jack: (Default)
I feel confused by the news of Friday's ransomware worm. I've tried to piece together the pieces.

It spread by both email (requiring people to clink a link or open an attachment?) and across local networks to windows computers that were not up to date with patches (ie. all xp and win7/8 which haven't got security updates in the last two months )[1] using one or more particular vulnerabilities. Is that right?

This vulnerability applied to some networking thing called Windows SMB, version 1, which was outdated, but mostly still enabled on any computers which used SMB at all, which was mostly organisation networks, not home computers. Is that right?

Some time ago, the NSA discovered this particular vulnerability. As far as I can tell there's no suggestion they *created* it? Even though that's the sort of thing they WOULD do. Lots of news articles are saying "the nsa vulnerability" but that's just hype, right? But they did find it, and (apparently) not report it, just keep it for internal use.

They assembled some of these vulnerabilities into a suite of hacking tools.

Some time more than two months ago, there was a leak. Probably an insider of some sort? Someone got hold of those tools. cf. https://en.wikipedia.org/wiki/EternalBlue

About two months ago, maybe immediately, maybe after a delay, the NSA tipped off microsoft. Microsoft released a patch in the normal security updates. I think Microsoft mostly confirmed this recently, even though at the time the patch didn't say anything about it (it was somewhat suspicious it didn't say who found the vulnerability).

One month ago, a shadowy hacker group who named themselves after a shadowy hacker group in Mass Effect 3, tried to auction some of those leaked tools with mixed success. This sounds weird, but AFAICT is fairly certain, is that right?

They could be anyone, but people suspect they may be sponsored by Russia, as propaganda to say, "see what the NSA do, don't get into an open, cyber or propaganda war with us, you have a lot to lose too".

If the malware had been released *before* the patch, it could have been a lot worse, it could have infected many other networks as well, even completely up to date computers. As it happened, it only applied to older computers of which there were still many, but it made the auction less notable.

By Friday, someone had used that vulnerability to create (an updated version of?) that worm aka WannaCry and released it. It infected many many major organisations including most of NHS.

I don't know how the clean-up is going. Will large organisations pay ransom? Probably not? Will they be able to restore computers? How much data is permanently lost? I've no idea.

Someone registered a domain name referenced in the worm which accidentally or deliberately acted as a kill switch.

Microsoft released a one-off patch for windows xp and some other older operating systems (?) to fix this specific exploit.

We have no idea who "someone" was in this case, if they were affiliated with any of the previous groups or not.


This is just a feeling, but it feels like this particular worm was a bit of a rush job by someone who didn't expect it to do this well.


As far as I can tell, this worm was based on the same exploit the NSA found, but I've not heard anything concrete whether (a) they reverse engineered the microsoft patch (b) they got the vulnerability from the leaked NSA tool or (c) they re-used some of the code in the leaked NSA tool.

I assume the NSA didn't actually write this worm? Like, they would have done something more targeted?

But the news keeps saying things like "the tool used in this current attack had been developed by the US National Security Agency and was stolen by hackers". As far as I can tell, they just didn't understand the difference between "using" and "based on", right? I don't understand how they could know "using" without citing a security researcher or something, and I've not seen anything like that. Am I missing something?

What we should do

Give up the idea that unpatched OSes are "good enough". Make sure you're getting updates if you can.


Worry about the NHS being underfunded, and having a fucked-up tender process that ensures their IT infrastructure is always supplied by the sort of company that was cutting edge when security updates came out on a scale of a decade, not a day.

Worry about the NSA stockpiling vulnerabilities.

Remember that it could be a lot worse. Sooner or later things will line up and a vulnerability gets discovered and *not* patched, and basically infects every computer running a particular operating system, and is paired with something even worse than ransomware eg. a botnet consisting of 75% of the windows computers on the planet. People are working on this and we've got a lot better, but it's a struggle to make security good enough.


That's my attempt at a summary. Mostly based on the news and SwiftOnSecurity. Can people who actually know more fill in the details, especially the bits that don't quite seem to track?


