Blockchain, Cryptocurrency, Consensus tokens, Russia and AMS systems

tendenci cloud security monitoring

The headline is ridiculous. But I couldn’t make this up in my wildest dreams. Yes, cryptocurrency, blockchain, and association management systems (AMS) are all interconnected. And the primary connection is Russia.

Stay with me for a second, get a cup of coffee, and read on.

First, cryptocurrency isn’t one thing. It’s two parts. I try to explain cryptocurrency like this:

  1. BlockChain = Clipboard with a piece of paper. You check stuff in and out until you are out of paper. Some clipboards have more sheets of paper than others.
  2. Scarcity – Scarce object = some mathematically difficult to produce number. Or controlled by an authority like the Private Federal Reserve in the US.

Picture a clipboard. And you are checking in and out some token. That token only has value if it delivers value. And the best way to determine that is really a classic economics popularity contest.

Note: This author does a GREAT job of explaining consensus capital: https://medium.com/@tompocock/consensus-capital-part-1-dff72ba39a63

These are not tulips. Blockchain is a tech that will disrupt everything from how we do a turnaround at the olefins units at LyondellBasell, to how BP manages wind farms, to how Carfax will be disrupted by a VIN blockchain startup.

What does this have to do with Association Management Systems?

Believe it or not, they are intertwined. So be careful in your selection of crypto for smart contracts. I’d recommend looking at Hyperledger ( https://www.hyperledger.org/ ) as an alternative to Ethereum, the project of Dmitry Buterin and his son Vitalik that is now backed by a Russian bank. ( https://futurism.com/ethereums-founder-struck-a-deal-with-a-russian-bank-to-create-ethereum-russia/ )

Not everyone, even in the crypto community, is fond of Ethereum and the Russian-owned AMS Wild Apricot, now Personify. ( https://medium.com/@rateico_32282/how-much-would-you-sell-your-homeland-the-secret-of-ethereums-success-748f0b763c62 )


If you can’t access the code, self host if you want, and export ALL of your data when you want, well, why not? Why does anyone in the NonProfit / NPO / NGO / Association Management space tolerate that in 2018? It is 2018, right?

If you signed up with a company where the deal was “too good to be true”…. um…. ya, think that one through again. They have to pay people, so they are either funded by someone, or they are selling your data.

YOU are part of the problem with InfoWars and Propaganda in the US. (is that too blunt? Nope.) For example: Wild Apricot / Personify.

Wild Apricot, Russia, AMS
25% of American Constituents in Russian Backed Wild Apricot

Ethereum is at least open source ( https://github.com/ethereum ) so you can view the code. With the exception of Tendenci ( https://www.tendenci.com ) and CiviCRM ( https://civicrm.org/ ), most AMS vendors aren’t open, not even ones created and financed by Russia and the Chief Apricot ( https://www.linkedin.com/in/chiefapricot/ ), who is also, coincidentally, the father of Vitalik himself ( https://twitter.com/VitalikButerin ).

On the plus side, after years of joking about it, for once we can legitimately blame Canada and their dual-citizenships.

We’re building a wall with Mexico and allowing Russian companies’ interests to mine uranium ( https://www.csmonitor.com/USA/Politics/2017/1114/What-s-the-real-story-behind-Hillary-Clinton-Russia-and-uranium ) in the US, and Russian programmers to control 25% (according to the Personify web site https://personifycorp.com/ ) of US constituents like Washington’s League of Women Voters ( https://leagueofwomenvotersofwashington.wildapricot.org/issues ).

And then we act surprised that Russia is meddling in our elections and knows how to target voters. Baroo?

These are strange times. But yes, Canada? I’m looking at YOU!

And as a reminder, as if y’all needed me to state this again, but we strongly encourage you to use an OPEN SOURCE solution with transparency. If it’s Tendenci, WordPress, Drupal, CiviCRM, Joomla,

Just please stand up for what’s right.

Demand access and transparency.

Tendenci is a movement.

Tendenci is a community committed to open association technology.

Global. Multilingual. Collaborative. Positive. Respectful of your privacy and functional at the level you would expect from a product approaching 20 years old.

Associations are Powerful – and therefore Targets for Hackers

Associations are very powerful, particularly in America.

Think about it. Your doctor is approved by the American Medical Association. Your attorney is approved by the American Bar Association. Your accountant is approved by the American Association of CPAs (certified public accountants). A person’s license/certifications may be “recognized” by the government, but ultimately it is a group of peers that forms the association.

Americans of all ages, all stations of life, and all types of disposition are forever forming associations… In democratic countries knowledge of how to combine is the mother of all other forms of knowledge; on its progress depends that of all the others.

– Alexis de Tocqueville – Book Two, Chapter V. (source)

This may sound philosophical, and we’ve blogged about this before, but it’s important for associations to remember just how much power they have. And with power comes great responsibility.

YOUR ASSOCIATION IS A HACKER TARGET

Why? Because it’s logical.

If you were a dictator in a country that had sanctions against it, I dunno, maybe they didn’t allow US Companies to help you drill for your oil reserves and you lacked the technology to do it yourself, wouldn’t it make sense to go after an association of accomplished professionals in that area?

St. Petersburg IP Address Alerts
Security alerts with IP addresses (listed as) St. Petersburg targeting associations. NOTE: IP addresses are easy to fake, so this could be a false positive.

It sounds horrible, but it is logical in a Machiavellian kind of way.

A story for y’all. I was talking to a client who had a Tendenci Open Source AMS site for a group of students at universities in the liberal arts. He said, “nobody is going after English majors”.

“Oh really?” I asked.

Then I asked if any of his students attended X University (really, I could have picked any university). He said “yes.” I pointed out that the same university also has extensive chemistry, energy and engineering programs that do cutting-edge work.

My point was if you can do spear phishing on a student to get closer to an Engineering Professor with expertise in Directional Drilling, wouldn’t Russia be interested in that? Would North Korea be interested in obtaining information on the latest tech in chemistry? Of course they would.

Those countries might not even be doing the hack attempt directly. But an entrepreneurial hacker knows there is a market for that data. Would Russia buy it? Yes. Would the US buy it? Yes.

My point was simply that if you can infect the computer or phone of one student, any student, then you can get into the network. And then move laterally. You are in.

Again – to the POWER of ASSOCIATIONS:

Americans combine to give fêtes, found seminaries, build churches, distribute books, and send missionaries to the antipodes. Hospitals, prisons, and schools take shape in that way. Finally, if they want to proclaim a truth or propagate some feeling by the encouragement of a great example, they form an association. In every case, at the head of any new undertaking, where in France you would find the government or in England some territorial magnate, in the United States you are sure to find an association. I have come across several types of association in America of which, I confess, I had not previously the slightest conception, and I have often admired the extreme skill they show in proposing a common object for the exertions of very many and in inducing them voluntarily to pursue it.

– Alexis de Tocqueville – Book Two, Chapter V. (source)

This is not meant to scare users of any association management software. It is pointing out facts and hopefully increasing awareness among NGO technology professionals, association executives, association leadership and in fact (hopefully) the whole country that this is a serious vulnerability if it is not addressed seriously.

ALERT: Fruitfly/Quimitchin malware for Mac in the Wild

darkreading malware for mac article

Mac users, particularly in academia or the biomedical field: be aware of the Fruitfly/Quimitchin malware. It includes a keystroke logger, accesses your camera, takes frequent screenshots of your desktop which are then uploaded, and more. What to do:

  1. Learn about Quimitchin malware at https://www.darkreading.com/partner-perspectives/malwarebytes/meet-fruitfly–mac-malware-targeting-biomedical-research-centers/a/d-id/1327953
  2. Put a sticker over your camera when not in use. I am a member of the EFF and put one of their stickers over my camera.
  3. Install an antivirus like Avira Antivirus for Mac (only from official site or app store). If you can afford it, support them by buying their products.
  4. Install Malwarebytes or a similar anti-malware program (only from official site or app store)
  5. Use different passwords on different sites. Variations on a password like “Smoking Chair Hat5!” are far better than “zds9bhy4@”. It’s just statistics: you won’t use the second one because you can’t remember it. Just change the first one a bit for each site. Password crackers can’t “partially” crack a password. Plus we use rainbow tables anyway.
    1. Remember, if you have a keystroke logger installed, then how complex your password is, well, irrelevant. Therefore first clean the computer. Don’t think Macs or Linux can’t be infected – they can and frequently ARE.
  6. Use common sense and DON’T CLICK THAT LINK IN YOUR EMAIL.

Stay alert folks. Because they really are out to get you. That’s not paranoia, it’s just reality unfortunately.


installing lynis on ubuntu 16.04 notes

auditing linux security

Are you doing security auditing on Ubuntu 16.04? If not, you should be. One great tool to have in your arsenal is Lynis security auditing. Yes, this is completely redundant with OSSEC/Wazuh and third-party CloudTrail audits, but there is no harm in triple checking.

Why the paranoia? Because you can’t completely rely on any one system, imho, so human spot checks, particularly on your endpoints (or honeypots #heh), are an essential part of the process. Plus, at AWS you can create a temp “hot” AMI and tear the thing apart while it is in an ACL/Security Group cage, and then delete it without an attacker ever knowing.

Regarding Lynis security auditing, the Ubuntu apt package for lynis (what a plain apt install gives you) is still on version 2.1, while the current version is 2.6. First, 2.6 is much faster. Second, it gives a lot fewer false positives on Ubuntu 16.04.

My notes from:
https://packages.cisofy.com/community/#debian-ubuntu

# auditing notes - this post will age, so CHECK THE LINK ABOVE for current instructions
sudo su
# the stock xenial package installs the old 2.1 release; the apt upgrade below replaces it
apt install lynis
# trust the CISOfy signing key, then add their repo over https
wget -O - https://packages.cisofy.com/keys/cisofy-software-public.key | sudo apt-key add -
apt install apt-transport-https
echo 'Acquire::Languages "none";' | sudo tee /etc/apt/apt.conf.d/99disable-translations
# "xenial" is the codename of the server these notes were written on; substitute your own release codename
echo "deb https://packages.cisofy.com/community/lynis/deb/ xenial main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
apt update
# pulls lynis 2.6 from the new repo
apt upgrade
# confirm you are now on 2.6, not the 2.1 from the stock package
lynis show version

Again – check your version! Note I specified xenial in my notes, because that particular server is on xenial. You might not be. Read the Lynis docs. And happy auditing!
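The same setup as the notes above, written as a script that derives the release codename instead of hard-coding xenial and refuses to call the job done until lynis reports at least 2.6. This is an added example, not part of the original post or the Lynis project; it assumes a Debian/Ubuntu host with apt and lsb_release, and that the install step runs as root. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the CISOfy repo setup as
# functions, so the codename comes from lsb_release and the installed
# version is checked against the 2.6 the post expects. Assumes Debian/
# Ubuntu, apt, lsb_release, and root for the install step.

LYNIS_DEB_URL="https://packages.cisofy.com/community/lynis/deb/"
LYNIS_KEY_URL="https://packages.cisofy.com/keys/cisofy-software-public.key"
LYNIS_MIN_VERSION="2.6"

# Build the apt source line for a release codename (xenial, bionic, ...).
lynis_repo_line() {
    printf 'deb %s %s main\n' "$LYNIS_DEB_URL" "$1"
}

# Return 0 when dotted version $1 is >= dotted version $2, compared field by
# field as integers, so "2.10" sorts above "2.6" and "2.6.2" above "2.6".
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        if [ "${a:-0}" -gt "${b:-0}" ]; then
            return 0
        elif [ "${a:-0}" -lt "${b:-0}" ]; then
            return 1
        fi
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1="" ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2="" ;; esac
    done
    return 0
}

# Pull the first dotted number out of whatever `lynis show version` printed.
# Prints nothing when no digits are present (e.g. lynis is not installed).
parse_lynis_version() {
    printf '%s\n' "$1" | head -n 1 \
        | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | sed 's/\.*$//'
}

# Return 0 only when the reported version is present and >= LYNIS_MIN_VERSION.
lynis_version_ok() {
    ver="$(parse_lynis_version "$1")"
    [ -n "$ver" ] && version_ge "$ver" "$LYNIS_MIN_VERSION"
}

# The install steps from the notes, with the codename detected at run time.
# Must run as root (the post does `sudo su` first); apt-get is used so the
# run is non-interactive.
install_lynis_from_cisofy() {
    apt-get install -y apt-transport-https wget lsb-release
    codename="$(lsb_release -cs)"
    wget -O - "$LYNIS_KEY_URL" | apt-key add -
    echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/99disable-translations
    lynis_repo_line "$codename" > /etc/apt/sources.list.d/cisofy-lynis.list
    apt-get update
    apt-get install -y lynis
    out="$(lynis show version)"
    if lynis_version_ok "$out"; then
        echo "lynis $out installed from the $codename repo"
    else
        echo "WARNING: lynis reports '$out', expected >= $LYNIS_MIN_VERSION;" \
             "the stock package is probably still winning, check the repo line." >&2
        return 1
    fi
}

# Only touch the system when explicitly asked: ./lynis-setup.sh install
if [ "${1:-}" = "install" ]; then
    install_lynis_from_cisofy
fi
```

Run it with `install` as the first argument on the host you are auditing; without it the script only defines the functions, which is handy for sourcing into a larger bootstrap script.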

We can reduce mass shooting with AI, Robotics and Non-Lethal Defense

Robotics and AI to Respond to Mass Shootings

Mass shootings are a horrible American phenomenon. We have a problem with guns crossed with an overly aggressive society. I believe the number of mass shootings *can* be reduced even if our politicians won’t act on gun control. How? By using AI, computer vision, and non-lethal robotic responses to help people fight back against shooters. A summary of robotic self defense of soft targets like schools against shooters, in 24 seconds:

There are many details. Yes, it’s complex as hell. I KNOW. HELP US.

Because it IS possible to “help people fight back.”

An MVP model for robotic self defense is as simple as a human who points at the bad actor from a remote location on their iphone/android and activates the wall mounted robots. The robots, under human control, act in unison to disorient the shooter. Yes, it still requires a human response against the shooter. But we don’t have a damn thing right now. Can we just admit that our babies, our kids, our kids’ teachers are the first responders before the first responders get there?

We can possibly defend ourselves, and AI can help us using non-lethal means to defend ourselves, to enable our kids in their schools to defend themselves, when some evil person brings in an AR15 to attack the innocents. We CAN fight back.

Starting SOMA Robotics is why I went to San Francisco for the last year. To try to get funding to save lives.

I failed.

I don’t know the game. But surely someone out there does. Please?

I’ve been busting my ass trying to get funding for Tendenci in the valley since 2011. As I’ve said before, I have a phd in f’n up. Yet damnit, this might work. Right?

I still believe that we CAN reduce the impact of mass shooters at schools and other “soft targets” using existing technology.

Watch the video. Slow it down and then if you think it has potential, the potential to help US THE PEOPLE, THE KIDS, FIGHT BACK before our heroic first responders arrive, then please HELP ME.

This isn’t about the money, it’s about the kids.

Black Panther – something I’m looking forward to!

Yes, I’m a programmer and full stack developer, speaker, etc, but… at TAMU I minored in history. One of my focus areas was African history (the continent. Think 1000+ years of history.) Thus I’m really looking forward to watching Black Panther.

Let me count the ways:

First – I’ve heard it is a GREAT movie.

Second – I’m hoping to learn more from what is hopefully a historically “aware” science fiction movie that will open minds to the richness and culture. We must learn from our origin.

https://www.imdb.com/title/tt1825683/

Primary voting reg deadline Monday Feb 7, 2018

You must register to vote in the party primaries by tomorrow.

From an email from our Houston district rep Culberson:

“If you were displaced by Hurricane Harvey, like my brother and his wife, and you have temporarily moved until you can repair your house, your voter registration may have been suspended because the Post Office is prohibited from forwarding our new voter registration cards.  You are still registered, but you will need to fill out a Certificate of Residency form, which you can print from this link, and give it to the Election Judge so you can vote in your home precinct.”

First – do what John says. Vote in the primaries NOW.

Further:

Register as a Republican if you are in Texas. Seriously. You can vote for whoever you want in the actual election.

But as y’all know, human-ballot-robots will just click a party-line-vote.

Yes, sure they are smart people. But smart is a dime a dozen and few have the time to research. Thus lacking the discipline to study and gain knowledge on the candidates themselves, they click a party (the party of the North in the “War Between the States” if you are curious) and then walk out.

Bottom line:

Voting in the Texas primaries matters because most voters in Texas straight-line party vote like robots for the carpet-bagger party. (Google it. History is good for you.)

Example: despite every major city in Texas voting Blue in the last Presidential election, despite the terrible options given to us by both parties, there are still the rural voters who straight party line vote. I know they are smart.

I was privileged to be an Aggie myself; I studied POLS at TAMU, which required critical thinking. I believe I am qualified to speak to this topic.

I have voted in primaries for both parties over the years. (So what? I’m pro-America and pro-Earth.) I volunteered for Bush 41’s re-election campaign. I volunteered in support of Mayor Bill White. I supported Mayor Annise Parker. I’ve volunteered (at great personal expense) to support Congressman Culberson in DC when he was on the cutting edge of tech and they were blocking his push for the latest tech.

To be clear, John is a good man. I first met him because we went to the same Church (MDUMC) in the Energy Corridor in West Houston. Our kids were in different Sunday School classes that all of us volunteered to teach.

Action Items:

Register as a Republican and pick your next Rep. Because the actual vote won’t matter in Texas state level elections.

Congressman John Culberson is a friend, was a long time client, and I like what he says in person. Yet I don’t like that some DC dorks and K-street absorbed him into party line votes.

Davey Crockett would, actually he did, die fighting for our rights. But DC can consume a person apparently. I still have hope for John as a leader. Right now every time I read a roll call vote summary in the Chronicle I’m kinda disappointed to see party/pac money “trumps” representative leadership. (We want you back John!)

To repeat – go vote in the primaries. If you aren’t registered with a party then tomorrow is the deadline in Texas.

Note: I’m from the party of George Washington. (Google it)

As an independent, I have no problem voting in either primary, and I have, in a nation that has distorted the electoral college and gerrymandered districts like schoolyard bullies. (I’m looking at you Tom Delay.)

It bears repeating – “I have a dream” – MLK

American Flag in Honor of MLK

To Make America Great – we should listen to the Words of Martin Luther King, Jr. from 1963.

In a peaceful protest in Washington, when speaking on Jobs and Freedoms, MLK spoke. And when I say spoke, I mean… daaaammmn …. he inspired. I read this speech every year on MLK day. I read them with my heart. I  reread them every year to measure where we are. In 2018 I feel we have lost sight of the American Dream.  I WANT to reread them because they are a message of hope and vision for what our country could be someday. Sometimes I go down a rabbit hole of not only self-doubt, but doubt in my own country, which I love so much. Dr. King gives me hope. This speech is what a Great America could be.

Transcript Source: King Institute at Stanford

I am happy to join with you today in what will go down in history as the greatest demonstration for freedom in the history of our nation. [applause]

Five score years ago, a great American, in whose symbolic shadow we stand today, signed the Emancipation Proclamation. This momentous decree came as a great beacon light of hope to millions of Negro slaves [Audience:] (Yeah) who had been seared in the flames of withering injustice. It came as a joyous daybreak to end the long night of their captivity. (Hmm)

But one hundred years later (All right), the Negro still is not free. (My Lord, Yeah) One hundred years later, the life of the Negro is still sadly crippled by the manacles of segregation and the chains of discrimination. (Hmm) One hundred years later (All right), the Negro lives on a lonely island of poverty in the midst of a vast ocean of material prosperity. One hundred years later (My Lord) [applause], the Negro is still languished in the corners of American society and finds himself in exile in his own land. (Yes, yes) And so we’ve come here today to dramatize a shameful condition.

In a sense we’ve come to our nation’s capital to cash a check. When the architects of our republic wrote the magnificent words of the Constitution and the Declaration of Independence (Yeah), they were signing a promissory note to which every American was to fall heir. This note was a promise that all men, yes, black men as well as white men (My Lord), would be guaranteed the unalienable rights of life, liberty, and the pursuit of happiness. It is obvious today that America has defaulted on this promissory note insofar as her citizens of color are concerned. (My Lord) Instead of honoring this sacred obligation, America has given the Negro people a bad check, a check which has come back marked insufficient funds. [enthusiastic applause] (My Lord, Lead on, Speech, speech)

But we refuse to believe that the bank of justice is bankrupt. (My Lord) [laughter] (No, no) We refuse to believe that there are insufficient funds in the great vaults of opportunity of this nation. (Sure enough) And so we’ve come to cash this check (Yes), a check that will give us upon demand the riches of freedom (Yes) and the security of justice. (Yes Lord) [enthusiastic applause]

We have also come to this hallowed spot (My Lord) to remind America of the fierce urgency of now. (Mhm) This is no time (My Lord) to engage in the luxury of cooling off or to take the tranquilizing drug of gradualism. [applause] (Yes, Speak on it!) Now is the time (Yes it is) to make real the promises of democracy. (My Lord) Now is the time to rise from the dark and desolate valley of segregation to the sunlit path of racial justice. Now is the time [applause] to lift our nation from the quicksands of racial injustice to the solid rock of brotherhood. Now is the time (Yes) [applause] (Now) to make justice a reality for all of God’s children.

It would be fatal for the nation to overlook the urgency of the moment. This sweltering summer of the Negro’s legitimate discontent (Yes) will not pass until there is an invigorating autumn of freedom and equality. (My Lord) 1963 is not an end, but a beginning. (Yes) And those who hope that the Negro needed to blow off steam and will now be content will have a rude awakening if the nation returns to business as usual. [enthusiastic applause] There will be neither rest nor tranquility in America until the Negro is granted his citizenship rights. The whirlwinds of revolt will continue to shake the foundations of our nation until the bright day of justice emerges.

But there is something that I must say to my people, who stand on the warm threshold which leads into the palace of justice: in the process of gaining our rightful place, we must not be guilty of wrongful deeds. Let us not seek to satisfy our thirst for freedom by drinking from the cup of bitterness and hatred. (My Lord, No, no, no, no) [applause] We must forever conduct our struggle on the high plane of dignity and discipline. We must not allow our creative protest to degenerate into physical violence. (My Lord) Again and again (No, no), we must rise to the majestic heights (Yes) of meeting physical force with soul force. (My Lord) The marvelous new militancy which has engulfed the Negro community must not lead us to a distrust of all white people (Hmm), for many of our white brothers, as evidenced by their presence here today, have come to realize that their destiny is tied up with our destiny [sustained applause], and they have come to realize that their freedom is inextricably bound to our freedom. We cannot walk alone.

And as we walk, we must make the pledge that we shall always march ahead. We cannot turn back. There are those who are asking the devotees of civil rights, “When will you be satisfied?” (Never) We can never be satisfied as long as the Negro is the victim of the unspeakable horrors of police brutality. (Yes) We can never be satisfied [applause] as long as our bodies, heavy with the fatigue of travel, cannot gain lodging in the motels of the highways and the hotels of the cities. [applause] We cannot be satisfied as long as the Negro’s basic mobility is from a smaller ghetto to a larger one. (Yes) We can never be satisfied as long as our children are stripped of their selfhood and robbed of their dignity by signs stating for whites only. [applause] (Yes, Hallelujah) We cannot be satisfied as long as a Negro in Mississippi cannot vote and a Negro in New York believes he has nothing for which to vote. (Yeah, That’s right, Let’s go) [applause] No, no, we are not satisfied and we will not be satisfied until justice rolls down like waters (Yes) and righteousness like a mighty stream. [applause] (Let’s go, Tell it)

I am not unmindful that some of you have come here out of great trials and tribulations. (My Lord) Some of you have come fresh from narrow jail cells. (My Lord, That’s right) Some of you have come from areas where your quest for freedom left you battered by the storms of persecution (Yeah, Yes) and staggered by the winds of police brutality. You have been the veterans of creative suffering. Continue to work with the faith (Hmm) that unearned suffering is redemptive. Go back to Mississippi (Yeah), go back to Alabama, go back to South Carolina, go back to Georgia, go back to Louisiana, go back to the slums and ghettos of our northern cities (Yes), knowing that somehow this situation can and will be changed. (Yes) Let us not wallow in the valley of despair. (My Lord)

I say to you today, my friends [applause], so even though we face the difficulties of today and tomorrow (Uh-huh), I still have a dream. (Yes) It is a dream deeply rooted in the American dream. (Yes)

I have a dream (Mhm) that one day (Yes) this nation will rise up and live out the true meaning of its creed (Hah): “We hold these truths to be self-evident, that all men are created equal.” (Yeah, Uh-huh, Hear hear) [applause]

I have a dream that one day on the red hills of Georgia (Yes, Talk), the sons of former slaves and the sons of former slave owners will be able to sit down together at the table of brotherhood.

I have a dream (Yes) [applause] that one day even the state of Mississippi, a state sweltering with the heat of injustice (Yeah), sweltering with the heat of oppression (Mhm), will be transformed into an oasis of freedom and justice.

I have a dream (Yeah) [applause] that my four little children (Well) will one day live in a nation where they will not be judged by the color of their skin but by the content of their character. (My Lord) I have a dream today. [enthusiastic applause]

I have a dream that one day down in Alabama, with its vicious racists (Yes, Yeah), with its governor having his lips dripping with the words of “interposition” and “nullification” (Yes), one day right there in Alabama little black boys and black girls will be able to join hands with little white boys and white girls as sisters and brothers. I have a dream today. [applause] (God help him, Preach)

I have a dream that one day every valley shall be exalted (Yes), every hill and mountain shall be made low, the rough places will be made plain (Yes), and the crooked places will be made straight (Yes), and the glory of the Lord shall be revealed [cheering], and all flesh shall see it together. (Yes Lord)

This is our hope. (Yes, Yes) This is the faith that I go back to the South with. (Yes) With this faith (My Lord) we will be able to hew out of the mountain of despair a stone of hope. (Yes, All right) With this faith (Yes) we will be able to transform the jangling discords of our nation (Yes) into a beautiful symphony of brotherhood. (Talk about it) With this faith (Yes, My Lord) we will be able to work together, to pray together, to struggle together, to go to jail together (Yes), to stand up for freedom together (Yeah), knowing that we will be free one day. [sustained applause]

This will be the day, this will be the day when all of God’s children (Yes, Yeah) will be able to sing with new meaning: “My country, ‘tis of thee (Yeah, Yes), sweet land of liberty, of thee I sing. (Oh yes) Land where my fathers died, land of the pilgrim’s pride (Yeah), from every mountainside, let freedom ring!” (Yeah)

And if America is to be a great nation (Yes), this must become true. So let freedom ring (Yes, Amen) from the prodigious hilltops of New Hampshire. (Uh-huh) Let freedom ring from the mighty mountains of New York. Let freedom ring from the heightening Alleghenies of Pennsylvania. (Yes, all right) Let freedom ring (Yes) from the snow-capped Rockies of Colorado. (Well) Let freedom ring from the curvaceous slopes of California. (Yes) But not only that: (No) Let freedom ring from Stone Mountain of Georgia. [cheering] (Yeah, Oh yes, Lord) Let freedom ring from Lookout Mountain of Tennessee. (Yes) Let freedom ring from every hill and molehill of Mississippi. (Yes) From every mountainside (Yeah) [sustained applause], let freedom ring.

And when this happens [applause] (Let it ring, Let it ring), and when we allow freedom ring (Let it ring), when we let it ring from every village and every hamlet, from every state and every city (Yes Lord), we will be able to speed up that day when all of God’s children (Yeah), black men (Yeah) and white men (Yeah), Jews and Gentiles, Protestants and Catholics (Yes), will be able to join hands and sing in the words of the old Negro spiritual: “Free at last! (Yes) Free at last! Thank God Almighty, we are free at last!” [enthusiastic applause]

Source:

MLKEC-INP, Martin Luther King, Jr. Estate Collection, In Private Hands

https://kinginstitute.stanford.edu/king-papers/documents/i-have-dream-address-delivered-march-washington-jobs-and-freedom

Y’all – please don’t give up hope on America. This is our country. #resist

FCC Repeals Net Neutrality because … WHY?

The FCC has repealed Net Neutrality as pressured by Congress and the President. Just … wtf?

HOWEVER: Note: Congress just passed a tax law nobody really understands. And economists have no idea if the projections are in any way realistic. They literally do NOT know what will happen, just that they lowered corporate taxes and eliminated the health care mandate. I’ll get back to that topic.

To distract all of us, in obvious post-dystopian style, they repealed NetNeutrality. Hence everyone who cares about equality and has a voice is now distracting everyone from the tax bill which reduces equality further. #awesome

From the NYT on the repeal of Net Neutrality by Ajit Pai of the FCC

https://www.nytimes.com/2017/12/14/technology/net-neutrality-repeal-vote.html

Here are …. well at least as many as they can figure out, the congressmen who voted for it and just how much money they were paid to do it.

https://motherboard.vice.com/en_us/article/7xwknx/republican-members-of-congress-fcc-letter

Net Neutrality works like this.

You go to the gym. You pay for a gym membership. The gym is a business and it’s gotta pay the bills. I’m cool with that. When you lift, there is etiquette, but basically we all share the same machines or weights. Sometimes we have to wait in the same line if the gym is busy. That’s life.

Now…. imagine going to the gym in an alternate universe without Net Neutrality. It works like this:

Or…. if you are poor. Or small. Or different. You can only use the first three machines and you have to wait to do it.

If you are middle class, you get to use the first 6 machines, but you also have to wait, just not as long.

BONUS ROUND! – If you are in Government or RICH you get to use all 500 machines at the gym with no wait.

The site https://www.battleforthenet.com/ describes it like this:

Cable companies are famous for high prices and poor service. Several rank as the most hated companies in America. Now, they’re lobbying the FCC and Congress to end net neutrality. Why? It’s simple: if they win the power to slow sites down, they can bully any site into paying millions to escape the “slow lane.” This would amount to a tax on every sector of the American economy. Every site would cost more, since they’d all have to pay big cable. Worse, it would extinguish the startups and independent voices who can’t afford to pay. If we lose net neutrality, the Internet will never be the same.

They literally just broke the Internet. #WTF

I’m speechless. Excuse the pun. But feel free to google a few terms.

And the tech sector should realize its own values: if Apple doesn’t think it’s worth a few billion dollars of repatriated earnings to defend Net Neutrality and support the EFF, if Zuckerberg doesn’t buy his own congressmen, if Microsoft doesn’t use its leverage to defend free speech, then Silicon Valley needs to accept that WE ARE PART OF THE PROBLEM.

Mac OS High Sierra Turns on User Tracking by Default Again

Apple – I’m disappointed in y’all for adding/enabling “Significant Locations” on my laptop in the latest update to macOS High Sierra. “Frequent Locations,” as it is called in iOS, being added to laptops is just as bad as when you added it to the iPhone. It can put people in danger, and at a time when we are having a national debate on the predatory behavior of so many people.

Readers – Has your laptop said “You were just at xyz yesterday. Why not submit a rating?” Yup. That. 

How to turn off Significant Locations

Step 1 – In System Preferences, go to Security & Privacy, then the Privacy tab, and select Location Services. (Screenshot: turn off location tracking, but not all of Location Services.)

Step 2 – Click the lock to unlock the pane. (Screenshot: Frequent Locations is NOT needed and is unsafe.)

Step 3 – Open the map showing every place you go and clear the history first.

Step 4 – After clearing the history, macOS will prompt you to reconsider.

Step 5 – Uncheck Frequent Locations once the history is cleared.

Why is turning off Significant Locations important? Because if your laptop gets stolen and it’s not encrypted and/or uses a weak password, then the thief gets to know every place you frequent (like your home, work, gym, grocery store, you name it), even how long you stay there.

Company issued laptop? Your boss could learn you are interviewing. Or that your sick day was really just a day to go to the beach.

Victim of domestic violence? That person could track every place you go, like to a shelter or the authorities. And they probably have access to your computer.

Have nothing to hide? Maybe some of your friends don’t want their address stored in your laptop for advertisers to cross reference.

Traveling? Authorities in another country could determine the location of your family and friends for coercion. And at the border people can now be compelled to turn over their social media logins. You may think you have nothing to hide, but if you care for others, then you owe it to them to maintain reasonable privacy.

Tracking people has far more down sides than up sides.

And Apple – burying those tracking settings where normal humans can’t find them to protect themselves isn’t cool. It just makes phishing scams easier and literally threatens people’s lives if abused. Please stop.

Marissa Mayer Testifies Russian Agents Behind 2013 Yahoo Attack

Marissa Mayer

Nov 8, 2017.  From the Reuters article regarding former CEO of Yahoo Marissa Mayer’s testimony before Congress:

WASHINGTON (Reuters) – Former Yahoo Chief Executive Marissa Mayer apologized on Wednesday for two massive data breaches at the internet company, blaming Russian agents for at least one of them, at a hearing on the growing number of cyber attacks on major U.S. companies.

Having spent the majority of the last three years doing almost exclusively InfoSec and Security on the Tendenci SaaS Cloud, not by choice but out of necessity, I do feel a bit of vindication as they confirm the facts. This is DATA people. Not opinion. I see it every day.
Tendenci has always kept logs, but never before have we had to keep three (and sometimes four) sets of logs in different locations. Log verification, audit, cross-references, searching through millions of log lines DAILY. Just the expense … it’s frustrating for us in the security community for several reasons:
  1. We can’t talk fully openly about it for confidentiality reasons.
  2. We sound kra-kra.
  3. When we do, everyone thinks we are crazy and it’s a conspiracy theory.

It turns out reality is like an idiom: what everyone initially thought was wrong, and, like so many other things, people get silenced. That shit Cray. Oh, and that reference doesn’t mean what you think it means either. Because Jay-Z is smart as f*ck and he is making a damn point.

All I can say is … what he said. Because THIS shit is Cray.

By World Economic Forum – “An insight, an idea: Marissa Mayer” at Flickr, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=24851211

NSA tools released to the Dark Web: 2014 (likely earlier imho)

Kaspersky tools removal update. But keep reading – it gets better:

http://www.mcclatchydc.com/news/politics-government/congress/article180707721.html

Now for the punchline – it has been documented that Kaspersky, a Russian company close to Putin, was hacked by Israel. Kaspersky researchers confirmed the NSA hacking tools’ existence, having discovered them in the spring of 2014. The article:

http://www.businessinsider.com/russia-kaspersky-lab-nsa-spy-us-computer-2017-10

In a statement, the company (Kaspersky) said it stumbled on the (NSA) code a year earlier than the recent newspaper reports had it (ed: Comey stated summer 2015), in 2014. It said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious.

And it further states, again from the article:

Kaspersky’s Equation Group report was one of its most celebrated findings, since it indicated that the group could infect firmware on most computers. That gave the NSA almost undetectable presence.

Kaspersky later responded via email to a question by Reuters to confirm that the company had first discovered the so-called Equation Group programs in the spring of 2014.

So Russian antivirus software found a zip file of NSA hacking tools in 2014. Hacking tools that target Microsoft and other business software, again, in the spring of 2014. Confirmed by Israeli security researchers who hacked Kaspersky.

Now, what they found was compressed, portable, and easily emailed or traded, at a time when nobody else had the signatures to detect it. A zip file.

A zip file.

For those unfamiliar with the industry, by the time an exploit is being traded around as a 7z or zip archive it has long been in the wild. That is the commodity phase of the economic curve.

The economics of the dark web have been researched and are well documented (hint: look at DEFCON and Blackhat presos from a few years back.)

If you are a reporter or security researcher – keep digging. Basic economics says it had to have been trading in early 2013 at high prices, with the quick price decline that is typical of shrink-wrap software.

It remained unpatched. Every company using common business software was, and probably still is, an open book. A trivial metasploit script and your movies, your directional drilling tech, your seismic data, patents, medical history, your porn habit, email, fb, you name it, was and probably still is wide open.

Bottom line: My opinion is that the NSA hacking tools were loose by 2013, if not earlier (but I’ll stick with my mid-2013 estimate for the release to the wildebeests). NSA let them into the wild; the Russians discovered them (current media puts this at 2014); the Russians were then hacked by our allies in Israel; and Israel reported this to the US.

And we did nothing. Think about it.

Just add that up and you get Russia hacking US companies and associations using our own tools paid for by YOU. NSA hacking tools discovered and reported to the US by our allies in Israel. 2014 or earlier.

What did NOT happen was responsible disclosure to vendors like Microsoft, which only patched the affected software in 2017, in the weeks around the Shadow Brokers’ public dump of the tools. Thus from 2014 (or earlier), our allies, our foes, and our own security agencies did nothing to protect US intellectual property, infrastructure, companies, jobs, and people.

Noodle that one.

…. this story will continue to unfold. And if you are an investigative journalist, maybe ask around the community politely regarding whose zoo had the code and when.

Update;  http://www.theregister.co.uk/2017/10/25/kaspersky_nsa_keygen_backdoor_office/

Triangulate Shooter Location with Mobile App – Possible?

Text exchange with a friend about how to defend crowds from threats like the shooter in Las Vegas.

[redacted section]

Yup, saving the world, or trying to, one bear at a time.

Triangulating on a sound with data from thousands of willing, opt-in smartphones is possible: phone orientation (pitch, yaw), acceleration, and relative volume compared to phones in proximity so readings can be normalized. If the towers go out, calculate position from the last known good fix.

Mesh the phones relative to each other if there is no service. Share UDP 5353 and turn multicast DNS into a “people finder.”

The app, once turned on, would send a cascade of data flowing in with lots of noise. The analysis is the same thing anyone who has done log analysis with an ELK stack is familiar with. Keep a rolling buffer of, say, 10 seconds on the device so the moments before the trigger are captured.

A few datasets from simulations (like putting 30 people in a room and seeing if the app can figure out who blew the dog whistle) would tell you how well it works.

Sensor based smart phone triangulation is one way we could defend ourselves in an attack on any soft target.

Note: the concept is somewhat related to what we are building at somarobotics.com. However I’m putting it out there because I’d love to see someone build a system to automatically respond and help.
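As an added worked example (not code from the original post and not what somarobotics.com is building), here is the core of the triangulation step: given the positions of a handful of opted-in phones and the time each one heard the impulse, solve for where the sound came from. It uses time difference of arrival rather than the relative-volume normalization described above, because timestamps are far less sensitive to which pocket the phone is in. The phone positions, the arrival times and the 343 m/s speed of sound are constructed assumptions.

```python
"""TDOA (time-difference-of-arrival) localisation of an impulsive sound from
timestamps reported by opted-in phones. Added example, not code from the
original post or from somarobotics. Coordinates and timestamps are constructed;
343 m/s assumes dry air near 20 C."""
import math

SPEED_OF_SOUND = 343.0  # m/s, assumption: dry air near 20 C


def solve_3x3(a, b):
    """Solve the 3x3 linear system a*x = b by Gaussian elimination with pivoting."""
    n = 3
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular system: sensors are probably collinear")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def locate_source(sensors, arrivals, c=SPEED_OF_SOUND, iterations=50):
    """Estimate (x, y) of an impulsive sound and its emission time t0.

    sensors:  list of (x, y) phone positions in metres (GPS or mesh-relative)
    arrivals: list of arrival timestamps in seconds on a shared clock, same order
    The unknowns (x, y, t0) are fitted by Gauss-Newton least squares on the
    residual r_i = dist_i / c - (t_i - t0). Needs at least 3 non-collinear
    phones; 4 or more lets noisy reports average out.
    """
    if len(sensors) < 3 or len(sensors) != len(arrivals):
        raise ValueError("need >= 3 sensors with one arrival time each")
    # Initial guess: centroid of the reporting phones, t0 = earliest arrival.
    x = sum(p[0] for p in sensors) / len(sensors)
    y = sum(p[1] for p in sensors) / len(sensors)
    t0 = min(arrivals)
    for _ in range(iterations):
        jtj = [[0.0] * 3 for _ in range(3)]  # J^T J
        jtr = [0.0] * 3                      # J^T r
        for (sx, sy), t in zip(sensors, arrivals):
            d = math.hypot(x - sx, y - sy) or 1e-9
            resid = d / c - (t - t0)
            # Partial derivatives of resid with respect to x, y, t0
            j = [(x - sx) / (d * c), (y - sy) / (d * c), 1.0]
            for a in range(3):
                jtr[a] += j[a] * resid
                for b in range(3):
                    jtj[a][b] += j[a] * j[b]
        step = solve_3x3(jtj, jtr)
        x, y, t0 = x - step[0], y - step[1], t0 - step[2]
        if max(abs(s) for s in step) < 1e-9:
            break
    return x, y, t0


def simulate_arrivals(source, t_emit, sensors, c=SPEED_OF_SOUND):
    """Constructed test data: when would each phone hear a shot fired at `source`?"""
    return [t_emit + math.hypot(source[0] - sx, source[1] - sy) / c
            for sx, sy in sensors]


if __name__ == "__main__":
    # Constructed scenario: five phones around a venue (metres), a shot at (120, 80).
    phones = [(0, 0), (200, 0), (200, 150), (0, 150), (90, 60)]
    truth = (120.0, 80.0)
    times = simulate_arrivals(truth, 10.0, phones)
    est_x, est_y, est_t0 = locate_source(phones, times)
    print(f"estimated source ({est_x:.1f}, {est_y:.1f}) m, fired at t={est_t0:.3f} s")
```

In practice the phone clocks are the hard part: the solve assumes the reported timestamps share one clock to within a millisecond or so (a 1 ms error is about 34 cm), so the app would need NTP or GPS time sync, and with real, noisy data you want more than the three-phone minimum so the least-squares fit can average out the outliers.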

tragedy in las vegas – a city that changed my life years ago

Nothing can explain away the tragedy that happened last night in Las Vegas. A terrorist act by a cowardly American white male terrorist. And nothing SHOULD explain it away. It’s inexcusable in every way.

A wise person recently told me that “POTUS is not the problem. He is a symptom of the problem.” I believe they make a valid point that we have major issues that have been building for years. And we need to STOP IT.

Now is a time to support the families.

But very shortly, we need to have some serious dialog …. and the burden of finding the right balance of legislation falls 100% on the gun lobby itself.

On a positive note, this is how I think of Las Vegas. Still.

Lake Las Vegas

PS: There are no links in this post because there are much smarter people than me working together with the victims right now and I have no desire to distract. 

Even if we lived in a color-blind society

From the article:

“Here’s the thing: Even if we lived in a color-blind society, that would be a dangerous sentiment. After all, freedom of expression is right there in the First Amendment. And our brave soldiers didn’t fight and die so that everyone stood during the national anthem. They fought so people could have the right to make a choice about whether or not they wanted to stand. That’s the whole damn point of the First Amendment.”

Equifax Breach via Apache Struts Framework

Equifax Hack via Apache Struts

As reported last Friday, Equifax, the personal credit reporting agency, disclosed a 2017 data breach exposing the identities of 143 million people. The intrusion began in May 2017 and is only now (September 2017) being disclosed. It is going to impact all of us. Sources:

  1. Equifax data leak could involve 143 million consumers
  2. PSA: no matter what, Equifax may tell you you’ve been impacted by the hack
  3. Did Lack of Visibility into Apache Struts Lead to the Equifax Breach?

From the second article on the Equifax breach linked above, this portion really galls me:

… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.

It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.

Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.

The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:

The wording is such that anyone signing up for the product is barred from suing the company after.

I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.

Note: Equifax has changed the indemnification, but only under duress imho. Furthermore, 30 days of free credit monitoring from the company that released your data, after which you have to pay monthly, still seems wrong. But to be fair, here is their update:

Questions continue to be raised about the arbitration clause and class action waiver language that was originally in the terms of use for the free credit file monitoring and identity theft protection products that we are offering called TrustedID Premier.
(Editor: well ya, duh!?)

We have removed that language from the TrustedID Premier Terms of Use and it will not apply to the free products offered in response to the cybersecurity incident or for claims related to the cybersecurity incident itself. The arbitration language will not apply to any consumer who signed up before the language was removed.
(Editor: but did you fire the person who did it in the first place?)

I get it. Nothing is secure. If the NSA’s hacking tools get stolen and OPM loses all of the data from security clearance checks on our own people, then truly nothing is safe. I get it.

What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!

This boggles the mind of a PR Professional.

The Internet was not built for e-commerce; it was built for knowledge sharing inside a “walled garden” of mutually trusting institutions, so keeping sites fully secure is not possible. Any security professional will tell you the best practice is to whitelist the good guys (selective inclusion) rather than trying to enumerate every attack and block it, because the list of bad actors is unbounded and you will always be one signature behind. The hard part, at a high level, is deciding who belongs on that list and keeping everyone else out.

I hate to say it folks, but we are playing whack-a-mole with your identity and money.  It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.

As reported by Black Duck (awesome people btw), the Apache Struts flaw used against Equifax is still easily exploitable on similar sites that haven’t patched.
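The Black Duck article’s point is visibility: you cannot patch a framework you do not know you are shipping. As an added example (not Black Duck’s or Equifax’s tooling), here is the kind of check a build pipeline can run over a Maven pom.xml to list every Struts artifact it declares and flag any below a minimum version. The pom.xml is constructed, and the MINIMUM_SAFE floors are a placeholder policy you would take from the vendor’s own security bulletins, not values from this post.

```python
"""Inventory check: which Apache Struts versions does a build declare?
Added example, not Equifax's or Black Duck's tooling. The pom.xml is
constructed; MINIMUM_SAFE is a placeholder patch policy, set it from the
vendor's security bulletins."""
import xml.etree.ElementTree as ET

# Assumption: your patch policy, keyed by Struts release line ("major.minor").
MINIMUM_SAFE = {"2.3": (2, 3, 32), "2.5": (2, 5, 10, 1)}

# Constructed pom.xml for a web app with one pinned and one property-driven version.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.31</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.12</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise, which is what we need."""
    return tuple(int(p) for p in text.strip().split("."))


def struts_dependencies(pom_xml):
    """Return [(artifactId, version)] for every org.apache.struts dependency,
    resolving ${property} references declared in <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        if group != "org.apache.struts":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        found.append((artifact, version))
    return found


def outdated_struts(pom_xml, policy=MINIMUM_SAFE):
    """Flag Struts artifacts below the policy floor for their release line.
    A release line with no policy entry is flagged too: unknown is not safe."""
    flagged = []
    for artifact, version in struts_dependencies(pom_xml):
        v = parse_version(version)
        line = f"{v[0]}.{v[1]}"
        floor = policy.get(line)
        if floor is None or v < floor:
            flagged.append((artifact, version, line))
    return flagged


if __name__ == "__main__":
    for artifact, version, line in outdated_struts(SAMPLE_POM):
        print(f"OUTDATED: {artifact} {version} (line {line}, floor {MINIMUM_SAFE.get(line)})")
```

Parsing the pom directly only sees declared dependencies and misses transitive ones, which is exactly the blind spot the article is about; a real scan should run over the resolved dependency tree (mvn dependency:tree) or the deployed WAR’s lib/ directory, but the version-floor logic is the same.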

This is like Hurricane Harvey – it’s not even close to over.