Violet Blue is creating cybersecurity news, and a San Francisco memoir


Chief Cattterer to Russia

Nov 12, 2017, 5:01:42 PM
https://www.patreon.com/violetblue

I'm Violet Blue. Some of you know me from the journalism world, where I've broken big stories about hacking and reported extensively about cybersecurity since 2010. Others may know me from being the first female podcaster, with my Open Source Sex podcast from 2004. Or, you might know me from my sex blog, which began in 2001, or my award-winning sex and erotica books, my books about digital security and privacy, or my appearance on Oprah to talk about women and porn. I write about hacking, security, privacy, and sex.

Right now I need your help. I'm bootstrapping a weekly cybersecurity news roundup that's free for all to read, and it's an enormous amount of work. (Work that I love doing.) I'm also researching and writing a book about growing up in San Francisco and Silicon Valley as the child of a female Stanford engineer who became a high-volume drug dealer (and addict) -- that's my birth mother, who I discovered lied to me about who my real father is. I don't only want to tell my mother's story, or mine, but also the stories of the little kids I was on the streets with, and the place they occupy in San Francisco's rich history.

You can read about my recent experience contacting the SFPD here.

I want to fund this book through Patreon, rather than a Kickstarter, so my patrons can participate closely in the process with me.

Posts about this book will be private posts for the $25 level and up patrons.

This gets me closer to sustainability while I tackle the manuscript, and should help screen out the looky-loos a little bit. It establishes a relationship balanced on cash and access that's meaningful to me. At this level, every two weeks you'll get an update (one that is also sent to your inbox when I publish). You can give me feedback, ask questions, and comment privately. Every supporter at the $25 level and up will get a copy of the book when it's finished.

I hope you'll consider becoming a patron. If you follow my work, you see how hard I fight for at-risk populations to have a voice in their own conversations. My work draws attention to hypocrisy and injustice; it is powerfully grounded in gender and orientation inclusivity and diversity, like my reporting on PayPal's financial discrimination against sex workers, and getting Tumblr's NSFW search reinstated properly. I regularly report on hacking issues that big outlets don't cover, attempt to cover up, or try to lie about. So you've seen how much I get attacked and censored (Libya, Apple, Focus on the Family, Amazon search, Facebook, and many more).

I've bootstrapped everything. I work at industry rates (which aren't great), I constantly have to chase down people who take months to pay invoices for my writing, and I was homeless as a kid, so I'm out here on the financial edge of things.

It's no secret that I'm having tough times financially, and so is almost every writer I know. The book industry is suffering and everyone who isn't lucky to have mainstream book industry privilege and access -- which gets you favored by algorithms -- is seeing sales on a hellish, slow decline. The journalism industry is incredibly lean (I know you see me hustling for writing gigs all the time - hire me!). This is complicated further by my (unfortunate) decision to support my now ex-partner for a period that ambushed my expectations (and my limits) by becoming a couple of years. It blows my mind that even with all I've accomplished, I'm still struggling.

Anything -- even from $1/month up -- is hugely helpful.

If you've read this far and don't feel like contributing, that's okay. You already have. And I thank you.

Thank you.
-Violet

RECENT POSTS BY VIOLET BLUE
Violet Blue, Nov 11 at 8:32pm: Dear Patrons (memoir; post for $25+ patrons)

Violet Blue
Nov 7 at 6:30am

Cybersecurity news: November 7, 2017

Real Sexy Cyborg under attack, an arrest in the FireEye hacking attack, Russia fingered as behind the WikiLeaks-DNC hacks, failed attempts to hack Face ID, employees often personally pay for ransomware, and much more.
Cybersexism

Maker Media (Make Magazine, Maker Faire, the media events and ecommerce platform) is in a shitstorm of its own making thanks to their CEO and Founder Dale Dougherty attacking cult fave Chinese maker Naomi Wu -- saying she is "not a real person" and a "fake" maker, among other distasteful suggestions.

Wu, in case you're not familiar, is a well-established and widely respected hardware hacker with a popular YouTube and Twitter, as well as her Patreon, where she's done solo hacking and collaborative projects with many other hackers (including the wonderful Andrew "Bunnie" Huang). Wu goes by the handle @RealSexyCyborg, which accurately describes her appearance and fun approach to femme-power hacking projects, openly embracing the strength of female sexuality as it meets the forefront of technology and feminine empowerment through physical and environmental tech modifications.

Dougherty dug himself in deep, and has since deleted his tweets. To say that hacking communities are angry at Make and its CEO for the pointless gender-fueled accusations and attacks would be an understatement -- though as you'd expect, like any woman online, Wu is experiencing hate and attacks by a crowd of trolls who feel vindicated by Dougherty's attacks and are out in force. Female makers are incensed at Make, and it's no surprise, as hacking and making are male-dominated environments that constantly question the validity of female hackers.

It reminds me of an experience I had being interviewed by the New York Times in 2007 (for this article). At the time I was a celebrity in the world of online harassment, death threats, and stalking (I gave a talk on it at ETech in 2008). The man who wrote the article was very frustrated with the interview: he wanted to tell a story of me being frightened and bullied, and very specifically wanted me to say that I'd begun to hide my femininity and gender in order to be taken seriously.

But that wasn't true. I explained to him that being threatened, harassed, and relentlessly bullied about my gender and femininity made me wear my gender and femininity louder than ever before. I told him that because it was so threatening to those who would have me devalued and silenced, that threat was powerful. And it was a road that must be forged. He very, very clearly didn't like it at all, and I was not included in the article. His reaction shaped my resolve to fuck with those who would oppress by gender stereotypes by being sexy and smart, and it's part of who I am today. Clearly, based on what we're seeing with Wu and Make, the combination of female, smart, and proudly sexy is still a potent threat.

Check out Wu's Twitter timeline to see what she's been saying about perceptions of gender and race in reaction to Make's CEO -- it's highly recommended. As for Make Media and its problems with gender, well, it clearly has a long way to go.

Some animals are more equal than others

Over the weekend the Aaron Swartz Day event and hackathon happened with a lineup of hacktivist who's-whos -- but only ones the organizers deemed "good" or "real" activists, and not hackers associated with Anonymous. Not the unfamous ones anyway; Martin Gottesfeld wrote on Huffington Post, "While she is obviously no fan of Anonymous, that didn’t stop her from inviting Barrett Brown and Gabriella Coleman to mark the occasion either."

It all came to light just prior to Aaron Swartz Day when texts by organizer Lisa Rein -- who ran Chelsea Manning's Twitter account -- were published on Huffington Post revealing her stance on hackers and what she believes Aaron Swartz would've found acceptable in terms of who would be allowed or not to participate in his day.

WikiWeak

Remember those DNC hacks? It feels like they happened ten years ago. To refresh your memory, the 2016 Democratic National Committee email hack and dump was a collection of DNC emails handed to and subsequently published by WikiLeaks on July 22, 2016. WikiLeaks denied that it was Russia. Now federal investigators have officially identified several Russian government hackers

Washington Post reports that while this is illuminating, we might not see any action. "Gathering the evidence necessary to bring charges against them has proven to be a challenge," the outlet wrote, "and it is not clear when that might happen, the individuals said. Prosecutors and FBI agents have been in discussions about the case and could bring charges next year"

Just don't use the B-word

In early August Mandiant -- aka FireEye and our favorite descendant of Viking gods and pew-pew maps -- was in the crosshairs of a hacker who claimed to have popped the company's systems and shared the goods on Twitter with the hashtag #LeakTheAnalyst. FireEye responded by making a post in a statement from the "Executive Perspective" saying the hacker of the alleged breach was a big ol fatty liar (wording not exact) and that "after six days of intensive investigation" the company has concluded that there is nothing to see and everyone should just move along. FireEye did say they were victims, though, and were careful to capitalize the word "Victim."

As a result, #LeakTheAnalyst spent the weekend as the most popular post on Pastebin, with the hackers returning to drop a second batch of FireEye docs, once again under the #LeakTheAnalyst tag.

At the dump's start, the hackers talk about things they accessed, detailing what they say are FireEye's lies, adding, "And they lied to the world, after 10 days of absolute silence. Guess what, we're going to punish the lairs, the fat riches who care only about their stock shares. How do you call this being truthful?" They also gave "special thanks" to APT28 and The Shadow Brokers.

Deep in the backwoods security blogs this week it was reported that an arrest has been made in the FireEye hacks. CRN tells us that a hacker "was arrested and taken into custody Thursday by international law enforcement" but that FireEye still maintains it was not breached -- "that the hacker didn't breach, compromise or access the company's corporate network." As we all know, this sort of thing remains to be seen.

Hacking on a curve

For some, hacking your grades would be a sensible use of a keylogger, but for the FBI, not so much. Naked Security writes:

Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems.
... The FBI affidavit claims that Graves changed his grades more than 90 times during those 21 months. He also allegedly changed grades on numerous occasions for at least five of his classmates.


Other odd clicks worth your time:

Hackers Compromised the Trump Organization 4 Years Ago—and the Company Never Noticed (Mother Jones)

Twitter exploit let two pranksters post a 35,000-character tweet (Engadget)

Going rogue in Silicon Valley (exceptional piece; The Outline)

We Tried Really Hard To Beat Face ID—and Failed (So Far) (Wired)

Majority of Employees Hit with Ransomware Personally Make Payment (Dark Reading)

Hilton Was Fined $700K for a Data Breach. Under GDPR It Would Be $420M (Digital Guardian)



This brief needs your support

Putting this weekly brief together is a 7-days-a-week operation, plus the day spent culling, editing, and writing it. And I love doing it! But it needs your support to keep going. Please consider even the smallest donation as a patron, and if you're broke I totally understand -- if you can't help out, I hope you'll share this post, because every little bit helps. Either way, thank you for reading this little labor of love.

If you want to support my work even further, you can. When I'm not chasing freelance work, I'm spending my extra time researching and writing about growing up in San Francisco, and the city's unusual history that led to the intersection of poverty, drugs, homelessness, and crime that shaped my childhood. If you become a patron at the $25 level you'll get access to these private posts.

Main post image via @PixelatedBoat.

Michael Wild
I am surprised at the attacks on @RealSexyCyborg as she seems real and does some interesting hardware work. I am not sure what is wrong with Make. DNC hacks do concern me as I am worried about the lack of investigation. Thank you again for reporting on things I missed in the news.
Violet Blue
The attacks ... wow. I didn't expect that from Make, either. I do think it's positive that she's using it as an opportunity to talk a little bit about what she goes through. Here's hoping for an apology at the very least.
James Armstrong
When the rogue Twitter employee deactivated Trump's account, my first thought was that Twitter was finally applying their terms of service forbidding bullying and abuse to that account. Oh well, I guess some people are above the rules.
Violet Blue
I'm with you. I hate that social media became even more "Animal Farm" than it was when it started.
Violet Blue
Oct 31 at 6:30am

Cybersecurity news: October 31, 2017


The 400-lb hacker comes home to roost, US Deputy Attorney General Rod Rosenstein insists he's not a backdoor man, the Equifax breach somehow gets worse, Heathrow's security plans literally found on the street, a hacker holds hacking forum for ransom, NotPetya responsible for HPV vaccine shortage, and much more.
Putin the finger

Remember July 2016 when Trump publicly called for Russia to hack Hillary Clinton's server to find those 33K emails, saying "you will probably be rewarded mightily by our press," which was later played off as a joke? (July '16 was when Trump was formally nominated as the Republican presidential nominee.)

Or September 2016 when Ms. Clinton said Russia was behind the DNC hacks? "I don't think that anybody knows it was Russia that broke into the DNC," Trump responded. "It could also be China or it could also be lots of other people -- it also could be somebody sitting on their bed that weighs 400 pounds."

We found out yesterday in the first guilty plea of special counsel Robert Mueller’s investigation that Trump's campaign team knew Russia had Clinton's emails months before Trump told that July 2016 news conference, "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing."

Lawfare Managing Editor Susan Hennessey commented on Twitter, "And it appears that at no point did it even occur to anyone in the Trump campaign that the right thing to do would be to contact the FBI."

Let's also keep track of the fact that Trump in January asserted that "Assange... said Russians did not give him the info!"

Stay away from my backdoor

Two weeks ago US Deputy Attorney General Rod Rosenstein introduced us to the concept of "responsible encryption" and was promptly laughed out of the collective infosec room. This week he backed away from the term "backdoor" and doubled down on "responsible encryption" with (ahem) certain features in his speech to the 2017 North American International Cyber Summit.

"Responsible encryption is effective secure encryption, coupled with access capabilities," he said.

He suggested that the feds won't mandate encryption backdoors "so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle," according to The Register.

Last Friday I took a look at Rosenstein's "responsible encryption" campaign and the administration's attempt to market the phrase to push its backdoor agenda -- and how it's not going away anytime soon.

Equifucked

Great scoop at Motherboard: "Months before its catastrophic data breach, a security researcher warned Equifax that it was vulnerable to the kind of attack that later compromised the personal data of more than 145 million Americans," the outlet wrote.

Six months after the researcher first notified the company about the vulnerability, Equifax patched it—but only after the massive breach that made headlines had already taken place, according to Equifax's own timeline.
This revelation opens the possibility that more than one group of hackers broke into the company.

Meanwhile, one poor woman has reported that her identity has been stolen repeatedly after the Equifax data breach. "Katie Van Fleet of Seattle says she’s spent months trying to regain her stolen identity, and says it has been stolen more than a dozen times," reports NBC. “I didn’t sign up to use Equifax, so I feel all of that stuff has been taken, and now I am left here trying to sweep up the pieces and just trying to protect myself and protect my credit,” Van Fleet said.

Last week Britain's markets watchdog, the Financial Conduct Authority, said it has opened its own investigation into the Equifax breach, which affected nearly 700,000 UK citizens.

Making TSA look good

The TSA is awful, terrible, horrible, and truly bad at cybersecurity. So what happened with a Heathrow USB security stick being found literally on the street -- no password, unencrypted -- can give us some cold comfort.

Heathrow Airport says it has launched an internal investigation after a USB stick containing security information was reportedly found on the street.
The Sunday Mirror reported that the USB stick had 76 folders with maps, videos and documents, including details of measures used to protect the Queen. ... Some files disclosed the types of ID needed to access restricted areas, a timetable of security patrols and maps pinpointing CCTV cameras, the paper said.
One document highlighted recent terror attacks and talked about the type of threat the airport could face, it said.

What a bunch of hacks

Underground hacking forum Basetools.ws (stolen credit card information, profile data, and spamming tools) got pwned when an anonymous user "uploaded samples of its database online along with a ransom demand."

The attacker is asking for $50,000 or he'll share data on the site's administrator with US authorities, such as the FBI, DHS, DOJ, and the DOT (Department of Treasury).
To prove the validity of his claims, the hacker shared an image of the Basetools admin panel and an image containing the site admin's login details and IP address.
(...) the hacker also dumped tools that Basetools users were selling on the site, such as login credentials for C-Panel accounts; login credentials for shells, backdoors, and spambots hosted on hacked sites; credentials for RDP servers; server SSH credentials, user data leaked from various breaches at legitimate sites, and many other more.

HEY I CAN THINK OF A MOTIVE

Maybe think twice before going with the "but I'm a white hat" defense. Louisiana private investigator Jordan Hamlett stands accused of trying to obtain Donald Trump’s tax returns, and his attorney told a court last week that he's a good guy “white hat hacker” who was trying to test and report a security flaw in a government website.

Federal prosecutors haven’t offered any possible motives for Hamlett’s alleged attempt to get Trump’s tax records. But they’re asking a judge to bar Hamlett’s lawyer from presenting any evidence of a “white hat” defense at trial.
“It is essentially nothing more than a belated excuse for a crime,” they wrote in a court filing last week. “As the law in this circuit makes clear, however, such after-the-fact excuses and self-justifications for crimes are irrelevant and immaterial.”


More clickables:

Two lawmakers want to give consumers a way to know if their IoT devices are secure (CyberScoop)

Researchers Devise 2FA System That Relies on Taking Photos of Ordinary Objects (BleepingComputer)

NotPetya Infection Left Merck Short of Key HPV Vaccine (The Security Ledger)

How I Hacked DEF CON (Amanda Mork – Medium)

Investigation: WannaCry cyber attack and the NHS (.pdf, UK National Audit Office - UK blames North Korea)



Help keep this brief going

If you missed it, last week I met with Patreon about their adult content policies and did some advocacy. I was able to do that -- take time out of chasing freelance work, on top of working on this weekly brief -- thanks to patrons who support my work via my Patreon.

To keep going, I need your help. Please consider becoming a patron on any level, or if you're too broke (I understand!) I sincerely hope you'll share this post and spread the word. It's definitely frustrating to watch stories I see from a different angle and present here get repackaged for big-league media pieces without even a mention or a nod. It's happening more often these days -- a twisted compliment, for sure!

There's something else you'll want to consider. When I'm not working, I'm spending all my extra energy researching and writing a memoir about growing up in San Francisco, and the city's unusual history that led to the intersection of poverty, drugs, homelessness, and crime that shaped my childhood. Those who become a patron at the $25 level and up get access to my work on this, as they are private posts. I'm interviewing police officers, retired DEA, former military weapons systems engineers, and more. Come with me on this strange journey.

Errilhl
"Responsible encryption"... just because you(!) (the government) can't "listen in", does not make it "irresponsible". They seem to operate under the delusion that their goals are always "good", and that such tools / availability won't ever affect anyone unduly. I wonder what kind of thought-process is involved in something like this. I'm assuming there's a lot of fear in there... "omg, the terrorists might talk together without us being able to listen in", some lack of privacy concerns... "oh, nothing to worry about, most people won't have anything to hide anyway", and a lack of understanding of what they're actually asking... "oh, don't worry, this will only be available to us, the government. Never will we, or the companies themselves, allow this to be misused". Without ever understanding that once it's made, it's public. By definition.
Michael Wild
Sorry for the delay. I would like to learn more about the 400 lb hacker if you have that. I am not sure what I missed there. Thanks again.
Ray Hayes
https://www.usatoday.com/story/tech/news/2016/09/27/tech-crowd-goes-wild-trumps-400-pound-hacker/91168144/
Violet Blue
Oct 29 at 1:44am: Dear Patrons (memoir; post for $25+ patrons)
Violet Blue
Oct 27 at 4:31pm

My meeting with Patreon

I went down to the Patreon offices today here in San Francisco. I met with a small team, and grilled them for a little over an hour. To my surprise, they answered every single one of my questions, and we've started a conversation -- and a plan of action -- I expect to continue over the next six months at least.
This meeting came after the two-week media storm that came out of changes to the language in their guidelines, reactions from us, the adult content communities here on Patreon, and the subsequent reactions between the two. Much of what I discussed with Patreon's team isn't ready for prime time yet. But I now have a very clear understanding of what's going on, where their values lie, and what to expect.

I spoke at length with the team lead who evaluates adult-themed Patreon accounts. I asked them what everyone who is scared right now should do; people who are worried about losing their accounts, people who don't trust the language used in the guidelines, people who are scared of losing their patrons -- and livelihood -- overnight.

The person I asked this question to is the one who answers all the email sent to guidelines @ patreon.com. Personally. Now, if you email this address and ask about your Patreon account in light of the change in wording to the guidelines, you will:

* Not be singled out, flagged, or penalized.

* You will have this real human email you back.

* (At their request, allow for a small delay because they're flooded right now. Nothing will fall apart in the meantime.)

* This human will personally take the time to assess your account and walk you through anything you might need to do to meet the guidelines.

Patreon invited me to come talk to them based on my tweets and quotes in press about their guidelines changes, and my commentary on the impact companies like Patreon have on artists -- specifically adult content creators. I was up front about the fact that I was concerned they were trying to somehow placate me; all too often, I see people speak out only to soften on their positions once a company gives them attention. This, I made clear, would not be the case. We who get put in the "porn" bucket by Facebook and its ilk are used to being deceived, used and discarded, and told that a company stands for "free speech" while it censors anyone with content pertaining to human sexuality (who are mostly women, LGBTQ people, and people of color). I explained all of this and more.

They listened, they didn't withhold questions, and asked for advice. Having dealt with companies trying to pacify me over their sex censorship since the days of Tribe net, this surprised me. Input, notes, value sharing, information exchange, discussions of language, and making plans to continue the discussion in a meaningful way (real advocacy) was not what I expected.

Hang tight, creators. Email them; ask before you self-censor.

More importantly, don't go away. We're not done here.

Gamersglory
As much as I am not fond of the alt-right I may have to move to https://hatreon.net/ as they got the right kind of Payment Processor for all adult content and their TOS allows anything legal
Gamersglory
Patreon is not being accommodating to most still
Violet Blue
Oct 24 at 6:31am

Cybersecurity news: October 24, 2017

Trump's cyber czar is MIA, hack attacks on cybersecurity conference peeps, how to pass a red team interview, PornHub's forthcoming OS, the FBI hates on encryption again, and much more weirdness is below.
Tales from the crypto

If it wasn't for those meddling kids and their totally-not-responsible encryption, the FBI would've been able to access the nearly 7,000 devices they couldn't break into. At least that's what the AP reports this week, saying "the FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, FBI Director Christopher Wray said Sunday."

In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech at the International Association of Chiefs of Police conference in Philadelphia.
“To put it mildly, this is a huge, huge problem,” Wray said. “It impacts investigations across the board — narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.”

Daphne and Velma were apparently unavailable for comment, as the AP centered its report on the encryption debate, but didn't offer the other side of the actual encryption debate. Scooby did remark that the article really felt like a press release from the FBI, and Shaggy, like, totally concurred, man.

Schrödinger's cyber czar

ABC News tells us that "A clearly frustrated, bipartisan panel of senators today threatened to subpoena the Trump administration’s cyber czar, demanding to know how the White House plans to address "the disarray" that has embodied the U.S. government's response to cyber threats from Russia and other adversaries.

At the end of the hearing's witness table, sitting beside Defense Department Assistant Secretary Kenneth Rapuano, was an empty chair that had been set aside for White House Cybersecurity Coordinator Rob Joyce, who declined an invitation to appear before the committee today."

I'm sure this will end well. But not for us! Also, they made grandpa mad. "Mr. Joyce’s absence here, whose job it is to do all this, is an example of the disarray in which this whole issue rests," said McCain, the committee's chairman. McCain also accused the Defense Department of deflecting this responsibility over to the DHS.

"I steadfastly reject your shuffling off the responsibilities of cyber over to the Department of Homeland Security," McCain said.

Teach a man to stop a phisher

Cool attacks coming your way, hackers! Literally. Especially if you're organizing or attending a conference that has to do with international cyber conflicts. Talos Intelligence found a phishing attack with its payload buried in a Word document that was expressly targeting those attending the conference CyCon 2018.

The decoy document is a flyer concerning the Cyber Conflict U.S. conference with the following filename Conference_on_Cyber_Conflict.doc. It contains 2 pages with the logo of the organizer and the sponsors (...)
Due to the nature of the document, we assume that the targeted people are linked or interested by the cybersecurity landscape. The exact content of the document can be found online on the conference website. The attackers probably copy/pasted it into Word to create the malicious document.

A slow Kaspersky news week

In the same vein that every no-name security company clamors for a mention or a quote just to be in the spotlight once, Kaspersky gets a media mention every week now -- but it was apparently a devil's bargain. This week saw security journalist Kim Zetter snatch the flag and run with it, in two lengthy pieces for the reputation-beleaguered Intercept.

Monday Zetter reported on Kaspersky's new bid to regain public trust through its just-announced "comprehensive transparency initiative." Zetter explained that it's "to allow independent third parties to review its source code and business practices and to assure the information security community that it can be trusted."

Last week, her deep dive explained that she was not convinced:

(...) a closer look at the allegations and technical details of how Kaspersky’s products operate raises questions about the accuracy of the narrative being woven in news reports and suggests that U.S. officials could be technically correct in their statements about what occurred, while also being incorrect about collusion on the part of Kaspersky.

Zetter's articles came on the heels of a WSJ report on a 2015 incident in which Russian state spies used Kaspersky antivirus to exfil sekrit NSA datas off some loosey-goosey contractor's computer. I think it would be neat to know who the contractor's company was. Press who had no idea that hackers even here in the good 'ol USA use AV to do naughty things were shocked, I tell you, just shocked, and confused, but mostly adamant that there was a smoking gun in there somewhere.

But no one's letting up with the think pieces on how hard it is to trust Kaspersky and stuff because !reasons! and it's getting a little ridiculous. Monday Lawfare went so far as to suggest Kaspersky should "have all communications between the company's servers and the 400 million or so installations on client machines go through an independent monitoring center." Which no security company would do, ever.

All I'm saying is, there are good points to be made about the Kaspersky drama, but we aren't finding them in the press.

Bug bounty clapback

Microsoft security threw shade at Chrome security in a blog post chiding Google's team for its handling of a recent patch. "Prior to the patch's official rollout, the source code for the fix was made public on GitHub," press wrote about the post. "That meant attentive hackers could have learned about the vulnerability before the patch was pushed out to customers, Microsoft claimed."

The post, written by Microsoft security team member Jordan Rabet, mainly poked at Chrome over the reason the patch was needed in the first place: a JavaScript bug that Microsoft had found. "Microsoft notified Google about the problem, which was patched last month. The company even received a $7,500 reward for finding the flaw."

Cybersecurity, terrifying tool of oppression

I prefer to make light of our cyberpain in this weekly brief, but this item is too serious to play with -- and it's something I think we need to pay close, cautionary attention to.

At the beginning of October the government of abysmally repressive Zimbabwe created its Ministry of Cyber Security, Threat Detection and Mitigation. According to a government spokesperson, CFR reported, its mission will focus on eliminating "abuse and unlawful conduct" in cyberspace like "a trap used to catch rats."

In an attempt to head off the expected outcry over its sweeping surveillance powers, the Mugabe government has expediently used the language of national security to justify the new ministry, as well as the government’s newfound, and now legally legitimate powers, to clamp down on constitutionally protected rights to free speech and to hinder political participation.
But wait, there's more:

How to Pass a Red Team Interview (Tim MalcomVetter – Medium)

How I Socially Engineer Myself Into High Security Facilities (Motherboard)

Hackers Steal Photos From Plastic Surgeon to the Stars, Claim Trove Includes Royals (Daily Beast)

PornHub is making an OS. Wait, what? Here's their post, PornHubOS - PornAOSP - PAOSP - the ROM of your dreams (paosp.github.io)

Supreme Court: Hacking conviction stands for man who didn’t hack computer (Ars Technica)

The New York Times Misleads on North Korean Cyber Operations (Lawfare)

Your help is needed

In case you haven't heard, Patreon is acting poorly about adult content and funding people like me who have porny websites -- but your donations here are exactly how it's possible for me to write, and raise awareness about their behavior.

It also makes this weekly security brief possible, keeps my rent paid, and yes, keeps a site going that Patreon might penalize. Becoming my patron quite literally helps fight this kind of censorship right now, and every dollar makes a difference. I hope you'll consider supporting my work here. If you're already a patron, thank you. I can't make it without your help. If you can't afford it, please share this post -- every little bit helps.

Those who become a patron at the $25 level and up get access to my private posts. Those are personal, and are me chronicling the researching and writing of (what I'm finding out) were unbelievable things to happen to me as a kid. I'm interviewing police officers, retired DEA, former military weapons systems engineers, and more. Come with me on this strange journey. My next update and writing installment is this Saturday, October 28.

Main post image via r/techsupportgore.

Michael Wild
I really enjoyed this. The Cyber Czar missing was not in any news I read. Thank you for that.
3w
Violet Blue
Oct 17 at 6:30am

Hacking and infosec news: October 17, 2017


BAE Systems isn't run by Beyoncé, everyone's freaking out about Krack, "responsible encryption" was invented, the Infineon RSA key gen issue will make the world explode, something-something Kaspersky, a bank heist done with a magnet, and much more.
Plumber's Krack

There's a wifi thing and it's making all the infosec thought leaders race to get quoted by press about their expertise again. Yes it has a shiny website and overdesigned logo already.

Wise reporters waited out the storm of clickbait articles telling people never to use wifi again. This is the best summary of the WPA2 vulnerability called KRACK, and of what, if anything, you should actually do about it beyond updating your devices and whatnot.

Also called "alt-backdoor"

Deputy Attorney General Rod Rosenstein gave a speech last week about encryption to the U.S. Naval Academy, and said some pretty wack-a-doo things about the topic at hand. Notably, he introduced a new Defcon buzzword bingo entry, "responsible encryption" -- turning the noses of many casual Twitter observers into coffee shooters.

He said:

Responsible encryption is achievable. Responsible encryption can involve effective, secure encryption that allows access only with judicial authorization.
The full text of his speech is on Lawfare.

Hold my Krack

PSA: Do you use a Yubikey? I do. Verify if it's affected by the Infineon RSA Key generation issue and get a free replacement.

If you're unfamiliar, the Infineon RSA Key gen issue is probably worse than Krack. Researchers in the Czech Republic uncovered a huge vuln in RSA keys generated by Infineon Technologies-produced chips (found in Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba and Chromebook products).

"A remote attacker can compute an RSA private key from the value of a public key. The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks," according to their report.

"The vulnerability does NOT depend on a weak or a faulty random number generator - all RSA keys generated by a vulnerable chip are impacted," they said.

"The RSA keys generated by Infineon's chips are used in government-issued identity documents, during software signing, in authentication tokens, with message protection like PGP, in programmable smartcards and during secure browsing," Engadget reported.
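The reason the Czech researchers can say "all RSA keys generated by a vulnerable chip are impacted" is that the weakness is structural, and that structure is visible from the public half of the key alone. As their public write-up describes it, affected primes have the form p = k * M + (65537^a mod M), where M is a primorial (2 * 3 * 5 * ... * 167 for 512-bit keys). Since every small prime divides M, the modulus N = p * q lands in the multiplicative subgroup generated by 65537 modulo each of those small primes, every time; a modulus from a sound generator almost never does. The block below is an added example, not code from this post and not the researchers' published tool: it implements that fingerprint test, and then builds two constructed 512-bit moduli, one with the weak structure and one from random primes, to show the test separating them. The primorial, the 65537 generator and the p = k*M + r form are taken from the public write-up; the key-generation routine is a toy reproduction of that structure for demonstration, not Infineon's firmware, and no real key material is involved.

```python
"""Fingerprint an RSA modulus for the Infineon (ROCA) weak-keygen structure.

Added example, not code from this post or from the researchers' published tool.
Assumed structure, from the public write-up: affected primes look like
    p = k * M + (65537 ** a mod M),   M = 2 * 3 * 5 * ... * 167
so for every small prime p_i dividing M, the modulus N = p * q satisfies
    N mod p_i = 65537 ** (a + b) mod p_i,
i.e. N always lies in the subgroup generated by 65537 modulo p_i.
"""
import random

# Odd primes whose product (with 2) is the primorial used for 512-bit keys.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]

M = 2
for _p in SMALL_PRIMES:
    M *= _p  # primorial: every prime in SMALL_PRIMES divides it


def generator_subgroup(p):
    """Residues 65537^k mod p: the only values an affected modulus can take mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * 65537) % p
    return seen


SUBGROUPS = {p: generator_subgroup(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n):
    """True when N mod p is in the 65537-subgroup for every small prime.

    A single residue outside the subgroup proves the key did not come from the
    affected generator; passing all checks is the fingerprint of an affected key.
    """
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin with a few trial divisions up front (enough for a demo)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def weak_prime(bits, rng):
    """Toy reproduction of the affected structure: p = k*M + (65537^a mod M)."""
    a = rng.randrange(M)          # the small secret the real attack recovers
    r = pow(65537, a, M)          # odd and coprime to M, so candidates can be prime
    k_bits = bits - M.bit_length()
    while True:
        k = rng.getrandbits(k_bits) | (1 << (k_bits - 1))
        cand = k * M + r          # cand mod p_i == r mod p_i, independent of k
        if is_probable_prime(cand, rng):
            return cand


def random_prime(bits, rng):
    """What a sound generator does: random odd candidates until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def weak_modulus(bits=512, seed=1):
    """Constructed modulus with the affected structure (seeded, so repeatable)."""
    rng = random.Random(seed)
    return weak_prime(bits // 2, rng) * weak_prime(bits // 2, rng)


def sound_modulus(bits=512, seed=1):
    """Constructed modulus from random primes, for comparison."""
    rng = random.Random(seed)
    return random_prime(bits // 2, rng) * random_prime(bits // 2, rng)


if __name__ == "__main__":
    print("constructed weak modulus flagged: ", has_roca_fingerprint(weak_modulus()))
    print("constructed sound modulus flagged:", has_roca_fingerprint(sound_modulus()))
```

To check a real key, hand `has_roca_fingerprint` the integer modulus pulled from the certificate, SSH key or PGP key. One residue outside the subgroup rules the key out; passing all 38 checks is the fingerprint, and a random modulus passes by accident with negligible probability. The fingerprint only tells you the key has the weak structure; recovering the private key from it is the expensive part and is not shown here.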

Kasperger's syndrome

Last week everyone enjoyed another round of hating on Kaspersky thanks to a report in WSJ saying that US government officials believe Russian state spies buried payload in Kaspersky antivirus to pilfer NSA data off a contractor's computer back in 2015.

Say whatcha will, but now the company has announced the discovery of a new Adobe Flash zero day exploit, found being delivered through a Microsoft Office doc with a final payload of the newest FinSpy malware. It's from an APT they've been tracking called "BlackOasis." Securelist wrote:

BlackOasis’ interests span a wide gamut of figures involved in Middle Eastern politics and verticals disproportionately relevant to the region. This includes prominent figures in the United Nations, opposition bloggers and activists, and regional news correspondents.
Also, raise your hand if you stash payloads in AV. It's not at all new, and yet somehow this was shocking news. I know a few of you who do this, and I really wish the reporting on things like this would include you (or at least your delightful body of work), so both reporters and public wouldn't be so damn shocked to learn about it for the first time.

An attractive technique

There's something really admirable about the guy who robbed a bank in Damansara Heights, Kuala Lumpur armed only with social engineering skills and a magnet to defeat the auto-latch on a safe room door.

Our protagonist walked into the bank at lunchtime with his backpack and told staff he was there to inspect the fire extinguishers. The bank manager asked him for ID and he didn't have any -- and then the manager left for lunch, leaving the thief to linger and eventually walk into the restricted areas of the bank.

From there, he pretended to inspect fire extinguishers, edging closer to the safe room, slapping a magnet onto the door latch after an employee went through. The magnet (as many of you probably know) froze the latch in its open position. Then he went in, stuffed his backpack with cash, and left. He walked out with RM600k (just under $150K).

Ocean's 15 will be really boring

I might've been the only one last week to write more than a passing mention about the new round of SWIFT bank heists, but now that story is back with an (allegedly) bigger bang. The new information comes from BAE Systems, which disappoints me every damn time by not actually being Beyoncé's very own infosec company. I can't be the only one.

We previously learned there was yet another SWIFT snatch and grab at the Far Eastern International Bank of Taiwan, in which thieves made off with over $60 million thanks to malware generating fake SWIFT messages. Yesterday BAE Systems Plc told Reuters by phone that it believes Lazarus (the North Korean hacking group) is "likely" responsible for the recent SWIFT heist in Taiwan.

"The British firm has previously linked Lazarus to last year’s $81 million cyber heist at Bangladesh’s central bank, as have other cyber firms including Russia’s Kaspersky Lab and California-based Symantec Corp," Reuters wrote.

The correct term is "cyber-capable"

Once again, the NYT published another article that had researchers sighing and WTFing on Twitter. This time, a distressingly meandering treatise on why we should all stop laughing at North Korea's state hackers, though I don't think any of us actually were. Maybe it's their internalized racism? Anyway.

Reuters reporter Dustin Volz helpfully collected and listed all the times NYT made up a new word by pinning "cyber" to the beginning of it, in what might be the paper's clearest example of seriously fucking lazy shorthand for actual writing.

He wrote, "The use of the cyberprefix in this story is OFF THE CYBERCHART" and listed:

1) cyberprogram

2) cyberstrike

3) cyberpotential

4) cyberretaliation

5) cyberconflict

6) cyberoperations

7) cybermission

8) cyberpolicy

9) cybercapabilities

10) cyberbattle

11) cyberactivities

12) cyber arms race

13) cyberwarriors



More items worth a click:

How an inmate hacker hid computers in the ceiling and turned his prison upside down (Verge)

If You're Going to Defraud the Defense Department Maybe Don't Write About It On LinkedIn (Gizmodo)

Unpatched Exploit Lets You Clone Key Fobs and Open Subaru Cars (Bleeping Computer)

Facebook takes down data and thousands of posts, obscuring reach of Russian disinformation (Washington Post)

Justice Department Drops Request for Names of People Who 'Liked' Anti-Trump Facebook Page (Gizmodo)

U.S. Supreme Court declines to review computer hacking cases (Reuters)



Like this brief? It needs your help.

I love doing this weekly roundup, and a lot of people read it. If only half the people who read it would become a patron at any level, it would be sustainable! That's why I'm asking: Please help support this endeavor however you can -- social media sharing, become a patron, or a link back if you base reporting on what you found here. And if you are already a patron, THANK YOU.

Those who become a patron at the $25 level and up get access to my private posts. Those are personal, and are me chronicling the researching and writing of (what I'm finding out) were unbelievable things to happen to me as a kid. I'm interviewing police officers, retired DEA, former military weapons systems engineers, and more. Come with me on this strange journey.

Main post image via Ned Pyle.

Michael Wild
NYT is one of my favorite reads. To me their writing style is excellent, and I genuinely enjoy their articles. Their recent reporting on gravity waves was beautiful. The computer stuff is not so good. I become concerned when I read attacks on NYT, but I will keep an open mind.
4w
Brian Martin
With the nature of InfoSec (primarily it being a shitty place), I think "Kasperger's syndrome" is brilliant and might be a term we see come up again for the next similar case.
4w
Violet Blue
Oct 14 at 4:18pm
Dear Patrons (post for $25+ patrons; memoir)
Violet Blue
Oct 10 at 6:31am

Hacking and infosec news: October 10, 2017


"The source code shown in Star Trek Discovery was actually decompiled Stuxnet, not Windows" -- Main post image via @campuscodi and Movie Code.
Every week of 2017 feels like a year of cybersecurity reporting. In this week's brief: The true horrors of vote hacking to be revealed later today, Kaspersky haters are having a banner year, the White House Chief of Staff's phone was owned sooo hard, another SWIFT malware bank heist, actual fugitives hiding in escape rooms, and much more.

National insecurity

Today CSPAN will be covering the release of a special DEF CON report on its Voting Village findings from August at this year's conference (Tuesday 10/10, 12pm ET live on CSPAN 2).

I've been looking forward to this report since the conference. The weekend-long Voting Machine Hacking Village was widely covered by the biggest news outlets this year without that report, and minus the context of the conference's long history in exposing these very serious problems.

As I wrote back in August, this year was groundbreaking: it was officially the first time large-scale hacking of voting machines has happened (openly, anyway), since doing so has been considered illegal. Thanks to the hard work of law professor Andrea Matwyshyn, scores of hackers could throw everything they had at voting machines for all to see. The results were problematic for any democracy, to say the least.

For instance, they found that all Sequoia brand voting machines shared a common, hard-coded password.

It was scary. @pwnallthethings wrote, "Every single e-vote machine at @Defcon got hacked in < 2.5 days (some in minutes) to hackers without inside or domain-specific knowledge." He added, "Horrifyingly, some were hacked wirelessly (ie no physical access). Many hadn't had OS or basic software patches in over a decade." ... "Others had been sold off after use, but hadn't been wiped; still had voter data on them. Didn't hear of any with any credible audit trail."

In addition journalist Kim Zetter noted, "One of the Express epollbooks at the Defcon voting machine hacking village had 600,000 voter reg records on it from Shelby County, TN."

It'll be really interesting to find out more in the coming days. "The report, to be unveiled at an event at the Atlantic Council, comes as the investigation continues by four Hill committees, plus Justice Department special counsel Robert Mueller, into Russian meddling in the 2016 elections, on top of the firm intelligence community assessments of interference," wrote Politico.

I wrote about why I think US voting databases were hacked prior to the 2016 election in my most recent column -- check it out.

They are, however, smoking gun adjacent

U.S. government officials believe Russian spies used Kaspersky antivirus to steal NSA secrets by way of a contractor who stole the secrets, then had his computer pwned (allegedly) via Kaspersky's AV. The Wall Street Journal reported last Thursday that "An NSA contractor took highly sensitive data from the complex and put it on his home computer, from which it was stolen by hackers working for the Russian government," according to "people familiar with the matter."

The article was clear that the 2015 incident is the first known instance of Kaspersky AV being exploited in this manner; it did not say how the AV was exploited, and, importantly, it didn't lay blame at Kaspersky's doorstep. WSJ wrote, "The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said."

Nonetheless, online personalities who regularly beat the anti-Kaspersky drum took it and ran, accusing the security firm of being complicit and announcing on social media that Kaspersky was "done." Notably, New York Times reporter Nicole Perlroth, who really doesn't seem to like Kaspersky, made sure to drive her point home with an article in the NYT.

Whether or not Kaspersky is a tool for the Russian government -- we're still waiting for concrete evidence -- the anti-Kaspersky personalities charging forward with beliefs layered on articles like WSJ's are making me dig in my heels about staying objective.

I'm not the only one interested in objectivity here. After a few articles and blog posts came out tying the WSJ piece together with Twitter opinions to damn Kaspersky, people in infosec with no horse in the race started to say hey, wait a minute.

Meanwhile, yet another piece came out about Best Buy removing Kaspersky AV from its stores, a decision the retail giant is currently implementing. Those cheering the move must take cold comfort that Best Buy is offering its customers a free replacement in the form of everyone's hated malware-cum-AV, McAfee.

Gettin' SWIFT-y

I don't think those SWIFT bank heists are going away anytime soon: There's been another one at the Far Eastern International Bank of Taiwan, in which thieves made off with over $60 million thanks to malware generating fake SWIFT messages.

As you may recall, the central bank of Bangladesh was hit in February 2016, where attackers similarly infected the bank's computers with malware. This "allowed them to subvert SWIFT's client software and inject fraudulent money-moving requests into the SWIFT interbank messaging network," wrote Bank Infosecurity. "The attackers attempted to steal $951 million from the bank's Federal Reserve of New York account. Ultimately, they made off with $81 million."

"Following the Bangladesh Bank heist," they wrote, "other banks revealed similar attack attempts, some of which predated that heist and some of which have been successful. Those revelations triggered a public relations disaster for SWIFT, leading the cooperative to try and reboot its security approach." It also triggered the bank's PR department to try and get me, and my editors, to change wording in one of my articles to make SWIFT seem less ... vulnerable.

And no, we did not massage the text to make SWIFT look better.

Hacking the low-hanging fruit

Can you imagine what a nightmare it must be to try and secure this administration?

That nightmare is real -- especially for us. Three White House officials told Politico that Chief of Staff John Kelly’s personal cellphone was compromised as far back as December 2016. The pwnage was discovered sometime this summer, when Kelly turned his cellphone over to White House IT staff -- because it was acting funny and not updating software like it should.

Apparently a White House official also told Politico that Kelly "had not used the personal phone often since joining the administration," which is obviously bullshit, because otherwise Kelly would have no knowledge of the phone not updating or operating properly.

"The discovery raises concerns that hackers or foreign governments may have had access to data on Kelly’s phone while he was secretary of Homeland Security and after he joined the West Wing," they wrote. Kelly joined the Trump administration in January.

More notable clickables:

Prison escapees caught at Canadian escape room interactive game (Guardian)
The Szechuan sauce fiasco proves Rick and Morty fans don’t understand Rick and Morty (Polygon)
Equifax rival TransUnion has hired cybersecurity lobbyists in Washington, D.C. (Recode)
Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI (BleepingComputer)
This Is What It Looks Like When the President Asks People to Snitch on Their Neighbors (Splinter News)
The Prison Guards Who Stole a Salvador Dalí Painting (Daily Beast)


This roundup needs your support

By the time this weekly roundup is published, I'm already working on the next brief -- and it's a labor of love. That may sound odd considering how cringeworthy it is to chronicle, collect and summarize the latest cybersecurity news stories. It's an obsession I think you understand (at least because you've read this far). Please help support this endeavor however you can -- a social media share, become a patron, or give a link back if you base your reporting or blog post on what you found here. And if you are already a patron, thank you.



Michael Wild
It is amazing that Kelly's phone was compromised.
4w
Violet Blue
Oct 3 at 6:31am

Hacking and infosec news: October 3, 2017


Problems with NYT's vote hacking coverage, we'll never know who cracked the FBI's iPhone (wink), Equifax continues to horrify, Trump's 4Chan strategy against North Korea, Kushner's other other other private White House email account, a cool silicon heist story, and much more.
Trouble in Perlothdise

Bad reporting from the New York Times on vote hacking is bad. At least that's the very sharp opinion of the Washington Post, which tore into a piece by Nicole Perlroth, Michael Wines and Matthew Rosenberg that had a boatload of problems, was over-aggressively defended, and was not properly corrected.

Among the issues, The Post's Erik Wemple wrote that "publication of the story touched off some contentious correspondence between elections officials in North Carolina and the New York Times. The Durham County Board of Elections issued a news release attacking the newspaper."

They wrote: “Many of the allegations contained in the coverage are based on remote hearsay or were otherwise unverified by election officials in North Carolina before the story was published. In response to these concerns, the Durham County Board of Elections, along with the State Board of Elections & Ethics Enforcement, is respectfully requesting that The New York Times retract or correct its coverage unless verifiable evidence is provided.”

Wemple added, "The New York Times did publish a correction on the elections piece. It stated that the story had referred “incorrectly to problems with voter rolls in three North Carolina counties that included the cities of Raleigh, Winston-Salem and Charlotte. The problems involved paper rolls, not e-poll books.” In the revised sentence, the only change was that “e-poll book incidents” was replaced with “paper roll incidents.”

There's more, but wow, what a mess -- and it was one that got picked up and re-reported before its (apparently weak) corrections, as well.

Low orbit ion Bannon

Reassuring to none, we're just finding out now that Trump secretly signed a directive in March outlining and ordering a strategy against North Korea that included cyberattacks.

According to new reports, "As part of the campaign, U.S. Cyber Command targeted hackers in North Korea’s military spy agency, the Reconnaissance General Bureau, by barraging their computer servers with traffic that choked off Internet access." As in, DDoSing, because we're apparently like 12-year-olds on 4Chan now when it comes to diplomacy. Maybe they should just use Cloudflare...

Loose lips sink bullshit

A federal judge ruled this week that the feds don't have to tell anyone that it was probably Cellebrite who cracked that iPhone belonging to the San Bernardino shooter for what everyone thinks was a million dollars.

"Three news organizations — USA Today, The Associated Press and Vice Media — sued under the Freedom of Information Act to try to force the FBI to reveal the amount of the payment and the identity of the company that received it," wrote Politico, "but U.S. District Court Judge Tanya Chutkan ruled Saturday that information is exempt from mandatory disclosure under the landmark transparency statute."

Sen. Dianne Feinstein (D-Calif.) blabbed to press earlier this year that the FBI paid $900,000 to crack the iPhone, but no one was able to confirm it. Her loose-lips slip came after a protracted war of words in the press between then-FBI director James Comey and Apple, in which everyone got upset and argued about encryption. Again.

It's almost like he knew it would happen

As much as we'd prefer it, Equifax just won't go away and journos won't stop cranking out the cringeworthy articles desperately trying to frame the exploitation of an unpatched vuln as "sophisticated." Bloomberg stepped in the "sophisticated" and tracked it all over their piece offering an inside look at the Equifax disaster, which said it was scary state actors while also saying it was hard to know who really did it. Super helpful, guys.

After that washed over us with all the excitement of a fart in a nursing home, we found out that Equifax's now-former CEO Rick Smith got a cool $90 million when he bailed out. A talk he gave in August about cybersecurity surfaced on Fortune, in which Smith trotted out the most tired old adage in the game, saying:

There's those companies that have been breached and know it, and there are those companies that have been breached and don't know it.
For some reason no one had heard this saying, which every hacker in a nursing home hates because it's so tired, but it was apparently exciting news for some news outlets. Smith also foreshadowed our future fates in his inept hands, telling the audience about the evils hackers can do with consumers' personal information, like selling it on the Dark Web -- which is where our Equifax info is now. "It is a very lucrative way to make money," he said. With that $90 million golden parachute, he should know.

Meanwhile, the bad news just keeps coming. Yesterday Equifax admitted that an additional 2.5 million people were affected by its breach.

What could possibly go wrong

Back in June, the Russian government stepped up its demands to review the source code of products sold in the country by foreign companies. Cisco, IBM and SAP were among the first big companies to give in to the renewed demands.

This week we learn that, as part of acceding to these demands, Hewlett Packard Enterprise has handed the Russian government source code for its ArcSight security platform so it can continue selling the product in Russia. That's got more than a few people freaking out because one of ArcSight's big customers is the Pentagon, which uses it "to trawl through millions of log files looking for suspicious activity, in its Secret Internet Protocol Router Network, aka SIPRNet, that manages secure communications for the US intelligence services," according to The Register.

In other words, if there are any exploitable vulnerabilities in the ArcSight code, and therefore in SIPRNet, then the Russians may well also know about them, which would be very handy in snooping on American spies.
"It's a huge security vulnerability," Greg Martin, a former security architect for ArcSight, told Reuters. "You are definitely giving inner access and potential exploits to an adversary."

Other cool clickables:

Who will take responsibility for Facebook? (Wired)
Ajit Pai gets new term on FCC despite protest of anti-net neutrality plan (Ars Technica)
Jared Kushner Had Third, Previously Undisclosed Private Email Account (Mediaite)
When a tanker vanishes, all the evidence points to Russia (Wired UK)
The Inside Story of the Great Silicon Heist (Wired)
Your support is needed -- and deeply appreciated

This weekly brief is imitated, used as a crib sheet by other reporters, is made possible by your donations and support, and put together by my stern yet loving paws every week. It can't happen without patrons, so please consider a contribution if you haven't made one yet, and if you can't afford it, that's okay: There's room for everyone at this table. Pull up a seat, make a comment, share this little labor of love with your friends and followers, and enjoy :)

PS - I'm going through something really weird right now involving police, dangerous criminals from my past, and the luck of having friends in the right places. Read more about it here.

Kris Jones
Excellent round up, as always. Love this week's (stock?) header photo - lots going on here. Those pumps! haha.
1m
Carl Tyer
Thanks for the labor of love Violet, read your personal letter on the new book you are working on, be safe.
1m
Violet Blue
Sep 30 at 3:16pm
Dear Patrons


This week I received a message from an intermediary between myself and the SFPD. The message sent to me is one of concern.
Let me back up a little bit. I've begun work to write a book about growing up on the streets of San Francisco. The short version is that my birth mother was a Stanford-grad engineer who worked in Silicon Valley for government contractors until she decided the glamorous life of coke dealing and addiction was worth more than anything in the world, including me. I ran away from her on the eve of my 14th birthday.

I lived on the streets of San Francisco until I was 17 and 1/2. Two years before I ran -- escaping the absolute madness of my mother's coke-fueled nervous breakdowns and trying to trade me for drugs -- she did something that I'm still trying to understand. It involved some very powerful drug importers, the SFPD and DEA, and an event that made headlines in the San Francisco Chronicle.

After that, we were relocated and she was given a new identity. Six months later we were right back in San Francisco and my mother was doing and dealing coke again, an addiction she soon traded for crack. I went from cutting coke and weighing bindles at 12 to cooking crack at 13, staying away from her verbal abuse as much as possible, and avoiding being left alone with my mother's "friends." This was all in the Sunset District, at a house we were crashing in located on the foggy side of SF's iconic Sutro Tower.

Half of what my mother told me about my family, and her life, wasn't accurate. I'm starting to unravel the truth of things in an effort to find out what happened to me. It's difficult because my mother kept the existence of my real father a secret, and her own family disowned her -- and me -- when I was too young to understand what was happening.

But I remember that article in the Chronicle. And I remember so much more.

A few weeks ago I reconnected with a couple of old SF Chronicle friends (and yes: I miss writing my column for the Chronicle every day of my life and would do it again in a heartbeat). I told my friends what I was trying to find out around that news article and my birth mother. One of my friends, being a crime reporter, said they'd hit up some sources to see if anyone would want to talk to me. Looking at the message I got this week, it's safe to say I hit paydirt. But it wasn't what I expected.

The message I received was long, extremely helpful and supportive, and came with a generous offer to help me even further; to help me track down people for interviews. This message also came with strong concerns; a warning. The people involved with whatever my mother did, I was cautioned, don't forgive and forget. Despite the fact that I was a child, and have no contact with my mother (last contact: 20 years ago, and she ripped me off for all the money I had), writing it down for all to see would most likely put my life at risk.

I'm still deciding on my next course of action.

So why am I telling you this, here? It's no secret that I'm having tough times financially, and so is almost every writer I know. The book industry is suffering and everyone who isn't lucky to have mainstream book industry privilege and access -- which gets you favored by algorithms -- is seeing sales on a hellish, slow decline. The journalism industry is incredibly lean (I know you see me hustling for writing gigs all the time - hire me!). This is complicated further by my (unfortunate) decision to support my now ex-partner for a period that ambushed my expectations (and my limits) by becoming a couple of years. It blows my mind that I'm still struggling. I'm out here alone, though I do prefer being alone most days.

Still, I've started work on this book, and I hold onto the faith that maybe it can be a breakthrough book for me. I don't only want to tell my mother's story, or mine, but also the stories of the little kids I was on the streets with, and the place they occupy in San Francisco's rich history.

The reason I've put this post on Patreon is twofold. One, patrons like you are keeping me going in more ways than financial. You make me feel less alone in a truly meaningful way while making it possible for me to pay rent. Patreon has become where I connect with readers in a deeper way than Twitter. Two, I want to fund this book through Patreon, rather than a Kickstarter.

That's because I want to share my process, my research, my writing, even the slang we used as punks on the streets and experiences we had with you, my patrons. With this book I also hope to change our cultural conversations about poverty, family, mental health, and resilience. But because of the sensitive nature of the material, and the risks I'm now aware of, I don't want to do this in the public square, as it were.

Posts about this book will be private posts for the $25 level and up patrons.

This gets me closer to sustainability while I tackle the manuscript, and should help screen out the looky-loos a little bit. It establishes a relationship balanced on cash and access that's meaningful to me. At this level, every two weeks you'll get an update (one that is also sent to your inbox when I publish). You can give me feedback, ask questions, and comment privately. Every supporter at the $25 level and up will get a copy of the book when it's finished.

Our weekly cybersecurity brief will continue, of course. It hurts so good, you know?

This post is practically a little novel all on its own. Thanks for reading this far. If you can't contribute, please help spread the word. In the meantime, please be well in this harsh world. The night may be dark and full of terrors, but I know for a fact that light always comes.

Neil Ford
I’m in also, but they won’t take the first pledge until Nov 1. Any way to make a contribution before then?
ChrisBuzon
Neil, may I suggest catnip toys? Max has a penchant for bananas.
Violet Blue
Sep 26 at 6:31am

Hacking and infosec news: September 26, 2017

Showtime is running a cryptocurrency miner, college degrees and infosec, CCleaner was used for espionage attacks, ISPs are colluding to taint apps with spyware, the Deloitte hack could have Trump info involved, and much more.

Miner threat

In last week's roundup I included an item about the Pirate Bay attempting to run a cryptocurrency miner off their website -- one which pissed off the site's users because it used the browser resources of visitors, without their consent.

Now we're starting to see headlines saying that TV channel Showtime's websites have been hacked and are running Coinhive, a JavaScript library that mines Monero using the CPU resources of users visiting Showtime's websites. Except there's one thing: It appears to be voluntarily, and carefully calibrated as to not be disruptive to visitors (probably in hopes of remaining undetected).

This indicates that Showtime may be testing the new trend of supplementing advertising with cryptocurrency mining, because "Coinhive has been advertised as a technology that could replace ads by allowing site owners to mine for the Monero cryptocurrency," according to press. "This is the most likely explanation," they added, "as the setThrottle value is 0.97, meaning the mining script will remain dormant for 97% of the time."

Pirate Bay was also using Coinhive, which was officially launched on September 14. BleepingComputer wrote,

Coinhive has been recently adopted by a large number of malware operations, such as malvertisers, adware developers, rogue Chrome extensions, and website hackers, who secretly load the code in a page's background and make money off unsuspecting users.
One hacker has made a list of shady sites using the Coinhive script on visitors and published it on Pastebin.

Hacking the system

Last week everyone was up in arms about a music composition degree held by a female ex-Equifax security executive; the online arguments highlighted sexism in infosec and ignited debates about cybersecurity qualifications.

A supporter of this Patreon messaged me about an upcoming (November) report from internet infrastructure organization Packet Clearing House and professor Coye Cheshire at the U.C. Berkeley School of Information -- that is a fascinating, game-changing deep-dive on the educational backgrounds of infosec workers.

If you've ever wondered whether a degree matters, or what kinds of degrees successful cybersecurity workers have, check it out.

Holy crap (cleaner)

Another previous item snowballing into a full-blown mess is the malware-infected PC disk-maintenance utility software CCleaner, which we learned had infected 2.2 million people. Now we know much more, and it's not good.

The infection was actually a range of targeted attacks. "In August, some unknown hacking group inserted a backdoor into the CCleaner software, which was then dutifully installed on more than 700,000 machines," wrote Fortune. "With that foothold, the attackers then attempted to drill down deeper into the networks of at least 18 big tech company targets, including Google, Intel, Microsoft, Samsung, HTC, and Cisco. Presumably, the intruders sought trade secrets."

At least 40 PCs infected by the malware got an advanced second-stage payload that researchers are still scrambling to understand, according to officials from CCleaner's parent company.

Charged for crappy internet, spyware is free

Well-known surveillance tool FinFisher, used in the US for "lawful interception," has been found in some installs of WhatsApp, Skype, Avast, WinRAR, and VLC Player -- inserted into the apps at the ISP level.

According to ESET’s blog, where the discovery was announced, the GammaGroup product -- also called FinSpy -- has shown up in the apps in at least seven countries, though ESET is not naming the countries.

Adobe Riiiiiiick

The afternoon of September 22 security researcher Juho Nurminen pointed out that an Adobe team member had posted the private PGP key for PSIRT's e-mail account (along with the public one). Both keys were taken down, and the public key was replaced with a new one, but it was still a pretty huge gaffe.

Worse, Nurminen had found the key on Adobe's Product Security Incident Response Team blog. Three days later Adobe finally responded to requests for comment saying, "The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers."

A breach to watch

Global accounting firm Deloitte was the victim of a targeted attack that affected the confidential emails and plans of its blue-chip clients. The company provided few details on the breach, issuing a statement Monday saying that only a small number of clients were affected -- though I think we all know statements like that are a wait-and-see situation.

"The attack appeared to target the firm’s U.S. operations, was discovered in March and could have begun as early as October 2016," wrote Reuters.

The Guardian broke the story Monday saying that Deloitte clients across all the sectors of "banks, multinational companies, media enterprises, pharmaceutical firms and government agencies ... had material in the company email system that was breached. The companies include household names as well as US government departments."

The Guardian adds:

In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.

Under Trump, Rex Tillerson is working with Deloitte to downsize and slash the budget of the State Department (many believe he is doing permanent damage to the department after being tasked by Trump to diminish it). Deloitte was also a donor to Trump's inauguration. It would be interesting if any of Deloitte's current work with the Trump administration was in the hack's spoils.

More like totally baked Sierra

Reports are piling up about an alleged security problem with Apple's new High Sierra OS, in which someone can allegedly extract plaintext passwords from the Keychain. Synack researcher Patrick Wardle published a video proof of concept demonstrating his “keychainStealer” app, though it hasn't been independently verified and Wardle has not published the full exploit code. Apple has not commented on the attack.

More from around the web:

How Apple Will Stop Companies Abusing Facial Recognition (doesn't actually say how, but has fascinating analysis on exactly what will go wrong with Face ID; Fortune)
The Untold Story of Kim Jong-nam’s Assassination (GQ)
DHS tells states about Russian hacking during 2016 election (Washington Post)
After the breach, Equifax now faces the lawsuits (Chicago Tribune)
Hackers create memorial for a cockroach named Trevor (CS Online)
OPM Data Breach Lawsuit Tossed, Fed Plaintiffs will Appeal (DarkReading)

Help spread the word

This weekly roundup is 100% indie -- no company is behind this, and no advertisers control its content. That's only possible because patrons subscribe and donate to support independent journalism like this. Please help! More donations are needed to keep it going, so please consider making a contribution. If things are too tight, please help spread the word so people who can afford to support it can find out.

If you're already a patron, thank you. Your support means more than you know.

Main post image via @p01arst0rm. See also: Macro Rick, Java Rick, p-public key Rick, and Sealed Indictment Rick.

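The Coinhive item in the roundup above hinges on one number: a setThrottle of 0.97 leaves the miner idle 97% of the time, small enough that visitors rarely notice. The check below is an added example, not code from the original post or from Coinhive: it scans fetched HTML for a Coinhive loader and reports the effective throttle and CPU share. The script filename and the CoinHive.Anonymous constructor are assumptions drawn from Coinhive's public documentation of the day, and the sample pages are constructed.

```python
import re

# Constructed sample pages standing in for fetched HTML. The coinhive.min.js
# filename and the CoinHive.Anonymous constructor are assumptions from
# Coinhive's public docs; SITE_KEY_PLACEHOLDER is exactly that.
SAMPLE_PAGES = {
    "clean": "<html><head><title>Schedule</title></head><body>Hi</body></html>",
    "throttled": """<html><head>
      <script src="https://coinhive.com/lib/coinhive.min.js"></script>
      <script>
        var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
        miner.setThrottle(0.97);
        miner.start();
      </script></head></html>""",
    "aggressive": """<script src="//coinhive.com/lib/coinhive.min.js"></script>
      <script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {threads: 4}).start();</script>""",
}

# A <script> tag whose src ends in the Coinhive loader filename.
COINHIVE_SRC = re.compile(r'<script[^>]+src=["\']?[^"\'>]*coinhive\.min\.js', re.I)
# Throttle set either via setThrottle(x) or the {throttle: x} option;
# one pattern so findall() returns matches in document order.
THROTTLE = re.compile(r'(?:setThrottle\(\s*|throttle\s*:\s*)([01](?:\.\d+)?)')


def inspect_page(html):
    """Return None if no Coinhive loader is present, otherwise a dict with the
    effective throttle, the share of visitor CPU time the miner may consume,
    and whether the throttle is high enough to count as stealthy."""
    if not COINHIVE_SRC.search(html):
        return None
    throttles = [float(t) for t in THROTTLE.findall(html)]
    # Coinhive's documented default is no throttling: the miner runs flat out.
    throttle = throttles[-1] if throttles else 0.0  # the last setting wins
    cpu_share = round(1.0 - throttle, 2)
    return {
        "throttle": throttle,
        "cpu_share": cpu_share,
        # A throttle of 0.9 or more keeps load low enough to evade casual notice,
        # which is the pattern the Showtime reports describe.
        "stealthy": throttle >= 0.9,
    }


if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, inspect_page(html))
```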
Michael Wild
I was really surprised by the mining story. Coin mining reminds me of a version of a pyramid scheme but others seem to think it is OK. I find it odd to loan compute from my browser to help cover the costs of a website. My research into block chains showed that you can even write programs in the block chains themselves and run them. I was thinking about how to create a giant distributed system where folks gave part of their computer resources to be part of the distributed system. Just leave a few spare Raspberry Pis up and running to cover your donation and then have access 7/24 to nearly unlimited compute power when you need it. This seems to be approaching that. Just a few random thoughts. Thank you again!
Gamersglory
Legit Coin mining can bring a great ROI if you have enough money to invest in the mining ASICs and GPUs.

REWARDS
PATRON
$1 or more per month
As a patron, you have my gratitude and thanks. Plus the pride of knowing you're supporting a female writer in hacking, sex, and security who maintains an independent voice, is a fierce ally of LGBT people and target populations who face discrimination, as well as someone who fights censorship at every turn.
COFFEE
$3 or more per month
You're buying me a cup of coffee at a non-snooty cafe, the kind we'd actually hang out in. Your pledge will add up to a very meaningful amount over the course of a year.
INFORMATION WANTS TO BE FREE
$5 or more per month
My website is well-established, linked to from everywhere, 15 years old, gets an average of 350K visitors a month, and as you'd imagine, it gets attacked all the time. My server costs are real, and yet the information, news, entertainment, and education on the site has always been, and will always be, free. Same goes for my writing on security. This level of monthly pledge helps a lot.
HERO
$10 or more per month
Your support of $10 or more a month definitely gets you hero status. I have a number of $10 costs each month, and I deeply appreciate you carving out one of yours.
SUPERHERO
$25 or more per month
You were born a hero, and then you were either spanked by a god/goddess, or you had some rad accident in a lab that gave you powers beyond those of mortals. This kind of support heads into sustainability territory. If anyone ever steals your magical cape, call me -- I'll get it back.

You get access to my private posts.
SUPERVILLAIN
$100 or more per month
How is this even a sponsorship level?!? Maybe because while some believe villains may never win, you know for sure that they have more fun... By helping people like me hatch master plans for upending censorship, calling out infosec hypocrites, skewering goody-goody PR flacks, exposing evil "real names" enforcers, and my general plan for world domination. It's unbelievable that anyone would contribute this generously, and yet, if you do, my gratitude will actually have me speechless.

You get access to my private posts.