Defensive Computing | O’Reilly

Defensive computing; Mike Loukides; In O’Reilly Media; 2017-05-31
Teaser: The tools of defensive computing, whether they involve mascara and face paint or random autonomous web browsing, belong to the harsh reality we’ve built.

tl;dr → generalized-handwringing
<quote> What other defensive tools will we see? I don’t know, but I’ll be watching </quote>


  • ad blockers
    Are the same but different.



In O’Reilly Media

  • The Computing Of Distrust; 2015-01-05.
    Teaser: A look at what lies ahead in the disenchanted age of postmodern computing.
  • The Ethics of Face Recognition; 2017-12-13.
    Teaser: We need AI researchers who are actively trying to defeat AI systems and exposing their inadequacies.


Online Privacy and ISPs | Institute for Information Security & Privacy, Georgia Tech

Peter Swire, Justin Hemmings, Alana Kirkland; Online Privacy and ISPs; a whitepaper; Institute for Information Security & Privacy, Georgia Tech; 2016-05; 131 pages.

  • Peter Swire
    • Associate Director,
      The Institute for Information
      Security & Privacy at Georgia Tech
    • Huang Professor of Law,
      Georgia Tech Scheller College of Business
      Senior Counsel, Alston & Bird LLP
  • Justin Hemmings
    • Research Associate,
      Georgia Tech Scheller College of Business
    • Policy Analyst
      Alston & Bird LLP
  • Alana Kirkland
    • Associate Attorney, Alston & Bird LLP

tl;dr → ISPs are not omnipotent; ISPs see less than you think; Consumer visibility is mitigated by cross-ISP, cross-device, VPN usage, DNS obfuscation, encryption.  Facebook has it all anyway.

<quote>In summary, based on a factual analysis of today’s Internet ecosystem in the United States, ISPs have neither comprehensive nor unique access to information about users’ online activity. Rather, the most commercially valuable information about online users, which can be used for targeted advertising and other purposes, is coming from other contexts. Market leaders are combining these contexts for insight into a wide range of activity on each device and across devices.</quote>

Separately noted.


PoC||GTFO (Proof of Concept or Get The Fuck Out) | Manul Laphroaig

Manul Laphroaig; PoC||GTFO; No Starch Press; 2017-08 (estimated); 768 pages; ISBN-13: 978-1-59327-880-9


Pastor Manul Laphroaig curates PoC||GTFO with a fine gang of friends and neighbors. Many of his essays are featured in the book, including “Epistle to Hats of All Colors,” “Sermon on the Divinity of Languages,” and “Build Your Own Fucking Birdfeeder.”


Photos are mock-ups.

Table of Contents

A CFP with POC

  • “iPod Antiforensics” by Travis Goodspeed
  • “ELFs are dorky, Elves are cool” by S. Bratus and J. Bangert
  • “Epistle to Hats of All Colors” by Manul Laphroaig
  • “Returning from ELF to Libc” by Rebecca .Bx Shapiro
  • “GTFO or #FAIL” by FX of Phenoelit

Proceedings of the Society of PoC||GTFO

  • “RNG in four lines of JavaScript” by Dan Kaminsky
  • “Serena Butler’s TV Typewriter” by Travis Goodspeed
  • “Making a Multi-Windows PE” by Ange Albertini
  • “This ZIP is also a PDF” by Julia Wolf
  • “Burning a Phone” by Josh Thomas
  • “Sermon on the Divinity of Languages” by Manul Laphroaig

The Children’s Bible Coloring Book of PoC||GTFO

  • “Build your own birdfeeder” by Manul Laphroaig
  • “A PGP Matryoshka Doll” by Myron Aub
  • “Code Execution on a Tamagotchi” by Natalie Silvanovich
  • “Shellcode for MSP430” by Travis Goodspeed
  • “Calling putchar() from ELF” by Rebecca .Bx Shapiro
  • “POKE of Death for the TRS 80/M100” by Dave Weinstein
  • “This OS is also a PDF” by Ange Albertini
  • “A Vulnerability in Reduced Dakarand” by Joernchen
  • “Juggernauty” by Ben Nagy

Address on the Smashing of Idols to Bits and Bytes

  • “Greybeard’s Luck” by Manul Laphroaig
  • “This PDF is JPEG.” by Ange Albertini
  • “Netwatch for SMM” by Wise and Potter
  • “Packet-in-Packet Mitigation Bypass” by Travis Goodspeed
  • “An RDRAND Backdoor in Bochs” by Taylor Hornby
  • “Kosher Firmware for the Nokia 2720” by Assaf Nativ
  • “Tetranglix Boot Sector” by Haverinen, Shepherd, and Sethi
  • “Defusing the Qualcomm Dragon” by Josh Thomas
  • “Tales of Python’s Encoding” by Frederik Braun
  • “Angecryption” by Albertini and Aumasson

