Categories: Links

Data breaches, phishing, or malware? Understanding the risks of stolen credentials

New research from Google:

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
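As an added illustration (my own sketch, not code from the paper or from Google), here is a small Python example of the two steps the abstract describes: replaying a leaked credential dump against a service's own password hashes to find accounts whose password has been exposed elsewhere, and then folding that exposure together with device and geolocation history into the login decision. The dump entries, the accounts, the PBKDF2 storage format and the risk weights are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for a credential dump traded on a blackmarket forum:
# (email, plaintext password) pairs harvested from some *other* service.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "correct horse battery staple"),  # alice reuses it here
    ("bob@example.com", "hunter2"),                         # not bob's password here
]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever the real service stores (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    known_devices: set = field(default_factory=set)    # device profiles seen before
    known_countries: set = field(default_factory=set)  # historical geolocations
    exposed: bool = False  # flipped once a leaked password verifies against pw_hash


def new_account(email, password, devices=(), countries=()):
    salt = os.urandom(16)
    return Account(email, salt, hash_password(password, salt), set(devices), set(countries))


def password_matches(acct, password):
    return hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt))


def mark_exposed(accounts, leaked):
    """Replay each leaked (email, password) pair against the matching account.
    A successful verify means a third-party breach hands an attacker a valid
    credential for *this* service. Returns the e-mails that were hit."""
    hits = []
    for email, password in leaked:
        acct = accounts.get(email)
        if acct is not None and password_matches(acct, password):
            acct.exposed = True
            hits.append(email)
    return hits


def assess_login(acct, password, device_id, country):
    """Decide 'deny' / 'allow' / 'challenge' / 'reset' for one login attempt.
    Once the password is known to be circulating, a correct password alone is
    not enough; an unfamiliar device or country raises the bar further.
    The weights are hypothetical."""
    if not password_matches(acct, password):
        return "deny"
    risk = 0
    if device_id not in acct.known_devices:
        risk += 1
    if country not in acct.known_countries:
        risk += 1
    if acct.exposed:
        risk += 2
    if risk == 0:
        return "allow"          # familiar device and place, password not leaked
    if risk < 4:
        return "challenge"      # step-up: second factor or recovery-phone prompt
    return "reset"              # leaked password from an unknown device and country


if __name__ == "__main__":
    accounts = {a.email: a for a in [
        new_account("alice@example.com", "correct horse battery staple", {"dev-a1"}, {"CA"}),
        new_account("bob@example.com", "a-different-password", {"dev-b1"}, {"CA"}),
    ]}
    print(mark_exposed(accounts, LEAKED_CREDENTIALS))
    alice = accounts["alice@example.com"]
    print(assess_login(alice, "correct horse battery staple", "dev-a1", "CA"))
    print(assess_login(alice, "correct horse battery staple", "dev-zz", "RU"))
```

The point of the exposure check is that it runs against the service's real verifier, so a dump from an unrelated site still tells you which of your users reused the password; the login scoring then treats that knowledge as a standing risk signal rather than waiting for a suspicious attempt to arrive.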

Categories: Links

Intro to Mitigating Contemporary DDOS Attacks

From Cloudflare:

As the capacity of networks like Cloudflare continue to grow, attackers move from attempting DDoS attacks at the network layer to performing DDoS attacks targeted at applications themselves.

For applications to be resilient to DDoS attacks, it is no longer enough to use a large network. A large network must be complemented with tooling that is able to filter malicious Application Layer attack traffic, even when attackers are able to make such attacks look near-legitimate.

The pace of change in how DDoS attacks are conducted, and attackers' efforts to turn best and worst security practices alike against Internet-connected resources, is a serious and generally underappreciated problem.
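To make the application-layer point concrete, here is an added Python example (mine, not Cloudflare's tooling) of one building block such filtering needs: a per-client sliding window that budgets request cost rather than request count, replayed over a constructed access log in which the attacker's requests are each individually well-formed. The log format, the route cost weights and the budget are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed access log, one request per line: "epoch_seconds client_ip path".
# 203.0.113.10 is an ordinary visitor; 198.51.100.7 sends individually valid
# search requests, five per second for eight seconds. Hypothetical data.
LEGIT = [f"{1700000000 + 3 * i} 203.0.113.10 /" for i in range(5)]
ATTACK = [f"{1700000000 + i // 5} 198.51.100.7 /search?q=term{i}" for i in range(40)]
SAMPLE_LOG = "\n".join(sorted(LEGIT + ATTACK, key=lambda line: int(line.split()[0])))

# Relative cost of serving each route: the front page comes from cache, an
# uncached search hits the database. Hypothetical weights.
ROUTE_COST = {"/": 1, "/search": 5}


def route_cost(path):
    return ROUTE_COST.get(path.split("?", 1)[0], 2)


class CostWindowLimiter:
    """Sliding-window budget per client, measured in request *cost* rather than
    request count, so a modest request rate aimed at expensive endpoints is
    still caught."""

    def __init__(self, window_s, budget):
        self.window_s = window_s
        self.budget = budget
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, cost)
        self.spent = defaultdict(int)      # ip -> cost currently inside the window

    def allow(self, ip, ts, cost):
        queue = self.events[ip]
        # Expire events that have slid out of the window.
        while queue and queue[0][0] <= ts - self.window_s:
            _, old_cost = queue.popleft()
            self.spent[ip] -= old_cost
        if self.spent[ip] + cost > self.budget:
            return False   # drop; rejected requests are not charged to the window
        queue.append((ts, cost))
        self.spent[ip] += cost
        return True


def filter_log(log_text, window_s=10, budget=50):
    """Replay log lines through the limiter. Returns {ip: (passed, dropped)}."""
    limiter = CostWindowLimiter(window_s, budget)
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        ts, ip, path = line.split()
        passed = limiter.allow(ip, int(ts), route_cost(path))
        stats[ip][0 if passed else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


if __name__ == "__main__":
    for ip, (passed, dropped) in filter_log(SAMPLE_LOG).items():
        print(f"{ip}: passed={passed} dropped={dropped}")
```

Keying on the source address alone is the weak part of this sketch: a botnet spreads the same load across thousands of clients, each staying under the budget, which is why production filtering also groups traffic by attributes such as client fingerprint, network or session before deciding what looks near-legitimate and what does not.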

Categories: Roundup Writing

The Roundup November 19-24, 2017 Edition

It’s another week closer to the end of the year, and another where high profile men have been identified as having engaged in absolutely horrible and inappropriate behaviours towards women. And rather than the most powerful man in the world — himself having self-confessed to engaging in these kinds of behaviour — exhibiting an ounce of shame, he’s instead supporting an accused man and failing to account for his past activities.


I keep going back and forth as to whether I want to buy a new Apple Watch; I have zero need for one with cellular functionality and, really, just want an upgrade to take advantage of some more advanced heart monitoring features. The initial reviews of the Apple Watch Series 3 were…not inspiring. But Dan Seifert’s review of the Apple Watch Series 3 (non-LTE) is more heartening: on the whole, it’s fast and if you already have a very old Apple Watch and like it, it’s an obviously good purchase. I just keep struggling, though, to spend $600 for a device that I know would be useful but isn’t self-evidently necessary. Maybe I’ll just wait until Apple Canada starts selling some of the refurbished Series 3 models…


While photographers deal with Gear Acquisition Syndrome (GAS), which is usually fuelled by the prayer that better stuff will mean better photos, I think that writers deal with the related Software Acquisition Syndrome (SAS). SAS entails buying new authoring programs, finding new places to write, or new apps that will make writing easier, faster, and more enjoyable. But the truth is that the time spent learning the new software, finding a voice in the new writing space, or setting up new apps tends to take away from time that would otherwise be spent writing. But if you’re feeling a SAS-driven urge to purchase either Ulysses or iA Writer, you should check out Marius Masalar’s comprehensive review of the two writing tools. (As a small disclosure, I paid for Ulysses and use it personally to update this website.)


New Apps and Great App Updates from this Week

Great Photography Shots

If tapeworms are your thing then there’s some terrific shots of them included as part of an interview with tapeworm experts. A few gems include:

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Categories: Quotations

On The Need For Loneliness and Private Time

As much as I love the intimacy of a stable, healthy romantic partnership, I’ve always been wary of my need for loneliness and private time. I brandish my introvert badge with chutzpah. But, deep inside, whenever I got with someone and I needed to take time off to replenish, I always felt guilty. I felt like I wasn’t ready. That if I really, really wanted a relationship, I would not have this need to be by myself.

Tchassa Kamga, Before I Could Date Anyone, I had to Date Myself.

Categories: Links

Confidentiality in an Era of Patient-Doctor-Cop

From The Canadian Press:

Doctors at Royal Columbian Hospital in New Westminster have complained that local police and RCMP officers are routinely recording conversations without consent between doctors and patients who are considered a suspect in a crime.

“They will be present when we are trying to question the patients and trying to obtain a history of what happened,” said Tony Taylor, an emergency physician who practises at the hospital.

“They have now recently started recording these conversations and often they will do that unannounced, which has a number of implications around confidentiality and consent.”

As far as doctors at Royal Columbian are concerned, the police are getting in the way of patient care.

Patients tend to clam up when police officers are present, Dr. Taylor said. “That makes it difficult to get those kind of history details that are critically important,” he said.

The idea that the police are present, and recording interactions between a doctor and patient, is patently problematic from a procedural fairness perspective. In the past the authorities have lost Charter challenges based on their attempts to exploit Canada’s one-person consent doctrine; I’d be very curious to know the legal basis for their recording persons who may be accused of a crime, in a setting clearly designated as deserving heightened privacy protections, and the extent to which that legal theory holds up under scrutiny.

Categories: Links

A Past Life’s Dream Job

Per Wired:

Woods, a 30-year-old with neatly floppy hair, is dressed tonight in a black button-down shirt and jeans. His DM performances—and being a dungeon master is a kind of performance—are often marked by excitable narration and winkingly melodramatic theatrics; at one point during tonight’s game, he gleefully pounds a hand into a fist, mimicking an arrow’s impact on an opponent.

He’s spent nearly three months preparing for this showdown, even hand-building a few model towers out of scrap wood and dowels. It’s one of the most elaborate adventures he’s crafted in his four-year career as a professional DM at schools and homes in Manhattan and Brooklyn. Sometimes, like tonight, the games are run in his apartment, where the bookshelves reach high with graphic novels and board games, and where the walls are decorated with full-color maps from D&D classics like Greyhawk and Isle of Dread.

But while Woods is one of several DMs-for-hire out there, this isn’t his hobby or a side gig; it’s a living, and a pretty good one at that, with Woods charging anywhere from $250 to $350 for a one-off three-hour session (though he works on a sliding scale). For that price, Woods will not only research and plan out your game but also, if you become a regular, answer your occasional random text queries about wizard spells. “He’s worth the money,” says Kevin Papa, a New York City educator (and occasional DM) who’s been part of this Friday-night game for more than a year. “Being a DM requires a lot of brainshare. I don’t know how Timm absorbs it all.”

When I was in high school or doing my undergrad, I can see this being the type of job I’d have loved. Though I think that basing a campaign’s length and narrative on the sessions clients are willing to pay for would create some challenging conditions for planning long-term stories; it’d definitely lend itself to a serialized type of play, where each session is like a mini TV episode, as opposed to early sessions functioning as the opening scenes of a feature film.

Categories: Photography Videos

Develop Your Photographer’s Brain

A great, and as always helpful, reminder that what matters most isn’t the equipment you carry but your creativity and desire to use it on a regular basis.

Categories: Aside Links

Covernames Versus Code / Strategy Versus Tactics

From the New York Times:

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

While the revelation of code facilitates a more immediate kind of repurposing and attack, I think that the Shadow Brokers have tended to reveal tactical information, versus the strategic information released by Snowden. Few have done the requisite work to actually pull together the comprehensive narratives that emerge in the Snowden documents and, instead, have focused on specific programs or tools. Those few of us who have comprehensively analyzed his documents, however, now possess insights into the strategic thinking, decision making, and resource allocation of the Five Eyes intelligence agencies. The long-term value of such information is at least as great as that of code drops, if not greater.

Categories: Links

Terrestrial Movement

Photo made with Olympus E-M10ii and Olympus M.Zuiko Digital 14-42mm F3.5-5.6 II R at Niagara Falls on October 15, 2017 in Niagara Falls, Ontario. Edited in Apple Photos.

Categories: Solved

A Fix for Bad iPhone Battery Life

For the past few weeks I’ve had outrageously bad battery life on my iPhone 7, running iOS 11. A lot of the battery drain was from the Podcasts app (approx. 24-33%) but I couldn’t figure out why the drain rate was so high: even when I only streamed over Bluetooth or AirPlay I had the same power drain percentages, so it didn’t seem to be linked to powering the speaker on the phone (which can impact battery life significantly).

Then I realized that the application was searching for new podcasts every hour and downloading any that were available. My battery life has drastically improved after changing the setting so that the app only looks for new podcasts every 6 hours: I can now use the phone normally for a day and end up at about 20-30% battery remaining when it gets set down to charge for the night. Victory is mine!