Errata: Ellis on Murder, Oliver on Snowden, Liberalism, Passwords, Linux lockscreen

Great, short video of Warren Ellis talking about murder. The Original Series: Warren Ellis on Murder (YouTube, 4mins)

Last Week Tonight With John Oliver did a fantastic piece on Edward Snowden and NSA spying this week, layering the discussion upon the common denominator framework of dick pics. Last Week Tonight With John Oliver: Government Surveillance (YouTube, 33mins)

I am as liberal as the day is long but it’s always good to check myself, challenge where I’m coming from at micro and macro levels. In that spirit, NPR’s recent Intelligence Squared Debate is excellent and important listening. Do Liberals Stifle Intellectual Diversity On The College Campus? (NPR site w/ MP3 download, 50mins)

French TV network TV5Monde was “hacked by ISIS sympathizers” through the sophisticated means of having broadcast an interview with all TV5’s social media passwords in the background. (Article)

Linux computers running GNOME are subject to a CVE in which the screen lock can be bypassed to a terminal. (Article)

We’ll end with my ideal desk setup:

[Image: IMG_0107]

(Traffic monitoring system in I-Forget-What-City. Have totally forgotten where I grabbed this image.)

Darknet Market ‘Evolution’ Appears to be Exit-Scamming

Haven’t paid attention to darknet market stuff the past week or two but was notified this morning by a pingback that Evolution, the bitcoin-fueled online drug market, looks to have closed up and absconded with something like $12 million in user and vendor funds.

Via Qntra:

Just an hour prior to the site going offline, a former Evolution staff member by the name of NSWGreat informed his fellow users that Verto and Kimble, the site’s two owners, were exiting with all funds. NSWGreat posted:

I hate to be the bearer of bad news, but I’ve been suspicious the past few days with withdrawals not working and admins usually are more forthcoming in explaining to me why they’re slow but they weren’t this time. Just kept giving me time-frames

I have admin access to see parts of the back end, the admins are preparing to exit scam with all the funds. Not a single withdrawal has gone through in almost a week. Automatic withdrawals have been disabled, which is only done on rare occasions

I am so sorry, but Verto and Kimble have fucked us all. I have over $20,000 in escrow myself from sales.

I can’t fucking believe it, absolute scum. I am giving this warning to you all as soon as I possibly could have.

Confronted Kimble and Verto about it, they confirmed it and they’re doing it right now..

EDIT: Servers have gone down, including backup server for staff. I’m sorry for everyone’s losses, I’m gutted and speechless. I feel so betrayed.

EDIT2: Yes this is real, no this isn’t maintenance. No I can’t help anyone. Evolution can officially be put on the Wall of Shame.

I wish I could have done more, I hope you can forgive me for not noticing and speaking up earlier.

Back in December the synchronicity between the shutdown of Tor Carding Forum and the arrest of counterfeiter Willy Clock (who vended through TCF) caused me to ponder if TCF had been compromised by law enforcement. If so then Evolution would’ve been compromised just as deeply, since Verto ran both. So I’m not sure it’s an exit-scam we’re watching but wouldn’t be surprised either way.

Security Through Platform Inflexibility: GTA Online’s New Heists Are Broken

After a wait that spans as long as the game has been out, Rockstar finally released the Heists update for Grand Theft Auto Online. This comes after numerous delays shooting straight past specific release dates and breaking the hearts of people like me.

I’ve probably got a few hundred hours logged on the game so far. If it tells you anything, I bought GTA V and haven’t played a single minute of the single-player/story mode. I bought the game to play online, with friends, and do terrible terrible things to them and other players. Even friends know the fear of playing with me and suddenly seeing the blinking red light of a sticky bomb appear on their car or the ground beneath them, or the sudden violence of being sniped from invisibly far away.

Heists promised to up the ante for my friends and me partly because of another game we play: Payday 2. Payday’s a much less open world in which you commit robberies on banks, nightclubs and jewelry stores. In some ways it served as the Heist function we longed for deeply in GTA.

So imagine our delight once the GTA Heists Update dropped last week. And then imagine our horror as we realized how broken they are.

