We have a deployment at work tonight at 5pm (because in financial firms, you always deploy at 5pm on Friday). Fortunately, we've already done a full test, so we're looking forward to a pretty boring deployment tonight.
Fortunately, we have the Internet, which has provided me with all of these things to read:
Back to planning for next week's post-deployment fixes.
If the Kanye West–Donald Trump crazyfest didn't do it for you, there are plenty of other things to take a look at this lunchtime:
That's all for now. Enough crazy for one Friday.
As in, "nice work, Dutch military, for unraveling a GRU operation and blowing 300 GRU agents worldwide:"
Dutch authorities have photographs of four Russian military intelligence (GRU) operatives arriving at the Amsterdam airport last April, escorted by a member of the Russian embassy. They have copies of the men’s passports — two of them with serial numbers one digit apart. Because they caught them, red-handed, inside a car parked beside the Organization for the Prohibition of Chemical Weapons in The Hague — the GRU team was trying to hack into the OPCW WiFi system — Dutch authorities also confiscated multiple phones, antennae and laptop computers.
On Thursday, the Dutch defense minister presented this plethora of documents, scans, photographs and screenshots on large slides at a lengthy news conference. Within seconds, the images spread around the world. Within hours, Bellingcat, the independent research group that pioneered the new science of open source investigation, had checked the men’s names against several open Russian databases. Among other things, it emerged that, in 2011, one of them was listed as the owner of a Lada (model number VAZ 21093) registered at 20 Komsomolsky Prospekt, the address of the GRU. While they were at it, Bellingcat also unearthed an additional 305 people — names, birthdates, passport numbers — who had registered cars to that very same address. It may be the largest security breach the GRU has ever experienced.
That's a great way to fight back: exposure. This is an example of the integrity and ingenuity which almost led to the Dutch controlling the world instead of the British way back when.
This week, I got an email from the SEO coordinator at Alaska Airlines:
My name is Shawn with Alaska Airlines. I'm reaching out concerning a specific link on blog.braverman.org. As you may have heard, Alaska Airlines acquired Virgin America last year. We are in the process of updating all Virgin America links to go directly to our website, https://www.alaskaair.com.
We want to make sure your readers are being sent to the correct place!
We would really appreciate it if you could update the link and anchor text, Virgin America, on this page: http://blog.braverman.org/2009/09/default to:https://www.alaskaair.com and Alaska Airlines.
Please let me know if you have any questions.
If you're not the appropriate person to contact about this, can you put me in contact with the right person?
(The actual post he meant me to change is here.)
See, Alaska took over Virgin America, and now they want to scrub the Internet of all references to the old airline. I politely told Shawn that, no, I was not about to change a 9-year-old blog post to send Virgin down the memory hole.
He replied that he understood, but could I just change the URL to point to Alaska Air at least?
No, Shawn. I'm not editing the post, full stop. It reflects the state of the world in 2009, and to me, it's a document that needs to remain unaltered.
I'm sure the SEO coordinator of an airline believes that it's a doubleplusgood thing to help people who may inadvertently discover a blog post from 2009 not get misdirected. But the whole thing really creeped me out. Alaska or one of its vendors had to go through every one of the over 6,500 posts I've written looking for references to Virgin America, and then Shawn had to field my response to his (no doubt automated) email request. That's a lot of effort to pretend Virgin America never existed.
Did I mention Virgin America Airlines? Just making sure.
Lots of stuff crossed my inbox this morning:
Back to my wonderful, happy software debugging adventure.
Before diving back into one of the most abominable wrecks of a software application I've seen in years, I've lined up some stuff to read when I need to take a break:
OK. Firing up Visual Studio, reaching for the Valium...
