Readings: BTK and OpSec, Facebook gets fugitive nabbed, Driverless Car Fearmongering

grugq: Don’t Take OPSEC Advice From the Police – “In his letters to police, Rader asked if his writings, if put on a floppy disk, could be traced or not. The police answered his question in a newspaper ad posted in the Wichita Eagle saying it would be safe to use the disk.” – I knew the serial killer known as “BTK” was caught over data found on a disk he had sent in; had no idea it was after he had apparently asked for and received advice from the police on whether it was traceable. (Also, if you’re interested in operational security and similar issues, grugq’s tumblr is a fantastic trove of information.)

Ars Technica: On the lam for decades, fugitive’s Facebook account dooms him – ‘US Attorney Melinda Haag’s office in San Francisco said the 61-year-old fugitive was apprehended “after the US Department of State’s Bureau of Diplomatic Security researched social media websites and found Legaspi’s Facebook page. The Royal Canadian Mounted Police used the information to apprehend Legaspi.”’ – I have no words.

Verge: The FBI is worried driverless cars will be used as bombs

Criminals could use driverless cars to evade law enforcement, shoot cops from the back of the vehicle, and “conduct tasks that require use of both hands or taking one’s eyes off the road which would be impossible today,” according to an internal report obtained by The Guardian. The last concern was outlined in a section called “multitasking.”

Another fear is that criminals will pack a driverless car with explosives and program it to drive itself into a target.


Readings: Cryptolocker Redemption, Third Intel Leaker, WiFi as X-Ray

BBC: Cryptolocker victims to get files back for free – “Now, security firms Fox-IT and FireEye – which aided the effort to shut down the Gameover Zeus group – have created a portal, called Decrypt Cryptolocker, via which any of the 500,000 victims can find out the key to unlock their files.” – Some surprising numbers in there, including the fact that only 1.3% of victims paid up. I would’ve expected it to be higher.

Schneier: The US Intelligence Community has a Third Leaker – Schneier has a brief, convincing argument for not just the second leaker being talked about now but a third.

Verge: Robots can use Wi-Fi as X-ray vision – “Their method works by having two autonomous robots make their way around an unknown structure, with one sending a signal off to another. Eventually, the receiver will collect enough data about where the signal is strong and weak to build a two-dimensional picture of what it’s been looking at.” – An interesting idea to come across with the Signal Strength image still in my head. Serious implications for privacy.

Readings: Brazil Gyno Teacher Tests, Open Access Surveillance Oops, Xiaomi Phones Home

Telegraph: Brazil anger over gynaecological tests for teachers – “Women’s rights advocates in Brazil have denounced requirements by the country’s most populous state for prospective female teachers to submit to gynaecological exams or prove their virginity in order to work.” – I have no words.

Forbes: Whoops, Anyone Could Watch California City’s Police Surveillance Cameras – “The cameras used a proprietary mesh protocol to communicate but were not password-protected. Hoffman and Kinsey said that the protocol was fairly easily reverse-engineered and that tapping into the network was then easy, requiring no specialized hardware, and allowing anyone to have a police-eye’s view of the town.” – Police department became aware of the problem, subsequently “secured” the mesh network through WEP encryption…which has been entirely broken for years. This is why we can’t have nice things, Law Enforcement.

TNW: Xiaomi makes its cloud messaging service optional for users following security concerns – “However, a recent report from F-Secure highlighted that the service appears to share a range of information with a server in China — including the device’s IMEI number, customer’s phone number, phone contacts and text messages received. The idea of sharing such data to a server in China, where it could be open to access from the government, naturally raised some concerns, particularly since there was no way to opt out.” – Given that Huawei got blackballed for much less, I wonder if this has closed off the US market to Xiaomi.

Mark 39

“The B-52 [over North Carolina] was carrying two Mark 39 hydrogen bombs, each with a yield of 4 megatons. As the aircraft spun downward, centrifugal forces pulled a lanyard in the cockpit. The lanyard was attached to the bomb release mechanism. When the lanyard was pulled, the locking pins were removed from one of the bombs. The Mark 39 fell from the plane. The arming wires were yanked out, and the bomb responded as though it had been deliberately released by the crew above a target. The pulse generator activated the low-voltage thermal batteries. The drogue parachute opened, and then the main chute. The barometric switches closed. The timer ran out, activating the high-voltage thermal batteries. The bomb hit the ground, and the piezoelectric crystals inside the nose crushed. They sent a firing signal. But the weapon didn’t detonate.”

Eric Schlosser, Command and Control: Nuclear Weapons, the Damascus Accident, and the Illusion of Safety

Readings: Ebola Papers, Check Your Science, Zimbardo’s Ugly Problems

reddit: Understand the Dynamics of Ebola Epidemics – For the bored, curious, and comorbidly morbid, a handful of open-access papers on Ebola (mostly epidemiological in nature) are available in this reddit thread. Possibly made more relevant by an index patient in Sierra Leone disappearing from the hospital, and the top Sierra Leonean ebola virologist coming down with the virus.

Also reddit: A toxicology professor from McGill did an AMA (“Ask Me Anything”) on his research into electromagnetic radiation and health effects. Redditors ripped apart his shoddy science and he basically refused to answer a single hard question.

BPS Research Digest: What the textbooks don’t tell you – one of psychology’s most famous experiments was seriously flawed

The SPE was criticised back in the 70s, but that criticism has noticeably escalated and widened in recent years. New details to emerge show that Zimbardo played a key role in encouraging his “guards” to behave in tyrannical fashion. Critics have pointed out that only one third of guards behaved sadistically (this argues against the overwhelming power of the situation). Question marks have also been raised about the self-selection of particular personality types into the study. Moreover, in 2002, the social psychologists Steve Reicher and Alex Haslam conducted the BBC Prison Study to test the conventional interpretation of the SPE. The researchers deliberately avoided directing their participants as Zimbardo had his, and this time it was the prisoners who initially formed a strong group identity and overthrew the guards.