Tract de la Société Secrète

  • “Epistle on the Bountiful Seeds of 0Day” by Manul Laphroaig
  • “This OS is a Boot Sector” by Shikhin Sethi
  • “Prince of PoC” by Peter Ferrie
  • “New Facedancer Framework” by Gil
  • “Power Glitching Tamagotchi” by Natalie Silvanovich
  • “A Plausibly Deniable Cryptosystem” by Evan Sultanik
  • “Hardening Pin Tumbler Locks” by Deviant Ollam
  • “Intro to Chip Decapsulation” by Travis Goodspeed
  • “Forget Not the Humble Timing Attack” by Colin O’Flynn
  • “This Truecrypt is a PDF” by Ange Albertini
  • “How to Manually Attach a File to a PDF” by Ange Albertini
  • “Ode to ECB” by Ben Nagy

Address to the Inhabitants of Earth

  • “A Sermon on Hacker Privilege” by Manul Laphroaig
  • “ECB: Electronic Coloring Book” by Philippe Teuwen
  • “An Easter Egg in PCI Express” by Jacob Torrey
  • “A Flash PDF Polyglot” by Alex Inführ
  • “This Multiprocessing OS is a Boot Sector” by Shikhin Sethi
  • “A Breakout Board for Mini-PCIe” by Joe FitzPatrick
  • “Prototyping a generic x86 backdoor in Bochs” by Matilda
  • “Your Cisco blade is booting PoC||GTFO” by Mik
  • “I am my own NOP Sled” by Brainsmoke
  • “Abusing JSONP with Rosetta Flash” by Michele Spagnuolo
  • “Sexy collision PoCs” by A. Albertini and M. Eichlseder
  • “Ancestral Voices” by Ben Nagy

Old Timey Exploitation

  • “On Giving Thanks” by Manul Laphroaig
  • “Gekko the Dolphin” by Fiora
  • “This TAR archive is a PDF!” by Ange Albertini
  • “X86 Alchemy and Smuggling” by Micah Elizabeth Scott
  • “Detecting MIPS Emulation” by Craig Heffner
  • “More Cryptographic Coloring Books” by Philippe Teuwen
  • “PCB Reverse Engineering” by Joe Grand
  • “Davinci Seal” by Ryan O’Neill
  • “Observable Metrics” by Don A. Bailey

PoC||GTFO, Calisthenics and Orthodontia

  • “The Magic Number: 0xAA55” by Morgan Reece
  • “Coastermelt” by Micah Elizabeth Scott
  • “The Lysenko Sermon” by Manul Laphroaig
  • “When Scapy is too high-level” by Eric Davisson
  • “Abusing file formats” by Ange Albertini
  • “AES-NI Backdoors” by BSDaemon and Pirata
  • “Innovations with Linux core files” by Ryan O’Neill
  • “Bambaata speaks from the past” by Count Bambaata
  • “Cyber Criminal’s Song” by Ben Nagy

Exploits Sit Lonely on the Shelf

  • “Witches, Warlocks, and Wassenaar” by Manul Laphroaig
  • “Compiler Bug Backdoors” by Bauer, Cuoq, and Regehr
  • “A Protocol for Leibowitz” by Goodspeed and Muur
  • “Jiggling into a New Attack Vector” by Mickey Shkatov
  • “Hypervisor Exploit, Five Years Old” by DJC and Bittman
  • “Stegosploit” by Saumil Shah
  • “On Error Resume Next” by Jeffball
  • “Unbrick my Part” by Tommy Brixton
  • “Backdoors up my Sleeve” by JP Aumasson
  • “Naughty Signals” by Russell Handorf
  • “Weird Crypto” by Philippe Teuwen


  • Ange Albertini
  • Myron Aub
  • JP Aumasson
  • Don A. Bailey
  • Count Bambaata
  • J. Bangert
  • Bauer
  • Bittman
  • Brainsmoke
  • Tommy Brixton
  • Frederik Braun
  • S. Bratus
  • BSDaemon
  • Cuoq
  • DJC
  • Eric Davisson
  • M. Eichlseder
  • Peter Ferrie
  • Fiora
  • Joe FitzPatrick
  • FX of Phenoelit
  • Gil
  • Travis Goodspeed
  • Joe Grand
  • Joernchen
  • Russell Handorf
  • Haverinen
  • Craig Heffner
  • Taylor Hornby
  • Alex Inführ
  • Jeffball
  • Dan Kaminsky
  • Manul Laphroaig
  • Matilda
  • Mik
  • Muur
  • Assaf Nativ
  • Ben Nagy
  • Colin O’Flynn
  • Ryan O’Neill
  • Deviant Ollam
  • Pirata
  • Potter
  • Morgan Reece
  • Regehr
  • Micah Elizabeth Scott
  • Saumil Shah
  • Rebecca .Bx Shapiro
  • Shikhin Sethi
  • Shepherd
  • Mickey Shkatov
  • Natalie Silvanovich
  • Michele Spagnuolo
  • Evan Sultanik
  • Philippe Teuwen
  • Josh Thomas
  • Jacob Torrey
  • Dave Weinstein
  • Wise
  • Julia Wolf


