Security companies and governments conspire to discover and hide software vulnerabilities that can be used as spyware vectors
The Electronic Frontier Foundation's Marcia Hoffman writes about security research companies that work to discover "zero day" vulnerabilities in software and operating systems, then sell them to governments and corporations that want to use them as a vector for installing spyware. France's VUPEN is one such firm, and it claims that it only sells to NATO countries and their "partners," a list that includes Belarus, Azerbaijan, Ukraine, and Russia. As Hoffman points out, even this low standard is likely not met, since many of the governments with which VUPEN deals would happily trade with other countries with even worse human rights records -- if Russia will sell guns to Syria, why not software exploits? VUPEN refuses to disclose its discoveries to the software vendors themselves, even for money, because it wants to see to it that the vulnerabilities remain unpatched and exploitable for as long as possible.
“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.
While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million.
But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.
EFF calls out governments for trafficking in these vulnerabilities, rather than demanding their disclosure and repair. Any unpatched vulnerability puts every user of the affected software at risk. For a government to appropriate a vulnerability to itself and keep it secret in the name of "national security," rather than fixing it for the nation's citizens, is "security for the 1%."
Sculptor Christopher Locke makes the most amazing spiders out of scissors -- but not just any scissors. Scissors that the TSA confiscated and auctioned off.
Although the TSA website says scissors with blades less than four inches are allowed on airplanes, the individual officers conducting the screening have the authority to confiscate anything they think could be used as a weapon. As a result, hundreds of pairs of scissors are confiscated daily at American airports.
In the Boing Boing store, a bubblegum-based label-writer. Feed it with any standard bubblegum tape, and stamp your message into it before you begin your chewy chewing for choosy chewers.
Romssonson created a single YouTube video displaying a grid of 130 miniature Simpsons episodes:
About the video:
-Top to bottom: each row shows a season (from season 1 to season 10)
-Left to right: each column shows an episode (from episode 1 to episode 13)
A total of 130 episodes is displayed; the framerate is 25fps; thumbnails were captured at 80x60px.
Our maker this week is Yury Gitman. Yury's a toy inventor and a product designer who teaches physical computing and toy design at Parsons The New School for Design in New York. In the current issue of MAKE, Volume 29, Yury co-wrote an article about his Pulse Sensor, a wearable heart beat sensor that he created with his colleague Joel Murphy.
Before the interview with Andy, I mention a cool project on our makeprojects.com website. It's a guide on how to harvest and use squid ink, which you can use for cooking or printing. It was written by Instructables.com cofounder Christy Canida.
Mark Bowden's Atlantic article tells the story of Don Johnson, a high-rolling gambler who broke the bank at three Atlantic City casinos without card-counting or other "cheats."
Years ago, I was mildly obsessed with understanding casino economics and cheats, and read a bunch of books on how to win (or at least lose slowly) at a casino. The consensus among the experts I read was to realize that most skill-based casino games are only mildly "negative expectation" (that is, if you play them with perfect statistical strategy, you'll lose a little money over time). Also, most casinos distribute "comps" (freebies) to make up about forty percent of your estimated losses. These losses are calculated by pit bosses who keep an eye on consistent gamblers and observe the size of your normal bet and the tightness of your play, then make a guess at how much you're losing per hour, and multiply that by the number of hours you spend at the table (or at least, they did -- some casinos now use automated stored-value wagering cards that eliminate the need for estimation).
The secret to converting the negative expectation game to a positive expectation game was to trick the pit bosses. Play very slowly when the pit boss isn't watching, making the minimum bet on each hand and losing as slowly as possible. When the pit boss comes by to look, start playing fast and loose, and increase your bet-size. If the ruse works, the pit boss will be tricked into comping you enough freebies to make your play pay, even if only by a little.
The problem with this method is that it means that you can get a "free holiday" in Vegas or Atlantic City only if you're willing to devote most of that holiday to standing at a blackjack table or video-poker machine playing hand after hand after hand, for eight or ten hours a day. You have to play with perfect, machine-like precision, making no mistakes at all (get the odds wrong and your profits can disappear in a single hand), and all of it in order to win a few nights in a hotel, show tickets, buffet passes, and some golf. Most people capable of that sort of consistent activity and focus can find gainful employment that pays substantially more than they'd earn at the tables and just buy the vacation outright, without having to squander their holidays trying to beat the house.
But Don Johnson went much further. As a high-roller, Johnson was often solicited by the big casinos to come and play at their tables. As the recession deepened, the offers got sweeter. They offered him "discounts" on his losses -- cash rebates of a fixed percentage of the money he lost at the tables. Johnson is also a monstrously focused, skilled blackjack player. So he would negotiate these excellent deals from the casinos, bring a huge stake with him, sit at a blackjack table, and play at high velocity, making zero mistakes, for extremely long stretches. With perfect, high-speed play, he could convert his small positive expectation -- thanks to the discount he'd negotiated with the house -- to multimillion-dollar winnings.
Sophisticated gamblers won’t play by the standard rules. They negotiate. Because the casino values high rollers more than the average customer, it is willing to lessen its edge for them. It does this primarily by offering discounts, or “loss rebates.” When a casino offers a discount of, say, 10 percent, that means if the player loses $100,000 at the blackjack table, he has to pay only $90,000. Beyond the usual high-roller perks, the casino might also sweeten the deal by staking the player a significant amount up front, offering thousands of dollars in free chips, just to get the ball rolling. But even in that scenario, Johnson won’t play. By his reckoning, a few thousand in free chips plus a standard 10 percent discount just means that the casino is going to end up with slightly less of the player’s money after a few hours of play. The player still loses.
But two years ago, Johnson says, the casinos started getting desperate. With their table-game revenues tanking and the number of whales diminishing, casino marketers began to compete more aggressively for the big spenders. After all, one high roller who has a bad night can determine whether a casino’s table games finish a month in the red or in the black. Inside the casinos, this heightened the natural tension between the marketers, who are always pushing to sweeten the discounts, and the gaming managers, who want to maximize the house’s statistical edge. But month after month of declining revenues strengthened the marketers’ position. By late 2010, the discounts at some of the strapped Atlantic City casinos began creeping upward, as high as 20 percent.
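The loss rebate is the whole trick, so it is worth seeing the arithmetic behind "small positive expectation." The Python below is an added example, not code from this post or from the Atlantic piece, and it uses a deliberately simple model with assumed parameters: every hand is an even-money bet that the player wins with probability p (so the house edge per hand is 1 - 2p), the bet is a flat one unit, the session is exactly n hands, and the casino rebates a fraction r of the session's net loss (a winning session gets nothing back). Because the rebate only kicks in on losing sessions, the expected value is the ordinary negative expectation plus r times the expected size of a losing session, and the break-even rebate follows directly from those two numbers.

```python
"""Exact expected value of a house-edge game once the casino rebates a share
of the player's net session loss ("discount" / "loss rebate").

Added example with a toy model; it is not Johnson's deal or any casino's terms.
Assumptions (all hypothetical): even-money hands won with probability p, a flat
bet of 1 unit, exactly n hands per session, rebate rate r on the net loss.
"""
from math import exp, lgamma, log, log1p


def house_edge(p):
    """House edge per hand as a fraction of the bet (positive favours the house)."""
    return 1.0 - 2.0 * p


def session_stats(p, n):
    """Return (E[net result], E[net loss]) in bet units for an n-hand session.

    Walks the binomial distribution of k wins out of n hands, so the result is
    exact up to floating point. Probabilities are built in log space so that
    large n does not overflow the binomial coefficient.
    """
    e_net = 0.0
    e_loss = 0.0
    for k in range(n + 1):
        log_prob = (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
                    + k * log(p) + (n - k) * log1p(-p))
        prob = exp(log_prob)
        net = 2 * k - n                 # wins minus losses, flat 1-unit bet
        e_net += prob * net
        e_loss += prob * max(-net, 0)   # only losing sessions are rebated
    return e_net, e_loss


def session_ev(p, n, r):
    """Player's expected result with rebate r: E[net] + r * E[net loss]."""
    e_net, e_loss = session_stats(p, n)
    return e_net + r * e_loss


def breakeven_rebate(p, n):
    """Rebate rate at which the session becomes zero expectation for the player.

    EV is linear in r, so the break-even rate is -E[net] / E[net loss].
    """
    e_net, e_loss = session_stats(p, n)
    return -e_net / e_loss


if __name__ == "__main__":
    p = 0.4975  # assumed: a 0.5% house edge, roughly good-rules blackjack
    print(f"house edge per hand: {house_edge(p):.4f}")
    for n in (100, 1000, 10000):
        print(f"{n:6d} hands: no rebate {session_ev(p, n, 0.0):8.2f}  "
              f"10% {session_ev(p, n, 0.10):8.2f}  "
              f"20% {session_ev(p, n, 0.20):8.2f}  "
              f"break-even rebate {breakeven_rebate(p, n):.3f}")
```

In this flat-bet, fixed-length model a 10 percent rebate still leaves a 100-hand session negative while 20 percent turns it positive, which is the shape of the argument the excerpt makes. The model also shows why the terms matter so much: the expected net loss grows in proportion to the number of hands, while the expected size of a losing session grows only with its square root, so the same rebate buys less and less as a session stretches on. The Atlantic piece gives no detail of Johnson's terms beyond the rebate percentage, so this model is not a reconstruction of his actual edge.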
Thank you to our sponsor ShanaLogic, sellers of handmade and independently designed durable goods, apparel, delightful gifts, and other fine kit. Check out this clever unisex "<3 (heart) ring" for $55 and the mutant creature emblazoned on this $44 cotton canvas Octopus Owl Messenger Bag. Shana says, "I'm giving out 10% off orders with code BOINGY and 15% off orders over $100 with code GREATEST!"
Regina Spektor is a Russian-born, classically-trained pianist who started making the downtown NYC avant-folk scene as a singer-songwriter in the late 1990s. She eventually rose to international prominence with her exquisite fourth album, "Begin to Hope" (2006), featuring the popular single "Fidelity." My whole family has enjoyed her music for years and so I was delighted when I heard some time ago that Regina really digs BB! Above is Regina's new video for "All the Rowboats," from her album "What We Saw From the Cheap Seats" due out in May. The video was directed by Adria Petty (yes, daughter of Tom), who also directed the "Live In London: Regina Spektor" concert film.
Canada to stop issuing pennies, businesses told to round off to nearest 5 cents, or "work it out for themselves"
The Canadian Tory government has announced that it's discontinuing the minting of new pennies, as the coins are expensive and considered a "nuisance" by businesses and their customers. As Steven Chase writes in the Globe and Mail:
“It costs taxpayers a penny-and-a-half every time we make one,” Finance Minister Jim Flaherty told the Commons, adding the move will save taxpayers $11-million annually.
...The increasing scarcity of pennies means Canadians will have to get used to cash transactions being rounded off if they’ve got no pennies on hand.
Ottawa is suggesting businesses round off cash transactions to the nearest five-cent increment but says it’s leaving this to businesses to work out for themselves.
When I was (briefly) at the University of Waterloo, the Engineering faculty's cafeteria had an option to dispense with change altogether: when your bill was added up, you could opt to gamble on rounding, with the direction -- up or down -- dependent on your change. In other words, if you had $3.83 owing to you, you'd have an 83% chance of getting $4 back, and a 17% chance of getting $3 back.
(Image: CANADA, GEORGE V 1920 ---FIRST ISSUE, SMALL ONE CENT a, a Creative Commons Attribution Share-Alike (2.0) image from woodysworld1778's photostream)
Abuse (physical, sexual, emotional, or psychological), Alcohol (beer and liquor), tobacco, or drugs, Birthday celebrations (and birthdays), Bodily functions, Cancer (and other diseases), Catastrophes/disasters (tsunamis and hurricanes), Celebrities, Children dealing with serious issues, Cigarettes (and other smoking paraphernalia), Computers in the home (acceptable in a school or library setting), Crime, Death and disease, Divorce, Evolution, Expensive gifts, vacations, and prizes, Gambling involving money, Halloween, Homelessness, Homes with swimming pools, Hunting, Junk food, In-depth discussions of sports that require prior knowledge, Loss of employment, Nuclear weapons, Occult topics (i.e. fortune-telling), Parapsychology, Politics, Pornography, Poverty, Rap Music, Religion, Religious holidays and festivals (including but not limited to Christmas, Yom Kippur, and Ramadan), Rock-and-Roll music, Running away, Sex, Slavery, Terrorism, Television and video games (excessive use), Traumatic material (including material that may be particularly upsetting such as animal shelters), Vermin (rats and roaches), Violence, War and bloodshed, Weapons (guns, knives, etc.), Witchcraft, sorcery, etc."
"50 words banned from NYC school tests" (SILive.com)
Over at MyLifeScoop, a site created by one of our sponsors, Intel, I wrote about Ken Goldberg's Telegarden (1995), Eric Paulos's Limelight (2004), and other classic Internet artworks.
Cyberspace is no longer a place we go to through our desktop or laptop screens, but an overlay on top of our physical reality. In fact, the most fertile ground for experimentation is where the real and the virtual blend together. As a card-carrying "futurist," one of my favorite places to look for experiments that point to where things are headed is within the world of art. Artists tend to push on the questions that we'll all be asking years later. And in the process, they often grapple with emerging technologies in unpredicted ways.
If you've ever heard Meco's classic space disco version of the Star Wars theme, or played the Xenon pinball machine, or seen the original Atari TV commercials, then you've heard the pioneering electronic music of Suzanne Ciani. From her earliest days studying with Don Buchla at UC Berkeley and Max Mathews at Stanford to her commercial work in the 1970s and 1980s to Grammy-nominated New Age music in the 1990s, Ciani has been a prolific composer and electronic music innovator. Here is a 1979 interview with her about creating the sounds for Bally's Xenon pinball machine:
The excellent Finders Keepers Records has just issued Suzanne Ciani: Lixiviation, a fantastic collection of her early recordings -- TV spots, corporate IDs, advertising jingles, and other short bits of brilliance. Check out her music for an Atari Liberator television commercial:
From Finders Keepers:
A classically trained musician with an MA in music composition, this American Italian pianist was first introduced to the synthesizer via her connections in the art world when abstract sculptor and collaborator Harold Paris introduced Suzanne to synthesizer designer Don Buchla, who created the instrument that would come to define Ciani's synthetic sound (the Buchla Synthesiser). Cutting her teeth providing self-initiated electronic music projects for art galleries, experimental film directors, pop record producers and proto-video nasties, Suzanne soon relocated to New York, where she quickly became the first point of call for electronic music services in both the underground experimental fields and the commercial advertising worlds alike. Counting names like Vangelis and Harald Bode amongst her close friends, Suzanne and her Ciani Musica company became the testing ground for virtually any type of new development in electronic and computerized music, amassing an expansive vault of commercially unexposed electronic experiments which have remained untouched for over 30 years… until now.
Suzanne Ciani: Lixiviation (Amazon)
The illustration in this 1943 Listerine shaving ad is totally perfect, and really makes the case that the MAD Magazine parodies of old time ads were basically faithful recreations. I love that they gave the guy a double chin.
3 days until the release of “The Art of Daniel Clowes: Modern Cartoonist”! (…plus your chance to win an autographed copy today)
Daniel Clowes: “The only valuable class I took in art school was from a guy who taught display lettering which was literally like sign painting. Everybody else was like, ‘Aww man, I can’t believe I have to take this cornball class,’ where I was front and center every week. Still to this day I use everything I learned in that class.”
See the other images
Here is a man who has apparently been arrested for intoxication in an unknown jurisdiction, disputing the charge from the back of a police cruiser by belting out a genuinely soulful rendition of Queen's "Bohemian Rhapsody." Skip to 3:40 for "Scaramouche! Scaramouche!"
Arrested Drunk Guy Sings Bohemian Rhapsody (Thanks, Fipi Lele!)