sábado, abril 22, 2017

Convoluted Crime Fiction: "She Died a Lady" by John Dickson Carr

Just about every book written by John Dickson Carr is a locked room mystery, and all of them try to play fair (thus also trying to drive the reader nuts), but I always feel Carr tried too hard. His books are so convoluted that they become almost unreadable. I’m a bit reluctant to continue reading books wherein the intricacies become utterly unbelievable (why do some authors bother to impinge on our consciousness crap like this?) I’m better off reading Agatha Christie. This Carr was me being back to 'easy' reading after a hard week reading hard stuff. This one is among his middle-rankers. The method of murdering two persons close to a cliff with only his own footprints on wet sand was clever - maybe a bit too clever-clever - and the characters a touch clichéd - but then you do meet the same people over and over again in a Carr novel. The fun is in trying to out-guess him, and in the wonderful, spooky atmospheres he creates. Unlike Christie, the Carr’s leave a lot to be desired. In this case the solution just doesn't hang together. The characters and motivations are there but the explanation of the murder is just too weird. Carr once again didn’t play fair.

sexta-feira, abril 21, 2017

Tor2Web Proxy: "The Dark Net - How to Stay Anonymous Online Even from the NSA" by Peter Johansen

The darkness exists in the human mind not the technology.
Victorian Portugal was full of dark secrets that have had a negative effect on
this society ever since, far more than the internet has.

There's the "dark web" - i.e. the web you need to use Freenet or Tor or something like access (and those two are just examples, and they form distinct non-interconnected webs). And then there's the "deep web" - this is websites whose content is not indexed by search engines, because you need to register or pay to access the contents, or has Flash front ends, or is otherwise unavailable to a search engine. This is the thing that is likely much larger than the freely available web, and it's usually because there's money to be made by gate-keeping access to it. There's very little illegal, immoral or otherwise dodgy about the deep web; most of it is for-pay services, which are usually easy to clamp down on if they're illegal - just follow the money. 

Am I missing something here?

Yes. Google doesn't search every machine on the Internet. most of those don't have websites on them. Google only gets links by people who either fill out a "request for indexing" form or by following links from other pages. So if you create a website on your home machine and don't tell anyone...it's part of the dark web. It only exists to people who know about it. If you post your link inside a chat room that isn't accessible to Google (maybe because you must login with a password, like say Yahoo chat) ...then it's still part of the dark net. However, it's obscurity rather than security. no one can find it because no one can second guess your url. However, (again) Freenet users don't talk to each other. The user doesn't ask the website author for the site like the regular, it asks a friend to do so on their behalf...who may ask someone on their behalf...thus no can work out who is reading the content. A system of replication ensures the author doesn't point directly at a machine but just somewhere "generally" in the network. Thus, everyone is anonymous. Even if Google could index the content...they wouldn't know what they were indexing or where it came from. Two aspects of Freenet immediately bother me, which is why I won't be downloading or using it. First up is the distributed nature of the data storage - even if my use is perfectly legal, it could be storing material on my computer which is not only illegal but also highly offensive. Now, perhaps that doesn't bother you, but it bothers me. Secondly, per the Freenet site, "Files are encrypted, so generally the user cannot easily discover what is in his data store, and hopefully can't be held accountable for it." Did you spot that there? hopefully. I must say that I find that statement rather irresponsible; fortunately, in Portugal especially there’s no RIPA legislation where you can be sent to jail for not revealing your encryption keys, irrespective of the content you are protecting. And if this sounds far-fetched, you should be aware that it has already happened (http://www.theregister.co.uk/2009/11/24/ripa_jfl/). There is also no commercial element in Freenet. The developers have deliberately eschewed the creation of anonymous money. That takes the rug from under some criminal activity. On the practical side of things, Freenet is slow and not an ideal environment for swapping large files. On Freenet, most people choose to remain anonymous; that limits their interactions to a degree. On the conventional internet groups of people may work together using opaque encrypted connections and truly conspire in illegality if they wish; they sacrifice their anonymity to connect in the first place. Conspiracies are broken by their weakest link. Most (perhaps all setting aside whatever GCHQ accomplishes) clever internet police detective work begins from traditional policing methods. A suspect is brought to their attention somehow either by acting suspiciously on the internet (say a chatroom) or by coming under suspicion in the ordinary world. The suspect's computer is inspected and this may lead to new suspects. At that point the police may opt to operate a scam to catch others in the act. Freenet was developed to promote freedom of speech, particularly in places like China.

