Articles, Page 10 of 200
One of American’s not hostile drones has been captured by the Iranians after it crashed 140 miles into their country (off the Afghanistan border). It’s a model known as the RQ-170 and is now being associated to über-secret CIA efforts to monitor Iranian nuclear development. Since the crash, Iran has released a video showing Iranian officials examining the captured drone on display. As one might assume, the US government has neither confirmed nor denied the authenticity of the video given the seemingly intact nature of the drone despite crashing from over 50,000 feet. Higher resolution pictures from TheAviationist show little to no damage at all on the displayed drone with only minor abrasions to the lower wing and what appears to be putty work. Stories have varied as to the reasoning for the drone’s loss ranging from Iran claiming to have shot it down to have hacked it’s C2 causing the crash. Regardless of the reason, adversaries are chomping at the bit to reverse engineer the technologies on board.
In the 1960s, Stanley Milgram proposed the “small world” concept that everyone on the planet could be linked within six acquaintance hops. This is the basis for the Six Degrees of Kevin Bacon game showing his relationship to just about any actor/actress one can think of.1 The “small world” theory was attacked pretty hard in 2002 (pdf) when researchers looked at Milgram’s analysis and found it was based on relatively flaky empirical evidence. Needless to say, Facebook’s 800 million active users provide relatively solid empirical evidence for Internet connected users that global relationships can be achieved in not 6 hops, but a mere 4.7.
Having an embassy in Iran is risky business as the UK can attest to with its recent run in with Iranian protesters. The United States has not held a diplomatic presence in Iran since November of 1979 when protesters stormed the American embassy and took hostages. Recognizing the need to inform interested Iranians about the West without [local] state control spin, the United States has launched a virtual embassy to Iran through the Internet. According to the State Department, “This website is not a formal diplomatic mission, nor does it represent or describe a real US embassy accredited to the Iranian government. But, in the absence of direct contact, it can work as a bridge between the American and Iranian people.”
Only last month, CERN researchers stirred up controversy when a neutrino experiment produced a result indicating faster-than-light (FTL) speeds. While the back and forth about the experiment being flawed continues, the researchers pushed ahead and repeated their experiment while addressing many of the most vocalized concerns. Their result? A statistically significant number of neutrinos are still showing FTL speeds in the experiment such that many of the original CERN researchers that were on the fence are now buying into the results.
Back in the days of yore, hackers used to threaten users with physical damage like burning a hole into their CRT.1 It’s been a long time since true, physical damage threats have percolated but now security researchers are proposing they could set your printer on fire. The simplicity of network connected printers has also made a persistent presence on a target’s network much easier. Essentially, nobody ever checks whether the firmware loaded on a printer is the version provided by the OEM and their ubiquitous presence and 24/7 uptime make them prime targets. The hackers are completely replacing the embedded firmware in popular printer models with their own custom brew allowing them to steal printed documents remotely or finagle with the printer’s internal mechanism (like overheating a laser fuser). HP responded to the claims that it’s newer printers require digitally signed firmware and that the threat of fire is impossible due to thermal safeguards on the fuser element.
Years ago, Google was recruiting employees through the use of puzzles. GCHQ, Great Britain’s intelligence service, recently ran a similar campaign over the weekend entitle Can You Crack It featuring ciphertext in hexadecimal. It only took a weekend for the challenge to be broken with a complete write-up in video snippets on the technique available from Dr. Gareth Owen. Apparently, the job offer hidden within pays a mere £25,000 which many of the folks skilled enough to solve the puzzle are laughing at as absurdly small.
The United States has always stayed pretty mum about its offensive cyber-warfare intentions though the rhetoric has been shrouded in less and less secrecy and become more overt of late. Earlier in 2011, the White House released its International Strategy For Cyberspace (pdf) which first officially opened the can-of-worms regarding attack possibilities. USCYBERCOM, a sub-command to USSTRATCOM, finally has its operating guidance through the recent Department of Defense Cyberspace Policy Report (pdf) issued to Congress. Perhaps the most important bullet from that document explicitly states that both kinetic and non-kinetic cyber options are at the President’s disposal when dealing with attacks against the United States.