Article goes on to talk about how the Stanford Prison Experiment is covered in top US psychology textbooks, which is less than inspiring. While I was studying, the SPE was certainly regarded as a staple in psych education, a bit of a monolith. I should’ve known better!

Readings: Tea Party Congressman Is An Idiot, Tasers and Suicide Bombers, The More Media Changes

FP: Freshman Congressman Mistakes Senior Government Officials for Foreigners – “In an intensely awkward congressional hearing of the House Foreign Affairs Committee on Thursday, freshman Rep. Curt Clawson misidentified two senior U.S. government officials as representatives of the Indian government.” – Tea partier from Florida. Shocker.

Speaking of shockers, from the Journal of Forensic Sciences: Sensitivity of TATP to a TASER Electrical Output – “A series of experiments were performed to evaluate and document the effect of a TASER (“stun gun”) on triacetone triperoxide (TATP), an easily manufactured explosive used often in IEDs and suicide bombing vests…The TATP reacted in 17/17 tests when the TASER arced through the TATP and 0/4 times when the TATP was configured in such a way that the TATP was not subjected to the electrical arc. Based on the experimental data, TATP will readily explode in a variety of configurations by a TASER or similar device.” – The lesson here: don’t tase suspected suicide bombers, it’ll likely end up worse than tasing someone after they’ve been dosed with alcohol-based pepper spray (hint: they immolate).

And this fantastic find from @AdrienneLaF: ‘Complaints @nytimes had about the telegraph in 1858: “superficial, sudden, unsifted, too fast for the truth…”’


Readings: Gameover Botnet Interview, Memory-Enhancing Implants, Snowpiercer Release

Krebs: Backstage with the Gameover Botnet Hijackers – “Defending a system that is as complex as this one is very hard. Complexity is the enemy of security. I won’t go into specifics, but let’s just say there are examples in the code where they clearly overreacted and introduced features that we could later use against them.” – An interesting lesson in the midst of a great interview, and a lesson that can be applied pretty broadly. Overreaction is an enemy in just about every field I can think of.

Ars Technica: Human memory-saving devices get $37.5m research boost from DARPA – “Both will initially work with people with epilepsy who have been given implants to locate where their seizures originate. The researchers will reuse the data gathered during this process to monitor other brain activity, such as the patterns that occur when the brain stores and retrieves memories.”

Verge: Post-apocalyptic thriller ‘Snowpiercer’ available for download just two weeks after release – ‘He added: “The motto at Radius is ‘a screen is a screen is a screen’ … We’re screen-agnostic, and as consumer habits change, film audiences today are becoming screen-promiscuous. Starting Friday, 85 million-plus consumers will have access to Snowpiercer on VOD. The film will be more widely available than every other film on screen this weekend combined. One way or the other, we’re going to find you somewhere.”’ – Incredibly smart tactic on their part. Multi-platform releases that focus on accessibility and timeliness are a great step toward a really thriving digital future.

Readings: Domestic Cessna Spyplanes, Hotel Computers Keylogged, Sentient Teen It Was Not

BoingBoing: Airborne police surveillance is a PVR for every car-journey in a city – “A Dayton-based company called Persistent Surveillance Systems wants to loft Cessnas with high-resolution cameras over cities, setting them circling and recording all automobile journeys in 25 square mile areas.” – This seems like a fascinatingly extravagant plan in an age where similar drones are more or less available now, and the entire system could be much more easily implemented at ground level with much less sophisticated technology. I drew up a scenario a few weeks ago that did this using simple plate-reading traffic cameras, cross-referencing available law enforcement databases and geotagging entries into ‘investigational databases’ (which, scarily, exist). The Cessna angle seems like an end run around both FCC drone issues and regulations on aerial surveillance.

Krebs: Beware Keyloggers at Hotel Business Centers – ‘“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts,” the warning continues. “The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”’ – Great points by Krebs here on the near impossibility of reliably securing a computer to which attackers have physical access.

Verge: Google futurist Ray Kurzweil and other experts say chatbot didn’t pass Turing Test – As I figured earlier, the arbitrary nature of the test conditions leaned towards a pass for an otherwise unremarkable piece of software.

Readings: CDC Flu Debacle, Dark Wallet, Predator Alert

Global News: What happened at the CDC’s flu lab? – “But the USDA lab noticed that the virus that was supposed to be H9N2 wasn’t behaving the way they would have expected it to – which likely means chickens started to die. So they tested it to see what they actually had on their hands. And they discovered the CDC had sent by error a sample that also contained H5N1. In the lab world, this is a bad mistake to make.” – So an anthrax mistake, a smallpox mistake and now a flu mistake all happening in pretty short order for the government. What is going on here?

Wired: Waiting For Dark – “It’s May Day, every anarchist’s favorite holiday, and the two 26-year-olds have marked the occasion by releasing a piece of software that represents their best attempt so far to undermine every government in the world. A call from a lawyer friend has reminded them that creative US prosecutors might hit them with conspiracy or other charges. So they’ve decided to skip town.” – Interesting article on some possible next steps for bitcoin, and an interesting profile of two pretty prominent community figures. I don’t buy into the libertarian theology but the tech is worth diving into.

Lifehacker: Predator Alert Warns You If Your OkCupid Prospect May Be Dangerous – Script that relies on two different things: a self-report scheme and face recognition. The idea that predators would self-report honestly, either externally or within themselves, is a bit laughable. But the second mechanism by which the user’s dating website profile picture is run through the US Sex Offender Registry is a bit fascinating.