TOR, at present, is anonymous only in some internet transmission modalities.

There is much distasteful material on the internet and doubtless on Freenet. I suspect that much of this is the same stuff cycling round and round. The priority for law enforcement should not be the relatively easy option of identifying people in possession of this material but rather at grabbing those who create it in the first place. This is where the traditional internet is so important because only on it is there commerce. Cabals sharing a criminal interest, operating covertly and not putting the product of their activities for sale on the internet will be broken only by serendipity arising from traditional policing methods.

ToR causes a marked slowing of browser response. That's because the number of people using it are relatively few. What would make these technologies sit up and work is the introduction of millions of new non-combatant users motivated to avoid governmental surveillance and copyright controls. These dark side technologies are relatively immature, yet I can see at least one design that links ToR, Kademlia and strong cryptography that would present an intractable file sharing system and alternative email backbone. The question is this: given that relatively few malcontent users are using simple technologies, is it desirable to obfuscate them behind millions of benign users deploying strong technologies because of incontinent legislation? If I were employed by the Portuguese secret service, I'd be rather concerned about losing the ability to see the bad guys from the trees.

Ugh. Ok, so who is creating all this dark content? Are there 400-500 times more people creating content than we 'know' about? On the net content is king. There is unlinked content, mostly image files, but frankly most of that is probably illegal sexual stuff and while there is some truly unpleasant stuff out there in the hard to find places there are an awful lot more legal porn images (because it's a vast business) and teenagers on youtube putting up clips of them taking the piss out of their mates, because it's easier than videoing the construction of homemade nuclear devices.

Google doesn't simply search JSTOR - publishers are required to provide google with something called an abstract to crawl before their content can be indexed (basically the non-subscriber landing page). I create content on the darkweb (silly term) everyday such as hidden back content to support published websites, and none of it is crawled by google or anyone else for that matter. And none of it is in the least bit illegal or even morally dubious. Most of the unknown web is full of boring web infrastructures, and certainly not child pornography.

Predictive searches never show porn related stuff (or so I have read); I guess that would conflict with Google's public image, but if you type rotten you get rotten.com before you've typed tomatoes; some time ago Google courted some controversy by refusing to take down a racist photoshopped pic of Michelle Obama - citing rules that they only removed content when legally required to do so, all of which makes their ethics seem a little patchy. The point I'm trying to make is that I would gladly trade free albums for the loss of sites like rotten.

I'll probably get criticised for this and I'm aware that there is no perfect solution. No-one wants an internet with little free content and a big buy button on the top of the screen, but I am concerned about the excesses of the internet (never mind the dark web freenet thing) and its influence on peoples' morality and behaviour. I think the idea of "public" content being in the minority is a complete fantasy and the percentages plucked from the air, also I think it should be made clearer that there is a big difference between actively hidden content and activity for clandestine, political or paranoid reasons, and content that is simply defunct, old outdated websites that no one links to any more but aren't deleted, abandoned personal websites or free websites for companies that have gone out of business. Hard drive space is cheap these days and older websites don't take up much room. Also important is separating traffic from actual useful available web content, files or communication; no doubt a huge amount of traffic is taken up by spam and automated programs like trojans and the like. The idea of a huge goldmine of interesting secret information that dwarfs the public web makes no sense, the number of users and content publishers in these "sub nets" are by their very nature minuscule.

Virtually everyone I know with a computer does or has at some point downloaded music or films through Limewire or rapidshare or whatever, and those who haven't have at the very least watched unlicensed rips of shows on youtube for example - and none of those people would consider themselves criminal, even remotely. It's one of the odd things I've always thought about the whole filesharing thing - it's right there, hugely visible and you don't need to search far to get to it - just post the name of a record in google and you're likely to get to a rapidshare link or an equivalent within two or three pages of results. Google will probably lead you to thousands more pirated works than I imagine you'd ever find on freenet.

Johansen’s book is not earth-shattering, but it gives all the basic necessary ingredients for you to dip your toes in the water dark-web-wise.

quarta-feira, abril 19, 2017

Dated Crime Fiction: "Sunset Express" by Robert Crais

Gosh, Robert Crais! I really want to like you, but after lots of books in and it still feels like gawky blind dating rather than true love.  I should be really digging these Crais novels, but I’m not. A smart-aleck gauntleting detective with a mean-as-hell friend is something that I can’t get enough of in other books. But something just isn’t coalescing here. From Crais first novel, I thought that Crais was doing a west coast version of Robert B. Parker’s Spenser novels and that feeling continues here. It isn’t Crais’ fault that I’m reading these over many years after he wrote them and that they seem dated in a lot of ways to me; having said this, there are still just too many clichés for me to overlook in this. Plus, Elvis is just such a dogged know-it-all that he tends to get on my nerves. Characters like Marlowe, Spenser or Lehane’s Patrick Kenzie can be wise asses and tough guys, but it feels like Cole can’t let the mildest thing go by without trying to act like a comic at karaoke night. What saves this book Cole’s quick jokes. So quick, he had me laughing like crazy a few pages in. That's pretty darn quick.

