Wednesday, June 14, 2017

Notes on open-sourcing abandoned code

Some people want a law that compels companies to release their source code for "abandoned software", in the name of cybersecurity, so that customers who bought it can continue to patch bugs long after the seller has stopped supporting the product. This is a bad policy, for a number of reasons.

Tuesday, June 06, 2017

What about other leaked printed documents?

So nat-sec pundit/expert Marci Wheeler (@emptywheel) asks about those DIOG docs leaked last year. They were leaked in printed form, then scanned in an published by The Intercept. Did they have these nasty yellow dots that track the source? If not, why not?

The answer is that the scanned images of the DIOG doc don't have dots. I don't know why. One reason might be that the scanner didn't pick them up, as it's much lower quality than the scanner for the Russian hacking docs. Another reason is that the printer used my not have printed them -- while most printers do print such dots, some printers don't. A third possibility is that somebody used a tool to strip the dots from scanned images. I don't think such a tool exists, but it wouldn't be hard to write.

Monday, June 05, 2017

How The Intercept Outed Reality Winner

Today, The Intercept released documents on election tampering from an NSA leaker. Later, the arrest warrant request for an NSA contractor named "Reality Winner" was published, showing how they tracked her down because she had printed out the documents and sent them to The Intercept. The document posted by the Intercept isn't the original PDF file, but a PDF containing the pictures of the printed version that was then later scanned in.

As the warrant says, she confessed while interviewed by the FBI. Had she not confessed, the documents still contained enough evidence to convict her: the printed document was digitally watermarked.

The problem is that most new printers print nearly invisibly yellow dots that track down exactly when and where documents, any document, is printed. Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document.

In this post, I show how.

Some non-lessons from WannaCry

This piece by Bruce Schneier needs debunking. I thought I'd list the things wrong with it.

Saturday, June 03, 2017

How to track that annoying pop-up

In a recent update to their Office suite on Windows, Microsoft made a mistake where every hour, for a fraction of a second,  a black window pops up on the screen. This leads many to fear their system has been infected by a virus. I thought I'd document how to track this down.

Tuesday, May 30, 2017

I want to talk for a moment about tolerance

This post is in response to this Twitter thread. I was going to do a series of tweets in response, but as the number grew, I thought it'd better be done in a blog.


She thinks we are fighting for the rights of Nazis. We aren't -- indeed, the fact that she thinks we are is exactly the problem. They aren't Nazis.

The issue is not about a slippery slope that first Nazi's lose free speech, then other groups start losing their speech as well. The issue is that it's a slippery slope that more and more people get labeled a Nazi. And we are already far down that slope.

The "alt-right" is a diverse group. Like any group. Vilifying the entire alt-right by calling them Nazi's is like lumping all Muslims in with ISIS or Al Qaeda. We really don't have Nazi's in America. Even White Nationalists don't fit the bill. Nazism was about totalitarianism, real desire to exterminate Jews, lebensraum, and Aryan superiority. Sure, some of these people exist, but they are a fringe, even among the alt-right.

It's at this point we need to discuss words like "tolerance". I don't think it means what you think it means.

The idea of tolerance is that reasonable people can disagree. You still believe you are right, and the other person is wrong, but you accept that they are nonetheless a reasonable person with good intentions, and that they don't need to be punished for holding the wrong opinion.

Gay rights is a good example. I agree with you that there is only one right answer to this. Having spent nights holding my crying gay college roommate, because his father hated gays, has filled me with enormous hatred and contempt for people like his father. I've done my fair share shouting at people for anti-gay slurs.

Yet on the other hand, progressive icons like Barack Obama and Hillary Clinton have had evolving positions on gay rights issues, such as having opposed gay marriage at one time.

Tolerance means accepting that a person is reasonable, intelligent, and well-meaning -- even if they oppose gay marriage. It means accepting that Hillary and Obama were reasonable people, even when they were vocally opposing gay marriage.

I'm libertarian. Like most libertarians, I support wide open borders, letting any immigrant across the border for any reason. To me, Hillary's and Obama's immigration policies are almost as racist as Trump's. I have to either believe all you people supporting Hillary/Obama are irredeemably racist -- or that well-meaning, good people can disagree about immigration.


