<p>Quec.li: m's republished posts (<a href="http://quec.li/~m">http://quec.li/~m</a>)</p> <h2><a href="http://aboutphotography-tomgrill.blogspot.com/2016/08/lightning-storm-over-manhattan.html">Lightning storm over Manhattan</a></h2> <p>Tue, 16 Aug 2016 21:44:00 -0400</p> <p>For the past week or so we've been treated to late afternoon and evening thunderstorms with dramatic cloud formations, often accompanied by lightning strikes. Last night we had a dry storm with lightning. I set up my X-Pro2 on a tripod to try to capture some of the strikes. With an aperture of f/11 and ISO 200 (this is when I wish Fuji had a lower 100 as the base ISO) I ended up with a shutter speed of 4 seconds. When photographing lightning you need to keep snapping away with a slow shutter speed; in this case, I was using a 4 second exposure. I usually time my exposures by waiting several seconds after a strike and then opening the shutter for a time exposure. Then you've got to be lucky.</p> <div><a href="https://2.bp.blogspot.com/-89qItpbmt7w/V7O_GQXTPLI/AAAAAAAAby4/vFQCNsSYEsM1mQ5Jp6zD_M5t48ldAWxXgCLcB/s1600/ti0109439bwbl.jpg" imageanchor="1"><img border="0" src="https://2.bp.blogspot.com/-89qItpbmt7w/V7O_GQXTPLI/AAAAAAAAby4/vFQCNsSYEsM1mQ5Jp6zD_M5t48ldAWxXgCLcB/s1600/ti0109439bwbl.jpg" /></a></div> <h2><a href="https://www.schneier.com/blog/archives/2016/08/major_nsaequati.html">Major NSA/Equation Group Leak</a></h2> <p>Tue, 16 Aug 2016 11:43:00 -0400</p> <h2><a href="https://www.schneier.com/blog/archives/2016/08/powerful_bit-fl.html">Powerful Bit-Flipping Attack</a></h2> <p>Tue, 16 Aug 2016 08:09:00 -0400</p> <p>New research: "<a 
href="https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_razavi.pdf">Flip Feng Shui: Hammering a Needle in the Software Stack,</a>" by Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos.</p> <blockquote><p><b>Abstract</b>: We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over <i>arbitrary</i> physical memory in a <i>fully controlled way</i>. FFS relies on hardware bugs to induce bit flips over memory and on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere in the software stack. We show FFS is possible today with very few constraints on the target data, by implementing an instance using the <i>Rowhammer bug</i> and <i>memory deduplication</i> (an OS feature widely deployed in production). Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page's contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page.</p> <p>We show FFS is extremely powerful: a malicious VM in a practical cloud setting can gain unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH public-key authentication, and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism. 
We conclude by discussing mitigations and future directions for FFS attacks.</p></blockquote> <h2><a href="https://www.schneier.com/blog/archives/2016/08/yet_another_gov.html">Yet Another Government-Sponsored Malware</a></h2> <p>Mon, 15 Aug 2016 14:43:00 -0400</p> <p>Both <a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf">Kaspersky</a> and <a href="http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets">Symantec</a> have uncovered another piece of malware that seems to be a government design:</p> <blockquote><p>The malware -- known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec -- has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes.</p> <p>[...]</p> <p>Part of what makes ProjectSauron so impressive is its ability to collect data from computers considered so sensitive by their operators that they have no Internet connection. To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the "air-gapped" machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.</p> <p>Kaspersky researchers still aren't sure precisely how the USB-enabled exfiltration works. 
The presence of the invisible storage area doesn't in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.</p> <p>"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a <a href="https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/">separate blog post</a>. "This method of operation ensures Project Sauron's extended persistence on the servers of targeted organizations."</p></blockquote> <p>We don't know who designed this, but it certainly seems likely to be a country with a serious cyberespionage budget.</p> <h2><a href="https://www.eff.org/press/releases/eff-des-cracker-machine-brings-honesty-crypto-debate">EFF DES CRACKER MACHINE BRINGS HONESTY TO CRYPTO DEBATE</a></h2> <p>Tue, 09 Aug 2016 17:26:00 -0400</p> <div><div><div>ELECTRONIC FRONTIER FOUNDATION PROVES THAT DES IS NOT SECURE</div></div></div><div><div><div><p>SAN FRANCISCO, CA -- The Electronic Frontier Foundation (EFF) today raised the level of honesty in crypto politics by revealing that the Data Encryption Standard (DES) is insecure. The U.S. government has long pressed industry to limit encryption to DES (and even weaker forms), without revealing how easy it is to crack. 
Continued adherence to this policy would put critical infrastructures at risk; society should choose a different course.</p> <p>To prove the insecurity of DES, EFF built the first unclassified hardware for cracking messages encoded with it. On Wednesday of this week the EFF DES Cracker, which was built for less than $250,000, easily won RSA Laboratory's "DES Challenge II" contest and a $10,000 cash prize. It took the machine less than 3 days to complete the challenge, shattering the previous record of 39 days set by a massive network of tens of thousands of computers. The research results are fully documented in a book published this week by EFF and O'Reilly and Associates, entitled "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design."</p> <p>"Producing a workable policy for encryption has proven a very hard political challenge. We believe that it will only be possible to craft good policies if all the players are honest with one another and the public," said John Gilmore, EFF co-founder and project leader. "When the government won't reveal relevant facts, the private sector must independently conduct the research and publish the results so that we can all see the social trade-offs involved in policy choices."</p> <p>The nonprofit foundation designed and built the EFF DES Cracker to counter the claim made by U.S. government officials that governments cannot decrypt information when protected by DES, or that it would take multimillion-dollar networks of computers months to decrypt one message. "The government has used that claim to justify policies of weak encryption and 'key recovery,' which erode privacy and security in the digital age," said EFF Executive Director Barry Steinhardt. 
It is now time for an honest and fully informed debate, which we believe will lead to a reversal of these policies."</p> <p>"EFF has proved what has been argued by scientists for twenty years, that DES can be cracked quickly and inexpensively," said Gilmore. "Now that the public knows, it will not be fooled into buying products that promise real privacy but only deliver DES. This will prevent manufacturers from buckling under government pressure to 'dumb down' their products, since such products will no longer sell." Steinhardt added, "If a small nonprofit can crack DES, your competitors can too. Five years from now some teenager may well build a DES Cracker as her high school science fair project."</p> <p>The Data Encryption Standard, adopted as a federal standard in 1977 to protect unclassified communications and data, was designed by IBM and modified by the National Security Agency. It uses 56-bit keys, meaning a user must employ precisely the right combination of 56 1s and 0s to decode information correctly. DES accounted for more than $125 million annually in software and hardware sales, according to a 1993 article in "Federal Computer Week." Trusted Information Systems reported last December that DES can be found in 281 foreign and 466 domestic encryption products, which accounts for between a third and half of the market.</p> <p>A DES cracker is a machine that can read information encrypted with DES by finding the key that was used to encrypt that data. DES crackers have been researched by scientists and speculated about in the popular literature on cryptography since the 1970s. The design of the EFF DES Cracker consists of an ordinary personal computer connected to a large array of custom chips. 
It took EFF less than one year to build and cost less than $250,000.</p> <p>This week marks the first public test of the EFF DES Cracker, which won the latest DES-cracking speed competition sponsored by RSA Laboratories (<a href="http://www.rsa.com/rsalabs/">http://www.rsa.com/rsalabs/</a>). Two previous RSA challenges proved that massive collections of computers coordinated over the Internet could successfully crack DES. Beginning Monday morning, the EFF DES Cracker began searching for the correct answer to this latest challenge, the RSA DES Challenge II-2. In less than 3 days of searching, the EFF DES Cracker found the correct key. "We searched more than 88 billion keys every second, for 56 hours, before we found the right 56-bit key to decrypt the answer to the RSA challenge, which was 'It's time for those 128-, 192-, and 256-bit keys,'" said Gilmore.</p> <p>Many of the world's top cryptographers agree that the EFF DES Cracker represents a fundamental breakthrough in how we evaluate computer security and the public policies that control its use. "With the advent of the EFF DES Cracker machine, the game changes forever," said Whitfield Diffie, Distinguished Engineer at Sun Microsystems and famed co-inventor of public key cryptography. "Vast Internet collaborations cannot be concealed and so they cannot be used to attack real, secret messages. The EFF DES Cracker shows that it is easy to build search engines that can."</p> <p>"The news is not that a DES cracker can be built; we've known that for years," said Bruce Schneier, the President of Counterpane Systems. "The news is that it can be built cheaply using off-the-shelf technology and minimal engineering, even though the Department of Justice and the FBI have been denying that this was possible." Matt Blaze, a cryptographer at AT&amp;T Labs, agreed: "Today's announcement is significant because it unambiguously demonstrates that DES is vulnerable, even to attackers with relatively modest resources. 
The existence of the EFF DES Cracker proves that the threat of "brute force" DES key search is a reality. Although the cryptographic community has understood for years that DES keys are much too small, DES-based systems are still being designed and used today. Today's announcement should dissuade anyone from using DES."</p> <p>EFF and O'Reilly and Associates have published a book about the EFF DES Cracker, "Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design." The book contains the complete design details for the EFF DES Cracker chips, boards, and software. This provides other researchers with the necessary data to fully reproduce, validate, and/or improve on EFF's research, an important step in the scientific method. The book is only available on paper because U.S. export controls on encryption potentially make it a crime to publish such information on the Internet.</p> <p>EFF has prepared a background document on the EFF DES Cracker, which includes the foreword by Whitfield Diffie to "Cracking DES." (See <a href="http://www.eff.org/descracker/">http://www.eff.org/descracker/</a>). The book can be ordered for worldwide delivery from O'Reilly &amp; Associates via the Web (<a href="http://www.ora.com/catalog/crackdes">http://www.ora.com/catalog/crackdes</a>), or phone (1 800 998 9938, or +1 707 829 0515.)</p> <p>The Electronic Frontier Foundation is one of the leading civil liberties organizations devoted to ensuring that the Internet remains the world's first truly global vehicle for free speech, and that the privacy and security of all on-line communication is preserved. Founded in 1990 as a nonprofit, public interest organization, EFF is based in San Francisco, California. 
EFF maintains an extensive archive of information on encryption policy, privacy, and free speech at the EFF Web site (<a href="http://www.eff.org">http://www.eff.org</a>).</p> </div></div></div> <h2><a href="http://www.darktable.org/2016/08/compressing-dynamic-range-with-exposure-fusion/">compressing dynamic range with exposure fusion</a></h2> <p>Tue, 09 Aug 2016 14:14:00 -0400</p> <p>modern sensors capture an astonishing dynamic range, for example 
some sony sensors or canon with <a href="http://www.magiclantern.fm/forum/?topic=7139.0">magic lantern's dual iso feature</a>.</p> <p>this is in a range where the image has to be processed carefully to display it in pleasing ways on a monitor, let alone within the limited dynamic range of print media.</p> <h2>example images</h2> <h3>use graduated density filter to brighten foreground</h3> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0016.jpg" alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4183" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0016.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0016-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0016-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0016-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0016-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0015.jpg" alt="graduated density filter" width="1617" height="1080" class="alignnone size-full wp-image-4184" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0015.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0015-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0015-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0015-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0015-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p>using the <a href="http://www.darktable.org/usermanual/ch03s04s05.html.php#graduated_density">graduated density iop</a> works well in this case since the horizon here is more or less straight, so we can easily mask it out with a simple gradient in the graduated density module. 
now<br /> what if the objects can't be masked out so easily?</p> <h3>more complex example</h3> <p>this image needed to be substantially underexposed in order not to clip the interesting highlight detail in the clouds.</p> <p>original image, then extreme settings in <a href="http://www.darktable.org/2012/02/shadow-recovery-revisited/">the shadows and highlights iop</a> (heavy fringing despite bilateral filter used for smoothing). also note how the shadow detail is still very dark. third one is <a href="http://www.darktable.org/usermanual/ch03s04s02.html.php#global_tonemap">tone mapped (drago)</a> and fourth is default darktable processing with +6ev exposure.</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0007.jpg" alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4189" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0007.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0008.jpg" alt="shadows/highlights" width="1617" height="1080" class="alignnone size-full wp-image-4188" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0008.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0008-2.jpg" alt="tonemap" 
width="1617" height="1080" class="alignnone size-full wp-image-4187" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0008-2.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-2-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-2-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-2-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-2-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0008-3.jpg" alt="+6ev" width="1617" height="1080" class="alignnone size-full wp-image-4186" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0008-3.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-3-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-3-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-3-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0008-3-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p>tone mapping also flattens a lot of detail, which is why this version already has some local contrast enhancement applied to it. this can quickly produce unnatural results. the same applies to colour saturation (for reasons of good taste, no link to examples at this point..).</p> <p>the last image in the set is just a regular default base curve pushed by six stops using the exposure module. the green colours of the grass look much more natural than in any of the other approaches taken so far (including graduated density filters, which need some fiddling with the colour saturation..). 
unfortunately we lose a lot of detail in the highlights (to say the least).</p> <p>this can be observed for most images, here is another example (original, then pushed +6ev):</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0004.jpg" alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4191" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0004.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0005.jpg" alt="+6ev" width="1617" height="1080" class="alignnone size-full wp-image-4190" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0005.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0005-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0005-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0005-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0005-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <h2>exposure fusion</h2> <p>this is precisely the motivation behind the great paper entitled <a href="http://web.stanford.edu/class/cs231m/project-1/exposure-fusion.pdf">Exposure Fusion</a>: what if we develop the image a couple of times, each time exposing for a different feature (highlights, mid-tones, shadows), and then merge the results where they look best?</p> <p>this has been available in software for a while in <a href="http://wiki.panotools.org/Enfuse">enfuse</a><br /> even with a gui called <a href="http://software.bergmark.com/enfuseGUI/Main.html">EnfuseGUI</a>.<br /> we now have this 
feature in darktable, too.</p> <p>find the new fusion combo box in the darktable base curve module:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/gui.png" alt="gui" width="523" height="618" class="alignnone size-full wp-image-4192" srcset="http://www.darktable.org/wp-content/uploads/2016/08/gui.png 523w, http://www.darktable.org/wp-content/uploads/2016/08/gui-159x188.png 159w, http://www.darktable.org/wp-content/uploads/2016/08/gui-418x494.png 418w, http://www.darktable.org/wp-content/uploads/2016/08/gui-254x300.png 254w" sizes="(max-width: 523px) 100vw, 523px" /></p> <p>options are to merge the image with itself two or three times. each extra copy of the image will be boosted by an additional three stops (+3ev and +6ev), then the base curve will be applied to it and the laplacian pyramids of the resulting images will be merged.</p> <h2>results</h2> <p>this is a list of input images and the corresponding result of exposure fusion:</p> <p>0ev,+3ev,+6ev:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0004-1.jpg" alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4194" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0004-1.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-1-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-1-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-1-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0004-1-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0003.jpg" alt="0ev,+3ev,+6ev" width="1617" height="1080" class="alignnone size-full wp-image-4193" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0003.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0003-188x126.jpg 188w, 
http://www.darktable.org/wp-content/uploads/2016/08/img_0003-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0003-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0003-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p>0ev,+3ev:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0002.jpg" alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4195" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0002.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0002-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0002-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0002-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0002-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0001.jpg" alt="0ev,+3ev" width="1617" height="1080" class="alignnone size-full wp-image-4196" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0001.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0001-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0001-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0001-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0001-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p>0ev,+3ev,+6ev:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0007-1.jpg" alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4197" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0007-1.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-1-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-1-768x513.jpg 768w, 
http://www.darktable.org/wp-content/uploads/2016/08/img_0007-1-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0007-1-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0006.jpg" alt="0ev,+3ev,+6ev" width="1617" height="1080" class="alignnone size-full wp-image-4198" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0006.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0006-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0006-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0006-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0006-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p>0ev,+3ev,+6ev:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0010.jpg" alt="original" width="721" height="1080" class="alignnone size-full wp-image-4199" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0010.jpg 721w, http://www.darktable.org/wp-content/uploads/2016/08/img_0010-126x188.jpg 126w, http://www.darktable.org/wp-content/uploads/2016/08/img_0010-330x494.jpg 330w, http://www.darktable.org/wp-content/uploads/2016/08/img_0010-200x300.jpg 200w" sizes="(max-width: 721px) 100vw, 721px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0009.jpg" alt="fusion" width="721" height="1080" class="alignnone size-full wp-image-4200" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0009.jpg 721w, http://www.darktable.org/wp-content/uploads/2016/08/img_0009-126x188.jpg 126w, http://www.darktable.org/wp-content/uploads/2016/08/img_0009-330x494.jpg 330w, http://www.darktable.org/wp-content/uploads/2016/08/img_0009-200x300.jpg 200w" sizes="(max-width: 721px) 100vw, 721px" /></p> <p>0ev,+3ev:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0012.jpg" 
alt="original" width="1617" height="1080" class="alignnone size-full wp-image-4201" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0012.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0012-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0012-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0012-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0012-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0011.jpg" alt="fusion" width="1620" height="1080" class="alignnone size-full wp-image-4202" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0011.jpg 1620w, http://www.darktable.org/wp-content/uploads/2016/08/img_0011-188x125.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0011-768x512.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0011-494x329.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0011-450x300.jpg 450w" sizes="(max-width: 1620px) 100vw, 1620px" /></p> <h2>conclusion</h2> <p>the image from the beginning, with exposure fusion applied:</p> <p><img src="http://www.darktable.org/wp-content/uploads/2016/08/img_0017.jpg" alt="fusion" width="1617" height="1080" class="alignnone size-full wp-image-4203" srcset="http://www.darktable.org/wp-content/uploads/2016/08/img_0017.jpg 1617w, http://www.darktable.org/wp-content/uploads/2016/08/img_0017-188x126.jpg 188w, http://www.darktable.org/wp-content/uploads/2016/08/img_0017-768x513.jpg 768w, http://www.darktable.org/wp-content/uploads/2016/08/img_0017-494x330.jpg 494w, http://www.darktable.org/wp-content/uploads/2016/08/img_0017-449x300.jpg 449w" sizes="(max-width: 1617px) 100vw, 1617px" /></p> <p>note that the feature is currently merged to git master, but unreleased.</p> <h2>links</h2> <ul> <li><a href="http://www.magiclantern.fm/forum/?topic=7139.0">magic lantern dual iso</a></li> <li><a 
href="http://www.darktable.org/usermanual/ch03s04s05.html.php#graduated_density">graduated density iop</a></li> <li><a href="http://www.darktable.org/2012/02/shadow-recovery-revisited/">shadows and highlights iop</a></li> <li><a href="http://www.darktable.org/usermanual/ch03s04s02.html.php#global_tonemap">tone mapping iop</a></li> <li>Tom Mertens, Jan Kautz, and Frank Van Reeth. 2007. <a href="http://web.stanford.edu/class/cs231m/project-1/exposure-fusion.pdf">Exposure Fusion</a>. In Proceedings of the 15th Pacific Conference on Computer Graphics and Applications (PG '07). IEEE Computer Society, 382-390.</li> <li><a href="http://wiki.panotools.org/Enfuse">enfuse</a></li> <li><a href="http://software.bergmark.com/enfuseGUI/Main.html">EnfuseGUI</a></li> </ul> <h2><a href="http://blogs.harvard.edu/philg/2016/08/09/obamas-commuted-sentences/">Obama's Commuted Sentences</a></h2> <p>Tue, 09 Aug 2016 13:52:00 -0400</p> <h2><a href="https://www.schneier.com/blog/archives/2016/08/how_the_iranian.html">How the Iranian Government Hacks Dissidents</a></h2> <p>Tue, 09 Aug 2016 06:26:00 -0400</p> <p>Citizen Lab has a new report on an Iranian government hacking program that targets dissidents. From a <i>Washington Post</i> <a href="https://www.washingtonpost.com/posteverything/wp/2016/08/02/how-foreign-governments-spy-using-email-and-powerpoint/">op-ed</a> by Ron Deibert:</p> <blockquote><p>Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail "Assad Crimes," she could easily have opened it. Instead, she shared it with us at the <a href="https://citizenlab.org/">Citizen Lab</a>.</p> 
<p>As we detail <a href="https://citizenlab.org/2016/08/group5-syria/">in a new report</a>, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was malicious spyware, including a remote access tool called "Droidjack," that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.</p></blockquote> <p>Here's the <a href="https://citizenlab.org/2016/08/group5-syria/">report</a>. And a <a href="http://bigstory.ap.org/article/6ab1ab75e89e480a9d12befd3fea4115/experts-iranian-link-attempted-hack-syrian-dissident">news article</a>. </p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10725Frequent Password Changes is a Bad Security Ideahttps://www.schneier.com/blog/archives/2016/08/frequent_passwo.htmltag:www.schneier.com,2016:/blog//2.10717Fri, 05 Aug 2016 08:53:00 -0400<p>I've been saying for years that it's bad security advice, because it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees:</p> <blockquote><p>By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on. 
<p>"The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor explained. "They take their old passwords, they change it in some small way, and they come up with a new password."</p> <p>The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.</p></blockquote> <p>That data refers to <a href="https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf">this study</a>.</p> <p>My advice for choosing a secure password is <a href="https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html">here</a>.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10717Detecting When a Smartphone Has Been Compromisedhttps://www.schneier.com/blog/archives/2016/07/detecting_when_.htmltag:www.schneier.com,2016:/blog//2.10702Wed, 27 Jul 2016 14:09:00 -0400<p>Andrew "bunnie" Huang and Edward Snowden have designed a smartphone case that detects unauthorized transmissions by the phone. <a href="https://www.pubpub.org/pub/direct-radio-introspection/">Paper</a>. <a href="https://www.theguardian.com/us-news/2016/jul/21/phone-case-privacy-data-monitor-bluetooth-wifi-snowden-introspection-engine">Three</a> <a href="https://www.wired.com/2016/07/snowden-designs-device-warn-iphones-radio-snitches/">news</a> <a href="http://www.bbc.com/news/technology-36865209">articles</a>.</p> <p>Looks like a clever design. 
Of course, it has to be outside the device; otherwise, it could be compromised along with the device. Note that this is still in the research design stage; there are no public prototypes. </p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10702The NSA and &quot;Intelligence Legalism&quot;https://www.schneier.com/blog/archives/2016/07/the_nsa_and_int.htmltag:www.schneier.com,2016:/blog//2.10704Wed, 27 Jul 2016 07:47:00 -0400<p>Interesting law journal paper: "<a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2495844">Intelligence Legalism and the National Security Agency's Civil Liberties Gap</a>," by Margo Schlanger:</p> <blockquote><p><b>Abstract</b>: This paper examines the National Security Agency, its compliance with legal constraints and its respect for civil liberties. But even if perfect compliance could be achieved, it is too paltry a goal. A good oversight system needs its institutions not just to support and enforce compliance but also to design good rules. Yet as will become evident, the offices that make up the NSA's compliance system are nearly entirely compliance offices, not policy offices; they work to improve compliance with existing rules, but not to consider the pros and cons of more individually-protective rules and try to increase privacy or civil liberties where the cost of doing so is acceptable. The NSA and the administration in which it sits have thought of civil liberties and privacy only in compliance terms. That is, they have asked only "Can we (legally) do X?" and not "Should we do X?" This preference for the can question over the should question is part and parcel, I argue, of a phenomenon I label "intelligence legalism," whose three crucial and simultaneous features are imposition of substantive rules given the status of law rather than policy; some limited court enforcement of those rules; and empowerment of lawyers. 
Intelligence legalism has been a useful corrective to the lawlessness that characterized surveillance prior to intelligence reform, in the late 1970s. But I argue that it gives systematically insufficient weight to individual liberty, and that its relentless focus on rights, and compliance, and law has obscured the absence of what should be an additional focus on interests, or balancing, or policy. More is needed; additional attention should be directed both within the NSA and by its overseers to surveillance policy, weighing the security gains from surveillance against the privacy and civil liberties risks and costs. That attention will not be a panacea, but it can play a useful role in filling the civil liberties gap intelligence legalism creates.</p></blockquote> <p>This is similar to what I wrote in <a href="https://www.schneier.com/books/data_and_goliath/"><i>Data and Goliath</i></a>:</p> <blockquote><p>There are two levels of oversight. The first is strategic: are the rules we're imposing the correct ones? For example, the NSA can implement its own procedures to ensure that it's following the rules, but it should not get to decide what rules it should follow.... <p>The other kind of oversight is tactical: are the rules being followed? Mechanisms for this kind of oversight include procedures, audits, approvals, troubleshooting protocols, and so on. The NSA, for example, trains its analysts in the regulations governing their work, audits systems to ensure that those regulations are actually followed, and has instituted reporting and disciplinary procedures for occasions when they're not.</p></blockquote> <p>It's not enough that the NSA makes sure there is a colorable legal interpretation that authorizes what they do. 
We need to make sure that their understanding of the law is shared with the outside world, and that what they're doing is a good idea.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10704Inflectionhttp://xkcd.com/1709/http://xkcd.com/1709/Wed, 20 Jul 2016 00:00:00 -0400<img src="http://imgs.xkcd.com/comics/inflection.png" title="&quot;Or maybe, because we're suddenly having so many conversations through written text, we'll start relying MORE on altered spelling to indicate meaning!&quot; &quot;Wat.&quot;" alt="&quot;Or maybe, because we're suddenly having so many conversations through written text, we'll start relying MORE on altered spelling to indicate meaning!&quot; &quot;Wat.&quot;" />http://quec.li/EntryComments?feed=http%3A%2F%2Fxkcd.com%2Frss.xml&entry=http%3A%2F%2Fxkcd.com%2F1709%2FVisiting a Website against the Owner's Wishes Is Now a Federal Crimehttps://www.schneier.com/blog/archives/2016/07/visiting_a_webs.htmltag:www.schneier.com,2016:/blog//2.10685Wed, 13 Jul 2016 15:10:00 -0400<p>While we're on the subject of <a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/">terrible 9th Circuit Court rulings</a>:</p> <blockquote><p>The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act.... Its reasoning appears to be very broad. 
If I'm reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they're committing a federal crime of accessing your computer without authorization.</p></blockquote>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10685Password Sharing Is Now a Crimehttps://www.schneier.com/blog/archives/2016/07/password_sharin_1.htmltag:www.schneier.com,2016:/blog//2.10684Wed, 13 Jul 2016 12:07:00 -0400<p>In a truly terrible ruling, the US 9th Circuit Court ruled that using someone else's password with their permission but without the permission of the site owner is a <a href="https://motherboard.vice.com/read/password-sharing-is-a-federal-crime">federal crime</a>.</p> <blockquote><p>The argument McKeown made is that the employee who shared the password with Nosal "had no authority from Korn/Ferry to provide her password to former employees." <p>At issue is language in the CFAA that makes it illegal to access a computer system "without authorization." McKeown said that "without authorization" is "an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission." The question <a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/06/password-sharing-case-divides-ninth-circuit-in-nosal-ii/">that legal scholars</a>, groups such as the <a href="https://www.eff.org/issues/cfaa">Electronic Frontier Foundation</a>, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?</p> <p>Reinhardt argues that Nosal's use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. 
For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you're breaking federal law.</p></blockquote> <p>The <a href="https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit">EFF</a>:</p> <blockquote><p>While the majority opinion said that the facts of this case "bear little resemblance" to the kind of password sharing that people often do, Judge Reinhardt's dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband's user credentials to access his bank account to pay bills, Judge Reinhardt noted: "So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates." As a result, although the majority says otherwise, the court turned anyone who has ever used someone else's password without the approval of the computer owner into a potential felon.</p></blockquote> <p>The <a href="https://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a> has been a disaster for many reasons, this being one of them. There will be an appeal of this ruling.</p>http://quec.li/EntryComments?feed=http%3A%2F%2Fwww.schneier.com%2Fblog%2Fatom.xml&entry=tag%3Awww.schneier.com%2C2016%3A%2Fblog%2F%2F2.10684
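<p>The kind of transformation guesser the UNC study quoted in the "Frequent Password Changes" entry above describes, as an added example that is not code from Schneier's post, from Ars Technica or from the researchers: starting from a user's previous password, it enumerates the rotations the quote names (capitalising one letter, repeating, substituting or incrementing a trailing digit) and counts how many guesses it takes to reach the new password's hash. The password history, the use of SHA-256 as a stand-in for the site's real hashing, the function names and the ordering of the candidate transformations are all assumptions made for this example; the study's actual algorithm is not on this page.</p>

```python
"""Added example (not from Schneier's post, Ars Technica or the UNC study):
a "transform the old password" guesser of the kind the quoted researchers
built. Given a user's previous password, it enumerates the common rotations
the quote describes and counts how many guesses reach the new password's
hash. Passwords, history and SHA-256 hashing are constructed assumptions."""

import hashlib
import itertools
import re
from typing import Iterator, List, Optional


def capitalisation_variants(pw: str) -> Iterator[str]:
    """"tarheels#1" -> "Tarheels#1", "tArheels#1", "taRheels#1", ... (one letter at a time)."""
    for i, ch in enumerate(pw):
        if ch.isalpha() and ch.islower():
            yield pw[:i] + ch.upper() + pw[i + 1:]


def digit_variants(pw: str) -> Iterator[str]:
    """Trailing-digit rotations: repeat ("#1" -> "#11"), substitute ("#1" -> "#2"),
    increment ("#9" -> "#10"); if there is no trailing digit, append one."""
    m = re.search(r"(\d+)$", pw)
    if m is None:
        for d in "1234567890":
            yield pw + d
        return
    base, digits = pw[:m.start()], m.group(1)
    yield base + digits + digits[-1]                  # repeat the last digit
    for d in "0123456789":
        if d != digits[-1]:
            yield base + digits[:-1] + d               # substitute the last digit
    yield base + str(int(digits) + 1).zfill(len(digits))  # increment the number


def transformations(old: str) -> Iterator[str]:
    """Candidate new passwords derived from the old one, deduplicated,
    in the (assumed) order an attacker would try them."""
    seen = {old}
    for cand in itertools.chain(capitalisation_variants(old), digit_variants(old)):
        if cand not in seen:
            seen.add(cand)
            yield cand


def sha256_hex(pw: str) -> str:
    # Stand-in for whatever the target site stores; only equality matters here.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def guesses_needed(old: str, new_hash: str, limit: int = 1000) -> Optional[int]:
    """1-based number of transformation guesses that hits new_hash, or None
    if the new password is not a simple transformation of the old one."""
    for n, cand in enumerate(transformations(old), start=1):
        if n > limit:
            return None
        if sha256_hex(cand) == new_hash:
            return n
    return None


# Constructed sample: one account's passwords across three forced rotations,
# following the patterns quoted in the post.
HISTORY = ["tarheels#1", "tArheels#1", "tArheels#11", "tArheels#12"]


def audit_history(history: List[str]) -> List[Optional[int]]:
    """For each rotation, how many guesses the previous password gives away."""
    return [guesses_needed(old, sha256_hex(new))
            for old, new in zip(history, history[1:])]


if __name__ == "__main__":
    print(audit_history(HISTORY))
```

<p>With the constructed history the three rotations fall on the 2nd, 8th and 10th guess, which is the point behind the quoted "17 percent in fewer than five attempts" figure: a lockout threshold does little when the candidate list is that short. A password unrelated to the old one is never reached, so the same routine can be used defensively, at change time, to reject a new password that is a cheap transformation of the previous one rather than relying on the rotation itself.</p>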