GTA heists are locked to a certain number of players; no more and no less. This is largely and somewhat understandably because the heists are scripted much more tightly than the open game. Payday heists give you multiple ways to accomplish each job; in GTA you have a single fairly linear path which it’s easy to stray off and fail.

The introductory GTA heist requires two players, a driver and a driller. I generally play with two other (totally great) guys, so we had to keep switching off to get the first one accomplished and unlock the rest. There’s no reason we could not have picked up a third member who, say, roamed around as a lookout or assisted in controlling the hostages in the bank. Hell, the third guy could’ve entered the vault and rubbed my feet while I drilled into a safety deposit box. But nope. Two only.

Having finished that heist three times over (so each of us unlocked heists) we approached the wider GTA heist ecosystem cautiously optimistic. Maybe the intro heist was a one-off, arbitrarily restricted for some reason we couldn’t see. That optimism turned to quiet, awkward loathing. Upon entering the next heist setup – Prison Break – we found that it required four players. Being only three, we began to invite people we didn’t know into the game lobby to play with us.

And things broke down.

Prior to playing the heists and out in the open world I had received an inordinate amount of invites to the games of strangers. I put this down to the newness of heists and everyone playing them, excited and hoping for some help. My in-game phone (where game invites are stored) started showing half a dozen, then a dozen invites. Odd and a little annoying since they pop up on screen when you receive an invite, but whatever. Then they kept coming. And often from the same players. Over the evening I had several instances where the same player would repeatedly spam an invite to his heist EVERY TEN SECONDS.

After sitting in our own heist lobby for five minutes with no one accepting invites, the true monster of GTA heists finally appeared on camera, so to speak. Heists are thoroughly broken because those that’ve already done a particular heist don’t want to do it again immediately, and unless you specifically have three other friends to play with, you are dependent upon the goodwill of a stranger to join your session.

We finally hooked up with a stranger and completed the second heist, and I’ll admit this: GTA heists are damn fun and, while displaying a linearity that betrays the open world of the larger game, well designed. I want to play them. I want to play them badly. But I couldn’t. Three more times we attempted to do a new heist and were foiled because we did not have a fourth player and no one would accept an invite.

So we’re back to a nearly pre-heists GTA. Between server problems, player count inflexibility and the fact that other players aren’t incentivized to join and help out others, we are left adrift. We are left, the three of us, staring longingly at the heist lobby hoping someone, ANYONE, joins our game.

For now the institutions of Los Santos seem largely safe from our nigh-unstoppable three-man crew.

SanDisk’s Wireless USB Drive Makes Me Sad

As one of the many hapless individuals stuck with a small-capacity iPhone, I’m always on the lookout for ways to extend its size and usefulness. Complicating this process is the fact that I’m hopelessly addicted to information. I crave it day and night, especially in audiobook and podcast form. So you can imagine my chagrin at being stuck with an 8GB iPhone.

I’ve been tied into the Apple ecosystem for a long time, often as an early adopter. Within relatively short order I’ve sported a first-gen iPod Nano and Touch, as well as a first-gen iPad purchased within a month of them coming on the market (my luck extends only so far, though, as I’ve never had the scratch for a Mac). The overwhelming majority of my music came straight through iTunes. I slogged through edu institution podcasts before iTunes U was a thing and then raided iTunes U on a weekly basis once it was. So, yeah. The platform works for me.

I spent years with Android phones, though. Didn’t have the money for an iPhone for a long time (I stuck primarily to prepaid carriers and would’ve had to shell out $600 up front for one). So for a long time I carried my Android phone and my 32GB second-gen iPod Touch.

Life got even better for a while. I worked a good job, made good money and decided to take the plunge back into wireless contracts so I could grab an iPhone; my first, a 5C 16GB “free” on contract. I immediately found the size constraining but made do for months on end shuffling things around and keeping a minimum of apps on the phone.

Life got worse. In December I lost my job of ten years and found it necessary to, embarrassingly enough, jump on my father’s wireless plan. But not to fear! We could get iPhones.

I ended up with a 5C, 8GB. I’ll spare you the details and just emphasize here that there is no way this device can meet my demands. Which is not its fault; and I’m not really complaining here. I’m damn happy to have a phone at all. But realities being what they are, I had to find a way around all this crap that didn’t involve carrying around 2-3 devices.

