crave some cosmic purpose, then let us find ourselves a worthy goal. -- Carl Sagan</p></blockquote>
<blockquote><p>
If I could get the world to respond to one question, it would be, Do we have the courage to let go of our beliefs in order to grab on to what is true? -- Sara Mayhew</p></blockquote>
-- Jason Axley<br />
<p><b>Beautiful life diary to cultivate happiness</b> (published 2012-03-25, updated 2013-06-19)</p>
From the book <a href="http://richardwiseman.wordpress.com/59-seconds-think-a-little-change-a-lot/">59 Seconds</a> by Richard Wiseman, this is a list of writing topics that you can do over the course of a week -- spending just 59 seconds each day -- to cultivate happiness. And each activity is backed by actual scientific research.<br />
<br />
I had intended to do this from early on this year but have not done so. But that's not going to stop me from starting now.<br />
<br />
<ul>
<li>Monday: <strong>"Thanksgiving"</strong>; list 3 things from the past week that you are grateful for, even small things</li>
<li>Tuesday: <strong>"Terrific times in life"</strong>; describe one and how you felt</li>
<li>Wednesday: <strong>"Future fantastic"</strong>; imagine a realistic future life for yourself and write about it</li>
<li>Thursday: <strong>"Dear"</strong>; pick someone dear to you and write them a letter describing their impact on you, as if this were your only opportunity to tell them</li>
<li>Friday: <strong>"Reviewing the situation"</strong>; reflect on the past week, pick 3 things that went well for you and write one sentence on why each turned out so well</li>
</ul>
<br />
<br />
I'd highly, highly recommend this book. It is a fascinating read and has loads of very insightful and useful tips and cuts through the self-help scrap-heap.<br />
<br />-- Jason Axley<br />
<p><b>Christmas Car Break-in</b> (published 2010-12-24, updated 2013-06-22)</p>
Ugh. Came out this morning to my car in my driveway to go downtown and found both right-side windows rolled down. Hmmm... I didn't do that. Go around to the driver's side and both of _those_ are rolled down too. Grrr.<br /><br />
Fortunately, it did not rain very hard, so little water got in the car. And fortunately there is no visible damage and nothing was taken (there really wasn't anything to take except some pennies).<br /><br />
And now I find via a Google search that there are some hacks that can cause the windows to all electronically roll down with a screwdriver in or near the keyhole. Lovely. This system does not seem to require the key with the transponder chip in it to operate. Maybe someone with a valet key or some kind of master can trick the lock into rolling down the windows.<br /><br />
Looks like I'll be disconnecting that wiring and maybe even replacing the keyhole cover with a blank plate like on the passenger side to cover the hole entirely. Either that or leave the car unlocked for the next guy.<br /><br />
-- Jason Axley<br />
<p><b>ABC News poll on TSA scanners misleading</b> (published 2010-11-24, updated 2013-06-20)</p>
So, ABC News polled 514 people by telephone to try to find out if people support the new backscatter x-ray machines. They are reporting now that people support them "2 to 1" over those opposing them. However, if you look at their sampling methodology (available in a PDF on their site), you can see that they actually skewed the question. Their whole focus was on determining support _in light of the privacy issues_.
They did not, however, include any questions about support if there were _risks due to radiation_. They asked questions about how informed users were about possible risks, but only generically, and treated it as if it were a matter of mere opinion.<br />
<br />
Here is the question they asked that the 2-to-1 figure is based on:<br />
<br />
"The Transportation Security Administration is increasing its use of so-called<br />
'full-body' digital x-ray machines to screen passengers in airport security lines.<br />
(Supporters say these machines improve the ability to spot hidden weapons and<br />
explosives, and reduce the need for physical searches.) (Opponents say these machines<br />
invade privacy by producing x-ray images of a passenger's naked body that security<br />
officials can see, and don't provide enough added security to justify this.) Which<br />
comes closer to your own view - do you support or oppose using these scanners in airport security lines? "<br />
<br />
Here is the question they asked about health concerns:<br />
<br />
"As far as you're aware do you think these new scanning machines may pose a health<br />
risk, or do you think that's not a serious concern?"<br />
<br />
As if the health risks are just some kind of matter of opinion? Why not ask a question like,<br />
<br />
"Researchers have shown that these machines emit X-rays in high enough doses that are concentrated at skin depth and may well increase the risk of cancer (skin, testicular, etc.), which will knowingly result in harming people each year -- more than the machines might save from terrorist attacks. Given this information, do you think that their usage is justified?"<br />
<br />
<a href="http://abcnews.go.com/Politics/abc-news-washington-post-poll-air-travel-security/story?id=12215139">http://abcnews.go.com/Politics/abc-news-washington-post-poll-air-travel-security/story?id=12215139</a><br />
<br />-- Jason Axley<br />
<p><b>Skepticblog » Get Fed Up: Report Medical Quackery to the FDA</b> (published 2010-10-17, updated 2013-06-19)</p>
Medical practice quackery has to be reported to the FTC, <a href="http://www.ftc.gov/ftc/contact.shtm">http://www.ftc.gov/ftc/contact.shtm</a>, as I just did for a chiropractor that claimed they could help with "ADHD", "Bedwetting", "PMS", "Asthma", "Ear infections", "Colic", and even "Allergies". The FTC "wizard" is a bit cumbersome, but you eventually get 3500 characters to describe your complaint after about 50 clicks.<br />
<br />
<a href="http://skepticblog.org/2010/01/14/get-fed-up-report-medical-quackery-to-the-fda/">http://skepticblog.org/2010/01/14/get-fed-up-report-medical-quackery-to-the-fda/</a><br />
<br />
<br />
<br />
Update: Forgot to link to a great paper from the New Zealand Medical Journal that summarizes the common false claims made and the current evidence for each claim: <a href="http://www.dcscience.net/Ernst-Gilbey-Chiropractic-claims-NZMJ.pdf">Chiropractic claims in the English-speaking world</a>.<br />
<br />-- Jason Axley<br />
<p><b>Google Voice Chat QoS</b> (published 2010-10-01, updated 2013-06-19)</p>
I've been looking for QoS pointers for Google Voice Chat. I've found that it works great on my DSL until I am also attending a web conference over WebEx at the same time. Then I can still hear fine, but upstream I'm told my voice cuts in and out.<br />
<br />
So, I figured it's time for some QoS Settings on my router.<br />
<br />
It appears that Google Voice Chat uses HTTPS for signaling but an XMPP extension called Jingle that uses RTP over UDP for the actual call data.<br />
<br />
I cracked open Wireshark to analyze the traffic and saw communication with servers on the 74.125.0.0/16 network, which is owned by Google.<br />
<br />
<blockquote>
Destination: stun.l.google.com (74.125.155.126)</blockquote>
<br />
<br />
So, for now, I have enabled Expedited packet status for any UDP packets going to and from that network. Will have to run another test later to see if it helped dramatically.<br />
<br />
One troubling thing that I noticed in the packet capture is that not all of the data is protected for confidentiality. I suspect there _may_ be some encryption for the RTP data, because Wireshark did not detect any RTP sessions. However, one packet every once in a while revealed the phone number that I was calling. So anyone on your wireless LAN or along the wire can see who you are calling. They may even be able to intercept that packet and play MITM by routing your calls through them. Who knows.<br />
<br />
Here's a redacted version of the ASCII portion of the data packet contents:<br />
<br />
<blockquote>
0 0+12065551212@voice.google.com</blockquote>
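<br />The two checks in this post (which UDP flows fall inside the Google /16 that got Expedited QoS treatment, and whether any payload carries a call identifier in the clear) can be scripted so they run over a whole capture rather than being eyeballed in Wireshark. The following is an added example, not code from the original post: the 74.125.0.0/16 network and the <code>+number@voice.google.com</code> identifier format come from the post, while the packet structure, the sample addresses and the payload bytes are constructed assumptions for illustration.<br />

```python
"""Audit a small, constructed packet list for (a) membership in the UDP QoS
class the post describes and (b) plaintext call identifiers in the payload.

Added example, not code from the original post. The /16 and the identifier
format are from the post; the Packet type, addresses and payloads are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Network the post observed Google Voice Chat talking to (from the post).
GOOGLE_VOICE_NET = ipaddress.ip_network("74.125.0.0/16")

# E.164-style number at a SIP/XMPP-style domain, e.g. +12065551212@voice.google.com
CALL_ID_RE = re.compile(rb"\+\d{7,15}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Packet:
    """Minimal decoded packet; a real tool would fill this from a pcap."""
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    payload: bytes


def in_expedited_class(pkt: Packet) -> bool:
    """True if the packet matches the QoS rule from the post:
    UDP to or from the 74.125.0.0/16 network."""
    if pkt.proto != "udp":
        return False
    return (ipaddress.ip_address(pkt.src) in GOOGLE_VOICE_NET
            or ipaddress.ip_address(pkt.dst) in GOOGLE_VOICE_NET)


def redact_number(ident: str) -> str:
    """Keep the leading '+' and country digit plus the domain; mask the rest,
    so an audit log does not itself become a record of who was called."""
    user, domain = ident.split("@", 1)
    return user[:2] + "*" * (len(user) - 2) + "@" + domain


def find_plaintext_identifiers(pkt: Packet) -> List[str]:
    """Return redacted call identifiers found in the cleartext payload."""
    return [redact_number(m.decode("ascii")) for m in CALL_ID_RE.findall(pkt.payload)]


def audit(packets: List[Packet]) -> Dict[str, object]:
    """Count expedited-class packets and collect (index, src, dst, ident) leaks."""
    expedited = 0
    leaks: List[Tuple[int, str, str, str]] = []
    for i, pkt in enumerate(packets):
        if in_expedited_class(pkt):
            expedited += 1
        for ident in find_plaintext_identifiers(pkt):
            leaks.append((i, pkt.src, pkt.dst, ident))
    return {"expedited": expedited, "leaks": leaks}


# Constructed sample capture (not real traffic): a STUN-style probe, an opaque
# media packet, a signaling packet carrying the identifier in the clear, and an
# unrelated TLS flow that should fall outside the QoS class.
SAMPLE_PACKETS = [
    Packet("192.168.1.10", "74.125.155.126", "udp",
           b"\x00\x01\x00\x00\x21\x12\xa4\x42" + bytes(12)),
    Packet("74.125.155.126", "192.168.1.10", "udp", bytes(range(0x80, 0xA0))),
    Packet("192.168.1.10", "74.125.155.126", "udp",
           b"\x00\x00+12065551212@voice.google.com"),
    Packet("192.168.1.10", "203.0.113.5", "tcp", b"\x16\x03\x01\x00\x9c"),
]


if __name__ == "__main__":
    result = audit(SAMPLE_PACKETS)
    print("packets in Expedited UDP class:", result["expedited"])
    for idx, src, dst, ident in result["leaks"]:
        print(f"packet {idx} {src} -> {dst}: plaintext identifier {ident}")
```

Two design points worth noting: the identifier is redacted before it is ever stored, so the audit tool does not reproduce the very leak it is looking for; and the regex is deliberately narrow (a <code>+</code>-prefixed number at a domain), so random media bytes do not produce false hits.<br />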
<br />
<br />-- Jason Axley<br />
<p><b>Understanding Atheists/Agnostics</b> (published 2010-09-25, updated 2013-06-20)</p>
Came across this quote today that is more cerebral than the quip about "We're all atheists -- I just go one god further than you":<br />
<blockquote>
"when you understand why you reject the gods of other religions, you'll understand why I reject yours."</blockquote>
<br />
<br />-- Jason Axley