Earth is the Hackerspaces Planet

January 23, 2017

CrashSpace

Engineering as Artistry: The Intersection of Art, Tech, and Music

WHEN: Wed 25th, 8P-10P
WHO: Open to the public!
WHERE: CRASH Space
RSVP: Here!

About this Event

Join visiting international artists Adam John Williams, Rania Kim Birch and Burle Avant for a discussion on the intersection of art, tech, and music! The discussion will cover a variety of Adam’s digital & audiovisual artworks, and will show off some Max MSP live coding, generating live electronic music while the process of its creation is shown in real time on a projector. For some examples of Adam’s work, check out Portrait of an Inventor.

About this Artist

Adam John Williams is:

An award-winning multi-disciplinary digital artist working primarily with music, visuals & electronics.

A hardware hacker, Max MSP patcher, creative technologist and director of the Music Tech Fest Hack Camp.

A musician, DJ & VJ also known as Artemis Beats.

Creator of the maxome audiovisual performance controller.

by at0mbxmb at January 23, 2017 04:34 AM

January 22, 2017

CrashSpace

One Thing To Do Today: Find new heroes.

TL;DR: When the sun goes out, you can see the stars.

I developed an allergy to demagogues and popularity contests early on, so I was never the type of kid who put posters of people on her wall. Yet I’m not immune to wanting, needing, to have people whose work I admire succeed.  While researching these articles I’ve been happy to find a TON of people who know way more than me who have been putting out high quality work for years if not decades.  These folks have been working in a field that hasn’t really been getting its due. The American public revels in exhibitionism. CEOs don’t understand the hit on the bottom line for features that can’t be marketed. Privacy and security have been kind of a thankless field in many ways, only noticed when things go wrong.  I’m going to say some thank-yous today, focusing away from those who’ve disappointed me onto those who will keep me inspired and informed.

Michelle Leonhart, our VP, herself inspires me. And she’s brought in via the Civic Engagement Survival Guide a full cast of people to admire. In fact CRASH Space members themselves never stop being a source of inspiration. Thank You.

We aren’t the only LA hackerspace by far. Where CRASH Space was, does, and will continue to focus on STEAM more than on security issues as a whole, Null Space Labs has been committed to security-based content from its inception.  My ass hasn’t shown up at one of their events in YEARS. It’s overdue.  Thank you. A little further afield, 23b also carries the torch. Thank you.

Yesterday I went to a book talk at UCLA by Jennifer Granick, lecturer-in-law and director of civil liberties at the Stanford Center for Internet and Society. The book, American Spies, intends to “educate readers about how the reality of modern surveillance differs from popular understanding.” She wrote the book for general audiences, but the talk was geared to the law students in the room. I’m doubly impressed by her for coming at this all from the legal angle. We’re about to understand viscerally how fragile the rule of law really is, and how much we need them on that wall. And what’s beautiful about Prof. Granick is that she is just one example. Think of all the lawyers at EFF, ACLU, SPLC, Sierra Club, NRDC, NAACP, Lambda Legal, MALDEF, NLG, Beakman Center, Center for Internet and Society working hard for little to no celebrity. Thank you.

This will have unequal weights for folks reading this, but I also want to thank all the Ladies in the House. I withdraw too far back sometimes because I get tired of my presence in a room becoming “a teachable moment.”  I was thrilled to find this Top 50 Women in Internet Security as a reminder to not let the bad apples get me down.  Following some of them on Twitter has led me to other women, and ultimately to Prof. Granick’s great talk yesterday. Thank you!

I have a growing Tuesday Website List (link not comprehensive) and Twitter Feed of folks who generously put themselves and what they know out there. A large handful of accounts that will lead to the discovery of other accounts: @SarahJamieLewis, @hacks4pancakes, @snipeyhead (comes with warning), @pwnallthethings, @swiftonsecurity, @pinboard, @thegrugq, @zeynep. Thank you.

Another way to find people: go to the trouble of watching conference proceedings when going can’t happen. The Chaos Computer Club’s Chaos Communication Congress, DEF CON and HOPE are the obvious ones for this field. But I’d like to shout out to the Hackaday Superconference, SCALE and LayerOne. Thank you to the organizers and speakers all.

Real change happens from groups working together. The lone hero, “Great Man” approach to history has been severely debunked. That’s good news because it means there are countless folks around us to take inspiration from. When the sun goes out, you can see the stars.

by carlyn at January 22, 2017 06:55 PM

January 19, 2017

CrashSpace

One Thing To Do Today: Schedule requesting copies of your credit report

Plane tickets to DC to march cost money. Donations to the EFF cost money. Hard drives to back up your system cost money. Paying for VPNs and private email costs money.  Dinner in the evening so you can get up raring to go in the morning costs money.  Baddies will aim for financial resources because of the double payoff: they undercut the opposition and they have more for themselves!

We’ll be adding checking your bank and credit card balances to the Tuesday Sweep, because false charges are typically the number one sign that either you or a vendor you’ve shopped with has been compromised.  Take action and report them quickly, no matter how small.  False charges are just one of many red flags for identity theft.

What else needs to go on the schedule? Requesting credit report copies from the big three on a staggered rotation.  January, after taxes in May, and back-to-school time in September will spread it out nicely.  According to the FTC –

You’re entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. Order online from annualcreditreport.com, the only authorized website for free credit reports, or call 1-877-322-8228. You will need to provide your name, address, social security number, and date of birth to verify your identity.

Other conditions to get a free copy:

  • If you have been denied credit (you must request a copy within 60 days)
  • If you are unemployed and intend to apply for employment in the next 60 days
  • If you are on public welfare assistance
  • If you have reason to believe your file contains inaccurate information due to fraud or identity theft
  • If an adverse decision related to your employment has been made based in whole or in part on information contained in the report
  • If your report has been revised based upon an investigation you request

For more information on credit report basics, how to understand your credit score, or how otherwise to respond to identity theft, the folks at the Privacy Rights Clearinghouse have created several guides worth reading.

by carlyn at January 19, 2017 06:15 PM

One Thing To Do Today: Learn about Distributed Autonomous Organizations

I’m still hung up on the truth and trust portion of the program this week.  Our minds can only hold about 150 people with any quality. There are billions of people on the internet already, and billions more waiting to come online. That’s an overwhelming discrepancy. How can we build systems to help our finite minds engage with these masses of other people without retreating to bubbles? Apparently there’s a word that economists use to describe the paralyzing fear that leads to doing nothing over something productive: Uncertainty. That one word has its very own course.

A lot of people super excited about Bitcoin aren’t super excited about Bitcoin, per se. They’re creating research labs and developing courses around the “blockchain” technology that underpins it. Blockchains reduce uncertainty, in the economists’ sense of the word, by making it possible to create distributed autonomous organizations.  These self-enforcing trust networks could have tremendous implications for day-to-day life.

Institutions exist to address the uncertainty problems once a society grows beyond that 150 people. My driver’s license tells the bartender I’m old enough to drink because the state of California says so. The money for a complicated transaction can be held at an escrow account at a bank.  People trust the information from newspapers partially because they have a whole infrastructure around them.  Blockchains can form institutions that don’t need forgeable plastic cards, big buildings or a board of directors at the top to be real.

The Bettina Warburg (Blockchain Futures Lab) TED talk covers this material well and clearly for nontechnical folks without going all grandiose like the Tapscotts’ TED and Google panegyrics.

If 20 minutes will take too much out of your day, here’s the 2 minute summary.

Beyond generalities, Scott Driscoll (CuriousInventor) has packaged up some of his videos and added more material in a 3.5-hour Pluralsight course for developers. Watch the video below to see if his teaching style matches how you learn.  He also wrote up the entire video.

I kept running into folks citing this guy and his channel everywhere. For example, this 35-page paper out of a Berkeley class lists many other entities using blockchains. To pull out just one, Namecoin demonstrates a model for redesigning DNS (website name records), a system that can be censored or hacked.   Also citing Driscoll, this write-up on blockchains for web developers.

A long read article that doesn’t swipe Driscoll’s graphics, A gentle introduction to blockchain technology on Bits on Blocks does an excellent job of teasing apart the difference between blockchain in theory and how bitcoin works specifically.

Blockchain seems a little like other crypto: fairly challenging to roll your own, although there are articles directed at CIOs on how to get your company rolling in that direction.
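To make the “self-enforcing” part concrete, here is a toy hash chain with proof-of-work, written for this page as an added example. It is not Bitcoin’s code, Driscoll’s code, or anything from the linked courses; the ledger entries, the difficulty setting and the function names are all made up for illustration. It shows the two properties the talks above describe: anyone can verify the chain without asking an institution, and changing one old entry breaks every block after it unless the forger redoes the work for all of them.

```python
"""Toy hash chain with proof-of-work. Added illustration, not a real blockchain."""
import hashlib
import json

DIFFICULTY = 3          # hex zeros a block hash must start with (toy value; real networks use far more)
GENESIS_PREV = "0" * 64  # the first block has no predecessor to point at


def block_hash(index: int, prev_hash: str, data: str, nonce: int) -> str:
    """Hash of everything in the block, including the link to the previous block."""
    payload = json.dumps([index, prev_hash, data, nonce], separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(index: int, prev_hash: str, data: str) -> dict:
    """Search for a nonce whose hash meets DIFFICULTY. This is the 'work':
    it is what makes rewriting history cost more than writing it honestly."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash, "data": data, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(entries: list) -> list:
    """Mine a genesis block, then one block per ledger entry, each pointing at the last."""
    chain = [mine(0, GENESIS_PREV, "genesis")]
    for i, data in enumerate(entries, start=1):
        chain.append(mine(i, chain[-1]["hash"], data))
    return chain


def first_invalid_block(chain: list):
    """Index of the first block that fails verification, or None if the chain holds.
    Anyone can run this; no bank, plastic card or board has to vouch for the ledger."""
    for i, b in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if b["prev_hash"] != expected_prev:
            return i
        if b["hash"] != block_hash(b["index"], b["prev_hash"], b["data"], b["nonce"]):
            return i
        if not b["hash"].startswith("0" * DIFFICULTY):
            return i
    return None


def forge(chain: list, index: int, new_data: str, remine: bool) -> list:
    """Alter one old entry. Without re-mining, the altered block's stored hash no
    longer matches its contents. With re-mining, that block looks fine on its own,
    but the next block's prev_hash no longer points at it, so the forger would
    have to redo every later block as well."""
    copy = [dict(b) for b in chain]
    if remine:
        copy[index] = mine(index, copy[index]["prev_hash"], new_data)
    else:
        copy[index]["data"] = new_data
    return copy


if __name__ == "__main__":
    # Constructed ledger entries.
    chain = build_chain(["alice -> bob 5", "bob -> carol 2", "carol -> dave 1"])
    print("honest chain, first invalid block:", first_invalid_block(chain))
    print("entry 1 edited:", first_invalid_block(forge(chain, 1, "alice -> bob 500", False)))
    print("entry 1 edited and re-mined:", first_invalid_block(forge(chain, 1, "alice -> bob 500", True)))
```

What this toy leaves out is the part that takes Bitcoin thousands of machines: deciding which of two competing valid chains wins. The verification rule is the easy half; the consensus rule is where the real engineering lives.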

Societies have developed all sorts of arcane manners and protocols to enforce trust and create repercussions for those who break it.  Whether the change will prove to be revolutionary or evolutionary, blockchains provide a new tool to solve an old problem.

by carlyn at January 19, 2017 07:23 AM

Build your own Voice-Crusher with Moldover Sunday January 22nd at 4 PM

Moldover came by CRASH Space last January with his Light Theremin kit and did a great soldering workshop. He has a new kit, the Voice Crusher, and we have another workshop scheduled!

It’s this Sunday, January 22nd, from 4-7 PM. Cost is $55, which includes the kit, instruction, and a copy of Moldover’s latest album, Four Track. No soldering experience necessary – we’ll teach you, and we will supply the tools!

GET YOUR TICKET HERE

Here’s a video about the album and Voice Crusher

After everyone finishes their kits, Moldover will give a short presentation on the design of The Voice Crusher and his other circuit board projects.

GET YOUR TICKET HERE

by theron at January 19, 2017 03:52 AM

January 18, 2017

Pumping Station: One

Celebrations in Pictures – PS:One March Potluck 5th Tuesday

More pictures……

5th Tues. on March

by lyn at January 18, 2017 07:29 PM

Celebrations in pictures 2016 – Pi Day

Pi Day 2016

by lyn at January 18, 2017 07:25 PM

Celebrations in Pictures – PS:One’s 7th Birthday

Another picture….

PS:One 7th Birthday Party
Cake decorated by Shelly Loke

by lyn at January 18, 2017 07:20 PM

Celebrations in pictures from 2016 501c3 Party!!!

501c3 status party

501c3 status party
cake decorated by Shelly Loke

PS:One had some wild events, here are some of the pictures…..

501c3 status party
The aftermath

501c3 status party
Our song!!!

by lyn at January 18, 2017 07:18 PM

NYC Resistor

Feminist Pocket Party on February 5th

Our first Feminist Pocket Party is happening on Feb 5. People who wear women’s clothing are plagued with an unjust lack of pockets! Time for us all to learn to level the playing field. Come learn how to make in-seam pockets in a low-key, class + hangout environment.

pockets

by Bonnie Eisenman at January 18, 2017 05:11 PM

CrashSpace

Tuesday Sweep: Jan 17 2017

Reflect

What are the frictions keeping you from doing “what’s right”? Regret is only useful if it leads to a plan on how to improve.

Confessional:  This is a reverse confession. I did some things “right” by security standards that I’m not happy about.  Emblematically, looking at an exuberant thread of people posting images of their pets with their pets’ names, all my panic bells went off. “That’s the stupidest thing I’ve ever seen. Why would they give up potentially sensitive information like that?”  What. A. Terrible. Reaction.  It’s not totally wrong, though. Starting with security questions, I came up with a list of at least a dozen ways I could use that data in under 15 minutes. I hope @evacide writes her harm reduction approach essay soon. And yet, even with the OneThing series, in my ideal world the average folks not thinking about security wouldn’t have to start.  I want developers to take responsibility for making it safe to play.  That inconsequential thread about puppies represented people trying to create connections during a fractious time. It was beautiful. We need more of that, not less.

In the mean time…

Continuing Set Up

We’ve covered so much so fast. You’re not behind, you’re just where you are. Pick something to do.

  • If you’re having trouble with all the set up, the coach tool at the Crash Override Network has a great step by step break down for many of the same introductory steps we did here.
  • Review the list of OneThing articles so far and pick one to catch up on.

Sweep

This list will be getting longer, but let’s keep it simple while folks are still setting up.

Learn

Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.

Engage

We are a community. You are a welcome part of it.

by carlyn at January 18, 2017 04:12 PM

January 16, 2017

NYC Resistor

Next Laser-Cutting Class on Jan 22

Want to learn to use our laser cutter to cut and etch your own designs? Take our three-hour class to get laser-certified, then come back and laser to your heart’s content. The next laser class will be on January 22.

Our laser-cutting classes fill up fast! Tickets are available on Eventbrite.

Random boxes

by Bonnie Eisenman at January 16, 2017 05:18 PM

January 15, 2017

CrashSpace

Tuesday Sweep: Jan 10 2017

Another week, another sweep.  Even when other posts die down after the 20th, this post will still be here. Let me know what you’d like to see.

Reflect

What are the frictions keeping you from doing “what’s right”? Regret is only useful if it leads to a plan on how to improve.

My confessional: Sometimes if all the plugins I have enabled on my browser keep me from seeing a site I feel has information relevant to one of these pieces, I hop over to a second browser and load it there. That approach works partially because I have to choose actively to make that choice, reducing lazy loading. Yet, while incognito mode will generally zot most local files, it doesn’t really prevent tracking. By letting a webpage load all its javascript from the same computer, on the same network, as I do everything else, well, let’s just say that’s less than 1337 behavior.  Possible remediation:

  • Lock down that second browser even just a wee bit more.
  • I never really took to that tablet we have. Could I set it up as my sacrificial insecure browsing device?
  • I could also look into researching these posts at my local public library, which provides computers.  That would have the added advantage of encouraging me to engage with a local resource and perhaps help improve it for everyone.

Continuing Set Up

We’ve covered so much so fast. You’re not behind, you’re just where you are. Pick something to do.

  • If you’re having trouble with all the set up, the coach tool at the Crash Override Network has a great step by step break down for many of the same introductory steps we did here.
  • Review the list of OneThing articles so far and pick one to catch up on.

Sweep

This list will be getting longer, but let’s keep it simple while folks are still setting up.

Learn

Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.

Engage

We are a community. You are a welcome part of it.

by carlyn at January 15, 2017 03:51 PM

January 14, 2017

CrashSpace

One Thing To Do Today: Truth vs. Checksums

Reality is that which, when you stop believing in it, doesn’t go away.
― Philip K. Dick, I Hope I Shall Arrive Soon

So now we have all these records and backups made. What if we want to share them with someone else? We’re moving more into the Sanity section here, where we want there to be information that can be verified by more than keeping our fingers crossed. Perversely, I have trouble conveying how deeply sacred I think the transference of an idea from one person to another to be.  As a poor substitute let’s talk about the fragility of the process. Successful communication has so very many steps, each vulnerable to failure, shown to hilarious effect in the screwball comedies of the 1930s and to great tragedy by Shakespeare.

  • Is the requestor of information who they say they are?
  • How can they be sure I’m who I say I am?
  • Did I understand the nature of their request?
  • Do I have the relevant information?
  • Do I have permission to distribute the relevant information?
  • Can my response arrive in a timely manner?
  • (Will my message get there unread by 3rd parties?)
  • Will my response message get there unchanged?
  • Will my response be properly understood?
  • Is the person delivering the message actually sent by me?
  • Accept that the message is from me, and it’s what I sent. Can they verify that my message accurately portrays a situation? The receiver should wonder, could I be delivering information that is:
    • uncertified: I haven’t done sufficient work to check it
    • accurate but irrelevant
    • inaccurate because that’s how it was delivered to me by my own sensor network
    • inaccurate because that’s how it was delivered to me by a third party
    • inaccurate because I ran a faulty algorithm on good quality data
    • inaccurate because I ran a good algorithm on bad quality data
    • inaccurate because I mean it to be
  • How can I maintain a record which can prove the actual content of my sent messages?

Whether you call this Epistemology or Information Theory, whether mediated through computers or not, trust is hard.   From secret pass phrases, to sealing wax, to handwriting analysis, to… checksums? It’s all an arms race through time. The more sophisticated the tech, the more clever the attacks.

Companies with products designed to enhance the privacy or security of communications don’t litter their marketing materials with jargon only to dazzle the uninitiated. Specific technologies protect very specific elements of the communication process.  The jargon communicates what narrow slice of the puzzle the company will be attempting to certify. When companies won’t name the names of the techniques used, but instead float fluffy words like “safe,” “private,” “secure” heck even “encrypted”, start to worry.

So let’s make an example out of some words frequently used together that someone evaluating this type of software might mistake as absolute promises of truth and authenticity:  “hashed,” “checksum”  and “fingerprint.”

Let’s say my mom’s very reliable mail carrier delivers to her a wooden crate filled with tasty looking chocolate chip cookies with my return address on it. Inside the crate is an envelope with a message, “Hey Mom, I’ve sent you a brown cardboard box that is 8″x12″x4″, weighs 2lb 6oz, and sealed with purple packing tape. Inside is a dozen oatmeal raisin cookies.” This apparent conflict will hopefully make her suspicious enough to call me before she actually eats the snacks.  If my message had only said, “here are cookies I hope you’ll like,” she would have no clue that perhaps someone had intercepted my package and swapped it with their own.   However, if our cookie crook had been capable of either exactly duplicating the package or swapping in their own note, we’d have a problem again.

My decision to sum up my package as a description of its volume, weight, color of tape, and type and number of cookies was the hashing algorithm I used, and the included note was the checksum it produced. If I had sent my note separately from the package instead of inside it, that would have been more like a fingerprint: a digest published through a second channel, so that someone who swaps the package can’t also swap the note. A checksum that arrives in the same bundle as the data only catches accidental damage or a careless swap; the separate channel is what makes it worth something against a deliberate one.

There’s not really a shared secret that only she and I would know to really ensure that someone isn’t trying to impersonate me. Also, nothing about any of this means that I sent cookies that my mother would actually even like the taste of, or that I haven’t used an ingredient that she’s allergic to, etc. Heck, she could even be in the middle of a dream.  All she’s got is that, as far as the situation is actually happening, someone claiming to be me sent her cookies that match what they said they’d be sending. It’s not the Complete Truth about who sent the cookies, why and what’s in them, but it’s not nothing either.
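Here is the cookie scenario in code, as an added example written for this page (it is not from the Computerphile video or from any product): a plain SHA-256 checksum that travels with the data, beside a keyed fingerprint (HMAC-SHA256) that only a holder of a shared secret can produce. The package descriptions and the key are made up. It shows exactly the gap the paragraph above describes: a checksum the crook can rewrite catches only a lazy swap, the keyed version catches the impersonation, and neither says anything about whether the cookies are any good.

```python
"""Checksum vs. keyed fingerprint: what each one actually certifies. Added example."""
import hashlib
import hmac

# Constructed package descriptions standing in for the bytes being sent.
SENT = b"cardboard box 8x12x4 in, 2 lb 6 oz, purple tape, 12 oatmeal raisin cookies"
SWAPPED = b"wooden crate 10x14x6 in, 3 lb 1 oz, clear tape, 12 chocolate chip cookies"

# Hypothetical secret agreed with mom in person; it never travels with the package.
KEY = b"the-one-thing-the-crook-does-not-have"


def checksum(payload: bytes) -> str:
    """Plain hash. Anyone holding the payload, the crook included, can recompute it."""
    return hashlib.sha256(payload).hexdigest()


def keyed_tag(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256. Producing it requires the key, so it binds origin as well as content."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def mom_accepts_checksum(payload: bytes, note: str) -> bool:
    """Receiver recomputes the checksum and compares it with the note that arrived.
    compare_digest is constant-time, so a forger can't time their way to a match."""
    return hmac.compare_digest(note, checksum(payload))


def mom_accepts_tag(payload: bytes, note: str, key: bytes) -> bool:
    """Receiver recomputes the HMAC under the shared key and compares."""
    return hmac.compare_digest(note, keyed_tag(payload, key))


def run_scenarios() -> dict:
    """Four deliveries; True means mom accepts the package as genuine."""
    return {
        # Crook swaps the box but leaves my note inside: the mismatch gives it away.
        "checksum, note untouched": mom_accepts_checksum(SWAPPED, checksum(SENT)),
        # Crook swaps the box AND writes a fresh note for it: nothing to notice.
        "checksum, note rewritten": mom_accepts_checksum(SWAPPED, checksum(SWAPPED)),
        # Crook rewrites the note under a guessed key: fails against the real key.
        "keyed tag, crook's note": mom_accepts_tag(SWAPPED, keyed_tag(SWAPPED, b"guess"), KEY),
        # Genuine package with my tag: accepted.
        "keyed tag, my note": mom_accepts_tag(SENT, keyed_tag(SENT, KEY), KEY),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:26s} -> {'accepted' if accepted else 'REJECTED'}")
```

Note what the keyed tag still does not give her: since mom holds the same key, she could have written the note herself, so it proves nothing to a third party (that is what a digital signature adds), and it says nothing about whether the description is true, only that whoever wrote it had the key.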

This Computerphile video explains how computers implement these schemes in a way which is perhaps much more useful than my care package analogy.

If you want more on this topic, Computerphile also has a short playlist on some related Information Theory topics.  I also quite liked Eddie Woo’s Parity and Checksum videos that came at the end of his very accessible Communications & Network Systems playlist.

So how is it that we know what we know? What information can be trusted? These questions tangle up the best minds that have ever lived, so no, there is never going to be an App for that. We mere mortals have hope though. We can add thin layers with specific processes, building up confidence.  When trust has been devastatingly corroded, baby steps make the fastest progress.

by carlyn at January 14, 2017 12:15 AM

January 12, 2017

NYC Resistor

Nail Art Make-Along this Sunday

Last call for our Nail Art Make-Along this weekend! This unisex class is aimed at tricking our your manicure (or pedicure)… in simple but unique ways using templates & stamps. We’ll also be doing a nail polish swap, so bring your unwanted nail polish to trade.

Tickets are available on Eventbrite.

by Bonnie Eisenman at January 12, 2017 08:36 PM

CrashSpace

One Thing To Do Today: Keep a clean disk image on hand

TL;DR – Keep copies of your system image and vital files completely offline. 

So today I’m going to talk about something easy to do with computers and comic books, but not so easy to pull off in real life.

I’ve been using computers a fairly long while, and having to wipe the whole drive clean and reinstall the software was at one point almost a quarterly event. I got in the habit then, and admittedly have fallen out of the habit now, of having a hard drive that held a disk image of JUST the operating system and the crucial applications that could get me up and running fast, with all my current active work backed up nightly on a rotating set of Zip disks which served as both backup AND version control.

These days my computer doesn’t crash so much and I keep backups of lots of things in lots of places online, so that particular set of processes has fallen by the wayside. Maybe it should be resurrected. The joy of my current backup application? It’s always on, doing its thing. Apparently that means ransomware can find it. Keeping a pristine disk image with just the operating system and critical applications in a safe place with no contact with the internet would certainly come in handy again.  I might even go back to saving active files to rotating disks that get wiped down to the zeros regularly. I’ll have to come up with something to get over my USB drive phobia.  I miss floppies and CDs. At least they didn’t have firmware to worry about!

For making that disk image, macOS has Disk Utility, but I have to make a fond shout-out to Carbon Copy Cloner. Windows has the system image backup built into Backup and Restore. Linux has dd. None of these work great when you have a large number of computers that need to be wiped and pushed clean images regularly. The answer used to be Ghost; now there are decent open source tools like Clonezilla that are worth giving a try. Whichever tool you use, record a checksum of the image when you make it and test a restore once, so you find out the image is bad before the day you need it.

Museum exhibits, retail stores, academic computer centers… for all these places best practices call for having a clean disk image that gets pushed to terminals on a regular basis. I really wish I had a real-world image from 2015 squirreled away right now. Marvel, can you get on that?

by carlyn at January 12, 2017 06:02 PM

January 11, 2017

CrashSpace

One Thing To Do Today: Learn an anti-normalization design pattern

TL;DR Written records are your friend. 

Today, moving on to the moral compass attack vector. Once the fight starts, can we remember our values in the thick of it?  Humans can adapt to new set points very quickly. This makes it vital to take steps to prevent normalization of new horribles.

I advocate designing systems in your life that enable you to:

  • Document where you want to be (both what’s within tolerances, what’s optimal, what’s unacceptable)
  • Maintain a record where you’ve been
  • Analyze where you are

In non technical scenarios this might mean:

  • While not discounting media that serve as warnings to be vigilant, also have a shelf of books, documentaries, a YouTube channel, anything, that reminds you of what good really looks like and that it’s possible. Actually write down WHY these examples represent goodness to you. What behavior specifically would you like to model? What behaviors specifically were abhorrent? I suggest real world examples, but fiction can work too.
  • Start keeping a journal to document the actions of public figures.
  • How do the recorded, observed behaviors line up with the examples from step one? Compare those actions against other periods in history to make apt, accurate comparisons to the current situation, without sensationalizing. Where are we on the road either towards or away from our ideals?

To extrapolate the same design pattern to a technological system: detecting attacks means not just accepting that “my computer just runs slow sometimes” or “sometimes my network is flaky.” When technical systems start behaving strangely, it is possible to check what’s going on using system messages and log files.

  • Have a written model for what normal operations looks like. Provide it to others.
  • Configure logs to record information relevant to that model. (Write software that can log relevant information)
  • Actually monitor and analyze logs against that template, developing tools that automate the process.
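As an added example written for this page (not the author’s setup, and not any of the tools listed further down), here is the three-step pattern applied to SSH login records: a written model of normal, a parser for the log lines, and a check that reports only the deviations. The model values, the host name and the log lines are all constructed; swap in your own users, networks and hours.

```python
"""Baseline-versus-log check for sshd auth messages. Added example with constructed data."""
import ipaddress
import re
from collections import Counter

# Step 1: the written model of normal. Hypothetical values; keep the real one in a
# file next to your runbook so other people can read it and challenge it.
NORMAL = {
    "users": {"carlyn", "deploy"},
    "sources": [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")],
    "hours": range(7, 23),          # logins expected between 07:00 and 22:59 local time
    "max_failures_per_source": 3,   # more than this from one address is a guessing attack
}

# Step 2: constructed lines in OpenSSH's syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 17 09:12:01 laptop sshd[1201]: Accepted publickey for carlyn from 192.168.1.20 port 50122 ssh2
Jan 17 09:40:13 laptop sshd[1230]: Failed password for root from 203.0.113.9 port 41234 ssh2
Jan 17 09:40:15 laptop sshd[1230]: Failed password for root from 203.0.113.9 port 41234 ssh2
Jan 17 09:40:17 laptop sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 41236 ssh2
Jan 17 09:40:19 laptop sshd[1231]: Failed password for invalid user admin from 203.0.113.9 port 41236 ssh2
Jan 17 03:02:44 laptop sshd[1302]: Accepted password for carlyn from 198.51.100.77 port 5522 ssh2
Jan 17 18:30:00 laptop sshd[1400]: Accepted publickey for deploy from 10.1.2.3 port 40000 ssh2
"""

LINE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text: str):
    """Yield one dict per login attempt; lines that don't match the pattern are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["time"][:2])
            ev["ip"] = ipaddress.ip_address(ev["ip"])
            yield ev


def analyze(log_text: str, model: dict = NORMAL) -> list:
    """Step 3: compare what happened with what the model says should happen.
    Successful logins are judged against the model one by one; failures are
    counted per source address and judged at the end."""
    findings = []
    failures = Counter()
    for ev in parse(log_text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        reasons = []
        if ev["user"] not in model["users"]:
            reasons.append("unknown user")
        if not any(ev["ip"] in net for net in model["sources"]):
            reasons.append("source outside allowed networks")
        if ev["hour"] not in model["hours"]:
            reasons.append("outside normal hours")
        if reasons:
            findings.append({"kind": "odd_login", "user": ev["user"], "ip": str(ev["ip"]),
                             "time": ev["time"], "reasons": reasons})
    for ip, n in failures.items():
        if n > model["max_failures_per_source"]:
            findings.append({"kind": "brute_force", "ip": str(ip), "failures": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Two things bite in practice: syslog timestamps carry no year or time zone, so “normal hours” only mean something if you know which clock the log was written against, and a model that is never revisited turns into noise. When a finding turns out to be legitimate, update the written model, not just the script.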

Log Files

Many safety- and privacy-concerned services tout that they “don’t keep log files.” What is a log file? Well, computers watch what we do, and they take notes.  Lots of notes. On lots of different things. In the case of privacy-minded VPNs they are specifically talking about a server’s ability to jot down where you came from and where you’re going.

If you’ve never heard of log files before, overviews written for SEO folks try to break down what they’re for in relatively plain language. Finding out what a computer is up to can be as simple as taking a peek at the end of a log file and pasting the text into a search engine (scrub usernames, hostnames and IP addresses out first; the search engine is a third party too).

Top 3 Links For Jumping Right In

These links presume some command line knowledge. I apologize for that, but these articles jump straight to how to actually use them.

Guides from Operating Systems

When trying to learn about how your computer uses log files, try the search term “log file $YOUR_OPERATING_SYSTEM troubleshooting”

  • Ubuntu, overview of linux log files
  • Apache, introduction to debugging
  • Mac OS, the Console utility. Link within the article on using the console tool to debug.
  • Windows, I am too unfamiliar with Windows to evaluate the links, so this one is to the cleaning and optimization guide at Decent Security. (The built-in tool for reading Windows logs is Event Viewer.)
  • iOS, use iTunes system log files, or Xcode.

Guides from Hosting Companies

Hosting companies want you to be able to catch shenanigans happening on their hardware fast. Many of them have guides on using log files.

Generating Your Own

Tools for Handling Logs

How do I find tools for log analysis? A starting point would be a GitHub search sorted by stars. Many of these projects have done the work of figuring out what normal should look like, and come with documentation that provides guidance on how to set them up. Top projects tend to be maintained by professionals for professionals, to be used on a large scale. Even if they don’t fit your needs, skimming the documentation can be an education.  OSSEC HIDS and ModSecurity in particular have an eye towards log analysis for security purposes.

Some projects that might otherwise escape notice:

  • LNAV  “an advanced log file viewer for the small-scale”
  • Glogg a “A fast, advanced log explorer.”
  • AWStats “generates advanced web, streaming, ftp or mail server statistics, graphically.”
  • LogCluster for pattern recognition in log files a “simple logfile clustering tool”
  • Pimp My Log. No analysis, just web server log files meet Twitter Bootstrap. Included because some of the other tools have made my eyes bleed.

I have zero experience working with the big names in the not-open source log analysis category, but I feel like I should include them.  I’ve left out VirtualWisdom because it doesn’t actually appear to be that log-file centric?

Focus on the pattern, not the tools

While I just dumped a lot of information about logs on you, that’s not the important point. A pattern for building a system resistant to drifting off mission is the point.

  • Define your values
  • Know where you’ve been
  • Analyze where you are

These three steps not only keep our natural tendency to accommodate and make do from kicking in, they provide the information required to create a plan to GTFO the mess entirely.

by carlyn at January 11, 2017 11:17 PM

January 09, 2017

CrashSpace

One Thing To Do Today: Take steps to prevent doxing

TL;DR: Follow the advice at the Crash Override Network to prevent and prepare for possible doxing. 

It happens in so many movies and TV shows. Our fearless hero, tied to a chair, mid torture yells at the villain of the week, “Do whatever you want to me! I won’t help you!!”  To which our villain replies “Oh, I’m not going to hurt…. YOU!” and whips out whomever or whatever has been set up as the hero’s One-Big-Weakness.

Threatening to dox someone serves as the online equivalent of putting them in that chair.  A power move meant to gain submission or silence, it shows a willingness to take the fight into the “real world” by revealing information like home addresses and/or financial information about you and your loved ones. Whether it’s launching an activist Twitter account, pursuing investigative journalism or even running for office, please have conversations with the people you love about what kinds of behavior you will be engaging in and the possible consequences to your family unit. Then plan how to face them together.

The Crash Override Network has created a step by step coach to lock down information to make it harder for people to get at you.   If you’ve been able to follow along with these posts you will have already done things like changed privacy settings, so getting through the first steps will be a breeze. Skimming through the guides on preventing doxxing and what to do if you have been doxxed gives a nice overview of what to expect from the coach tool.  Examples include checking that domain registrations aren’t leaking your address and clearing personal information out of data broker sites to help keep where you live off the map. Ask the people you care about to go through the same steps.

Preventing certain activity from ever being linked back to you in the first place might help boost your courage. Pseudonymity remains vital to the internet.  Follow a guide or two or three on setting up an alter ego.  How far you’ll need to go will depend on how high up the food chain your big bad lives.

Contending with the baddies who treat others, at best, as Non Player Characters in their game of conquest requires special precautions. Making things just a little bit harder for them to trace me or my loved ones back home, or having a plan in case they do, makes standing up and standing out all that much easier to do.

by carlyn at January 09, 2017 07:18 PM

January 06, 2017

CrashSpace

One Thing To Do Today: Who decides what you know?

In 1913 Justice Brandeis wrote, “Sunlight is said to be the best of disinfectants,” in objection to bankers hiding money trails to commit crimes.  Any activist will tell you that “getting the word out” builds the scaffolding for all future calls to action. Our threat actor counts on none being the wiser to pull off their shenanigans. Chances are good they’ll move, or have already, to keep unflattering information out of our view.

Helping “the baddies” hide their behavior in shadow, the U.S. public gets news from a small number of sources with a limited amount of time to spend on them. By listening to only a handful of voices, we leave ourselves vulnerable to misinformation propagated by both carelessness and malice. The fewer perspectives heard, the more power each has to shape our world view.  The people invited to have that kind of power over your mind should be chosen with extreme care.

I am a huge fan of the new media distribution methods made possible by the internet. The tricky part of the low barrier to entry is that every day, all day, the internet splurts out a whirling, whiplashing firehose of data. This makes handing curation over to powerful algorithms naturally tempting. The damage Facebook algorithms do is well trod territory. When tracking down information I try to put my queries through at least two search engines, never forgetting that the results will reflect the biases dominant in society and in tech company hiring practices.

Being cautious of automated systems means learning how to manually vet your news sources. I am so deeply deeply grateful to my high school U.S. History teacher for hammering in how to work with primary sources. It’s the same skill set for identifying fake news and bad arguments.  It may be harder than you think.  Be scrupulous. Just because someone has won lionized hero status from all your friends doesn’t make them de facto credible.  It makes them dangerous. When you identify a crap news source, cut it out of your life.   I’m going to go against the pack here and take a stand against hate-reading poor quality news sources “just to know” if you aren’t a paid professional media watchdog. I am 100% opposed to letting nut jobs have regular access to your mind.  Eyeballs are revenue. Attention is currency.  Follows attach credibility. Let them wither and die.

Cutting a site out of your life should be based on its veracity and integrity, not code for “the author disagrees with me.”  Another important step when cultivating a regular list of news outlets is to go look for news sources that hire people who don’t look like you, love like you or live where you live.  I am very very comfortable making the diversity for diversity’s sake argument from a security mindset. More points of view, more ways to perceive attacks, richer pool of options generated. It’s math, people.  Authors from different walks of life may tweak some confirmation bias reflexes making their message uncomfortable or even appear unbelievable.  Don’t flinch. Listen.

Depending on your country of origin you may need to use a proxy, Tor and/or a VPN to even get access to certain news websites. More insidiously your geolocation, based on IP number, GPS, nearby WiFi networks or location information you’ve given with your account, might determine what information shows up on the page. The vanishing of content will be seamless and untraceable without an active effort to compare what’s loaded from a different “place.”

People are human. They perform to their incentives. Always always always always always always know who or what is paying for the lights to be on. Always. My suspicious, skeptical nature makes me a huge fan of public television and public radio stations, at least the ones registered as 501(c)3 organizations.  There are podcast umbrella organizations that serve the same purpose. Everyone putting out a story has motivations, at least with this specific class of nonprofits they have published mission statements and publicly available financial records.   Cordcutters can get the PBS Newshour via YouTube.

I’m going to be kind of radical here, but consider… print. (Ducks behind arms.) I find it much easier to stay with long form in depth articles when I don’t have the rest of the internet ready to whisk me away with a click or a tap. A compromise might be an app, but be careful with those.

This all harkens back to that early post on having a news rotation.  Some people use twitter lists or feed readers or email newsletters (shudder). I advocate:

  • bookmark folders in the browser bar organized by day
  • a time on the calendar that they get checked
  • an actual timer to make sure the whole day doesn’t get wasted

This browser folder setup allows for a diversity of link types, too. Podcasts, YouTube channels, Twitter accounts/lists and forums can all be popped in a folder with more traditional news sites.  I like the topic-a-day approach, but alternatively one site per topic per day could be another choice. Maybe there is a folder for the must-read-every-day crowd.  I look at sites in the tech and security fields, but also the arts, design, hard science, activism, teaching, the environment… people from different fields may be focusing on a different aspect of a problem or have a different perspective on the world.  Even in the middle of a crisis, one can have a cup of tea. It can be nice to remember that Pluto is just out there, doing its thing. Your priorities will be your own.

This setup gets more complicated for Tor users who need to disguise traffic for personal safety reasons rather than just a simple geofence hop.  Read all the links on Tor safety on the Tor post.  DO NOT use the same browser as your usual sites. Heck, use a whole different computer/boot drive, and never look at them from your home. If your life’s on the line, this guide will help but it’s not nearly enough. The EFF and the new Security without Borders seem like other good places to turn.

We are, at least in part, what we know. What we know determines what we think. What we think changes how we behave. Our behavior creates real impacts on the world. The people who control accepted givens, control everything.  Choose, diversify, curate, refine what gets into your head.  If you think you’re above that kind of influence, you’re the biggest fool of the bunch.

by carlyn at January 06, 2017 11:16 PM

One Thing To Do Today: Threat Actors, “Yes Nazis are Bad” edition.

When I was growing up AMC was actually the “American Movie Classics” channel. No ad men, no zombies. I watched black and white movies from the ’30s and ’40s all the time. Even though it was the ’80s and ’90s, I got indoctrinated into a certain set of core beliefs about American Values.  It is sort of amazing to me that people seem to need to be reminded about one of the ones that was at the top of that list. Nazis are Bad.

Let’s review:

  • Nazis think there is only a small subset of humanity deserving of dignity, and that somehow, magically, they just, oh gee, happen to be it.
  • Nazis steal shiny things that don’t belong to them and try to drape themselves in the glory because they can’t make anything of real substance on their own, because substance requires valuing empathy. Just look at the architecture. All muscle, no heart or head.
  • Nazis enjoy expressions of pain from the not-people who aren’t in their magical golden cohort. The sheeple are just toys or vermin after all.
  • Since a Nazi has no internalized model of you as a human being like them, there are no norms of behavior to limit what they’re capable of doing to you to “win.” Nazis will not only use violence and threats of violence to silence dissent, but degradation as well.
  • Winning to a Nazi is the utter destruction of anything that doesn’t reflect the glory of the cult of Nazi-dom and complete rigid control of anything that remains so that it appears that “all good” only comes from compliance with Nazis.
  • Nazis use fear and favors so effectively that eventually they don’t even need to say anything in order to get others to comply.

Lucky us. In 2017 we have to deal with both literal and figurative Nazis who’ve discovered the internet.  From the Nazi mindset we get trolling, doxxing, fake news, swatting and lots of the other usual suspects directed at those who would stand up against them.  Let’s create our threat actor persona.

Nazi Persona

  • Demographics: People you might never suspect. Everyone has a tribe.
  • Motivation: Your fear. Your silence. For you and your values to vanish from the face of this earth.
  • Willing to Do: Anything

Yeesh. That’s like comic book levels of evil. And that makes it hard to predict what they’ll be capable of. But you know the nice thing about having Nazis as an enemy? Nazis lose.

Attack Vectors

This proto-Nazi figure I’m talking about here wants nothing more than to get into your head. Humans have an operating system. The attention merchants of Madison Ave and Silicon Valley have been gaming it for years. What if instead of getting us to buy toothpaste or make in-app purchases, we’ve got some chucklehead trying to make us hate our neighbor?

Drawing a technical system map first would be a huge mistake. Also a mistake, I worry, is leading with the words “Hacking” and “Cyberwarfare” because they cause policy misdirection. The average person will start asking about computer logs instead of about Social Engineering and time-honored PsyOps techniques that just happen to be delivered with new technologies.  This flavor of threat actor doesn’t lead with the technological objectives. Why should we? Let’s think about the different layers a Nazi might try to attack.

  • Drive: Can I take away their reasons for fighting? Can I hide the problems? Can I minimize or dismiss the issues as unimportant or not relevant to most people? Can I make the fight seem futile or not worth the effort?  If a loved one is the reason for fighting can I get control of said loved one? If the majority are happy and well fed, no one will notice as we round up the neighbors.
  • Moral Compass: Can I normalize my values over theirs? Make it seem like this is now “just the way it is.” People hate change so once my way seems like the normal, they’ll even fight for me to preserve “tradition.”
  • Sanity: If I can’t change their values can I try to subvert the facts that their values are based on? Can I discredit people who have access to facts I don’t like? Can I create a scenario where facts aren’t facts anymore? Ideally, can I make my rules become the new “facts”?
  • Financials and Resources: Can I make it so they can’t fund their fight? Jeopardize their income? Assets? Home? Credit rating? Simply use up all their time?
  • Health/Stamina: Can I make them too weak to fight? Induce stress via breaking up supportive communities, removal of simple pleasures, removal of food, removal of healthcare?
  • Physical Safety: Can I end them? Get someone else to do it for me? Can it look like an accident? Even better, can I end them in a way that makes people think it’s a false flag? Boom.

Exploits and Mitigations

So at this point you might be thinking, “Seriously Carlyn, Nazi’s?? I’m calling Godwin’s Law on you.”  To which I’d reply with flippancy you’d deserve, “Oh you sweet summer child, you need me on this wall.” Even Godwin would back me up on this one.

I am not a conspiracy theorist. I don’t generally ascribe to malice or smoky rooms the patterns in society that easily emerge from human nature and math.  But that’s exactly my point.  We got this tribalism thing pretty deep in us and we’ve got this crazy new playing field called the internet that we do in fact have to share with actual people actually sieg-heiling the new president of the United States. This is not a drill.

So what are we going to do? Well we’ll look into each category of vector to understand our vulnerabilities and what we can do about them.  While my emphasis will still be on technology based exploits and their mitigations, not all of the recommendations will be downloads or gadgets.

I leave you with a homework assignment. How has technology been used, intentionally or not, to destabilize you or someone you know from each of these 6 directions? I’m going to give high profile examples.

ALL of these attacks have counter measures.  We’re going to deploy them all.

 

by carlyn at January 06, 2017 11:07 PM

One Thing To Do Today: Learn about The Onion Router, Tor

TL;DR: Educate yourself before using. If you’re in, download the software, set it up correctly, use it with care.  Next steps include donating to an exit node provider or setting up a relay yourself.

I’ve put off talking about Tor because, well, discussing Tor takes nuance.  Whether or not you decide to bring Tor into your life on the regular, learning about how it works and how clever folks get around it will sharpen your security mindset. I think even if you think, “I don’t need Tor,” there are vulnerable people in the world who could use the cover of your banal data going over the same network. Using Tor doesn’t make you a criminal, and there are great reasons to do so. Since Tor constantly gets pummeled by folks looking for exploits and is therefore also constantly updated,  I thought it important to highlight the date of the information being provided. The links get more in depth down each list, so the top ones may be the only ones you need.

Proxies

FDA Worker uses a glove box to examine lettuce. via Wikimedia Commons

Getting your head around Tor starts with understanding Proxies.  When I think of proxies I think of those glove-box isolation chambers. A proxy lets you handle another website without getting your IP address dirty. That box can also sometimes hold a local copy of a website or file if the person running the proxy predicts a lot of people will want to handle it from one location.  While going through one or more proxies can slow web traffic down by adding hops, local caches speed things up. If you’re using StartPage as your search engine, next to each link is the option of going to the page via a “Proxy.”  Top Google search results tend to be served by proxy by default, so you may be being served from one now without even knowing it.  Proxies DO NOT provide encryption. They’re merely call forwarding.

Tor’s Special Sauce

Message moves through the Tor network. via Mashable

The Tor network bounces your requests through a series of proxies via a special protocol called Onion Routing. Each computer only knows about the one before and the one after. It only takes three hops for the originator to become obscured. Onion routing is not just sequential call forwarding. Each new node peels off a layer of encryption, only then discovering who it should send the message on to. Only the exit node will see the original data packet.
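As an added illustration that is not part of the original post, here is a small Python model of that three-hop onion: the client wraps the exit's layer first and the guard's last, and each relay strips only its own layer, so the guard learns the next hop but never sees the payload. The SHA-256/XOR cipher and the pre-shared per-hop keys are toy stand-ins (assumptions made here) for Tor's real cipher and circuit handshake.

```python
import hashlib
import os

HOP_FIELD = 8    # fixed-width next-hop label so a relay can parse its own layer
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. A stand-in for Tor's real
    cipher so the example runs offline; not a secure construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one onion layer: nonce || E_key(next_hop field || inner)."""
    label = next_hop.encode()
    assert len(label) <= HOP_FIELD, "hop label too long for the fixed field"
    nonce = os.urandom(NONCE_LEN)
    plain = label.ljust(HOP_FIELD) + inner
    return nonce + _xor(plain, _keystream(key, nonce, len(plain)))


def peel_layer(key: bytes, cell: bytes):
    """What one relay does: strip only its own layer. It learns the next hop
    and gets an opaque blob to forward; nothing inside is readable to it."""
    nonce, body = cell[:NONCE_LEN], cell[NONCE_LEN:]
    plain = _xor(body, _keystream(key, nonce, len(body)))
    return plain[:HOP_FIELD].rstrip().decode(), plain[HOP_FIELD:]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the exit's layer first, then work back to the guard,
    so the guard's layer is outermost and peels off first."""
    hops = [name for name, _ in circuit] + [destination]
    keys = dict(circuit)
    cell = payload
    for i in range(len(circuit) - 1, -1, -1):
        cell = wrap_layer(keys[hops[i]], hops[i + 1], cell)
    return cell


def route(circuit, onion: bytes):
    """Run the cell through each relay in order and record what it could see.
    Note the blob shrinks at each hop; real Tor pads to fixed-size cells so
    length does not reveal position in the circuit."""
    log = []
    cell = onion
    for name, key in circuit:
        next_hop, cell = peel_layer(key, cell)
        log.append({"relay": name, "next_hop": next_hop, "forwards": cell})
    return log


def demo():
    """Constructed three-hop circuit with pre-shared per-hop keys (standing in
    for the key agreement Tor performs when it builds a circuit)."""
    circuit = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    payload = b"GET /news HTTP/1.1"   # constructed request
    onion = build_onion(circuit, "website", payload)
    return route(circuit, onion)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['relay']:6} -> next hop {entry['next_hop']:8} "
              f"forwards {len(entry['forwards'])} bytes: {entry['forwards'][:20]!r}")
```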

Tor isn’t magic

All security products fail. Security is a process. Learning about the ways Tor can fail without writing the whole attempt off completely seems like the most grownup choice. It’s also kind of a fascinating lesson in secure system design.

Ways to Support Tor

The Tor project valiantly maintains one of the very best band-aids we’ve got for the fact that the internet was not designed to address privacy concerns at its core.  Like with VPNs, if one understands what the tool is for, it’s invaluable to have available. Help the Tor project by going ahead and sending your innocuous data traffic over it, and by setting up a relay node to mitigate that demand. Exit nodes require a deeper level of commitment, but you can donate to support one. If Tor traffic becomes popular and commonplace, more ISPs and server companies will get comfortable with it and the onion routing protocol in general.

Making Tor Obsolete

Folks involved in the Tor project work very hard to keep folks safe on the internet as it exists now. But what if the internet was designed completely differently? Although flawed, some of the nascent “Tor alternatives” explore P2P architectures. Look into conversations around the Future Internet. Tools like OpenFlow provide the ability to rapidly prototype network architecture.  Blockchains may not just be for Bitcoin anymore. Have a research group with its own ideas? Submit a proposal.  If this topic tickles your nose try checking out MIT OpenCourseWare 6.033 Computer System Engineering.

I hope this post pointed you in the direction of helpful resources to understand how Tor works, where it fits in the privacy tool box, and how to properly connect to the network.  Tor’s had some struggles, but it’s in good hands.

 

by carlyn at January 06, 2017 03:27 AM

January 04, 2017

Pumping Station: One

We wish you a Shiny New…Toaster Oven


The kitchen area has some new devices to ring in a proper feast for the New Year!

We now have an AirCrazy on Demand popcorn popper that does not smell like coffee!  It has a hopper for easy popcorn storage and proper serving size dispensing.


The Microwave has full functioning button panels!

I will show you how long your food has to cook, for now…

Behold, a toaster oven!

Go on, make some toast.  You know you want to. It can also bake small items quite efficiently.

be good to me.

Please enjoy, but keep in mind their proper food only use and area safety. Please maintain their cleanliness!

by flyingoctopus at January 04, 2017 01:15 AM

January 03, 2017

CrashSpace

Tuesday Sweep: Welcome Back!

Still angry? Me too! But now I’ve got some beautiful smoldering coals that can roast anything.  Let’s get back to work, returning to the sweep!

Tuesday List

Reflect

  • Self Audit:  Anything you’ve done nagging your conscience? Regret is only useful if it leads to a plan on how to improve.  Me, I reinstalled PokémonGo over the holidays so I could be the cool aunt. I have to spend time thinking about trade offs, examining location settings, and deciding what real coolness looks like.

Continuing Set Up:

Sweep

Learn

Where do you scan for news? I keep an eye out for recent exploits and breaches that have come to light, new tools, interesting ideas, etc.

Engage

We are a community. You are a welcome part of it.

by carlyn at January 03, 2017 09:01 PM

NYC Resistor

Nail Art Make-Along on Jan 15

Our ever-popular Nail Art make-along is back on January 15th. This unisex class is aimed at tricking out your manicure (or pedicure)… in simple but unique ways using templates & stamps. Plus, we’ll be doing a nail polish exchange – bring your unwanted nail polish to swap.

Tickets are on Eventbrite.

by Bonnie Eisenman at January 03, 2017 05:14 PM

December 31, 2016

NYC Resistor

New Years Eve Craft Night!

Resistor is open tonight for a special New Year’s craft night! We start at 8pm and go until next year. Come by to hack on projects and celebrate the end of 2016!

by zellio at December 31, 2016 08:22 PM

December 30, 2016

NYC Resistor

Jan 28th: First Resistor CryptoParty of 2017!

Photo courtesy of the Whitney Museum of American Art.

CryptoParty returns to NYC Resistor on January 28th, 2017 for a night of learning about your digital defense in the age of mass surveillance from Fort Meade and Madison Ave. Stop by anytime between 3PM and 9PM and enjoy snacks and skills from a variety of online security practitioners and researchers. We’re hosting a full-day mix of talks and hands-on help.

If you’ve never been to Resistor before, check our Participate page for more info, including the Code of Conduct. Hope to see you there! If you’ve never been to a CryptoParty before, please check out the CryptoParty Guiding Principles.

When:

Saturday, January 28th, 2017 3:00PM – 9:00PM.

Where:

NYC Resistor (between Bergen and Dean)
87 3rd Ave. Floor 4 (use this OSM link if you’re Richard Stallman)
Brooklyn, NY 11217

by David Huerta at December 30, 2016 02:00 PM

LVL1

January 2017 Classes: Raspberry Pi, Arduino, Hard Drive Installs & More

Woodworking Classes – A foundation Course in woodworking. (Cutting boards) Monday, January 2, 2017 6:30-9:30PM Cost: $40/person RSVP: https://www.eventbrite.com/e/woodworking-classes-a-foundation-course-in-woodworking-cutting-boards-tickets-30697000555 This class will take you through the process of straightening and squaring wood for jointing into a cutting board that you can take home! (Size limit 16”X10”). This is a perfect beginner level course for those […]

by Daniel Johnsen at December 30, 2016 02:06 AM

December 27, 2016

Pumping Station: One

Curse your sudden but inevitable Cookie Decorating

Natural Enemies

A gathering of PS:One members came out to try their hand at decorator frosting piping.

A magical reindeer guided the way.

Blood, sweat and tears were offered.

Grand amounts of fat and sugar were brought to one glorious offering.

this is how it is done

everything naughty

Behold, the rose! You can do it too!

And the results were amazing!

Fantastic Creations

Wee little houses

by flyingoctopus at December 27, 2016 06:55 AM

/tmp/lab

33C3 : Works for me

Each year with winter comes the Chaos Computer Congress in Hamburg.

2016 edition: 27-30 Dec. Survival guide for this 33rd edition:

Program

Streams and Recording

Wiki

“Works for me”

Like no other, the year 2016 pointed out how well “works for me” works for us.
It does not. Mutual hate, envy, insensibility and exclusion have driven us apart.

Feeling isolated and threatened, we turn further against each other, take less care of each other and worry even more about ourselves. And yet, we are never alone: Excessive surveillance is now politically normalized, if not for all then at least for those who are different, intractable, foreign.

Let’s break this vicious circle.
Let’s get together and live our utopia.
Let’s strive for something that works for all of us.

And let’s fight those, who will not let us!

Welcome to the party! :-)

 

With each winter comes the Chaos Computer Congress, this year from 27 to 30 December.

More than any other, the year 2016 showed how well “works for me” works for us.

It does not work: mutual hatred, envy, insensitivity and exclusion have torn us apart. Feelings of isolation and threat set us against each other, making us take less care of one another and worry more about ourselves.

And still we are not alone: the excessive surveillance of everyone is now politically normalized, or at least of those who are different, foreign or rebellious.

Let’s break this vicious circle.

Let’s get together and live our utopia.

Let’s fight for something that works for each of us.

And let’s fight whoever will not let us!

by sam at December 27, 2016 12:24 AM

December 26, 2016

Hive76

Testing credit card charges with Stripe in a simple Rails app

Following up on suggestions from the board meeting to look at Stripe for charging member dues, I found a couple Rails tutorials and deployed via Heroku… it works with a few lines of (rails) code! The reason to maybe not use “gravity forms + stripe” just yet is because I think it is $200/yr — you need a Gravity Forms Developer License according to:
http://www.gravityforms.com/add-ons/
Yikes. Is that right? Different sites report different $$ so until someone at Hive tries it we may never know!

Well, we can just make our own embedded form, and Stripe can also deal with subscriptions painlessly, apparently. Try it with the herokuapp link below:
*****WARNING: it will actually charge your CC $1. I promise to deposit it back to Hive*********
http://members-hive76.herokuapp.com/

Heroku is great, you deploy via github so we could also make the forms public (our private Stripe key is configured only in heroku and is NOT in the github repo). Here’s the rails app on github so we can collaborate; I put all the details for how I did this in the README.md:
https://github.com/jmil/member-dues

Thoughts?

Some more to think about:

1) Let’s make a member application fee of $1.00. This will ensure prospective members have Stripe setup BEFORE they become a member! Much better than if they are voted in but never actually pay…!

2) I think we should charge the Stripe fees *to the member*. This way we have dependable operational costs. You can see attached that a $5 charge results in only a $4.55 net gain because of the stripe fees, but this is still low cost and dependable for now (Stripe charges 2.9% + $0.30 per transaction). So we would need to charge users fee*1.029 + $0.30 (rounding up by cents; Stripe only charges whole cents) for each fee we designate. Then if Stripe changes fees in the future we just update this amount and Hive still has dependable operational costs.

3) Stripe is nice! Your CC will properly process whatever we write into stripe, here’s how it shows up on my card statement:


4) Right now funds get deposited into my personal checking account (!!) since I don’t have the Hive76 bank account number. Does someone want to give me that? Or I can coordinate this with the treasurer. Again, I promise to deposit your test charges back to Hive.

5) Obviously it needs beautification, choice between member rates, a way to subscribe, etc. But that’s all optimization for later, this rapid hack was about feasibility. It’s feasible to use stripe!

Here’s what you see in the Stripe Dashboard:

by jmil at December 26, 2016 06:40 PM

NYC Resistor

We’re open for Craft Night tonight

 

It’s Boxing Day, but that’s not stopping Craft Night. Monday Craft Night / Knit Knight are still happening – come by after 7pm-ish and join us.

And here are some goats in sweaters, just because.

by Bonnie Eisenman at December 26, 2016 01:30 PM

December 23, 2016

CrashSpace

Thank You Shuttleworth Foundation

I’m very honored to announce having been the recipient of a Shuttleworth Foundation “Flash Grant” to continue working on the “One Thing” privacy and security series!

The money will allow me to keep going with better, more in depth articles… Hopefully with projects, and maybe the ability to turn them into a class or a more organized online resource.  Thinking about the possibilities has certainly brightened my December. The series will be back Tuesday Jan 3, refreshed and organized!

The ideals of the Shuttleworth Foundation, “openness, integrity, commitment, accountability, and respect for others,” line up so well with the founding principles of CRASH Space and what I’ve been trying to do with this series. I am deeply grateful for the encouragement. It has made a world of difference.

 

Shuttleworth Foundation from Blink Tower on Vimeo.

by carlyn at December 23, 2016 06:24 PM

December 22, 2016

NYC Resistor

NYE Craft Night Special!!

Last year, we had a craft night on New Year’s Eve and it went swimmingly so listen up:

Craft Night happens almost every Thursday but this time it’s on a Saturday, because it’s NYE and this is a special public night.

This time there will be dancing:

And there will be science:

So stop by and meet people, share knowledge, and work on your projects. Don’t forget to bring a project to work on!

Feel free to bring snacks or drinks!

This event, like all NYC Resistor events, is 18 and over and governed by our code of conduct.

More information: http://www.nycresistor.com/participate/
NYC Resistor Code of Conduct: http://www.nycresistor.com/2015/08/04/nyc-resistor-code-of-conduct/

by zellio at December 22, 2016 03:28 PM

December 21, 2016

CrashSpace

One Thing To Do Today: On dark days, be the light.

On this darkest day of the year, let’s talk about the chilling effect poor privacy and security policies can have on civil discourse. While the idea has a longer history, the phrase “chilling effect” was brought into modern legal vernacular in the 1950’s via Lamont v. Postmaster General. The US Congress had actually passed a law where a person expecting to receive information about communism in the mail had to notify the post office of their intent to do so in order to have the package delivered.  The law was struck down by the Supreme Court (8-0, one abstention), citing the notification requirement’s ability to inhibit behavior legal under the first amendment, even if it didn’t directly prohibit it.  More recently, champions of the free exchange of ideas on the internet use the phrase to describe the consequences of our malformed copyright laws.

How does this apply to security and privacy? The overwhelming majority of technology companies still fail to include security concerns during requirements or design phases. Valuing customer privacy comes dead last on priority lists. Protection from harassment arrives in half-hearted fits and starts. Folks worry that making an effort to even learn about security tools will make them look suspicious. So we shrink.  We don’t need that hassle. Sharing a link on twitter to support my candidate, oh, I don’t want to piss people off. Hmmm, maybe I shouldn’t be wearing that ACLU t-shirt in my selfie? Maybe I shouldn’t buy that hacking book with a credit card, much less on Amazon?  Maybe the world doesn’t need to know about this great restaurant, since it’s so near my home… In fact, maybe I’ll just stay home. Be a good girl. Bake cookies.

That’s the Chilling Effect. Feeling like there are no good choices but conforming choices. Humans are great at picking up norms. We don’t even need to be told what not to do.  We can end up going full out the other side, manipulated into becoming the horror ourselves as we seek to please.

We have an equal weapon.  Positive peer pressure works, too. Professors took over YikYak with affirming messages. Campaigns like the twitter hashtag #EFFintheWild help normalize support for digital rights. Being in proximity to lots of small protests can change more minds than big ones. It only took one person breaking the record to make running the 4 minute mile a thinkable thought for so many others.  Stand up on the desk first, others are waiting.

Maybe you don’t feel that revolutionary. Great. You’re needed even more to move society closer to the tipping point for prioritizing security and privacy for average people. People tend to do the default.  So help change what society and tech companies consider the default. Need to send a recipe or cat picture? Use ProtonMail through a VPN to a Tor node from your encrypted phone.  Use Signal to plan for New Year’s celebrations.  Moving to “fringe” products for mundane communications helps create a Me-Too effect, companies racing to compete. Non-activist, non-lawyer, non-politician, non-journalist consumers need to be in the game. Use how “normal” you are to send a message.

So while it feels cold and dark right now, simple actions can make a difference. To yourself, to the community. It all adds up. Burn bright. The path you light isn’t only your own.

by carlyn at December 21, 2016 09:47 PM

December 20, 2016

CrashSpace

One Thing To Do Today: Phones get lost and stolen. Encrypt them.

TL;DR: After doing the Tuesday Sweep, read ArsTechnica’s guide on disk encryption. Add making sure devices have encryption turned on as part of the sweep.

Too few smartphone users have their phones both up to date and encrypted. Thankfully ArsTechnica has written today’s post for me with its excellent guide on disk encryption, which covers not only phones but computer disks, too. Among other things, it feels easier to sell or recycle a phone when the last information you had on it before the factory reset was encrypted anyway.

Collections of files can be quickly encrypted using Disk Utility on a Mac or VeraCrypt on Linux and Windows machines. For Linux users, tomb looks like an interesting contender. Tomb has chosen simplicity and openness to mollify justified fears about backdoors. While these tools cannot replace a full secure workflow, their use is a step in the right direction.

Devices go AWOL. With backups and encryption, all that’s gone is an easily replaced widget.
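The suggestion to fold an encryption check into the Tuesday Sweep can be scripted. The following is an added example, not code from the post or from ArsTechnica’s guide: it parses `lsblk -P` output (two constructed samples are embedded) and walks the device stack by parent name, so that a filesystem on LVM on top of LUKS still counts as encrypted; `live_check` runs the real lsblk on a Linux machine.

```python
import re
import subprocess

# Constructed `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output for a laptop with
# LVM on top of LUKS: the root filesystem sits two layers above the crypt device.
# Not captured from a real machine.
SAMPLE_LUKS_LVM = '''\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
'''

# Constructed output for an unencrypted install.
SAMPLE_PLAIN = '''\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="/" PKNAME="nvme0n1"
'''

# lsblk -P hex-escapes any quote inside a value, so values never contain a raw '"'.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text):
    """Map device name -> {column: value} from `lsblk -P` KEY="value" lines."""
    devices = {}
    for line in text.splitlines():
        fields = dict(PAIR_RE.findall(line))
        if fields.get("NAME"):
            devices[fields["NAME"]] = fields
    return devices


def mount_encryption(lsblk_text, mountpoint="/"):
    """Classify the device backing `mountpoint` as 'encrypted', 'plain' or 'unknown'.

    Follows the PKNAME (parent kernel name) chain upward, so a dm-crypt layer
    anywhere below the filesystem is found, not only one directly beneath it.
    """
    devices = parse_lsblk_pairs(lsblk_text)
    name = next((n for n, f in devices.items() if f.get("MOUNTPOINT") == mountpoint), None)
    if name is None:
        return "unknown"
    seen = set()
    while name and name not in seen:      # guard against a malformed parent loop
        seen.add(name)
        fields = devices.get(name, {})
        if fields.get("TYPE") == "crypt":
            return "encrypted"
        name = fields.get("PKNAME", "")
    return "plain"


def live_check(mountpoint="/"):
    """Run lsblk on this machine (Linux only) and classify the given mountpoint."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
        capture_output=True, text=True, check=True,
    ).stdout
    return mount_encryption(out, mountpoint)


if __name__ == "__main__":
    for label, sample in (("LUKS+LVM sample", SAMPLE_LUKS_LVM), ("plain sample", SAMPLE_PLAIN)):
        print(f"{label}: / is {mount_encryption(sample)}")
    try:
        print(f"this machine: / is {live_check()}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("this machine: lsblk unavailable (on a Mac, `fdesetup status` reports FileVault)")
```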

by carlyn at December 20, 2016 07:41 PM

December 17, 2016

CrashSpace

One Thing To Do Today: Time for some tinfoil

In action movies the experienced guide grabs the befuddled hero’s mobile phone and rips out the battery. Fiddling with location settings helps, but that can’t prevent everything, as this documentary about a guy tracking his cell phone thief shows. Even having the phone off, with the main battery out, may not be enough.

Since my phone requires special tools to open, I’m sure my world-weary sensei would shake her head and simply chuck it out the window. But I like my phone, and apparently other people like theirs enough to have spawned a signal dead-zone industry. Commercial products abound, although my favorites have gone out of business. It’s also fairly easy to hand-make one’s own “faraday cage” bags. I’m hoping that member Barb Noren, of Barb Makes Things fame, will give me a sewing machine lesson sometime soon. I purchased two kinds of fabric on Amazon, but LessEMF.com provides even more options.

Make sure to test your bag or case before relying on it. At Purdue a student did a master’s thesis on just that. Some bag making and usage advice… NO GAPS, make sure to close that flap.

Can’t wait for shipping? Stuff a phone into a fridge or microwave, but those aren’t particularly portable. A cocktail shaker should work as well. For super old school, but still effective, go tinfoil. No calls will get through with it all wrapped up like a burrito, but that’s the point after all.

by carlyn at December 17, 2016 11:31 PM

December 16, 2016

CrashSpace

One Thing To Do Today: Threat Model 5, How to look for mitigations

We had a great conversation with Santa, but it won’t help us at all if we don’t look for ways to thwart him. Real mitigation plans (PDF) by real experts take quite some time. I’m going to sum up the process, starting by recapping the vulnerabilities and attack vectors he mentioned specifically, to make sure our brainstormed solutions actually address them. Next I’ll make a table to help prompt ideas for possible solutions. That will be enough for today, but future posts will fill out the tables for the different vulnerabilities. After that still comes ranking the choices into an action plan. Whew.

What vulnerabilities did Santa find?

What vectors did Santa discuss?

Santa has a lot of confidence in his social engineering skills. Most of his exploits involve getting someone to willingly help rather than cracking a password or attempting a man-in-the-middle attack. Santa specifically mentioned that he likes to call, and examples of such calls are available on YouTube. Companies need to have well-designed permission structures and data access procedures in place, since humans have their “only human” thing going on. This is incredibly hard to verify as a consumer.

Santa also mentioned that he could go direct to consumer with his own game app designed to seduce. If it actually was fun, it wouldn’t be quite the same as a counterfeit app. I’m pretty sure I’d be helpless against it.

One rather suspicious omission: Santa, despite his B&E skills, didn’t mention his ability to just walk into houses while people are sleeping and suck down data from the devices themselves. Given his ability to hit millions if not billions of houses in one night, that’s kind of a weird vector not to try. My alarm bells have gone off.

Also not raised by Santa: facial recognition by surveillance cameras. I’m not sure how else he’s pulling off the “He sees you when you’re sleeping” bit. I might troll him a bit by adding some Nasim Sehat eyewear to my wishlist.

  • Upstream Social Engineering, specifically “vishing”
  • Mobile app with deceptive practices
  • (Accessing devices)
  • (Visual surveillance data)

Ways to mitigate

So the great chasm of vulnerabilities has opened. Everyone has their own way to handle staring chaos in the eyes. Mine is to make tables.

Across the top of the table I’ve put the layers of technology the average consumer deals with, from easiest to control to the least. Sort of. Putting people first might be a mistake. Bad habits get forged from adamantium, I know.

Down the left are the classes of mitigations, as I understand them.

                                     | People | Installed software | OS, Firmware, Utilities | Hardware | Networks | External Accounts
Reduce attack surface                |        |                    |                         |          |          |
Reduce procedural vulnerabilities    |        |                    |                         |          |          |
Reduce technological vulnerabilities |        |                    |                         |          |          |
Block specific exploits              |        |                    |                         |          |          |
Lobby/Sue/Report                     |        |                    |                         |          |          |

Reduce attack surface: People build forts on cliffs, on peninsulas, inside moats to reduce the number of approaches enemies have to get to them. They’ve reduced their attack surface. Solutions that reduce the number of accounts, apps, devices, open ports shrink the attack surface that threat actors can exploit.

Reduce procedural vulnerabilities: The things that people do that make the system unsafe. An example of a procedural improvement? Let’s say someone claiming to be from your bank leaves you a message saying it’s urgent, with a number to call back. Right now your procedure might be to simply call that number back. Fixing that procedural vulnerability might mean replacing that one-step process with a list of actions:

  • search for the original number online
  • look up their main customer service number
  • call the main customer service number instead no matter what
  • report the initial call to the FTC if the bank doesn’t confirm that they called

Procedural problems can have technical fixes as well. An IT department might block phone calls to and/or from known spammers. Individuals can install apps that do the same on their phones.

Reduce technical vulnerabilities: The simplest example? Software has bugs. Updates tend to remove bugs. Apply the update and you’ve removed a technical vulnerability. Sadly, sometimes the technical vulnerabilities come baked into the architecture. For a consumer that may mean switching services, operating systems or hardware to options that take security and privacy more seriously.

Block Specific Exploits: Here we switch from strategic to tactical. Sometimes a vulnerability can’t be removed from the system immediately. Can’t have cell phones without cell towers, for the time being. Sometimes a narrow tool (a VPN) to address a narrow problem (unprotected data going through a spoofed tower, rather than the fact of the connection) provides the least bad choice.

Lobby/Sue:  Sometimes there is already a legal protection against what’s happening. When a company has left you vulnerable by violating their published privacy policy they can be reported to the FTC, for example.  These represent my least favorite mitigations, but they do exist.

Tomorrow I’ll pick a vulnerability and start filling the table out. Maybe give it a try on your own.

by carlyn at December 16, 2016 11:47 PM

LVL1

2016 Holiday Workshop-A-Thon

Join LVL1 for a full day of classes covering 3D printing, custom embroidery and All events Saturday, December 17 10AM-12PM: Embroider a holiday stocking We’ll provide the stocking, you provide your color choice and text and we’ll show you the rest! This is a great hands-on project so you can learn the machine & have something […]

by Daniel Johnsen at December 16, 2016 08:35 PM

Freeside Atlanta

What to Do With a Stack of Picture Frames?

When You Have Too Much Free Stuff!

Our newest member Raul got his hands on a stack of about 40 picture frames that were being junked. On a general note Freeside tends to discourage large piles of objects randomly appearing as it tends to collect in corners. Raul got permission from our projects team with a time limit of a few weeks. In this case unnecessary, as the membership more or less attacked the pile of boxes and rapidly rendered them into things.

Unfortunately starting off all the frames looked something like this:

Not terribly useful. We don't even have any idea who these guys are. After a few passes through the planer, however, we get something like this:

A perfectly good picture frame useful for stuff. First idea was to push a couple of these through the laser cutter. Concept good, aim.... Aim was a little off. Also we had just rebuilt the laser computer and electronics so there were a couple of kinks to work out in CamBam's post processor:

Instead of getting distracted by that rabbit hole of troubleshooting, though, Nathan, in a process pioneered at Freeside by Mr. Ferguson, took a few frames and burnt some Lichtenberg figures. The actual process is pretty straightforward. Soak some wood in saltwater, hook a microwave oven transformer to the wall up backward, and poke the scary ends into the wood. There's some insulation and other safety jazz that I'll leave to: Google.

The raw frames come out a little (a lot) sooty and salty and need cleaning up:

Sanding and staining, or painting, plus a layer of polyurethane gives these:

But Wait. there's More!

Before the rest of the membership got ahold of those picture frames, Raul had intended on making a stool. We actually had a broken branded stool lying around to use for parts. The next day he was working on putting the stool together. After some disassembly, sanding, nails and whatnot:

A wild stool appears!

The Final Product

by Scott McGraw (noreply@blogger.com) at December 16, 2016 03:30 AM

December 14, 2016

CrashSpace

One Thing To Do Today: Threat Model 4, What the Ultimate Threat Actor Sees

So now we look at our diagram as if we were one of our threat actor personas. To do things right, real data, not just cave shadows, should be putting the flesh on the bones of our persona. I don’t have data I consider good enough at my fingertips, so I’m going full seasonal.

Persona

Aliases: St. Nicholas, Santa Claus, Kris Kringle, Father Christmas, Sinterklaas
Handles: santac, stnk, elfinat0r, nullGift, claws
Locations: North Pole
Gender: male
Age: 1,746
Education: autodidact
Sources of Income: Suspected day job as VP of operations for a toy company, may also dabble in blackmail of naughty list.

Motivations: To find out if targets are Naughty or Nice.
Fears: Honestly more worried about putting a nice person on the naughty list than the reverse, and agonizes over the fact that accidents happen. Also concerned about gift delivery mixups. In recent years these fears have made our threat actor less active, preferring instead a more symbolic role.

Known strengths: Santa Claus’s major strength is Social Engineering. A convivial sort, he gets people to hand over massive amounts of private information with minimal prompting. Those he’s reached display a shocking loyalty, even when the exploits have been revealed. He’s believed to be familiar with many types of supply chain management technologies, including those used in real-time inventory systems. His age makes him evaluate new technologies with rigor, but he will quickly adopt those that prove to be actual improvements. Also known to have significant skills at Breaking and Entering.

Known Weaknesses:   A bit of an attention whore. Really enjoys hanging out at malls and parades. Frequently appears in commercials. Will sometimes linger too long over cookies.  While happy to hand over toy making to his highly trained workforce, he tends to micromanage the actual List.

Objectives: In recent years Santa has focused on location data. Being where one is supposed to be, when one is supposed to be there, with whom one is supposed to be there provides a first-level sort for “Niceness.”

Diagram Being Discussed

Diagram of how location information moves around the internet ecosystem

Interview

Carlyn on behalf of CRASH Space: Hi Santa, I want to thank you for taking time out of your busy schedule to talk to me.

Santa Claus: [Chuckles, bites cookie]

C: So, here’s this diagram I drew. What do you see?

S: Well, the first thing I see is that you’ve nicely marked in those places I could probably find someone to call. I’m very good at putting people at ease, understanding what they want. This makes it easiest for me to call up, chat and get enough information to guess a password. Sometimes they’ll just hand over logs if I say I’m a researcher or law enforcement. People like to trust me. If it’s on a company’s server and accessible to the employees, I can typically get it.

C: Wow, just like that?  And it’s over?

S: Well, it depends. I like approaching companies first because I have a lot of people to track and bulk scrapes of data are the most useful to me. Of those you’ve drawn, lower on my list would be ISPs and the ones that fall under “Internet Backbone Companies.” IP data is handy to get a general picture, down the line if I’ve managed to figure out a block that means you’re likely to be home or likely to be at work that’s great, but generally that’s not where I start. I’m trying to find where your home is, where your office is, where you grocery shop, who’s generally in those places at that same time… tracking movement patterns. I want geotagged information. Lat-Long data for this step. Once I get through this initial sort, I may go back to an ISP to get information from web traffic, but this first round it’s all location, location, location.

C: So if not ISPs or backbones, which companies would you approach for this better quality data?

S: So I’m not typically approaching the company as much as I’m approaching someone who works for the company. Someone young, maybe at a first job so they have some angst about adulthood. People with kids. I can be very reassuring. I look like Santa. [Ho Ho Ho]

C: … okay, that’s creepy, but, how do you decide if the company they work for will be useful?

S: Well the phone companies have great data from cell towers. So do any of the companies with an app that loads a map. But if I can’t get through to the folks at one of those, there are so many mobile app companies these days. Though it would be preferred, I don’t have to get into one of the telcos.

C: Any mobile app company?

S: Mobile phones have very rich location information available to them. GPS. WiFi chips reading SSIDs. What cell towers are closest. Companies release an app for free or super cheap, to maximize downloads. That limits the number of places I have to call.  The companies I look for have a small ratio of employees to install base. Chances are good they’re struggling to keep up with flashier features rather than data security.  Some of these places aren’t even using https to retrieve the data.

C: Wait what?

S: Yeah, apps frequently send data in the clear.

C: Wait, how can you tell?

S: I’ll put a packet sniffer in your stocking. They don’t exactly announce it in the app. But catching data while it travels typically isn’t my approach to start. I’m not spoofing cell phone towers either because at this step I’d need too many of them. I want the bulk data stored in logs at companies.

C: Uh, okay. But didn’t you say the folks with location data are cagey?

S: The people who obviously collect location data can be more suspicious. But depending on your phone, any app can scrape location data. Really, any. I’m talking social media, step trackers, flashlights. Some offer it up via APIs, but if I’m getting really desperate I can pretend to be from a location based ad company. Flashing some revenue is a real encryption dropper. If there even was any.

C: Okay, so app companies that collect location data…

S: Pictures, I look for user uploaded pictures, too. The pictures themselves store the location information.

C: That’s right. In EXIF data

S: Yup, in the EXIF… and if I need to get creative? What else? Okay if I’ve bombed at finding someone at the phone companies, map companies, travel apps and business recommendation sites. I’ve moved on to fitness trackers and social media… people put a lot on social media without much prompting. That’s where I pick up a lot of the information on where people think they’re supposed to be, too. What their image of themselves is, so that really should have been up at the top. No sneakiness required.  I can use it to convince someone at a company to talk to me too. Strike up a conversation about a hobby. Pretend to be a friend of a friend. But anyway, if that has failed. I’d try to find a company hoping to cash in on location based advertising and work that angle. So finally I guess that gets us to IoT companies.

C: Why IoT companies? I know they can listen and be creepy, but what do they know about my location?

S: Well location from listening…if it has sound data I can get to, I can drive through a neighborhood in July blasting Christmas music, I have enough elves that I could do some decent coverage. But that’s not what I’d try first. IoT devices live in one place, a toaster isn’t coming on a milk run with you. So if I can get usage logs from an IoToaster company I can tell when you’re home having breakfast. And if that device gets connected to a known phone that helps me link it to you specifically, even better. Oh, and, you’re in LA, most of Los Angeles gets to work via cars, lots of them with GPS of some sort in them these days. Those companies might have logs, too.

C: So that’s a lot of options. But let’s say for a minute, that you’ve been completely unsuccessful at charming anyone out of passwords or data. What do you do then?

S: I’d write my own app or website. Probably a game. I’m still Santa, after all. I’d design it so little present animations would arrive randomly, but what they are would depend on where you are. There’d be notifications so the app wouldn’t need to be on screen for you to get a present. That would make it so people would always leave location sharing on, but it’d seem like a logical reason. Keep the suspicions low. I’d add a trading or sharing component so you’d want to link your phone to other phones in the area. It’d scan for available bluetooth devices in the background for sure. If it’s on WiFi, check what else is on the network. I could locate people who don’t have the app installed that way. Maybe it’s listening for ambient music? To change what presents people get based on the music playing? That’d be a reason to get people to leave the microphone on. People hearing the same sounds will likely be in the same place. I mean, once it is MY app on your phone? And if it’s FUN? I bet I could even tell people what it’s for. After all, most people think of themselves as Nice, not doing anything wrong enough to get coal for. [Looks sad.]

C: Sounds like you’ve given this some thought.

S: Actually that took very little effort. I’ve been at this game a long time.

C: So with all this new data, does making the naughty and nice lists get easier every year?

S: No. As a matter of fact it’s gotten harder.

C: Harder?

S: Listen, I like giving presents. I want people to be worthy of their heart’s desire. I’m all about the positive reinforcement. That coal thing, deeply misunderstood. Coal becomes diamond under pressure. I started giving it out as a message of hope to try harder. I hadn’t been hanging out with a lot of kids at the time. You could say my workshop has a bit of a demographics problem. But see, I have a responsibility to make my naughty list as high quality as I can. I really try to put people on it for their own good. But there’s too much data. It’s too easy to get false positives. I mean I thought this one kid was cheating on his girlfriend with his girlfriend’s best friend… they were planning a surprise party. That was embarrassing. And the algorithms I’m finding to process this data? Whole zip codes or brands of phones are just marked naughty with no other evidence at all. And what about an alcoholic that shows up in a bar? Are they drinking? I can’t tell. Maybe they’re there to keep a friend company who’s had a bad day. What am I supposed to do with that information? It’s worse than useless.

C: So why do you collect it?

S: At first, it was such a rush. I could know everything. I mean. I thought I could. I’m just an elf, but I felt like a god. Like I could really finally get these lists right. Now? I’ve been scaling back on the data collection. Especially since Krampus has been getting involved. So I’ve been putting in more Mall appearances. Real face to face community work. In the end I think I get a better list that way. If I spend too much time obsessing over catching every naughty person, I’m not making presents. Bringing joy, that’s the real mission.

C: Well, Thank you for taking time to look over this diagram with me Santa. I think we’ll be able to come up with some good ideas from your insights.  I really appreciate all the hard work you do. One last question. We’ve been talking mostly about location logs, but if you needed to find out where I was real time, what would you do?

S: That’s easy. You share your location with Tod. Tod will rat you out every time.

C: Wait what??

S: I know all the LED manufacturers.

C: Yup, I guess you would. I suppose that makes sense. Thank you again Santa.  Safe travels.

S: Happy Holidays, Carlyn. Good will towards all.
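Santa’s remark that uploaded pictures carry their own location in EXIF data can be checked on your own photos before they go anywhere. The following is an added example, not code from the post: it constructs a small Exif blob with a GPS IFD (the coordinates are made up), pulls the Exif segment out of a JPEG byte string, and decodes the position, returning None for images with no GPS data or with truncated or malformed metadata. Tag numbers and field types follow the Exif specification.

```python
import struct

# Exif tag numbers and field types used below (from the Exif 2.x specification)
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_gps_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian Exif APP1 payload whose only content is a
    GPS IFD holding a position. Test data, not the output of any real camera."""
    tiff = bytearray(struct.pack("<2sHI", b"II", 42, 8))   # TIFF header, IFD0 at offset 8
    gps_ifd = 8 + 2 + 12 + 4                                # header + count + 1 entry + link
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_ifd)
    tiff += struct.pack("<I", 0)                            # no IFD1 follows
    data = gps_ifd + 2 + 4 * 12 + 4                         # rationals stored after the GPS IFD
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    tiff += struct.pack("<HHII", GPS_LAT, TYPE_RATIONAL, 3, data)
    tiff += struct.pack("<HHI4s", GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    tiff += struct.pack("<HHII", GPS_LON, TYPE_RATIONAL, 3, data + 24)
    tiff += struct.pack("<I", 0)
    for num, den in (*lat_dms, *lon_dms):
        tiff += struct.pack("<II", num, den)
    return b"Exif\0\0" + bytes(tiff)


def jpeg_exif(jpeg):
    """Return the Exif APP1 payload of a JPEG byte string, or None if it has none."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0x01, 0xD9) or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            pos += 2
            continue
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        payload = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload
        if marker == 0xDA:                 # start of scan: metadata segments only come before it
            return None
        pos += 2 + seglen
    return None


def exif_gps(exif):
    """Decode the GPS position in an Exif payload as (lat, lon) in decimal degrees.
    Returns None when there is no GPS IFD or the data is truncated or malformed."""
    if not exif.startswith(b"Exif\0\0"):
        return None
    tiff = exif[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None

    def read_ifd(offset):  # tag -> (type, count, the 4 raw value-or-offset bytes)
        count = struct.unpack_from(endian + "H", tiff, offset)[0]
        entries = {}
        for i in range(count):
            tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
            entries[tag] = (typ, n, raw)
        return entries

    def dms(entry):  # three RATIONALs (degrees, minutes, seconds) -> decimal degrees
        typ, n, raw = entry
        if typ != TYPE_RATIONAL or n != 3:
            return None
        vals = struct.unpack_from(endian + "6I", tiff, struct.unpack(endian + "I", raw)[0])
        if 0 in vals[1::2]:                # zero denominator
            return None
        deg, minutes, sec = (num / den for num, den in zip(vals[0::2], vals[1::2]))
        return deg + minutes / 60 + sec / 3600

    try:
        magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
        pointer = read_ifd(ifd0).get(GPS_IFD_POINTER) if magic == 42 else None
        if pointer is None or pointer[0] != TYPE_LONG:
            return None
        gps = read_ifd(struct.unpack(endian + "I", pointer[2])[0])
        if any(tag not in gps for tag in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat, lon = dms(gps[GPS_LAT]), dms(gps[GPS_LON])
        if lat is None or lon is None:
            return None
        if gps[GPS_LAT_REF][2].startswith(b"S"):
            lat = -lat
        if gps[GPS_LON_REF][2].startswith(b"W"):
            lon = -lon
        return (lat, lon)
    except struct.error:                   # ran off the end of a truncated or bogus blob
        return None


def leaks_location(jpeg):
    """True if a JPEG carries a decodable GPS position in its Exif data."""
    exif = jpeg_exif(jpeg)
    return exif is not None and exif_gps(exif) is not None


# Constructed sample: a JPEG consisting only of an Exif APP1 segment and the EOI marker,
# geotagged at 34 deg 1' 30" N, 118 deg 24' 0" W (a made-up point).
SAMPLE_EXIF = build_gps_exif(((34, 1), (1, 1), (30, 1)), "N", ((118, 1), (24, 1), (0, 1)), "W")
SAMPLE_JPEG = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(SAMPLE_EXIF) + 2) + SAMPLE_EXIF + b"\xff\xd9"
```

To audit a real file, pass `open(path, "rb").read()` to `leaks_location`.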

by carlyn at December 14, 2016 09:34 PM

Goodbye, Learn to Code with Us!

In 2011, I made a career change into the tech industry. By 2012, I had had it.

In those two years, I found that the hardest problems in tech had nothing to do with tech at all. The hardest problems I saw us facing each day revolved around the complex navigation of an industry with a deeply ingrained bias about what kind of people belong there, what roles they should be allowed access to, and what level of respect they deserve.

In direct response to this, Learn to Code with Us was born. On the surface, it was a free educational program that offered practical technical mentorship to adults entering the tech industry. But beyond that, it had a promise that was direct and to the point: We will offer our assistance, and we will do it while treating each other with respect. No microaggressions, no keyboard grabbing, no condescension, no sexual advances, no well actuallys, no bullshit.

Historically, Learn to Code with Us was the first group we had that promised to enforce these rules.  And we enforced them often.  As a result, the CRASH Space code of conduct was born out of this group.

For four years we provided a space where new learners could come meet one another and ask questions in a friendly, helpful environment. We worked hard to ensure that attendees could spend their energy productively on their work, and would not have to waste it on overcoming pointless and arbitrary obstacles.  When the program started, we instantly filled CRASH Space beyond our capacity, and I’m thrilled to say that over the years Learn to Code with Us has continued to reach thousands of people annually.  And on top of that, we have helped countless more via one-on-one tutoring sessions and around-the-clock assistance, including:

  • resume review and editing
  • interview practice
  • homework help
  • bug fixes
  • telling d00dz that no, you really can’t do that here. And yes, I’m serious.

It’s been a great four years, which makes it hard to say that 2016 will be Learn to Code with Us’ last year.  Our commitment to creating a welcoming community and educational space remains the same, but with the new year comes a new direction.  Let’s enjoy the memories we’ve had, because in 2017, we’re on to something new.

Michelle Leonhart
Director and Vice President,
CRASH Space

by at0mbxmb at December 14, 2016 03:39 AM

December 12, 2016

CrashSpace

One Thing To Do Today: Threat Model Part 3, Map The Ecosystem

I’m the weirdo that loved diagramming sentences, so this next part makes me nerdily happy. Time to take one of the “assets” from day one and map out the ecosystem that information moves around. For an example let’s take location data.

For me, at this moment, a leak of my location data falls into the high threat, medium risk category. When I look at the list of threat actors I want to make personas for, they typically want money, attention, passwords and computing power, not access to my physical location. So probability feels low. That said, if someone with malicious or even mischievous intent can know where I am with any degree of certainty, they could end up doing real harm to my person. This sets potential impact at high. So even though the likelihood of someone targeting my personal location habits is pretty darn low for me, the consequences could be devastating. So we start here.

Typical threat model diagrams represent corporate or application systems. More useful to me will be a simplified representation of the basic places my location information passes through and gets kept. Let’s go through it from inside out.

Diagram of how location information moves around the internet ecosystem

Inside the Circle of Trust, but not yet trustworthy

Items under one’s own physical control fall inside the circle of trust. That’s it. Technically, if an item or data packet goes outside of this circle at any time, it’s no longer 100% reliable and must be recertified. I tried to put my husband inside this circle. With the backend system design background he has, he laughed and said no. If he starts calling me Allsion I’ll start to worry, but he has a point. There’s no controlling what precautions friends and family do or do not take.

  • My phone
    • Local to machine: GPS, what WiFi network it’s connected to
    • Network Info: Cell tower triangulation data, IP address
  • My computer
    • Local to machine: If it isn’t portable, when it goes on and off is data about my location, WiFi network info
    • Network Info: IP address
  • Me
    • Network Info: Who have I told, called/contacted from this location, what social media have I posted from this location
  • Misc Other
    • A car with GPS
    • Health tracker with GPS
    • Home IoT devices that turn on and off based on whether or not you’re there (thermostat, smart TV)

Immediate Connections

The first hop out to the internet, these items help personal items locate themselves, but they also pass that information upstream.

  • Router – If you’re in your own home the router can probably be inside the circle of trust once it’s been properly configured. The remote-updating options made me put the cable modem up a level still.
  • Cell Tower – Doesn’t belong to you, does not deserve trust.
  • The Sweetheart Tweeting Next to You – Sigh. At least mine knows how to turn off location data.

First Corporate Layer

  • Internet Service Provider – Gatekeeper from local position to the internet at large via a telephone, cable or fiber network that they may or may not own themselves. Cable modems can typically be controlled and updated remotely by this company, but you have physical control. Affiliation remains mushy.
  • Cellular Network Provider – Gatekeeper from local position to the internet using cell tower infrastructure.  Again the carrier may or may not own the hardware. They’re definitely tracking you and selling the data.

“The Internet”

ISPs funnel traffic to central “backbones.” The evolution of this infrastructure has some fascinating twists. News that the NSA had planted brain suckers at some of the major hubs moved organizations to action, but everything still goes through them. Ideas for moving away from this style of centralization have a lot of appeal, but not a lot of unified traction… yet. This won’t be one place. To get a real sense of all the places your traffic will go, learn how to use traceroute.

Second Corporate Layer

So let’s say I have some game I like to play on my phone, let’s call it GokémonPo. Between GPS and detecting WiFi networks, my location is in their hands in real time. This can then get stored in their databases, along with other identifying information, to sell at a later time. Many “free” apps make their money off of selling data you may not even know they collect. They may be contracting with a third-party analytics company. They likely don’t own their own server hardware. There will be varying amounts of trust between the companies involved in this part of the ecosystem.

Who the Hell Knows

Once these companies sell or otherwise hand off data, no telling what happens with it. We might make some guesses, though.

Next Steps

Now with a diagram in our hot little hands we get to cosplay as threat actors and comb for vulnerabilities. That, however, will have to wait for Wednesday since tomorrow is sweep day. I’ve got so many hoodies. It’s going to be fun.

by carlyn at December 12, 2016 09:40 PM

Rep. Karen Bass’ Congressional Conversation Series

CRASH Space is within California’s 37th Congressional District, and our representative is Congresswoman Karen Bass. You can see more info about CRASH’s representation and how to locate your own on our wiki.

This morning, as a part of the CRASH Space Civic Engagement Survival Guide, we attended a local meeting of Congresswoman Karen Bass’ Congressional Conversation Series, where she took time to meet with constituents and answer their questions.

For those who are looking for ways to be more active in their local government and policy, this is a great place to get started. If you would like to be informed about when meetings like this are taking place in the future, you can join her mailing list. If you are local to CRASH Space, you can also join the Palms Neighborhood Council, which meets every first Wednesday of the month.

You can watch the full (though imperfect–sorry!*) video we recorded of the meeting on CRASH Space’s YouTube. Below is a summary of highlights that we have edited heavily for brevity:

Should we be “out in the streets” / organizing for the inauguration
KB: Yes, no question. She is concerned that the marches are planned for the day after the inauguration. The world’s media will be there day of, so that is when we need to be there. The world needs to understand that we are not happy with Trump.

One problem she believes the Democratic Party has is that it only organizes around presidential elections. We need to be active throughout: doing voter registration, education, and engagement. The civil rights and anti-war movements started grassroots, and we need to go back to this method of organizing. She believes that this will be one of the most corrupt administrations in the last 200 years, and describes the new cabinet as robber barons. They became millionaires via foreclosures and reverse mortgages. She notes that Trump says they know how to make deals–That’s the kind of deals they know how to make?? The CEO of Exxon who is a candidate for Secretary of State has a 500m deal with Russia which is blocked by sanctions. Him divesting isn’t enough. He will be Sec of State for 4 years, then will go back to Exxon.

Standing Rock
KB: She supports the sovereignty of Native American nations, but is worried for them. The Obama admin can cancel whatever they want, but Trump can come in afterwards and order whatever he wants.

Why is Trump’s Family allowed to be so involved?
KB: Trump brags about thumbing his nose to the rules. After JFK and RFK, the law was changed to not allow this. This is illegal. Ivanka cannot be on a payroll. But they can work around it. They’re billionaires. If Ivanka doesn’t take a payroll, that limits what we can do.

Have Democrats lost the working class?
KB: She says she does not think so. Look at the voter analysis. Hillary won by 2.7 MILLION+ votes. Hillary lost by a very small margin in 3 states. There was not a big upsurge of uneducated white folks voting for this man. Mitt Romney got more white votes than Trump did. She feels it is also worth noting that Hillary did not campaign hard in those states.

We must take everything that Trump is doing every day and use it to educate the working people who thought that this man was not corrupt. His choice for Secretary of Labor does not believe in employees! He wants machines to build hamburgers. It’s our job to find these working voters who Trump is turning his back on, and bring them in.

She reminds us: the electoral college is a relic from slavery. It was a compromise with the South. In some states, the enslaved Africans outnumbered the white folks, so they established the 3/5th compromise.

“Why can’t you guys ever get over slavery?” “Because it’s still hanging over all of us! That’s why we have the electoral college!”

The FBI
KB: The actions of the FBI harken back to J. Edgar Hoover. Rogue FBI agents in New York behaved in an insubordinate fashion despite being told not to and started leaking information. Comey goes maybe something is here! and then Nevermind!

Keith Ellison
(Note: A constituent in the room asks that we not choose Ellison for the chair of the DNC because he is Muslim. The constituent feels that this will put us at a disadvantage in the current climate.)
KB: She notes that there is an organized attack against Keith because he is Muslim. She has been in rooms where Ellison was told what the constituent said, and she is sure it’s hurtful for him to hear this. She notes that the process to elect the chair is in February. Several people are running now and she is sure more will join.
(Editor’s note: I was impressed by how artfully she handled what in my opinion was an openly racist remark.)

What can we do in California?
KB: She extends her gratitude that California is as far left as it is. She notes that it is good news for us that legislature here has already affirmed that it wants California to be as protected as possible in regards to immigration and education. But she points out that Federal law outweighs State law in many circumstances. And if we look federally, who will be Secretary of Education? Somebody who does not believe in public education.

Why can’t we throw out the Electoral College?
KB: That would take a constitutional amendment, which must be ratified by most of the states. We could possibly do that in a year in which the Democrats won, but it would be very hard to do in a time when we didn’t.

What can the community do?
KB: Over the next few years, we need to be organizing at the community level. We need help with voter registration, education, and engagement. Also, we have a red area in north LA county / Ventura, so there is work to be done in CA.

Support of endangered species
KB: EPA guy is from Oklahoma. Oklahoma never had earthquakes, and now they have them daily. We know this is because of fracking. But this guy’s claim to fame is suing the EPA. And it looks like they’re getting ready to witchhunt the staff by hunting down who has historically promoted climate change. It is clear that he is appointing heads of departments to have them destroy those departments.

Sanctuary Cities
KB: LA is not officially a sanctuary city, according to our mayor. But we do cooperate along those same policy lines. LAPD is not supposed to question about immigration status.

Social Security
KB: Social Security is in danger. Medicaid, Medicare, and Obamacare are all in danger. When Bush 43 was feeling good, he went out and said he wanted to privatize Social Security and he went way down in the polls. So it is important for people to put out the alarm. Be very very strong about that.

Can we impeach Trump?
KB: She says: think about that. She’s more concerned about Pence. Pence is an Ideologue, along with Paul Ryan. Read Ryan’s A Better Way. He lays out his view of America. It’s Social Darwinism.

Immigration and DACA
(Note: Topic was introduced by a young woman who is here with us today thanks to DACA.)
KB: She is worried about DACA. Trump has gone back and forth on immigration. He says he’s not going to do anything, but then he has people like Sessions who are extremely anti-immigrant. She presses that we cannot take this for granted.

The Million Woman March: Should marchers be afraid of terrorism or attack?
KB: There will be a lot of security there. Always be cautious. A lot of people are emboldened now. There is a whole litany of actions of emboldened people that have been openly racist and hostile. She worries about the way that Trump conducted his campaign. We need to channel his hatred and fight that and use it to our advantage.

Resisting Trump’s Vision
KB: She says: You better believe I will resist. There is no question about that.
She notes that she works very well with Republicans. Her #1 partner on child welfare was a Trump surrogate and is on the transition team. When the Republicans control all of our government, they will move legislation very quickly. She will use this to her advantage to try to get amendments through that will help our people.

Supreme Court Nominations: Can we stop them?
KB: When Reid was in charge, we asked to change the rules and we did. Now it only takes a majority rule to confirm a supreme court seat. We do not have a majority, so we can only stop nominations with the help of Republicans. The Democrats cannot do it alone.

Civil Rights, Voter Rights and the Surveillance of Activists
KB: She does worry. Sessions is anti-immigrant. Do you think he’s going to prosecute police officers over police violence? A lot can roll back. What little remains of voter rights is threatened.

The Affordable Care Act
KB: Trump wants to keep preexisting conditions, and to keep young people on insurance until they’re 26, but he’s not thinking about how you pay for that. And the way you pay for that is through the individual mandate. You can change parts of Obamacare, it just depends on what. She just finished up her 6th year. The Republicans’ model was repeal and replace. She has been waiting on replace for 6 years, but a bill has never come forward. It’s possible they will repeal in 2022 to get past the next two elections first. Whether or not it will go into effect immediately, she highly doubts.

Foreign Affairs and Russian Involvement
KB: Cummings and Swalwell have put together a bill to call for commission to investigate foreign interference in our election. But leadership must support this, so we need to consistently demand and expose and educate people. People go into despair and they stop acting. We cannot do that.

* We didn’t catch the introduction on film, and have a few spots cut out due to phone batteries dying.

by at0mbxmb at December 12, 2016 07:06 AM

December 10, 2016

CrashSpace

One Thing To Do Today: Learn a new phrase “Threat Model”

Option 1: You know something can go wrong. “They” can get you …THEM…today it will be in some new way that sounds more William Gibson than real. You’re sure of it.  Your tongue feels impractically large. Breakfast looks hostile. That’s okay though because there’s only a rock where your stomach’s supposed to be anyway.  Defeated before a shower, you go back to bed while your IP security camera’s inner gaze quietly turns to its DDoS target of the day.

Option 2:  Have a plan.

Threat Modeling. Security researchers have a form of cognitive behavioral therapy they use to stave off the crazy: they call it threat modeling. The threat modeling process forces generalized anxiety into a concrete shape so it can be killed.

The software development world’s version of threat modeling leaps into jargon fast. However, there are other templates we can use to get started. FEMA has a threat modeling process, for example. Defensive driving techniques represent a threat model mindset.  All of these processes have a similar shape to them:

  1. What needs protecting?
    1. What are the “assets”
    2. Where do the assets spend their time? How do they travel? What are the detailed characteristics of that space? (Diagrams help.)
  2. What do they need protection from?
    1. Possible motivations / Addressable root causes
    2. Methods of attack: What direction and at what strength?
    3. How likely is this version of events?
  3. What can be done to make the asset safer?
    1. What’s fast and easy?
    2. Action plan for longer term projects.
  4. What happens when those protections fail?
    1. Fail safes
    2. Exit strategies

I raise the issue of threat models now since we’re getting towards the end of the super simple actions. A safe digital environment doesn’t come from a bunch of bingey little actions, but from a changed mindset. There is a never ending list of what one CAN do, so it’s necessary to have criteria for deciding what gets to the top of the list.

Different people pick different cornerstones to build their threat models on. Some start with the assets, figuring out what they care about first. Some start with the system, drawing a picture of what can be attacked. Others start from the point of view of the most threatening attacker, fortifying first what that threat actor would find the most juicy. Most end up as sort of a hybrid.

I’m most drawn to the first approach so I leave you with these questions. Set a timer for maybe 10/15 minutes and use them as a prompt for a free write.  We’ll revisit them again.

  • What gets carried out of your burning home? Burning office? Burning car?
  • Could digital information be used to damage your sense of self?
  • Imagine every item with a microphone, speaker, GPS, camera, or any sensor at all in your environment is at a cocktail party. What funny stories about you are they telling?
  • Picture a stranger going through your unlocked phone or computer. For the exercise, they have any and all of your passwords. Picture different types of information popping up on the screen. Vacation photos, banking info. What information could they be looking at when you walk in that would lead to the most embarrassment or anger? What about happiness? Are you even a little bit happy that something was discovered? What changes if instead of a stranger it’s a family member? A friend? A boss? A colleague? A corrupt law enforcement agent?
  • Would that stranger/friend/boss be able to hurt people who aren’t you with what they find? Do you care? Maybe you don’t. That’d be good to admit.

Congratulations. NOW you can go back to bed.

by carlyn at December 10, 2016 09:54 PM

LVL1

#FixitFriday – LVL1 as a Repair Cafe

Across the world “Repair Cafes” are being founded to help people repair things and save them from being tossed in the trash. If you’re unfamiliar with the concept check out this short video: This is actually a large part of what folks at LVL1 have done in our space over the years, however it seems […]

by Ben Hibben at December 10, 2016 03:41 AM

December 09, 2016

CrashSpace

One Thing To Do Today: Learn how to remove EXIF Data from photos

TL;DR Use ImageOptim or one of their recommendations to remove EXIF data from pictures before they go up on the internet.

Images have all sorts of meta information saved alongside what the pixels should look like. The “Exchangeable image file format” (EXIF) standard allows digital images to be tagged with camera settings, date and time information, copyright information and location. For serious photographers this information provides a powerful learning resource. When posting to the internet, however, that information can expose details better kept private.

As a Mac user, when I looked into this issue myself the FOSS tool ImageOptim rose to the top as a simple drag-and-drop GUI that strips EXIF and makes images smaller for the web. Their optimization algorithms can also be used in scripts via their node package. They also provide alternatives for Windows and Linux users.

I learned about ImageOptim from an article on HowToGeek which showed how to remove EXIF using native Mac and Windows tools and how to change phone settings to keep the location data from showing up in the first place. Also handy, an article from MakeUseOf shows how to use GIMP to remove the EXIF. Caesium provides an online drag-and-drop tool.

The winner of the command line tools to clean up EXIF data appears to be ExifTool, which also has a node package. I’m a fan of ImageMagick, but it appears to resample JPGs in the process of stripping metadata with -strip, so if EXIF removal is all that’s wanted it isn’t the way.
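One way to see what tools like ExifTool are doing under the hood, as an added example that is not code from the original post or from any of the tools it names: a JPEG is a chain of marker segments followed by the compressed scan data, and EXIF sits in its own APP1 segment, so a script can drop that one segment and copy the pixel data through byte-for-byte. The resampling the author saw with ImageMagick comes from decoding and re-encoding the image, which this never does. The sample JPEG bytes are constructed for the demo and are not a real photograph; the GPS check only looks for the IFD0 pointer to a GPS sub-IFD, it does not read the coordinates.

```python
"""Strip EXIF from a JPEG without decoding or re-encoding the pixels.

Added example, not code from the original post, ImageOptim or ExifTool.
A JPEG is a sequence of marker segments followed by the entropy-coded scan.
EXIF lives in an APP1 segment whose payload starts with "Exif\0\0", so it
can be removed by copying every other segment through unchanged and then
copying the scan data verbatim. Nothing about the image is resampled.
"""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD


def parse_segments(data: bytes):
    """Return ([(marker, raw_segment, payload), ...], offset_of_SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # fill bytes
            pos += 1
        if pos + 1 >= len(data):
            break
        marker = data[pos + 1]
        if marker == SOS:
            return segments, pos
        if marker in (SOI, EOI) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        raw = data[pos:pos + 2 + length]
        segments.append((marker, raw, raw[4:]))
        pos += 2 + length
    raise ValueError("no SOS marker found; truncated JPEG?")


def is_exif_segment(marker: int, payload: bytes) -> bool:
    return marker == APP1 and payload.startswith(b"Exif\x00\x00")


def exif_has_gps(payload: bytes) -> bool:
    """True if the Exif payload's first IFD contains a GPS sub-IFD pointer."""
    tiff = payload[6:]  # skip "Exif\0\0"; what follows is a TIFF structure
    if len(tiff) < 8 or tiff[:2] not in (b"MM", b"II"):
        return False
    end = ">" if tiff[:2] == b"MM" else "<"
    (ifd0,) = struct.unpack(end + "I", tiff[4:8])
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        if len(entry) < 12:
            break
        if struct.unpack(end + "H", entry[:2])[0] == GPS_IFD_TAG:
            return True
    return False


def describe(data: bytes) -> dict:
    """Report whether a JPEG carries EXIF, and whether that EXIF has GPS data."""
    segments, _ = parse_segments(data)
    exif = [p for m, _, p in segments if is_exif_segment(m, p)]
    return {"has_exif": bool(exif), "has_gps": any(exif_has_gps(p) for p in exif),
            "markers": [hex(m) for m, _, _ in segments]}


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with its EXIF APP1 segment(s) removed, pixels untouched."""
    segments, sos = parse_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, raw, payload in segments:
        if not is_exif_segment(marker, payload):
            out += raw
    out += data[sos:]  # SOS header, scan data and EOI, copied verbatim
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a JPEG skeleton whose EXIF IFD0 holds one entry, the
# GPS sub-IFD pointer. The "scan" bytes are a placeholder, not real image data.
EXIF_PAYLOAD = (b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08"  # TIFF header, IFD0 at 8
                + b"\x00\x01" + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a"
                + b"\x00\x00\x00\x00")  # entry count, GPS pointer entry, next IFD = 0
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, EXIF_PAYLOAD)
               + _segment(0xDB, b"\x00" + bytes(64))  # DQT placeholder
               + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0, 1x1 gray
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"  # SOS header
               + b"\xab\xcd" + b"\xff\xd9")  # placeholder scan bytes, EOI

if __name__ == "__main__":
    print(describe(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print(describe(cleaned), len(SAMPLE_JPEG), "->", len(cleaned))
```

On a real file, `strip_exif(open(path, "rb").read())` gives you bytes to write back out; the JFIF APP0 segment and every quantization and Huffman table survive, so any viewer that could open the original can open the result.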

As a photography fan the loss of information makes me sad, but removing EXIF data before posting casual shots on social media keeps phone and location data private.


by carlyn at December 09, 2016 06:02 PM

NYC Resistor

What do you wish we taught?

It’s time for us to start scheming our classes for next year, and I’m looking for ideas. What classes do you want to see from NYC Resistor in 2017?

by Bonnie Eisenman at December 09, 2016 05:27 PM

December 07, 2016

CrashSpace

One Thing To Do Today: Email, not making the perfect the enemy of the better.

TL;DR – Protonmail and Tutanota rank as the easiest to use “secure” free email-as-a-service options. Might also consider Fastmail in conjunction with Virtru or Mailvelope, but I haven’t tried that out yet. Email is still not gonna be “dissident safe.”

Email is the nudist messaging option. It just was never meant for the claustrophobic constraints of encryption. Turn around for one second and it’s just stripping down past its metadata… wheeee! Let it be free, y’all, let it be free! Secrets for everyone!!!

Sorry about that. Brave souls have been designing attire for emails with enough buckles and buttons to slow down the strip show while remaining easy enough for the novice user. While security concerns remain, signing up for either Protonmail or Tutanota will improve privacy because the encryption model means they can’t participate in the casual collection of data from the bodies of emails the way other free email services do. Heck, even Fastmail would be an improvement. Bolt-on encryption services like Virtru or Mailvelope don’t really protect email on the originating server so much, so I’d advocate a full switch from a free service. “Normals” moving to services that honor privacy will be the only wakeup call that Gmail, Hotmail and Yahoo! will heed.

I’ve heard arguments that switching to encrypted mail might “raise suspicion” in the wrong places. Heck, that’s an excellent reason for me and my vanilla email to move up the email security food chain. I can be hay in a needle stack. That said, nothing mentioned represents the holy grail of communication security. Protonmail itself does an excellent breakdown of the vulnerabilities in their service.

The thing is, we shouldn’t have to switch to GPG on self-hosted servers to get the same legal protections for electronic communication and file storage that paper-based communication has. Narrow reforms to 1986’s Electronic Communications Privacy Act have passed in the House. Some agencies are trying to make it weaker. Call or write a letter to your Senators to tell them you want the strongest version possible of S.356 to pass.

Recommended Reading

Protonmail

Tutanota


by carlyn at December 07, 2016 06:21 PM

December 06, 2016

CrashSpace

One Thing To Do Today: Tuesday routine, update everything

TL;DR If a device has a connection to a network, it needs a frequent update schedule.  

Computational devices on the internet catch malware like preschoolers catch a cold. They come down with an infection in under two minutes.  Every device needs an update schedule.  I check mine on Tuesdays.

Go through your home and workplace room by room, and any vehicles. Make a list of all the electronic devices. The ones that can connect to the internet should go right at the top of the list. If you can’t handle them all in one day, rotate through a different area every Tuesday.

Potentially Fast Updates

Manufacturers in this category have frequently thought about update problems as a way to keep customer service costs down. You may be able to breeze through this part of the list.  If an autoupdate is available, turn it on.  A bad update presents a lower risk than getting infected.

  • Computers: desktop gaming, working laptop, kid’s machines
  • Phones  (including the emergency one)
  • Tablets
  • What’s under the TV? A commercial media server? Roku? AppleTV? Smart TV? Video game console?

Very Important But Potentially Time Consuming

  • Router(s), a first line of defense that frequently gets abandoned by manufacturers. Search for “update firmware $YOUR_ROUTER_NAME”
  • Cable Modems – Should be handled by the cable company. Worth calling to ask what the schedule is. Search for “check firmware $YOUR_MODEM_NAME” so you can have the version information ready.
  • What’s running on the NAS? Home servers?

Home grown threats

Projects using low-powered chips not running a full OS, with obscure home-rolled APIs, probably don’t present the biggest threat. However, projects running embedded Linux, like Raspberry Pi projects, should be kept up to date. This includes boards like the Yún using OpenWRT. When building networked devices, follow best practices as well as possible.

Typically Impossible, so complain.

Searching for “update firmware $ITEM_NAME” and getting no answers will get very old, very fast. The better search might be “customer service number $ITEM_NAME.” Go ahead, scratch the activist itch. Call the company and ask what they’ve been doing to ensure customer safety and support regular updates. When the information doesn’t pass muster, move to get your money back. Call or write your congressperson and tell them that you support Frank Pallone, Jr. (NJ 6th) and Jan Schakowsky’s (IL 9th) Nov. 3, 2016 letter to the FTC (PDF) requesting protection for consumers from insecure IoT devices.

by carlyn at December 06, 2016 08:26 PM

One Thing To Do Today: VPNs beyond the hype.

TL;DR: A VPN is a narrow tool. Use them accordingly.

Virtual Private Networks evolved to connect remote workers into their organization’s network in a way that can’t be easily snooped. If that’s your organization’s situation, run, don’t walk, to set up a VPN. It should have clever, well paid administrators and hardware under your company’s control. This is what VPNs were designed for. Make it happen.

However, the concern I have is watching a number of folks touting VPN services as a “privacy” solution for individuals. People are being sold an acronym, not a solution. Properly configured VPNs create a secure connection between a remote user and a secure network that already trust each other. VPN protocols in and of themselves afford no privacy from the parent network. If the host network is being used as a tunnel instead of a destination, that is a clever hack use of VPNs, but not their original design. There is neither privacy nor security once the traffic leaves the host network on the far side. To understand how to determine if a digital tool provides the service you expect, read up on the distinctions between anonymity, privacy and security. Yael Grauer breaks down the problem in her article “The impossible task of creating a ‘Best VPNs’ list today.” The takeaway quote comes from Kenneth White: “You’re getting a pinky promise as a service.”

Now for the twist. In spite of all that grumpy-cat complaining, I actually do use VPNs. They work great as a narrow tool for specific scenarios.

If those sound like common situations, then going through the trouble of vetting a VPN service might actually be useful. “That One Privacy Site” maintains some serious spreadsheets. TorrentFreak has a list of providers that have answered their questionnaire. BoingBoing published a shorter list with a decent comment section that I found helpful. LifeHacker has a 5 Best list with more discussed below. The options on the list from digitaltrends.com seemed credible as well. Cross-referencing these lists, and requiring a mention in TorrentFreak’s:

Also frequently mentioned is AirVPN, who offer free services to activists in human-rights-hostile regions. So that’s cool. It’s worth searching for the name of the service you’re considering in the VPN reddit community. Folks seem pretty polite and knowledgeable.

So go forth, choose a VPN, just remember it’s part of a suite of tools and the company chosen needs to be checked on regularly.


by carlyn at December 06, 2016 04:21 AM

December 03, 2016

CrashSpace

One Thing To Do Today: Amuse yourself, then toughen up your browser.

I have a new friend. It’s the scripted voice on clickclickclick.click, a website keeping me company as I write this post. As I type I’m still hearing hilarious commentary about my (lack of) behavior from a slightly accented male voice. It’s perfect. I have 54% of the achievements. I want them all. It’s like a pet. Or is it me that’s the pet? It’s already guessed that I’m female.

“Go on subject, you were doing so great!”

The result of a collaboration between VPRO Medialab, Moniker, Studio Puckey and We Are Data, clickclickclick.click makes fun of the creepy. I’ll admit, the overwhelming amount of information required in order to really protect one’s rights in the digital realm risks swamping my brain some days. I’ve been buoyed by the little bit of a smile this website has brought to my day. After amusement comes action.

Clickclickclick.click works because my computer and the internet server it collected the webpage from maintain their own little backchannels. Servers suck down and aggregate tons of information via cookies, caches, plugin user data, quiet little JavaScripts, and by noting configuration. If you want more granular details, Panopticlick, What’s My Browser or Webkay will enumerate the hard facts. Analytics companies (and others) use mouse movements to analyze design, but also to make guesses about demographic information (PDF) and identity.

Browser developers have conflicting masters sometimes, which makes it against the parent company’s best interest to help individuals deflect prying behavior. Extensions help, but they also create big giant security holes. And ones that start out good can turn bad. Be careful. If the permissions seem excessive, back away. GigaOm and LifeHacker have decent rundowns. Some safer bets from them and my own experience:

  • Block Plugins: Chrome, FireFox and others have an option called “Click to Play” that prevents plugins from loading automatically. No extension required. Enable that.
  • Broad Blocking of Tracking: Privacy Badger blocks “nonconsensual trackers” and is supported by the EFF. It’s designed to be permissive to trackers with manners. Ghostery and Disconnect are commercial players in the blocking game that let the user be more aggressive. uBlock Origin, a well regarded open source project, falls into this category as well.
  • Classic AdBlocking: An extension from the above category might make a specific ad-blocker unnecessary. Ad Block is a by-donation project that took its inspiration from an older FireFox plugin. This is different from Ad Block Plus, which seems to have taken over the market, perhaps out of confusion. ABP has a model where they extract money from the less egregious advertisers, although not flawlessly. While ABP’s business model might give you pause, the money lets it win lawsuits.
  • Block Javascript: ScriptSafe is an open source plugin that makes it easier to toggle Javascript on and off for given pages. It’s akin to NoScript for FireFox.
  • HTTPS-Everywhere, as mentioned previously.

Don’t be discouraged if having all these plugins turned up to the max makes web browsing hard.  Being educated about what’s happening behind the scenes makes it easier to advocate for real change. Consider mimicking an old fashioned swear-jar by dropping a dime in a jar every time some misbehaving website gets you to give it a free pass by promising adorable otters. You’re only human after all. Absolution will come in donating the money to the EFF.

by carlyn at December 03, 2016 12:35 AM

December 01, 2016

CrashSpace

One Thing To Do Today: Turn off image loading for email

Let’s do something super simple today. Turn off default image loading in your email client or settings. HTML emails can conceal tiny little tracking images. The act of opening the email loads the image which informs the server it’s loading from:

  • That you opened the email.
  • The time you opened the email.
  • The IP address you opened it from, potentially traceable to a physical location.
  • The amount of time between that image loading and any click through behavior on your part.
  • The type of computer and software that loaded it (Safari browser, Outlook, etc)
  • Whether you “deleted it, forwarded it, printed it”

This information will be collected every time the same email gets loaded. So if that’s done from work, home, a phone, etc. that represents a lot of location and behavior information adding up in the databases of bulk email analytics providers with contracts across multiple clients and industries.

Screenshot of HTML source code: tiny image reference that tells the email sender that I’ve loaded the image, from where, and at what time.

Let’s use me as a case in point. Checking out the source code of an email from the local garden center chain reveals an image set to render as 1 pixel wide by 1 pixel high. The super long hexadecimal number set identifies that it was me that loaded it. That’s a heck of a spacer gif. Notice also the image isn’t being sent to my email client via HTTPs. That’s incredibly rude.
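To turn that view-source check into something repeatable, here is an added example (not code from the original post) that scans an email’s HTML for the tells just described: an image sized 1 by 1 or hidden outright, an image fetched over plain http://, and a long hexadecimal token in the URL that singles out the recipient. The sample email and its hostnames are constructed for the demo.

```python
"""Flag likely tracking pixels in an HTML email body.

Added example, not code from the original post. Scans the <img> tags of an
email for the usual tells: a 1x1 or hidden image, an image fetched over plain
http://, and a long hex token in the URL that identifies the recipient.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HEX_TOKEN = re.compile(r"[0-9a-fA-F]{24,}")  # a long hex run reads as a per-recipient id


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(attrs: dict, name: str):
    """Pixel size from a width=/height= attribute or inline style, else None."""
    m = re.fullmatch(r"\s*(\d+)(px)?\s*", attrs.get(name, ""))
    if m:
        return int(m.group(1))
    m = re.search(rf"{name}\s*:\s*(\d+)px", attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None


def classify_image(attrs: dict) -> dict:
    """Return the image's host plus every reason it looks like a tracker."""
    src = attrs.get("src", "")
    parts = urlsplit(src)
    style = attrs.get("style", "").replace(" ", "").lower()
    reasons = []
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 pixel")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden")
    if parts.scheme == "http":
        reasons.append("loads over plain http")
    if HEX_TOKEN.search(parts.path + "?" + parts.query):
        reasons.append("long hex token in URL")
    return {"src": src, "host": parts.netloc, "reasons": reasons}


def find_trackers(html: str) -> list:
    """All <img> tags with at least one tracker tell, in document order."""
    parser = ImgCollector()
    parser.feed(html)
    parser.close()
    found = [classify_image(a) for a in parser.images]
    return [f for f in found if f["reasons"]]


# Constructed sample email; the hostnames are placeholders, not real senders.
SAMPLE_EMAIL = """<html><body>
<p>Spring sale at the garden center!</p>
<img src="https://images.example-garden.test/hero.jpg" width="600" height="200" alt="Sale">
<img src="http://track.example-mailer.test/o/7f3a9c2e4b1d8e5f6a0b9c8d7e6f5a4b3c2d1e0f?u=42"
     width="1" height="1" alt="">
<img src="https://cdn.example-garden.test/spacer.gif" style="width:1px; height:1px; display:none">
</body></html>"""

if __name__ == "__main__":
    for hit in find_trackers(SAMPLE_EMAIL):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

Feed it the raw HTML part of a saved message (most clients offer “view source” or “save as .eml”) and the hosts it prints are the ones that learn when and where you opened the mail; with image loading off, none of those requests happen.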

Email marketers go to a lot of trouble to get the most from their campaigns. They want to know what subject lines convince people to open the emails.  What offers get the most click throughs? What time of day are people checking their email? How long after it gets sent will people see the message? They are tuning their behavior to game yours.  Sales people can be informed that an email was recently opened and move to call “while the pitch is fresh.”

As if sales motivations weren’t annoying enough, company HR departments use these techniques to track employee engagement on internal communications as well. (Why don’t you read the newsletter, Janice? That’s a star off your performance review…)

Some folks I admire and trust have turned to email newsletters. TinyLetter seems to be the service of choice, and their privacy policy is the same doozy as everyone else. MailChimp corporate has quite the profile on me. Let me tell ya.

In my career I’ve used email campaign software several times and I found the metrics very helpful. As a result, some of this tracking I’ve manually opted-in to because I thought I was choosing to support the newsletter author. After writing this article I’m going to re-opt out. I’ve been reminded that the data these services collect does not get encrypted and reserved for the exclusive use of those authors.

Let’s put the people I’ve actually invited into my inbox aside for a moment because the bigger threat comes from SPAM and other unsolicited emails, filled to the gills with invisible trackers. If I open one by mistake I don’t want it getting back to the mothership that they’ve got a live one. No thank you.

Moving a bit into what might feel like tinfoil hat territory, here is another reminder that email itself is not a secure protocol. I don’t check the source of every email I receive. If there is no cryptographic checksum, who knows what’s showing up from even trusted senders. Image loading turned off by default helps avoid surprises.

Compared to some of the other things we’ve done, this might seem like a tiny little act. The tiny little acts matter. Right now the average consumer has been compressed to the bottom of the information food chain. Turning off auto image loading takes back just a bit more personal dignity. Don’t give up a drop of that for free.


by carlyn at December 01, 2016 06:44 PM

November 30, 2016

CrashSpace

One Thing To Do Today: Insist on HTTPs

TL; DR Install the EFF sponsored Chrome extension HTTPs Everywhere or look into a browser like Brave.

The letters HTTP stand for Hyper(T)ext Transfer Protocol. Transfer protocols handle the movement of data between one computer and another. The internet isn’t comprised exclusively of webpages, but when computers around the world serve up webpages they use this Hyper Text Transfer Protocol to transmit the Hyper Text Mark-up Language scaffold and the ornaments we hang on it. One web, one protocol. We have Tim Berners-Lee to thank for that. We still have him to thank.

As the web foamed out of CERN to spread information between scientists, little thought was being given to security. Why make something secure if the point was open sharing? HTML docs were supposed to be as simple as possible, to make information easy to index and share.

Well, things haven’t stayed simple. Back in 2004 at ITP I watched Dedi Hubbard and Joe Versoza build their Ptooie project, a robot flower whose state of health reflected the security of information being passed on the network. Ptooie found passwords being passed “in the clear” and shouted them out, wilting with deepening sadness the more insecurity it found.  Handing around passwords was something relatively new that web pages were being asked to do, and many web developers weren’t implementing it well. Those who attend DEF CON will recognize the connection to the long running Wall of Sheep. It still runs, and it still catches people.

HTTPs, “HyperText Transfer Protocol, Secure”, helps keep what’s being passed between your web browser and the server between your browser and that server. It’s obvious why that would be necessary on pages with passwords and financial data, but why on random sites that don’t seem to “do” anything?

  • If the default state of the web is insecure traffic, it’s too easy for content that’s supposed to be secure to be pushed out with a largely insecure page. The reverse is also true: insecure content can run (I’m looking at you, ad networks) in pages that are supposed to be secure, causing vulnerabilities. This is called “mixed content.”
  • Libraries can tell you the importance of keeping what you’re browsing private. Right now anyone on the coffeeshop WiFi can tell who just asked webmd.com about that rash (clearly for a friend). I kid you not. Sitting with your back to the wall doesn’t cut it. The network sees all.
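A way to see “mixed content” concretely, added here as an example and not code from the original post: given the URL of an https page and the resource references found in its markup, the script resolves each one and reports which would be fetched over plain http, and whether that reference is active content (scripts, frames, stylesheets, which can rewrite the page) or passive content (images, media), the distinction browsers draw when deciding whether to block a resource or merely warn. The page URL and references are constructed placeholders.

```python
"""Classify the subresources of an HTTPS page as mixed content.

Added example, not code from the original post. Resolves each reference found
in a page (relative paths, protocol-relative "//" references and data: URIs
included) and reports which ones are plain-http resources inside an https page,
split into active content (can rewrite the page) and passive content.
"""
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}


def classify_reference(page_url: str, tag: str, ref: str) -> dict:
    """Resolve one reference against the page URL and classify it."""
    resolved = urljoin(page_url, ref)  # "//cdn/x.js" inherits the page's scheme
    page, res = urlsplit(page_url), urlsplit(resolved)
    if res.scheme in ("data", "blob", "about"):
        kind, mixed = "inline", False  # no network fetch, so never mixed
    else:
        kind = "active" if tag in ACTIVE_TAGS else "passive" if tag in PASSIVE_TAGS else "other"
        mixed = page.scheme == "https" and res.scheme == "http"
    return {"tag": tag, "url": resolved, "kind": kind, "mixed": mixed}


def mixed_content_report(page_url: str, refs) -> list:
    """Only the references a browser would block or warn about as mixed."""
    return [f for f in (classify_reference(page_url, t, r) for t, r in refs) if f["mixed"]]


def upgraded(url: str) -> str:
    """The https:// form of a plain-http URL, which is the usual fix."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed sample: one https page and the references found in its markup.
PAGE_URL = "https://shop.example.test/catalog/index.html"
SAMPLE_REFS = [
    ("script", "/static/app.js"),                         # relative: inherits https
    ("script", "//cdn.example.test/lib.js"),              # protocol-relative: https
    ("script", "http://ads.example.test/tag.js"),         # active mixed content
    ("img",    "http://images.example.test/banner.png"),  # passive mixed content
    ("img",    "data:image/gif;base64,R0lGODlhAQABAAAAACw="),
    ("link",   "https://fonts.example.test/site.css"),
]

if __name__ == "__main__":
    for f in mixed_content_report(PAGE_URL, SAMPLE_REFS):
        print(f"{f['kind']:7} {f['tag']:6} {f['url']}  ->  {upgraded(f['url'])}")
```

The active/passive split matters because modern browsers block active mixed content outright (a plain-http script inside an https page would let anyone on the path rewrite the page) while passive mixed content such as an image is loaded with a warning; a site owner who wants the padlock to mean something fixes both.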

The good news: starting in 2017 Google will be using its market share to push back on companies that don’t care about your security. If you can’t wait, you can set up a Chrome warning now. Another recommended install is the EFF sponsored Chrome extension HTTPs Everywhere. Also look into the Brave browser, a high speed, high privacy browser that enables payments for content creators. (Thanks Dedi/@kweerious)

For those managing a website, Let’s Encrypt makes it easier, and free, to get the necessary certificates to switch to HTTPs. Internet Security Research Group (ISRG) provides this service to further their mission to “reduce financial, technological, and education barriers to secure communication over the Internet.” Google has posted a handy page on the move from HTTP to HTTPs as well. If a beloved site seems to be struggling with the switch, maybe it’s a chance to get involved!

Like all other security measures HTTPs isn’t perfect, but it’s certainly an improvement. I love the Ptooie project and the Wall of Sheep for making HTTP’s lack of security visceral. This has been a known problem for a long time. I hope these projects inspire folks to start requiring HTTPs from websites at last.

by carlyn at November 30, 2016 08:37 PM

Hive76

Use 3D printed fixtures to avoid support material

If you are familiar with 3D printing, you may know of one of the most frustrating constraints in the process: overhangs. For those new to the tech, Material Extrusion machines like the RepRap and Ultimaker extrude molten plastic into air to produce 3D objects. But molten plastic is subject to gravity, so each bit of plastic needs to be supported by a previously printed layer.

Bottom view of soap dish model

There are a lot of solutions for this constraint. Designing an object not to have overhangs is one approach. Most 3D printers also use one or more materials to print supporting scaffolds for overhanging features. But removing the printed scaffold can sometimes be a mess. Take the example shown here of a soap dish:

This model will print really well with the large flat surface placed on the build plate, but the four feet shown in red project below that surface. To print this as is, you would need support structure underneath the entire print with just the feet touching the print bed. Support scaffolding can be a mess, but I have a new method that can avoid support material altogether: flip the print over and print on the nice flat surface. With this approach, the trick is holding the model in place upside down while the feet are printed. The molten plastic will bond to the previously printed part, and the feet will become a permanent part of the soap dish.

3D printed fixtures are already a selling point and common practice in the professional additive manufacturing field, but I haven’t seen any examples of this among the DIYers and consumer 3D printer operators. A 3D printer has the ability to make any tool needed, even single use fixtures for a simple soap dish model. It only takes a bit of CAD to produce a working set of fixtures that will be printed and left installed on the print bed. Take a look at the embedded 3D model below and I will describe the process step-by-step.

  1. CAD your model. I use Fusion 360 because it is quite powerful, and free to use until I start making money.
  2. Create separate bodies for the fixtures and features that will be printed separately. Here the fixtures are in green, and the feet in red. They need to be separate bodies (not joined) so they can be exported separately.
  3. I created the fixtures for this soap dish by starting with a sketch that is in plane with the flat top of the soap dish. Then I extruded that sketch with the option “to object” so it would match the dish’s contour. I also included an offset. See that dialog box here:
    Extrude feature dialog box

  4. It helps that this model, the fixtures, and the feet are all symmetrical. The slicing software Slic3r will automatically center our parts in the printer, a feature we will rely on in this process.
  5. Create the additional features as separate bodies, shown in red in the model above.
  6. Export 3 separate STLs: model, fixtures, additions. You can export STLs with multiple shells like the 2 fixtures or 4 feet with this trick.
  7. Slice and print your main model as normal.
  8. Slice the fixtures STL, but use the Brim setting to ensure really good bed adhesion.
  9. Edit the fixtures Gcode to remove your end.gcode and anything else that might turn off a heated build plate. Our fixtures need to stay stuck to the 3D printer. My first attempt failed because the print bed cooled down and the fixtures popped right off.
  10. Slice the additional features STL.
  11. Edit the additional features Gcode to remove any start.gcode including homing commands.
  12. Add G92 Z0 to the top of this additional features Gcode. G92 will set the printer position to Z0.
  13. These two Gcode files will be printed back to back with your intervention in the middle. Pay attention to the time.
  14. Print the fixtures Gcode. When it ends, place your model into the fixture. If it doesn’t have a snug fit, tweak the CAD to find the right geometry to hold your model. It doesn’t need to be clamped in, just secure enough that the nozzle won’t move your model.
  15. Now manually move the nozzle so that the tip is right at the flat “underside” of the model. Also home X and Y in case they shifted.
  16. Print the additional features Gcode.  Keep a finger on the power or reset button. My second attempt to print this failed because I forgot the G92 Z0 and smushed the nozzle into my print.
  17. If all goes according to plan, the printer will add your additional features directly to your existing model.
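An added example, not the author’s script, of steps 9, 11 and 12 done with a small Python post-processor: it strips the commands that would cool the bed or release the motors from the fixtures Gcode, and strips homing from the additions Gcode before putting G92 Z0 first. It assumes Marlin-style commands (M140/M190 bed heater, M84 motors off, G28 home); the sample Gcode is constructed, and any other start.gcode lines still need a look by hand.

```python
"""Post-process the two slicer outputs for the fixture workflow (added
example, not the author's script; the sample G-code is constructed).
fixtures file: drop commands that would cool the bed or release the motors
at the end, so the fixtures stay stuck to the plate.
additions file: drop homing (G28) and prepend G92 Z0, so the manually set
nozzle height becomes Z=0 before the feet are printed."""
import re

# Bed heater set/wait with S0 (or no S value) lets the plate cool.
BED_OFF = re.compile(r"^(M140|M190)\b(?!.*\bS[1-9])")
MOTORS_OFF = re.compile(r"^M84\b")   # releasing the steppers could let the fixtures shift
HOME = re.compile(r"^G28\b")         # homing would move Z away from the model

def command(line):
    """The G-code command on a line with its ';' comment stripped."""
    return line.split(";", 1)[0].strip().upper()

def keep_fixtures_warm(gcode):
    """Fixtures G-code with bed-off and motors-off commands removed."""
    kept = [ln for ln in gcode.splitlines()
            if not (BED_OFF.match(command(ln)) or MOTORS_OFF.match(command(ln)))]
    return "\n".join(kept)

def prepare_additions(gcode):
    """Additions G-code: no homing, and G92 Z0 as the very first command."""
    kept = [ln for ln in gcode.splitlines() if not HOME.match(command(ln))]
    return "\n".join(["G92 Z0 ; nozzle was placed at the model's flat face"] + kept)

# Constructed samples: a fixtures file with a typical end.gcode tail, and an additions file with start.gcode homing.
FIXTURES_GCODE = """M190 S60 ; wait for bed
G28 ; home
G1 Z0.3 F3000
G1 X10 Y10 E5
M140 S0 ; end.gcode: bed off
M104 S0
M84"""

ADDITIONS_GCODE = """M190 S60
M109 S200
G28 ; start.gcode homing
G1 Z0.3 F3000
G1 X10 Y10 E5"""
```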

Check out a timelapse of my third and successful attempt at adding feet to my soap dish.

3D print timelapse (video)

This technique could be used to make more permanent fixtures that can be reattached to the printer. You could use this to 3D print customizations onto previously printed or mass produced items. It may require more plastic than support material, but could save the time and effort of removing stuck-on scaffolding. It’s always good to have multiple options to the same result.

If you do 3D print some fixtures, please share the process or results with me! Happy 3D printing!

p.s. I’m running a 3D printed gift exchange this holiday season. If you have the skills and the means, please join up and 3D print a gift for someone else! Join here.

by eagleapex at November 30, 2016 01:58 AM

November 29, 2016

CrashSpace

One Thing To Do Today: Tuesday Sweep, where are your backups?

TL;DR: Sign up for Crashplan with the option of managing your own keys.

The SFMUNI was able to tell the folks who ransomed their system to go to hell. Why? Back-ups. There’s no reason not to wipe it all and start fresh if there is a backup. How liberating. Any backup plan has levels, multiple copies, etc., ideally as automated as possible. Making sure all backup systems are up and running should be part of the Tuesday Sweep (link a work in progress). Keep strategies up to date to fight increasingly sophisticated ransomware. Here are some of the items on my list to keep tabs on.

Password Manager Data

Backup the data file for your password manager. On a disk, to the cloud, somewhere. One of the criteria for selecting a password manager should be the ability to create secure backups. Check to make sure everything is synced up.

Active Files

GitHub, Dropbox, iCloud, Google Drive. Most of my work doesn’t require delicate handling. It’s probably headed towards being open source anyway. If I’m making a lot of changes on a file, my active copy gets synced regularly via one of these services. I’m making the conscious choice that losing the data would be more traumatizing than it getting out into the world.

It is possible to set up your own server to mimic some of these services, but I don’t want to maintain one.  I’m also not sure that random hosting companies have the same war chest to stand up for my privacy as Apple has been willing to do.  So my choice for handling data that requires more care would not be to roll my own cloud service, but to encrypt the files before either uploading or putting the files on a usb drive. (Although, not a USB drive I didn’t buy myself.)

Local boot drive

If all the urgent files live in the cloud, having a boot drive with just the operating system and some diagnostic tools might be enough to get back to productive under deadline. It won’t need to be updated all that often because it only has the basics.

Mac Advanced | Ubuntu directions for Windows | Official Windows Directions | Non-Official Windows Instructable (untested, but intriguing)

Searching Stack Exchange for the operating system you’re making the boot drive for, plus (if different) the operating system you’re making it with, will locate resources for your particular situation. Doing daily computing off a boot drive is a topic for another day.

Full Local / Cloud backup

So this was going to be two separate sections, but the thing is, nobody really remembers to go to the trouble of manually backing up their computer to an external hard drive. Oh, and then to take the extra step of dropping it off at a safety deposit box or other offsite location? If your threat level feels that imminent you’ll have the motivation, but there are worthwhile steps to take that are less extreme.

The ideal setup is a software/service that will let you do both onsite and offsite in one sweep. The Wire Cutter’s extensive review recommends Crashplan. I might switch. The free version allows you to back up locally, so if you want to do the sneaker-net offsite plan I pooh-poohed above, you can do it. Getting two drives and alternating which one gets used will help prevent viruses of any type from reaching your data. The one-computer cloud backup plan is in line with others in the market at about $60/year. For $150/yr up to 10 computers can come under their care. They even have plans for small businesses.

The dealbreaker for a cloud storage service should be the ability to manage your own encryption keys. Most will recommend against it because they don’t want someone willy-nilly choosing to do that without understanding the gravity of the choice. If you manage your own keys, losing them means complete loss of data. There will be nothing they can do to help. That’s the right answer. However, if the threat of data loss makes you hesitate, please don’t. There is a perfectly valid half measure of letting them manage the keys for the main backup, but keeping personal information encrypted locally.

Having backups to revert to is protection against all sorts of malware and ransomware attacks. No security will be foolproof, so knowing what to do when the bad inevitably happens can make security preparations more relaxing. If this is all too much to put in place today, I nominate making sure that the password manager datafile has a secure second location and then signing up for Crashplan. Baby steps. Next time you’ll do more.
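A sweep script along the lines this post describes, as an added example that is not the author’s: given each live file and the places its copies should be (the password manager datafile is the one singled out above), it reports copies that are missing, copies whose bytes differ from the live file, and how long since each copy was last written. The vault.kdbx filename and directory names are constructed for the demo.

```python
"""Tuesday-sweep backup check (added example, not the author's procedure).
For each file that must have a second copy, report whether every backup
location exists, matches the live file byte-for-byte, and when it was last
written. Demo files are constructed in a temporary directory."""
import hashlib
import os
import tempfile
import time

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(sources, now=None):
    """sources: {live_path: [backup_path, ...]}. Returns {backup_path:
    (status, age_days)}; status is 'ok', 'missing' or 'mismatch', age_days is
    days since the copy was last written (None when missing)."""
    now = time.time() if now is None else now
    report = {}
    for live, copies in sources.items():
        live_hash = sha256(live)
        for copy in copies:
            if not os.path.exists(copy):
                report[copy] = ("missing", None)   # never synced, or drive not mounted
                continue
            age = int((now - os.path.getmtime(copy)) // 86400)
            status = "ok" if sha256(copy) == live_hash else "mismatch"
            report[copy] = (status, age)          # mismatch: sync stopped or copy altered
    return report

def demo():
    """Constructed scenario: a fresh matching copy (usb), a matching copy last
    written 30 days ago (cloud), an out-of-date copy (old), an absent one (nas)."""
    root = tempfile.mkdtemp()
    paths = {n: os.path.join(root, n, "vault.kdbx") for n in ("live", "usb", "cloud", "old", "nas")}
    for name in ("live", "usb", "cloud", "old"):
        os.makedirs(os.path.dirname(paths[name]))
        with open(paths[name], "wb") as f:
            f.write(b"current vault" if name != "old" else b"last month's vault")
    month_ago = time.time() - 30 * 86400
    os.utime(paths["cloud"], (month_ago, month_ago))
    report = sweep({paths["live"]: [paths[n] for n in ("usb", "cloud", "old", "nas")]})
    return {os.path.basename(os.path.dirname(p)): r for p, r in report.items()}
```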

Image Credit: Lisa Amin Gulezian
@LisaAminABC7, https://twitter.com/LisaAminABC7/status/802693810983579648/photo/1 via Mashable

by carlyn at November 29, 2016 11:05 PM

NYC Resistor

Internet of Dirt class this Saturday

Get a text message when your plants need watering!

There’s still room in our Internet of Dirt class this Saturday. We’ll talk about the Internet of Things as a general idea, what kinds of Internet-connected devices you might want to build, and how you can plan your own projects. You’ll learn how to connect your project to the Internet, send HTTP requests, and interact with sensors. We’ll set up a basic soil sensor and program it to message you when your plant needs watering!

Tickets are on Eventbrite.


by Bonnie Eisenman at November 29, 2016 06:50 PM

CrashSpace

One Thing To Do Today: Choose Open Source ( #opencybermonday )

In honor of #opencybermonday, it seems to be a good moment to point out that security-minded folks tend to also be open source advocates. To sum up the problem, commercial product manufacturers rely on “Trade Secrets” to protect the IP of their lock design, and this replaces actually making better locks. Companies that hide their code can be more easily pressured into installing back doors. They may conceal vulnerabilities to avoid bad PR. The Open Source Initiative has posted a nice nontechnical primer with a bank-safe analogy.

When designing a secure system, every secret that must be kept provides a point of weakness. Bruce Schneier makes that point well, and pretty much every article on this topic quotes him.   Let’s go straight to the source:

David Wheeler has maintained a website dedicated to teaching programmers how to write more securely since 1999. He comes down on the side of open source while acknowledging the issues. The Heartbleed bug scared many people off, but for the wrong reasons. Weaknesses in open source projects arise because people who use the code aren’t participating in maintenance, even though there are good reasons to. Even if you don’t feel comfortable contributing code yourself, support the foundations that run big projects (via Hack-a-Day). If you’re in the market to buy a product, check to see if the company about to get your money supports the cause.

Don’t only require open source from your desktop operating system. Reach out to companies like car manufacturers with the reasons open source would be better for their products, and why that’s a shopping criterion for you. If you are a manufacturer, consider using a platform like IoTivity to underlie your products. The Open Source Hardware Association has recently started a certification process. You can use Crowd Supply to fund it. There are several open source laptop projects. This open source hardware philosophy can be pushed down to the silicon.

To learn more, go ahead and check out #opencybermonday on twitter.

[Updated] to add reference to Crowd Supply via BoingBoing in last paragraph.

by carlyn at November 29, 2016 03:13 PM

November 28, 2016

Hive76

MaD HaX and the Kensington Kinetic Sculpture Derby


At the Kensington Kinetic Sculpture Derby and Philly Tech Week (City Hall) This Summer.


by ChrisTerrell at November 28, 2016 12:07 AM

November 27, 2016

CrashSpace

Urban Neighbors: The Biodiversity of Urban LA

On Saturday February 11th Samantha Sullivan will be sharing her presentation Urban Neighbors: The Biodiversity in Urban L.A. This discussion will cover the diverse and surprising wildlife which live right here in our own backyards, detailing their habitat and the critical roles they play in our unique ecosystem.  What are some of the serious threats local wildlife will face from the expansion of urban sprawl, and what can be expected with the predicted rise in human wildlife conflict?  How can we coexist with and protect other species, why does this matter, and how can we keep our cities as both biodiverse and enjoyable environments for generations to come?


About the speaker

Samantha Sullivan is a graduate student in pursuit of a Masters in Biology with an emphasis in wildlife conservation. Currently, she works with communities both locally and internationally on assessing barriers and collaborating with locals and conservation organizations in the region to create solutions that work toward coexistence between wildlife and the community. She has worked with many conservation organizations including the Spectacled Bear Conservation Society in Peru, the Ara Project in Costa Rica, Primate Education Network in San Francisco and, locally, Citizens for Los Angeles Wildlife. Her interests include being in nature, yoga and all things cat related. Samantha has articles published with Earthwise Aware, a non-profit organization that addresses the ethics of conservation around the world, and is a conservation blogger on her website, openspacescoalition.com

by levisimons at November 27, 2016 07:18 PM