The SanDisk Connect Wireless Flash Drive entered my consciousness early this year with vague promises to cure my phone storage woes. “Stream music and videos straight from the device! Use on the go without a network around! Augment your phone or tablet with up to 64GB of extra storage!” And yes. I should’ve known better. But this seemed like a tailor-made answer to many of my problems. For some it was.

The Connect comes in two models: a 32GB model or 64GB model. Really, they’re USB/wireless chassis for Micro SD cards, but with an important distinction: the 32 only supports FAT32 formatting (you’ll see why this is a problem in a minute). The Connect also sports two modes: one where it broadcasts its own wifi network and you connect directly, or another mode in which you set it up to connect to a nearby wifi network so that you can maintain your mobile device’s connection to the internet while still accessing the Connect. The two different modes and the multiple connections they can service simultaneously are pretty neat.

Problems appeared as soon as I began to set the device up. The first? The SanDisk Connect’s default mode of operation is to broadcast an unprotected wireless network through which you must connect, via a mobile app, to set the device up. There is no way to set up the drive through a physical connection, no attempt at a unique generated key printed on the device or even a default password. Just an open wifi network until you work your way through the setup and reboot the damn thing into broadcasting a password-protected network instead.

The second problem is the app. Apps are available on iOS and Android, and both appear to be relatively buggy. The iOS app was worse, often inexplicably losing connection to the drive in either direct or indirect mode. This occurred over two different iPhone 5Cs, an iPad Mini, a Nexus 7 and a prepaid Android 4.4 phone whose make and model I’m forgetting at the moment, but was much more pronounced on iOS. The iOS app occasionally crashed or failed to see any drives, or simply failed to navigate or load folders on the drives. Manually killing and restarting the app often fixed these problems, but that’s no real fix at all.

The third problem hit me where it hurts. As stated above, these are simply chassis for Micro SD cards, so I grabbed a SanDisk 64GB microSD and put it into the lesser M model. No dice: it wasn’t formatted FAT32. So I format the card, throw a whole lot of data on and everything’s going swimmingly. I now have *two* 64GB Connect drives. Wanting to see how one of SanDisk’s major selling points worked, photo transfers from phones, I began the (relatively easy) process of uploading saved iOS photos to the Connect drive. Here’s the problem: formatting microSD cards over 32GB as FAT32 can lead to data problems. So when I tried to download the photos *from* the Connect, I began getting significant errors. I was able to salvage 20 out of 132 transferred pictures. Admittedly I was pushing the boundaries of the lesser model, but if one push merits unrecoverable data…

The fourth problem occurred when I engaged with the music/audio functions of the Connect. On iOS this requires playing through the Connect app rather than the native Music app. I often go to sleep listening to audiobooks of books I’ve previously read so I set my iPhone up to stream one off the Connect, locked the screen and lay back. Some time later silence prematurely descended and I realized the book had stopped. Perplexed, I checked my iPhone and realized that the wireless connection had quit and the Connect app only played until the end of the cached file rather than continuing to the next track. Confirmed in a conversation with a SanDisk rep the next morning: once you lock the device it will only play until the end of the file. Streaming is not maintained despite a number of apps (think Pandora or other radio) having figured this out long ago.

SanDisk has known about this problem for several years, as the message board postings I’ve seen go back that far, and apparently has no plans to fix it.

So, okay. I can download whatever book I want to listen to that night *into* the Connect app on my phone instead. It’ll take up room and is a little more cumbersome but it means one less device (an audiobook-heavy one) to lug around. This worked only passingly because the SanDisk Connect app is the most spartan app I’ve seen since “Yo.” You can download files to your phone or tablet, even create folders and subfolders. But you can’t arrange tracks or set up playlists at all. The files are simply *there.* And given that more than a few times the app arranged tracks in an odd order, that meant that multi-track listening was out unless the order was inherently correct OR I just wanted to listen on shuffle. There’s no way to port tracks to the native iOS Music app from Connect, so you’re stuck dealing with their simple no-frills player and half-cocked file organization structure.

Not surprisingly, Android did not have this problem. Once you’ve downloaded an audio file into the Connect app from the wireless drive, Android indexes it and automatically adds it to the native Android music app. This approaches pretty passable functionality and had my experience only been on Android it would be much more glowing.

Where the Connect did help significantly was my podcast habit. I’m subscribed to about forty podcasts at this point and try to listen to at least one or two a day. An 8GB iPhone interferes mightily with that as I regularly have less than 1GB of space left at any given moment. What I’ve found is that I can download all my podcasts via iTunes on my PC and simply transfer the Podcasts folder to the Connect. From there I download a few a day directly to the phone and play through the (ugh) SanDisk app. But the workflow does make the process simpler.

Management of other file types felt surprisingly better. Grabbing a PDF from the Connect and opening it in any app of my choice worked well, as did ebooks, word processing files and comic book files. I could throw my digital/non-DRM comic book collection on the Connect in its entirety and while on the go decide to read any of them within about a minute.

You can access it by way of computers, too. Unfortunately SanDisk has failed to provide any kind of app to support the Connect for computers so you’re stuck accessing it through a slightly convoluted web browser mode that only allows you to browse the drive and download. No uploading at all. Which seems…pretty shortsighted.

I had such high hopes for the SanDisk Connect Wireless USB Drive. It could have supercharged my iPhone like nothing else I’ve found, in so many ways. But after engaging with it deeply, dealing with streaming and playback issues, app and wireless flakiness and even some inherent limitations of iOS I find it to be seriously hampered.

If it worked on iOS like it worked on Android: B

If streaming worked like the marketing suggested: a goddamn A

Half a grade taken off for:
-iOS being hampered but that not acknowledged in the least in marketing material
-App unreliability
-Inability to do much wirelessly from PC
-Broadcasting unprotected by default!

Full grade taken off for:
-No background streaming
-The lack of thought, design and operability in the mobile apps
-SanDisk’s lackluster response to the streaming issue

Full grade GIVEN for:
-how easy it makes my podcast habit, given the storage-handicapped iPhone
-Good for dealing with non-audio/video files such as PDFs, digital comics

Which leaves what could have been a remarkable, beautiful device like the SanDisk Wireless Connect USB drive with a grade of: D.

I know I expect a lot. And I push things harder than they’re meant. But I expect a hell of a lot more than that, SanDisk.

Readings: Knightmare, Ulbricht Convicted, Franklin on Vaccinations

Doug Seven: Knightmare: A DevOps Cautionary Tale – “This is the story of how a company with nearly $400 million in assets went bankrupt in 45-minutes because of a failed deployment.” – I remember watching Knight explode in real time, had never heard the actual story. This is amazing. A great, and relatively short, post.

Wired: Silk Road Mastermind Ross Ulbricht Convicted of All 7 Charges – “Ulbricht faces a minimum of 30 years in prison; the maximum is life.” – No surprise. Defense was firing on half a cylinder, jury was confused and weakly led. May post about the path they should’ve taken soon.

Vox: Benjamin Franklin had the perfect response to anti-vaxxers back in the 18th century

In 1736 I lost one of my sons, a fine boy of four years old, by the small-pox, taken in the common way. I long regretted bitterly, and still regret that I had not given it to him by inoculation. This I mention for the sake of parents who omit that operation, on the supposition that they should never forgive themselves if the child died under it; my example showing that the regret may be the same either way, and that, therefore, the safer should be chosen.

Readings: Silk Road shenanigans, Great Firewall, Marriott backdown, Bitcoin in Britain, Google bug

Ars Technica: Defense bombshell in Silk Road trial: Mt. Gox owner “set up” Ulbricht – “In just over an hour of staccato cross-examination, Dratel’s strategy became clear: he was going to pursue a line of questioning suggesting that the man who really controlled Silk Road wasn’t his young client, but Mark Karpeles, the wealthy former owner of the Mt. Gox Bitcoin exchange.” – This is some serious tinfoil. I’d love to know the evidence behind it beyond “well, he knows bitcoin.”

