Category Archive

Cyber Security

A History of UFO-Spotting

Eyewitness Accounts and The News – 1940’s on

 

I’ll start when the modern day ‘flying saucer’ story started, although recordings of UFOs go back to BC times.

The first UFO to start the ‘flying saucer’ trope in America actually wasn’t a saucer – it was a squad of ships shaped like boomerangs that rotated like saucers. A newspaper game of telephone turned the banana-shaped ships into simple circles.

The person who saw them was a trusted, reliable pilot, so the story ended up in the news – the year was 1947, and although he was a private pilot, the job was difficult and garnered a lot of respect. He saw it with his own two eyes! There were very few instruments on board to help him define what he saw. The logical conclusion, therefore, is that the other crafts had something to block the extremely basic radar available at the time, leaving his eyes the only tools he had left. Who wouldn’t trust a hardworking, honest pilot? Especially after so much went into juicing up their public reputation during the second World War.

As time goes on, more pilots report strange phenomena upon landing, stuff they couldn’t have possibly recorded, otherworldly stuff. They had nothing but the equipment in their crafts to help them describe what they saw. Phantom ships that only the radar saw, visible ships that the radar didn’t, ships somewhere in the middle that were visible, but only briefly, strange glows, odd behavior in the clouds, the list goes on. They could record height and approximate location via a map and their travelling speed, but otherwise, they were completely and totally alone. Cameras could go up in planes, yes – but that wasn’t as simple as it is today, and seeing this stuff was rare. Nobody blamed cameramen for not catching anything when they went, and they couldn’t go up all the time on every plane.

Part of this is that print media itself was old and well-respected. It was one of very few ways to get news at the time. TVs weren’t quite everywhere, and radio wasn’t 24-7, but print news was cheap and accessible. Images were ‘trustworthy’, as many people didn’t grasp how easy photos were to manipulate, especially back then when rural folks could go their entire lives without touching a camera, or getting their own picture taken – a photo of a blur in the clouds when someone did happen to catch something strange was taken as fact. Rebukes were slow, and not as sensational. Aliens, as far as newspapers were concerned, were visiting Earth. Not everyone cared, and not everyone believed it, but this seeded an unshakeable belief in aliens in America.

 

The Blurry Photo Era – 1960’s to 1980’s

 

Once handheld devices were more available to people out in the sticks, bizarre, blurred images of things floating in the sky alongside blurred images of cryptids in forests began appearing. They were published to magazines, shared among groups, pictured on tabloid TV, and discussed publicly. Unlike before, though, these people worked all sorts of jobs, often less glamorous than pilots. The participants soon earned a reputation for being crackpots, crazy, or liars – after all, the best evidence they had was often barely better than an eyewitness statement. A blur.

It didn’t help that mental illness wasn’t really a ‘thing’ during this time period. Paranoia, schizophrenia, PTSD, etc. were all under the same umbrella of ‘insane’. People suffering from untreated illnesses were deliberately picked on alongside believers who were of sound mind to discredit all believers as ‘insane’. Even if someone did see something unexplainable, they’d be fighting uphill against the stigma set up by news sources. Eyewitness accounts become meaningless except to other people already looking for a reason to believe.

At the same time, professionals were also more connected to the public than ever, and so common phenomena that would have been UFOs (ball lightning, sun dogs, the green flash over the ocean during sunset, etc.) were now much more easily described and identified as natural, terrestrial stuff. Someone could come forward with a strange picture and get themselves shot down publicly.

However, many were also able to identify and picture real non-natural objects that they just didn’t understand. Weather balloons are much bigger than most people think they are, and the US is always trying to improve its arsenal with tech the other guys don’t have yet, so stories of mysterious super-sonic vehicles that appeared and disappeared in the blink of an eye aren’t necessarily lies. They just came at an inconvenient time for the militaries of the world, and aliens were easier to dismiss than manmade crafts were.

Clarifying that this was a real craft, therefore, was not going to happen. It was in everybody’s best interest to say that the witness said it was aliens. You wouldn’t want a cold war to turn hot over some amateur’s photos of your spy balloons, right? While TV watchers found them entertaining, it was more comfortable to assume witnesses saw whatever they saw wrong, even when they didn’t.

UFOs had more stories, but less credibility.

Mobile Phones (And Smartphones) 1990’s to 2006

 

Mobile phones capable of taking pictures started popping up in the late 90s and early 2000s, and with them, even more blurry, bad photos of cryptids and UFOs started appearing online – but they were less blurry than the previous generation, and the appearance of the internet meant that people who had experienced something otherworldly could share it alongside the photo without having to get onto TV or radio. The sheer number of these stories lent them some credibility. Plus, their stories couldn’t be chopped up into something incomprehensible by someone else, like they sometimes were earlier. The story came straight from the horse’s mouth!

Smartphones made most of them disappear, however, during the transition from an offline world to an online one. I haven’t seen a ‘new’ photo of a UFO since 2006, not counting DoD videos and the like. Average, ordinary people can’t seem to snap pics of alien craft anymore. The quality of the camera is a big part of that! Suddenly, it didn’t make sense that images were blurry.

In the 90’s, cameras had a natural sort of fuzz to them unless it was professional equipment, and that fuzz made it easier to disguise altered photos. Edges could be blurry back then. They can’t be blurry now. It also no longer made sense that multiple eyewitnesses “Saw something in the sky” and none of them thought to take a picture while it was hovering. And now we don’t get any more half-blurry, half-filtered images of UFOs. Instead we get more eyewitness accounts and really well-photoshopped fakes.

Tech improves, and suddenly sightings are rare, but the ones we do get are much more believable, or come from trustworthy sources… like the military.

Modern era – 2007 – Now

 

And military tech is always improving. All this new tech to see things is actually often blinding. Hear hoofbeats? Think horse, right? Well… when the tech allows you such incredibly fine-tuned detail of the animal, it’s possible to confuse yourself with things you’d never have to worry about if you were just using your eyes to see that the animal is brown. Imagine being able to see the exact temperature and speed of a four-legged animal, but not its color, because it’s too far away. You may even be able to see size… but horses come in all kinds of sizes, so if it’s the same size as the zebra, you still haven’t solved the mystery. You record it and avoid it like a smart person would, and when you get back, they’re trying to identify it with you.

The three videos released recently by the DoD, for example, could be a number of things, but they are UFOs until someone identifies them. But not all UFOs are equally unidentifiable, and many have simple, easy explanations. A duck can be a UFO. Another plane can be a UFO. A weather balloon can be a UFO. If you can’t identify the flying object with certainty, it’s an unidentified flying object. That’s it. The tech of today just allows pilots to see things from several kilometers away while moving at Mach speed, so they’re able to pick up moving things they wouldn’t have been able to see before. Unfortunately, this often means that they’re seeing specks with heat signatures. The public then conflates an unidentified speck with a full-blown zebra, even though at the distance it was filmed at, it could have been a friendly dog.

 

Tic Tac

 

If the pilot is especially crafty, they may help the perception of the zebra along even if they don’t know either. The Tic Tac video and its story are some of the most contentious UFO ‘evidence’ available on the web today, and for good reason. The Tic Tac video and the two Tic Tac eyewitness accounts are all different from each other. One pilot only caught a glimpse of it, one says that the Tic Tac behaved aggressively for five or so minutes (and that keeps changing), and the video just shows a small white dot at a great distance moving in front of the ocean.

We can’t see color, we can’t see shape, we can’t see anything about it other than its relative speed and temp. It could just be a seabird. It could be a tiny personal craft, like a glider. We have no video of the thing actually darting around in the way the pilot describes later – ways that defy physics. Jerks in the video are due to the camera not being able to turn anymore, or the auto-lock simply losing the object, not the object itself ‘jerking’.

I’d like to trust the pilot, I really would – but which makes more sense? An otherwise ordinary man in a high-profile job lied to get some time in the spotlight, or an interstellar traveler came from space without being detected until it got onto the Navy’s turf, behaved in ways that broke the laws of physics as we know them in front of observers, and then disappeared, again, without being spotted?

 

We can only hear hoofbeats, and the pilot swears it’s a zebra with no evidence other than “trust me”.

 

Debunking

 

All of this tech is great, but it also enables lying by being specifically vague. People who really, really want to believe in aliens cherrypick relevant details out of these videos to get the conclusion they want. They then share this narrative that it must have been an alien because the information in the video that could argue against that is so critically important but so easy to ignore. Speed. Temp. How far the camera can rotate. Laymen don’t often have to look at readouts like this, so easy-to-miss details like the speed being relative instead of absolute sometimes drift right by. Proving them wrong as a layman is nearly impossible because they’ve told the truth – just not all of it.

The most infuriating part of this is that the DoD would never release these videos if they didn’t know A) what they weren’t and B) whether or not they were a threat. They specify that the videos don’t reveal any sensitive data. The context of these videos is just as important as the content – you never see videos of UFOs threatening US pilots, because it would cause unrest if such videos ever made it to the public.

You never see videos of something clearly manmade and powerful but unidentified either, because releasing those videos would be as good as admitting that some other nation has a craft on par or superior to the US’s, and the US can’t have that. Maybe interstellar UFOs do exist – but if the Navy has seen them, that footage isn’t just out in the open. Regular boring old UFOs that are just unidentified flying stuff aren’t as exciting.

A Side Note

 

Tech reduces the reliance on interviewers. This is a good thing, because a poor interviewer can completely wreck a case or story before it’s even gotten off the ground. It’s well-documented that people, especially children, can misremember things if the interviewer isn’t careful. “What color of shirt was he wearing?” vs. “And he was wearing a dark blue shirt, right?” produce different responses. If the person doesn’t know for certain what shirt the suspect was wearing, they may misremember it as dark blue instead of simply saying they don’t remember or didn’t see.

Humans are social creatures – children especially will react to what they perceive as positive attention from a caring adult (the interviewer) by fibbing or subconsciously altering their story to get more of that positive attention. They may not even be aware that they’re doing it, and they’ll definitely remember it wrong after the fact. For this reason, you also shouldn’t conduct interviews in groups to avoid memory cross-contamination.

Conducting interviews like this, therefore, is undeniably bad for justice and truth. Look for it when watching documentaries on UFOs – do they interview in a group? Do they ask strangely-worded follow-up questions designed to get a certain, soundbiteable response? Does the interviewer lead the interviewee?

 

Sources: https://www.theatlantic.com/technology/archive/2014/06/the-man-who-introduced-the-world-to-flying-saucers/372732/

https://www.nytimes.com/2020/04/28/us/pentagon-ufo-videos.html

https://www.history.com/videos/uss-nimitz-tic-tac-ufo-declassified-video

What’s the deal with Google.amp links?

Google And Fast Loading

If a mobile site takes even a second too long to load, users navigate away. This is a well-studied phenomenon, and all companies can do is try and optimize loading so the user gets some feedback before they bounce.

Facebook created Instant Articles, an easier-to-read and easier-to-load format than the original old method of simply copying and pasting a link to your wall, which worked fine on desktop and not so well on mobile. Ads, videos, and assorted other tidbits really slow loading down on mobile devices, even on WiFi. Consumers agree via engagement: Instant Articles is great. After all, who likes autoplay videos? Google sees a fantastic channel for improving loading times, pictures how it could monetize it, and begins to assemble the Accelerated Mobile Pages project, or .amp for short, and introduces Google.Amp links. You search something on mobile, you find it, and instead of being taken directly to the site, you’re taken to a Google.Amp page that optimized the site for you.

 

How does it work?

 

How does .amp make things load faster? Well, firstly, dynamic content doesn’t show up. Everything on that .amp version of the page is as simple and easy-to-load as possible.

That means if you’ve mistagged a menu, the consumer might not be able to see it. The same goes for embedded videos and music clips. If your site is really reliant on those things being present to function, allowing .amp links is a bad move!

Secondly, the website is stripped down to its bare bones: website creators are given a small selection of tags to build out their website, which usually results in something plain, but quick-loading. If the website is really, really insistent on keeping all of its content, .amp links are unfortunately unable to help. .Amps are a trade-off!

 

And Results

 

It makes some websites downright ugly. People using .amp links have very limited tags in their toolbox, so the end websites almost always look really similar. Sometimes that’s a good thing, sometimes it’s bad. After all, if you, as a business owner, spent however many hours going back and forth with a designer (or designing a site yourself) only to have to cut most of it when signing up for those .amp links, you might be a little mad, right? Menus, color options, images – if all of it goes missing, it may as well be written in plaintext. One critic complains that this makes it easier for fake news and disinformation to squeak into the regular news stream, because when all pages look the same, all pages receive the same quality assessment from readers who don’t know better, whether they deserve it or not.

.Amp links can negatively impact search ratings and valuable data for the client website, as well. People see the page via Google, not the host’s website. As a result, the brand gets out there and impressions improve, but the website itself can’t track that data as effectively. If you’re trying to navigate the complicated world of SEO optimization, then that’s a major issue.

It also has the potential to limit ad revenue. If the ad takes too long to load, it takes too long to load, and the end user never actually sees the ad. Most Google ads function by clicks – that means that customers clicking or tapping the ad is the only way the website gets money from them. As a result, unloaded ads = lost potential revenue.

 

Good Results?

 

However, the ability to load the website so quickly is often worth it to small business owners. Customers are impatient and often expect instant feedback – with Google.amp links, they can provide that instant feedback, usually for cheaper than other speed-up options, like redesigning the site or removing certain content features.

Besides, many users actually like the lack of ads. The mobile web is riddled with annoying popups and other assorted garbage that makes sketchy websites even more annoying to navigate. Of course customers are going to pick a .amp if it means not having to struggle with jerky, autoloading videos and annoying, jumpy ads. Not to mention that .amp links take away windows for viruses!

 

Google and… Data

 

It’s not a secret anymore. Google is always gathering data. It knows what device you’re using, it has some understanding of who you are as a person, and it’s using it to build ads that people like you are more likely to click on.

Google primarily started the .amp project as a way to compete with other data hogs like Facebook and Messenger. Why? Data, valuable data. You clicked on X? We’ll show you more articles about X! You clicked on a fashion article? Why, we just so happen to have ads from Calvin Klein’s newest collection.

Now, sometimes this is good – many people find new and interesting things via algorithms. Sometimes this is bad for the consumer, where they get ad after ad about dog food despite not having a dog because they clicked an article about dogs, and sometimes it’s bad for society at large, where conspiracy theorists get more and more misinformation funneled to them via the algorithm. Nothing tells Google to stop. Once you start on a path, it takes some serious effort to get algorithmically plugged content away from your feeds.

.amp links are obviously not the only things tracking you. Anything with Google anywhere is tracking you. Adsense is tracking you. But .amp links are part of the problem, and Google is getting your info before it’s getting filtered down to the actual website’s owner.

 

Turn It Off!

 

While turning off customized ads won’t stop the data collection, it will mean you’re less likely to see oddly specific, creepily accurate ads when you’re just trying to browse. As for the .amp links, turn that off too. .AMP links are giving a lot of power to Google, and some of the information you accumulate during normal browsing may very well be sucked up by Google.

Look here: and here to control how you’re seeing ads.

Sources:

https://www.discovertec.com/blog/amp-speed-page-the-good-and-bad-of-faster-load-times

https://www.theverge.com/2019/4/16/18402628/google-amp-url-problem-signed-exchange-original-chrome-cloudflare

Reasons to Recycle your Phone

 

1. Lithium batteries are not biodegradable.

 

In general, modern materials don’t really degrade much. When was the last time something you owned rusted away completely? And if it did – did it really? The spot below the cheap, neglected grill in my friend’s back yard has no grass in it. The rust is still there to interfere with that grass’s growth, even though it’s technically degraded. That grass may eventually come back if the rain ever washes enough of the contaminated dirt away, but until then, the ground is inhospitable. Now picture that with metal that’s not designed to spoil, and chemicals that are much harsher. Batteries are by far one of the most concerning items to trash. They tend to corrode and release acid if not disposed of properly, and the bigger the battery, the bigger the concern for acid to leach into whatever it’s laying on top of. You don’t want something you threw away to make a mini-superfund site, surely?

 

2. They also don’t behave well when the internals are exposed to air.

You cannot just dump a phone in the trash when you’re buying a new one. Besides the environmental effects (which can be anywhere from acid leaching to heavy metal poisoning, depending on battery type) there’s also a real danger of starting an unquenchable fire in a garbage truck. If it’s one of the fancy ones that can compact garbage as it picks it up, the battery being punctured can set off a fire inside the bin. If you’re unlucky, and others have thrown out paper trash or flammables, you’ve got a serious problem on your hands. Recycle the phone! If not the phone, then at least the battery!

 

3. The phone contains rare earth metals.

 

These are metals that are common in the Earth’s crust, but very difficult to actually mine out and purify economically. After a point, mining them might make phones too expensive for the average consumer – so it’s important to harvest what parts are harvestable! Besides that, the phone itself isn’t going to bio-degrade because it’s completely inorganic. Rather than let all those precious minerals and non-degrading materials go to waste, recycle!

4. The hard drive may not be wiped the way you hope it is.

 

It’s very possible to recover deleted documents off of a hard drive months after ‘wiping’. Wiping a traditional hard drive completely is difficult, and solid states only make it harder. The hard drive still has a phantom copy of the old doc until it’s written over with something else, or grazed with a magnet. Doing this thoroughly is difficult, which is why you should recycle through a reputable hardware recycler. This is especially important for things like email apps, which frequently don’t ask users to log in after the first time they’re used on the phone!

5. Having a secondary market is essential for the health of the industry.

 

If the number of workable phones is low, people are forced to buy the new model because it’s all they can find. This is why planned obsolescence is so insidious. They’re deliberately cutting down the market for their users so they can sell more new phones at a high price. If this was a perfectly efficient world where consumers had perfect information, this would lead to the company dying, because nobody wants to pay $700 for something that breaks in three years. But it’s not – it’s a world where people drop an extra $200 on a phone for its camera. It’s a world where the phone carrier forces you to upgrade as part of their contract. It’s a world where branding is the fashion. It is not perfectly efficient, and as long as the manufacturers recognize this, they will make attempts to money-grub.

Keep those second-hand phones in the market and force manufacturers to keep making phones at least as well as their old products. This is still recycling! It’s keeping the phone from its final death in a landfill, and extending its life for as long as possible.

 

6. Broken Phones Still have Valuable Parts

 

If the phone’s so broken that it’s not possible to re-sell it, consider recycling it anyway – lithium batteries have many uses, and as mentioned before, those rare earth metals aren’t getting any less rare. Recycling the phone by sending it somewhere to get it broken down is also valid recycling. If you can squeeze just a little bit more use out of a device by dropping it off or passing it on – why wouldn’t you?

Besides, the facility will know how to handle that battery!

 

Sources:

https://www.independent.co.uk/news/science/mobile-phones-elements-periodic-table-endangered-chemicals-st-andrews-a8739921.html

https://www.npr.org/2020/11/18/936268845/apple-agrees-to-pay-113-million-to-settle-batterygate-case-over-iphone-slowdowns

 

 

Avoiding Doxxing

 

On TikTok, posting personal details and Facebook profiles of feuding personalities is becoming normal, frighteningly fast. Doxxing is becoming a real problem. How do you avoid it?

 

Don’t use the same username for every website.

 

When every website you go to uses xXxCatLover93xXx as your handle, eventually, people are going to start searching for that name. Maybe you got into an argument over whether Ragamuffins are better than Ragdoll cats – and now someone is googling your username to see what other wrong opinions you have. If your TikTok account had that username and a real picture of you, then they know what you look like. If you posted that same picture to Facebook once you migrated from MySpace, and they reverse-image search, suddenly they’ve stumbled upon your profile. Use different usernames! Don’t link anonymous and non-anonymous accounts with the same username, that defeats the purpose!  

Additionally, under those usernames, it’s a good idea to regularly purge your post history or delete the account, particularly for sites like Reddit where post history is public. People reveal more than they think they do in comments, especially if they don’t realize something’s a local landmark. Citing a particular statue or feature of a town may be just familiar enough for someone to recognize it. They then know you’re there, and by scrolling down the post history, they may be able to identify you.

Not everyone is malicious, and if people identify that you live in their town, it’s probably not going to lead to someone murdering you (although cases like that exist!). It’s just uncomfortable to spill secrets to strangers who may or may not be able to recognize you IRL. The bigger concern should be people you don’t like identifying you and learning more about you via that profile’s history!

 

Don’t Post Details (or post them ‘wrong’)

 

Birthdate, gender, and zipcode can narrow your exact identity down to one or two people within that zipcode. With your name or initials, bingo! You’re the only one who matches! Now, other people may be able to identify that you only have one dog, one roommate, and no security door via information you’ve posted in the past.

How do you prevent that? Don’t post any of those details. Post them wrong if someone asks – flip numbers around in the zipcode, and birthday. Insinuate you have several dogs. Flip your gender or refuse to disclose it. If someone is asking you for something as specific as your zipcode, you should read that as a red flag! City, state, whatever – that’s one thing. Zipcodes can get really specific, down to two or three neighborhoods. You may have overshared elsewhere, and the other side is one small step from being able to doxx you.
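The effect described above can be measured. This added example (not from the original post; the records are constructed and the function names are illustrative) counts how many people share each combination of birthdate, gender and ZIP code, then repeats the count with coarser or withheld details.

```python
from collections import Counter

# Constructed records (not real people): (birthdate, gender, ZIP code)
PEOPLE = [
    ("1993-04-12", "F", "89103"),
    ("1993-04-12", "M", "89103"),
    ("1993-09-30", "F", "89103"),
    ("1993-04-12", "F", "89117"),
    ("1988-01-05", "M", "89117"),
    ("1988-01-05", "M", "89117"),
    ("1988-07-21", "M", "89123"),
    ("1993-11-02", "F", "89123"),
]


def generalize(record, dob="full", zip_digits=5, keep_gender=True):
    """Coarsen one record. dob is 'full', 'year' or 'none'; ZIP keeps a prefix."""
    birthdate, gender, zipcode = record
    dob_part = {"full": birthdate, "year": birthdate[:4], "none": "*"}[dob]
    zip_part = zipcode[:zip_digits] + "*" * (5 - zip_digits)
    return (dob_part, gender if keep_gender else "*", zip_part)


def anonymity_sets(records, **level):
    """Map each disclosed profile to the number of records that share it."""
    return Counter(generalize(r, **level) for r in records)


def k_anonymity(records, **level):
    """Size of the smallest crowd anyone hides in; 1 means someone is unique."""
    return min(anonymity_sets(records, **level).values())


def unique_fraction(records, **level):
    """Share of records whose disclosed profile matches nobody else."""
    sets = anonymity_sets(records, **level)
    alone = sum(1 for r in records if sets[generalize(r, **level)] == 1)
    return alone / len(records)


if __name__ == "__main__":
    levels = {
        "full birthdate + gender + ZIP": {},
        "birth year + gender + 3-digit ZIP": {"dob": "year", "zip_digits": 3},
        "birth year + 3-digit ZIP, gender withheld": {
            "dob": "year", "zip_digits": 3, "keep_gender": False},
    }
    for label, level in levels.items():
        print(f"{label}: k={k_anonymity(PEOPLE, **level)}, "
              f"unique={unique_fraction(PEOPLE, **level):.0%}")
```
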

 

Non-Text Related – Don’t post your face or identifying locations

 

When I was growing up, it was suggested that you should never post your face online, as someone could find you off of that alone. In middle school, we were told a horror story of a little girl who went missing, because she was conversing with a ‘friend’ online. That friend was really a pedophile posing as another 10-year-old, and he asked her for a picture of herself, spotted her school’s logo on her backpack in the background of that picture, and then snatched her and murdered her based off of that. Information in the background is just as valuable as a face pic.

That still holds true! You shouldn’t post pictures of the outside of your house, because if Google Street View has seen it, it’s not impossible to reverse-search. If a malicious party knows you live in that state, then they may be able to narrow down your neighborhood just by building style. Your face, your school, your work – any unique building or feature could be used against you.

You also shouldn’t post pics of receipts, as store numbers contain a lot of information. When you do post pictures, black out information like time and place! It’s also a really good idea to check your phone’s settings. EXIF data is data the phone stores about the picture – things like time, date, and device specs are stored in each picture you take. If you don’t have it set to ‘off’, EXIF data also frequently has geotagging information attached to it. Turn that off in settings!
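To see what a photo would give away before it is posted, this added example (not part of the original post) reads a JPEG's EXIF block, reports whether a GPS directory is present, and strips the metadata. The bytes returned by `build_sample` are constructed for the demonstration, and all function names are this example's own.

```python
import struct

SOS, APP1 = 0xFFDA, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory


def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS or marker >> 8 != 0xFF:
            break
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated segment")
        yield marker, pos, end
        pos = end


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4-byte value field)} for one TIFF directory."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def exif_report(jpeg):
    """Report whether the file carries EXIF at all and how many GPS tags it has."""
    report = {"has_exif": False, "has_gps": False, "gps_tags": 0}
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_HEADER):
            continue
        report["has_exif"] = True
        tiff = payload[len(EXIF_HEADER):]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            continue
        try:
            (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
            ifd0 = read_ifd(tiff, ifd0_off, endian)
            if GPS_IFD_TAG in ifd0:
                (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
                report["gps_tags"] = len(read_ifd(tiff, gps_off, endian))
                report["has_gps"] = report["gps_tags"] > 0
        except struct.error:
            report["malformed"] = True  # unreadable metadata: strip, don't trust
    return report


def strip_exif(jpeg):
    """Return a copy with every APP1/Exif segment removed; pixels are untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    for marker, start, end in iter_segments(jpeg):
        if not (marker == APP1 and jpeg[start + 4:end].startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]  # scan data and end-of-image marker, copied as-is
    return bytes(out)


def build_sample():
    """Constructed input: JPEG segment structure only, not a viewable photo."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                 # header, IFD0 at 8
    tiff += struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, 26)  # IFD0: GPS pointer
    tiff += struct.pack("<I", 0)                             # no further IFD
    tiff += struct.pack("<H", 2)                             # GPS IFD, 2 entries
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W\x00\x00\x00")  # GPSLongitudeRef
    tiff += struct.pack("<I", 0)
    exif = EXIF_HEADER + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
            + b"\xff\xda\x00\x02" + b"\x00" * 4 + b"\xff\xd9")  # stand-in scan


if __name__ == "__main__":
    photo = build_sample()
    print("before:", exif_report(photo))
    print("after: ", exif_report(strip_exif(photo)))
```

Stripping the whole EXIF segment also drops the orientation tag, so some photos may display rotated afterwards.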

 

TikTok Crisis

 

TikTok is a terrifying place. Users regularly show their entire face, cons that they’ve attended, and personal stories with too much detail to their audience. Distinctive, unique tattoos get shown off to thousands of people, as well as the view from their front yard and what stores they can walk to. Some of the TikToks that came out of the pandemic were about remote learning, with the teacher visible on the screen. This is a problem because many schools post pics of their teachers on their staff page. Bad actors are using this to find the school to show them the TikTok and find the person who posted it.

The worst part? It doesn’t have to happen immediately. Kids posting a video of themselves violating school rules weeks later can still be found via that video further down in the feed. Ticked off a more anonymous user? You’ll never know how the school found out. Videos of dance trends that they wouldn’t want their parents seeing are getting sent to their parents based off of information gathered over weeks or months of posts. All of it’s online. Video is an incredibly information-rich format, and when each video is under a minute long, any one person could look through them all.

It’s no surprise people are getting their own details shoved in their face when they’re posting this much about themselves!

The easy solution? Just don’t. Don’t download the app, and don’t download videos. Of course, this isn’t going to happen, so the second-best option is to always film indoors away from windows, or in generic buildings like Targets or chain grocery stores. Don’t film yourself in a distinctive school uniform or in an identifying area of said school, because sometimes all it takes is specific colors. In Las Vegas, many of the school buildings look the same, but the colors are totally distinct to each school. Blue and orange belong to Bishop Gorman, so if a kid has posted about living in Vegas before, those colors narrow down their location dramatically.

Shia LaBeouf’s flag, and 9Gag’s ‘meme hieroglyph’

 

It’s dangerous to attract too much attention from certain forums. 4Chan in particular is notorious for finding the unfindable, triangulating exact locations based off of things like truck honks and light positioning. See the saga of Shia LaBeouf’s flag project, where the flag was found over and over until he was forced to put it in a featureless white room.

9Gag put a limestone pillar covered in ‘hieroglyphs’ (which were really just old memes carved into the surface) underground for future archeologists to find. 4Chan and other forums found it by cross-referencing information in the background (Spanish writing on a truck) with available limestone mines and open fields in Spanish-speaking countries and found its exact coordinates based off of that little information. They couldn’t do much about it, because it was a 24-ton piece of limestone, but they found it.

 

Crimes

 

If you post things online, someone may be able to find you given time and determination. The best thing you can do to avoid that determination is fade into the background, as hard as you can, and don’t post crimes or social misconducts to TikTok or social media. Even if you’re not planning on committing crimes, you should set accounts to private, don’t overshare, and don’t do things that get you online attention for the wrong reasons. Once again, TikTok is terrifying because small accounts may think they’re only sharing with their friends, only to end up trending unintentionally!

Maskless groups of friends posting videos at the beginning of the pandemic were scolded for being maskless, and because interaction makes videos more likely to appear on the ‘For You’ page, those maskless videos were getting thousands of people’s worth of harassment. Post something dumb? Algorithm catches it juuuust right? Previously anonymous posts then get a glance from hundreds to thousands of people! Suddenly, it matters a lot if you’ve ever posted videos that looked bad with no context.

 

And More Crimes

 

If you’ve seen posts that said “help me find her!” with some sob story about a missed connection, this is one way of finding people who don’t necessarily want to be found. Sure, it might be legit. It might also be a particularly clever stalker using a sad story about ‘I was out of swipes on Tinder!’ to get unsuspecting ‘good Samaritans’ to help him chase some woman’s Facebook profile down. Missed Connections on Craigslist is one thing – that’s pretty anonymous. Posting a missed connection to thousands of people on Reddit or TikTok is an entirely different thing. It’s effectively setting a mob after that person to get them to respond to the poster. The same goes for Missing Persons posts – if the number is anything but a police department’s number, you should be wary of trying to help.

 

Sources: https://www.dhs.gov/sites/default/files/publications/How%20to%20Prevent%20Online%20Harrassment%20From%20Doxxing.pdf

https://dataprivacylab.org/projects/identifiability/paper1.pdf

 

Emulators: Legal Gray Area

History of the Emulator

 

An emulator is a program that emulates a game console, usually for the purpose of playing a game that is – either by price, age, or device – inaccessible. Streamers commonly use emulators to play Pokemon games made for the Gameboy, so they can screen-record their gameplay directly from their computer instead of having to somehow hook the Gameboy up to it. Zelda fans might want to play Ocarina of Time, but they might also find that the console to play it on is awfully expensive for one game, but an emulator is pretty cheap! In certain cases, games are geolocked – countries restrict access to certain forms of art as a means of censorship. Emulators can make those games accessible to people who want to play them in that country.

In the 1990s, consoles were on top when it came to games. Computers were rapidly gaining in power, however, and some folks realized that the console could be recreated using a home computer. The first emulators were born via reverse-engineering console coding. They evaded legal action by only copying devices that were outdated, but that changed too with a major emulator made for the Nintendo 64 while it was still in production. Nintendo pursued legal action to stop the primary creators, but other folks who had already gotten their hands on the source code kept the project going.

Ever since then, emulators have lived in a delicate balance of making games available and making them so available that the parent company decides to step in and try to wipe it out, which is nearly impossible once it’s out on the open web. Gamers simply won’t allow a good emulator to die!

 

Copyright

 

Copyrights are crucial to the gaming ecosystem, and it’s a delicate balance of allowing fan art, but disallowing unauthorized gameplay. Allowing game mods, but disallowing tampering that could lead to free copies being distributed against the company’s wishes. Copyright laws are always evolving – new tech comes with new ways to copy, create, and distribute intellectual property. Generally, though, copyright falls back to permission: did the original company intend for their IP to be used in this way?

Emulators and copyright don’t get along very well at all! Emulators are, by their very definition, creating access to the game in a way the original company didn’t intend. As such, it’s unofficial, and if money is exchanged, it’s not normally between the copyright holder company and the customer, it’s the customer and some third unauthorized party.

Games aren’t selling you just the physical disk. You’re buying a license to play the game. If you take it as far as Xbox intended to back when the Xbox One was coming out, friends are only allowed to come over and play with you on your license because the company can’t enforce it. It’s a limitation of the system that they can’t keep you from sharing disks.

Not every company thinks like this (see the Playstation 5), but that’s the most extreme possible interpretation. You bought a disk so you could play a copy of their game that they have licensed out to you. You own the right to play that copy of the game, you don’t own the game itself.

 

Consider: Death of a Console

 

When a console dies, it’s taking all of its content with it. There is no more money to be made off of it, and the games are going to slowly disappear into collections and trash bins.

Does art need to exist forever, or is it okay if some art is temporary? Not every Rembrandt sketch is still in trade – some of it was just sketches, and he obviously discarded some of his own, immature art. Immature art is interesting to see, but it’s not what the artist wanted their audience to see. Otherwise it would have been better kept. Think about the ill-fated E.T. game that Atari made, they weren’t proud of it, they didn’t want it seen, and they saw fit to bury it. So they buried it. It was directly against their wishes for people to find this game and then play it. Emulating it is obviously not what the programmers who made it wanted for it.

But then consider all the little games included on a cartridge that’s just forgotten to the sands of time, made by a programmer who didn’t want it to fade away? Acrobat, also for the Atari, isn’t very well-remembered, but it still made it onto Atari’s anniversary console sold in-stores. 97 games on that bad boy, and Acrobat was included. It’s not a deep game, it’s nearly a single player Pong. But the programmers who made it didn’t ask for it to be excluded from the collection, so some amount of pride must exist over it, right? Does the game have to be good to be emulated? Is only good art allowed to continue existing officially?

Is all art meant to be accessible to everyone?

If some art is made with the intent to last forever, is it disregarding the creator’s wishes to not emulate it, against their production company’s wishes?

If art’s made to last forever but the artist (and society) accepts that that’s simply unrealistic, is it weird to emulate it, in the same way it’s weird to make chat-bots out of dead people? Every tomb we find, we open – even against the wishes of the grave owner, in the case of the Egyptians, or against the wishes of the living relatives, in the case of Native Americans. Video games are kind of like tombs for games that have lived their life and then died. But they’re also kind of like art.

When you get past the copyright, it’s a strange, strange world to be in.

 

Ethical Dilemma

 

Stealing goes against the ethics of most societies, modern or not. The case against emulators is that it’s stealing. It often is! An emulator/ROM (ROMs act as the ‘disc’ or ‘cartridge’ for the emulator) for Breath of the Wild was ready just a few weeks after the game launched, which could have seriously dampened sales if Nintendo didn’t step in to try and stop that. That first emulator, the one for the Nintendo 64, also drew a lot of negative attention for the same reasons, potentially siphoning away vital sales.

However, there’s a case to be made for games and consoles that aren’t in production anymore.

Is this a victimless crime, if the original game company really can’t make any more money off of it? It’s one thing to condemn piracy when the company is still relying on that income to make more games and pay their workers, it’s another entirely when the game studio isn’t interested in continuing support, and the console had a fatal fault in it that caused many of them to die after 10 years. That game is as good as gone forever without emulators. With no money to be made, why not emulate it?

In less extreme circumstances, the console’s still functioning, but the cartridges that went to it are incredibly rare. The company could potentially make money off of the game if they someday decided to remaster it, but that’s unknowable. Licenses could be available for purchases… but they aren’t right now.

Or, even better, the cartridges are still available for purchase in the secondary market. You just don’t happen to have the console, which has now spiked to a cost of 400 dollars due to reduced supply over time. You buy the cartridge – you’re still buying the license, you just don’t have the car, right?

According to copyright, you need a specific car for a specific license, but ethically, you’ve done the best you can as a consumer.

Assuming you have tried to buy a license for the car. The biggest issue with emulators is that they allow unlicensed drivers access to cars, making piracy much easier than it should be.

 

Brand Name

 

Much like Disney did with Club Penguin’s many spinoffs, emulators are kind-of sort-of overlooked up until they start eating into sales. Most companies just don’t want to spend money to enforce an issue like emulators – their game is still being played, their brand is still out there, and the users are going to be very upset if this big company decides to step in and ruin fun when they don’t need to. It may do more harm than good to try and wipe the emulator out when most people want to do the right thing.

Obviously, they’ll need to put a stop to emulating new games – the goal is to spend just enough money to do that effectively without also overstepping and destroying emulators for consoles no longer in production. It takes money to make games, games should earn money as a result. Removing emulators for games and consoles no longer in production isn’t helping them earn money – as such, many are allowed to stay. For now.

Sources:

https://www.pcgamer.com/the-ethics-of-emulation-how-creators-the-community-and-the-law-view-console-emulators/

https://scholarlycommons.law.northwestern.edu/njtip/vol2/iss2/3/

 

 

Risks to Your Machine In Public

 

1) Public Wifi

If you’ve been online in the past few years, you’ve likely seen this warning already from VPN ads and security experts: don’t connect straight to public WiFi if you can help it, and if you do, don’t do your online banking on it. If the hacker gains special access to the WiFi network without the actual owners knowing, they can see the data that travels to and from the systems attached to it.

 

2) Juice Jacking

 

There was a period of time, after teeny-tiny tech like that found in micro-cameras arrived but before the phone security we see today, when hackers could connect chips to public USB plug-ins and steal data. This happened either directly through the port or by downloading malware designed to send that info after a certain amount of time. Things like pictures, app passwords, saved files and audio recordings: anything you wouldn’t want to share over USB. Luckily, a security conference revealed a lot of these issues before they became an epidemic, and between Android updating with a white-list system and Apple updating with security patches, juice jacking is less and less common. If you’re still worried, there are a number of ways to protect yourself that don’t rely on programming, like using the cable/adaptor that came with your device or using a charge-only cable with no data wires.

 

3) Illegitimately Named HotSpots

 

In this case, the hacker renames a WiFi source (which could be a phone hotspot or something similar) to something that you’re looking for. Maybe it’s the free WiFi for the hotel, and you don’t notice that there’s two of them before you go through the effort of logging in with your room’s key and the password they gave you – which the hacker doesn’t need, but it gives an air of legitimacy to the fake network. Now the hacker can see your online traffic, whether it be to apps on your phone or to websites on your laptop. Private information is no longer private.

This is different than the previously mentioned public WiFi: in this method, the hacker owns the fake network, where on public WiFi, they don’t. The legitimate admin on a WiFi channel that the hacker doesn’t own might eventually notice and kick them from it, but the WiFi source the hacker owns would need to be shut down to keep people off of it since the hacker is the source.

Renaming networks to get phones to auto-connect can also be a problem, but if it’s not done right, unseen data alerts the phone that HomeNetwork1 isn’t really the network it is supposed to auto-connect to. This means that this hack is more complicated than the method listed above; most people would probably pause for a second if their phone was asking for permission to connect to their home network from miles away, without a password. Social engineering a connection to a network the device is unfamiliar with anyway is an easier, more efficient way to steal data.

Be sure to turn off WiFi seeking features until you’re ready to connect to a specific network of your choosing, which removes this possibility altogether.

 

4) Over the Shoulder

 

The simplest method of gaining illegitimate access to your accounts is via Social Engineering. Now, it’s not easy – if you’ve ever tried before out of curiosity, you’ll know that most people type too fast for your eyes to actually follow, and that’s not including hitting the shift key and adding in numbers or punctuation, etc. so it’s simple – not easy. But difficult is not impossible, and if your password is especially simple, or they watch you glance at a sticky note you’ve stuck somewhere to remember the password, the chance that they’ll successfully remember or find your password goes up. Remember, the best passwords are long and decently complicated!

 

Sources:

https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/

https://us.norton.com/internetsecurity-mobile-what-is-juice-jacking.html

https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

https://www.androidpolice.com/2013/02/12/new-android-4-2-2-feature-usb-debug-whitelist-prevents-adb-savvy-thieves-from-stealing-your-data-in-some-situations/

https://www.consumerreports.org/digital-security/is-using-public-wifi-still-a-bad-idea/

 

Internet Of Things: Network Vulnerability

 

Internet of Things items are convenient, otherwise they wouldn’t be selling. At least not next to regular, non-wifi-enabled items. They don’t even have to be connected to the internet, and they should stay that way!

An Internet of Things item, or an IoT item, is a device that has a WiFi- or network-enabled computer in it to make the consumer’s use of it easier. This includes things like WiFi-enabled/networked washing and drying machines, ovens, fridges, mini-fridges, coffee makers, lamps, embedded lights, etc. Anything can be an IoT item, if it’s got WiFi capability.

 

Network Entry Point

 

Internet of Things items, when connected to WiFi, represent a weak link in the chain. They’re poorly protected, they’re designed to favor user friendliness over all else, and they’re usually always on. You likely don’t unplug your fridge or washing machine when you go to bed – that computer may sleep, but it’s not off. You probably don’t disconnect the internet when you go to bed, either. Some devices take advantage of this, and only schedule updates for late at night so you don’t notice any service interruptions. Unfortunately, their strengths are their weaknesses, and an always-open port is a dream for hackers.

 

Outdated Password Policies

 

Internet of Things items are rarely password protected, and if they are, many users don’t bother actually changing the password from the factory default. This makes them excellent places to start probing for weaknesses in the network!

Assuming someone’s hacking into a place to ding it with ransomware, there are a number of worthy targets: corporate offices, nuclear facilities, hospitals, etc. are all staffed by people, and people like their coffee. A well-meaning coworker bringing in an internet-enabled coffee machine for his coworkers is suddenly the source of a critical network vulnerability, an open port in an otherwise well-defended network!

If the coffee machine, or vending machine, or the lights are IoT items, they need to be air-gapped and separated from the main network. They don’t need to be on the same network supplying critical data within the center. The devices are simply unable to protect themselves in the same way a PC or phone is! There’s no way to download a suitable antivirus onto a coffeemaker. If something gets past a firewall, and that password’s still default or nonexistent, there’s no second layer of protection for IoT devices.
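One way to check the two points above (factory-default passwords and separation from the main network), as an added example that is not from the original article. The subnets, device names, inventory fields and allowed-flow list are all constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network plan: every name and address below is a sample value.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/24"),   # workstations, file servers
    "iot": ipaddress.ip_network("10.10.50.0/24"),     # isolated device network
}

# Constructed firewall policy: (source segment, destination segment) pairs
# that are allowed to open connections.
ALLOWED_FLOWS = {("office", "iot"), ("iot", "office")}


@dataclass
class Device:
    name: str
    ip: str
    is_iot: bool
    default_password: bool  # True if the password is factory default or absent


INVENTORY = [
    Device("file-server", "10.10.0.10", False, False),
    Device("break-room-coffee-maker", "10.10.0.77", True, True),
    Device("lobby-lights", "10.10.50.20", True, False),
    Device("vending-machine", "10.10.50.21", True, True),
]


def segment_of(ip):
    """Return the name of the segment that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def audit(inventory, allowed_flows, iot_segment="iot"):
    """Return (subject, problem) findings for IoT devices and IoT firewall flows."""
    findings = []
    for dev in inventory:
        if not dev.is_iot:
            continue
        # An IoT device that sits next to the file server is the weak link.
        if segment_of(dev.ip) != iot_segment:
            findings.append((dev.name, "on-main-network"))
        # With a default or missing password there is no second layer of protection.
        if dev.default_password:
            findings.append((dev.name, "default-password"))
    # Separation only helps if the IoT segment cannot open connections outward.
    for src, dst in sorted(allowed_flows):
        if src == iot_segment and dst != iot_segment:
            findings.append((f"{src}->{dst}", "iot-can-reach-main-network"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(INVENTORY, ALLOWED_FLOWS):
        print(f"{subject}: {problem}")
```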

 

Malware

 

For example, hacking into a fridge is not nearly as hard as hacking into an old PC. Even great antivirus can struggle with traffic coming from inside the network. Even worse, IoT devices are often missed in security checkups anyway. When McAfee or Norton or Kaspersky recommends you scan your computer, are they offering to scan your lightbulbs as well?

Once they’re in, the entire network is vulnerable. Ransomware events with no obvious cause, malware that’s suddenly deleted all the files on a server, stolen data and stolen WiFi – all of it’s possible with IoT devices. There’s more to gain than just bots for the botnet, which is why hackers keep going after these IoT items.

IoT devices are also much easier to overwhelm to gain access, even with firewalls and effective load balancing. DoSing an IoT item can be as simple as scanning it. No, really. A team in the UK found that they could shut down turbines in a wind farm by scanning them. The computers inside weren’t equipped to handle both a network scan and their other computing duties at the same time. Many user devices are in the same spot or worse!

 

Security

 

Besides turbines, items like cameras and door locks probably shouldn’t be connected to the internet just yet. A terrifying string of hacks let strangers view doorbell and baby monitoring cameras, for example. The cameras themselves were difficult to defend even though the network was protected by a router. This is terrible for obvious reasons and class action suits were filed soon after. It even happened accidentally; Nest users would occasionally end up viewing other people’s cameras unintentionally, a bug in the system that was only fixed after complaints were made.

A consistent pattern is forming, here: security patches are only issued after vulnerabilities are discovered by the consumer! Any other type of programming wouldn’t get away with this without some public outcry. You shouldn’t have to become a victim of a security flaw to get it fixed.

And then there’s things that physically interact with the security features of a house, like electronic locks. There’s nothing wrong in theory with a password lock. However, electronics are not inherently more secure than physical locks, and adding in WiFi only gives lockpickers another ‘in’. Hacking the lock could lead to being locked out of your own home, or worse. Besides, a regular lock will never unlock itself because its battery died, or because you sat down on the fob while getting on your bike or into your car. If you do want a password lock, it’s better to get one that’s not network enabled.

We aren’t quite at the point where hacked self-driving cars are a legitimate issue, although the danger is growing on the horizon. Cars are also poorly protected, computer wise.

BotNets

The fridge doesn’t need a quadcore processor and 8 GB of RAM to tell you that it’s at the wrong temperature, or that the door’s been left open and you should check the milk. The voice-controlled lightbulbs only need enough power to cycle through colors. IoT items are weak. But not too weak to be used for things like Botnets, even if your main PC wards off botnet software.

Botnets are networks of illegitimately linked computers used to do things like DDoSing, brute-forcing passwords, and all other kinds of shenanigans that a single computer can’t do alone. By combining the computing ability of literally thousands of devices, a hacker can turn a fridge into part of a supercomputer. No one ant can sustain an attack on another colony, but an entire swarm of ants can!

This is another reason tech experts are worried about IoT items becoming widely used. Their basic vulnerabilities give skilled hackers the ability to ding well-protected sites and fish for passwords even if the network they’re targeting doesn’t have any IoT items on them. It’s a network of weaponizable computers just waiting to be exploited. Remember, password protect your devices, and leave them disconnected if you can!

Sources:

https://eandt.theiet.org/content/articles/2019/06/how-to-hack-an-iot-device/

https://danielelizalde.com/iot-security-hacks-worst-case-scenario/

https://cisomag.eccouncil.org/10-iot-security-incidents-that-make-you-feel-less-secure/

https://www.courtlistener.com/docket/16630199/1/orange-v-ring-llc/

 

Blizzard Entertainment’s 2012 Hack: An Example of How to Do It Right

In 2012, game developers were beginning to experiment with a principle known as “always on”. “Always on” had many potential benefits, but the downsides keep the majority of games from ever attempting it. Many of the notable standouts are games that require team play, like Fall Guys or Overwatch. Others without main-campaign team play tend to fall behind, like Diablo 3 and some of the Assassin’s Creed games. Lag, insecurities, perpetual updating, etc. are all very annoying to the end user, so they’ll only tolerate it where it’s needed, like those team games. It’s hard to say that this hack wouldn’t have happened if Blizzard hadn’t switched to an “always on” system… but some of their users only had Battle.net accounts because of the always-on.

Blizzard’s account system was designed with their larger, team games in mind. It was forwards facing, and internet speeds were getting better by the day. Users were just going to have to put up with it, they thought. Users grumbled about it, but ultimately Blizzard was keeping data in good hands at the time. You wouldn’t expect Battle.net accounts created purely to play Diablo 3 to lose less data than the user profiles in the Equifax breach, right? Blizzard didn’t drop the ball here! What did Blizzard do right to prevent a mass-meltdown?

Hacker’s Lament

 

The long and the short of it was that Blizzard’s stuff had multiple redundancies in place to A) keep hackers out and B) make the info useless even if it did end up in the wrong hands. Millions of people had lost data in similar events before, and security experts were more and more crucial to keeping entertainment data safe. Blizzard was preparing for the worst and hoping for the best, so even when the worst struck here, they were prepared.

The actual hack was defined by Blizzard as ‘illegal access to our internal servers’. It released the listed emails of players (excluding China), the answers to security questions, and other essential identifying information about accounts into the wild. However, due to Blizzard’s long-distance password protocol, the passwords themselves were scrambled so much that the hackers might as well have been starting from scratch. This is still a problem, but it’s not a world-ending, ‘everyone has your credit card’ problem. Changing the password on the account and enabling 2FA was considered enough to shore up security.

 

Potential Issues

 

Lost email addresses aren’t as big of a problem as lost passwords, but they can still present an issue. Now that the hacker knows an email address was used on a particular site, it’s possible to perform a dictionary attack, or regular brute forcing! This strategy will eventually work, but the longer and more complicated the password is, the less likely it is to succeed on your account in particular.
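What scrambled storage buys, and why a simple password still falls to guessing, as an added example that is not from the original article and is not Blizzard’s actual scheme. Salted PBKDF2 stands in for the password protocol, and the accounts, passwords, work factor and common-password list are constructed. The audit is the defender’s version of the dictionary attack: it flags accounts to force-reset.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumption: work factor kept low so the demo runs quickly


def make_record(password, salt=None):
    """Store a random per-account salt and a slow hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, attempt):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def accounts_needing_reset(records, common_passwords):
    """Return the accounts whose password appears on a common-password list.

    Every guess costs a full slow hash per account because each salt differs,
    so a stolen table cannot be checked against one precomputed list.
    """
    flagged = []
    for email, record in records.items():
        if any(verify(record, guess) for guess in common_passwords):
            flagged.append(email)
    return sorted(flagged)


# Constructed sample accounts. Two players chose the same weak password.
RECORDS = {
    "player1@example.com": make_record("sparky"),
    "player2@example.com": make_record("sparky"),
    "player3@example.com": make_record("correct horse battery staple 42"),
}

# Constructed stand-in for a list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "sparky", "qwerty"]

if __name__ == "__main__":
    same = RECORDS["player1@example.com"]["hash"] == RECORDS["player2@example.com"]["hash"]
    print("same password, same stored hash?", same)
    print("force reset:", accounts_needing_reset(RECORDS, COMMON_PASSWORDS))
```

The two accounts that share a password still store different hashes, and only the long passphrase survives the common-password check.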

A secondary problem is the lost security questions. Those are a form of 2FA. Depending on the question asked, guessing something that works or brute forcing it again is dangerously easy. Sparky, Rover, and Spot are very popular names for American dogs, for example. If the hacker is able to identify that the player’s American, and then guess the name of their first dog, they’re in! They can change the password to keep the legitimate player out. (Part of Blizzard’s response is forcing users to change their security questions for this reason.) 2FA that uses email or mobile is generally preferred.

Battle.net acted as an overarching account for all the games, and made the stakes higher for an account breach. All the online Blizzard games went through Battle.net. Losing access could mean losing access to hundreds of hours of game progress. Or worse: credit card data and personal info.

 

Online, Always, Forever

 

The event provided ammo for anti-always-on arguments. There was no option to not have a Battle.net account if you wanted to just play Diablo’s latest game. Some users were only vulnerable as a result of the always-online system. If they’d simply been allowed to play it offline, with no special account to maintain that always-online standard, there wouldn’t have been anything to hack! Previous Blizzard games didn’t require Battle.net. People who stopped at Diablo 2 seem to have gotten off scot-free during the hack. This is annoying to many users who only wanted to play Diablo 3. They might not find value in anything else about the Battle.net system. Why bother making users go through all this work to be less secure?

When discussing always online, there’s good arguments to be made for both sides. Generally, always on is better for the company, where offline gaming is better for the consumer. Always on helps prevent pirating, and it gives live data. Companies need data on bugs or player drop-off times, which can help them plan their resources better and organize fixes without disrupting the player experience.

On the other hand, consumers with poor internet are left out, as lag and bugs caused by poor connection destroy their gaming experience. As games move more and more to pure digital, buying a ‘used game’ only gets more difficult for the consumer. Companies treat purchased games as a ticket to a destination, rather than an object the consumer buys. Games used to be objects, where anybody could play the game on the disc even though save data stayed on the console. Buying access to Diablo 3 via Battle.net means that there’s no way to share that access without also allowing other people to access the Battle.net account, which stores the save data. It’s the equivalent of sharing the console, not just the disc.

 

Handling

 

The response to the stolen, scrambled passwords was for Blizzard to force-reset player passwords and security questions, just in case the hackers somehow managed to unscramble them.

2FA is always a good idea, and Blizzard strongly recommended it too. 2FA will do a better job of alerting you than the default email warning ‘your password has been changed’ will after the fact. After you’ve received that email, the hacker is already in. Depending on when you noticed, they could have already harvested all the data and rare skins they wanted by the time you get your support ticket filed! Setting up 2FA first means that you’re notified before that happens.

All in all, Blizzard handled this particular incident well! Companies are required to inform their users about potential online breaches, but some companies do this with less tact than others. Formally issuing an apology for the breach isn’t part of their legal requirements, for example. What made this response possible in the first place was Blizzard’s competent security team, alongside a set of policies that were strictly followed. Logs and audits in the system ensured that Blizzard knew who accessed what and when, which is critical when forming a response. Blizzard was able to determine the extent of the problem and act on it quickly, the ultimate goal of any IT response.

 

 

Sources:

https://us.battle.net/support/en/article/12060

https://us.battle.net/support/en/article/9852

https://www.forbes.com/sites/erikkain/2012/08/09/its-official-blizzard-hacked-account-information-stolen/?sh=2ecadbc955d1

https://comsecglobal.com/blizzards-gaming-server-has-been-hacked/

https://medium.com/@fyde/when-too-much-access-leads-to-data-breaches-and-risks-2e575288e774

https://www.bbc.com/news/technology-19207276

Censoring Image Info: Do it Right

Redaction.

Once upon a time, I stumbled into a forum thread about image censorship. The forum was made up of clipped images of funny Facebook posts, and at the time people were beginning to realize that you can’t just post names online willy-nilly. Censoring out the names attached to the posts was a requirement, and there were many ways to do it, but some of them could be undone.

What is Censoring, or Redacting?

That’s questionable. Merriam Webster gives a run-around definition, where censorship is the act of censoring, and censoring is the work of a censor, so I’m having to shave off the little bits of definition I got from each of those steps to make a cohesive definition here. Censorship is the act of keeping need-to-know info out of the hands of people who don’t need-to-know. This information could be moral (censoring swears out of public TV shows) private (people’s faces) or some other sort (no free branding). This isn’t a perfect definition, but it’s enough for this limited article.

The same goes for redaction, but with a little more intensity – need-to-know info has to be shared, but it could put people or property in danger. The easiest way to share that info without putting people in danger is to make them anonymous. By my own example here, redaction is the act of cutting out specifics (and anonymizing people) so the information can be shared.

People can guess – Tom Clancy is infamous for connecting dots to write what-if stories about redacted info – but the info is more or less anonymous to the general public.

Pixelate

Many choose pixelating over other methods of image redaction because it’s less harsh to the rest of the image, and destroys more than most kinds of “smooth” blurring. A lot of people can still make out what brand of soda a pixelated can is, and context will usually tell people that an obscene gesture is what’s behind the boxes on a TV show, but in general it works pretty well to get rid of the finer details that could identify somebody. More or less.

As machines get better and better at identifying patterns and finding the stop sign in Captchas, the human face is easier and easier to recreate. Gizmodo has an article on the subject here, and it’s a good demonstration of why – when the info is really important – it shouldn’t be used. Picture this: you have a 10,000-piece puzzle, most of it is one color, and you don’t have a box to look at. You do your best, but end up with a blob. This is early computers trying to un-pixelate an image.

It was great! It was very difficult to decipher who a protected witness was.

Then, further down the line, you get the box, and a set of glasses that lets you distinguish colors better – turns out that one color from before is actually like 30! So you get to work piecing it together. The box is blurry, so that’s a bummer, but other people with a completed puzzle can show you theirs. And someone posts to your database/puzzle forum an image very similar to the parts of the puzzle you’ve already completed. Suddenly you’re able to finish decoding the image for what it is: a human face.

That’s where we’re at right now. Pixelating the face of someone in the background of a TV show likely won’t lead to anybody going through all this effort to find them, but it could turn into a problem for folks being pixelated out of compromising images, court hearings, interviews, etc. where it’s very important that they aren’t found.

Text is even easier: picture the scenario above, but you know what letters are, there’s only two or three colors even with the glasses, and the puzzle’s only about 500 pieces. Don’t. Pixelate. Text. There’s a reason that governments go the permanent marker route. This article here does a great job of describing the undoing process.
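Why pixelated text leaks while a solid fill does not, as an added example that is not from the original article. A redaction is only safe if every possible secret produces the same output; the 3x5 digit font, the 2x2 block size and the two-digit candidates are constructed for the demo.

```python
# Constructed 3x5 bitmap font for the digits ("1" = ink).
FONT = {
    "0": ("111", "101", "101", "101", "111"),
    "1": ("010", "110", "010", "010", "111"),
    "2": ("111", "001", "111", "100", "111"),
    "3": ("111", "001", "111", "001", "111"),
    "4": ("101", "101", "111", "001", "001"),
    "5": ("111", "100", "111", "001", "111"),
    "6": ("111", "100", "111", "101", "111"),
    "7": ("111", "001", "001", "001", "001"),
    "8": ("111", "101", "111", "101", "111"),
    "9": ("111", "101", "111", "001", "111"),
}
INK, PAPER = 0, 255


def render(text):
    """Draw text as a grayscale image: 5 rows, 4 columns per character."""
    rows = [[] for _ in range(5)]
    for ch in text:
        for y, bits in enumerate(FONT[ch]):
            rows[y].extend(INK if b == "1" else PAPER for b in bits)
            rows[y].append(PAPER)  # one column of spacing after each glyph
    return rows


def pixelate(img, block=2):
    """Replace every block-by-block tile with its mean value."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for by in range(0, h, block):
        for bx in range(0, w, block):
            cells = [(y, x)
                     for y in range(by, min(by + block, h))
                     for x in range(bx, min(bx + block, w))]
            mean = sum(img[y][x] for y, x in cells) // len(cells)
            for y, x in cells:
                out[y][x] = mean
    return out


def blackout(img):
    """Overwrite the pixel values themselves; nothing of the input survives."""
    return [[INK] * len(row) for row in img]


def distinguishable(redact, candidates):
    """Count how many different outputs the redaction gives over all candidates.

    1 means the output says nothing about which candidate was hidden.
    """
    return len({tuple(map(tuple, redact(render(c)))) for c in candidates})


# Every two-digit string, standing in for a short secret such as part of a PIN.
CANDIDATES = [f"{n:02d}" for n in range(100)]

if __name__ == "__main__":
    print("pixelate:", distinguishable(pixelate, CANDIDATES), "distinct outputs of 100")
    print("blackout:", distinguishable(blackout, CANDIDATES), "distinct output of 100")
```

Pixelation is a fixed, repeatable calculation, so most of the hidden values still leave their own recognisable mosaic, while the solid fill leaves one identical image for all of them.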

Blur

Blur is very similar to pixelating, in a lot of ways. The pieces to the puzzle are much smaller, but you should begin to see a pattern with algorithmic censoring: once somebody knows how to do it, it can be undone. Fortunately, most people using it for important things know to go so hard on the blur factor that the image could have been a lot of things (or people), and poorly written AI can confuse matters further. Algorithms to undo blur aren’t perfect, so creating a face out of nothing doesn’t mean it’s the right face.

[Image: poor redaction means Barack Obama is completely visible but still wrong. Source: The Verge]

Take this image, for example. It’s blurry and pixel-y, but still clearly former US president Barack Obama. In a perfect world, databases would have perfect access to the entire population, but they don’t. They have access to what the researchers and engineers feed them. If your goal is to keep people from discovering someone’s identity, but you don’t want to slap a blackout square on their face, blurring is still a choice. Just make sure it’s too blurry for both people and machines to make out. Obama in this image has not been blurred nearly enough to thwart human eyes, even though the machine can’t figure it out. As a side note, this is a great example of why facial recognition technology is too immature to use right now!

Black Out (And Sticker) Redaction

[Image: two cartoon figures demonstrate poor redaction]

From Sci Fi shows to taxes, redacted documents pop up frequently. Completely covering text in a document with black ink or unremovable black squares should completely destroy data. It’s a government favorite for that reason! As long as it’s done right, the info is lost.

The problem is doing it right.

The American Bar Association has a blog post on the matter here. A failure to completely redact information digitally led to the case falling apart. Separately, the US government got into some hot water with the Italian government a while back over a document with information in it they were not supposed to see, including names of officials and checkpoint protocols relating to an Italian operative’s death in Baghdad.

The Stickers

In less serious stakes, digital stickers can be imperfect depending on the app used to place them on the document, but that’s more of a .png problem than a problem with sticker apps. Since these are mostly used to post funny exchanges online, rather than conceal government secrets, bulletproof security is normally not necessary. As such, you should treat them that way: security is not their main goal. Don’t use them for tax forms.

Additionally, printing the page, marker-ing over info to redact it, and then scanning it back in is an option if you truly don’t trust digital apps to completely destroy the data. It’s tedious, it’s annoying, and it requires a scanner, but it’s an option. This is also not infallible, because even in real life things can look opaque when they aren’t. Kaspersky made this image with a digital marker, not an ink one, but it’s still a good demo. Use something marketed for redacting, not just some Crayola water-soluble marker.

[Image: Kaspersky demonstrates poor redaction. Source: Kaspersky Labs]

Side Note: Government and Redaction Programs

Sometimes art programs store images in layers. Sometimes checking a PDF for redactions means the redactions aren’t made permanent until the document is published. With these two problems in mind, mistakes like not merging layers, or using a program that doesn’t actually remove the text (as in, you can still copy it from behind the box) are somewhat understandable. That doesn’t mean it’s not a huge mistake. Redaction is there for a reason.

A major program flaw leaked government secrets. Users could simply copy the text behind the box, like it wasn’t even there. Why would you ever leave the text intact when that’s exactly the opposite of what it was advertised for? It wasn’t an isolated incident, either, as you can see mentioned above with the ABA and the Italian case. Other ways to unsuccessfully redact include putting a vector of a black box over the information in Word and cropping the image in an Office program. The entire picture’s still there, it’s just hidden, not destroyed. Don’t do that.
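A check you can run before publishing, for the failure described above where the text is still stored in the file behind the box. This is an added example, not code from the original post or from any redaction product: the PDF fragments, the name "Jane Example" and the function names are constructed for illustration, and it only reads literal strings in plain or Flate-compressed streams (hex strings and custom font encodings are not handled).

```python
import re
import zlib

# A stream object: its dictionary, then raw bytes up to "endstream".
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)endstream", re.S)
# A PDF literal string such as (Jane), allowing backslash escapes.
LITERAL_RE = re.compile(rb"\((?:\\.|[^\\()])*\)")


def extract_text(pdf: bytes) -> str:
    """Return literal strings found in BT...ET text objects of every stream."""
    chunks = []
    for header, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in header:
            try:
                # decompressobj tolerates the end-of-line bytes after the data
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue  # not valid deflate data, nothing readable here
        for text_obj in re.findall(rb"BT\b(.*?)\bET\b", body, re.S):
            pieces = LITERAL_RE.findall(text_obj)
            chunks.append("".join(p[1:-1].decode("latin-1") for p in pieces))
    return "\n".join(chunks)


def leaked_terms(pdf: bytes, terms: list[str]) -> list[str]:
    """List the terms still stored as text, ignoring case and spacing."""
    haystack = "".join(extract_text(pdf).split()).lower()
    return [t for t in terms if "".join(t.split()).lower() in haystack]


def make_pdf(content: bytes, compress: bool = True) -> bytes:
    """Build a constructed one-stream PDF fragment for the samples below."""
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< " + filt + b"/Length %d >>\nstream\n"
            % len(body) + body + b"\nendstream\nendobj\n")


# Constructed samples: a black rectangle ("re f") drawn over a name.
BOX = b"0 0 0 rg 120 695 110 16 re f\n"
OVERLAY = make_pdf(b"BT /F1 12 Tf 72 700 Td (Witness: Jane Example) Tj ET\n" + BOX)
REMOVED = make_pdf(b"BT /F1 12 Tf 72 700 Td (Witness: ) Tj ET\n" + BOX)

if __name__ == "__main__":
    print(leaked_terms(OVERLAY, ["Jane Example"]), leaked_terms(REMOVED, ["Jane Example"]))
```

A hit means the document must not go out as-is. An empty result only means this particular check found nothing, so still flatten or re-export the file with a tool built for redaction.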

Swirl Redaction

Swirl is the worst of all of these options unless the others are executed very poorly. Besides being the ugliest option, it doesn’t do a good job at destroying information that other computers could use. Another algorithm doesn’t need to make assumptions like it would for pixelating. All of the information is still there, just stored in the shape of a crescent. That’s it. The algorithm stretches the image, and then warps it around a central axis, but everything is still there. See the side note below on the Swirl Man who assumed he’d done a good enough job of redacting his face. Now that this cure for swirling is out there, it’s basically obsolete.

Side Note: They Caught The Guy

A while back, police caught a child trafficker. He only hid his identity by swirling his face. Swirling, like any other computer effect, uses an algorithm. Algorithms follow rules. There’s a clear pattern in the swirling that can be undone to retrieve the original image. Simply knowing what tool he’d used was enough to reverse-engineer it and undo the face swirling. He was caught, thankfully, as a result of his own hubris. Here’s the Wikipedia article on his case and capture.

 

Sources: https://www.makeuseof.com/tag/easily-pixelate-blur-images-online/

https://stackoverflow.com/questions/4047031/help-with-the-theory-behind-a-pixelate-algorithm

https://en.wikipedia.org/wiki/Pixelation

https://gizmodo.com/researchers-have-created-a-tool-that-can-perfectly-depi-1844051752

http://news.bbc.co.uk/2/hi/europe/4504589.stm

https://vowe.net/archives/005838.html

https://www.kaspersky.com/blog/how-to-leak-image-info/34875/

http://www.cs.cornell.edu/~shmat/shmat_imgobfuscation.pdf

https://help.adobe.com/archive/en_US/acrobat/8/professional/acrobat_8_help.pdf

https://talkingpdf.org/redacting-with-acrobat-8-professional-vs-redax/

 

 

Don’t Plug In Found USB Sticks


Did you find a seemingly normal USB stick on the ground outside your work? How about in the lobby, where the public can come and go as they please? Did you find something that doesn’t seem to be your company’s preferred brand of USB stick, or even not branded at all? Is it strangely heavy for a typical USB stick?

DON’T plug it in. Here are some reasons why.

Ransomware

As it’s now 2020 and WannaCry has made the news more than once, you’ve probably heard of ransomware, a type of malware that encrypts files, and threatens to destroy them if money is not sent to the hacker.

USB sticks are one of many ways this virus finds its way into your most important files, pictures, and documents, and it’s notoriously difficult to get rid of. In the time it takes to discover it and attempt to neutralize it, the hacker can simply *poof* the files away if they realize you’re not going to pay.

And deleting them isn’t the only way they can cause pain. Copying the files somewhere and then releasing them online can be disastrous for certain industries and businesses, even worse than just destroying the files, and the hackers know that.

Do NOT plug strange USB sticks into your device. Even if it looks like someone from your office might have dropped it, if you don’t recognize it? Don’t plug it in. Keep it on your desk or turn it in to the IT department and wait for them to come looking for it.

Broad Malware

If the ultimate goal of the USB isn’t money, malware is another widely used way to completely wreck a computer. Sometimes malware is aiming to destroy a business’s computer network, or looking to steal secrets without ransom, or infect other computers on the network and eventually break them all at once. This is where something like AI-driven antivirus comes in handy: if something is propagating very quickly across all the devices on a network, and it’s not officially licensed, and it’s bringing a bunch of .exe stuff with it – antiviruses designed around behavior and not fingerprinting will take notice. They aren’t impenetrable, but it takes more to get around them than it does to get around a classic antivirus.

Again, don’t fall victim to Social Engineering and plug in a USB you found on the floor.

USB Killers

If you thought your anti-virus was enough to stop something nasty from creeping in on a USB, you’d be wrong. There’s more than one way to go about breaking a machine.

A USB killer is a device meant to harm the hardware of the computer it’s plugged into. Essentially, it takes charge from the computer with a capacitor and then redirects it back. “How much damage could the power flowing to the USB port actually cause?”, you may ask. USB killers aren’t simply redirecting the energy back into the computer on a one-unit-in, one-unit-out basis. Instead, they use a capacitor. A capacitor behaves kind of like a balloon rubbed on a carpet: it stores charge in a ‘field’ (the balloon in that example) passively. It doesn’t really matter how much power is leaving the USB port, as long as there is power – when the capacitor gets to its limit, it discharges back into the computer, like the static shock you’d get from the doorknob after scooting across the carpet in socks, but many times larger. Up to 215 volts larger, according to Hackaday.

USB killers are becoming rarer, but they aren’t extinct.

But Why?

So why would someone want to use a USB killer or destructive malware, instead of using ransomware or straight file-stealing?

There are a lot of answers.

Some people just want to break expensive things, and don’t care what that is. Some people are looking to slow down business opponents or gauge weaknesses within the organization. Sometimes something expensive or hard to replace is stored on the computer, and the hacker wants it gone. Sometimes it can even boil down into terrorism, depending on the industry.

The long and the short of it is that you shouldn’t plug in a USB if you don’t definitely recognize it as yours.

Sources: https://resources.infosecinstitute.com/topic/usb-killer-how-to-protect-your-devices/

https://www.independent.co.uk/life-style/gadgets-and-tech/news/russian-computer-researcher-creates-usb-killer-thumb-drive-will-fry-your-computer-seconds-a6696511.html

https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf