NDA Lynn: AI screens your NDAs

NDAs or confidentiality agreements are a fact of life if you’re in business. You’ve probably read tons of them, and you know more or less what you would accept. Of course you can hire a lawyer to review that NDA. And you know they’ll find faults and recommend changes to better protect you. But it’ll cost you, in both time and money. And do you really need the perfect document, or is it OK to flag the key risks and move on? That’s where I come in. I’m an AI lawyerbot and I can review your NDA. Free of charge.

Source: NDA Lynn | Home

One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week

Bitcoin’s incredible price run to break over $7,000 this year has sent its overall electricity consumption soaring, as people worldwide bring more energy-hungry computers online to mine the digital currency. An index from cryptocurrency analyst Alex de Vries, aka Digiconomist, estimates that with prices the way they are now, it would be profitable for Bitcoin miners to burn through over 24 terawatt-hours of electricity annually as they compete to solve increasingly difficult cryptographic puzzles to “mine” more Bitcoins. That’s about as much as Nigeria, a country of 186 million people, uses in a year. This averages out to a shocking 215 kilowatt-hours (kWh) of juice used by miners for each Bitcoin transaction (there are currently about 300,000 transactions per day). Since the average American household consumes 901 kWh per month, each Bitcoin transfer represents enough energy to run a comfortable house, and everything in it, for nearly a week. On a larger scale, De Vries’ index shows that bitcoin miners worldwide could be using enough electricity at any given time to power about 2.26 million American homes.

Source: One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week – Motherboard

Intel’s super-secret Management Engine firmware breached via USB

Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed. For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine. With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date. Alternatively, an attacker can slip into the USB port and meddle with the engine as required right there and then.

Source: Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB • The Register

Introducing GoCrack: A Managed distributed Password Cracking Tool

FireEye’s Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Source: Introducing GoCrack: A Managed Password Cracking Tool | FireEye Inc

LavaRand in Production: The Nitty-Gritty Technical Details or How Cloudflare uses a wall of lava lamps to protect the internet

There’s a wall of lava lamps in the lobby of our San Francisco office. We use it for cryptography. Here are the nitty-gritty technical details.
In cryptography, the term random means unpredictable. That is, a process for generating random bits is secure if an attacker is unable to predict the next bit with greater than 50% accuracy (in other words, no better than random chance).

We can obtain randomness that is unpredictable using one of two approaches. The first produces true randomness, while the second produces pseudorandomness.
In short, LavaRand is a system that provides an additional entropy source to our production machines. In the lobby of our San Francisco office, we have a wall of lava lamps (pictured above). A video feed of this wall is used to generate entropy that is made available to our production fleet.

We’re not the first ones to do this. Our LavaRand system was inspired by a similar system first proposed and built by Silicon Graphics and patented in 1996 (the patent has since expired).

The flow of the “lava” in a lava lamp is very unpredictable, and so the entropy in those lamps is incredibly high. Even if we conservatively assume that the camera has a resolution of 100×100 pixels (of course it’s actually much higher) and that an attacker can guess the value of any pixel of that image to within one bit of precision (e.g., they know that a particular pixel has a red value of either 123 or 124, but they aren’t sure which it is), then the total amount of entropy produced by the image is 100×100×3 = 30,000 bits (the ×3 is because each pixel comprises three values – a red, a green, and a blue channel). This is orders of magnitude more entropy than we need.

Source: LavaRand in Production: The Nitty-Gritty Technical Details
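To make the last paragraph concrete, here is an added example (my own code, not Cloudflare’s LavaRand implementation) of the three steps the post describes: the conservative entropy estimate, hashing a camera frame down to a fixed-size seed, and mixing that seed into an entropy pool. The frame is a constructed gradient so it runs offline; the function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// ConservativeEntropyBits is the post's back-of-the-envelope estimate: every
// channel value of every pixel contributes bitsPerChannel bits the attacker
// cannot guess. 100 x 100 pixels, 3 channels, 1 bit each gives 30,000 bits.
func ConservativeEntropyBits(width, height, channels, bitsPerChannel int) int {
	return width * height * channels * bitsPerChannel
}

// SampleFrame builds a constructed RGB frame (a plain gradient) so the example
// runs offline. A real LavaRand frame would come from the camera feed.
func SampleFrame(width, height int) []byte {
	frame := make([]byte, 0, width*height*3)
	for y := 0; y < height; y++ {
		for x := 0; x < width; x++ {
			frame = append(frame, byte(x), byte(y), byte(x^y))
		}
	}
	return frame
}

// ExtractSeed condenses a raw frame plus any other entropy (for example bytes
// from the OS CSPRNG) into a 256-bit seed. A cryptographic hash is a standard
// entropy extractor: it cannot create entropy, but it folds whatever
// unpredictability the frame holds into a fixed-size value with no usable
// structure. The frame is length-prefixed so the (frame, extra) boundary is
// unambiguous.
func ExtractSeed(frame, extra []byte) [32]byte {
	h := sha256.New()
	var lenBuf [8]byte
	binary.BigEndian.PutUint64(lenBuf[:], uint64(len(frame)))
	h.Write(lenBuf[:])
	h.Write(frame)
	h.Write(extra)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// MixIntoPool folds a fresh seed into the existing pool state. Because the
// hash is one-way, adding a source an attacker can see never makes the pool
// weaker, and a source they cannot see makes the next state unpredictable.
func MixIntoPool(pool, seed [32]byte) [32]byte {
	return sha256.Sum256(append(pool[:], seed[:]...))
}

func main() {
	fmt.Println("conservative entropy estimate (bits):", ConservativeEntropyBits(100, 100, 3, 1))
	extra := make([]byte, 32)
	if _, err := rand.Read(extra); err != nil {
		panic(err)
	}
	seed := ExtractSeed(SampleFrame(100, 100), extra)
	var pool [32]byte
	pool = MixIntoPool(pool, seed)
	fmt.Println("pool state:", hex.EncodeToString(pool[:]))
}
```

The point of the hash step is that the frame is only an additional source: it is combined with what the machine already has, so a camera that turned out to be less random than hoped would not make the pool worse than it was before.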

Ex-agent in Silk Road probe gets more prison time for bitcoin theft

Shaun Bridges, 35, was sentenced by U.S. District Court Judge Richard Seeborg in San Francisco after pleading guilty in August to money laundering in the second criminal case to be brought against the former agent, prosecutors said. Bridges, who served in the Secret Service’s Baltimore field office, was sentenced in 2015 to 71 months in prison for diverting to his personal account over $800,000 worth of bitcoins during the Silk Road probe. Before serving that sentence, though, Bridges was arrested again on new charges related to his theft of bitcoins that were at the time worth $359,005 but today are valued at $11.3 million, according to the industry publication CoinDesk.

Source: Ex-agent in Silk Road probe gets more prison time for bitcoin theft | Reuters

~$300m of Ethereum accidentally lost forever by Parity due to bug

More than $300m of cryptocurrency has been lost after a series of bugs in a popular digital wallet service led one curious developer to accidentally take control of and then lock up the funds, according to reports. Unlike most cryptocurrency hacks, however, the money wasn’t deliberately taken: it was effectively destroyed by accident.
On Tuesday Parity revealed that, while fixing a bug that let hackers steal $32m out of a few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.

The user, “devops199”, triggered the flaw apparently by accident. When they realised what they had done, they attempted to undo the damage by deleting the code which had transferred ownership of the funds. Rather than returning the money, however, that simply locked all the funds in those multisignature wallets permanently, with no way to access them.

“This means that currently no funds can be moved out of the multi-sig wallets,” Parity says in a security advisory.

Effectively, a user accidentally stole hundreds of wallets simultaneously, and then set them on fire in a panic while trying to give them back.

Source: ‘$300m in cryptocurrency’ accidentally lost forever due to bug | Technology | The Guardian

Linux Has a USB Driver Security Problem. 79 of them. Fortunately, they require physical access.

“All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine,” Konovalov said.
Konovalov has found a total of 79 Linux USB-related bugs
The 14 flaws are actually part of a larger list of 79 flaws Konovalov found in Linux kernel USB drivers during the past months. Not all of these 79 vulnerabilities have been reported, let alone patched.
Most are simple DoS (Denial of Service) bugs that freeze or restart the OS, but some allow attackers to elevate privileges and execute malicious code. All bugs Konovalov discovered were found using syzkaller, a tool developed by Google that finds security bugs via a technique known as fuzzing.

Source: Linux Has a USB Driver Security Problem

Forget cookies or canvas: How to follow people around the web using only their typing techniques

In this paper (Sequential Keystroke Behavioral Biometrics for Mobile User Identification via Multi-view Deep Learning), we propose DEEPSERVICE, a new technique that can identify mobile users based on user’s keystroke information captured by a special keyboard or web browser. Our evaluation results indicate that DEEPSERVICE is highly accurate in identifying mobile users (over 93% accuracy). The technique is also efficient and only takes less than 1 ms to perform identification.

Source: [1711.02703] Sequential Keystroke Behavioral Biometrics for Mobile User Identification via Multi-view Deep Learning

Re:scam and jolly roger – AI responses to phishing emails and telemarketers

Forward your scammer emails to Re:scam and here’s what happens.

Source: Re:scam

The AI bot assumes one of many identities with little mistakes and tries to keep the scammer busy with the email exchange for as long as possible using humor.

Which reminds me of http://www.jollyrogertelco.com/ (seems to be down now), which had a number and an AI which you could connect to and the AI would try to keep the telemarketer talking for as long as possible.

Machine learning of neural representations of suicide and emotion concepts identifies suicidal youth | Nature Human Behaviour

The clinical assessment of suicidal risk would be substantially complemented by a biologically based measure that assesses alterations in the neural representations of concepts related to death and life in people who engage in suicidal ideation. This study used machine-learning algorithms (Gaussian Naive Bayes) to identify such individuals (17 suicidal ideators versus 17 controls) with high (91%) accuracy, based on their altered functional magnetic resonance imaging neural signatures of death-related and life-related concepts. The most discriminating concepts were ‘death’, ‘cruelty’, ‘trouble’, ‘carefree’, ‘good’ and ‘praise’. A similar classification accurately (94%) discriminated nine suicidal ideators who had made a suicide attempt from eight who had not. Moreover, a major facet of the concept alterations was the evoked emotion, whose neural signature served as an alternative basis for accurate (85%) group classification.

Hackers Compromised the Trump Organization 4 Years Ago—and the Company Never Noticed

In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains.


The subdomains and their associated Russian IP addresses have repeatedly been linked to possible malware campaigns, having been flagged in well-known research databases as potentially associated with malware. The vast majority of the shadow subdomains remained active until this week, indicating that the Trump Organization had taken no steps to disable them. This suggests that the company for the past four years was unaware of the breach. Had the infiltration been caught by the Trump Organization, the firm should have immediately decommissioned the shadow subdomains, according to cybersecurity experts contacted by Mother Jones.
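The article’s point is that the shadow subdomains were sitting in public DNS records for four years and would have stood out to anyone who looked. As an added example (my own code, not from Mother Jones or the researchers quoted), here is the kind of zone audit that catches this: every address record is checked against the hosting ranges the organisation actually uses, and every name is checked against an asset inventory. The zone export format, the names and the addresses (RFC 5737/3849 documentation ranges) are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Record is one entry from a zone export: owner name, record type, value.
type Record struct {
	Name, Type, Value string
}

// SampleZone is a constructed export in a simplified "name type value" layout.
// The addresses are documentation ranges, not real hosts.
const SampleZone = `
; constructed sample, not a real zone
www.example.com            A     192.0.2.10
mail.example.com           A     192.0.2.25
api.example.com            AAAA  2001:db8::10
login-update.example.com   A     203.0.113.77
promo2013.example.com      A     198.51.100.9
`

// ParseZoneExport reads the simplified dump above; real registrar exports differ.
func ParseZoneExport(dump string) []Record {
	var out []Record
	for _, line := range strings.Split(dump, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		out = append(out, Record{Name: f[0], Type: strings.ToUpper(f[1]), Value: f[2]})
	}
	return out
}

// MustCIDRs parses the organisation's approved hosting ranges.
func MustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// AuditZone flags the two things the article says would have exposed the
// shadow subdomains: address records pointing outside the ranges the company
// hosts on, and names nobody in the organisation claims in the asset inventory.
func AuditZone(records []Record, approved []*net.IPNet, inventory map[string]bool) []string {
	var findings []string
	for _, r := range records {
		if r.Type != "A" && r.Type != "AAAA" {
			continue
		}
		ip := net.ParseIP(r.Value)
		if ip == nil {
			findings = append(findings, r.Name+": unparseable address "+r.Value)
			continue
		}
		inRange := false
		for _, n := range approved {
			if n.Contains(ip) {
				inRange = true
				break
			}
		}
		if !inRange {
			findings = append(findings, fmt.Sprintf("%s -> %s is outside approved hosting ranges", r.Name, r.Value))
		}
		if !inventory[r.Name] {
			findings = append(findings, r.Name+": not in the asset inventory")
		}
	}
	return findings
}

func main() {
	inventory := map[string]bool{"www.example.com": true, "mail.example.com": true, "api.example.com": true}
	approved := MustCIDRs("192.0.2.0/24", "2001:db8::/32")
	for _, f := range AuditZone(ParseZoneExport(SampleZone), approved, inventory) {
		fmt.Println(f)
	}
}
```

Run this against a fresh export of your registrar’s zone on a schedule and diff the findings; a record that appears without a change ticket is exactly the signal this company never looked for.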

How we fooled Google’s AI into thinking a 3D-printed turtle was a gun

Students at MIT in the US claim they have developed an algorithm for creating 3D objects and pictures that trick image-recognition systems into severely misidentifying them. Think toy turtles labeled rifles, and baseballs as cups of coffee.

It’s well known that machine-learning software can be easily hoodwinked: Google’s AI-in-the-cloud can be misled by noise; protestors and activists can wear scarves or glasses to fool people-recognition systems; intelligent antivirus can be outsmarted; and so on. It’s a crucial topic of study because as surveillance equipment, and similar technology, relies more and more on neural networks to quickly identify things and people, there has to be less room for error.

Signed Malware: using digital certificates to circumvent malware checks

Digitally signed malware can bypass system protection mechanisms that install or launch only programs with valid signatures. It can also evade anti-virus programs, which often forego scanning signed binaries. Known from advanced threats such as Stuxnet and Flame, this type of abuse has not been measured systematically in the broader malware landscape. In particular, the methods, effectiveness window, and security implications of code-signing PKI abuse are not well understood. We propose a threat model that highlights three types of weaknesses in the code-signing PKI.

Source: Signed Malware

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. “Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors,” Tudor Dumitras, one of the researchers, told El Reg.

“Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service.”
Source: Hackers abusing digital certs smuggle malware past security scanners – The Register
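The quote above is the whole problem in one line: the signature check on malware signed with a compromised certificate “does not produce any errors”. As an added example (my own code, not the Maryland researchers’ or Symantec’s), here is a Go program that builds a throwaway root CA and code-signing certificate in memory, signs a blob, and then shows the difference between a naive “is it validly signed?” check, which passes, and a policy layer that also consults a denylist of known-compromised certificate fingerprints, which rejects it. The CA, the publisher name and the denylist are constructed; in production the denylist would be CRL/OCSP plus your own threat intelligence.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Publisher bundles a throwaway root CA and a code-signing certificate issued
// under it. Everything is constructed in memory; nothing here is a real CA.
type Publisher struct {
	Roots *x509.CertPool
	Cert  *x509.Certificate
	key   *ecdsa.PrivateKey
}

// NewPublisher issues a self-signed root and a leaf with the code-signing EKU.
func NewPublisher() (*Publisher, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Software Publisher Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Publisher{Roots: roots, Cert: leafCert, key: leafKey}, nil
}

// Sign produces an ECDSA-P256/SHA-256 signature over the binary, as a signing
// tool would (minus the container format around it).
func (p *Publisher) Sign(binary []byte) ([]byte, error) {
	digest := sha256.Sum256(binary)
	return ecdsa.SignASN1(rand.Reader, p.key, digest[:])
}

// Fingerprint is the SHA-256 of the DER certificate, the usual denylist key.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SignatureValid is the naive "only run signed code" check: chain to a trusted
// root with the code-signing EKU and verify the signature. It passes for a
// compromised certificate exactly as it does for an honest one.
func SignatureValid(roots *x509.CertPool, cert *x509.Certificate, binary, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, binary, sig) == nil
}

// PolicyAccepts adds the step the signature math cannot do for you: refuse
// certificates known to be compromised or issued to impostors.
func PolicyAccepts(roots *x509.CertPool, cert *x509.Certificate, binary, sig []byte, denylist map[string]bool) error {
	if !SignatureValid(roots, cert, binary, sig) {
		return errors.New("signature or chain invalid")
	}
	if denylist[Fingerprint(cert)] {
		return errors.New("certificate is on the compromised-certificate denylist")
	}
	return nil
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	binary := []byte("constructed binary contents") // constructed stand-in for a signed executable
	sig, _ := p.Sign(binary)
	fmt.Println("naive check passes:", SignatureValid(p.Roots, p.Cert, binary, sig))
	fmt.Println("policy with denylist:", PolicyAccepts(p.Roots, p.Cert, binary, sig, map[string]bool{Fingerprint(p.Cert): true}))
}
```

The lesson from the paper applies to anything that whitelists by signature, AV scanners included: a valid chain tells you the key was used, not who used it, so revocation data and a compromised-certificate list have to be part of the decision.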

Millions of South Africans’ personal information may have been leaked online

The personal information of more than 30 million South Africans has apparently been leaked online. This is according to Australian security researcher and creator of ‘Have I Been Pwned’, Troy Hunt. His website allows people to check if their personal information has been compromised in a data breach. He took to Twitter on Tuesday to say he had “a very large breach titled ‘masterdeeds’”. The title of the data led him and other commentators to speculate that the leak was likely from the deeds office.
Identity numbers
If the information Hunt has is legitimate, it may be the biggest breach of Popi (Protection of Personal Information Act) to have ever taken place. Hunt said the database contained names of people, their gender, ethnicity, home ownership and contact information. The data also contained people’s identity numbers and other information like their estimated income and details of their employer. He said the information appeared to be from a government agency. MyBroadband reported that the database was a 27.2GB backup file that Hunt found on Torrent and he gained 31.6 million records before it crashed. He said there could be over 47 million records in the database.

Source: Millions of South Africans’ personal information may have been leaked online | Fin24

Virtually everyone in Malaysia pwned in telco, govt data hack spree

Information on 46.2 million cellphone accounts was slurped from Malaysian telecoms providers. To put that in context, the population of Malaysia is 31.2 million; obviously, some people have more than one number. The stolen telco records include people’s mobile phone numbers, SIM card details, device serial numbers, and home addresses, all of which are useful to identity thieves and scammers. Some 80,000 medical records were also accessed during the hacking spree, and government websites as well as Jobstreet.com were attacked and infiltrated, too, we’re told.
Malaysian officials confirmed this week that nearly 50 million mobile phone account records were accessed by hackers unknown. The authorities also warned that people’s private data was stolen from the Malaysian Medical Council, the Malaysian Medical Association, the Academy of Medicine, the Malaysian Housing Loan Applications body, the Malaysian Dental Association, and the National Specialist Register of Malaysia.

It’s believed the systems were actually hacked as far back as 2014, The Star reported.

Source: Virtually everyone in Malaysia pwned in telco, govt data hack spree • The Register

Large companies in NL giving Facebook personal client data freely

The companies asked by the consumer protection authority are

ANWB, Nuon and Oxfam Novib. De Bijenkorf already stopped doing this some time ago. Essent has promised to stop soon, and KLM and Transavia are reconsidering their approach. Bankgiroloterij, FBTO, KPN/Telfort, Postcodeloterij, Vakantieveilingen, Vriendenloterij and de Persgroep are simply carrying on. Of Heerlijk.nl, HelloFresh and Hotels.nl

To be fair, some were giving the data away encrypted.

BMWs from between 2006-2011 at fire risk, recalled in the US

One recall covers 670,000 2006-2011 U.S. 3-Series vehicles to address a wiring issue for heating and air conditioning systems that may overheat and could increase the risk of a fire.

The second recall covers 740,000 U.S. 2007-2011 vehicles with a valve heater that could rust and lead to a fire in rare cases. The recall includes some 128i vehicles, 3-Series, 5-Series and X3, X5 and Z4 vehicles.

This is important because generally these recalls only happen in the US due to lawsuits, even though the danger is to all vehicles worldwide.

Yes, Google is reading your corporate documents and you agreed to it.

Many people worried that Google was scanning users’ documents in real time to determine if they’re being mean or somehow bad. You actually agree to such oversight in Google G Suite’s terms of service.

Those terms include personal conduct stipulations and copyright protection, as well as adhering to “program policies.” Who knows what made the program that checks for abuse and other violations of the G Suite terms of service go awry. But something did.

And it’s not just Google that has such terms. Chances are you or your employees have signed similar terms in the many agreements that people accept without reading.

The big concern from enterprises this week was not being locked out of Google Docs for a time but the fact that Google was scanning documents and other files. Even though this is spelled out in the terms of service, it’s uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud.  

This is part of a workshop I have given several times: many companies do this happily. Oddly enough you won’t find their invasions in the privacy policy, but in their terms of service is where you find the interesting maneuvering. It’s actually worse than above: you generally give away copyright to all your documents as well 🙂

Mozilla Wants to Distrust Dutch HTTPS Provider Because of Local Dystopian Law (Sleepnetwet)

If the plan is approved, Firefox will not trust certificates issued by the Staat der Nederlanden (State of the Netherlands) Certificate  Authority (CA).

This CA is operated by PKIOverheid/Logius, a division of the Ministry of Interior and Kingdom Relations, which is the same ministry that oversees the AIVD intelligence service.

New law gives Dutch govt power to intercept Internet traffic

What’s got Mozilla engineers scared is the new “Wet op de inlichtingen- en veiligheidsdiensten (Wiv)” — translated to Information and Security Services Act — a new law voted this year that will come into effect at the start of 2018.

This new law gives Dutch authorities the powers to intercept and analyze Internet traffic. While other countries have similar laws, what makes this one special is that authorities will have authorization to carry out covert technical attacks to access encrypted traffic.

Such covert technical capabilities include the use of “false keys,” as mentioned in Article 45 1.b, a broad term that includes TLS certificates.

Cross-Cultural Study on Recognition of Emoticon’s shows that different cultures see emojis differently

Emoticons are getting more popular as the new communication channel to express feelings in online communication. Although familiarity to emoticons depends on cultures, how exposure matters in emotion recognition from emoticon is still open. To address this issue, we conducted a cross-cultural experimental study among Cameroon and Tanzania (hunter-gatherers, swidden farmers, pastoralists, and city dwellers) wherein people rarely experience emoticons and Japan wherein emoticons are popular. Emotional emoticons (e.g., ☺) as well as pictures of real faces were presented on a tablet device. The stimuli expressed a sad, neutral, or happy feeling. The participants rated the emotion of stimulus on a Sad–Happy Scale. We found that the emotion rating for the real faces was slightly different but similar among three cultural groups, which supported the “dialect” view of emotion recognition. Contrarily, while Japanese people were also sensitive to the emotion of emoticons, Cameroonian and Tanzanian people hardly read emotion from emoticons. These results suggested that the exposure to emoticons would shape the sensitivity to emotion recognition of emoticons, that is, ☺ does not necessarily look smiling to everyone.

Source: Is ☺ Smiling? Cross-Cultural Study on Recognition of Emoticon’s Emotion, Journal of Cross-Cultural Psychology – Kohske Takahashi, Takanori Oishi, Masaki Shimada, 2017

39 episodes of ‘CSI’ used to build AI’s natural language model

A group of University of Edinburgh boffins have turned CSI: Crime Scene Investigation scripts into a natural language training dataset. Their aim is to improve how bots understand what’s said to them – natural language understanding. Drawing on 39 episodes from the first five seasons of the series, Lea Freeman, Shay Cohen and Mirella Lapata have broken the scripts up as inputs to a LSTM (long short-term memory) model. The boffins used the show because of its worst flaw: a rigid adherence to formulaic scripts that make it utterly predictable. Hence the name of their paper: “Whodunnit? Crime Drama as a Case for Natural Language Understanding”. “Each episode poses the same basic question (i.e., who committed the crime) and naturally provides the answer when the perpetrator is revealed”, the boffins write. In other words, identifying the perpetrator is a straightforward sequence labelling problem. What the researchers wanted was for their model to follow the kind of reasoning a viewer goes through in an episode: learn about the crime and the cast of characters, start to guess who the perp is (and see whether the model can outperform the humans).

Source: 39 episodes of ‘CSI’ used to build AI’s natural language model • The Register

Bitcoin Pioneer Says New Coin to Work on Many Blockchains

The mobility means that if one blockchain dies out as the result of infighting among developers or slackened use, metronome owners can move their holdings elsewhere. That should help the coins retain value, and ensure their longevity, Garzik, co-founder of startup Bloq that created metronome, said in a phone interview. It will be unveiled Tuesday at the Money 20/20 conference in Las Vegas. “Institutional investors should be very excited to see something like this,” Matthew Roszak, the other co-founder of Bloq and chairman of industry advocate Chamber of Digital Commerce, said in a phone interview. “We’ve built a thousand-year cryptocurrency, something that’s built to last.” That’s a concern for many digital currencies. Infighting among developers and various supporters, and the slow pace of enhancements on the bitcoin blockchain have helped to limit use. Both bitcoin and its main rival, ethereum, have split into several versions. More splits could be coming — partly, thanks to Garzik, who is a proponent of and a developer for an upgrade to the bitcoin network called SegWit2x, which offers one way to speed up transactions. That split could happen in November.

Source: Bitcoin Pioneer Says New Coin to Work on Many Blockchains – Bloomberg

A useful feature for a coin.

Turns out that dating apps can give away your location, show who you like and who and where you are

It seems just about everyone has written about the dangers of online dating, from psychology magazines to crime chronicles. But there is one less obvious threat not related to hooking up with strangers – and that is the mobile apps used to facilitate the process. We’re talking here about intercepting and stealing personal information and the de-anonymization of a dating service that could cause victims no end of troubles – from messages being sent out in their names to blackmail. We took the most popular apps and analyzed what sort of user data they were capable of handing over to criminals and under what conditions. We studied the following online dating applications:
Tinder for Android and iOS
Bumble for Android and iOS
OK Cupid for Android and iOS
Badoo for Android and iOS
Mamba for Android and iOS
Zoosk for Android and iOS
Happn for Android and iOS
WeChat for Android and iOS
Paktor for Android and iOS
By de-anonymization we mean the user’s real name being established from a social media network profile where use of an alias is meaningless.

Source: Dangerous liaisons – Securelist

AMD sales soar, actually makes a profit, beats expectations, share price… decimated

Intel’s antitrust shield even loses when it wins
By Shaun Nichols in San Francisco, 25 Oct 2017

AMD revenues were up, an actual proper profit was banked, and its future looking brighter than ever in the past financial quarter… meanwhile investors are selling off shares fearing a downturn looming for the chip designer. Strong sales from its Ryzen and Epyc Zen-based processor lines helped the world’s second-favorite x86 PC and server chip slinger grow revenues by more than 25 per cent in its third quarter of 2017, the three months to September 30. Here’s a summary of the figures, announced on Tuesday:
Revenues of $1.64bn were up 26 per cent from $1.31bn in Q3 2016, and topped analyst estimates of $1.51bn.
Net income of $71m topped the admittedly low bar set by last year’s $406m quarterly loss, in large part caused by a $340m payment to Global Foundries. For a different angle, non-GAAP operating income this year was $110m compared to $27m this time last year.
Earnings per share were $0.10 non-GAAP, topping analyst estimates of $0.08.
Computing and graphics processors (PC CPUs and GPUs) accounted for much of the jump, as the Ryzen launch and Radeon revamp bumped revenues to $819m, compared to $472m on the year-ago quarter. CEO Lisa Su claimed AMD’s Ryzen desktop processors made up 40 to 50 per cent of CPU sales at certain online retailers.
Enterprise, embedded, and semi-custom (everything from servers to games console chips) logged revenues of $824m, down slightly from $835m this time last year.
Investors, meanwhile, seemed to be less interested in 7nm than in what lies immediately ahead for AMD. For the upcoming quarter, the chip designer is expecting a sequential revenue decline of 15 per cent, with year-over-year Q4 revenues up by 26 per cent. Additionally, AMD said that it sees sales for hardware specializing in blockchain calculations – GPUs for Bitcoin and other alt-coin mining, which has fueled sales – “leveling off” as demand slows.

Those figures spooked shareholders after hours, sending AMD stock down by 10.5 per cent to around $12.75 per share at the time of writing.

Source: AMD sales soar, actually makes a profit, beats expectations, share price… decimated • The Register

Signs the market we use is outdated!