Ars Technica: Behind the Great Firewall: using my laptop and phone in China – “I’m doing one of the biggest trips of my life using a four-year-old cell phone and a discontinued laptop that I hate. There’s a technology angle to traveling these days, and going to Shanghai has really complicated that situation.” – Interesting operational suggestions…worth doing in the US now too? Maybe.

Engadget: Marriott no longer wants to block guests’ WiFi devices – Glad to hear it.

Motherboard: The Struggle Between Bitcoin Traders and British Banks – “In each of these cases, the customer identified the buying and selling of Bitcoin as the only change in how they were using their bank accounts.” – Appears to be happening a bit in the US as well: bitcoin traders having their bank accounts abruptly closed. Given that bitcoin isn’t illegal, the question becomes: backdoor government pressure to marginalize bitcoin, or industry decision? Both?

Engadget: Why Google won’t fix a security bug in almost a billion Android phones – “Rafay Baloch, an independent researcher, and Joe Vennix, an engineer at Rapid7 (a security and data analytics firm) found a serious bug in the WebView component of Android 4.3 and below. It’s an older bit of software that lets apps view webpages without launching a separate app, and the bug in question potentially opens up affected phones to malicious hackers. Android 4.4 and 5.0 are unaffected by the bug, but as 60 percent of Android users — that’s close to a billion people — still use Android 4.3 or lower, it still affects a lot of people.” – Troubling.

Readings: Cheap USB Keylogger, Ridiculous Reasons to Call 911, Charlie Hebdo’s Legacy

Ars Technica: Meet KeySweeper, the $10 USB charger that steals MS keyboard strokes – “KeySweeper is the brainchild of Samy Kamkar, a hacker who has a track record of devising clever exploits that are off the beaten path. The namesake of the Samy worm that inadvertently knocked MySpace out of commission in 2005, Kamkar has concocted drones that seek out and hack other drones and devised exploits that use Google Streetview and Google Wi-Fi location data to stalk targets. His hacks underscore the darker side of the connected world that makes it possible for bad guys to monitor our most private communications and everyday comings and goings.”

CBC: Worst 911 calls of 2014, from B.C.’s E-Comm – As a former 911 dispatcher of ten years or so, I can sympathize. And as silly as they seem to be I believe them.

From a French leftist and longtime Hebdo reader, via @michaeldweiss:

[Image]

Readings: Dreams, Dresses, Petraeus, Twitter, North Korea

via Morgan Housel:

[Image: dream]

Well, I’m glad that’s finally settled.

Verge: Prosecutors recommend felony charges against General Petraeus for email leak – “Today, The New York Times is reporting that the FBI and Justice Department have recommended felony charges against the General for leaking classified information to his mistress, Paula Broadwell. Petraeus hasn’t commented on the charges, but has apparently told the Justice Department that he has no interest in a plea deal.” – This’ll be fascinating to watch, if it happens.

Lifehacker: Falcon Pro Returns to the Play Store with Columns, Multi-Account, More – Pretty terrible relaunch. Given that they stopped supporting the original Falcon Pro app, charge for extra features and the app itself doesn’t seem to be working all that well, I’m going to avoid this one. Reviews in the Play store are abysmal. A shame. I loved the original.

Ars Technica: FBI Director says Sony hackers “got sloppy,” exposed North Korea connection – So an easily engineered false lead is their strongest evidence? Huh. Also – Comey takes the moment to fire shots at device encryption, signaling a renewed war by the government on secure communications.

via Theremina:

Meet the Robotic Spider Dress. Techno Couture from Anouk Wipprecht, a dress with insect-like robotic limbs which react to the proximity of others.

[Image: dress]

Sony Hack, attack on North Korea and the Attribution Problem

I’m wrapping myself in all sorts of tinfoil lately.

A whole lot’s been made of North Korea undergoing a Distributed Denial of Service attack yesterday that basically cut it off from the rest of the internet. There’s been speculation that the DDoS was perpetrated by the US, or by Sony, in response to the hack of Sony that North Korea’s currently being blamed for.

With regard to both the Sony hack and Korean DDoS, we don’t know at this point who did them. The FBI is obviously blaming North Korea for the former, but a number of experts find that implausible, as does this layperson. This is one of the major problems with the idea of “responding” to a cyberattack: unlike a gunshot, mortar or missile it’s hard as hell to tell where it came from. And the technologies to change that are the same technologies being abused by major governments around the world to spy on whole populations.