NB: According to BL/GR/LT this is my 400th/396th/394th book review. I believe BL is correct.

segunda-feira, abril 17, 2017

Nuanced SF: "Crackpot Palace - Stories" by Jeffrey Ford

There are two kinds of "favourite books," I always say. There are the ones that you recognize as original in concept, extremely well written, and strong in theme. Then there are the ones that say something personal to you so that you identify with the protagonist, live in that society, laugh at the jokes and thrill at the adventure, but also realize that the style may not be so good or the theme so strong. I ain't half the SF geek I was when I was younger - you know, before I discovered characterisation and inner life - but I still appreciate a good novel of ideas. So often, it comes down to a tug-of-war of definitions and false differences of opinion. The mundane literary establishment tends to demean SF. Yet, the works of Cormac McCarthy, Jonathan Lethem, Michael Chabon, Doris Lessing, Margaret Atwood and Kurt Vonnegut are just as much SF, using the same devices to advance the same thought experiments and commentary on society as many other SF writers can do. Quite honestly, many of the SF writers do at least as good a job of tackling the thorny issues as the more literary writers, and write extremely well. On the other hand, there are certainly books written to be enjoyed and consumed, without quite such a hefty intellectual burden. These have their place (in SF and, frankly, in mundane fiction) as well. SF and mundane literature are not and need not be exclusive domains. It’s stupid that different literary realms will try to claim a book like “The Road” for themselves. “It’s highfalutin literature!” “No, it’s SF!” “It’s mine!” “No, it’s mine, you idiot!” As a reader, I want both gorgeous prose and a strong plot. And that’s where Jeffrey Ford comes in. He’s one of those writers that is both comfortable in the SF and literary domains. Jonathan Lethem is another case in point. Reading a short-story collection by Jeffrey Ford is like taking a master class in how to write, and "Crackpot Palace: Stories" is the author's most masterful yet. Not only do the stories range widely across popular genres, from noir to horror to high fantasy to literary, but each exhibits expert understanding and control of the elements that breathe life into these forms. I became invested in the characters, absorbed in their internal and external mysteries, enveloped by their locales, and enthralled with the themes they explore. Ford's prose is as precise and nuanced as ever, and he bends his style to serve each tale differently. The casual everyday idiom and lightly profane voice perfectly fit the hilarious suburban satire "Sit the Dead," while a rural directness and earnestness in the narrative language help to shape both "Down Atsion Road". Most of the stories don't neatly fit into a single genre but instead straddle two or more categories confidently, and this provides part of their freshness. Everyone is a treat, and the whole collection is an expansive and satisfying feast. His characters are unique and so vividly described you can easily see them. You should remember “Robot General”, “Jimmy Tooth”, and “Father Walter” well after having finished this short-story collection. Ford has a unique imagination and a calm, assured way of writing that is intoxicatingly seductive. I loved almost all of these stories even the crazy ones.

SF = Speculative Fiction.

sábado, abril 15, 2017

Matthew 28

I loved Bookstooge's post so much I was pushed to emphasize it through a text of "me" own:

To be a true believer is a wonderful gift. I can’t take any credit for it though. Ordinarily one cannot just seek belief – it finds you when you’re ready. That readiness has to do with making space within for an answer. But many of us today are crammed full of opinions and second-hand facts – that is the way of the world. It has to do with ego of course – we don’t like to have emptiness inside. But the act of making space is what lies behind the meaning of to “ask”. Ask (empty yourself) and ye shall receive.

quarta-feira, abril 12, 2017

This is How the World Will End: "The Art of Invisibility" by Kevin Mitnick, Robert Vamosi

This book calls for a limerick of "me" own:

This is how the world will end.
This is how the world will end.
Not with the roar of a lion
But with the click of a mouse.