I could go through a long list of issues that separate the progressive left and alt-right, and my point would always be the same. While people disagree on issues, and I have my own opinions about which side is right, there are reasonable people on both sides. If there are issues that divide our country down the middle, then by definition, both sides are equally reasonable. The problem with the progressive left is that they do not tolerate this. They see the world as being between one half who hold the correct opinions, and the other half who are unreasonable.

What defines the "alt-right" is not Nazism or White Nationalism, but the reaction of many on the right to intolerance of many on the left. Every time somebody is punished and vilified for uttering what is in fact a reasonable difference of opinion, they join the "alt-right".

The issue at stake here, the issue that the ACLU is defending, is after that violent attack on the Portland train by an extremist, the city is denying all "alt-right" protesters the right to march. It's blaming all those of the "alt-right" for the actions of one of their member. It's similar to cities blocking Muslims from building a mosque because of extremists like ISIS and Al Qaeda, or disturbed individuals who carry out violent attacks in the name of Islam.

This is not just a violation of the First Amendment rights, it's an obvious one. As the Volokh Conspiracy documents, the courts have ruled many times on this issue. There is no doubt that the "alt-right" has the right to march, and that the city's efforts to deny them this right is a blatant violation of the constitution.

What we are defending here is not the rights of actual Nazi's to march (as the courts famous ruled was still legitimate speech in Skokie, Illinois), but the rights of non-Nazi's to march, most who have legitimate, reasonable (albeit often wrong) grievances to express. This speech is clearly being suppressed by gun wielding thugs in Portland, Oregon.

Those like Jillian see this as dealing with unreasonable speech, we see this as a problem of tolerably wrong speech. Those like Jillian York aren't defending the right to free speech because, in their minds, they've vilified the people they disagree with. But that's that's exactly when, and only when, free speech needs our protection, when those speaking out have been vilified, and their repression seems just. Look at how Russia suppresses supporters of gay rights, with exactly this sort of vilification, whereby the majority of the populace sees the violence and policing as a legitimate response to speech that should not be free.

We aren't fighting a slippery slope here, by defending Nazis. We've already slid down that slope, where reasonable people's rights are being violated. We are fighting to get back up top.

--> -->

Monday, May 22, 2017

Houston we have a problem!


Of the many undesirable results of the Space Program is the fetishization of the "mission control center", with it's rows of workstations facing a common central screen. Ever since, anybody with any sort of mission now has a similar control center.

It's a pain for us in the cybersecurity community because every organization wants a "security operations center" laid out the same way. The point of he room isn't to create something that's efficient for working, but one that will impress visitors. The things done to impress customers can often make an already difficult job even more difficult.




I point this out because of the "glowing globe" picture from President Trump's visit to Saudi Arabia. It's supposed to celebrate the opening of the "Global Center for Combating Extremist Ideology" (http://etidal.org). Zoom the camera out a bit, and you can see it's the mission control center from hell.


Manually counting, I see three sides, each with slightly more than 100 workstations/employees, or more than 300 in total. I don't know if they intend all three sections to focus on the same sets of problems, or if they are split into three different tasks (e.g. broadcast TV vs. Internet content). Their brochure is unclear. I suspect in the long it'll be full of third country nations from a broad swath of Muslim nations who can speak the local languages and dialects, working in a sweat-shop manner.

In any case, it's clear that the desire for show/spectacle has far outstripped any practical use.

The more I read about this, the more Orwellian it seems. Rather than opposing ISIS's violence, it seems more intent on promoting a Saudi ideology. The whole spectacle seems intent on tricking the Trump administration into supporting something it really should be opposing.

Friday, May 12, 2017

Some notes on Trump's cybersecurity Executive Order

President Trump has finally signed an executive order on "cybersecurity". The first draft during his first weeks in power were hilariously ignorant. The current draft, though, is pretty reasonable as such things go. I'm just reading the plain language of the draft as a cybersecurity expert, picking out the bits that interest me. In reality, there's probably all sorts of politics in the background that I'm missing, so I may be wildly off-base.