I’m going to go out on a limb here, though. And I’m going to make a stab at identifying the people that attacked North Korea and cut them off the internet.

It was the same damn people that hacked Sony.

I’m pretty sure the US wouldn’t respond with something as blatant as a DDoS attack, but it’s the perfect move to escalate US/North Korean tensions sky high. And it’s startlingly easy:

Prince and others bet that a run-of-the-mill DDoS attack took down North Korea’s Internet because the isolated country has a “pipe” to the Internet so narrow that a routine attack could easily flood its capacity and take it offline.

Ofer Gayer, security researcher at Incapsula, estimated North Korea’s total bandwidth at 2.5 Gbps, far under the capacity of many recent DDoS attacks, which typically are in the 10Gbps to 20Gbps range. “Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint,” Gayer said, also in an email.

Almost all of North Korea’s Internet traffic passes through a connection provided by China Unicom, the neighboring country’s state-owned telecommunications company. North Korea has just a single block of IP (Internet protocol) addresses, or just 1,024 addresses, another vulnerability; in comparison, the U.S. boasts 1.6 billion IP addresses.

As the Computerworld article states, there’s even the chance this is some random “kid in a Guy Fawkes mask.” But I’m willing to bet a small amount of money that it’s the same people that hacked Sony, who have no affiliation to North Korea whatsoever. It’s a fascinatingly easy way to screw around in the International Relations game, and a logical second step to their first with Sony. The inability to attribute hacks and cyberattacks means that a single actor can easily pretend to be both aggrieved sides.

The first attack had them down for nine hours yesterday. According to the folks that broke the story, DynResearch, North Korea is down again.

Let’s see what happens next.

Tor Carding Forum Shutdown Synchronicity

Tracking a slight synchronicity that I imagine no one but me finds interesting. Journalist and all-around security news badass Brian Krebs posted yesterday about the arrest of alleged counterfeiter Willy Clock:

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

The story’s interesting and worth reading on its own merits when you have a moment, but a particular facet of the investigation stood out to me. Clock used Tor Carding Forum to vend his counterfeit bills:

The government says Gustafson sold the bills through the Tor Carding Forum, a cybercrime shop that is unreachable from the regular Internet. Rather, visiting the Tor Carding Forum requires the visitor to route his communications through Tor, a free software-based service that helps users maintain anonymity by obfuscating their true location online.

Willy Clock’s phony currency wasn’t only available via Tor. By the middle of 2014, ads for his funny money were showing up on regular, Internet-based cybercrime forums. One reseller of Willy Clock’s notes even set up his own sales thread on Reddit.

That’s interesting to me not on its own but in combination with the announcement last Thursday that Tor Carding Forum is shutting down, relayed to me by Ars Technica (and linked in yesterday’s readings):

After many successful years I have decided to close TCF. There are several reasons including significant decline of quality contributions, what to do with sales/escrow, but ultimately I no longer have the time to run both TCF and Evolution. The site will remain online for a while to allow members to save any important messages or conclude any outstanding business, however new registrations are permanently disabled.

On behalf of current and former TCF staff, thanks for all your support and we’ll see you around Evolution Forums!

A TCF vendor getting thoroughly nailed and TCF almost simultaneously announcing that it’s winding operations down reminded me pretty keenly of a few previous carder forums that had been compromised and run by federal investigators in order to bust yet more vendors and buyers, until the investigation is ended or consolidated and the site is either formally raided or shut down “organically” by its administrators.

In this case the admin in question, Verto, also administrates one of the biggest dark net markets still going: Evolution. If (and that’s a damn big if) TCF was compromised, Evo almost certainly is. Which would be a huge coup for law enforcement. It’d also make sense to consolidate the TCF/Evo investigation into just one, which might’ve warranted the shutdown.

There are quite a few problems with this scenario, not the least of which is that TCF was the problem of the Secret Service, and I’m not sure their jurisdiction would cover Evo. But the timing of the vendor bust and the site shutdown is just wickedly convenient to me.