The privacy threat of IoT device traffic rate metadata | Help Net Security

The privacy threat of IoT device traffic rate metadata; In Some Blog, entitled Help Net Security; 2017-05-22.

tl;dr → There be dragons. Use a VPN. SIGINT by TA on the MD (Signals Intelligence by Traffic Analysis on the Meta Data)


  • Traffic Analysis
  • traffic rate


Trajectory Recovery from Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data | Xu, Tu, Li, Zhang, Fu, Jin

Fengli Xu, Zhen Tu, Yong Li, Pengyu Zhang, Xiaoming Fu, Depeng Jin; Trajectory Recovery From Ash: User Privacy Is NOT Preserved in Aggregated Mobility Data; In Proceedings of the Conference on the World Wide Web (WWW); 2017-02-21 (2017-02-25); 10 pages; arXiv:1702.06270

tl;dr → probabilistic individuation from timestamped aggregated population location records.

Separately noted.


Human mobility data has been ubiquitously collected through cellular networks and mobile applications, and publicly released for academic research and commercial purposes for the last decade. Since releasing individual’s mobility records usually gives rise to privacy issues, datasets owners tend to only publish aggregated mobility data, such as the number of users covered by a cellular tower at a specific timestamp, which is believed to be sufficient for preserving users’ privacy. However, in this paper, we argue and prove that even publishing aggregated mobility data could lead to privacy breach in individuals’ trajectories. We develop an attack system that is able to exploit the uniqueness and regularity of human mobility to recover individual’s trajectories from the aggregated mobility data without any prior knowledge. By conducting experiments on two real-world datasets collected from both mobile application and cellular network, we reveal that the attack system is able to recover users’ trajectories with accuracy about 73%~91% at the scale of tens of thousands to hundreds of thousands users, which indicates severe privacy leakage in such datasets. Through the investigation on aggregated mobility data, our work recognizes a novel privacy problem in publishing statistic data, which appeals for immediate attentions from both academy and industry.

Persuasion and the other thing: A critique of big data methodologies in politics | Ethnography Matters

Molly Sauter; Persuasion and the other thing: A critique of big data methodologies in politics; In Ethnography Matters; 2017-05-24.

tl;dr → 3026 words. Big Data (which so is very big) is bad. The sphere is problematized. A problematic which situates the hegemons is synthesized via the dialectic. A mode of resistance is posited.

Separately noted.

Trusted Geolocation in the Cloud | NCCoE of NIST

Trusted Geolocation in the Cloud; Mike Bartock, Murugiah Souppaya (NIST); National Cybersecurity Center of Excellence (NCCoE), National Institute of Standards and Technology (NIST); 2017-05-11; 16 pages.


The motivation behind this Building Block is to improve the security of cloud computing and accelerate the adoption of cloud computing technologies by establishing an automated hardware root of trust method for enforcing and monitoring geolocation restrictions for cloud servers. A hardware root of trust is an inherently trusted combination of hardware and firmware that maintains the integrity of the geolocation information and the platform. Once the cloud platform has been attested to be trustworthy and to comply with a defined geolocation policy, then other use properties can be instantiated to support additional security capabilities that are built on this foundational hardware root of trust. These capabilities can include restricting workloads to running on trusted hardware in a trusted location; restricting communications between workloads; ensure workload data is protected at rest; applying security policies to workloads; and leveraging these capabilities across a hybrid cloud. This project will result in a freely available NIST Cybersecurity Practice Guide.

Table of Contents

  1. Executive
    • Purpose
    • Background
  2. Scenarios
  3. Security Characteristics
    • Stage 1
      Platform Attestation and Safer Hypervisor or Operating System Launch
    • Stage 2
      Trust-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 3
      Trust-Based and Geolocation-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 4
      Data Protection and Encryption Key Management Enforcement Based on Trust-Based and Geolocation-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 5
      Persistent Data Flow Segmentation Before and After the Trust-Based and Geolocation-Based Homogeneous Secure Migration within a Single Cloud Platform
    • Stage 6
      Industry Sector Compliance Enforcement for Regulated Workloads Before and After the Trust-Based and Geolocation-Based Homogeneous Secure Migration
    • Stage 7
      Trust-Based and Geolocation-Based Homogeneous and Policy Enforcement in a Secure Cloud Bursting across Two Cloud Platforms
  4. Relevant Standards and Guidance
  5. Component List

From Extreme to Mainstream: How Social Norms Unravel | Bursztyn, Egorov, Fiorin

Leonardo Bursztyn, Georgy Egorov, Stefano Fiorin; From Extreme to Mainstream: How Social Norms Unravel; Working Paper No. 23415; National Bureau of Economic Research (NBER); 2017-05; paywall.

tl;dr → something about needing “just the right” amount of correlational clustering to allow ideas to spread appropriately.