In late 2016, someone apparently attacked American diplomats in Cuba and China with a device that caused people to hear loud sounds and experience concussion-like brain damage. Now, doctors working with the attack victims may have figured out what it was:
The medical team that examined 21 affected diplomats from Cuba made no mention of microwaves in its detailed report published in JAMA in March. But Douglas H. Smith, the study’s lead author and director of the Center for Brain Injury and Repair at the University of Pennsylvania, said in a recent interview that microwaves were now considered a main suspect and that the team was increasingly sure the diplomats had suffered brain injury.
“Everybody was relatively skeptical at first,” he said, “and everyone now agrees there’s something there.” Dr. Smith remarked that the diplomats and doctors jokingly refer to the trauma as the immaculate concussion.
Strikes with microwaves, some experts now argue, more plausibly explain reports of painful sounds, ills and traumas than do other possible culprits — sonic attacks, viral infections and contagious anxiety.
In particular, a growing number of analysts cite an eerie phenomenon known as the Frey effect, named after Allan H. Frey, an American scientist. Long ago, he found that microwaves can trick the brain into perceiving what seem to be ordinary sounds.
Military strategists have talked about various nonlethal weapons for a long time. I don't remember reading about microwave weapons until now, since sound on its own seemed to be a pretty good way of disabling troops. But this is interesting, and disturbing.
Via Bruce Schneier, retired USMC Colonel Mark Canclan has authored a report outlining what threats we're likely to face in the next few years, and how to cope with them. He includes some chilling strategic possibilities:
The cyber attacks varied. Sailors stationed at the 7th Fleet' s homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls' cries heart-wrenching the cheers of Marines sickening And all of it fake. The National Security Agency's initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine's account under which it had been posted was hacked. But the damage had been done.
There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron's Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth. Soldiers at Fort Sill were at each other's throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.
The report is fascinating, and the vignettes that Canclan describes should be keeping US military and defense personnel up at night.
Via Schneier, Stuart Schechter has an excellent article for MFA n00bs people new to multi-factor authentication:
Many online accounts allow you to supplement your password with a second form of identification, which can prevent some prevalent attacks. The second factors you can use to identify yourself include authenticator apps on your phone, which generate codes that change every 30 seconds, and security keys, small pieces of hardware similar in size and shape to USB drives. Since innovations that can actually improve the security of your online accounts are rare, there has been a great deal of well-deserved enthusiasm for two-factor authentication (as well as for password managers, which make it easy to use a different random password for every one of your online accounts.) These are technologies more people should be using.
However, in trying to persuade users to adopt second factors, advocates sometimes forget to disclose that all security measures have trade-offs . As second factors reduce the risk of some attacks, they also introduce new risks. One risk is that you could be locked out of your account when you lose your second factor, which may be when you need it the most. Another is that if you expect second factors to protect you from those attacks that they can not prevent, you may become more vulnerable to the those attacks.
Before you require a second factor to login to your accounts, you should understand the risks, have a recovery plan for when you lose your second factor(s), and know the tricks attackers may use to defeat two-factor authentication.
Read it, and then send it to all of your non-technical friends, unless they happen to be politicians in a certain elephantine party in the U.S.
Bruce Schneier says that the TSA's thoughts about security at smaller airports are exactly the conversation they should be having:
Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes -- 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.
To be clear, the TSA has put forth no concrete proposal. The internal agency working group's report obtained by CNN contains no recommendations. It's nothing more than 20 people examining the potential security risks of the policy change. It's not even new: The TSA considered this back in 2011, and the agency reviews its security policies every year.
We don't know enough to conclude whether this is a good idea, but it shouldn't be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency's willingness to explore changes in the screening process.
There is already a tiered system for airport security, varying for both airports and passengers. Many people are enrolled in TSA PreCheck, allowing them to go through checkpoints faster and with less screening. Smaller airports don't have modern screening equipment like full-body scanners or CT baggage screeners, making it impossible for them to detect some plastic explosives. Any would-be terrorist is already able to pick and choose his flight conditions to suit his plot.
And just think, it's only taken 15 years and $45 billion to get here...