
Monday, August 31, 2015

Electronic Education - Part II - RF Continuation, and the Languages of Machines


In my last article, we discussed some fundamental terms we will use to define electromagnetic concepts in the coming columns.  As I have studied over the years, I've felt how exciting it is when the concepts sink in a little bit.  When you formulate questions about the world around you (why do cellphone towers look like that?  What does each of those little wires do in a LAN cable?) and learn about them, more advanced concepts will come together more easily in your head.

Before we dive into the fascinating, complex, sometimes frustrating world of cryptography, we are going to discuss a few more electromagnetic and computer language concepts.




Important Influences on EM Energy

Just like sound and light waves, electromagnetic waves have properties such as reflection (like an echo or a reflection in a mirror), dimming (or fading via signal loss), resonance (similar to tuning a stringed instrument), and refraction (similar to reflection, but not quite).

In the previous chapter we talked a little bit about antenna propagation patterns (bi-directional, omni-directional) and how the way the antenna is designed causes these patterns to change.  Through the use of reflectors and directors, antennas can be made to transmit (and receive) a signal in a single direction (sometimes called a "beam" propagation pattern, or uni-directional).

Reflection - When we're talking about EM, this is when the signal "bounces" or glances off a surface, or the turning back of a radio wave from an object or the surface of the Earth.  Substances that reflect electromagnetic waves more efficiently are usually conductive (metal surfaces, pipes, wires, etc.).  This is useful for reflecting a more powerful signal in a single direction or around obstacles, but it's terrible when trying to get a weak WiFi signal in the basement corner in a house.


Image courtesy of kke.co.jp

There are a couple of important considerations regarding reflection and WiFi protection and exploitation, and the antennas that may be used to attempt to intercept your signal.  If at all possible, install your router in the room furthest from the street.  A common practice for kids learning how to break into WiFi is called wardriving.  Wardriving is the act of searching for WiFi wireless networks by a person in a moving vehicle, using a portable computer, smartphone, or personal digital assistant (PDA).(1)

If it's difficult to get a WiFi signal in the corner of your basement, try swapping rooms if you have a cable hookup in the back.  Not only will you transmit a WiFi signal that is as weak as possible before it enters the street outside your house, you may improve the signal connection in that pesky basement corner.  The more obstacles you put between your signal and a possible point of exploitation the better.

Antenna Gain - If you're especially interested in mathematics, you can look up the definition for this one and go to town with your mathy self.  In layman's terms, if an antenna transmits and receives in only one direction, it is said to "have significant antenna gain" in the specific direction it is transmitting (this can also be loosely associated with an antenna's "takeoff angle").  Gain is measured in decibels (dB).  This definition will become important in further discussions about why that basement corner is so bad for WiFi reception and what we use to quantify those measurements.

Resistance - This is the property of a material or substance to oppose the passage of electric current through it, thus causing electrical energy to be converted into heat.  Energy lost as heat to resistance is (mostly) what causes electronics to warm up when they are circulating electricity.  Resistance is also the reason why copper is better than steel at conducting electricity; copper has less electrical resistance than steel.  When constructing antennas, you want to select materials that have the lowest possible resistance.  To learn more about electrical resistance and conductance, follow the link provided at the bottom of the column.(2)

Resonance - When speaking about electromagnetism, resonance is the electrical state or frequency in which forces that impede signal propagation are at a minimum.

When I tune a guitar by twisting its tuning pegs, I am changing the physical and mechanical length of its strings so it resonates at the correct frequency, bringing it in tune with its corresponding note.  When I adjust the mouthpiece on a woodwind instrument, I am changing the physical length of the instrument, changing the pitch at which the instrument resonates.


Image by Scott Thistlethwait - courtesy of images.fineartamerica.com

The concept is similar when adjusting the length of an antenna; higher frequencies usually utilize smaller antennas, while larger antennas are used to propagate lower frequencies.  This is why modern cellphone antennas don't stick a foot up in the air; those types of antennas aren't necessary to transmit and receive on such high frequencies.

Thus, when I design and construct WiFi antennas, or HF antennas, I cut them to a specific length and test them to determine whether they are resonant on their intended frequencies.  If they are not resonant, I adjust their length by shortening them, adding material to them, or more carefully cutting them to specification.




Links at the bottom of this article will take you to an especially useful webpage that will help you determine the length of any antenna you want to construct.(3)  We will discuss specific lengths of cantenna and double bi-quad WiFi antennas in a future column.

Refraction - Refraction is the bending of a wave when it enters a different medium (such as glass, the ionosphere, water, etc.).  This is why light looks the way it does at the bottom of a swimming pool, or when a beam of light is famously refracted through a prism:


Image courtesy of www.allmusic.com

Radio waves act similarly when they pass through different mediums.  The next section is on High Frequency (HF) propagation, specifically what happens when it is refracted in the ionosphere.    While this phenomenon is not required to learn about WiFi protection or exploitation techniques, I will tell you that when studying things in the macro-scale, it becomes easier to understand fundamental concepts in the micro-scale.  A little side-note reading never hurt anyone, and I'll litter the section with pretty pictures.


Riding the Skywaves

Hopefully, everyone reading this is aware that Earth has an atmosphere.  Thank goodness the atmosphere happens to be there, or life would not be possible on Earth.  The atmosphere is divided into sections based on how far away from the Earth's surface the sections are.  The part of the atmosphere we are going to focus on in this section is named the ionosphere.


Image courtesy of nasa.gov

The ionosphere is a portion of the Earth's atmosphere at which ionization of gases will affect the transmission of radio waves.  Ionization is the separating of molecules into positive and negative charges, or ions, by adding or subtracting electrons from atoms.  Be thankful the ionosphere persistently lingers above our heads, because if it suddenly disappeared we would all be cooked by the sun's radiation.

In the words of Elon Musk, "the sun, we have this handy fusion reactor in the sky called the sun.  You don't have to do anything, it just works.  It shows up every day and produces ridiculous amounts of power."(4)

A ridiculous amount of this power travels outward into space in what is called solar wind, and some of it strikes the ionosphere.  Because the ionosphere is electrically charged, this solar wind glides across its surface like oil on water.  This happens much more on the side of the planet where it is currently daylight, and less during the evening hours, thus changing the properties of the ionosphere.

This is where the HF radio mantra "sun up frequency up, sun down frequency down" comes from.  If the wrong frequencies are used at the wrong time of day, those HF radio signals will either be absorbed into the ionosphere or ejected into the vacuum of space.  If the transmitting frequency is within a certain tolerance, it will be refracted (or bent) back toward the surface of the Earth and can be received great distances away.



This is a source of nerd joy for people like me, and people that post elaborate radio antenna construction videos on YouTube.  Skilled HAM and military radio operators use the ionosphere to their advantage when transmitting long distances.  Some are so skilled that they see the discipline as an art form in bridling the sometimes chaotic electromagnetic environment that is HF.

Sunspots are temporary phenomena on the Sun that appear visibly as dark spots.  They correspond to concentrations of magnetic field flux.  A Coronal Mass Ejection (CME) is a massive burst of gas and magnetic field arising from the Sun and being released into space as solar wind.


Image courtesy of nasa.gov

These CME events can have interesting and unintended effects on the ionosphere, which can sometimes be experienced on the surface of the Earth.  Often, large CME events coincide with brilliant displays of Northern Lights or Aurora Borealis, as the solar wind collides with the ionosphere.  The glowing patterns displayed are caused by electrons streaking down the gaseous surface of the ionosphere.


Image courtesy of 14jbella - Wikipedia.org

Ionospheric disturbances caused by CMEs can either cause HF transmissions to "duct" or propagate through the ionosphere and carry transmissions much further than usual, or they can interfere with satellite communications and the functions of electronics on the planet's surface.


Image courtesy of grazinspace.oeaw.ac.at

An interesting side note to Maxwell's Equations, which we talked about in the previous column, is the Carrington Event of 1859.  A CME hit the Earth's magnetosphere and created one of the largest geomagnetic storms on record.  The CME took 17.6 hours to make the 93 million mile trip to Earth.  The Aurora Borealis was able to be seen around the world and lit up the night sky, so much so that people thought it was morning and began preparing for their day.

Because of phenomena explained by Maxwell's Equations, there was so much electrical charge in the atmosphere that it created electrical current on the wires connecting telegraphs, which manifested itself as fires, sparks, and the ability to transmit telegraphs even when power supplies were disconnected.

A similar event occurred in 2012, but Earth was not aligned with the trajectory of the CME and it missed our planet.  It's a good thing it did, because with our heavy reliance on electronic components that the event would have destroyed, we would all be banging stones together trying to remember how to make fire.

You can learn more about the Carrington Event by clicking the link at the bottom of the column.(5)

While that story isn't completely relevant to communication security, hopefully it spawns some further thought about the nature of modern society.  Skills and knowledge would quickly become more important than "things" in that kind of situation.  To whom would people address their questions if Google was no more?



The Languages of Machines

Since (what I imagine) the beginning of consciousness, humans have used tools to express and control their needs, wants, and desires.  When written languages were created, humans needed a way to create records to pass on after their creators were gone.  From chisels to paint, the technology we've created has evolved into the modern computer and the Internet.  As machines progressed from the simplest of ideas, to mechanical, to electrical, to digital information, humans have always needed a "language" to communicate with their creations.

In modern times we don't pull levers or turn dials as much as we used to when communicating with our machines.  Our technology has gotten to the point where computers will operate mechanical machines for us, while we interact with a software user interface (UI).  But what are some of the most basic building blocks we use to communicate with our devices?

You might have heard the joke stating "there are 10 kinds of people: those who understand binary and those who don't."  You might have heard the statement "it's all zeros and ones to me."  If you don't understand yet, let me explain.

When rudimentary modem technologies were first developed, it was easiest to display either an "on" or an "off" position to convey information.  The first smoke signals, and some military flag or torch displays, transmit information via visual cues.  Morse Code is another visual (and also electronic) method of transmitting information, using similar principles of "off" and "on" or silence interrupted by "dits" and "dahs".




Rhey T. Snodgrass & Victor F. Camp, 1922 - Wikipedia.org

The most basic of electronic modem technologies incorporated this simple on or off idea; it is simple to derive information from simple "current on" and "current off" states on a transmission medium.  From this simple idea, binary code was born.

Most of us learned the decimal system in school; it is the "ten" based numbering system in which 10 sets of 10 equals 100.  Binary is a "two based" numbering system.  When speaking about computers, we say the "on" position is equal to 1 and the "off" position is equal to 0.

The first time I heard that, my brain exploded.  So how do I express the number 25?  How do I show the letter "A" on a computer screen if it's "all just zeros and ones"?

Simple: 25 = 11001 and A = 1000001.  That still didn't make any sense to me.

It wasn't until it was explained to me in a visual form:



Displayed above is a blank byte (or eight bits of information).  Each one of those boxes can contain either a "0" or a "1" (or an "off" or "on") in each position.  If any of the bit spaces have a one in them, add up the corresponding numbers below them to get the decimal equivalent.

When I initially teach anyone how to read binary, I usually truncate the first four positions off to create a "nibble", or four bits so it's easier to grasp.  So, below I've done that and displayed the number 1 in binary code:



Notice how the 1 position is turned "on" because of the number "1" in that slot.  Without all the boxes and identifying numbers it would simply look like 0001.  Now let's take a look at two and three:



Notice how adding up the numbers highlighted in green below the "switched on" boxes produces the corresponding decimal equivalent.  Now take a look at the number 4:



It isn't usually necessary to memorize a large number of binary numbers, as long as you know how the system works and know where to find references in case you forget.  Now that you understand the concept of basic binary code, you've been opened up to a whole new genre of annoying tee shirts.

What if we want to encode really large numbers?  If we look at the whole byte again and add up the numbers below all eight of the bits, we get the number 255.



If I want to make the number 256, the computer will string bytes together like this:



To display other characters besides numbers, your computer uses a system called American Standard Code for Information Interchange (ASCII), which is part of (and backward compatible with) the UTF-8 character encoding standard.  For simplicity's sake, we'll focus on ASCII for now.  The following diagram is an ASCII chart from a 1972 printer manual that I color coded a little bit:



Original image courtesy of Namazu-tron - Wikipedia.org

ASCII, which was originally developed from English telegraphic codes, contains 128 specified characters encoded as seven-bit binary integers.(6)  The light blue characters on the left are known as "control characters" (there are 33 of them); these are non-printing characters that perform functions such as line spacing and acknowledgements, and can be used to emit warnings.  I have included the DEL character in the light blue control characters (I didn't count it as one of the 33 control characters though).

Green characters are printable punctuation, symbols, and operators.  Yellow characters are the decimal numbers.  Red characters are capitalized and lower-case letters of the English alphabet.

If you find the capitalized letter "A" on the chart and match up its corresponding binary bit codes (b1, b2, etc.) you'll see we come up with 1000001.
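The place-value addition and the seven-bit ASCII lookup described above can be reproduced in a few lines of Python. This is an added example, not code from the original article; the function names and the sample "captured" bit stream are made up for illustration. The last function also shows that anyone who knows the encoding standard can read encoded data straight off the wire.

```python
"""Added example: byte place values and 7-bit ASCII codes."""

PLACE_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]  # one byte, read left to right


def byte_to_decimal(bits: str) -> int:
    """Add up the place values under every bit that is switched on."""
    if len(bits) > 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected at most eight characters, each 0 or 1")
    bits = bits.zfill(8)  # pad on the left, so "11001" becomes "00011001"
    return sum(v for v, b in zip(PLACE_VALUES, bits) if b == "1")


def render_byte(bits: str) -> str:
    """Draw the boxes-and-numbers table for one byte as plain text."""
    total = byte_to_decimal(bits)  # also validates the input
    bits = bits.zfill(8)
    top = " ".join(f"{b:>3}" for b in bits)
    bottom = " ".join(f"{v:>3}" for v in PLACE_VALUES)
    switched_on = [str(v) for v, b in zip(PLACE_VALUES, bits) if b == "1"]
    return f"{top}\n{bottom}\n{' + '.join(switched_on) or '0'} = {total}"


def decimal_to_bytes(number: int) -> list[str]:
    """Split a number into as many 8-bit bytes as it needs."""
    if number < 0:
        raise ValueError("only non-negative numbers are handled here")
    out = []
    while True:
        out.insert(0, format(number % 256, "08b"))
        number //= 256
        if number == 0:
            return out


def ascii_to_bits(text: str) -> list[str]:
    """Encode text as one 7-bit ASCII code per character."""
    codes = []
    for ch in text:
        if ord(ch) > 127:
            raise ValueError(f"{ch!r} is not one of the 128 ASCII characters")
        codes.append(format(ord(ch), "07b"))
    return codes


def bits_to_ascii(stream: str) -> str:
    """Decode a run of 7-bit ASCII codes; spaces between codes are ignored."""
    stream = "".join(stream.split())
    if len(stream) % 7 or set(stream) - {"0", "1"}:
        raise ValueError("expected a multiple of seven characters, each 0 or 1")
    return "".join(chr(int(stream[i:i + 7], 2)) for i in range(0, len(stream), 7))


# Constructed sample: a bit stream as an eavesdropper might record it.
CAPTURED = "1001000 1101001"

if __name__ == "__main__":
    print(render_byte("11001"))          # the number 25 from the text
    print(decimal_to_bytes(255))         # fits in one byte
    print(decimal_to_bytes(256))         # needs a second byte
    print(ascii_to_bits("A"))            # the letter A from the chart
    print(bits_to_ascii(CAPTURED))       # no key needed, only the standard
```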

So every time you write an email, or a text, or interact with machines that display text and characters, you are probably using ASCII codes.  In fact, when you entered this website, everything displayed on this page zipped across network lines and the air as "zeros and ones" and was reconstructed as text by your web browser.

This is important, because now that you can explain binary code, we can grasp an understanding of how information is passed via wired and wireless communications protocols.  You now have the framework in your head to discern how other such machine languages might work.  


Image courtesy of skyscrapercity.com

Before we continue, let's talk about a simple example of wireless transmission via an Xbox controller.  Every time I hit the green "A" button, the controller transmits a modulated (made of zeros and ones) signal on the 2.4 GHz frequency, which is interpreted by the software running on your console as "jump" (for example) depending on which game you're playing.

The process is similar for television remote controls, car key fobs, and garage door openers.  You press a button and a corresponding code is transmitted, and (hopefully) the corresponding action programmed into the machine takes place.  If you want to know what frequencies your devices are talking on, find the FCC label on the device, or just Google it.  You will be surprised to see the diversity of frequencies and types of modulation your devices communicate with.


A huge amount of information about a device can be learned by searching for the FCC ID and part numbers.
Image courtesy of overheaddooronline.com

Back to our discussion about other machine languages, we should have a firm understanding of how text and simple commands are transmitted.  What about images and color?  Maybe you've been asking yourself how all of this information is stored?

Color is encoded using hexadecimal codes.  Just like binary is a base 2 machine language, hexadecimal is known as a base 16 language.  That means it uses a combination of numbers (0 - 9) and letters (A, B, C, D, E, F) to tell your computer how to display color information on your screen.  The following is a chart of hexadecimal color codes:


Image courtesy of pagetutor.com

Now you should be able to understand this joke:


Image courtesy of 9gag.com

Most pictures you view on a computer are constructed as a grid of pixels which are physical points, described by an address and color information.(7)  When you email a picture, all of that pixel address and corresponding hexadecimal color information is broken down into binary code, transmitted as zeros and ones, and reconstructed on other devices based on the encoding standards we've discussed.  Movies are simply a series of high definition pictures, reconstructed on your screen extremely quickly.

All of these types of digital information can be stored.  One of the most common methods is on a magnetic hard disk drive (HDD).  Inside a hard drive, magnetic platters are encoded by actuator arms, which can detect (and write) changes in magnetic fields.  These microscopic magnetic fields represent either a 0 or a 1.


Image courtesy of engadget.com

Disc technologies are similar, but instead of magnetic fields, optical lasers are used to encode and read the data on the surface of a disc.  Tiny "pits" and "lands" are used to store data, but the encoding process is different than simple binary.(8)



Locard's Exchange Principle

There has been a lot of talk about "missing data" on the news lately.  It is true, data on hard disk drives and removable media can be overwritten with random information.  It can be overwritten several times to make it more difficult to pull old data off a drive, but it is still technically possible.  With enough time, money, and a good enough reason, data can be recovered under even the most extreme of circumstances.

Even if a criminal takes an email server and dumps the whole rig in a vat of molten steel and incinerates it, the data may still not be completely gone because of Locard's Exchange Principle.  With digital communications in mind, consider the following paragraph from Paul Kirk's Crime Investigation:

"Wherever he steps, wherever he touches, whatever he leaves, even without consciousness, will serve as a silent witness against him.  His fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects.  All of these and more bear mute witness against him.  This is evidence that does not forget.  It is not confused by the excitement of the moment.  It is not absent because human witnesses are.  It is factual evidence.  Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent.  Only human failure to find it, study and understand it, can diminish its value."(9)(10)


Image courtesy of gamefront.com

Every time you text, send a picture, make a phone call, and send an email, the system you use to do those things interacts with other systems you may be completely unaware of.  Each time information is transmitted, it bounces between several systems where it is sometimes recorded, creates a log entry, or changes some digital detail somewhere on one of those systems.

Even if the original device is incinerated and completely melted down, a careful analysis of the systems the device has interacted with can reveal information about the originally transmitted information.  This is why "wipe it with a cloth" and "I don't understand how it works digitally at all" doesn't fly, when people are taking a digital forensic investigation seriously.  Locard's Exchange Principle says the information, or evidence of the information and how it was lost, is somewhere.  Think about that when you step to the ballot in 2016.


Read my blog, then you'll understand how it works digitally, Mrs. Clinton
Image courtesy of frontpagemag.com

How is Information Kept Private?

In the next column we will build on what we have learned about electromagnetism and the different languages of machines and talk about methods of encryption.  Encryption is used to "scramble" the contents of a transmission so it is unintelligible if it is intercepted.  All data is encoded in some way and it is very easy to ascertain information that is encoded according to an industry standard.  It is much more difficult to read the contents of a transmission if it is encrypted.

We will discuss how encryption works, look at some examples of important or famous encryption algorithms, and learn about common methods used to break encryption algorithms.


References

(1) Wardriving - Wikipedia - https://en.wikipedia.org/wiki/Wardriving

(2) Electrical Resistance and Conductance - Wikipedia - https://en.wikipedia.org/wiki/Electrical_resistance_and_conductance

(3) List of Useful Antenna Length Guides and more information on wavelength:

- Wavelength Frequency Calculator - This is my favorite wavelength to frequency conversion calculator I've found online.  It's great because it allows you to calculate in hertz (Hz) all the way up to gigahertz (GHz), and allows quick conversion between the imperial and metric systems.  There is also a short, elegant description of the Wavelength Frequency Formula on the page - http://www.wavelengthcalculator.com/

- For more information on Wavelength, visit https://en.wikipedia.org/wiki/Wavelength

(4) Elon Musk Debuts the Tesla Powerwall - Youtube - https://youtu.be/yKORsrlN-2k

(5) The Solar Storm of 1859 - Wikipedia - https://en.wikipedia.org/wiki/Solar_storm_of_1859

(6) ASCII - Wikipedia - https://en.wikipedia.org/wiki/ASCII

(7) Pixel - Wikipedia - https://en.wikipedia.org/wiki/Pixel

(8) Compact Disc - Wikipedia - https://en.wikipedia.org/wiki/Compact_disc

(9) Crime Investigation - Paul Kirk

(10) Computer Hacking Forensic Investigator Certification Exam Guide - Charles L. Brooks (page 17)

Notes: if my insistence on using Wikipedia is offensive to you, or somehow undermines the integrity of my writing, you can purchase a complete set of Encyclopedia Britannica here for $1738.02 USD.  Information is free.

Also, if an image is not credited correctly anywhere on this site, it's because I cannot find the original source to mention.  If you have created or own any of the images on this site, please email me at admin@silentvector.org and I will attribute the image to you immediately.

Tuesday, July 21, 2015

Bitcoin: A Solution to the Financial Data Breach Debacle



Financial Data Breach Statistics


Since 2005 there have been at least 5,377 high-profile data breaches, totaling 786,098,214 (financial, medical, corporate, and intellectual property) records stolen.(1)  The monetary cost of these breaches to governments, companies, and consumers is widely approximated and can never completely be known.  Some large companies that have been breached within recent years are Target, Citibank, Heartland, Bank of New York Mellon, Countrywide Financial, T.J. Maxx, and CardSystems Solutions.  There are hundreds, if not thousands, more breaches; the ones listed are only the ones that have been formally identified and reported.  This article addresses financial records, specifically.

The costs of these heists are passed directly to the consumer by proxy payments of higher insurance premiums, expensive encryption algorithms (that often aren't applied at all), security hardware, and software.  The monetary second and third order effects of these initial costs are also inflated by the costs of training financial employees to use encryption software (which lowers overall productivity in time lost encrypting and decrypting customer information databases), and familiarization of IT employees with proper implementation and protocols associated with new security hardware and software.

Regardless of whether a company experiences a financial breach in security or not, the costs it incurs just trying to keep up with the computer security arms race to keep financial data secure are passed on to consumers.

Maintaining Your Financial Information Costs Money

The United States military uses sophisticated, time-based, "rotating key" encryption algorithms to secure even the most benign communications.  These methods are effective, because as a code-breaker gains enough information about the encryption and "pools of relevant data" to attempt to break the algorithm, the time-based protocols will modify the electronic keys before it is computationally possible to exploit the communications they protect.

The personal information you transmit during any electronic financial transaction already presents an attacker with "pools of relevant data" that cuts their work into smaller pieces.  For example, the majority of credit card numbers are 16 digits, are accompanied by a four digit expiration date, a 3 digit CVV/CVC, and are always paired with your first and last name and your billing address.


Image from deltecsolutions.com

This makes databases of your financial data some of the most lucrative electronic targets on the planet, simply because so much personal information is stored in one place.  Quite often, it sits on computer hardware whose security settings are factory defaulted (and easily searchable on Google).  It is often situated in poorly protected areas of corporate infrastructure.  It is also either shoddily encrypted or not encrypted at all to save productivity overhead time spent encrypting and decrypting portions of the database.

When a system breach and data purge occurs, there are corporate protections in place to compensate immediate victims and mitigate damage.  What is not usually taken into account are the financial hardships of the consumer when their identity is stolen.  The process of repairing mistakes on a credit score and recouping lost savings does not favor the individual consumer.  Often, companies will issue free subscriptions to identity theft protection services, which are themselves vulnerable to electronic attack.

Bitcoin and the Blockchain

Bitcoin was released in 2009 by Satoshi Nakamoto.  Bitcoin is a decentralized form of currency that operates outside of the industry standard "pool of relevant data" vulnerabilities I mentioned earlier.  It does not require a bank account, a credit card number, or your personal information to be transmitted along with financial transactions.

Bitcoin derives its value from the continued development of an encryption technology called the Blockchain.  The Blockchain is a complete record of all encrypted financial transactions that have ever occurred through the Bitcoin financial network.  Each Bitcoin transaction relies on a mathematical derivative (called a "hash") of every transaction that has occurred through the Blockchain, ever.

Each time a transaction is fed into the Blockchain, it is independently verified (by Bitcoin mining computers) against the entire history of the Blockchain.  Each time the individual transaction is verified, a new "hash" is encoded into the Blockchain.  When enough Bitcoin mining computers reach a consensus, or "verify" the transaction, it is permanently recorded into the Blockchain to be used in future transactions.  A new, temporary "CryptoAccount Key" is issued to the user's Bitcoin "wallet" as the old one is encoded in the Blockchain (although, permanent CryptoAccount Keys can be used as merchant accounts).

Bitcoin Miners use specialized computers to process these transactions back through the Blockchain, usually for a "miner fee" of 0.0001 Bitcoins (BTC).  Using the BTC to $USD exchange rates, that equates to approximately 25 to 30 cents.


Image from cryptocoinsnews.com

The incredible utility of this system is derived from the mathematical elegance of its "rotating-key" Blockchain technology.  It is essentially a military-grade method of encrypting financial transactions that is essentially free for the public to use.  Personally, I am more than happy to pay a quarter of one dollar to instantaneously order products from my favorite companies without the fear of my financial data being siphoned off by an electronic criminal.  Any malicious attempt to modify transaction data or inject nefarious code into the Blockchain is immediately purged, because the customer to vendor "end to end encryption" cannot be verified against the copy of the Blockchain that is kept on all Bitcoin mining computers.  
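The linkage described above, where each new record depends on a hash of what came before and altered data fails verification against the copies other nodes hold, can be shown with a small hash-chained ledger. This is an added, simplified example and not Bitcoin's actual block format: it leaves out proof-of-work, Merkle trees and transaction signatures, and the ledger entries and function names are made up for illustration.

```python
"""Added example: a minimal hash-chained ledger with tamper detection."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

# Constructed sample transactions, three batches of them.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "dave", "amount": 1}],
]


def block_hash(prev_hash: str, transactions: list) -> str:
    """SHA-256 over the previous block's hash plus this block's transactions."""
    payload = json.dumps({"prev": prev_hash, "tx": transactions}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches: list) -> list:
    """Link each batch of transactions to the hash of the block before it."""
    chain, prev = [], GENESIS
    for transactions in batches:
        digest = block_hash(prev, transactions)
        chain.append({"prev": prev, "tx": transactions, "hash": digest})
        prev = digest
    return chain


def first_invalid_block(chain: list):
    """Return the index of the first block that fails verification, or None."""
    prev = GENESIS
    for index, block in enumerate(chain):
        recomputed = block_hash(block["prev"], block["tx"])
        if block["prev"] != prev or recomputed != block["hash"]:
            return index
        prev = block["hash"]
    return None


def matches_local_copy(local: list, received: list) -> bool:
    """A node accepts a chain only if it agrees with the blocks it already has."""
    return all(a["hash"] == b["hash"] for a, b in zip(local, received))


def tamper(chain: list, index: int, new_tx: list, rehash: bool = False) -> list:
    """Return a modified copy of the chain, for testing the checks above."""
    forged = copy.deepcopy(chain)
    forged[index]["tx"] = new_tx
    if rehash:  # the forger also recomputes the altered block's own hash
        forged[index]["hash"] = block_hash(forged[index]["prev"], new_tx)
    return forged


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    changed = [{"from": "bob", "to": "mallory", "amount": 2}]
    print(first_invalid_block(chain))                           # intact chain
    print(first_invalid_block(tamper(chain, 1, changed)))       # stale hash
    print(first_invalid_block(tamper(chain, 1, changed, True)))  # broken link
    print(matches_local_copy(chain, tamper(chain, 2, changed, True)))
```

Recomputing the altered block's own hash only moves the failure to the next block, and a rewritten final block that is internally consistent still disagrees with the copy other nodes already hold.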

Get With the Times, Crypto-Currency Is the Future

According to Judd Bagley, CEO of overstock.com, Bitcoin users are between the ages of 18 and 34 years old.(2)  If we examine that demographic from outside the lens of crypto-currency users, these are the prime ages of American citizens attending colleges as computer science, software, and hardware engineering majors.

As a computer scientist attending school myself, I would rather not work in the financial sector of a company that has had any history of being breached.  These incidents are bad for the reputation of any company I may be employed by: my overall job security suffers, and the amount of income I make while working for one of these companies is lessened any time their security is breached.  If I work as an electronic security manager when one of these companies is breached, my personal reputation suffers.

Like the person that insists on writing a check in line during peak hours at the grocery store, the continued use of non-secure financial technologies is becoming culturally annoying.  There needs to be a push from computer scientists working in all financial sectors to broaden the understanding of Blockchain technologies and crypto-currencies in general.  While others feel content to pay insurance premiums for financial institutions through service fees (on accounts and at ATMs), I feel quite comfortable paying 25 cents per use when I make purchases with my Bitcoin wallet.

References:

For more information on Bitcoin and Blockchain technologies, visit: https://en.wikipedia.org/wiki/Bitcoin

The author uses Mycelium Bitcoin Wallet, which I have found to be secure and user-friendly: https://mycelium.com









Friday, July 17, 2015

U.S. Marines Mourn on Camp Pendleton

Submitted Anonymously on July 17, 2015.

In remembrance of those who gave the ultimate sacrifice on American soil on July 16, 2015.



To help combat ISIS online, follow the Controlling Section (@CtrlSec) on Twitter.

www.GhostSec.org
#GhostSec
#OpISIS



" We are the ghosts you have created. "

One Hacker Walks, Another Falls - An Odd Timeline of Events


Thanks For the Story, Fox

While sifting through the coverage of the DarKode website take-down on July 15, none of the articles caught my eye except one from Fox News.  I am not particularly a fan of Fox, but two paragraphs caught my attention:

"Some of the targets were responsible for hacking into Sony's PlayStation Network and Microsoft's Xbox Live services last year around Christmas, authorities said.

British authorities in January arrested an 18-year-old man for computer hacking offenses related to the disruptions but hadn't released his name. The South East Organized Crime Unit said then it had worked with the FBI."(1)

I ignored the rest of Fox's article because it was the same drivel everyone else was posting on their news sites.  The only high-profile hack involving Xbox and PlayStation I could remember from around that time involved the Lizard Squad.  It seems Fox might have been on to something if they had followed their leads a little deeper.


KMS and #freeKMS

After a bit of looking around Lizard Squad's Twitter, I found the following Tweet:


Rory Stephen Guidry, a.k.a. "KMS", has a court hearing scheduled for Friday, July 17 at 10:00 am at the United States District Court, Western District in Louisiana(2).  A report on The Daily Dot(3) alleges Mr. Guidry was acting as an informant for the FBI.  The #freeKMS hashtag on Twitter is another interesting source of information and will most likely continue to be after KMS' hearing.

An Odd Timeline of Events

There have been a series of interesting computer security events in the past four years:

- In the summer of 2011, hacktivist blackhat Hector Monsegur (known as Sabu) became an informant for the FBI.

- Computer hacker Jeremy Hammond was arrested on March 5, 2012 for allegations of hacking the Stratfor security firm.
- Journalist Barrett Brown confirmed one of his arrests via Twitter on March 6, 2012.  Mr. Brown was arrested again on September 24, 2012 for allegedly threatening an FBI agent.  He was held in pre-trial confinement until he was indicted on additional charges relating to Jeremy Hammond's Stratfor case.

- In April 2012, NSA security contractor Edward Snowden uncovers Project PRISM.  Further "Snowden Leaks" show the unconstitutional surveillance by the United States of its own citizens, as well as foreign governments and persons of interest around the world.  Mr. Snowden remains in Russia under asylum.

- Ross Ulbricht was arrested in early October 2013 for his alleged administration of the DarkNet market Silk Road under the alias "Dread Pirate Roberts."

- Jeremy Hammond was convicted in November 2013 for hacking Stratfor.

- Lizard Squad conducts DDoS attacks against Sony PlayStation in 2014, Tweets a bomb scare, and forces an American Airlines flight to make an emergency landing.  The flight was carrying Sony Online Entertainment President, John Smedley.
- On November 24, 2014 a hacking spree begins against Sony and ends up costing the company approximately $100 million in damages.  The attack was supposedly carried out by North Korea in retaliation for the production of the comedy film, The Interview.  There are conflicting reports, but the attack is said to have "ended" on December 24, 2014.

- Lizard Squad begins a DDoS attack against Sony PlayStation and Microsoft Xbox networks in December 2014.  After a slight reprieve after Christmas 2014, attacks picked back up again in January 2015.

- In January 2015, British authorities "arrest an 18-year-old man for computer hacking offenses related to the disruptions but hadn't released his name. The South East Organized Crime Unit said then it had worked with the FBI."(see 1)

- Ross Ulbricht's trial begins on January 12, 2015 and comes to be known as the "Silk Road Trial."

- Barrett Brown is convicted on January 22, 2015.

- Ross Ulbricht is convicted on February 4, 2015.

- In June 2015, the information of 4 million United States federal employees is stolen from the servers of the Office of Personnel Management (OPM).

- Italian-based security firm "Hacking Team" is breached on July 5, 2015.  400 gigabytes of emails and company information is posted to the website WikiLeaks.

- On July 8, 2015 an unnamed Lizard Squad member walks free after being convicted of 50,700 counts of computer crime.  The same day, the New York Stock Exchange (NYSE) is knocked offline for nearly four hours, the Wall Street Journal is taken offline, and United Airlines flights are grounded because of a "computer glitch."  Authorities claim the attacks are not connected.  The White House reports there is no suspected "nefarious actor" involved in the NYSE blackout, even though a popular Anonymous account on Twitter seemingly "predicted" the outage the evening before.

- Nearly 22 million more federal employee records are stolen from the OPM's servers on July 9, 2015.

- On July 15, 2015 the malware marketplace DarKode is taken offline.  The United States Justice Department cites 12 charges in relation to the site, and 28 arrests are reported by Europol in a coordinated effort the FBI has called "Operation Shrouded Horizon."

- KMS' pre-trial hearing is scheduled for July 17, 2015.  KMS allegedly used to have ties with the Lizard Squad.

"Shrouded Connections"

It seems many of the events listed overlap one another at opportunistic times to draw media, and therefore public, attention away from high-profile anomalies and the actions leading up to important court cases.  Many of these cases are surrounded by uncertain evidence introduced that allegedly violates American constitutional 4th Amendment rights.  There are also interesting examples of the Justice Department deciding, or not deciding, to press charges in relation to these alleged crimes.

Unexpectedly, Lizard Squad also announced on July 16 that it would no longer keep a record of any of its main Twitter account's tweets for longer than one week.

As these and similar stories unfold, electronic and computer laws will continue to be a matter of concern among journalists and activists.  Voices of protest and dissent are important for the accountability of governments and the continuation of democracy and its processes.

DarKode Continuation

DarKode was an invitation-only website, where potential members were nominated by existing members.  After their nomination, potential members listed their electronic exploits and accesses as a form of resume.  Existing members would vote potential members into the group.

DarKode's wares included bot-net rentals, computer code, malware, and access to databases of sensitive information.

Among those charged in connection with Operation Shrouded Horizon was Synthet!c, also known as Johan Anders Gudmunds of Sollebrunn, Sweden.  Synthet!c was allegedly DarKode's administrator.


References:

(1) Fox News, July 15, 2015 (http://fxn.ws/1GlUXey)

(2) KMS' detention hearing scheduled for Friday, 17 July at 10:00 AM at the United States District Court, Western District, Louisiana. #FreeKMS
(3) The Daily Dot, July 16, 2015 (http://bit.ly/1e3dgyw)




Original FBI press release on Twitter:


Monday, July 13, 2015

Ethics of Harnessing Crowd-Sourcing Technologies

Ethics of Harnessing Crowd-Sourced Technologies

     I have always been in awe of the collective power created by connecting people through the Internet.  Part of these incredibly potent abilities comes from crowd-sourcing.  Crowd-sourcing is the collective accomplishment of a task by giving a group of people small segments of work to be completed.  When each piece of work is completed, the individual parts are reassembled into a functioning product or information utility.  Examples of this are seen in crowd-funding, social networking, and the assignment of metadata to digital information to create meaningful content.

     When “Web 2.0” was built, the function of the Internet shifted.  In 2006, Time Magazine chose “You” as the person of the year because of the amount of useful information being produced by the general population.  Seamlessly, all around us all the time, we create information that is collectively changing the world.  Some of the smallest things we do on the Internet are having the largest impacts.  If we are the primary creators of Internet content, interesting ethical questions arise when owners of crowd-sourced products use our collective accomplishments in ways we did not intend.  Technology continues to pervade the most intimate aspects of our lives rapidly and lawmakers scramble to keep abreast of this development.  An important, modern, poorly documented and sparsely discussed question arises: If we produce so much valuable content, how much of the created products do we actually own and what is the difference between ethical and unethical use of information we create?

     One of the positive examples of crowd-sourcing I mentioned is the reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) project owned and run by Google.  Google uses reCAPTCHA information for a variety of projects, including Google Books.  It is in the process of digitizing scans of books for wider availability and distribution.  Google Maps is in the process of tagging numbered addresses to be used on Google Maps and Google Street View.

     Google uses high-resolution digital cameras and software called Optical Character Recognition (OCR) when it scans books or addresses.  Words and numbers the OCR software cannot identify are sent to reCAPTCHA on websites to be translated by humans.  Luis Von Ahn, co-creator of reCAPTCHA, says “According to our estimates, humans around the world type more than 100 million CAPTCHAs every day” (“ReCAPTCHA: Human-Based Character Recognition via Web Security Measures,” 2008).

     Based on Mr. Von Ahn’s estimates of how many reCAPTCHAs are processed per day, the following chart shows how long it would take to digitize famous literary works:



Figure 1:  According to Luis Von Ahn, co-founder of reCAPTCHA, how long it would take to digitize famous novels based on their word counts and daily reCAPTCHA usage statistics.  Data source: www.commonplacebook.com, “Word Count for Famous Novels”: http://commonplacebook.com/culture/literature/books/word-count-for-famous-novels/

     I excluded data on my graph about the 44 million words included in the Encyclopedia Britannica because the data dwarfs the other page counts. If reCAPTCHA focused the output of all its users on digitizing the Encyclopedia Britannica, our collective effort would transcribe its data in less than twelve hours. This is an immensely powerful tool for the enrichment and dissemination of human knowledge, but it also provides useful benefits to its users.

     The security created by reCAPTCHA prevents fake accounts and bot programs from flooding Internet websites with spam. Words and number sequences correctly identified by users are collected by Google. This information is used to complete books and maps, strengthening the usability of Google’s products. In my opinion, this is a great use of crowd-sourcing because the users and the company providing the service benefit equally. I found another product that leveraged the unique qualities of crowd-sourced information for more secretive, ethically ambiguous reasons.

     The majority of Facebook’s content is created by its users. Wall Street will disagree with me, but I believe Facebook’s value is determined by its customers. If Facebook didn’t have users to create content for the site, it would be an online advertising billboard; I wouldn’t visit. I assumed a website dependent on its customers for the existence of its business would be transparent and forthcoming when dealing with crowd-sourced information.

     I vaguely remembered a story that broke in the news about Facebook manipulating users’ feeds for some kind of psychological experiment. During my research, I came across the original study and read it in its entirety. What I found was a terrifying example of crowd-sourcing gone wrong. According to a study published in the Proceedings of the National Academy of Sciences (“Experimental Evidence of Massive-scale Emotional Contagion Through Social Networks,” 2014), English Facebook users were selected and the “experiment manipulated the extent to which people were exposed to emotional expressions in their News Feed. This tested whether exposure to emotions led people to change their own posting behaviors, in particular whether exposure to emotional content led people to post content that was consistent with the exposure—thereby testing whether exposure to verbal affective expressions leads to similar verbal expressions, a form of emotional contagion.”

     In 2014, the study famously brought to light a peculiar social experiment being conducted by Facebook. In summary, Facebook crowd-sourced its users to test the propagation of “emotional contagions” (i.e. contentment, depression, happiness, anger) based on posts from Facebook user walls. Experiences with Facebook were deliberately distorted, evoking measurable positive or negative emotional responses in users who conveyed their feelings as new posts. This user-generated data further manipulated the moods of others involved in the project. Facebook users were oblivious to the experiment until the story broke in 2014. The reaction of the public was disappointing and became as fleeting as the Facebook timelines it was manipulating.

     As a user of social media, I am alarmed research like this is being conducted at all. I ponder what purpose it serves. It is an unsettling feeling to second-guess if what I see on social media is a genuine representation of my personal network of friends and family. It also concerns me that my colleagues, friends, and relatives may perceive my digital persona inaccurately if Facebook is manipulating my data for frivolous social experiments. Were any of my posts distributed or weighted differently with unfair bias, possibly casting me in an unfavorable light with people I work with, trust, and love?

     Most concerning, I do not recall an option to opt in or out of the experiment (other than to stop using Facebook or learn another language besides English). It is also interesting to point out Facebook has since introduced a new suicide hotline function on their website, only after the experiment was brought to light. The value of this tool in saving human life will prove to be invaluable, but I wonder if it doesn’t serve another purpose to deflect possible litigation hinged on public knowledge of Facebook’s experiment.

     Even in 1942, doctors and ethics professionals had a clear vision of the parameters in which to conduct their experiments on human beings. Dr. A.N. Richards, chairman of the University of Pennsylvania School of Medicine, explained in a letter that “when any risks are involved, volunteers only should be utilized as subjects, and these only after the risks have been fully explained and after signed statements have been obtained which shall prove that the volunteer offered his services with full knowledge and that claims for damages will be waived. An accurate record should be kept of the terms in which the risks involved were described” (Richards, 1942).

     The experiment Dr. Richards is referring to was a bioethics experiment during World War II, but the intent of his words applies today. The spirit of responsibility and accountability is undeniable in this decades-old correspondence; so what happened? What thought processes took place in the designers of Facebook’s experiment? What made them believe they could bypass regulation, conduct emotional research, misinform their consumers, and conceal the purpose of their research? The most disconcerting aspect of the whole situation is from Facebook’s users: silence.

     It is my position that legal, ethical crowd-sourcing will positively change the Internet and many of its associated products. Clever uses of crowd-sourcing will continue to be an engine for the accomplishment of undesirable, menial tasks for the benefit of a broader consumer base. With oversight and careful consideration of data quality, crowd-sourcing can construct literal libraries of useful information. A dangerous line is crossed when consumers are not made aware of how their digital personas are manipulated, for any reason. This practice sows distrust between consumers and ultimately undermines a company’s business when they exercise unethical liberties on their users.


References:

Von Ahn, L., Maurer, B., Mcmillen, C., Abraham, D., & Blum, M. (2008). “ReCAPTCHA: Human-Based Character Recognition via Web Security Measures.” Science, 321(5895), 1465-1468.

Kramer, Adam D. I., Guillory, Jamie E., and Hancock, Jeffrey T. (2014) "Experimental Evidence of Massive-Scale Emotional Contagion Through Social Networks." Proceedings of the National Academy of Sciences of the United States of America 111.24 (2014) http://www.pnas.org/.

Richards, A. N. (1942) “Reply of A. N. Richards, Chairman, To Dr. J. E. Moore” Reproduction of the National Archives.  http://bioethics.gov/sites/default/files/NARA-II_0000132.pdf