Mitnick's and Vamosi's book is for the layman. You won't find here buffer overflows (NOP sled,  or overwriting the stack return pointer), network scans/DoS attacks, integer overflow exploitation, details about recent techniques to bypass ASLR, shell-code injection, network sniffing, no kernel hacking/rootkit exploits, i.e., it does not break ground as a book to explain how hacking and software exploits work and how readers could develop and implement their own. It's a breezy read with lots of information, but the deep dives aren't there.

Reading this, it got me thinking once again on IT security aspects. I've done this recently when I read my last security book. Every time I read something like this, I always get in the mood "Oooh spooky, 'cyber security', how hip, how now." Cyber security is what used to be called 'spying' and that goes back to erm...Caesar Augustus as emperor lived in a modest two story home in central Rome. Two floors around an open central area and thin columns sparsely placed to form colonnaded mezzanine ground and top floor and no drapes or hangings - he lived in a modest house with open mezzanines so that NO ONE COULD HIDE BEHIND columns and listen to his conversations. Spying is as old as ancient governments.

Technology helped the dissemination to become global, helping thus "disseminators" on all sides to keep each other in power even easier.
The actual sides in that war are not different groups of "disseminators", but all "disseminators" of fake news on one side, and all recipients of fake news on the other.
Hacking, being digital or "analogue" one, is a weapon of recipients' defense, therefore all hackers, being digital or "analogue" ones, are "Fifth Column" to all of the fake news "disseminators". And, of course that "disseminators" is the term borrowed from management theory. The Fake News War is about management of facts, which to hide and which to reveal in averted form.

I mean, come on... people are being fired and/or punished for accidentally forgetting one confidential paper on the office table overnight and not under the lock.  So, we are not talking then about hacking as the warfare which started the cyberwar, but about cyberspace as the warfare, however and whatever for it is used. Then we may say that the cyberwar started not in 21st century, but in the late 70s, when the first permanent ARPANET link was established between UCLA and the Stanford Research Institute. Besides, we call them First and Second World War, not the gas/tanks/trenches war and plane/rockets/atomic war respectively. I'm arguing that hacking is not the most important weapon of choice to alleged sides in war, but the fake news which has been disseminated for ages before the cyberspace started to exist.
The next world war may well be fought in Cyberspace but it won’t resemble the mischief or the malicious hacks we've been witnessing (Stuxnet gave a glimpse of the potential - the Iranian nuclear centrifuges were driven into meltdown). It will be an altogether more devastating attack on vulnerable civilian and military infrastructure, as likely as not launched from a third world country without a developed economy vulnerable to counter attack (not that the targets will be able to identify the source of the attack).
The greatest danger is not Russia but probably ISIL or a small rogue state - North Korea is a possibility. Imagine the damage if the Internet is taken down, if transport, water, power and utilities cease to function. We're sleepwalking into a potential meltdown.

I still hear lots of people talk about the TalkTalk situation (forgive me the pleonasm...). Let's be clear about it. Broken into by a young hacker? How bloody fortunate you all are that it was not the Chinese, Russians, Koreans, or Americans. But perhaps they already did, and you haven't yet found out. Would they even know? Apparently they still don't know whose data may or may not have been compromised. The real story here appears to be a lack of adequate security. Data that is not encrypted. A lack of layers of protection that prevent access to anything of importance. And a level of overall control of access that is so poor that a 15-year old can get in. Perhaps the word is porous. If anyone is at fault, it is not the successful hacker, but the company that failed to apply the time and resources (including funds) required to meet their responsibilities and obligations to those whose information they hold in trust. Too many companies are run by non-technical posho/MBA idiots who think the IT team are the home help, and not the people who keep the engine room running.
There are clear issues of due diligence and corporate responsibility which can only be solved by fines for board members and disqualifications addressed at company members.  Until then we'll have to put up with the corporate equivalent of directors who leave customer secrets in a filing cabinet in the street under a sign saying "It's not locked." if only TalkTalk spent 10% of what they spent on advertising on security.

All the cushy over paid jobs are in marketing, law etc. Engineers need more respect / pay. They do all relevant work. Marketing people are mostly about trying to get you to choose one brand over the other. But so much is spent on it - they lose out on quality and service in their product. Talktalk is a classic example. "Sponsoring" popular TV programmes (more money of our money going to over paid talentless people: “Portugal’s Got Talent, and crap like that).

There is a bit of a secondary problem which gets no attention at all: running a badly secured computer may end up making you an unwitting collaborator in crime - the Denial Of Service attacks (basically flooding a service so it no longer works) is only possible using thousands of hacked systems, and hacked systems are often used as proxies for the real criminal to hide behind. Strangely, the most prevalent OS still needs the sticking plaster of anti-virus software to be anywhere near suitable for use on the Internet. Back in the day, when I was doing this as a night job, I remember having found a page on one website that always took a long time to render. If I hit it with a few requests the whole of the website was inaccessible. I could kill the site from a browser. Turned out, talking to one of the developers I knew, that there was some badly written SQL used to render that page that caused the database server(s) to grind to a halt. WTF?? And don't let me start talking about the way operating systems can be got at. There have been totally new concepts of PC software put forward by those far better than me, which would cut down a lot of the vulnerabilities we now see, but no one cares and they would involve a radical re-think of how we use the web. It would involve total ownership of the Operating System by the user, it would be impossible to alter or add to and would be a physical non writeable entity. No agreement to terms or any of that rubbish, it would be yours only. Beyond that there would be a 4 stage later before you get out to where we use the web today. Attacks would be more and more difficult as you go down through the layers and compromise of the Op. System would be impossible. I have heard techies walking through this set-up and agreeing that only the host of the router would be able to trawl or snoop in a blanket way, and any suspected compromise could be cleaned immediately. It would be better than we have today, but would curtail lots of money making habits companies are used to currently, and involve the users actively maintaining their Op. System a bit like looking after a fish tank. We just don't seem to care much about the security, so any improvement is unlikely, plus there are an awful lot of people doing very nicely out of the way it is currently thank you. It is my firm opinion that people are not too bothered about the Secret Services looking and watching, under some supervision, for security reasons, but the ongoing access of all activity to be disseminated to others on an "official" basis is the widespread concern on most.

As the snooping could be done at all routers or by piggy backing onto hubs, the Secret Services should be able to get whatever they want, there should not be a problem.
I imagine key depression is what they are wanting to monitor through the Op. System upgrade, they then pick up everything before encryption, and get decent profiling of keying speed and the personal idiosyncrasies of the user's hand actions, but the whole thing could be a lot simpler and robust with most people getting largely what they want, except the criminals (in the main).
The whole thing is in a real mess, and when the Secret Services can't even keep the Atomic Bomb, The Watergate Project, or even the current Mass Surveillance infrastructure secret, it does make people feel like some new thinking is required.

The typical hacker relies on lack of defenses, inadequate security budgets and ineptitude of middle managers (let's direct resources at this non-problem, and leave all the SQL un-encrypted). I worked on lots of "on-the-side" projects where these hackers were constantly trying to break in and award themselves "the sword of dobber". Simply encryption and authentication took care of every hacker except the military grade/Israeli. Most of these guys knew how to run Linux as root and frequent forums that give them most of what they know, aside from that they succeed where the gatekeepers leave the back door open.

On a side note, because I really hate Mr. Robot, let me once more add fuel to the fire. As a piece of drama Mr. Robot is pretty rubbish. Its world view is naïve, adolescent, and confused. The Christian Slater character is an immature and delusional idiot - the eternal narcissistic adolescent clown. Please do not re-boot.

terça-feira, abril 11, 2017

Micro-Fiction, Text 007: "He Lived as He Died" by Myselfie

I knew he was dead. The blood and the hatchet buried in his head was a giveaway.

As I walked past he let off a bubbling sound. I ignored it. Air in the lungs seeping out. Seen it all on CSI. I went through the drawers, bottom first like they show on TV. Looking for his hoard, his flash, a reason for him existing. A picture of him on a donkey on some wind swept beach when he was about 12yrs old. Wedding pictures, pictures of him and his hang-arounds in a pub in Alicante. All smiles all happy. Bastard. He was scum a shit a merchant of piss and bad poison to the children of the lost. No future here, move along please. The hatchet in the head was a symbol, a pagan gesture. He had been shot and then axed. The righteous men where long gone. A happy ending to a nasty story. He lived as he died, on his knees pumped full of lead and needle holes. Was I sorry? No. I set him up. He was a young cocky bastard who blossomed into a wife beater, dream stealer, cop squealer. Now just another axed drug dealer. They would come back for me. They had a taste for it now, for righteous killing. Did I care? No. My happy times. None. Friends. None. Future. None. The bundle was thick and heavy. Held together by big red rubber bands. The notes torn and soiled by an army of unwashed trembling junkie hands. Greasy Euros and black Dollar bills mixed company with Elizabeth. Her jaded jubilee crown, smudged with the unhealthy sweat of bad lies and unfilled expectations.

30 pieces of HIV silver in my pocket. I left. And went looking for the next stage out of Dodge.