<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Boing Boing &#187; security</title>
	<atom:link href="http://boingboing.net/tag/security/feed" rel="self" type="application/rss+xml" />
	<link>http://boingboing.net</link>
	<description>Brain candy for Happy Mutants</description>
	<lastBuildDate>Sat, 25 May 2013 23:21:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.1</generator>
		<item>
		<title>Kickstarting a detailed plan to rob five banks&#160;simultaneously</title>
		<link>http://boingboing.net/2013/05/25/kickstarting-a-detailed-plan-t.html</link>
		<comments>http://boingboing.net/2013/05/25/kickstarting-a-detailed-plan-t.html#comments</comments>
		<pubDate>Sat, 25 May 2013 15:50:11 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[art]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[crowdfunding]]></category>
		<category><![CDATA[kickstarter]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=232434</guid>
		<description><![CDATA[<!--http://www.kickstarter.com/projects/1591139000/under-black-carpets-kickstart-a-bank-heist--><iframe frameborder="0" height="360" src="http://www.kickstarter.com/projects/1591139000/under-black-carpets-kickstart-a-bank-heist/widget/video.html" width="480" border="0" scrolling="no"></iframe>

<p>
Artist Ilona Gaynor produced a piece called "Under Black Carpets" that took the form of detailed plans for robbing five banks near LA's One Wilshire building, simultaneously. Gaynor worked with the LAPD and the FBI to produce a collection of fictional forensic evidence from these robberies, which were then exhibited.</p>]]></description>
			<content:encoded><![CDATA[
<!--http://www.kickstarter.com/projects/1591139000/under-black-carpets-kickstart-a-bank-heist--><iframe frameborder="0" height="360" src="http://www.kickstarter.com/projects/1591139000/under-black-carpets-kickstart-a-bank-heist/widget/video.html" width="480" border="0" scrolling="no"></iframe>

<P>
Artist Ilona Gaynor produced a piece called "Under Black Carpets" that took the form of detailed plans for robbing five banks near LA's One Wilshire building, simultaneously. Gaynor worked with the LAPD and the FBI to produce a collection of fictional forensic evidence from these robberies, which were then exhibited. Now, Gaynor's trying to raise &pound;20,000 to take the show on tour. &pound;30 gets you a cool-looking book, and &pound;40 gets you the book and a tee. 

<blockquote>
<P>



WAIT, ARE YOU REALLY GOING TO ROB THESE BANKS?
<p>
No. This is strictly a design / art project.
<p>
The exhibition of the work will be presented to the audience as a police investigation, detailing the remaining evidential material after the event has taken place, something that could be argued or challenged as material (evidence) in a court of law. The work itself will take form as sculptures, architectural models, technical drawings, films and photography. It will open as a solo exhibition (Special Project) at the Lisbon Architecture Triennale opening from Sep 12th - Dec 15th 2013.
</blockquote>


<P>
<a href="http://www.kickstarter.com/projects/1591139000/under-black-carpets-kickstart-a-bank-heist"> Under Black Carpets, kickstart a bank heist. </a>


(<i>via <a href="http://blog.wired.com/sterling/">Beyond the Beyond</a></i>)



]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/25/kickstarting-a-detailed-plan-t.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Book review: information security for&#160;lawyers</title>
		<link>http://boingboing.net/2013/05/21/book-review-information-secur.html</link>
		<comments>http://boingboing.net/2013/05/21/book-review-information-secur.html#comments</comments>
		<pubDate>Tue, 21 May 2013 18:00:30 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[books]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=231393</guid>
		<description><![CDATA[<p>
On Slashdot, a reader called benrothke reviews a book called <a href="http://www.amazon.com/exec/obidos/ASIN/1614383642/downandoutint-20">Locked Down: Information Security For Lawyers</a>. This sounds like a vital book -- my experience of lawyers (and accountants, doctors and other professions that deal with sensitive information) is that they really don't get information security, routinely transmitting potentially compromising documents in the clear as email attachments.</p>]]></description>
			<content:encoded><![CDATA[

<p>
On Slashdot, a reader called benrothke reviews a book called <a href="http://www.amazon.com/exec/obidos/ASIN/1614383642/downandoutint-20">Locked Down: Information Security For Lawyers</a>. This sounds like a vital book -- my experience of lawyers (and accountants, doctors and other professions that deal with sensitive information) is that they really don't get information security, routinely transmitting potentially compromising documents in the clear as email attachments. Not only don't they understand PGP -- they think it's good security to attach an encrypted ZIP archive to one email and follow it up with another email containing the password to decrypt it (facepalm). Anything that gets this sort of profession thinking well about security is most welcome.

<blockquote>
<p>
<a href="http://www.amazon.com/exec/obidos/ASIN/1614383642/downandoutint-20"><img src="http://boingboing.net/wp-content/uploads/2013/05/locked-down-information-security-for-lawyers2.jpg" class="bordered" align="right"></a>


The book quotes an ABA 2011 technology survey in which 21% of large law firms reported that their firm had experienced some sort of security breach, and 15% of all firms reported that they suffered a security breach. It is figures like those which show that attorneys really need to read this book and take the information to heart.
<p>
The book's 17 chapters are in a readable 150 pages, with an additional 120 pages of appendices. It is written in an easily understandable style, non-technical for the technologically challenged lawyer.
<p>
When it comes to the security of client data, in chapter 4 the authors write that encryption is a topic that most attorneys don't want to touch with a ten-foot pole. But it has reached a point where attorneys must understand how and when encryption should be used. Just as important, they need to know about key management, and what good encryption is. The chapter provides high-level detail on what needs to be done regarding encryption.
<p>
Chapter 13, on secure disposal, is an important topic to everyone, and not just lawyers. Digital media needs to be effectively disposed of; and many lawyers often think that means reformatting a hard drive or simply erasing files. The chapter effectively details the issues and offers numerous valuable hardware and software-based solutions. 
</blockquote>


<P>
<a href="http://books.slashdot.org/story/13/05/20/1313205/book-review-locked-down-information-security-for-lawyers?utm_source=rss1.0mainlinkanon&#038;utm_medium=feed"> Book Review: Locked Down: Information Security For Lawyers </a>
<p>
<a href="http://www.amazon.com/exec/obidos/ASIN/1614383642/downandoutint-20">Locked Down: Information Security For Lawyers</a> [Amazon]

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/21/book-review-information-secur.html/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Black Code: how spies, cops and crims are making cyberspace unfit for human&#160;habitation</title>
		<link>http://boingboing.net/2013/05/18/black-code-how-spies.html</link>
		<comments>http://boingboing.net/2013/05/18/black-code-how-spies.html#comments</comments>
		<pubDate>Sat, 18 May 2013 15:15:46 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Review]]></category>
		<category><![CDATA[books]]></category>
		<category><![CDATA[canada]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[gift guide]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[lawful interception]]></category>
		<category><![CDATA[military]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sextortion]]></category>
		<category><![CDATA[toronto]]></category>
		<category><![CDATA[war on general purpose computers]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=230976</guid>
		<description><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/05/914o-9H61iL._SL1500_1.jpg" class="bordered"/><br />
I reviewed Ronald Deibert's new book <a href="http://www.amazon.com/exec/obidos/ASIN/0771025335/downandoutint-20">Black Code</a> in this weekend's edition of the <em>Globe and Mail</em>. Deibert runs the <a href="https://citizenlab.org/">Citizen Lab</a> at the University of Toronto and has been instrumental in several high-profile reports that outed government spying (like Chinese hackers who compromised the Dalai Lama's computer and turned it into a covert CCTV) and massive criminal hacks (like the Koobface extortion racket).</p>]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://boingboing.net/wp-content/uploads/2013/05/914o-9H61iL._SL1500_1.jpg" class="bordered"><br />
I reviewed Ronald Deibert's new book <a href="http://www.amazon.com/exec/obidos/ASIN/0771025335/downandoutint-20">Black Code</a> in this weekend's edition of the <em>Globe and Mail</em>. Deibert runs the <a href="https://citizenlab.org/">Citizen Lab</a> at the University of Toronto and has been instrumental in several high-profile reports that outed government spying (like Chinese hackers who compromised the Dalai Lama's computer and turned it into a covert CCTV) and massive criminal hacks (like the Koobface extortion racket). His book is an amazing account of how cops, spies and crooks all treat the Internet as the same kind of thing: a tool for getting information out of people without their knowledge or consent, and how they end up in a kind of emergent conspiracy to erode the net's security to further their own ends. It's an absolutely brilliant and important book:

<blockquote>
<p>
Ronald Deibert’s new book, Black Code, is a gripping and absolutely terrifying blow-by-blow account of the way that companies, governments, cops and crooks have entered into an accidental conspiracy to poison our collective digital water supply in ways small and large, treating the Internet as a way to make a quick and dirty buck or as a snoopy spy’s best friend. The book is so thoroughly disheartening for its first 14 chapters that I found myself growing impatient with it, worrying that it was a mere counsel of despair.
<p>
But the final chapter of Black Code is an incandescent call to arms demanding that states and their agents cease their depraved indifference to the unintended consequences of their online war games and join with civil society groups that work to make the networked society into a freer, better place than the world it has overwritten.
<p>
Deibert is the founder and director of The Citizen Lab, a unique institution at the University of Toronto’s Munk School of Global Affairs. It is one part X-Files hacker clubhouse, one part computer science lab and one part international relations observatory. The Citizen Lab’s researchers have scored a string of international coups: Uncovering GhostNet, the group of Chinese hackers taking over sensitive diplomatic computers around the world and eavesdropping on the private lives of governments; cracking Koobface, a group of Russian petty crooks who extorted millions from random people on the Internet, a few hundred dollars at a time; exposing another Chinese attack directed at the Tibetan government in exile and the Dalai Lama. Each of these exploits is beautifully recounted in Black Code and used to frame a larger, vivid narrative of a network that is global, vital and terribly fragile.
<p>
Yes, fragile. The value of the Internet to us as a species is incalculable, but there are plenty of parties for whom the Internet’s value increases when it is selectively broken.
</blockquote>

<P>
<a href="http://www.theglobeandmail.com/arts/books-and-media/book-reviews/how-to-make-cyberspace-safe-for-human-habitation/article11990902/"> How to make cyberspace safe for human habitation </a>
<p>
<a href="http://www.amazon.com/exec/obidos/ASIN/0771025335/downandoutint-20">Black Code: Inside the Battle for Cyberspace</a> 




]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/18/black-code-how-spies.html/feed</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Denial-of-Service attacker tells Brian Krebs he&#039;s working for the&#160;FBI</title>
		<link>http://boingboing.net/2013/05/16/denial-of-service-attacker-tel.html</link>
		<comments>http://boingboing.net/2013/05/16/denial-of-service-attacker-tel.html#comments</comments>
		<pubDate>Fri, 17 May 2013 00:23:33 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[dos]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=230653</guid>
		<description><![CDATA[<p>
Last week, I <a href="http://boingboing.net/2013/05/13/inside-the-world-of-booters.html">blogged</a> Brian Krebs's amazing piece on AsylumBooter, a cheesy denial-of-service-for-hire site apparently run by a 17-year-old Chicago-area honor-roll student named Chandler Downs, whose PayPal account was flush with more than $30,000 paid by people who'd launched more than 10,000 online attacks.</p>]]></description>
			<content:encoded><![CDATA[
<p>
Last week, I <a href="http://boingboing.net/2013/05/13/inside-the-world-of-booters.html">blogged</a> Brian Krebs's amazing piece on AsylumBooter, a cheesy denial-of-service-for-hire site apparently run by a 17-year-old Chicago-area honor-roll student named Chandler Downs, whose PayPal account was flush with more than $30,000 paid by people who'd launched more than 10,000 online attacks.
<p>
Now, Krebs has uncovered an even weirder booter story: Ragebooter is another DoS company, but this one is run by a guy who claims to be working part time for the FBI, and who says that the FBI has its own login to his site and reviews all the IP addresses and other traffic data it logs. 

<blockquote>
<p>


Ragebooter.net’s registration records are hidden behind WHOIS privacy protection services. But according to a historic WHOIS lookup at domaintools.com, that veil of secrecy briefly fell away when the site was moved behind Cloudflare.com, a content distribution network that also protects sites against DDoS attacks like the ones Ragebooter and its ilk help to create (as I noted in Monday’s story, some of the biggest targets of booter services are in fact other booter services). For a brief period in Oct. 2012, the WHOIS records showed that ragebooter.net was registered by a Justin Poland in Memphis...
<p>
...

“I also work for the FBI on Tuesdays at 1pm in memphis, tn,” Poland wrote. “They allow me to continue this business and have full access. The FBI also use the site so that they can moniter [sic] the activitys [sic] of online users.. They even added a nice IP logger that logs the users IP when they login.”
<p>
When I asked Poland to provide more information that I might use to verify his claims that he was working for the FBI, the conversation turned combative, and he informed me that I wasn’t allowed to use any of the information he’d already shared with me. I replied that I hadn’t and wouldn’t agree that any of our discussion was to be off the record, and he in turn promised to sue me if I ran this story. That was more or less the end of that conversation.
</blockquote>
<p>
Poland gave Krebs the working personal number of an FBI agent identified as "Agent Lies," who put him onto the FBI's press contact, who stonewalled. Meanwhile, Ragebooter leaks a lot of info and there's some reason to believe that the FBI really does have its own back door. 
<P>
<a href="http://krebsonsecurity.com/2013/05/ragebooter-legit-ddos-service-or-fed-backdoor/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor?</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/16/denial-of-service-attacker-tel.html/feed</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Inside the world of &quot;booters&quot; -- cheesy DoS-for-hire&#160;sites</title>
		<link>http://boingboing.net/2013/05/13/inside-the-world-of-booters.html</link>
		<comments>http://boingboing.net/2013/05/13/inside-the-world-of-booters.html#comments</comments>
		<pubDate>Mon, 13 May 2013 23:10:55 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[christ what an asshole]]></category>
		<category><![CDATA[dos]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[videos]]></category>
		<category><![CDATA[youtube]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=229813</guid>
		<description><![CDATA[<!--http://www.youtube.com/watch?v=9odypM6OgY0--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/9odypM6OgY0?showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>

Brian Krebs delves into the world of "booter" services, low-level, amateurish denial-of-service websites where you can use PayPal to have your video-game enemies' computers knocked off the Internet by floods of traffic. Many booter services run off the same buggy codebase, and Krebs was apparently able to get inside the administrative interfaces for them and get some insight into their business.</p>]]></description>
			<content:encoded><![CDATA[
<!--http://www.youtube.com/watch?v=9odypM6OgY0--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/9odypM6OgY0?showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>

Brian Krebs delves into the world of "booter" services, low-level, amateurish denial-of-service websites where you can use PayPal to have your video-game enemies' computers knocked off the Internet by floods of traffic. Many booter services run off the same buggy codebase, and Krebs was apparently able to get inside the administrative interfaces for them and get some insight into their business. 
<p>
One such is "Asylum," which appears to be run by Chandler Downs, a 17-year-old Chicago-area honor-roll student who reportedly made $35,000 in PayPal payments in exchange for denial-of-service attacks. Asylum even has an ad (narrated by an actor hired through the casual labor exchange site Fiverr) where, for $18/month, you can launch unlimited DoSes against "skids on Xbox live." 
<p>
Young Mr Downs claimed that his service was not used to attack people, but only for legitimate stress-testing, then he changed his story and said he was only managing the service for someone else, and "You are able to block any of the 'attacks' as you say with rather basic networking knowledge. If you're unable to do such a thing you probably shouldn't be running a website in the first place."

<blockquote>
<p>


Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28. She noted that a booter service that appears to be a clone of Asylum – vastresser.ru – is hosted on the same server.
<p>
Asylum, like most other booter services, is hidden behind Cloudflare, a content distribution network that helps sites block attacks that services like Asylum are designed to launch. Apparently, getting attacked is something of an occupational hazard for those running a booter service. Behind the Cloudflare proxy, Nixon found that the secret IP for the Asylum stresser Web frontend was 93.114.42.205.
<p>
Both IP addresses map back to Voxility, a hosting facility in Romania that has a solid reputation in the cybercrime underground for providing so-called “bulletproof hosting” services, or those that generally turn a deaf ear to abuse complaints and requests from law enforcement officials. In January 2013, I profiled one data center at this ISP called Powerhost.ro that was being used as the home base of operations for the organized cybercrime gang that is currently facing charges of developing and distributing the Gozi Banking Trojan.
</blockquote>
<p>
According to Krebs, "Between the week of Mar. 17, 2013 and Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks."

<P>
<a href="http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29">DDoS Services Advertise Openly, Take PayPal</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/13/inside-the-world-of-booters.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Apple can decrypt iPhones for cops; Google can remotely &quot;reset password&quot; for Android&#160;devices</title>
		<link>http://boingboing.net/2013/05/12/apple-can-decrypt-iphones-for.html</link>
		<comments>http://boingboing.net/2013/05/12/apple-can-decrypt-iphones-for.html#comments</comments>
		<pubDate>Sun, 12 May 2013 15:49:04 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[lawful interception]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=229751</guid>
		<description><![CDATA[<p>

Apple apparently has the power to decrypt iPhone storage in response to law-enforcement requests, though they won't say how. Google can remotely "reset the password" for a phone for cops, too:

<blockquote>
<p>


Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.</p></blockquote></p>]]></description>
			<content:encoded><![CDATA[
<p>

Apple apparently has the power to decrypt iPhone storage in response to law-enforcement requests, though they won't say how. Google can remotely "reset the password" for a phone for cops, too:

<blockquote>
<p>


Last year, leaked training materials prepared by the Sacramento sheriff's office included a form that would require Apple to "assist law enforcement agents" with "bypassing the cell phone user's passcode so that the agents may search the iPhone." Google takes a more privacy-protective approach: it "resets the password and further provides the reset password to law enforcement," the materials say, which has the side effect of notifying the user that his or her cell phone has been compromised.
<p>
Ginger Colbrun, ATF's public affairs chief, told CNET that "ATF cannot discuss specifics of ongoing investigations or litigation. ATF follows federal law and DOJ/department-wide policy on access to all communication devices."
<p>
...The ATF's Maynard said in an affidavit for the Kentucky case that Apple "has the capabilities to bypass the security software" and "download the contents of the phone to an external memory device." Chang, the Apple legal specialist, told him that "once the Apple analyst bypasses the passcode, the data will be downloaded onto a USB external drive" and delivered to the ATF.
<p>
It's not clear whether that means Apple has created a backdoor for police -- which has been the topic of speculation in the past -- whether the company has custom hardware that's faster at decryption, or whether it simply is more skilled at using the same procedures available to the government. Apple declined to discuss its law enforcement policies when contacted this week by CNET. 
</blockquote>

<p>
It's not clear to me from the above whether Google "resetting the password" for Android devices merely bypasses the lock screen or actually decrypts the mass storage on the phone if it has been encrypted.
<p>
I also wonder if the "decryption" Apple undertakes relies on people habitually using short passwords for their phones -- the alternative being a lot of screen-typing in order to place a call.

<P>
<a href="http://news.cnet.com/8301-13578_3-57583843-38/apple-deluged-by-police-demands-to-decrypt-iphones/">Apple deluged by police demands to decrypt iPhones</a> [Declan McCullagh/CNet]
<p>
(<i>via <a href="http://slashdot.org">/.</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/12/apple-can-decrypt-iphones-for.html/feed</wfw:commentRss>
		<slash:comments>68</slash:comments>
		</item>
		<item>
		<title>Anatomy of a state-sponsored phishing attack: how the Syrian Electronic Army hacked The&#160;Onion</title>
		<link>http://boingboing.net/2013/05/10/anatomy-of-a-state-sponsored-p.html</link>
		<comments>http://boingboing.net/2013/05/10/anatomy-of-a-state-sponsored-p.html#comments</comments>
		<pubDate>Fri, 10 May 2013 20:06:57 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[syria]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=229441</guid>
		<description><![CDATA[<p>
As I <a href="http://boingboing.net/2013/05/07/onion-gets-hacked-by-syrian-pr.html">blogged</a> earlier this week, the Syrian Electronic Army hacked The Onion's Twitter account and used it to post a bunch of dumb messages attacking Israel, the US, and the UN. Now, the Onion's IT administrators have posted a detailed account of how Syrian hackers used a series of staged and careful phishing attacks to escalate from a single naive user's email credentials to the password for the Onion's social media accounts.</p>]]></description>
			<content:encoded><![CDATA[
<p>
As I <a href="http://boingboing.net/2013/05/07/onion-gets-hacked-by-syrian-pr.html">blogged</a> earlier this week, the Syrian Electronic Army hacked The Onion's Twitter account and used it to post a bunch of dumb messages attacking Israel, the US, and the UN. Now, the Onion's IT administrators have posted a detailed account of how Syrian hackers used a series of staged and careful phishing attacks to escalate from a single naive user's email credentials to the password for the Onion's social media accounts.


<blockquote>
<p>
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
<p>
After discovering that at least one account had been compromised, we sent a company-wide email to change email passwords immediately. The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected. This third and final phishing attack compromised at least 2 more accounts. One of these accounts was used to continue owning our Twitter account.
<p>
At this point the editorial staff began publishing articles inspired by the attack. The second article, Syrian Electronic Army Has A Little Fun Before Inevitable Upcoming Deaths At Hands Of Rebels, angered the attacker who then began posting editorial emails on their Twitter account. Once we discovered this, we decided that we could not know for sure which accounts had been compromised and forced a password reset on every staff member’s Google Apps account.
</blockquote>
<p>
I'm impressed by the cleverness of triggering a "password reset" message from the IT team, then sending out fake password-reset messages to users who <em>aren't</em> on the IT team to get them to click on yet another link. Most of the recommendations the IT team make are pretty bland ("educate your users"), but these two reccos are good:


<span id="more-229441"></span>
<blockquote>
<p>


The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).
</blockquote>
<p>
and

<blockquote>
<p>
If possible, have a way to reach out to all of your users outside of their organizational email. In the case of the Guardian hack, the SEA posted screenshots of multiple internal security emails, probably from a compromised email address that was overlooked.
</blockquote>



<p>
<a href="http://theonion.github.io/blog/2013/05/08/how-the-syrian-electronic-army-hacked-the-onion/">How the Syrian Electronic Army Hacked The Onion</a>

(<i>via <a href="http://slashdot.org">/.</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/10/anatomy-of-a-state-sponsored-p.html/feed</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>HOWTO fix security after the Boston&#160;bombing</title>
		<link>http://boingboing.net/2013/05/09/howto-fix-security-after-the-b.html</link>
		<comments>http://boingboing.net/2013/05/09/howto-fix-security-after-the-b.html#comments</comments>
		<pubDate>Fri, 10 May 2013 00:22:54 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[boston bombing]]></category>
		<category><![CDATA[rule of law]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security theater]]></category>
		<category><![CDATA[transparency]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=229293</guid>
		<description><![CDATA[<p>
As we think about the postmortem on security procedures following the Boston Marathon attack and plan new procedures, Bruce Schneier has some crucial security design advice: don't forget transparency and accountability. Without these two elements, security can't work:

<blockquote>
<p> Long ago, we realized that simply trusting people and government agencies to always do the right thing doesn't work, so we need to check up on them.</p></blockquote></p>]]></description>
			<content:encoded><![CDATA[

<p>
As we think about the postmortem on security procedures following the Boston Marathon attack and plan new procedures, Bruce Schneier has some crucial security design advice: don't forget transparency and accountability. Without these two elements, security can't work:

<blockquote>
<p> Long ago, we realized that simply trusting people and government agencies to always do the right thing doesn't work, so we need to check up on them. In a democracy, transparency and accountability are how we do that. It's how we ensure that we get both effective and cost-effective government. It's how we prevent those we trust from abusing that trust, and protect ourselves when they do. And it's especially important when security is concerned.
<p>
First, we need to ensure that the stuff we're paying money for actually works and has a measurable impact. Law-enforcement organizations regularly invest in technologies that don't make us any safer. The TSA, for example, could devote an entire museum to expensive but ineffective systems: puffer machines, body scanners, FAST behavioral screening, and so on. Local police departments have been wasting lots of post-9/11 money on unnecessary high-tech weaponry and equipment. The occasional high-profile success aside, police surveillance cameras have been shown to be a largely ineffective police tool.
<p>
Sometimes honest mistakes led organizations to invest in these technologies. Sometimes there's self-deception and mismanagement -- and far too often lobbyists are involved. Given the enormous amount of security money post-9/11, you inevitably end up with an enormous amount of waste. Transparency and accountability are how we keep all of this in check.
<p>
Second, we need to ensure that law enforcement does what we expect it to do and nothing more. Police powers are invariably abused. Mission creep is inevitable, and it results in laws designed to combat one particular type of crime being used for an ever-widening array of crimes. Transparency is the only way we have of knowing when this is going on. 
</blockquote>

<p>
<a href="http://www.theatlantic.com/politics/archive/2013/05/transparency-and-accountability-dont-hurt-security-theyre-crucial-to-it/275662/">Transparency and Accountability Don't Hurt Security—They're Crucial to It</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/09/howto-fix-security-after-the-b.html/feed</wfw:commentRss>
		<slash:comments>25</slash:comments>
		</item>
		<item>
		<title>Dan Kaminsky on&#160;BitCoin</title>
		<link>http://boingboing.net/2013/05/04/dan-kaminski-on-bitcoin.html</link>
		<comments>http://boingboing.net/2013/05/04/dan-kaminski-on-bitcoin.html#comments</comments>
		<pubDate>Sat, 04 May 2013 18:54:25 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[bitcoin]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=228454</guid>
		<description><![CDATA[<p>
Ever since Bitcoin appeared, I've been waiting for two security experts to venture detailed opinions on it: Dan Kaminsky and Ben Laurie. Dan has now weighed in, with a long, thoughtful piece on the merits and demerits of Bitcoin as a currency and as a phenomenon.</p>]]></description>
			<content:encoded><![CDATA[
<p>
Ever since Bitcoin appeared, I've been waiting for two security experts to venture detailed opinions on it: Dan Kaminsky and Ben Laurie. Dan has now weighed in, with a long, thoughtful piece on the merits and demerits of Bitcoin as a currency and as a phenomenon.

<blockquote>
<p>


Bitcoin’s fundamental principle of fraud management is one of denial. If we drop our wallet on the street, the U.S. government is not going to compensate us for our lost cash. Bitcoin attempts to make the same deal, to the point where it calls its stores of keys, “wallets.” If we drop our wallet on the street — heck, if someone picks it out of our pockets — the money’s gone.
<p>
There have been bitcoin thefts. A few years ago, I tried to break Bitcoin, and failed quite gloriously. The system and framework itself is preternaturally sound. But it too is built on the foundation of buggy technologies we call the internet, and so Bitcoin must experience failures from the code around it. Hackers don’t care whose code they broke on their way to bitcoin, any more than pickpockets care that they’re exploiting the manufacturer of one’s jeans or leather wallet. So they break the server below the money, or the web interface above it. They still win.
<p>
At least, that’s the theory. Reality is more complicated. Of all the millions of dollars of purloined bitcoin that’s floating around out there, not one Satoshi of it has been spent. That’s because while most other stolen property becomes relatively indistinguishable from its legitimate brethren, everybody knows the identity of this particular stolen wealth, and can track it until the end of time.
</blockquote>


<p>
<a href="http://www.wired.com/opinion/2013/05/lets-cut-through-the-bitcoin-hype/">Bitcoin Is Not as Secure, Unregulated, or Lucrative as You Might Think</a>
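<p>
Kaminsky's point that stolen coins can be tracked "until the end of time" follows from the public transaction graph: every spend names the outputs it consumes, so anyone can walk forward from an output known to be stolen. The following is an added example, not Kaminsky's or Wired's code; the ledger, transaction ids and addresses are constructed, and it applies two common taint policies (usually called poison and haircut) to a toy UTXO model:

```python
"""Added example: tracing coins that descend from a known theft through a
toy UTXO-style ledger. The ledger below is constructed for illustration and
is not real Bitcoin data; txids and addresses are made-up labels."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Outpoint:
    """A reference to output number `index` of transaction `txid`."""
    txid: str
    index: int


@dataclass
class Tx:
    txid: str
    inputs: List[Outpoint]             # outpoints this transaction spends
    outputs: List[Tuple[str, float]]   # (address, amount) pairs it creates


def _index(txs: List[Tx]):
    """Map txid -> Tx and spent outpoint -> txid of the transaction spending it."""
    by_id = {tx.txid: tx for tx in txs}
    spent_by = {op: tx.txid for tx in txs for op in tx.inputs}
    return by_id, spent_by


def _amount(by_id: Dict[str, Tx], op: Outpoint) -> float:
    return by_id[op.txid].outputs[op.index][1]


def poison_taint(txs: List[Tx], stolen: Set[Outpoint]) -> Set[Outpoint]:
    """'Poison' policy: every output of a transaction that spends a tainted
    input is fully tainted. Breadth-first walk forward from the stolen outputs;
    an unspent tainted output stays in the set (the holder has not moved it)."""
    by_id, spent_by = _index(txs)
    tainted = set(stolen)
    queue = deque(stolen)
    while queue:
        op = queue.popleft()
        spender = spent_by.get(op)
        if spender is None:
            continue
        for i in range(len(by_id[spender].outputs)):
            child = Outpoint(spender, i)
            if child not in tainted:
                tainted.add(child)
                queue.append(child)
    return tainted


def haircut_taint(txs: List[Tx], stolen: Set[Outpoint]) -> Dict[Outpoint, float]:
    """'Haircut' policy: taint is a value fraction. When clean and dirty inputs
    are mixed, each output inherits dirty_value / total_input_value.
    Requires `txs` in ledger order (every input was created by an earlier tx)."""
    by_id = {tx.txid: tx for tx in txs}
    frac: Dict[Outpoint, float] = {}
    for tx in txs:
        share = 0.0
        if tx.inputs:
            total = sum(_amount(by_id, op) for op in tx.inputs)
            dirty = sum(frac.get(op, 0.0) * _amount(by_id, op) for op in tx.inputs)
            share = dirty / total if total else 0.0
        for i in range(len(tx.outputs)):
            op = Outpoint(tx.txid, i)
            frac[op] = 1.0 if op in stolen else share
    return frac


def tainted_addresses(txs: List[Tx], stolen: Set[Outpoint]) -> Set[str]:
    """Addresses that hold or have held a poison-tainted output."""
    by_id, _ = _index(txs)
    return {by_id[op.txid].outputs[op.index][0] for op in poison_taint(txs, stolen)}


# Constructed ledger: a victim is robbed, the thief mixes the loot with clean
# coins from an unrelated party, then pushes the mixed output to an exchange.
LEDGER = [
    Tx("coinbase1", [], [("victim", 10.0)]),
    Tx("theft", [Outpoint("coinbase1", 0)], [("thief", 10.0)]),
    Tx("coinbase2", [], [("bystander", 5.0)]),
    Tx("mix", [Outpoint("theft", 0), Outpoint("coinbase2", 0)],
       [("exchange_deposit", 12.0), ("thief_change", 3.0)]),
    Tx("cashout", [Outpoint("mix", 0)], [("exchange_hot_wallet", 12.0)]),
]
STOLEN = {Outpoint("theft", 0)}  # the output everyone knows was stolen

if __name__ == "__main__":
    print(sorted(tainted_addresses(LEDGER, STOLEN)))
    for op, f in haircut_taint(LEDGER, STOLEN).items():
        print(f"{op.txid}:{op.index} dirty fraction {f:.3f}")
```

Poison marks every descendant of the stolen output, so the exchange's hot wallet is flagged even though it is two hops away; haircut says the deposit is two-thirds dirty, because the thief mixed 10 stolen coins with 5 clean ones. Both policies read only the public ledger, which is exactly what makes the stolen wealth distinguishable; neither says anything about who controls an address.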

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/04/dan-kaminski-on-bitcoin.html/feed</wfw:commentRss>
		<slash:comments>51</slash:comments>
		</item>
		<item>
		<title>Why &quot;connecting the dots&quot; is the wrong way to think about stopping&#160;terrorism</title>
		<link>http://boingboing.net/2013/05/03/why-connecting-the-dots-is.html</link>
		<comments>http://boingboing.net/2013/05/03/why-connecting-the-dots-is.html#comments</comments>
		<pubDate>Fri, 03 May 2013 23:13:57 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[boston bombing]]></category>
		<category><![CDATA[cogsci]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[surveillance]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=228354</guid>
		<description><![CDATA[<p><img src="http://boingboing.net/wp-content/uploads/2013/05/4269947837_e4c42abed6_z.jpg"/><br />
Bruce Schneier has a great op-ed on CNN on why it's stupid to talk about whether the FBI should have "connected the dots" on the Boston bomber. As Bruce points out, it's only in hindsight that there's a neat trail of dots to connect, a narrative we can make sense of.</p>]]></description>
			<content:encoded><![CDATA[<p><img src="http://boingboing.net/wp-content/uploads/2013/05/4269947837_e4c42abed6_z.jpg"><br />
Bruce Schneier has a great op-ed on CNN on why it's stupid to talk about whether the FBI should have "connected the dots" on the Boston bomber. As Bruce points out, it's only in hindsight that there's a neat trail of dots to connect, a narrative we can make sense of. Before the fact, it's a hairy, swirling hotchpotch of mostly irrelevancies, and it's only the "narrative fallacy" that makes it seem like a neat story in retrospect. The risk here is that intelligence agencies and the press will push this fallacy as grounds for taking away more rights and more privacy in order to "connect the dots" next time.

<blockquote>
<p>


Rather than thinking of intelligence as a simple connect-the-dots picture, think of it as a million unnumbered pictures superimposed on top of each other. Or a random-dot stereogram. Is it a sailboat, a puppy, two guys with pressure-cooker bombs or just an unintelligible mess of dots? You try to figure it out.
<p>
It's not a matter of not enough data, either.
<p>
Piling more data onto the mix makes it harder, not easier. The best way to think of it is a needle-in-a-haystack problem; the last thing you want to do is increase the amount of hay you have to search through.
<p>
The television show "Person of Interest" is fiction, not fact.
<p>
There's a name for this sort of logical fallacy: hindsight bias.
</blockquote>


<P>
<a href="http://edition.cnn.com/2013/05/02/opinion/schneier-boston-bombing/index.html">Why FBI and CIA didn't connect the dots</a>

(<i>Thanks, <a href="https://www.schneier.com/">Bruce</a>!</i>)
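<p>
The needle-in-a-haystack point can be put in numbers. This is an added example, not part of Schneier's op-ed or of this post; the population size, detector accuracy and number of real plotters are assumptions chosen for illustration:

```python
"""Added example: the arithmetic behind "more hay makes the needle harder to
find". All numbers below are illustrative assumptions, not figures from the op-ed."""
from typing import List, Tuple


def screening_outcomes(population: int, needles: int,
                       sensitivity: float, false_positive_rate: float):
    """Expected results of running a detector over `population` records that
    contain `needles` genuine targets.
    Returns (expected true positives, expected false positives, precision)."""
    if not 0 <= needles <= population:
        raise ValueError("needles must lie within the population")
    innocents = population - needles
    tp = needles * sensitivity
    fp = innocents * false_positive_rate
    precision = tp / (tp + fp) if (tp + fp) > 0 else 0.0
    return tp, fp, precision


def required_false_positive_rate(needles: int, population: int,
                                 sensitivity: float, target_precision: float) -> float:
    """Largest false-positive rate a detector may have for its flags to reach
    `target_precision` when the number of real targets is fixed."""
    if not 0 < target_precision < 1:
        raise ValueError("target_precision must be strictly between 0 and 1")
    tp = needles * sensitivity
    innocents = population - needles
    # precision = tp / (tp + innocents * fpr); solve for fpr
    return tp * (1 - target_precision) / (target_precision * innocents)


def more_hay(needles: int, populations: List[int],
             sensitivity: float, false_positive_rate: float) -> List[Tuple[int, float, float]]:
    """Hold the number of real targets fixed and grow the volume of records
    searched; returns (population, expected false positives, precision) per step."""
    rows = []
    for pop in populations:
        _, fp, precision = screening_outcomes(pop, needles, sensitivity, false_positive_rate)
        rows.append((pop, fp, precision))
    return rows


if __name__ == "__main__":
    # Assumed: 10 real plotters hidden among 300 million records, a detector that
    # catches 99% of them and wrongly flags 0.1% of everyone else.
    tp, fp, prec = screening_outcomes(300_000_000, 10, 0.99, 0.001)
    print(f"true positives {tp:.1f}, false positives {fp:,.0f}, precision {prec:.2e}")
    print("FPR needed for half the flags to be real:",
          f"{required_false_positive_rate(10, 300_000_000, 0.99, 0.5):.1e}")
    for pop, fp, prec in more_hay(10, [30_000_000, 300_000_000, 3_000_000_000], 0.99, 0.001):
        print(f"{pop:>13,} records -> {fp:>12,.0f} false alarms, precision {prec:.1e}")
```

With those assumptions the detector flags about 300,000 innocents for every ten real targets, so roughly one flag in 30,000 is genuine; holding the targets fixed while searching ten times as many records multiplies the false alarms by ten and cuts precision by the same factor. Turned around, for even half of the flags to be real the detector's false-positive rate would have to be near three in a hundred million, which is the constraint Schneier's "more hay" remark is pointing at.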

<p>
(<i>Image: <a href="http://www.flickr.com/photos/whitneywaller/4269947837/">connect-the-dots</a>, a Creative Commons <a href="http://creativecommons.org/licenses/by-sa/2.0/deed.en">Attribution Share-Alike (2.0)</a> image from whitneywaller's photostream</i>)]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/05/03/why-connecting-the-dots-is.html/feed</wfw:commentRss>
		<slash:comments>73</slash:comments>
		</item>
		<item>
		<title>Rumored Statue of Liberty face-recognition supplier harasses and threatens&#160;journalist</title>
		<link>http://boingboing.net/2013/04/30/rumored-statue-of-liberty-face.html</link>
		<comments>http://boingboing.net/2013/04/30/rumored-statue-of-liberty-face.html#comments</comments>
		<pubDate>Tue, 30 Apr 2013 22:38:13 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[bullying]]></category>
		<category><![CDATA[christ what an asshole]]></category>
		<category><![CDATA[corruption]]></category>
		<category><![CDATA[nyc]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security theater]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=227556</guid>
		<description><![CDATA[<p>
Slate's Ryan Gallagher caught wind of new face-recognition software being rolled out at the Statue of Liberty. He interviewed a rep from Total Recall, which was reported to be representing Cognitec, the German company whose product, FaceVACS, was going in on Liberty Island.</p>]]></description>
			<content:encoded><![CDATA[
<p>
Slate's Ryan Gallagher caught wind of new face-recognition software being rolled out at the Statue of Liberty. He interviewed a rep from Total Recall, which was reported to be representing Cognitec, the German company whose product, FaceVACS, was going in on Liberty Island. Halfway through the interview, Total Recall's director of business development Peter Millius terminated the call, saying that the project was on hold, or possibly cancelled, "vetoed" by the Park Police.
<p>
Then it got weird. Cognitec and its lawyers began to barrage Gallagher with emails and letters warning him that if he wrote about this, they'd sue him. When he asked Total Recall for clarification, they threatened to sue him, personally, for harassment. The National Park Service didn't have much to say about the bid, saying "I'm not going to show my hand as far as what security technologies we have." Go, security-through-obscurity! Hurrah for spending tax dollars without any transparency!
<p>
Gallagher reported the whole story, including the threats. Whatever merits or demerits Total Recall and Cognitec have as companies, turning into weird, opaque legal-threat-generating machines in the middle of an interview and harassing and intimidating journalists sounds like the kind of thing that should disqualify them from getting any of the American public's money.

<blockquote>
<p>
<img src="http://boingboing.net/wp-content/uploads/2013/04/4037070291_16ebe5dd61_z.jpg" class="bordered" align="right">
 “We do work with Cognitec, but right now because of what happened with Sandy it put a lot of different pilots that we are doing on hold,” Peter Millius, Total Recall’s director of business development, said in a phone call. “It’s still months away, and the facial recognition right now is not going to be part of this phase.” Then, he put me on hold and came back a few minutes later with a different position—insisting that the face-recognition project had in fact been “vetoed” by the Park Police and adding that I was “not authorized” to write about it.
<p>
That was weird, but it soon got weirder. About an hour after I spoke with Total Recall, an email from Cognitec landed in my inbox. It was from the company’s marketing manager, Elke Oberg, who had just one day earlier told me in a phone interview that “yes, they are going to try out our technology there” in response to questions about a face-recognition pilot at the statue. Now, Oberg had sent a letter ordering me to “refrain from publishing any information about the use of face recognition at the Statue of Liberty.” It said that I had “false information,” that the project had been “cancelled,” and that if I wrote about it, there would be “legal action.” Total Recall then separately sent me an almost identical letter—warning me not to write “any information about Total Recall and the Statue of Liberty or the use of face recognition at the Statue of Liberty.” Both companies declined further requests for comment, and Millius at Total Recall even threatened to take legal action against me personally if I continued to “harass” him with additional questions.

</blockquote>

<P>
<a href="http://www.slate.com/articles/technology/future_tense/2013/04/statue_of_liberty_to_get_new_surveillance_tech_but_don_t_mention_face_recognition.html">Lady Liberty’s Watching You</a>

(<i>via <a href="http://reddit.com">Reddit</a></i>)
<p>
(<i>Image: <a href="http://www.flickr.com/photos/francehousehunt/4037070291/">Statue of Liberty Paris</a>, a Creative Commons <a href="http://creativecommons.org/licenses/by/2.0/deed.en">Attribution (2.0)</a> image from francehousehunt's photostream</i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/30/rumored-statue-of-liberty-face.html/feed</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
		<item>
		<title>If you see something, say something: Liveblogging from a lecture about terrorism, security, and visual&#160;narratives</title>
		<link>http://boingboing.net/2013/04/16/if-you-see-something-should-y.html</link>
		<comments>http://boingboing.net/2013/04/16/if-you-see-something-should-y.html#comments</comments>
		<pubDate>Tue, 16 Apr 2013 20:07:37 +0000</pubDate>
		<dc:creator>Maggie Koerth-Baker</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[academia]]></category>
		<category><![CDATA[media]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[public]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[terrorism]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=224689</guid>
		<description><![CDATA[<p><a href="http://boingboing.net/wp-content/uploads/2013/04/see-something.jpg"><img src="http://boingboing.net/wp-content/uploads/2013/04/see-something-600x462.jpg" alt="" title="see something" width="600" height="462" class="alignnone size-medium wp-image-224692" /></a></p>

<p>When bombs explode in a crowded city street, individuals and governments naturally ask themselves, "Could we have prevented this if we had been paying better attention to people and things that were out of place?" Trouble is, that question leads to a whole cascade of other questions &#8212; covering everything from personal privacy to racism.</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://boingboing.net/wp-content/uploads/2013/04/see-something.jpg"><img src="http://boingboing.net/wp-content/uploads/2013/04/see-something-600x462.jpg" alt="" title="see something" width="600" height="462" class="alignnone size-medium wp-image-224692" /></a></p>

<p>When bombs explode in a crowded city street, individuals and governments naturally ask themselves, "Could we have prevented this if we had been paying better attention to people and things that were out of place?" Trouble is, that question leads to a whole cascade of other questions &mdash; covering everything from personal privacy to racism.</p>

<p>M. Neelika Jayawardane is associate professor of English at SUNY-Oswego. She's giving a talk this afternoon on "If you see something, say something" and other campaigns aimed at getting average people involved in public security. I happened to be here on campus for a separate speaking engagement and thought this was something that BoingBoing readers would be interested in "sitting in" on, given the recent tragedy in Boston.</p> 

<p>I'll be liveblogging this, updating regularly with key points and ideas from Jayawardane's talk. It's worth noting that her perspective is not the only way to think about these issues. I'm posting this in hopes that it will present some interesting information and spark good conversations. If you're interested in engaging with Jayawardane afterwards, she said that you can <a href="https://twitter.com/Sugarintheplum">reach her via Twitter</a>. In the meantime, I'm looking forward to seeing what she has to say &mdash; and what you all have to say about that.</p>

<span id="more-224689"></span>

<p><strong>The Talk</strong></p>

<p>First thing worth noting: The actual title of this talk &mdash; "Extraordinary renditions: imaging, mapping, and immobilizing the lives of others."</p>

<p>"I was trained in literary studies, but I'm really interested in how we read our environments as well as books"</p>

<p>She's particularly interested in the ways that race, ethnicity, and culture play into those readings. Jayawardane is Sri Lankan, but grew up in South Africa. She's never been a part of a dominant culture. Talks about the strange experience of visiting Sri Lanka for the first time as an adult and being, suddenly, the privileged ethnic group.</p> 

<p>Advertisements and media make marginal societies more visible. In the wake of 9/11 media created a new face for terror and gave us all physical signals that we now associate with our own fear of bodily injury.</p>

<p>The image of the "classic terrorist" now means that people monitor their environments for people who fit that image &mdash; an action that affects how the people who, inadvertently, look like "terrorists" can move around and engage in their own communities.</p>

<p>Jayawardane sees an increase in "oriental" stereotypes and security-inspired images in fashion magazines happening at the same time. She's showing a <em>Vogue</em> spread that shows a model stripping out of her skirt in front of the TSA. </p>

<p>The images of terror and terrorism have become saturated throughout Western media since 9/11, even in places where you don't expect them, like fashion. Another fashion spread shows riot police groping models who have been thrown up against a cop car in stress positions.</p>

<p>She believes these images have been crucial to incorporating us (the public) into the discourse and process of security and terror post-9/11.</p>

<p>The use of this imagery highlights and encourages our fears and normalizes oppressive levels of security routine.</p> 

<p>After 9/11, friends of Jayawardane encouraged her to look "less threatening" in airports, by wearing big hoop earrings and trying to "look more like you're Puerto Rican."</p>

<p>Moustafa Hassan Nasr was abducted by the CIA off the streets of Milan in February 2003. He reports being tortured and was eventually released when the CIA realized he wasn't actually a bad guy. Americans were tried for this crime in absentia in Italy in 2007. Rarely did American newspapers report on this and similar incidents, Jayawardane says.</p> 

<p>Visual arts do a better job of shaping our ideas and building propaganda than language does, she says. Human beings are very savvy readers of images. We're being sent these visual signals about who is dangerous, and who is the other. And that ends up controlling the mobility and lives of people the West considers "threatening".</p>

<p>You see a picture of Nasr now, and you create a narrative for him that doesn't necessarily fit with what really happened to him.</p>

<p>The idea of putting a photo on an identity document began with methods of tracking criminals, and cataloging people into ethnic groups for the purpose of apartheid, Jayawardane says. </p>

<p>The more your body is considered "threatening" the more mapping and documenting of your body happens to you as you enter and leave and move about countries. The more you are under public surveillance. </p>

<p>But, at the same time, threatening bodies are "disappeared" into a symbolic, rather than individual existence. Think of the parade of hooded figures in Guantanamo. Those individuals becomes representations of threats to the state, or proof that the state is making you safe, or symbolic representations of the failures and excesses of the security apparatus. Either way, their private selves get erased, she says.</p>

<p>Individual characteristics are lost as they merge into this strange, threatening, brownish man. "My partner, on a certain day and certain look, could look like one of the 9/11 bombers. And we now conflate that look with danger," Jayawardane says.</p>

<p>Photography and image banks of wanted posters are our sort of medieval stained glass, giving us symbolic understandings of what we should fear and who we should think of as "out of place".</p>

<p>Which brings us to campaigns like "If you see something, say something" that turn up in transport hubs like bus stations, trains, and airports. These turn up more in bus stations and trains than in airports, she says.</p>

<p>Posters encourage you to ask "What's wrong with this picture". They ask you to seek out what you might think of as threatening. To be a good citizen, you have to be a part of surveillance.</p> 

<p>None of these things ever tell you what you should be on alert for. So what do we fall back on? What becomes "threatening" to us? Not the big guy with a gun patrolling the Amtrak station, she says. That's the cop. And we've been taught to not fear him. Instead, we revert to the visual training we've been getting from the media for the last decade.</p> 

<p>Very similar messages were disseminated in South Africa during apartheid, she says. And it's nothing new in the United States, either. "I got interested because so much of these rules and images affect my mobility and how my identity shifts and changes in the minds of other people."</p>

<p><strong>Now a response from Craig Warkentin, political science professor.</strong></p>

<p>His question: So what? Well, he says, we become unwitting participants in a surveillance state. It does matter, even if you aren't the subject of the othering.</p>

<p>This idea of framing a topic &mdash; how we discuss a topic or conceptualize it for ourselves &mdash; isn't something outside the norm for political science. People have used framing to help make political change, the same way the visual framing is training us to think of certain people as threatening, but in different ways. For instance, using media and images and story telling to start getting people to think about land mines as things that violate human rights, rather than things that make us safe.</p>

<p>The downside of effective framing: If you can get people to think in a certain way it becomes normal after a while. At that point it becomes something we think of as "natural" and we take it for granted. And people stop questioning it.</p>

<p>To create change, you have to do more than point out that this isn't normal. You have to get people to be willing to accept that it's not normal. "The extent to which othering certain bodies and accepting security state is normal is the degree to which I am concerned about it," he says.</p>

<p>People who are aware this isn't normal will use the people who think this is normal to implement their goals. As long as we believe it's natural, we'll go along with it.</p> 

<p>"Be aware of why you do the things you do. Why you think the way you think. That will help you avoid being manipulated."</p>

<p><strong>And now the Q&#038;A.</strong></p> 

<p>It is now 4:56 p.m. Eastern, if you have questions about this, post them, and I'll ask for you in the Q&#038;A session.</p> 

<p>Jayawardane says she doesn't blame people who look at her and partner in an airport and express fear. They're responding to what they have learned. Interestingly, strangers ask them kind of obtrusive questions about their relationship, and gender roles.</p> 

<p><strong>Comment from the audience:</strong> "Craig, you're making an assumption I don't think I can accept. Whoever it is who is arranging PR campaign is aware of the fact that it isn't normal. I don't think you can safely say that we are being manipulated." 

<p><strong>Warkentin replies:</strong> In the case of the land mines for example, we had historical legacy for how those devices were talked about. It was a case of private citizens organizing and intentionally changing the way we talk about it. Political leaders do have an idea of what normal should be &mdash; i.e., what normal will help them reach their objectives. There's different interpretations of the war on terror. Normal way to respond to terror before 9/11 was to treat it as a criminal act. You arrest somebody, you put them on trial. U.S. chose to address it in a different way and got us to start talking about it in terms of a war. And that has lots of other baggage that goes along with it. But historically we KNOW that's not the only way to talk about. There can be more than one normal and leaders can choose which normal they push to make their point. </p>

<p>That said, he says, those leaders do sometimes genuinely believe that the "normal" they want us to believe in is the <em>actual</em> "normal".</p>

<p><strong>Question:</strong> "I kind of want to flip your normal. As the talk has been going, I've been thinking that it's more an abnormal discourse than anything. We're being shamed into loving our safety. We're told it's abnormal to not be afraid of these people. War was framed as an extreme act of love. Rather than thinking in terms of normalizing, if what goes out is an abnormalizing, is it that much more powerful?"</p> 

<p><strong>Warkentin:</strong> There are multiple layers to this. Part of the framing thing is that it only works if it doesn't ring true with people. Land mine thing wouldn't have worked if it wasn't something people believed in. You have to use things that connect to people's experience and predispositions. </p>

<p><strong>Jayawardane asks: </strong>As you walk through our modern American landscape, how do <em>you</em> experience this? Is it normal for you? Do you question?</p> 

<p><strong>Audience question:</strong> "I struggle with wondering how people can believe in something that looks so doubtful. Is it not part of the packaging of democracy that you must trust ... even things that become empty? To me, coming from a Soviet background, it's more natural not to trust anything. Marx had the idea that ideology becomes naturalized and that's why you don't question. It's packaged as something sweet and trustworthy the way it is."</p> 

<p><strong>I then asked about how we balance that need for skepticism with the black hole of conspiracy theories that we can fall into as we realize that we can't trust without question.</strong></p>

<p><strong>Jayawardane:</strong> I started reading a book about how conspiracy theories come about and it has to do with knowing that there are things you're not privy to. But you don't know it. But you know something is wrong. That general sense of feeling unbalanced leads people to create platforms on which you can feel like you are stable. Even if it's a false platform, it feels more stable than the place where you know things aren't stable.</p> 

<p>There is a place in a classroom to be able to have these conversations. To be able to voice your fears and debate them. To be able to talk about and educate each other on things that could be seen as racist. There are places where you can have productive conversations. But, on the other hand, I don't want to do that job at a faculty picnic or with a stranger in the airport.</p> 

<p><strong>Audience member makes an interesting point:</strong> When you indoctrinate people to see themselves as an arm of the law or a part of the security state, you create situations like what happened in the Trayvon Martin case.</p>

<p><strong>It is now 5:31 and we've run out of time. Thanks for following along, folks.</strong></p>

<p>&bull; If you'd like to see Jayawardane's slides, including samples of the fashion shoots she discussed in her talk, you can <a href="https://docs.google.com/file/d/0BwfD9m0Ad1NdSW5kOHZtdDVrbnM/edit?usp=sharing">view her PowerPoint through Google Docs.</a>
<br />&bull; You can also <a href="https://docs.google.com/file/d/0BwfD9m0Ad1NddHlLd0ViRWtqLWc/edit?usp=sharing">read the full notes from her talk</a>.</p> 

<p><em>Image: <a href="http://www.flickr.com/photos/carbonnyc/2036270863/">MTA: Off by a Factor of at Least 10^3</a>, a Creative Commons <a href="http://creativecommons.org/licenses/by/2.0/deed.en">Attribution (2.0)</a> image from carbonnyc's photostream</em></p>]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/16/if-you-see-something-should-y.html/feed</wfw:commentRss>
		<slash:comments>46</slash:comments>
		</item>
		<item>
		<title>Don&#039;t let the Boston Marathon bombing terrorize you, or the bombers&#160;win</title>
		<link>http://boingboing.net/2013/04/16/dont-let-the-boston-marathon.html</link>
		<comments>http://boingboing.net/2013/04/16/dont-let-the-boston-marathon.html#comments</comments>
		<pubDate>Tue, 16 Apr 2013 19:05:00 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[boston]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=224571</guid>
		<description><![CDATA[<p>
Bruce Schneier's terrific <em>Atlantic</em> essay on the Boston Marathon bombings is a must-read. As he points out, the terrorists win only if we let this sort of thing scare us. By being empathic toward the victims and indomitable and fearless toward the criminals, we can create a climate where politicians can get away with telling us the truth -- there's no such thing as perfect security -- instead of politically expedient lies that lead to an out-of-control security state that takes away our freedoms, diverts our education, unemployment and health money to security theater, and leaves us no safer.</p>]]></description>
			<content:encoded><![CDATA[
<p>
Bruce Schneier's terrific <em>Atlantic</em> essay on the Boston Marathon bombings is a must-read. As he points out, the terrorists win only if we let this sort of thing scare us. By being empathic toward the victims and indomitable and fearless toward the criminals, we can create a climate where politicians can get away with telling us the truth -- there's no such thing as perfect security -- instead of politically expedient lies that lead to an out-of-control security state that takes away our freedoms, diverts our education, unemployment and health money to security theater, and leaves us no safer. 
 
<blockquote>
<p>

How well this attack succeeds depends much less on what happened in Boston than by our reactions in the coming weeks and months. Terrorism isn't primarily a crime against people or property. It's a crime against our minds, using the deaths of innocents and destruction of property as accomplices. When we react from fear, when we change our laws and policies to make our country less open, the terrorists succeed, even if their attacks fail. But when we refuse to be terrorized, when we're indomitable in the face of terror, the terrorists fail, even if their attacks succeed. 
<p>
Don't glorify the terrorists and their actions by calling this part of a "war on terror." Wars involve two legitimate sides. There's only one legitimate side here; those on the other are criminals. They should be found, arrested, and punished. But we need to be vigilant not to weaken the very freedoms and liberties that make this country great, meanwhile, just because we're scared. 
<p>
Empathize, but refuse to be terrorized. Instead, be indomitable -- and support leaders who are as well. That's how to defeat terrorists.
</blockquote>

<p>
<a href="http://www.theatlantic.com/national/archive/2013/04/the-boston-marathon-bombing-keep-calm-and-carry-on/275014/">The Boston Marathon Bombing: Keep Calm and Carry On</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/16/dont-let-the-boston-marathon.html/feed</wfw:commentRss>
		<slash:comments>86</slash:comments>
		</item>
		<item>
		<title>Google adds a &quot;dead-man&#039;s switch&quot; -- use cases from torture-resistance to digital&#160;wills</title>
		<link>http://boingboing.net/2013/04/13/google-adds-a-dead-mans-sw.html</link>
		<comments>http://boingboing.net/2013/04/13/google-adds-a-dead-mans-sw.html#comments</comments>
		<pubDate>Sun, 14 Apr 2013 03:12:55 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[death]]></category>
		<category><![CDATA[rubber hose crypto]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=224232</guid>
		<description><![CDATA[<p>
<a href="http://googlepublicpolicy.blogspot.com/2013/04/plan-your-digital-afterlife-with.html">Google's rolled out an "Inactive Account Manager"</a> -- a dead-man's switch for your Google accounts. If you set it, Google will watch your account for protracted inactivity. After a set period, you can tell it to either squawk ("Email Amnesty International and tell them I'm in jail," or "Email my kids and tell them I'm dead and give them instructions for probating my estate") and/or delete all your accounts.</p>]]></description>
			<content:encoded><![CDATA[

<p>
<a href="http://googlepublicpolicy.blogspot.com/2013/04/plan-your-digital-afterlife-with.html">Google's rolled out an "Inactive Account Manager"</a> -- a dead-man's switch for your Google accounts. If you set it, Google will watch your account for protracted inactivity. After a set period, you can tell it to either squawk ("Email Amnesty International and tell them I'm in jail," or "Email my kids and tell them I'm dead and give them instructions for probating my estate") and/or delete all your accounts. This has a <em>lot</em> of use-cases, from preventing your secrets from being tortured out of you (before you go to a protest, you could set your dead-man's switch to a couple hours -- if you end up in jail and out of contact, all your stuff would be deleted before you were even processed by the local law) to easing the transition of your digital "estate." 

<blockquote>
<p>


No one wants to think about their own death, but not thinking about it has a zero percent chance of preventing it. The Inactive Account Manager (great euphemism) can send your data from many Google services to your digital heirs, alert your contacts, delete the accounts, or do all or none of the above. It affects Blogger, Contacts/Circles (in Google+), Drive, Gmail, Google+ profiles, Pages and Streams, Picasa albums, Google Voice, and YouTube.
<p>
It also serves as a useful self-destruct button. Don’t want anyone watching your stupid YouTube videos after you’ve long forgotten that you had an account? Don’t want your kids to find your password notebook years after you’re gone and read your dirty chat sessions with their dad? You can have your account auto-destruct after trying to reach you using other e-mail addresses and by text message. You know, in case you just get tired of Gmail and wander off somewhere else. 
</blockquote>



<p>
<a href="http://consumerist.com/2013/04/12/google-introduces-dead-mans-switch-for-your-accounts/">Google Introduces Dead Man’s Switch For Your Accounts</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/13/google-adds-a-dead-mans-sw.html/feed</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>How cognitive blind-spots compromise security&#160;systems</title>
		<link>http://boingboing.net/2013/04/10/how-cognitive-blind-spots-comp.html</link>
		<comments>http://boingboing.net/2013/04/10/how-cognitive-blind-spots-comp.html#comments</comments>
		<pubDate>Wed, 10 Apr 2013 17:25:14 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[crypto]]></category>
		<category><![CDATA[psychology]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=223796</guid>
		<description><![CDATA[<p>
Tanya Khovanova has a fascinating and illuminating story about the blind-spots that can leave security systems vulnerable. She describes a clever one-way function using real-world tools:

<blockquote>
<p>
 Silvio Micali taught me cryptography. To explain one-way functions, he gave the following example of encryption.</p></blockquote></p>]]></description>
			<content:encoded><![CDATA[
<p>
Tanya Khovanova has a fascinating and illuminating story about the blind-spots that can leave security systems vulnerable. She describes a clever one-way function using real-world tools:

<blockquote>
<p>
 Silvio Micali taught me cryptography. To explain one-way functions, he gave the following example of encryption. Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter.
<p>
To decrypt the message Bob has to read through the whole book to find all the numbers. The decryption will take a lot more time than the encryption. If the book increases in size the time it takes Alice to do the encryption almost doesn’t increase, but the decryption process becomes more and more draining.
<p>
This example is very good for teaching one-way functions to non-mathematicians. Unfortunately, the technology changes and the example that Micali taught me fifteen years ago isn’t so cute anymore. Indeed you can do a reverse look-up online of every phone number in the white pages.
</blockquote>

<p>
Then she explains how a student pointed out her own blind-spot that made the system trivial to defeat:

<blockquote>
<p>
I still use this example, with an assumption that there is no reverse look-up. I recently taught it to my AMSA students. And one of my 8th graders said, “If I were Bob, I would just call all the phone numbers and ask their last names.”
<p>
In the fifteen years since I’ve been using this example, this idea never occurred to me. I am very shy so it would never enter my mind to call a stranger and ask for their last name. My student made me realize that my own personality affected my mathematical inventiveness.
</blockquote>

As Bruce Schneier points out, the young student is demonstrating "security mindset," imagining an attack on a security system that works on the weakest flank.

<p>
<a href="http://blog.tanyakhovanova.com/?p=277">One-Way Functions</a>

(<i>via <a href="https://www.schneier.com/">Schneier</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/10/how-cognitive-blind-spots-comp.html/feed</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>ISPs and creepy ad company injecting traffic into secure Web&#160;sessions</title>
		<link>http://boingboing.net/2013/04/07/isps-and-creepy-ad-company-inj.html</link>
		<comments>http://boingboing.net/2013/04/07/isps-and-creepy-ad-company-inj.html#comments</comments>
		<pubDate>Mon, 08 Apr 2013 06:11:26 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[ads]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[short]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=223315</guid>
		<description><![CDATA[A company called RT66 <a href="http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/#image-4">appears to be injecting code</a> into secure Web-sessions, possibly with collusion from ISPs like CMA Communications. No one's sure how they're doing this, neither RT66 nor CMA is answering questions, and it's bad news all around.]]></description>
			<content:encoded><![CDATA[

A company called RT66 <a href="http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok/#image-4">appears to be injecting code</a> into secure Web-sessions, possibly with collusion from ISPs like CMA Communications. No one's sure how they're doing this, neither RT66 nor CMA is answering questions, and it's bad news all around.

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/07/isps-and-creepy-ad-company-inj.html/feed</wfw:commentRss>
		<slash:comments>43</slash:comments>
		</item>
		<item>
		<title>Lethal weapons from duty-free&#160;stores</title>
		<link>http://boingboing.net/2013/04/07/lethal-weapons-from-duty-free.html</link>
		<comments>http://boingboing.net/2013/04/07/lethal-weapons-from-duty-free.html#comments</comments>
		<pubDate>Sun, 07 Apr 2013 17:48:42 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Video]]></category>
		<category><![CDATA[aviation]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security theater]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=223277</guid>
		<description><![CDATA[Here's a writeup of Evan Booth's Hack the Box conference presentation on making lethal weapons out of items bought in airport duty-free shops.]]></description>
			<content:encoded><![CDATA[
<!--http://www.youtube.com/watch?v=Uo8xUsYo8IE--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/Uo8xUsYo8IE?showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>
Here's a writeup of Evan Booth's Hack the Box conference presentation on making lethal weapons out of items bought in airport duty-free shops. It's pretty ingenious stuff (the video above is from a related presentation at CarolinaCon 2013).
<p>
The problem here is that the legitimate purpose of airport security is not protecting passengers and flight attendants from harm. In reality, there's no way to accomplish that goal against a determined attacker. The real and legitimate purpose of airport security is to protect airplanes and cockpits from harm -- to stop people from hijacking and/or crashing airplanes (this is why the TSA correctly relaxed its rules about carrying small knives onto planes -- and why so many of its other rules are pointless and stupid). So long as none of these lethal weapons can crash an airplane or beat an armored, bolted cockpit door, they embody no new incremental threat to aviation -- on the other hand, the improvised battery-bombs are a real threat.

<blockquote>
<p>


Besides a bomb knew Booth also easy to make a bow and arrow of stuff he had bought in a shop in an airport. For this he used an umbrella, hair dryer, socks, a leather belt and condoms. Too obvious things like a lighter and deodorant as alternative gas burner he did not elaborate.
<p>
Booth also made a crossbow of an umbrella, floss, grab a toy, a rolkoffertje, a straw and tape. With a straw, cotton and a piece of metal from a remote controlled helicopter he was able to make a blow gun for firing arrows.
<p>
Remarkable is also a club that he made a gift, what magazines, floss, a leather strap and tape. In a test showed that so firmly, that he with a single blow a coconut in several parts stores. 
</blockquote>
<p>
<a href="http://www.nu.nl/algemeen/3391356/onderzoeker-maakt-bom-van-artikelen-luchthavenwinkels.html">Onderzoeker maakt bom van artikelen luchthavenwinkels</a> [Dutch, Nu.nl]
<p>
<a href="http://translate.google.com/translate?sl=nl&#038;tl=en&#038;js=n&#038;prev=_t&#038;hl=en&#038;ie=UTF-8&#038;eotf=1&#038;u=http%3A%2F%2Fwww.nu.nl%2Falgemeen%2F3391356%2Fonderzoeker-maakt-bom-van-artikelen-luchthavenwinkels.html"> Researcher makes bomb Articles airport shops </a> [Google Translate]
<p>
(<i>via <a href="http://slashdot.org">/.</a></i>)



]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/07/lethal-weapons-from-duty-free.html/feed</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Mid-Century Modern housing designs vs&#160;children</title>
		<link>http://boingboing.net/2013/04/07/mid-century-modern-housing-des.html</link>
		<comments>http://boingboing.net/2013/04/07/mid-century-modern-housing-des.html#comments</comments>
		<pubDate>Sun, 07 Apr 2013 15:18:38 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[architecture]]></category>
		<category><![CDATA[design]]></category>
		<category><![CDATA[free range kids]]></category>
		<category><![CDATA[Funny]]></category>
		<category><![CDATA[Kids]]></category>
		<category><![CDATA[parenting]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=223235</guid>
		<description><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/04/ledge5redarrow-e13619337165911.jpg" class="bordered"/><br />
Projectophile's Clare has a funny post about the hazards presented by beautiful mid-century modern home designs to children. My grandparents had a proper split-level MCM when I was a kid, and it's a wonder we survived. As Clare says, "I love open, flowing space as much as the next modern girl.</p>]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://boingboing.net/wp-content/uploads/2013/04/ledge5redarrow-e13619337165911.jpg" class="bordered"><br />
Projectophile's Clare has a funny post about the hazards presented by beautiful mid-century modern home designs to children. My grandparents had a proper split-level MCM when I was a kid, and it's a wonder we survived. As Clare says, "I love open, flowing space as much as the next modern girl. But I know it would only be a matter of minutes before my kid flings himself off one of these deadly ledges..."

<p>
<a href="http://projectophile.wordpress.com/2013/02/27/mid-century-modern-dream-homes-that-will-kill-your-children/">15 Mid-Century Modern Dream Homes that will Kill Your Children</a>

(<i>via <a href="http://metafilter.com">MeFi</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/04/07/mid-century-modern-housing-des.html/feed</wfw:commentRss>
		<slash:comments>99</slash:comments>
		</item>
		<item>
		<title>Apple&#039;s security&#160;problems</title>
		<link>http://boingboing.net/2013/03/29/apples-security-problems.html</link>
		<comments>http://boingboing.net/2013/03/29/apples-security-problems.html#comments</comments>
		<pubDate>Fri, 29 Mar 2013 17:02:34 +0000</pubDate>
		<dc:creator>Rob Beschizza</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tech]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=222196</guid>
		<description><![CDATA[<p>At <em>The Verge</em>, Tim Carmody reports on <a href="http://www.theverge.com/2013/3/29/4158594/password-denied-when-will-apple-get-serious-about-security">Apple's seeming inability to get to grips with account security.</a>

<blockquote><p>"The conventional wisdom is that this was a run-of-the-mill software security issue. ... No. It isn’t. It’s a troubling symptom that suggests Apple’s self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn’t going smoothly.</p></blockquote></p>]]></description>
			<content:encoded><![CDATA[<p>At <em>The Verge</em>, Tim Carmody reports on <a href="http://www.theverge.com/2013/3/29/4158594/password-denied-when-will-apple-get-serious-about-security">Apple's seeming inability to get to grips with account security.</a>

<blockquote><p>"The conventional wisdom is that this was a run-of-the-mill software security issue. ... No. It isn’t. It’s a troubling symptom that suggests Apple’s self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn’t going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple’s entire ecosystem of devices, stores, software, and services."</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/29/apples-security-problems.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Why security awareness training is a waste of&#160;time</title>
		<link>http://boingboing.net/2013/03/27/why-security-awareness-trainin.html</link>
		<comments>http://boingboing.net/2013/03/27/why-security-awareness-trainin.html#comments</comments>
		<pubDate>Thu, 28 Mar 2013 04:28:04 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=221450</guid>
		<description><![CDATA[<p>
Bruce Schneier presents a very cogent and convincing argument that "security awareness training" is a waste of money -- specifically, because the benefits of "security" are intangible, while the benefits of getting your work done are apparent.

<blockquote>
<p>


To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can't expect them to become experts.</p></blockquote></p>]]></description>
			<content:encoded><![CDATA[

<p>
Bruce Schneier presents a very cogent and convincing argument that "security awareness training" is a waste of money -- specifically, because the benefits of "security" are intangible, while the benefits of getting your work done are apparent.

<blockquote>
<p>


To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can't expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it's hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.
<p>
Even if we could invent an effective computer security training program, there's one last problem. HIV prevention training works because affecting what the average person does is valuable. Even if only half the population practices safe sex, those actions dramatically reduce the spread of HIV. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in. As long as we build systems that are vulnerable to the worst case, raising the average case won't make them more secure.
<p>
The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones. Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested. That's how we should be designing security interfaces. And we should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.
</blockquote>

<p>
<a href="http://www.schneier.com/blog/archives/2013/03/security_awaren_1.html">Security Awareness Training</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/27/why-security-awareness-trainin.html/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Back issues of the NSA&#039;s secret, in-house&#160;mag</title>
		<link>http://boingboing.net/2013/03/27/back-issues-of-the-nsas-secr.html</link>
		<comments>http://boingboing.net/2013/03/27/back-issues-of-the-nsas-secr.html#comments</comments>
		<pubDate>Wed, 27 Mar 2013 14:40:41 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[Old school]]></category>
		<category><![CDATA[secrecy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=221263</guid>
		<description><![CDATA[<p>
<img src="http://craphound.com/images/cryptolog_01.pdf-pages.jpg" class="bordered"/><br />
The National Security Agency has released an archive of back issues of <em>Cryptolog</em>, its secret, in-house magazine, in a repository spanning 1974 to 1997. The issues are heavily redacted in places, but still look like a promising source of interesting and curious facts.</p>]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://craphound.com/images/cryptolog_01.pdf-pages.jpg" class="bordered"><br />
The National Security Agency has released an archive of back issues of <em>Cryptolog</em>, its secret, in-house magazine, in a repository spanning 1974 to 1997. The issues are heavily redacted in places, but still look like a promising source of interesting and curious facts. 
<p>
<a href="http://www.nsa.gov/public_info/declass/cryptologs.shtml">Cryptologs</a>
<p>
<a href="http://www.nsa.gov/public_info/_files/cryptologs/cryptolog_01.pdf">Mirror</a>
<p>
(<i>via <a href="https://www.schneier.com/">Schneier</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/27/back-issues-of-the-nsas-secr.html/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>DDoS storm breaks records at 300&#160;Gbps</title>
		<link>http://boingboing.net/2013/03/27/ddos-storm-breaks-records-at-3.html</link>
		<comments>http://boingboing.net/2013/03/27/ddos-storm-breaks-records-at-3.html#comments</comments>
		<pubDate>Wed, 27 Mar 2013 13:22:00 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=221260</guid>
		<description><![CDATA[<p>
The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name Service, apparently aimed at anti-spam vigilantes Spamhaus, in retaliation for their blacklisting of Dutch free speech hosting provider Cyberbunker. At 300 mbps, the DDoS is the worst in public Internet history.</p>]]></description>
			<content:encoded><![CDATA[<p>
The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack on the Domain Name Service, apparently aimed at anti-spam vigilantes Spamhaus, in retaliation for their blacklisting of Dutch free speech hosting provider Cyberbunker. At 300 mbps, the DDoS is the worst in public Internet history.



<blockquote>
<p>
 “These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of Cloudflare. “It’s so easy to cause so much damage.”
<p>
The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.
<p>
“It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.”
<p>
Spamhaus, one of the most prominent groups tracking spammers on the Internet, uses volunteers to identify spammers and has been described as an online vigilante group.
<p>
In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until its servers become unreachable. But in recent weeks, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or DNS. 
</blockquote>

<p>
As bad as this is, it could be a <em>lot</em> worse. An anonymous paper called <a href="http://internetcensus2012.bitbucket.org/paper.html">Internet Census 2012: Port scanning /0 using insecure embedded devices</a> reports on a researcher's project to scan every IPv4 address for publicly available machines that will accept a telnet connection and yield up a root login to a default password. The researcher reports that 1.2 million such devices are available online (s/he compromised many of these machines in order to run the census). These machines are things like printers and routers with badly secured firmware, visible on the public net. They are often running an old version of GNU/Linux and can be hijacked to form part of a staggeringly large botnet that would be virtually unkillable, since the owners of these devices are vanishingly unlikely to notice that they are silently running attackware, and the devices themselves are completely unregarded.

<p>
<a href="http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&#038;_r=0">Firm Is Accused of Sending Spam, and Fight Jams Internet</a> [NYT/John Markoff &#038; Nicole Perlroth]
<p>
(<i>via <a href="https://news.ycombinator.com/">Hacker News</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/27/ddos-storm-breaks-records-at-3.html/feed</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
		<item>
		<title>Nuts-and-bolts look at password&#160;cracking</title>
		<link>http://boingboing.net/2013/03/26/nuts-and-bolts-look-at-passwor.html</link>
		<comments>http://boingboing.net/2013/03/26/nuts-and-bolts-look-at-passwor.html#comments</comments>
		<pubDate>Wed, 27 Mar 2013 03:05:04 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=220697</guid>
		<description><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/cracking2-640x480.png2.jpg" class="bordered"/><br />
Ars Technica's Nate Anderson decided to try cracking passwords (from a leaked file of MD5 hashes), to see how difficult it was. After a very long false start (he forgot to decompress the word-list file) that's covered in a little too much detail, Anderson settles down to cracking hashes in earnest, and provides some good data on the nuts and bolts of password security:


<blockquote>
<p>
By this point I had puzzled out how Hashcat worked, so I dumped the GUI and switched back to the command-line version running on my much faster MacBook Air.</p></blockquote></p>]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/cracking2-640x480.png2.jpg" class="bordered"><br />
Ars Technica's Nate Anderson decided to try cracking passwords (from a leaked file of MD5 hashes), to see how difficult it was. After a very long false start (he forgot to decompress the word-list file) that's covered in a little too much detail, Anderson settles down to cracking hashes in earnest, and provides some good data on the nuts and bolts of password security:


<blockquote>
<p>
By this point I had puzzled out how Hashcat worked, so I dumped the GUI and switched back to the command-line version running on my much faster MacBook Air. My goal was to figure out how many hashes I could crack in, say, under 30 minutes, as well as which attacks were most efficient. I began again on my 17,000-hash file, this time having Hashcat remove each hash from the file once it was cracked. This way I knew exactly how many hashes each attack solved.
<p>


This set of attacks brought the number of uncracked MD5 hashes down from 17,000 to 8,790, but clearly the best "bang for the buck" came from running the RockYou list with the best64.rule iterations. In just 90 seconds, this attack would uncover 45 percent of the hashed passwords; additional attacks did little more, even those that took 16 minutes to run.
<p>
Cracking a significant number of the remaining passwords would take some much more serious effort. Applying the complex d3ad0ne.rule file to the massive RockYou dictionary, for instance, would require more than two hours of fan-spinning number-crunching. And brute force attacks using 6-character passwords only picked up a few additional results.

</blockquote>
<p>
The point, really, is that if you want to understand the relative security of different password-generation techniques, you need to understand what's involved in state-of-the-art password cracking techniques.
<p>
<a href="http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/">How I became a password cracker</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/26/nuts-and-bolts-look-at-passwor.html/feed</wfw:commentRss>
		<slash:comments>22</slash:comments>
		</item>
		<item>
		<title>Abandoned cake-box at airport turns into inadvertent Portal-themed security&#160;worry</title>
		<link>http://boingboing.net/2013/03/26/abandoned-cake-box-at-airport.html</link>
		<comments>http://boingboing.net/2013/03/26/abandoned-cake-box-at-airport.html#comments</comments>
		<pubDate>Wed, 27 Mar 2013 00:32:38 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[aviation]]></category>
		<category><![CDATA[cake]]></category>
		<category><![CDATA[Funny]]></category>
		<category><![CDATA[Games]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=220988</guid>
		<description><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/cake-box-at-airport2.jpg" class="bordered"/><br />
An empty cake-shipping box abandoned at the Tampa airport reportedly freaked out passengers and Portal players: "My visit to Tampa has drawn to a close, and The Lady just dropped me off at the airport. Right by the Air Canada entrance, this styrofoam box marked “CAKE” has been unnerving passengers.</p>]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/cake-box-at-airport2.jpg" class="bordered"><br />
An empty cake-shipping box abandoned at the Tampa airport reportedly freaked out passengers and Portal players: "My visit to Tampa has drawn to a close, and The Lady just dropped me off at the airport. Right by the Air Canada entrance, this styrofoam box marked “CAKE” has been unnerving passengers. It’s empty — it probably held cake for transport but was too big to fit into the car that picked it up — but I let some airport staff know that it was beginning to worry some people. Namely, the security-conscious and Portal players."

<p>
<a href="http://www.joeydevilla.com/2013/03/25/unnerving-people-at-the-airport-or-the-cake-is-a-lie/">Unnerving People at the Airport (or: The Cake is a Lie!)</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/26/abandoned-cake-box-at-airport.html/feed</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Your WiFi-enabled camera might be spying on&#160;you</title>
		<link>http://boingboing.net/2013/03/26/your-wifi-enabled-camera-might.html</link>
		<comments>http://boingboing.net/2013/03/26/your-wifi-enabled-camera-might.html#comments</comments>
		<pubDate>Tue, 26 Mar 2013 16:45:04 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Video]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web theory]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=220952</guid>
		<description><![CDATA[Every networked sensor package in your immediate vicinity can be used to spy on you unless it is well-designed and transparent to you and the wide community of security researchers.]]></description>
			<content:encoded><![CDATA[
<!--http://www.youtube.com/watch?v=u7RjJNLnWF8--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/u7RjJNLnWF8?showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>
Every networked sensor package in your immediate vicinity can be used to spy on you unless it is well-designed and transparent to you and the wide community of security researchers. If that sounds paranoid, check out the video above, wherein some security researchers show that they can covertly operate WiFi-enabled personal cameras and turn them into bugs. 

<blockquote>
<p>

But, as proven by Daniel Mende and Pascal Turbing, security researchers with German-based IT consulting firm ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices.
<p>
Mende and Turbing chose to compromise Canon's EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it.
<p>
In this presentation from Shmoocon 2013, they explained in detail how they managed to mount the attacks, and have also offered advice for users on how to secure their cameras and connections against these and similar attacks.
</blockquote>
<p>
Stuff like this is why DRM and EULAs are so insidious. The existence of devices that attack their owners affects us all. It is a public health problem. Any time we pass a law that makes it illegal or legally perilous to point out flaws in technology, we make it harder to solve the public health problem, and we're all at risk.


<p>
<a href="http://www.net-security.org/secworld.php?id=14651">
Digital cameras easily turned into spying devices, researchers prove</a>

(<i>via <a href="http://slashdot.org">/.</a></i>)






]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/26/your-wifi-enabled-camera-might.html/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Skype&#039;s IP-leaking security bug creates denial-of-service cottage&#160;industry</title>
		<link>http://boingboing.net/2013/03/22/skypes-ip-leaking-security-b.html</link>
		<comments>http://boingboing.net/2013/03/22/skypes-ip-leaking-security-b.html#comments</comments>
		<pubDate>Sat, 23 Mar 2013 01:04:14 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[ddos]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[skype]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=220291</guid>
		<description><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/anonyresolver.png1.jpg" class="bordered"/><br />
It's been more than a year since the <em>WSJ</em> reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.</p>]]></description>
			<content:encoded><![CDATA[

<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/anonyresolver.png1.jpg" class="bordered"><br />
It's been more than a year since the <em>WSJ</em> reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you figure out someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home.

<blockquote>
<p>


In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

<p>
Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire that can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.
<p>
Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.
</blockquote>

<p>
<a href="http://krebsonsecurity.com/2013/03/privacy-101-skype-leaks-your-location/">Privacy 101: Skype Leaks Your Location</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/22/skypes-ip-leaking-security-b.html/feed</wfw:commentRss>
		<slash:comments>23</slash:comments>
		</item>
		<item>
		<title>Brian Krebs talks to hacker who may have SWATted him and attacked Wired&#039;s Mat&#160;Honan</title>
		<link>http://boingboing.net/2013/03/19/brian-krebs-talks-to-hacker-wh.html</link>
		<comments>http://boingboing.net/2013/03/19/brian-krebs-talks-to-hacker-wh.html#comments</comments>
		<pubDate>Tue, 19 Mar 2013 22:07:46 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[christ what an asshole]]></category>
		<category><![CDATA[petard]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[videos]]></category>
		<category><![CDATA[youtube]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=219567</guid>
		<description><![CDATA[<!--http://www.youtube.com/watch?v=EB2BkYbeACI--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/EB2BkYbeACI?showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>

Last week, Brian Krebs (a respected security researcher and journalist who often publishes details about high-tech crime) was <a href="http://boingboing.net/2013/03/15/internet-security-writer-ddos.html">SWATted</a> -- that is, someone defrauded his local police department into sending a SWAT team to his house, resulting in his getting confronted by gun-wielding, hair-trigger cops who had him lie on the ground and cuffed him before it was all sorted out.</p>]]></description>
			<content:encoded><![CDATA[
<!--http://www.youtube.com/watch?v=EB2BkYbeACI--><div class="video-container"><iframe width="600" height="338" src="http://www.youtube.com/embed/EB2BkYbeACI?showinfo=0" frameborder="0" allowfullscreen></iframe></div>

<p>

Last week, Brian Krebs (a respected security researcher and journalist who often publishes details about high-tech crime) was <a href="http://boingboing.net/2013/03/15/internet-security-writer-ddos.html">SWATted</a> -- that is, someone defrauded his local police department into sending a SWAT team to his house, resulting in his getting confronted by gun-wielding, hair-trigger cops who had him lie on the ground and cuffed him before it was all sorted out.
<p>
Krebs, being a talented investigator, is hot on the trail of the people or person responsible for this. And a variety of sources point to a 20-year-old hacker who goes by "Phobia," and whose real name, according to Krebs, is Ryan Stevenson. Phobia was implicated in the <a href="http://boingboing.net/2012/08/06/mat-honan-on-being-hacked.html">attack on Wired reporter Mat Honan</a>, wherein his laptop drive and online backup were deleted, including irreplaceable photos of his child's first year, and eight years' worth of email.
<p>
Krebs phoned "Phobia" up and ended up speaking to Phobia and his father. Phobia denied attacking Krebs and insisted that he had nothing to do with the gamer/fraudster clan behind it (though Krebs pointed out that Phobia can be heard speaking in the group's YouTube videos, which document their attacks), but admitted that he had been the culprit in hacking Honan (his father then came onto the line to deny this). The transcript is the most interesting part of the piece:

<blockquote>
<p>


BK: Uh huh. And is Honan referring to you in this article?
<p>
RS: Yeah.
<p>
BK Yes?
<p>
RS: Uh huh.
<p>
BK: Did anything bad ever happen to you because of this?
<p>
RS: No.
<p>
BK: So, this was your doing with the Mat Honan hack, but you say you would never use a site like a stresser or…
<p>
RS: Yeah, I would never do that. That’s stupid.
<p>
BK: …or hack a reporter’s account or launch a denial of service attack against a reporter, or SWAT his house….
<p>
RS: [extended silence]
<p>
BK: So what’s the point of hacking a reporter’s iCloud account? Why’d you do that?
<p>
RS: Just to prove a point that, like…the security is breachable.
</blockquote>


<p>
<a href="http://krebsonsecurity.com/2013/03/the-obscurest-epoch-is-today/">The Obscurest Epoch is Today</a>

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/19/brian-krebs-talks-to-hacker-wh.html/feed</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Casino cheats used house CCTVs to score&#160;$32M</title>
		<link>http://boingboing.net/2013/03/18/the-cameras-at-crown-are-state.html</link>
		<comments>http://boingboing.net/2013/03/18/the-cameras-at-crown-are-state.html#comments</comments>
		<pubDate>Tue, 19 Mar 2013 03:12:24 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[australia]]></category>
		<category><![CDATA[cctv]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[gambling]]></category>
		<category><![CDATA[petard]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=219357</guid>
		<description><![CDATA[<p>
<iframe src="http://video.heraldsun.com.au/embed/2344441648/Crown-Casino-in-high-tech-scam?player=narrow" width="330" height="365" frameborder="0" marginheight="0" marginwidth="0" scrolling="no"></iframe>
</p><p>
A rich, high-stakes gambler was dragged out of his opulent comp suite at the Crown Towers casino in Melbourne, accused of participating in a $32M scam that made use of the casino's own CCTV cameras to cheat.
</p>


<blockquote>
<p>
The Herald Sun understands remote access to the venue's security system was given to an unauthorised person.</p></blockquote>]]></description>
			<content:encoded><![CDATA[<p>
<iframe src="http://video.heraldsun.com.au/embed/2344441648/Crown-Casino-in-high-tech-scam?player=narrow" width="330" height="365" frameborder="0" marginheight="0" marginwidth="0" scrolling="no"></iframe>
<p>
A rich, high-stakes gambler was dragged out of his opulent comp suite at the Crown Towers casino in Melbourne, accused of participating in a $32M scam that made use of the casino's own CCTV cameras to cheat.
<p>


<blockquote>
<p>
The Herald Sun understands remote access to the venue's security system was given to an unauthorised person.
<p>
Images relayed from cameras were then used to spy on a top-level gaming area where the high roller was playing.
<p>
Signals were given to him on how he should bet based on the advice of someone viewing the camera feeds. Sources said the total stolen was $32 million.
<p>

<p>
They are capable of transmitting the most intricate detail of goings-on inside the building.
</blockquote>
<p>
Casinos were the world leaders in CCTV use, and really represent ground zero for the panopticon theory of security. What is rarely mentioned is that "security" measures can be turned against defenders if attackers can hijack them. This is as true when a mugger uses his victim's gun against him as it is when a casino's own CCTVs are used to defeat its own anti-cheating measures. This is the high-stakes gambling version of all those IP-based CCTVs that leak sensitive footage of the inside of people's houses onto the public Internet.

<p>
<a href="http://www.heraldsun.com.au/news/law-order/crown-casino-hi-tech-scam-nets-32-million/story-fnat79vb-1226597666337">Crown casino hi-tech scam nets $32 million</a> [Mark Buttler/Herald Sun]

<p>
(<i>via <a href="http://slashdot.org">/.</a></i>)

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/18/the-cameras-at-crown-are-state.html/feed</wfw:commentRss>
		<slash:comments>31</slash:comments>
		</item>
		<item>
		<title>Control-Alt-Hack: delightful strategy card game about white-hat&#160;hacking</title>
		<link>http://boingboing.net/2013/03/18/control-alt-hack-delightful-s.html</link>
		<comments>http://boingboing.net/2013/03/18/control-alt-hack-delightful-s.html#comments</comments>
		<pubDate>Mon, 18 Mar 2013 13:17:48 +0000</pubDate>
		<dc:creator>Cory Doctorow</dc:creator>
				<category><![CDATA[Review]]></category>
		<category><![CDATA[Games]]></category>
		<category><![CDATA[gift guide]]></category>
		<category><![CDATA[happy mutants]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Reviews]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=219304</guid>
		<description><![CDATA[<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/boxcontents.png1.jpg" class="bordered"/><br />
<a href="http://www.amazon.com/exec/obidos/ASIN/B008HIX5KO/downandoutint-20">Control-Alt-Hack</a> is a tremendously fun, hacker-themed strategy card game that uses the mechanic of the classic Steve Jackson <a href="http://www.sjgames.com/ninjaburger/">Ninja Burger</a> game. It comes out of the <a href="http://seclab.cs.washington.edu/">University of Washington Computer Security and Privacy Research Lab</a>, and features extremely entertaining and funny computer-security-themed scenarios, buffs, attacks and characters.</p>]]></description>
			<content:encoded><![CDATA[
<p>
<img src="http://boingboing.net/wp-content/uploads/2013/03/boxcontents.png1.jpg" class="bordered"><br />
<a href="http://www.amazon.com/exec/obidos/ASIN/B008HIX5KO/downandoutint-20">Control-Alt-Hack</a> is a tremendously fun, hacker-themed strategy card game that uses the mechanic of the classic Steve Jackson <a href="http://www.sjgames.com/ninjaburger/">Ninja Burger</a> game. It comes out of the <a href="http://seclab.cs.washington.edu/">University of Washington Computer Security and Privacy Research Lab</a>, and features extremely entertaining and funny computer-security-themed scenarios, buffs, attacks and characters.
<p>
The gameplay is very well-thought-through (<a href="http://www.controlalthack.com/downloadrules.php">here's a PDF of the rules</a>). Three of us sat down to play it this weekend with only a cursory glance at the rules beforehand. By following the quickstart instructions, we were able to jump straight into play, and within a few turns, we really had the rhythm and were busily sabotaging one another and cursing at the dice when they rolled against our favor.
<p>
Based on my play session, I'm really impressed. Though one player led the game early on, there were several reversals, wherein the leading and trailing players traded places -- always the mark of a great game. There was a good mix of skill, strategy and luck, and things were just complicated enough that it absorbed our full attention, without lagging or flagging.
<p>
A full game takes about an hour, and between three and six people can play at once. We played it after Sunday brunch and it was a great digestive aid. All three of us loved the geeky, info-sec-y references, the funny scenarios (everything from devising a cryptographic protocol for implanted medical devices to pranking a labmate with a gag WiFi keystroke-inserter), and the grace-notes (like a scenario that is encoded as a cryptogram). There were moments of unlikely hail-mary-heroism, crushing defeat, and lots of laughs. We'll play this one again.
<p>
<a href="http://www.amazon.com/exec/obidos/ASIN/B008HIX5KO/downandoutint-20">Control-Alt-Hack: White Hat Hacking for Fun and Profit </a>
<p>
<a href="http://www.controlalthack.com/">Control-Alt-Hack</a> [Publisher's site]

]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/18/control-alt-hack-delightful-s.html/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>MD used &quot;silicone fingers&quot; to trick biometric time clock on colleagues&#039;&#160;behalf</title>
		<link>http://boingboing.net/2013/03/13/md-used-silicon-fingers-to.html</link>
		<comments>http://boingboing.net/2013/03/13/md-used-silicon-fingers-to.html#comments</comments>
		<pubDate>Wed, 13 Mar 2013 19:01:00 +0000</pubDate>
		<dc:creator>David Pescovitz</dc:creator>
				<category><![CDATA[Post]]></category>
		<category><![CDATA[biometrics]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[prosthetics]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Weird]]></category>

		<guid isPermaLink="false">http://boingboing.net/?p=218534</guid>
		<description><![CDATA[<img src="http://boingboing.net/wp-content/uploads/2013/03/NewImage45.png" alt="NewImage" title="NewImage.png" border="0" width="304" height="171" class="alignright" />Brazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at the hospital near Sao Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." <em>(<a href="http://www.bbc.co.uk/news/world-latin-america-21756709">BBC News</a>)</em>]]></description>
			<content:encoded><![CDATA[<img src="http://boingboing.net/wp-content/uploads/2013/03/NewImage45.png" alt="NewImage" title="NewImage.png" border="0" width="304" height="171" class="alignright" />Brazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at the hospital near Sao Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." <em>(<a href="http://www.bbc.co.uk/news/world-latin-america-21756709">BBC News</a>)</em>]]></content:encoded>
			<wfw:commentRss>http://boingboing.net/2013/03/13/md-used-silicon-fingers-to.html/feed</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
	</channel>
</rss>