1. No idea if anyone's using vista.


Jan. 26th, 2015 02:17 pm
jack: (Default)
Via emperor http://www.bbc.co.uk/news/uk-politics-30976610

I wish articles wouldn't conflate every sort of e-voting. I have very different views of:

1. MPs allowed to vote in absentia -- since the votes aren't private, risk of shenanigans seem a lot lot lower, basically a good idea.

2. Jumping straight to allowing remote electronic voting without even a cursory look-over by a security expert -- I have no idea why anyone even contemplates this it seems criminally irresponsible. We have a pretty good voting system, let's not destroy it on a whim?

(Likewise, using electronic voting machines in polling stations produced by partisan companies, with no oversight from all parties or election officials, that are trivially hackable, seemed an obviously bad idea, I don't know how it happened.)

(Although, I would be interested to see what the possible trade-offs were, if it were designed by somebody competent.)

3. Investigating ways of using electronic vote counting in polling stations -- extreme caution, but possibly worth investigating, because the convenience is definitely something people want, and it would be good to have actual pros and cons, not just "NO". I agree there are lots of risks and I'm not eager to explore it, especially if it's conflated with #2. But it seems like you could make machines which were sufficiently simple they couldn't boot off SD cards, and had oversight from representatives from all parties (as elections do currently), and it might be worth trying??
jack: (Default)

Does anyone know more about this?

Many people report being EU citizens resident in UK who thought they were registered to vote, but weren't given a vote in the European elections. Is this just a case of forms being genuinely accidentally lost? Or some sort of central snafu?

Is the process of registering to vote supposed to be different for non-UK EU citizens? Several people referred to a "second form" which they were supposed to have received, but apparently went astray.

Update 1

EU citizens resident in the UK should be able to vote in the European elections (which is obvious to me). But:

1. Apparently they have to submit some additional form in order to register to vote, which most people were never sent, and never given any instruction about. Is that right? What form? Is that required, or is it a UK-specific extra hurdle?
2. Why did many people not receive it?
3. At least some people manning polling booths apparently thought eu citizens shouldn't be able to vote, or that it didn't matter. Obviously some people do lose their vote through paperwork snafus, but it shouldn't happen systematically! How on earth can "who can vote" and "everyone who's entitled to vote, should be able to vote" not be something you have to learn before running an election?


I'm hyper-aware of any systematic disenfranchisement, even at fairly small scales, because it often might just be a miscommunication that doesn't have any effect, but I know how easy it is for it to have been a wider effect than people realised, or for someone to take advantage and deliberately spread it, if disenfranchising people advantages whichever party they support.
jack: (Default)
A little while back, there was a fuss, "should a corporation hire the obvious candidate for CEO if they donated money to a campaign against allowing equal marriage".

What I think should happen

But lots of posts about it framed it as "should everyone refuse to hire people with different political views" and concluded "no, even if the views are really awful, it's usually better if everyone hires ignoring political views and sorts out political issues by voting and activism". Which I agree with.

But I think this framing is mistaken. I don't think we should refuse to employ anyone with vile political views, but I do think we shouldn't put them in charge of doing things which their politics tells them not to, unless they make a clear and convincing statement that "I may not agree with it, but I admit my job responsibilities say I should ignore that and I will abide by them."

Something similar applies to people in being-a-public-face roles. And a CEO is both in charge and a public face.

If he had an objectionable political view completely unrelated to the company he's running, and he was discrete about it, I would reluctantly live with it. But anti-gay-marriage isn't that, there's all sorts of ways it can come up. Would you prefer corporate charity donations which are anti-gay-marriage, or refuse ones which are sympathetic to it? Would you discriminate against gay employees? If you have the option, would you deny employment benefits to gay spouses but not straight spouses? Did he clearly state none of that was a problem?

I basically think "a giant internet storm which forced him out" was a good result (even if a shame for him personally, and I think internet storms are dangerously misusable).

Aside: Firing people for not being progressive enough

A point several people made is that it's exhilarating to have reached a point in society where it's even conceivable to talk about firing someone for being anti-gay, instead of firing someone for being gay. It would be easy for people to get overexcited and call for anyone with non-progressive views to be fired.

