
Mid-Century Modern housing designs vs children


Projectophile's Clare has a funny post about the hazards presented by beautiful mid-century modern home designs to children. My grandparents had a proper split-level MCM when I was a kid, and it's a wonder we survived. As Clare says, "I love open, flowing space as much as the next modern girl. But I know it would only be a matter of minutes before my kid flings himself off one of these deadly ledges..."

15 Mid-Century Modern Dream Homes that will Kill Your Children (via MeFi)

Apple's security problems

At The Verge, Tim Carmody reports on Apple's seeming inability to get to grips with account security.

"The conventional wisdom is that this was a run-of-the-mill software security issue. ... No. It isn’t. It’s a troubling symptom that suggests Apple’s self-admittedly bumpy transition from a maker of beautiful devices to a fully-fledged cloud services provider still isn’t going smoothly. Meanwhile, your Apple ID password has come a long way from the short string of characters you tap to update apps on your iPhone. It now offers access to Apple’s entire ecosystem of devices, stores, software, and services."

Why security awareness training is a waste of time

Bruce Schneier presents a very cogent and convincing argument that "security awareness training" is a waste of money -- specifically, because the benefits of "security" are intangible, while the benefits of getting your work done are apparent.

To those who think that training users in security is a good idea, I want to ask: "Have you ever met an actual user?" They're not experts, and we can't expect them to become experts. The threats change constantly, the likelihood of failure is low, and there is enough complexity that it's hard for people to understand how to connect their behavior to eventual outcomes. So they turn to folk remedies that, while simple, don't really address the threats.

Even if we could invent an effective computer security training program, there's one last problem. HIV prevention training works because affecting what the average person does is valuable. Even if only half the population practices safe sex, those actions dramatically reduce the spread of HIV. But computer security is often only as strong as the weakest link. If four-fifths of company employees learn to choose better passwords, or not to click on dodgy links, one-fifth still get it wrong and the bad guys still get in. As long as we build systems that are vulnerable to the worst case, raising the average case won't make them more secure.

The whole concept of security awareness training demonstrates how the computer industry has failed. We should be designing systems that won't let users choose lousy passwords and don't care what links a user clicks on. We should be designing systems that conform to their folk beliefs of security, rather than forcing them to learn new ones. Microsoft has a great rule about system messages that require the user to make a decision. They should be NEAT: necessary, explained, actionable, and tested. That's how we should be designing security interfaces. And we should be spending money on security training for developers. These are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.

Security Awareness Training

Back issues of the NSA's secret, in-house mag


The National Security Agency has released an archive of back issues of Cryptolog, its secret, in-house magazine, in a repository spanning 1974 to 1997. The issues are heavily redacted in places, but still look like a promising source of interesting and curious facts.

Cryptologs

Mirror

(via Schneier)

DDoS storm breaks records at 300 Gbps

The Internet has been groaning under the weight of a massive distributed denial of service (DDoS) attack that abuses the Domain Name System (DNS) as a traffic amplifier, apparently aimed at anti-spam vigilantes Spamhaus, in retaliation for their blacklisting of Dutch free speech hosting provider Cyberbunker. At 300 Gbps, the DDoS is the largest publicly reported in Internet history.

“These things are essentially like nuclear bombs,” said Matthew Prince, chief executive of Cloudflare. “It’s so easy to cause so much damage.”

The so-called distributed denial of service, or DDoS, attacks have reached previously unknown magnitudes, growing to a data stream of 300 billion bits per second.

“It is a real number,” Mr. Gilmore said. “It is the largest publicly announced DDoS attack in the history of the Internet.”

Spamhaus, one of the most prominent groups tracking spammers on the Internet, uses volunteers to identify spammers and has been described as an online vigilante group.

In the past, blacklisted sites have retaliated against Spamhaus with denial-of-service attacks, in which they flood Spamhaus with traffic requests from personal computers until its servers become unreachable. But in recent weeks, the attackers hit back with a far more powerful strike that exploited the Internet’s core infrastructure, called the Domain Name System, or DNS.

As bad as this is, it could be a lot worse. An anonymous paper called Internet Census 2012: Port scanning /0 using insecure embedded devices describes a project to scan every IPv4 address for publicly reachable machines that accept a telnet connection and hand over a root login to a default or empty password. The researcher reports finding about 1.2 million such devices (s/he compromised many of them in order to run the census itself). These are things like printers and routers with badly secured firmware, visible on the public net. They often run an old version of GNU/Linux and could be hijacked to form a staggeringly large botnet that would be virtually unkillable, since the owners of these devices are vanishingly unlikely to notice that they are silently running attackware, and the devices themselves are completely unregarded.
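To make the reflection mechanism concrete, here is an added Python example (it is not from the NYT piece, the census paper, or any of the parties named above). It shows two things: the small EDNS0 `ANY` query an attacker hands to an open resolver with the victim's address forged as the IP source, together with the amplification factor against a typical multi-kilobyte answer; and a detector over NetFlow-style records that flags a host receiving large DNS answers from many resolvers it never queried. The 3000-byte answer size, the flow records, the addresses and the thresholds are all constructed for illustration. The query builder only produces bytes; nothing is sent.

```python
import struct
from collections import defaultdict


def build_dns_query(name, qtype=255, edns_bufsize=4096, txid=0x1337):
    """Wire-format DNS query: 12-byte header, one question, one EDNS0 OPT record.

    qtype 255 is ANY and a large EDNS0 buffer invites a big UDP answer. In a
    reflection attack this packet goes to open resolvers with the victim's
    address as the forged IP source, so every answer lands on the victim.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; QDCOUNT=1; ARCOUNT=1 (OPT)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)              # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root name, TYPE OPT, UDP size, TTL, RDLEN
    return header + question + opt


def amplification_factor(query_len, response_len):
    """Bytes the victim receives per byte the attacker sends, rounded to 0.1."""
    return round(response_len / query_len, 1)


# Constructed NetFlow-style UDP records: "src sport dst dport bytes".
# Five open resolvers answer a host that never asked them anything; a second
# host makes one ordinary query and gets one ordinary answer.
SAMPLE_FLOWS = """\
198.51.100.11 53 203.0.113.10 1024 3000
198.51.100.12 53 203.0.113.10 1024 3000
198.51.100.13 53 203.0.113.10 1024 3000
198.51.100.14 53 203.0.113.10 1024 3000
198.51.100.15 53 203.0.113.10 1024 3000
203.0.113.20 40111 198.51.100.1 53 36
198.51.100.1 53 203.0.113.20 40111 120
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, nbytes = line.split()
        flows.append((src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def detect_reflection(flows, min_reflectors=3, min_ratio=10.0):
    """Flag hosts whose inbound DNS-answer bytes dwarf their outbound DNS-query bytes.

    A real client's answers come from the few resolvers it asked and are only a
    few times larger than its queries; a reflection victim gets large answers
    from many resolvers and (because the queries were spoofed) sent none.
    Thresholds are illustrative, not tuned values.
    """
    resp_bytes = defaultdict(int)
    resp_srcs = defaultdict(set)
    query_bytes = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == 53:                  # answer arriving at dst
            resp_bytes[dst] += nbytes
            resp_srcs[dst].add(src)
        if dport == 53:                  # query leaving src
            query_bytes[src] += nbytes
    suspects = {}
    for host, nbytes in resp_bytes.items():
        sent = query_bytes[host]
        ratio = nbytes / sent if sent else float("inf")
        if len(resp_srcs[host]) >= min_reflectors and ratio >= min_ratio:
            suspects[host] = {
                "reflectors": len(resp_srcs[host]),
                "response_bytes": nbytes,
                "query_bytes": sent,
            }
    return suspects


if __name__ == "__main__":
    q = build_dns_query("isc.org")
    print(len(q), "byte query; amplification vs 3000-byte answer:",
          amplification_factor(len(q), 3000))
    print(detect_reflection(parse_flows(SAMPLE_FLOWS)))
```

The defensive points fall out of the code: an attacker pays 36 bytes per 3000 delivered, so the only structural fixes are resolvers that refuse queries from outside their own network and networks that drop packets with source addresses they could not legitimately originate (BCP 38), since the victim cannot tell a reflected answer from a real one by content alone.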

Firm Is Accused of Sending Spam, and Fight Jams Internet [NYT/John Markoff & Nicole Perlroth]

(via Hacker News)

Nuts-and-bolts look at password cracking


Ars Technica's Nate Anderson decided to try cracking passwords (from a leaked file of MD5 hashes), to see how difficult it was. After a very long false start (he forgot to decompress the word-list file) that's covered in a little too much detail, Anderson settles down to cracking hashes in earnest, and provides some good data on the nuts and bolts of password security:

By this point I had puzzled out how Hashcat worked, so I dumped the GUI and switched back to the command-line version running on my much faster MacBook Air. My goal was to figure out how many hashes I could crack in, say, under 30 minutes, as well as which attacks were most efficient. I began again on my 17,000-hash file, this time having Hashcat remove each hash from the file once it was cracked. This way I knew exactly how many hashes each attack solved.

This set of attacks brought the number of uncracked MD5 hashes down from 17,000 to 8,790, but clearly the best "bang for the buck" came from running the RockYou list with the best64.rule iterations. In just 90 seconds, this attack would uncover 45 percent of the hashed passwords; additional attacks did little more, even those that took 16 minutes to run.

Cracking a significant number of the remaining passwords would take some much more serious effort. Applying the complex d3ad0ne.rule file to the massive RockYou dictionary, for instance, would require more than two hours of fan-spinning number-crunching. And brute force attacks using 6-character passwords only picked up a few additional results.

The point, really, is that if you want to understand the relative security of different password-generation techniques, you need to understand what's involved in state-of-the-art password cracking techniques.
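An added Python example of the workflow Anderson describes (it is not Anderson's code and not Hashcat): a tiny rule-based dictionary attack against a set of unsalted MD5 hashes, run cheapest-attack-first, with each hash dropped from the working set the moment it is cracked so that the per-attack "bang for the buck" count is exact. The leaked hashes, the wordlist, the rule chains and the four-digit mask are all constructed; the plaintexts appear only so the example can build its own targets offline, whereas a real leak hands you hashes alone.

```python
import hashlib
from itertools import product


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed stand-in for a leaked hash file (plaintexts kept only to build it).
_SIMULATED_LEAK = ["password", "Password1", "letmein!", "iloveyou", "Summer2013",
                   "qwerty123", "d3adb33f", "2580", "correcthorsebatterystaple"]
LEAKED_HASHES = frozenset(md5_hex(p) for p in _SIMULATED_LEAK)

# Constructed stand-in for a RockYou-style wordlist (the real one has ~14 million lines).
WORDLIST = ["password", "letmein", "iloveyou", "summer", "qwerty", "deadbeef", "monkey"]


# Transforms in the spirit of hashcat rule functions; a rule is a chain of them.
def capitalize(w):
    yield w.capitalize()

def append_digit(w):
    for d in "0123456789":
        yield w + d

def append_year(w):
    for y in range(2010, 2014):
        yield w + str(y)

def append_symbol(w):
    for s in "!@#$":
        yield w + s

def leet(w):
    yield w.translate(str.maketrans("eois", "3015"))


RULES = [
    (":", []),                        # the dictionary word itself
    ("c", [capitalize]),
    ("$d", [append_digit]),
    ("c $d", [capitalize, append_digit]),
    ("$!", [append_symbol]),
    ("c $Y", [capitalize, append_year]),
    ("l33t", [leet]),
    ("$d$d$d", [append_digit] * 3),   # 1000 candidates per word
]


def mangle(word, transforms):
    """Expand one word through a rule chain; each transform fans out every candidate so far."""
    candidates = [word]
    for t in transforms:
        candidates = [c for w in candidates for c in t(w)]
    return candidates


def wordlist_attack(remaining, wordlist, transforms):
    """Return {hash: plaintext} for every mangled candidate whose MD5 is still uncracked."""
    cracked = {}
    for word in wordlist:
        for cand in mangle(word, transforms):
            h = md5_hex(cand)
            if h in remaining and h not in cracked:
                cracked[h] = cand
    return cracked


def mask_attack(remaining, mask="?d?d?d?d"):
    """Brute force a hashcat-style mask (?d digit, ?l lowercase); grows exponentially with length."""
    charsets = {"d": "0123456789", "l": "abcdefghijklmnopqrstuvwxyz"}
    positions = [charsets[c] for c in mask.split("?")[1:]]
    cracked = {}
    for combo in product(*positions):
        cand = "".join(combo)
        h = md5_hex(cand)
        if h in remaining:
            cracked[h] = cand
    return cracked


def run_campaign(hashes, wordlist):
    """Run attacks cheapest-first, removing cracked hashes as we go; report solves per attack."""
    remaining = set(hashes)
    cracked, report = {}, []
    for name, transforms in RULES:
        found = wordlist_attack(remaining, wordlist, transforms)
        remaining.difference_update(found)
        cracked.update(found)
        report.append((name, len(found)))
    found = mask_attack(remaining)
    remaining.difference_update(found)
    cracked.update(found)
    report.append(("mask ?d?d?d?d", len(found)))
    return cracked, remaining, report


if __name__ == "__main__":
    cracked, remaining, report = run_campaign(LEAKED_HASHES, WORDLIST)
    for name, n in report:
        print(f"{name:>14}: {n} cracked")
    print(len(cracked), "cracked,", len(remaining), "left")
```

Two things the toy makes visible that the article only states: unsalted fast hashes mean one MD5 per candidate for the whole file at once (a salt would multiply the work by the number of users), and the one survivor is the long passphrase that no word-plus-rule combination reaches, which is exactly what Anderson found when rules ran dry and six-character brute force barely moved the needle.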

How I became a password cracker

Abandoned cake-box at airport turns into inadvertent Portal-themed security worry


An empty cake-shipping box abandoned at the Tampa airport reportedly freaked out passengers and Portal players: "My visit to Tampa has drawn to a close, and The Lady just dropped me off at the airport. Right by the Air Canada entrance, this styrofoam box marked “CAKE” has been unnerving passengers. It’s empty — it probably held cake for transport but was too big to fit into the car that picked it up — but I let some airport staff know that it was beginning to worry some people. Namely, the security-conscious and Portal players."

Unnerving People at the Airport (or: The Cake is a Lie!)

Your WiFi-enabled camera might be spying on you

Every networked sensor package in your immediate vicinity can be used to spy on you unless it is well-designed and transparent to you and the wide community of security researchers. If that sounds paranoid, check out the video above, wherein some security researchers show that they can covertly operate WiFi-enabled personal cameras and turn them into bugs.

But, as proven by Daniel Mende and Pascal Turbing, security researchers with German-based IT consulting firm ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices.

Mende and Turbing chose to compromise Canon's EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but they have also managed to gain complete control of it.

In this presentation from Shmoocon 2013, they explained in detail how they managed to mount the attacks, and have also offered advice for users on how to secure their cameras and connections against these and similar attacks.

Stuff like this is why DRM and EULAs are so insidious. The existence of devices that attack their owners affects us all. It is a public health problem. Any time we pass a law that makes it illegal or legally perilous to point out flaws in technology, we make it harder to solve the public health problem, and we're all at risk.

Digital cameras easily turned into spying devices, researchers prove (via /.)

Skype's IP-leaking security bug creates denial-of-service cottage industry


It's been more than a year since the WSJ reported that Skype leaks its users' IP addresses and locations. Microsoft has done nothing to fix this since, and as Brian Krebs reports, the past year has seen the rise of several tools that let you find someone's IP address by searching for him on Skype, then automate launching denial-of-service attacks on that person's home Internet connection.

In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name).

Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel.

Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states.

Privacy 101: Skype Leaks Your Location

Brian Krebs talks to hacker who may have SWATted him and attacked Wired's Mat Honan

Last week, Brian Krebs (a respected security researcher and journalist who often publishes details about high-tech crime) was SWATted -- that is, someone defrauded his local police department into sending a SWAT team to his house, resulting in his getting confronted by gun-wielding, hair-trigger cops who had him lie on the ground and cuffed him before it was all sorted out.

Krebs, being a talented investigator, is hot on the trail of the people or person responsible for this. And a variety of sources point to a 20-year-old hacker who goes by "Phobia," and whose real name, according to Krebs, is Ryan Stevenson. Phobia was implicated in the attack on Wired reporter Mat Honan, wherein his laptop drive and online backup were deleted, including irreplaceable photos of his child's first year, and eight years' worth of email.

Krebs phoned "Phobia" up and ended up speaking to Phobia and his father. Phobia denied attacking Krebs and insisted that he had nothing to do with the gamer/fraudster clan behind it (though Krebs pointed out that Phobia can be heard speaking in the group's YouTube videos, which document their attacks), but admitted that he had been the culprit in hacking Honan (his father then came onto the line to deny this). The transcript is the most interesting part of the piece:

BK: Uh huh. And is Honan referring to you in this article?

RS: Yeah.

BK: Yes?

RS: Uh huh.

BK: Did anything bad ever happen to you because of this?

RS: No.

BK: So, this was your doing with the Mat Honan hack, but you say you would never use a site like a stresser or…

RS: Yeah, I would never do that. That’s stupid.

BK: …or hack a reporter’s account or launch a denial of service attack against a reporter, or SWAT his house….

RS:

BK: So what’s the point of hacking a reporter’s iCloud account? Why’d you do that?

RS: Just to prove a point that, like…the security is breachable.

The Obscurest Epoch is Today

Casino cheats used house CCTVs to score $32M

A rich, high-stakes gambler was dragged out of his opulent comp suite at the Crown Towers casino in Melbourne, accused of participating in a $32M scam that made use of the casino's own CCTV cameras to cheat.

The Herald Sun understands remote access to the venue's security system was given to an unauthorised person.

Images relayed from cameras were then used to spy on a top-level gaming area where the high roller was playing.

Signals were given to him on how he should bet based on the advice of someone viewing the camera feeds. Sources said the total stolen was $32 million.

They are capable of transmitting the most intricate detail of goings-on inside the building.

Casinos have long been world leaders in CCTV use, and really represent ground zero for the panopticon theory of security. What is rarely mentioned is that "security" measures can be turned against defenders if attackers can hijack them. This is as true when a mugger uses his victim's gun against him as it is when a casino's own CCTVs are used to defeat its own anti-cheating measures. This is the high-stakes gambling version of all those IP-based CCTVs that leak sensitive footage of the inside of people's houses onto the public Internet.

Crown casino hi-tech scam nets $32 million [Mark Buttler/Herald Sun]

(via /.)

Control-Alt-Hack: delightful strategy card game about white-hat hacking


Control-Alt-Hack is a tremendously fun, hacker-themed strategy card game that uses the mechanic of the classic Steve Jackson Ninja Burger game. It comes out of the University of Washington Computer Security and Privacy Research Lab, and features extremely entertaining and funny computer-security-themed scenarios, buffs, attacks and characters.

The gameplay is very well-thought-through (here's a PDF of the rules). Three of us sat down to play it this weekend with only a cursory glance at the rules beforehand. By following the quickstart instructions, we were able to jump straight into play, and within a few turns, we really had the rhythm and were busily sabotaging one another and cursing at the dice when they rolled against our favor.

Based on my play session, I'm really impressed. Though one player led the game early on, there were several reversals, wherein the leading and trailing players traded places -- always the mark of a great game. There was a good mix of skill, strategy and luck, and things were just complicated enough that it absorbed our full attention, without lagging or flagging.

A full game takes about an hour, and between three and six people can play at once. We played it after Sunday brunch and it was a great digestive aid. All three of us loved the geeky, info-sec-y references, the funny scenarios (everything from devising a cryptographic protocol for implanted medical devices to pranking a labmate with a gag WiFi keystroke-inserter), and the grace-notes (like a scenario that is encoded as a cryptogram). There were moments of unlikely hail-mary-heroism, crushing defeat, and lots of laughs. We'll play this one again.

Control-Alt-Hack: White Hat Hacking for Fun and Profit

Control-Alt-Hack [Publisher's site]

MD used "silicone fingers" to trick biometric time clock on colleagues' behalf

Brazilian doctor Thaune Nunes Ferreira, 29, was arrested for fraud for allegedly covering up her colleagues' absence from work by using prosthetic fingers to sign them in on a biometric time clock at the hospital near Sao Paulo. According to the BBC, "police said she had six silicone fingers with her at the time of her arrest, three of which have already been identified as bearing the fingerprints of co-workers." Ferreira's attorney claims "she was forced into the fraud as she faced losing her job." (BBC News)

Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"


Nate Anderson's long Ars Technica piece on RATters -- men who use "Remote Administration Tools" to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords -- is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this "game." Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by RATters (they call their victims "slaves"); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!"

One poster said he had already archived 200GB of webcam material from his slaves. "Mostly I pick up the best bits (funny parts, the 'good' [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake," he wrote. "For me I don't have the feeling of doing something perverted, it's more or less a game, cat and mouse game, with all the bonuses included. The weirdest thing is, when I see the person you've been spying on in real life, I've had that a couple of times, it just makes me giggle, especially if it's someone with an uber-weird-nasty habit."

By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. "lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit," one poster wrote. "Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves."

Everything we do today involves computers and everything we do tomorrow will require computers. It's imperative that computers be designed to reveal themselves to their users and owners -- every program and process accessible to users and owners by design. But we continue to erode this fundamental through bans on jailbreaking and unlocking, and through the governmental trade in "zero-day" exploits intended for use in so-called cyberwar.

Meet the men who spy on women through their webcams [Nate Anderson/Ars Technica]

RU Sirius on the history of cypherpunk

Over at The Verge, our pal RU Sirius writes about the history of "cypherpunk," a term coined in 1992 by legendary hacker St. Jude Milhon (RIP), and now used by Wikileaks founder Julian Assange in the title of his new book, Cypherpunks: Freedom and the Future of the Internet. From RU's piece at The Verge:
(EFF co-founder) John Gilmore summed up the accomplishments of the cypherpunks in a recent email: "We did reshape the world," he wrote. "We broke encryption loose from government control in the commercial and free software world, in a big way. We built solid encryption and both circumvented and changed the corrupt US legal regime so that strong encryption could be developed by anyone worldwide and deployed by anyone worldwide," including WikiLeaks.

As the 1990s rolled forward, many cypherpunks went to work for the man, bringing strong crypto to financial services and banks (on the whole, probably better than the alternative). Still, crypto-activism continued and the cypherpunk mailing list blossomed as an exchange for both practical encryption data and spirited, sometimes-gleeful argumentation, before finally peaking in 1997. This was when cypherpunk’s mindshare seemed to recede, possibly in proportion to the utopian effervescence of the early cyberculture. But the cypherpunk meme may now be finding a sort of rebirth in one of the biggest and most important stories in the fledgling 21st century.

"Cypherpunk rising: WikiLeaks, encryption, and the coming surveillance dystopia"
