Entries tagged with “security” from O'Reilly Radar

Tue, Nov 17, 2009

Nat Torkington

Four short links: 17 November 2009

Digital Natives, Supersexy C64 Debugger, a Google Tripwire, and a Patient Botnet

by Nat Torkington (@gnat) | comments: 1

  1. Digital Natives (Ze Frank) -- Digital natives have grown up in a landscape where access to information and influence has been flattened. They have watched media distribution bottlenecks in the form of networks and studios lose influence to YouTube and independent production houses. They have watched companies bow down to viral video critiques, and watched political systems get hacked by social networks. This is a generation that doesn't understand restrictions on access to media if those restrictions are inefficient or obviously detrimental to the system as a whole. This is a generation that has been at war with DRM and copyright right from the start. It is a generation awash with free tutorials and downloadable source code. When is a conversation with a precocious 17 year old a glimpse into an inter-generational gulf with implications for the role and status of formal education, and when is it just an encounter with a brat? Ze's piece is worth reading, whichever way it comes out.
  2. ICU64 -- an open source Commodore 64 emulator (Frodo) hacked to visually and textually display memory. Watch the video embedded below; it's hypnotic and seductive. It immediately made me want one for my programs (without having to port my code back to 6502 assembler). (via waxy, whose return from pneumonia is greatly welcomed)
  3. Me and Belle du Jour -- interesting story from a UK blog master who guessed her identity but kept it secret, creating a googlewhacked page as a tripwire to let him know when someone else guessed. He tipped her off that her cover was blown. (via waxy again)
  4. The Hail Mary Cloud -- the world's slowest yet effective brute force attack. If you publish your user name and password, somebody who is not you will use it, sooner or later. A botnet is brute-force trying every known username and password combination against every known ssh server. Each attempt in theory has monumental odds against succeeding, but occasionally the guess will be right and they have scored a login. As far as we know, this is at least the third round of password guessing from the Hail Mary Cloud (see the archives for earlier postings about slow bruteforcers), but there could have been earlier rounds that escaped our attention.
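As an added illustration of why the Hail Mary Cloud pattern is hard to catch (this code is not from the linked article or from the original post): a conventional per-source threshold flags a host that hammers sshd, while a slow, distributed sweep keeps every source under that threshold and only shows up when failures are aggregated across sources. The script below, written for this page, runs both a per-source detector and a campaign-level one over constructed sshd-style log lines; the hostname, IP addresses, usernames and thresholds are all made up.

```python
"""Detecting a slow, distributed SSH password-guessing campaign.

Added example, not from the original post. The log lines below are
constructed in the style of OpenSSH "Failed password" messages; the
hostname, IPs and usernames are invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three sources each try a couple of names hours apart
# (the slow pattern), plus one host that hammers root within seconds.
SAMPLE_AUTH_LOG = """\
Nov 17 02:11:03 bastion sshd[4012]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Nov 17 03:47:19 bastion sshd[4101]: Failed password for invalid user oracle from 198.51.100.23 port 40511 ssh2
Nov 17 05:02:44 bastion sshd[4230]: Failed password for invalid user test from 203.0.113.10 port 51987 ssh2
Nov 17 06:30:01 bastion sshd[4388]: Failed password for root from 192.0.2.77 port 33190 ssh2
Nov 17 08:15:55 bastion sshd[4510]: Failed password for invalid user postgres from 198.51.100.23 port 41877 ssh2
Nov 17 09:58:12 bastion sshd[4620]: Failed password for invalid user guest from 192.0.2.77 port 33994 ssh2
Nov 17 10:00:01 bastion sshd[4633]: Failed password for root from 192.0.2.99 port 50001 ssh2
Nov 17 10:00:02 bastion sshd[4634]: Failed password for root from 192.0.2.99 port 50002 ssh2
Nov 17 10:00:03 bastion sshd[4635]: Failed password for root from 192.0.2.99 port 50003 ssh2
Nov 17 10:00:04 bastion sshd[4636]: Failed password for root from 192.0.2.99 port 50004 ssh2
Nov 17 10:00:05 bastion sshd[4637]: Failed password for root from 192.0.2.99 port 50005 ssh2
Nov 17 10:00:06 bastion sshd[4638]: Failed password for root from 192.0.2.99 port 50006 ssh2
Nov 17 11:41:30 bastion sshd[4702]: Accepted password for alice from 192.0.2.5 port 52100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port"
)


def parse_failures(log_text, year=2009):
    """Return (timestamp, username, source_ip) for every failed-password line.

    syslog lines carry no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp = f"{year} {m['month']} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def noisy_sources(events, threshold=5, window_seconds=600):
    """Classic per-source detector: an IP with >= threshold failures inside one window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_campaign(events, min_sources=3, min_users=4, per_source_max=3):
    """Campaign-level detector for the slow pattern.

    Looks only at sources that stay at or below per_source_max failures (the
    ones a per-IP rule ignores) and reports when enough of them collectively
    sweep enough distinct usernames. Returns None when nothing qualifies.
    """
    by_ip = defaultdict(list)
    for _ts, user, ip in events:
        by_ip[ip].append(user)
    quiet = {ip: users for ip, users in by_ip.items() if len(users) <= per_source_max}
    users_seen = {u for users in quiet.values() for u in users}
    if len(quiet) >= min_sources and len(users_seen) >= min_users:
        return {"sources": sorted(quiet), "usernames": sorted(users_seen)}
    return None


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    print("per-source rule flags:", noisy_sources(failures))
    print("campaign rule reports:", distributed_campaign(failures))
```

On the constructed sample the per-source rule flags only the loud host, while the campaign rule reports the three quiet sources and the six usernames they swept between them; the thresholds are illustrative and would be tuned to the size of the server and its normal failure rate.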

tags: blogging, culture, debugging, google, retro, security | comments: 1

Thu, Nov 5, 2009

Nat Torkington

Four short links: 5 November 2009

Heat Maps in R, EC2 Blackhat Tricks, Snickersome Unicode, and Decoding Statistics

by Nat Torkington (@gnat) | comments: 0

  1. Heat Maps in R -- We used financial data here because it's easier to access than the airline data, but it's actually a pretty interesting way of looking at a financial time series. Weekend and holiday effects are a bit more obvious, and it's a bit like being able to see the daily, weekly, monthly and yearly closes all at once (by scanning your eye over the calendar in different directions). Includes source code. (via migurski on Delicious)
  2. BlackHat and EC2 -- Theft of resources is the red-headed step-child of attack classes and doesn't get much attention, but on cloud platforms where resources are shared amongst many users these attacks can have a very real impact. With this in mind, we wanted to show how EC2 was vulnerable to a number of resource theft attacks and the videos below demonstrate three separate attacks against EC2 that permit an attacker to boot up massive numbers of machines, steal computing time/bandwidth from other users and steal paid-for AMIs. (via straup on Delicious)
  3. Funny Characters in Unicode -- I never get tired of the wacky stuff in Unicode. I love the thought of a Unicode committee somewhere arguing passionately about the number of buttons on the snowman .... (via Hacker News)
  4. Statistics to English Translation -- The terms sensitivity and specificity generally refer to diagnostic or screening procedures, such as HIV or allergy tests. The sensitivity of a test is its true positive rate; the specificity is its true negative rate, although it can be more intuitive to think of specificity as the complement of the false positive rate. This matters. Bandying around numbers with misleading labels, or misinterpreting numbers that have a precise and defined meaning, does not further understanding. (Said 78.4% of statisticians, with a 20% confidence factor probability of false positives)
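A worked example of the definitions above, added here and not taken from the linked post: the rates are derived from confusion-matrix counts so that the "specificity is the complement of the false positive rate" identity can be checked exactly, and then applied to a population with a given base rate, which is where mislabelled numbers usually mislead (the same arithmetic governs how many of a detector's alerts are real). The study counts, prevalence and population are constructed.

```python
"""Sensitivity, specificity and what they imply for a screened population.

Added example (not from the linked post). The confusion-matrix counts and
the prevalence used below are constructed for illustration.
"""
from fractions import Fraction


def rates_from_confusion(tp, fn, tn, fp):
    """Derive the rates the post defines from raw counts.

    sensitivity = true positive rate = TP / (TP + FN)
    specificity = true negative rate = TN / (TN + FP)
    FPR         = FP / (FP + TN)     = 1 - specificity
    Fractions keep the arithmetic exact so the identities hold exactly.
    """
    return {
        "sensitivity": Fraction(tp, tp + fn),
        "specificity": Fraction(tn, tn + fp),
        "false_positive_rate": Fraction(fp, fp + tn),
    }


def expected_outcomes(rates, prevalence_per_million, population):
    """Apply the rates to a population with a given base rate.

    Returns the expected numbers of true and false positives and the positive
    predictive value (the share of positive results that are real), which is
    the figure a reader usually wants but the headline rates do not state.
    """
    prevalence = Fraction(prevalence_per_million, 1_000_000)
    positives = prevalence * population
    negatives = population - positives
    tp = rates["sensitivity"] * positives
    fp = (1 - rates["specificity"]) * negatives
    ppv = tp / (tp + fp) if tp + fp else Fraction(0)
    return {"true_positives": tp, "false_positives": fp, "ppv": ppv}


if __name__ == "__main__":
    # Constructed validation study: 100 known positives, 1000 known negatives.
    rates = rates_from_confusion(tp=95, fn=5, tn=980, fp=20)
    for name, value in rates.items():
        print(f"{name:>20}: {float(value):.3f}")
    # The same test applied to 100,000 people at 0.1% prevalence (1000 per million).
    out = expected_outcomes(rates, prevalence_per_million=1000, population=100_000)
    print(f"true positives: {out['true_positives']}, "
          f"false positives: {out['false_positives']}, "
          f"PPV: {float(out['ppv']):.3f}")
```

With the constructed study the test is 95% sensitive and 98% specific, yet at 0.1% prevalence it produces 1998 false positives for every 95 true ones, a positive predictive value under 5%; quoting only the first two numbers, as the post complains, hides the third.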

tags: amazon, cloud, ec2, language, R, security, statistics, visualization | comments: 0

Tue, Nov 3, 2009

Nat Torkington

Four short links: 3 November 2009

Electoral Cryptography, Dataless Airport Security, Visualising Transport Data, Mathematically Insecure Social Asymmetry

by Nat Torkington (@gnat) | comments: 0

  1. First Test for Election Cryptography (MIT Technology Review) -- The first government election to use a new cryptographic scheme that lets both voters and auditors check that votes were cast and recorded accurately will be held tomorrow in Takoma Park, MD. Founder of the company behind the technology is David Chaum, who ran the first electronic currency company in the 90s. That was ahead of its time (Internet faced a credibility problem, not a convenience problem), but his timing for this seems spot-on. (via timoreilly on Twitter)
  2. Do I Have The Right To Refuse This Search? -- a former police officer questions the efficacy of TSA screenings and is doubly worried by the lack of data collected. For years in policing, we relied on random patrols to curb crime. We relied upon this “strategy” until someone went out and captured some data, and did a study that demonstrated conclusively that random patrols do not work (Kansas City Study). As police have employed other types of “random” interventions, as in DWI checkpoints, they have had to develop policies, procedures and training to ensure that the “random” nature of these intrusions is truly random. Whether every car gets checked, or every tenth car, police must demonstrate that they have attempted to eliminate the effects of active and passive discrimination when using “random” strategies. No such accountability currently exists at TSA. The trend I see lately is a return to quantitative decision making: reality-based, data-directed system interventions. (via BoingBoing)
  3. Visualising Transport Data -- It can be hard to make meaningful information from huge amounts of data; a graph and a table don't always communicate all they should. We have been working hard on technology to visualise big datasets into compelling stories that humans can understand. We were really pleased with what we came up with in just one and a half days. Like many places, the UK data.gov ran a dev camp to jumpstart people using their data. These appear to be successful, but I'm not aware of studies into the long-term effects nor the "value" of different types of developers.
  4. Why Your Friends Have More Friends Than You Do -- there's a numerical optical illusion at work here: count your friends, then ask them to count their friends. If you average the friend counts of your peers, it'll probably be higher than your friend count. The reason for this is also why (on average!) your sexual partners seem to have had more sexual partners than you, and why previous generations seem more fecund than current generations. It's because connectors (with large numbers of friends) distort the average, so unless you're the connector (and if you're reading this, you might well be!) the average will be bigger than a normal person's friend count. Left unmentioned is what kind of person would count the number of friends they have, then ask their friends for their counts .... (via Hacker News)

tags: democracy, election, hacking, math, open data, security | comments: 0

Mon, Nov 2, 2009

Nat Torkington

Four short links: 2 November 2009

Inside Botnets, Creating Choropleths, Privacy Simplified, Massively Machiavellian Online Social Gaming

by Nat Torkington (@gnat) | comments: 1

  1. Your Botnet is My Botnet (PDF) -- 2008 USENIX Security paper analysing >70G of data gathered when security researchers hijacked the Torpig botnet. A major limitation of analyzing a botnet from the inside is the limited view. Most current botnets use stripped-down IRC or HTTP servers as their command and control channels, and it is not possible to make reliable statements about other bots. In particular, it is difficult to determine the size of the botnet or the amount and nature of the sensitive data that is stolen. One way to overcome this limitation is to “hijack” the entire botnet, typically by seizing control of the C&C channel. [...] As a result, whenever a bot resolves a domain (or URL) to connect to its C&C server, the connection is redirected or sinkholed. This provides the defender with a complete view of all IPs that attempt to connect to the C&C server as well as interesting information that the bots might send.
  2. cartographer.js -- build thematic maps using Google Maps. To be precise, you can build a choropleth, which is my word of the day. (via Simon Willison)
  3. Making Privacy Policies Not Suck (Aza Raskin) -- interested in developing a standard set of privacy policy components the way that Creative Commons has created a standard set of copyright license components.
  4. Scamville: The Social Gaming Ecosystem of Hell (TechCrunch) -- many of those games on Facebook that your friends play are evil. To get in-game money or objects, they'll let you take a survey but at the end you're signed up for crap you never wanted. Related: this article on monetizing social networks which talks about social gaming's business model.

tags: creative commons, gaming, google maps, mapping, privacy, research, security, social | comments: 1

Mon, Sep 28, 2009

Nat Torkington

Four short links: 28 September 2009

Science Blogs, Concussion Games, Packet Sniffer, and an Astonishing Product Name

by Nat Torkington (@gnat) | comments: 0

  1. Sci Blogs -- aggregated and hosted blogs from New Zealand scientists and researchers. A planet aggregator has become a key part of building a community, even outside programming.
  2. Super Better, or How To Turn Recovery Into a Game -- Jane McGonigal had a concussion, and created a game to keep her doing things that aided her recovery. Interesting discussion of how to build a game around a serious real-life problem. And honestly, people: if she can make concussion into a game, surely you can make your crap websites suck less?
  3. Justniffer -- packet sniffer that identifies HTTP requests and emits an Apache-style logfile showing what was requested. (via Simon Willison)
  4. Vegemite Names New Spread -- the original name was crowdsourced in 1923. They decided to repeat the process for their new product, a spread made from Vegemite and Cream Cheese. The winning name came from an Australian web designer: "Vegemite iSnack 2.0". This does not appear to be a joke (no mention that the commercial will use music from Rick Astley). Unsure which will make Americans more ill: the name, the idea of eating Vegemite mixed with cream cheese, or the idea of eating Vegemite at all.

tags: blogs, games, science, security, web, web 2.0 | comments: 0

Fri, Sep 4, 2009

Nat Torkington

Four short links: 4 September 2009

Flood Maps, Govt Permalinks, Ops, and Security

by Nat Torkington (@gnat) | comments: 1

  1. Flood Maps -- what the world will look like when the oceans rise. Interactive, so you can dial up your preferred level of environmental horror. (via Hans Nowak)
  2. Citability -- making government accessible, reliable, and transparent with advanced permalinks, as Government websites are ever changing and cannot be cited. Content changes without notice or accountability.
  3. Bootstrapping EC2 Images as Puppet Clients -- This is a post on how to get to the point of using Puppet in an EC2 environment, by automatically configuring EC2 instances as Puppet clients once they're launched. I've been learning that if you're using a cloud hosting service, you need an automated admin tool. (via Grig Gheorghiu). See also the APT repository for Chef.
  4. USB Snoop Stick -- Trojan in a convenient form factor, malware on a stick, back doors in your pocket ... and best of all, it's sold to consumers.

tags: climate change, environment, gov 2.0, operations, security, web, web monitoring | comments: 1

Thu, Aug 20, 2009

Nat Torkington

Four short links: 20 August 2009

DIY SPY, Screencasting, Social Network Analysis, Term Extraction

by Nat Torkington (@gnat) | comments: 1

  1. DIY SPY - a homebrew 2.4GHz wi-fi spectrum analyzer -- As proof of concept (and a cool toy for anyone who has one of these lying around), I have implemented a working Wi-Fi spectrum analyzer on TI’s ez430-RF2500 development kit ($50), a 2-part USB dongle which consists essentially of a CC2500 radio strapped to an MSP430 low-power microcontroller (detachable bottom half) and a USB interface which enumerates as a virtual serial port (top half). The top half doubles as a standalone MSP430 programmer, so this kit is a great cheap way to get started playing with them. (via joshua on Delicious)
  2. Screenr -- Instant screencasts for Twitter. Flash-based, uploads to their site and tweets the URL. The whole "for Twitter" thing is going a little too far: who records screencasts only for Twitter? It's like having a spellchecker only for three-letter words.
  3. Social Network Analysis in R -- video and slides for talk on doing social network analysis with R.
  4. We're Keeping the Term Extraction Service -- Yahoo!'s useful API gets a stay of execution. OK, we heard you. You’ve made it clear to us that shutting down the Term Extraction Service would be a mistake. So, we’ve changed our plans. We're leaving the service up and running indefinitely. (via Simon Willison)

tags: diy, language, math, r, security, sensors, social graph, yahoo | comments: 1

Tue, Aug 18, 2009

Nat Torkington

Four short links: 18 August 2009

iPhone App Backstory, Cookie Resurrection, The Entrepreneuralism Lickmus test, and An Interesting Database

by Nat Torkington (@gnat) | comments: 2

  1. The Making of the NPR News iPhone App -- interesting behind-the-scenes look, with sketches and all. Station streams, however, presented a larger challenge. To begin with, NPR didn't have direct stream links for any of its stations, so we built a Web spider that identified and captured more than 300 iPhone-compatible station streams. After that first pass, we worked with our station representatives to manually test each stream. In the process they found enough new streams to double our database. All of these streams are delivered to the app from NPR's Station Finder API. (via mattb on Twitter)
  2. You Deleted Your Cookies? Think Again (Wired) -- Flash keeps its own cookies, which are harder to delete. Several services even use the surreptitious data storage to reinstate traditional cookies that a user deleted, which is called ‘re-spawning’ in homage to video games where zombies come back to life even after being “killed,” the report found. So even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.” (via Simon Willison)
  3. Would You Lick It? (Rowan Simpson) -- clever example of what it takes to be an entrepreneur.
  4. FluidDB -- a shared "in the cloud" database built around tags: an object is a container for a set of tags which are name:value pairs, tag names have simple namespaces (e.g., "gnat/review" is the "review" tag in my namespace), all objects are world readable and writable but there are ACLs for tags, values can be any type (string, number, URL, Excel spreadsheet), and there's a simple query language. I'm curious to see what applications spring up around shared data. They're in limited alpha, controlling the # of users, so register now to play before everyone else.

tags: big data, databases, design, flash, iphone app, news, npr, privacy, security, startups | comments: 2

Fri, Aug 7, 2009

Nat Torkington

Four short links: 7 August 2009

Recovery.gov, Meme tracking, RFID Scans, Open Source Search Engines

by Nat Torkington (@gnat) | comments: 1

  1. Defragging the Stimulus -- each [recovery] site has its own silo of data, and no site is complete. What we need is a unified point of access to all sources of information: firsthand reports from Recovery.gov and state portals, commentary from StimulusWatch and MetaCarta, and more. Suggests that Recovery.gov should be the hub for this presently-decentralised pile of recovery data.
  2. Memetracker -- site accompanying the research written up by the New York Times as Researchers at Cornell, using powerful computers and clever algorithms, studied the news cycle by looking for repeated phrases and tracking their appearances on 1.6 million mainstream media sites and blogs [...] For the most part, the traditional news outlets lead and the blogs follow, typically by 2.5 hours [...] a relative handful of blog sites are the quickest to pick up on things that later gain wide attention on the Web. Confirming that blogs and traditional media have a symbiotic relationship, not a parasitic one. (via Stats article in NY Times)
  3. Feds at DefCon Alarmed After RFIDs Scanned (Wired) -- RFID badges make for convenient security, and for convenient attack. Black hats can read your security cards from 2 or 3 feet away, and few in government are aware of the attack vector. To help prevent surreptitious readers from siphoning RFID data, a company named DIFRWear was doing brisk business at DefCon selling leather Faraday-shielded wallets and passport holders lined with material that prevents readers from sniffing RFID chips in proximity cards.
  4. A Comparison of Open Source Search Engines and Indexing Twitter -- Detailed write-up of the open source search options and how they stack up on a pile of Tweets. While researching for the Software section, I was quite surprised by the number of open source vertical search solutions I found: Lucene (Nutch, Solr, Hounder), Sphinx, zettair, Terrier, Galago, Minnion, MG4J, Wumpus, RDBMS (mysql, sqlite), Indri, Xapian, grep … And I was even more surprised by the lack of comparisons between these solutions. Many of these platforms advertise their performance benchmarks, but they are in isolation, use different data sets, and seem to be more focused on speed as opposed to say relevance. (via joshua on Delicious)

tags: big data, gov2.0, meme wars, open source, privacy, rfid, search, security, transparency, twitter, visualization | comments: 1

Thu, Aug 6, 2009

Jesse Robbins

John Adams on Fixing Twitter: Improving the Performance and Scalability of the World's Most Popular Micro-blogging Site

by Jesse Robbins (@jesserobbins) | comments: 2

Twitter is suffering outages today as they fend off a Denial of Service attack, and so I thought it would be helpful to post John Adams’ exceptional Velocity session about Operations at Twitter.

Good luck today John & team… I know it’s going to be a long day!

Update: Apparently Facebook & Livejournal have had similar attacks today. Rich Miller from Data Center Knowledge reminds us that this is just the latest in a series of major attacks.

tags: attacks, critical infrastructure, infrastructure, operations, performance, security, twitter, velocity, velocity09, velocityconf, video, web2.0, webops | comments: 2

Tue, Jul 21, 2009

Nat Torkington

Four short links: 21 July 2009

Semweb, Comedy Java, Mobile Spyware, Crypto

by Nat Torkington (@gnat) | comments: 0

  1. On Data Reconciliation Strategies and Their Impact on the Web of Data -- For years, I’ve been a fairly vocal advocate for the elegance and scalability of a-posteriori reconciliation via equivalence mappings as a superior mechanism (scale-wise) to a-priori reconciliation efforts… but this started to change very rapidly once I started working for Metaweb and saw first hand how much more effective a-priori reconciliation can be, even if drastically more expensive and limiting in the data acquisition front. (via straup on Delicious)
  2. Java Spring's Biggus Dickus Effect -- Nonstop administrative debris as dadaist poetry. Écriture automatique of the programming office manager or his parrot. (via mattb on Delicious)
  3. Arabic Blackberry Spyware -- an update pushed out to Arabic Blackberries CC:ed all email to the authorities. A powerful case for multi-distro platforms, which reduce the size of the market captured when one distro is pwned like this.
  4. NaCl - Networking and Cryptography Library -- open source high-level crypto library. NaCl (pronounced "salt") is a new easy-to-use high-speed software library for network communication, encryption, decryption, signatures, etc. NaCl's goal is to provide all of the core operations needed to build higher-level cryptographic tools. Of course, other libraries already exist for these core operations. NaCl advances the state of the art by improving security, by improving usability, and by improving speed. Creator of qmail is one of the developers. (via Simon Willison)

tags: big data, cryptography, mobile, opensource, security, semantic web | comments: 0

Fri, Jun 19, 2009

Timothy M. O'Brien

Dramatic Increase in Number of Tor Clients from Iran: Interview with Tor Project and the EFF

by Timothy M. O'Brien | comments: 2

You may also download this file. Running time: 00:06:15

Anonymous proxies are in the news this week as Iranians are using proxies outside of Iran to communicate information about ongoing protests to others within the country. I've received several queries this week from non-technical colleagues about proxy servers. Is it legal to run a proxy server? Does running a proxy server violate my agreement with my broadband provider? I decided to track down some experts and get some perspective on different proxy servers and the laws surrounding them. In this entry, I speak with Andrew Lewman, the Executive Director of the Tor Project, about Tor, and I also get some legal guidance from Peter Eckersley of the Electronic Frontier Foundation.

In this interview I ask Andrew to briefly introduce Tor and talk about some interesting usage statistics that show adoption of this anti-surveillance technology from within Iran. He answers a question about whether Tor is "unstoppable" and comments on the legality of running a Tor node. For the full interview, listen here.

The Tor Project

First, what is Tor? From The Tor Project:

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

When you run a Tor node, you are adding another node to a grid of computers that are used to establish random encrypted paths between each node to satisfy any given request. Law enforcement, military agencies, intelligence networks, journalists, and dissidents frequently use Tor to bypass restrictions and avoid surveillance. Andrew Lewman, Tor's Executive Director, wanted to be very clear that the Tor Project itself does not take positions on conflicts, and does not involve itself in resisting oppressive regimes. In response to a question about traffic from Iran, Andrew Lewman produced the following data:

New client connections from within Iran have increased nearly 10x over the past 5 days. Overall, Tor client usage seems to have increased 3x over the past 5 days. There are a lot of rough numbers in these statements, and they are very conservative. However, the source data we're reviewing continues to show these results.

For more information, see Andrew's blog post from last night: "Measuring Tor and Iran". Here's a graph from Andrew Lewman of Tor client count over the past few days; it appears that Tor is becoming an increasingly popular way for people in Iran to use the network to avoid surveillance.

[Graph: new Tor clients from Iranian IP space]

But is it legal? The Legality of Running a Proxy Server

Peter Eckersley, Staff Technologist at the EFF, took some time to answer some very simple questions about EULAs, Tor, and the legality of running a proxy server.

Q: Various broadband providers state in EULAs that a customer must secure the equipment used to provide access to the Internet. What is the position of the EFF with regard to the legality of these EULAs? Are people breaking the law by providing an open access router?

Peter Eckersley: It's impossible to comment on broadband EULAs in general; each of them has different specific language and ISPs deploy them in different ways. We aren't aware of any case in which a broadband subscriber was sued for running an open wireless router, a proxy, or similar technology for sharing their connection with others.

Q: The last update to the Tor FAQ from the EFF on the Tor site was from 2005. Have there been any developments with the EFF in relation to Tor? Since 2005 is there more clarity as to the legality of running an Exit Node in a Tor network?

Peter Eckersley: The EFF Tor FAQ still reflects our opinions about the legality of Tor. It hasn't changed since 2005 because there haven't been any published cases or other events that have changed our views.

Q: What advice would the EFF have for anyone new to setting up a proxy server this week (as many have done to support protestors in Iran)? Is it legal? What issues do people need to be aware of?

Peter Eckersley: EFF's advice at this point is that people should consider setting up Tor bridge nodes or Tor routers instead of proxy servers. Several thousand new proxy servers have appeared in the past week, but we fear that unencrypted proxies leave Iranians vulnerable to surveillance and continued censorship by the Iranian government. SSL encrypted proxies are better in this respect, but they are harder to set up than Tor routers, and there are some reports that the Iranian government has succeeded in blocking access to at least some encrypted proxies.

Fixed Typo @ 3:23 PM Central Saturday: One of my questions for the EFF had a rather important typo - I had typed Iraq instead of Iran. Fixed.

tags: encryption, government, privacy, security | comments: 2

Wed, Jun 17, 2009

Nat Torkington

Four short links: 17 June 2009

Word Mining, Open Ideas, Power Meter BotNet, and Realtime Web Traffic Tracking

by Nat Torkington (@gnat) | comments: 0

  1. NY Times Mines Its Data To Identify Words That Readers Find Abstruse -- the feature that lets you highlight a word on a NY Times web page and get more information about it is something that irritates me. I'm fascinated by the analysis of their data: boggling that sumptuary is less perplexing than solipsistic. Louche (#3 on the list) has been my favourite word for two years, by the way, since I heard Dylan Moran toss it out in that uniquely facile way the Irish have with words. I think Irish citizens get this incredible competence with the English language for free, along with staggering house prices and beer you can walk on.
  2. Open Ideas -- Alex Payne's blog of Concepts in the public domain, awaiting collaboration and appropriation.
  3. Buggy 'smart meters' open door to power-grid botnet (The Register) -- Paul Graham said that we've found what we get when we cross a television with a computer: a computer. Similarly, intelligent power meters are computers, computers that apparently haven't been well-secured. To prove his point, Davis and his IOActive colleagues designed a worm that self-propagates across a large number of one manufacturer's smart meters. Once infected, the device is under the control of the malware developers in much the way infected PCs are under the spell of bot herders. Attackers can then send instructions that cause its software to turn power on or off and reveal power usage or sensitive system configuration settings.
  4. Chartbeat -- the sexiest web analytics ever. It gives realtime count of users, whether they're reading or writing (based on whether focus is in a form element), where they're from, mentions on Twitter, and more and more and more. This is a different form of analytics than Google Analytics, which tells you trends and historical access. Love this for the pure sex appeal of a heads-up dashboard that can tell you exactly how many people are on your site and exactly what they're doing. (via Artur)

tags: analytics, crowdsourcing, data, energy, innovation, lazyweb, mining, security | comments: 0

Wed, Jun 10, 2009

James Turner

John Viega Talks About Beautiful Security

by James Turner | comments: 1

John Viega is the co-editor of Beautiful Security, the latest in O'Reilly's "Beautiful" series. He recently talked to me a bit about what makes security beautiful, and what demands modern security problems place on end users and administrators.

James Turner: With Beautiful Code and Beautiful Data, you can think about code or data that's elegant or has a simplicity to it. When you think about security, you tend to think about diligence and slogging and going through logs and not things you would associate with being beautiful. How do you make security beautiful?

John Viega: The idea behind Beautiful Security was that -- you're right, security is not beautiful in the same way that code is. It's often a lot of grunt work, and it's just very challenging to build a good system, not necessarily fun. Although, there are a lot of people who do enjoy it. The idea behind Beautiful Security is more that it's beautiful when you can actually provide somebody an experience that's both secure and easy to use.

James Turner: To some extent, isn't that, in most organizations, diametrically opposed in that the more secure things get, the more you start hearing, "Oh, we can't do that because we can't open that port up or whatever"? And, in my experience, the more of one you get, the less of the other you get.

John Viega: It's usually the case that as you add more security, the usability goes away or as you add more usability, the security goes away. But it doesn't have to be that way. With a well designed system, often you can make it both easy to use and more secure at the same time. And there are certainly examples of that in Beautiful Security, the book. Things like password systems, for instance. If you do them very well, you can make something that's more easy to use and more secure than a traditional password system.

James Turner: When you think about security, there's different layers depending on your level of savviness and the needs you have. If we could just take a couple of minutes to address the various levels. Let's start at the lowest level. For Joe Blow, home user with cable or a fiber or a DSL line, has it gotten to the point where they have no way of realistically knowing if they're secure or not?

John Viega: For the home user, I think the security industry does a disservice about making things seem a lot worse than they really are. The security industry sells fear, uncertainty and doubt. Pretty recently, it was revealed that Symantec had been giving gross overestimations of the number of people infected by Conficker, I think. The average home user, as long as they are not doing anything dangerous that leaves them prone to social engineering or out in a very hostile environment like potentially a conference, they're usually okay. So on your home network, you're behind a NATing firewall usually. So there's really little threat from the outside world, except what the user browses to. And then there are tools like Site Advisor that can help make the browsing experience a lot more safe as well.

tags: book related, home users, security

Mon, Jun 1, 2009

Jeff Carr

Loki's Net

The National Security Risks of Gov 2.0 and the Social Web

by Jeff Carr

Every culture has its Trickster myths because Trickster lives on the edge of what the rest of us perceive as "real." He crosses boundaries so often and with such ease, not to mention panache, that our own boundaries expand because of him. Trickster is “the doorway leading out, the spirit of the road at dusk” (Lewis Hyde) that doesn't belong to any town but is in-between all towns; the province of thieves and spies.

Here's an updated version of an old Trickster tale that I think is particularly relevant to the topic of this post--the national security risks associated with a more open Government in general and social software in particular.

Loki, the Norse God of mischief and mayhem, had taken to the mountains for refuge after angering the other Gods with his latest antics. The first thing he did was build a house with four doors; one on every side so that he could see in all directions. With his Intrusion Detection System in place, Loki spent the rest of his time playing in the water as a salmon, leaping waterfalls and negotiating mountain streams.

One morning, Loki sat by a fire and considered how the gods might capture him. Since he spent much of his time as a fish, Loki grabbed some linen string and fashioned a fishing net of a size and weight sufficient to snare him. Unfortunately, just as he finished, the other Gods rushed in. Loki threw the net into the fire, transformed into a salmon, and swam away. Acting quickly, the Gods extracted the ashes of the net from the fire and, from the remnants, rebuilt Loki’s net, eventually ensnaring him in it.

Like Loki, we construct through our Twitter posts, Facebook Wall entries and LinkedIn profiles our own unique “net” that sets us up for a social engineering exploit, a financial crime, or an act of espionage.

The Trickster archetype aptly frames this discussion about the risks and benefits of bringing Government into a Web 2.0 world because the classic Trickster is neither good nor bad, but encompasses elements of both. Too often, the debate surrounding Gov 2.0 becomes polarizing. Critics are frequently grouped together as Gov 1.0 thinkers struggling against a 2.0 world, while advocates sometimes embrace Gov 2.0 as a holy quest, refusing to acknowledge any significant risks whatsoever.

I cannot emphasize enough that the surest way to slow our progress toward a more technologically open Government is to try to craft this debate in dualistic terms. Indigenous Trickster tales teach us that a more valuable approach is to substitute utility for morality. Loki and Coyote (a famous Trickster in Native American lore) both understand how to trap a fish because they have swum as fish. Hyde writes in his book Trickster Makes This World that “nothing counters cunning like more cunning. Coyote's wits are sharp precisely because he has met other wits.”

There are serious and significant risks associated with Government 2.0 and the use of Social Software from a national security perspective that need to be talked about and addressed. It is a topic that is both complex and far-ranging and deserves much more coverage than I can provide in this post, although I hope to at least start the conversation at a new and edgier level. To give some perspective to the problem, there are 22,000,000 employed by the U.S. government, not counting government contractors. That fact alone makes Gov 2.0 a very significant technological evolution.

There is ample evidence that state and non-state actors are engaged in finding ways to exploit vulnerabilities in the U.S.'s critical infrastructure as well as the Department of Defense's secure (SIPRNET) and non-secure (NIPRNET) networks. Many of these attacks have been well-documented by Inspectors General (IG) and Government Accountability Office (GAO) investigations as well as through Congressional committee testimony by experts. One of the easiest ways for an attacker to gain access to those protected networks is not through the firewall, but through the user. In any secure system, the human element is always the weakest link. As Tim Thomas wrote in his excellent "Cyber-Skepticism" article for IO Sphere, the mind has no firewall but skepticism. The attack vector that best takes advantage of that vulnerability is known as social engineering.

Do you recall how Matthew Broderick's character cracked the password for the DOD computer Joshua in the 1983 movie “War Games?" He studied details about the life of its creator. That's the same strategy that David Kernell used when he allegedly hacked into Governor Palin's Yahoo account, except he had the benefit of a Web 2.0 invention known as Wikipedia.

How did the individuals behind the GhostNet espionage ring manage to entice so many people (1300 computers in 103 countries) to open an infected document which loaded a Chinese trojan named ghostRAT onto their system? They crafted an enticing email and document that was tailor-made for their audience -- supporters and/or employees of the Office of His Holiness the Dalai Lama. It was such an effective social engineering campaign that 30% of the infected computers were in sensitive government offices. And to make matters worse, most anti-virus programs failed to identify the Trojan.

In Cyber Warfare terms, these types of hacks are a part of Computer Network Operations (CNO) known as Computer Network Exploitation (CNE). Today, over 130 countries are developing a cyber warfare capability with CNE as one component.

Social media like Twitter, Facebook, MySpace, LinkedIn, GovLoop, and many others are very attractive venues for CNE by our adversaries because they are easily accessible, target-rich environments that can be exploited with little to no risk under cover of anonymity.

According to a recent study conducted for one of the U.S. Armed Services, 60% of the service members involved in the study have posted enough information on MySpace to make themselves vulnerable to adversary targeting. And these weren’t only young recruits making bad Operations Security (OPSEC) decisions. The 60% group included officers and enlisted troops from Intelligence and Security postings as well as other sensitive positions posting such things as units they have deployed with, new duty stations, personal medical data, job duties, information about training, and pictures of themselves at deployed locations.

In their paper "Social Software and National Security," Mark Drapeau and Linton Wells discuss the use of Twitter by Colleen Graffy, formerly Deputy Assistant Secretary of State for Public Diplomacy, to "impress her personality and message on foreign media prior to arriving in their countries, and after leaving." As the authors point out, there are positives and negatives to Graffy's method of using Twitter. One of the negatives that they do not address is that Graffy's Twitter usage can become a vector for a non-state hacker to exploit with a @colleen_graffy tweet containing a malicious link disguised as a tiny URL. All of a sudden, Graffy's public diplomacy 2.0 effort could result in a State Department computer becoming a zombie.

The Open APIs on Twitter and Facebook provide a virtually unlimited resource for building target profiles on employees of sensitive government agencies like the Departments of Defense, State, Justice, Energy, Transportation, and Homeland Security. The Twitter stream, for example, adds a timeline for tracking when you’re at work, where you’re going after work, and what you are doing right now.

Another risk category is disinformation. Twitter received a lot of coverage during the Mumbai terror attacks of November, 2008 for its role in covering the events in real time. Part of what emerged was the potential for terrorists to use Twitter to propagate disinformation about their whereabouts; i.e., to announce a new attack occurring at a wrong address, thus adding chaos and confusion to an already chaotic situation.

Finally, there is the phenomenon of online trust. If you work in a targeted industry, you will be approached, sooner or later, by someone who isn’t who she claims to be for the purpose of gaining and exploiting your trust to further her own nation’s intelligence mission. One of the quickest ways to establish trust online is by finding things you both hold in common. Both Twitter and Facebook postings excel at that discovery effort.

How do you mitigate the risks while enjoying the benefits of Gov 2.0 and the social web? You do it by thinking like your opponent; or like the Trickster. Read your post twice before you hit send; once as you and once as your adversary who is looking to exploit you. If you work for the DOD or a government contractor, start by re-reading your employer's OPSEC guidelines and edit your profile and your posts accordingly. If your office hasn’t created any OPSEC guidelines for social media yet, please let me know. My company GreyLogic is creating training for precisely that purpose. In the meantime, here are five things that you can do right now to reduce your risk profile:

1. Involve your family members. They should understand that by virtue of your employment with a department, agency, or service, their posts are prime fodder for CNE. You can start by having them read this article.

2. Make OPSEC fun by making a game of it. For example, trade Twitter or Facebook aliases among your coworkers and see how much information you can learn about each other by using publicly available search tools. Then draft two or three email topics that would entice that person to take your bait if you were an adversary running a Spear Phishing operation. I promise that you’ll be amazed at the results. In fact, you should do this same exercise with your family members.

3. Be more skeptical about anyone who contacts you as a result of your posting on a social network. See if you can find their Internet footprint by searching on their name and email address. An alias with no Internet history should immediately raise a red flag.

4. Anyone can start a DOJ, DHS, DOE or other government agency community on Ning, LiveJournal, Facebook, etc. Don’t affiliate yourself with any community that you don’t know for sure is an officially sponsored and sanctioned one. Talk about shooting fish in a barrel.

5. Facebook recently reported that 70% of its traffic comes from overseas. Become more cautious about who you friend and who is privy to reading your posts.

In myth, like in life, the Trickster relies on the instincts and appetites of his prey to spring his trap. For those of us in Government or affiliated with Government, we would do well to remember that as we engage with Gov 2.0 on the social web.

tags: cyber warfare, gov 2.0, security, social software

Thu, May 28, 2009

Nat Torkington

Four short links: 28 May 2009

Mobile Viruses, Open Data, Twitter Bookmarks, Sexy Geek Skills

by Nat Torkington (@gnat)

  1. Viral Epidemics Poised to go Mobile -- Albert-Laszlo Barabasi (author of Linked: How Everything Is Connected To Everything Else) modelled mobile phone virus epidemiology for NSF and concluded that (in accordance with experience) no single OS has critical mass for viruses to break out. I wonder: will Android or iPhone reach that point first? (via ACM TechNews)
  2. Socrata -- formerly "Blist", the first of what will undoubtedly be many startups "refocusing" in an attempt to profit from the new US administration's fondness for Web 2.0. The business model, however, is "we'll offer your data to citizens in a useful form" and it seems to me that this is a responsibility that Government should embrace rather than outsource. (via Jesse)
  3. Tag This -- tweet @tagthis with a link and keywords to post the link as a bookmark in your Delicious/Magnolia account.
  4. Three Sexy Skills of Geeks -- statistics, data munging, and visualization. I'm reading Visualizing Data right now and expect the universe to bury me in bootie before the day is out. "Processing: it's cheaper than couple's therapy and you can post pictures of it on the Internet without being fired." (via mattb on Twitter)

tags: delicious, gov2.0, government, mobile, open data, security, statistics, twitter, visualization

Fri, May 22, 2009

Nat Torkington

Four short links: 22 May 2009

Villainous Javascript, Funding the Arts, Peak Web, and Crowdsourced Quality Control at a Museum

by Nat Torkington (@gnat)

  1. Hiding Dirty Deeds: "Encrypted" Client-Side Code -- obfuscated Javascript from a Facebook phishing site, deconstructed and reconstructed, parsed and glossed for understanding. It reminds me of the best obfuscated Perl: Latin, string substitution, runtime and compile-time semantics ... a work of evil art. (via waxy)
  2. Kickstarter -- artistic commercial version of PledgeBank. You say "I want to do [X] by Y and it takes $Z" and people can donate to your goal. (via waxpancake on Twitter)
  3. Peak Web (Chris Heathcote) -- My biggest problem is that people always perceive the near-past, present and near-future as having the most technological change, and the speed of decline of the old new media feels wrong. I am, however, thinking that there’s something true in one reading of the graph: we may be at or past Peak Web.
  4. Crowdsourcing the Cleanup with Freeze Tag -- The Awe-Worthy Brooklyn Museum, like all cultural institutions, has more objects than it can add metadata to. They let users provide metadata through tagging, but all crowdsourcing projects permit vandals. Their solution: crowdsource the cleanup. My only question is whether this will become a game between vandals and janitors. Brooklyn Museum is noteworthy for their insanely great use of the web; check them out, and please support them if you like what you see.
[Image: warning sign of peak web, showing a Twitter URL in big letters and Facebook in small ones]

tags: crowdsourcing, culture, javascript, money, programming, security, web

Fri, May 8, 2009

Ben Lorica

Up Close with an Enigma

by Ben Lorica (@dliman)

At last month's RSA conference in San Francisco, I stumbled upon a vintage 1944 model of the German cryptographic machine, popularly known as the Enigma. This particular machine was owned by the National Cryptologic Museum, and was part of a larger booth hosted by the National Security Agency. The staff at the exhibit were quite friendly and it didn't take much to convince someone from the NSA to talk on-camera about the Enigma. (I did decide to submit the video to the NSA public affairs office for final review.) Reading through the accompanying historical pamphlet and listening to NSA staffers, I developed a better appreciation for the contributions made by Polish authorities (and mathematicians) towards breaking what was then the most important cryptographic machine in the world.

Also from RSA 2009:

  • Making Mashups Safe(r) with MashSSL: Of the ten presentations at the inaugural RSA Innovation Sandbox, I thought the most intriguing technology came from SafeMashups (a startup out of UT San Antonio). They use SSL certificates and handshakes as the foundation for a scalable trust infrastructure.
tags: history, mashup, oauth, security

Wed, Apr 29, 2009

Nat Torkington

Four short links: 29 Apr 2009

4chan, urban redesign, 3d printing, python

by Nat Torkington (@gnat)
  1. Moot Wins, Time Inc. Loses -- summary of how the 4chan group Anonymous rigged the voting in Time's 100 Most Influential poll to not just put their man at the top, but also spell an in-joke with the initial letters of the first 21 people. Time tried weakly to prevent the vote-rigging, and ReCAPTCHA gave the Internet scallywags their biggest setback, but check out how they automated as much as possible so that human effort was targeted most effectively. It's the same mindset that built Google's project management, ops, and dev systems. Notice how they tried to game ReCAPTCHA, a collective intelligence app whose users train the system to read OCRed words, by essentially outvoting genuine users so that every word was read as "penis". Collective intelligence should never be the only security/discovery/etc. feature because such apps are often vulnerable to coordinated action.
  2. The old mint in downtown SF painted by 7 perfectly mapped HD projectors -- looks absolutely spectacular. I love the combination of permanent and fleeting, architecture and infotexture. (via BoingBoing)
  3. 3-D Printing Hits Rock-bottom Prices With Homemade Ceramics Mix (Science Daily) -- University of Washington researchers invent, and give away, a new 3D printer supply mix that costs under a dollar a pound (versus current commercial mixes of $30-50/pound).
  4. Haystack and Whoosh Notes (Richard Crowley) -- notes on installing the search framework Haystack and the search back-end Whoosh, both pure Python. It's a quick get-up-and-go so you can add quite sophisticated search to your Django apps. (via Simon Willison)

tags: 3d printing, architecture, collective intelligence, programming, python, search, security

Wed, Apr 22, 2009

Jeff Carr

Building Bridges with the U.S. Intelligence Community

by Jeff Carr

Guest blogger Jeffrey Carr is a cyber intelligence expert, Principal of GreyLogic, columnist for Symantec's Security Focus, and author who specializes in the investigation of cyber attacks against governments and infrastructures by State and Non-State hackers. Jeff is the Principal Investigator for Project Grey Goose, an Open Source intelligence investigation into the Russian cyber attacks on Georgia in August, 2008.

About three weeks before the start of the Russia-Georgia war last August, the Office of the Director of National Intelligence issued a directive entitled "Analytic Outreach". In it, DNI McConnell authorized members of the 16 agencies that comprise the U.S. Intelligence Community (IC) to reach out to people outside the IC, "to explore ideas and alternate perspectives, gain new insights, generate new knowledge, or obtain new information."

As someone who writes about Intelligence and National Security matters, particularly in the area of Cyber Warfare, this Directive was pretty inspiring to me. I had long held the opinion that Web technologists and researchers had an important role to play in Government. Unfortunately, I had no way of communicating that vision to anyone who mattered so I just decided to act on my own and launched an Open Source Intelligence gathering effort called Project Grey Goose, which brought together an eclectic mix of hackers, spooks, and techies from inside and outside the Intelligence Community.

Imagine how happy I was six months later to hear about a formalized and much easier way to bring outside expertise into the IC thanks to the dedicated efforts of a few intelligence professionals and the Deputy Director of National Intelligence for Analysis. Appropriately enough, this project is named BRIDGE.

According to its creator, Dan Doney, BRIDGE hopes to do for Public-Private collaboration what the iPhone Apps Store has done for the iPhone and its customers--produce a mind-boggling explosion of innovative applications for use by the Intelligence Community. We aren't at the mind-boggling stage yet because BRIDGE is still in its infancy, but there are some pretty cool apps which I'll describe in a moment.

In addition to being a development sandbox, BRIDGE also allows intelligence analysts to interact with outside experts whether they be in industry, academia, or other government agencies at the Federal, State, Local or Tribal level. Alternative analysis has long been a recommended approach to avoid myopic thinking by specialists. BRIDGE provides a platform for debating alternative viewpoints and comparing evidence across agencies, specialties, and borders of all kinds.

tags: gov2.0, security, web 2.0