I agree it's better to have a truce where people aren't fired just for their politics, with the 51% on any issue always deploying a scorched-earth policy against the 49%, since that just makes it worse for everyone. And that it's risky to fire someone because of internet outrage, because that can happen. But I don't see that it happened in this case (eg. no-one called for mozilla to be purged of ALL people with some political view, just the CEO!).
jack: (Default)


I like it. I think it's the first new coin design I've actively liked, although I came to like the £2 and £5 coins a lot later. I like the word "dodecagonal". Yay for being shaped like a thruppeny-bit :)

Backwards compatibility with existing £1 coins

The BBC article says the Royal Mint said the coin will be about the same size as the existing coin and "will be expressly designed to fit existing mechanisms". But I've not seen the original text of that announcement, or any details on how or why, or whether it means "it will work in existing shopping trolleys" or just "it's POSSIBLE to construct shopping trolleys that accept them", or whether vending machine manufacturers and supermarkets agree or not.

If a dodecagon is just close enough to a circle?

The usual way of making a rounded polygonal coin is a Reuleaux triangle, a polygon curved so any diameter has the same width as a circle, so it rolls smoothly through a fixed-height channel, even though the centre isn't at the same height. But that only works for polygons with odd numbers of sides (else you have a point opposite a point, and if you maintain the same width, you just get a circle). So it doesn't work for 12-sided.



It apparently includes some sort of authentication thing like banknotes, but no details exactly what.

Pseudomonas asks on twitter, "This doesn't let the government track who spends individual coins, right? Right?" But I've not heard an answer yet.

Mid Staffs

Apr. 25th, 2013 01:16 pm
jack: (Default)

A couple of people shared a link talking about the controversy about mid staffs hospital. The gist is that the entire thing was a combination of (a) cherry-picking data that happened to look bad (b) repurposing data that's not supposed to reflect hospital performance (c) finding scandals when you look hard enough for them (d) a self-perpetuating media myth.

That sounded plausible to me, but I don't know enough to judge it. Does anyone know if that's actually accurate?
jack: (Default)
When news was slow over Christmas, a spate of newspapers ran one of those "here's an interesting little factoid" articles about a Israeli archaeologist who dug up a different town called Bethlehem in north Israel, quite close to Nazareth and said "hey, I wonder if the bible story about Jesus' birth is about this one, not the one at the other end of the country".

I was sceptical that Jesus was born in any Bethlehem, but I didn't know enough biblical history to know either way. Here's my understanding of the history, can anyone fill in the gaps?

Read more... )
jack: (Default)
I was listening to the news on radio 4. My favourite item was "Many people believed a prophecy that predicted that the world would end this afternoon. It didn't."

I love that they added "it didn't", just in case there was any doubt.

And remember, there's no evidence any Mayan people believed this, the people being believing it (or far more commonly, repeating it) are mostly modern westerners.
jack: (Default)
So, the news all over the headlines today (as I found out when wondering why so many strange tweets are appearing), seems to be "30-year-old married couple expecting baby". I'm not sure why I feel compelled to repeat that.
jack: (Default)
All four main connections from Syria to the internet cut off (three undersea cables, one overland into Turkey). Minister for Information denies that it was deliberate on behalf of the government.

jack: (Default)

I'm not clear on the distinctions in degree in being recognised as a state, but it's a clear step forward to recognise palestine as a state at all (and hopefully good for palestine and israel).
jack: (Default)

Do I have this right? After Mubarak was forced to resign, there was an essentially democratic election, though the candidates that did best were the current president, Morsi, and the previous prime minister under Mubarak.

Morsi won, and everyone in the west hoped that a government not dominated by the military would be a good thing, although people in the west didn't really want an explicitly Islamic candidate from the Muslim Brotherhood.

Now Morsi passed a bunch of laws that look like consolidating power and (probably) suppressing any dissent, and mass protests from everyone else broke out, leading to some deaths.

And the best we can hope for is that Morsi backs down and lets things drift along non-dictatorily, and we desperately hope it doesn't degenerate into another dictatorship, a putsch by the military factions, or slide into civil war. Is that an accurate (but extremely simplified) summary?


