m: Quec.li m's republished posts. http://quec.li/~m

The NO-NAME vuln: <tt>wget</tt> mess patched without a fancy brand
http://go.theregister.com/feed/www.theregister.co.uk/2014/10/30/no_poodle_for_you_wget_vuln_patched_without_fancy_brand/
Wed, 29 Oct 2014 20:39:00 -0400
<h4>Directory overwrite bug threatens all *nix boxen</h4> <p>Sysadmins: another venerable and nearly-ubiquitous *nix tool, wget, needs patching because of a bug first reported by HD Moore.</p>

Deanonymizing Taxi Passenger and Fare Data
https://www.schneier.com/blog/archives/2014/10/deanonymizing_t.html
Wed, 22 Oct 2014 06:54:00 -0400
<p>Interesting <a href="http://research.neustar.biz/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc-taxicab-dataset/">essay</a> on the sorts of things you can learn from anonymized taxi passenger and fare data.</p>

NSA Classification ECI = Exceptionally Controlled Information
https://www.schneier.com/blog/archives/2014/10/nsa_classificat.html
Thu, 16 Oct 2014 07:22:00 -0400
<p>ECI is a classification above Top Secret.
It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies.</p> <p>As part of the <i>Intercept</i> <a href="https://firstlook.org/theintercept/2014/10/10/core-secrets/">story</a> on the NSA's using agents to infiltrate foreign companies and networks, it published a <a href="https://firstlook.org/theintercept/?p=6630">list of ECI compartments</a>. It's just a list of code names and three-letter abbreviations, along with the <a href="https://en.wikipedia.org/wiki/National_Security_Agency#Structure">group</a> <a href="http://www.matthewaid.com/post/58339598875/organizational-structure-of-the-national-security">inside</a> the NSA that is responsible for them. The descriptions of what they all mean would <i>never</i> be in a computer file, so it's only of value to those of us who like code names.</p> <p>This designation is why there have been no documents in the Snowden archive listing specific company names. 
They're all referred to by these ECI code names.</p>

The Rules
http://dandreamsofcoding.com/2014/10/13/the-rules/
Mon, 13 Oct 2014 09:00:00 -0400

Online Activism and the Computer Fraud and Abuse Act
https://www.schneier.com/blog/archives/2014/10/online_activism.html
Fri, 10 Oct 2014 13:31:00 -0400
<p>Good <a href="http://boingboing.net/2014/09/26/fuckthecfaa.html">essay</a> by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet.</p> <p>Also note Sauter's new book, <a href="http://www.amazon.com/The-Coming-Swarm-Hacktivism-Disobedience/dp/1623564565"><i>The Coming Swarm</i></a>.</p>

California regulators ruin sofa shopping in Massachusetts
http://blogs.law.harvard.edu/philg/2014/10/10/california-regulators-ruin-sofa-shopping-in-massachusetts/
Fri, 10 Oct 2014 12:08:00 -0400

The Sake of Argument
http://xkcd.com/1432/
Fri, 10 Oct 2014 00:00:00 -0400
<img src="http://imgs.xkcd.com/comics/the_sake_of_argument.png" title="'It's not actually ... it's a DEVICE for EXPLORING a PLAUSIBLE REALITY that's not the one we're in, to gain a broader understanding about it.' 'oh, like a boat!' '...' 'Just for the sake of argument, we should get a boat! You can invite the Devil, too, if you want.'" alt="'It's not actually ... 
it's a DEVICE for EXPLORING a PLAUSIBLE REALITY that's not the one we're in, to gain a broader understanding about it.' 'oh, like a boat!' '...' 'Just for the sake of argument, we should get a boat! You can invite the Devil, too, if you want.'" />

USB Cufflinks
https://www.schneier.com/blog/archives/2014/10/usb_cufflinks.html
Thu, 09 Oct 2014 08:12:00 -0400
<p>Just the thing for <a href="http://www.dalys1895.com/designer/dalys/dalys1895-silver-rectangular-usb-16gb-cufflinks.html">smuggling data</a> out of secure locations.</p>

Portrait Photography then and now
http://blogs.law.harvard.edu/philg/2014/10/07/portrait-photography-then-and-now/
Tue, 07 Oct 2014 16:42:00 -0400

iPhone Encryption and the Return of the Crypto Wars
https://www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html
Mon, 06 Oct 2014 07:50:00 -0400

William Binney Explains NSA Surveillance Using Snowden's Documents
https://www.schneier.com/blog/archives/2014/10/william_binney_.html
Fri, 03 Oct 2014 07:59:00 -0400
<p>Former NSA employee -- not technical director, as the link says -- <a href="http://www.alexaobrien.com/secondsight/wb/binney.html">explains</a> how NSA bulk surveillance works, using some of the Snowden documents.
Very interesting.</p>

The 20f1.8 ... WOW!
http://www.moosepeterson.com/blog/2014/10/03/the-20f1-8-wow/
Fri, 03 Oct 2014 07:30:00 -0400
<p><a href="http://www.moosepeterson.com/blog/wp-content/uploads/2014/10/DLCGCSR5949.jpg" rel="lightbox[36452]"><img src="http://www.moosepeterson.com/blog/wp-content/uploads/2014/10/DLCGCSR5949.jpg" alt="DLCGCSR5949" width="800" height="534" class="aligncenter size-full wp-image-36453" /></a></p> <p>The Grand Canyon is simply breathtaking! But the photo Gods haven&#8217;t been really kind to us: bald skies. This limits our shooting hours in the morning to less than an hour. Not really an issue, plenty to shoot and it&#8217;s simply gorgeous. I shot the whole morning with just the <a href="http://www.bhphotovideo.com/c/product/1082599-REG/nikon_d750_dslr_camera_body.html/BI/8449/KBID/9350/kw/NID750/DFF/d10-v2-t1-xNID750" target="_blank">D750</a> and <a href="http://www.bhphotovideo.com/c/product/1082607-REG/nikon_20mm_f_1_8g_fx_lens.html/BI/8449/KBID/9350/kw/NI2018/DFF/d10-v2-t1-xNI2018" target="_blank">20f1.8AFS</a> and I&#8217;m blown away by the 20f1.8. I love the pattern its aperture creates for starbursts. I love its light weight but most of all, I LOVE its quality! Man, it&#8217;s a sharp lens!!!</p> <p><a href="http://www.moosepeterson.com/blog/wp-content/uploads/2014/10/DLCGCSR5972.jpg" rel="lightbox[36452]"><img src="http://www.moosepeterson.com/blog/wp-content/uploads/2014/10/DLCGCSR5972.jpg" alt="DLCGCSR5972" width="800" height="534" class="aligncenter size-full wp-image-36454" /></a></p> <p>And I&#8217;m talking sharp at f/1.8. Both of these photos were taken at f/1.8. F/1.8 for a landscape photo? Ya, f/1.8 for a landscape photo because the subject is at infinity and infinity has no depth of field.
Now that fact won&#8217;t sit well with most but that&#8217;s the way it is. You don&#8217;t need to crank the aperture down to f/16 or more to have a sharp landscape photo. Just look above. And you don&#8217;t have to own the 20f1.8 or take my word for this fact. Just go shoot a subject at infinity and look for yourself. mtc</p>

White House Security
http://blogs.law.harvard.edu/philg/2014/10/01/white-house-security/
Wed, 01 Oct 2014 20:55:00 -0400

Breaking Bad Questions
http://blogs.law.harvard.edu/philg/2014/09/24/breaking-bad-questions/
Wed, 24 Sep 2014 12:57:00 -0400

DSA-3032 bash - security update
https://www.debian.org/security/2014/dsa-3032
Tue, 23 Sep 2014 20:00:00 -0400
<p>Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed.
In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.</p>

Fake Cell Phone Towers Across the US
https://www.schneier.com/blog/archives/2014/09/fake_cell_phone.html
Fri, 19 Sep 2014 07:11:00 -0400
<p>Earlier this month, <a href="http://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/">there</a> <a href="http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-intercepting-your-calls">were</a> <a href="http://io9.com/fake-cell-phone-towers-could-be-taking-control-of-your-1630378142">a</a> <a href="http://gizmodo.com/phony-cell-towers-could-be-intercepting-your-data-1629478616">bunch</a> <a href="http://venturebeat.com/2014/09/02/who-is-putting-up-interceptor-cell-towers-the-mystery-deepens/">of</a> <a href="https://news.ycombinator.com/item?id=8264540">stories</a> about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's <a href="http://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-tower-cops-and-providers-use-to-track-your-every-move">Stingray</a>, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the <i>Washington Post</i> ran <a href="http://www.washingtonpost.com/world/national-security/researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f_story.html">a story</a> about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that's part of CryptoPhone from the German company GSMK.
And in both cases, we don't know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?</p> <p>This is the problem with building an infrastructure of surveillance: you can't regulate who gets to use it. The FBI has been protecting Stingray like it's an enormous secret, but it's <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678">not a secret anymore</a>. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.</p> <p>We have one infrastructure. We can't choose a world where the US gets to spy and the Chinese don't. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I'm tired of us choosing surveillance over security.</p>

Payment for surrogate mothers
http://blogs.law.harvard.edu/philg/2014/09/18/payment-for-surrogate-mothers/
Thu, 18 Sep 2014 10:07:00 -0400

Aerials of New York with the World Trade Center
http://aboutphotography-tomgrill.blogspot.com/2014/09/aerials-of-new-york-with-world-trade.html
Thu, 18 Sep 2014 08:20:00 -0400
Last night I did some helicopter aerials of lower Manhattan at sunset. Haven't had time to process them yet, but decided to begin this post, and will add to it later.
<div><a href="http://1.bp.blogspot.com/-VnUatEndTOY/VBrNKklOTrI/AAAAAAAAPmw/xWu54eQWCu4/s1600/ti01077319bl.jpg" imageanchor="1"><img border="0" src="http://1.bp.blogspot.com/-VnUatEndTOY/VBrNKklOTrI/AAAAAAAAPmw/xWu54eQWCu4/s1600/ti01077319bl.jpg" /></a></div>
<div><a href="http://1.bp.blogspot.com/-NHdGql2GM-k/VBrNp2Tr_nI/AAAAAAAAPnE/zqZGXk4muP4/s1600/ti01077323bl.jpg" imageanchor="1"><img border="0" src="http://1.bp.blogspot.com/-NHdGql2GM-k/VBrNp2Tr_nI/AAAAAAAAPnE/zqZGXk4muP4/s1600/ti01077323bl.jpg" /></a></div>

The Full Story of Yahoo's Fight Against PRISM
https://www.schneier.com/blog/archives/2014/09/the_full_story_.html
Thu, 18 Sep 2014 08:13:00 -0400
<p>In 2008 Yahoo <a href="http://gizmodo.com/the-nsa-was-going-to-fine-yahoo-250k-a-day-if-it-didnt-1633677548">fought</a> the NSA to avoid becoming part of the PRISM program. They eventually lost their court battle, and at one point were threatened with a $250,000 a day fine if they continued to resist.
I am continually amazed at the extent of the government coercion.</p>

Prices in the Good Old Days
http://blogs.law.harvard.edu/philg/2014/09/18/prices-in-the-good-old-days/
Thu, 18 Sep 2014 01:02:00 -0400

Identifying Dread Pirate Roberts
https://www.schneier.com/blog/archives/2014/09/identifying_dre.html
Wed, 17 Sep 2014 15:30:00 -0400
<p>According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page <a href="http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/">leaked</a> the users' true location.</p>

Tracking People From their Cellphones with an SS7 Vulnerability
https://www.schneier.com/blog/archives/2014/09/tracking_people_3.html
Wed, 17 Sep 2014 08:15:00 -0400
<p>What's interesting about <a href="http://www.washingtonpost.com/business/technology/for-sale-systems-that-can-secretly-track-where-cellphone-users-go-around-the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-447a5df6411f_story.html">this story</a> is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that <i>anyone</i> can do it.
Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and <a href="http://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf">hackers</a> have demonstrated the capability.</p>
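A check for the bash environment-variable bug in the DSA-3032 entry above, added here as an example; it is not Debian's or the bash project's code. Debian tracks that advisory as CVE-2014-6271 ("Shellshock"), and the payload below is the widely published test for it: an affected bash imports a function from any environment variable whose value begins with "() {" and then runs whatever follows the function body. The variable name HTTP_USER_AGENT and the two binaries audited are assumptions standing in for a CGI deployment, where the web server copies request headers into the handler's environment; that is the path by which the advisory's "exploitable over the network" applies, and why it matters whether /bin/sh is bash.

```shell
#!/bin/sh
# Added example, not from the Debian advisory or the bash project.
# Tests whether a shell binary executes code smuggled in through an
# environment variable (CVE-2014-6271, the bug DSA-3032 patches).

# The widely published test payload: a harmless function definition followed
# by a trailing command. Only a vulnerable bash runs the trailing command
# while importing the function from its environment; a patched bash ignores it.
PAYLOAD='() { :;}; echo SHELLSHOCK-VULNERABLE'

# check_shell BINARY -> prints "vulnerable", "not-vulnerable" or "absent".
# HTTP_USER_AGENT is an assumed name: it mirrors how a CGI server hands a
# request header to the handler, so this is the network-facing delivery path.
check_shell() {
    bin=${1:-bash}
    command -v "$bin" >/dev/null 2>&1 || { echo absent; return 0; }
    # A patched bash warns on stderr about the ignored function definition;
    # only stdout decides the result.
    out=$(env "HTTP_USER_AGENT=$PAYLOAD" "$bin" -c 'echo handler-ran' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK-VULNERABLE*) echo vulnerable ;;
        *)                       echo not-vulnerable ;;
    esac
}

# Advisory caveat: the system shell matters, because handlers and scripts
# started via /bin/sh inherit the bug when /bin/sh is bash.
# Prints one line per binary; returns 0 if none is vulnerable, 1 otherwise.
audit_shells() {
    status=0
    for b in bash /bin/sh; do
        r=$(check_shell "$b")
        echo "$b: $r"
        if [ "$r" = vulnerable ]; then
            status=1
        fi
    done
    return $status
}

audit_shells
```

Run it on the host being audited; "absent" means the binary is not on PATH, not that it is safe. A result of "not-vulnerable" for /bin/sh on a dash-based system says nothing about a bash installed elsewhere, which is why both are checked.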