Many of the servers I’m operating exist in a VMware environment and were created on their Workstation platform before migrating to ESX. I had configured rolling, automatic snapshots under the Workstation environment where it was easily configurable and allowed me to, obviously, rollback any stupid changes I had made to my production images. However, after porting my images to ESX, the vSphere client did not allow me to edit this settings in any obvious fashion.
Laziness ensued and I went on my merry way only to discover these servers were consuming hundreds of gigabytes of provisioned space after several months had passed due to the fashion in which these snapshots were taken. I typically had to manually delete all the snapshots or consolidate them in order to recover diskspace. I passed this problem along to a VMware employee buddy of mine who advised:
Do you use all your vacation days? Or do you end up forfeiting them to your company’s policy at the end of the year. Apparently, most Americans simply give up an average of two vacation days a year, giving their employers free labor. To put those numbers into a little more perspective, estimates indicate that given present day labor figures, Americans give up 226 million vacation days valued at approximately $34.3 billion in man hours.
Matters continue to shake up in the Middle East following the recent IAEA report on the Iranian’s current nuclear program before the fallout was largely amongst political figureheads in discussing new or increased international sanctions against Iran, various countries proceeded with their own actions to include Britain cutting all financial ties with Iranian banks. A week later, Iranians stormed the British embassy after a rally escalated toward violence where the protesters replaced the flag, threw around office equipment and set parts of the embassy on fire. British Foreign Secretary William Hague admonished Iran in his statement, “the idea that the Iranian authorities could not have protected our embassy or that this assault could have taken place without some degree of regime consent is fanciful.” Following the actions, the UK has ordered all Iranian diplomats out of their country within 48 hours.
Simple question – how do you test your software?
There are, of course, many levels to a question like that. There are unit tests in order to flex individual functions within a program, test harnesses designed to feed situations to larger chunks of a program, manual debugging sessions and alpha releases with corresponding bug tracking measures. I’m really looking for that intermediate step between where test harnesses have confirmed that modules within a program are functional and an alpha release where the users tell you how broken it is. Maybe my Google-fu is just poor this week, but for example, I’d like to know how a team working on MySQL, LibreOffice or something of that significance can go from the step where they know “my-SQL-parser-works” or “my-atomic-transaction-logging-works” to knowing “I-just-compiled-MySQL-and-the-whole-shebang-works.”
Routers are the ubiquitous network devices operating quickly behind the scenes making Internet traffic possible. The recently published Foreign Economic Collection and Industrial Espionage report that called out Russia and China has caused lawmakers to begin an investigation into Chinese ZTE and Huawei network devices. According to the report, “Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the intelligence community cannot confirm who was responsible.” The Chinese companies have responded, essentially calling the report baseless and irresponsible without investigation. Considering the level of overt intrusion attempts already documented from the Chinese (and that’s six years ago), the risk is whether or not the devices contain covert, embedded firmware backdoors allowing the Chinese government (and state-sponsored industry) limitless access to the networks where their equipment is installed or even the possibility of crippling targeted infrastructure on demand.
Everybody has a somewhat different “house-rules” twist on Thanksgiving. Whether it’s food gluttony, football or both … what interesting add-on traditions are worthy of an OmniNerd thanksgiving?
Siri has been the talk of the iPhone 4s with it’s fancy responses to amusing questions. But, the app is entirely restricted to 4s owners which naturally irritates all the have-nots. Some French reverse engineers at Applidium has succeeded at figuring out how to talk to Apple’s Siri servers … without Siri. Their procedure was a matter of setting up a proxy to decrypt the SSL data sent between the phone and the server. Then they replayed the data to Apple while capturing the traffic in the middle whereupon they discovered the extensions to the HTTP header, the Speex codec for compressing the voice and the compressed plist data returned by the server to the device. Technically, with their discoveries, nothing is really preventing independent users from becoming Siri enabled other than a little programming know how.