Nov. 21st, 2012 11:03 pm
jack: (Default)
Someone I knew from Cambridge (from LARP, I think), Edward, made... a thing.

http://trotify.com/ (video link)

The video is hilarious, as is the concept. It's a non-kickstarter kickstarter[1]. Watch the video first if you can, it's funnier when you don't know what's coming.

[1] I think "kickstart" has been genericised, possibly in record time? You know what I mean. A site encouraging you to make enough pre-orders to finance production, with money refunded if there aren't enough, using a different intermediary or none.

Read more... )
jack: (Default)
Syria rebel factions form an opposition government. It's yet to see if it'll last successfully, but it's a good step, it's seeking international recognition from several other countries (neighbouring countries, France, USA, etc). And generally seems a better hope for the future than, um, whichever murderous bastard was the previous dictator, I can't remember.

Fighting and dying continues.

Does anyone have a better read on the situation in syria? I only know whatever's in the headlines on aljazeera english (which is pretty good at listing the international news with less of a pro-UK/USA bias and with a blessed, blessed absence of celebrity gossip and artificial controversies).
jack: (Default)
There is a copy of the complaint made to the IPCC with more details about what actually happened:

At approximately 11.40pm on Friday night, 26th October, shortly after I had succeeded in falling asleep for the night, the doorbell rang very loudly and repeatedly, half a dozen times. Shocked and disorientated I stumbled to the front door, pulling on some trousers. To my immense shock there were two police officers at the door, a male and a female officer in high-vis jackets and bristling with equipment as if here to deal with a riot.

They told me they had come to investigate criminal activity that I was involved in on Facebook. I was profoundly shocked and disorientated. I asked what criminal activity. They said complaints had been made about posts I’d made on Facebook about the Jobcentre.

jack: (Default)
Betteridge's_law_of_headlines says that you can save time by assuming that any news headline that ends in a question can be answered "no". As he put it, "The reason why journalists use that style of headline is that they know the story is probably bollocks, and don’t actually have the sources and facts to back it up, but still want to run it."

Obviously there are some exceptions. But it occurs to me that a probable corollary is that, in a satrical newspaper, the intended answer can probaby be taken as "yes":

"Could The Use Of Flying Death Robots Be Hurting America's Reputation Worldwide?" Onion video
jack: (Default)
Link: http://mikesivier.wordpress.com/2012/10/27/police-move-on-campaigners-for-criminal-acts-against-dwp/

Quote from one of the targets:

I've just had the police forcing their way into my flat near midnight and harrassing me about my "criminal" posts on Facebook about the DWP, accusing me of being "obstructive" when I didn't know what in fuck's name they were on about. They kept going on and on at me, it was horrifically stressful, and they only left after I started crying uncontrollably.

I've not heard anything from the police, so I don't know if there may be some reason this isn't as gratuitous as it sounds. I don't know anything about the police officers involved.

But it sounds like the ridiculous expansion of criminalisation of all sorts of critical online speech leads to police action to shut down free speech pointing out obvious problems in government, exactly like everyone thought it would.

One of my friends was friends with the targets, which is the only reason I know anything about it. And I don't know any more of the details or if there's anything else I should know, but I assume the basic account of what happened is accurate.

Edit: Link from friend who knows people personally: http://miriammoules.livejournal.com/261015.html
jack: (Default)
Man freefalls from edge of space 24 miles up, first human to break sound barrier unaided.

jack: (Default)
Scientists discover a particle which is almost certainly the higgs boson: http://press.web.cern.ch/press/PressReleases/Releases2012/PR17.12E.html (Double checking still needed but would be a heck of a coincidence if it were wrong. Need a couple of years to establish if details fit the standard model exactly or is evidence for supersymmetry theories or something else.)

Scienctists invent perfect levitation with superconductors: http://io9.com/5850729/quantum-locking-will-blow-your-mind--but-how-does-it-work

Scientists invent cure for not breathing: http://gizmodo.com/5921868/scientists-invent-particles-that-will-let-you-live-without-breathing via andrewducker