Social norms are typically thought to be persistent and long-lasting, sometimes surviving through growth, recessions, and regime changes. In some cases, however, they can quickly change. This paper examines the unraveling of social norms in communication when new information becomes available, e.g., aggregated through elections. We build a model of strategic communication between citizens who can hold one of two mutually exclusive opinions. In our model, agents communicate their opinions to each other, and senders care about receivers’ approval. As a result, senders are more likely to express the more popular opinion, while receivers make less inference about senders who stated the popular view. We test these predictions using two experiments. In the main experiment, we identify the causal effect of Donald Trump’s rise in political popularity on individuals’ willingness to publicly express xenophobic views. Participants in the experiment are offered a bonus reward if they authorize researchers to make a donation to an anti-immigration organization on their behalf. Participants who expect their decision to be observed by the surveyor are significantly less likely to accept the offer than those expecting an anonymous choice. Increases in participants’ perceptions of Trump’s popularity (either through experimental variation or through the “natural experiment” of his victory) eliminate the wedge between private and public behavior. A second experiment uses dictator games to show that participants judge a person less negatively for publicly expressing (but not for privately holding) a political view they disagree with if that person’s social environment is one where the majority of people holds that view.

How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to Government Agents | FindLaw

How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to Government Agents; Solomon L. Wisenberg; In FindLaw; 2017-05? (undated).
Solomon L. Wisenberg is a partner and co-chair of the white collar criminal defense practice group of Nelson Mullins Riley & Scarborough, LLP.

18 U.S.C. § 1001 – U.S. Code – Unannotated Title 18. Crimes and Criminal Procedure § 1001. Statements or entries generally

Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully–

  • falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
  • makes any materially false, fictitious, or fraudulent statement or representation;  or
  • makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;

shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.  If the matter relates to an offense under chapter 109A, 109B, 110, or 117, or section 1591, then the term of imprisonment imposed under this section shall be not more than 8 years.

  • Subsection (a) does not apply to a party to a judicial proceeding, or that party’s counsel, for statements, representations, writings or documents submitted by such party or counsel to a judge or magistrate in that proceeding.
  • With respect to any matter within the jurisdiction of the legislative branch, subsection (a) shall apply only to–
    • administrative matters, including a claim for payment, a matter related to the procurement of property or services, personnel or employment practices, or support services, or a document required by law, rule, or regulation to be submitted to the Congress or any office or officer within the legislative branch; or
    • any investigation or review, conducted pursuant to the authority of any committee, subcommittee, commission or office of the Congress, consistent with applicable rules of the House or Senate.

Consensual Software: How to Prioritize User Safety Before It Becomes a PR Nightmare | InfoQ

Consensual Software: How to Prioritize User Safety Before It Becomes a PR Nightmare; Danielle Leong; In InfoQ; 2017-05-18.

tl;dr → GitHub is on it. Ms. Leong’s team comprise the guardians. Their rubric appears midway.

Rebuttal: Machines work for their owners. In SOA, that is not you, you are the product.

Danielle Leong
  • engineer, Community & Safety, GitHub
  • founder developer, Feerless
    <quote>an app that provides trigger warnings for Netflix users with PTSD</quote>
    One “develops” an app; one “founds” a religion, a country or a company.



  • Is every user explicitly consenting to use this feature, or are we assuming they want to participate?
  • Is it easy to opt-out of this feature?
  • Is it easy to block a person who is abusing the feature to spam, harass, or threaten others?
  • Are there audit logs to see how users are interacting with your feature? Metrics?
  • Is it easy for your support staff to untangle what happened if an incident occurs?
  • How much personally identifying information is public?
    • How easy is it to redact past or sensitive information? (i.e. a trans person’s deadname, a user’s physical address, private email addresses, AWS keys, etc)
    • Do we really need to store or expose personally identifying information?
  • Are you allowing users to upload images?
    • Are you filtering out porn?
    • Are all users explicitly consenting to receiving uploaded images?
    • Can you solve this problem by using a pre-vetted image integration like GIPHY?
  • Do you allow 0-day accounts the same privileges as a vetted user?
  • How could a stalker ex use this feature to hurt someone?
  • How are your support tickets handled for each new release?