fuzhong.org

Sunday, January 29, 2012

The microblogging service Twitter has changed its software support for censoring posts. With the new updates, Twitter can now withdraw individual posts and accounts in specific countries, as opposed to a global deletion. Twitter announced these changes in a blog post on Thursday, and released a clarification update on Friday.

Twitter says it needed to make the changes to expand on an international level. It said in a blog post entitled Tweets still must flow, “we will enter countries that have different ideas about the contours of freedom of expression. Some differ so much from our ideas that we will not be able to exist there. Others are similar but, for historical or cultural reasons, restrict certain types of content, such as France or Germany, which ban pro-Nazi content.” Twitter says it will use the new feature only “when required to do so in response to what we believe to be a valid and applicable legal request.”

The new tools will give Twitter the ability to withdraw posts and entire accounts in selected countries. Once the posts have been withdrawn, they are replaced with a message saying: “This Tweet/account has been withheld in: Country.” and then links to a support page.

The social network has been used in the past as an outlet for political expression. During the Arab Spring, protesters in various countries used Twitter to mobilize support and report information to the outside world.

Some users have proposed boycotting Twitter. The organization Reporters without Borders sent an open letter to Twitter’s chairman, Jack Dorsey, saying “We urge you to reverse this decision, which restricts freedom of expression and runs counter to the movements opposed to censorship that have been linked to the Arab Spring, in which Twitter served as a sounding board… Twitter is depriving cyberdissidents in repressive countries of a crucial tool for information and organization.”

Thursday, October 19, 2017

On Monday, digital security researchers Mathy Vanhoef and Frank Piessens of Belgium’s KU Leuven university publicly disclosed a security vulnerability in the WPA2 Wi-Fi (wireless local-area networking) protocol, which they called KRACK (for Key Reinstallation Attack). Their study claimed KRACK affects every modern device using Wi-Fi; it can be fixed by a software update, researchers said.

Vanhoef wrote, “Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.” Vanhoef notified vendors about the flaw in July, including UNIX-like operating system OpenBSD. “If your device supports Wi-Fi, it is most likely affected. […] In general, any data or information that the victim transmits can be decrypted”, he wrote.

The study papers, which were submitted for review on May 19, were kept in confidence allowing companies to fix the security flaw. The United States-based Computer Emergency Response Team (CERT) informed vendors on August 28. The Wi-Fi Alliance said it “could be resolved through a straightforward software update.” OpenBSD released their software patch on August 30.

Exploring the flaw which affected every device the researchers had tested, National Cyber Security Centre of the UK said “the attacker would have to be physically close to the target”. But due to this flaw, an attacker can send malware or ransomware on the websites, Vanhoef claimed.

Linux-based operating systems including Android v6.0 and higher are especially affected by this flaw, while Windows and iOS are not as vulnerable as Android by this flaw as they do not fully implement WPA2.

Microsoft reportedly has released security patches for Windows 7, 8, 8.1 and 10. Google said Android operating systems would receive the updates in the software update scheduled to be made available on November 6. Apple has implemented the patch in the beta versions of their operating system iOS, macOS, tvOS and watchOS, however it is yet to roll out patches for stable operating systems.

WPA2 protocol has been used for more than a decade, and has been compulsory for Wi-Fi since 2006. KRACK would also affect various home appliances which can be controlled over Wi-Fi, within the so-called “Internet of things”. Andrew Martin from Oxford University said, “We can be sure a lot of these devices won’t be patched[…] Whether that matters for this attack or only for some future attack is yet to be seen.”

The study and its findings are scheduled for presentation at the ACM (Association for Computing Machinery) Computer and Communications Security conference on November 1.

Monday, March 19, 2012

Hawker, Australian Capital Territory — Tonight, the Japanese national team beat the Australian Capital Territory (ACT) softball team 1–0 in the first of a two game series before Japan plays a three game test series against the Australian national team.

The game was a low scoring pitching duel. Japan brought five pitchers to Canberra for their Australian tour. Since the last Olympics, Japan has been in a rebuilding period. The side is young and many of their best players have not had much international experience. One of their best pitchers is only nineteen years old.

The ACT side included Australian national team members Aimee Murch and Clare Warwick; Olympic bronze medalist Brenda De Blaes; Victorian state team representative, national team member and Olympic bronze medalist Justine Smethurst; and Clare Currie, who narrowly missed the cut for the national team.

De Blaes started the top of the first with a hit. She ended the inning stranded on base. Murch was pitching for the ACT to start the bottom of the first. Number 15 for Japan opened the inning with a single, and was advanced to third on another single. She was tagged out after trying to score a run after her teammate hit a pop up caught by the ACT’s centre fielder. Number 6 hit a double during this inning, scoring Japan’s only run.

The top of the second saw ACT players 1, 5 and 3 tagged out after hits to the infield. The bottom of the second saw number 13 out on a foul ball caught on the fly by the ACT’s third baseman, and number 11 and 24 out on balls hit into and caught by the ACT’s centre fielder.

The top of third inning saw numbers 24 and 21 ground out. De Blaes ended the inning by striking out. The bottom of the third saw Japan’s first batter ground out, number 8 getting a single on an infield hit, another playing getting an out, and the inning ending with number 11 hitting an infield ground out.

The rest of the game followed much the same pattern. Two players, an ACT player and a Japanese, were struck by balls and required trainers to look at them. Smethurst came in and pitched a few innings in relief. Between the fifth and sixth innings, there was a small delay in the game when a dog named Streaker, owned by Australia men’s national softball team player Adam Folkard, ran onto the the infield.

The game ended 1–0. An announcement was made at the end of the game that the match scheduled for tomorrow would start fifteen minutes earlier than the advertised start time of 18:00.

Thursday, August 13, 2009

A mob of 20 men have killed a leading British gemologist in the town of Voi in Kenya. Campbell Bridges who was born in Scotland was killed at his 600-acre property located within a national park. The attack is reported to be linked to a 3 year dispute over control of the gemstone mines owned by Mr. Bridges.

Police reported that Bridges was driving his pick-up around his land when he was ambushed by 20 men wielding homemade clubs and spears as well as bows and arrows. Bridges fought off the mob with the help of his son and four Kenyan staff. He was transported to hospital but later died. No one else was seriously injured in the attack.

Bruce Bridges, Campbell’s son spoke to reporters about his ordeal. He spoke of how he fled to the capital Nairobi with his father’s body. “As we drove towards our mining camp we found huge thorn trees blocking the road. Eight men with machetes, spears, clubs, knives, bows and arrows appeared, shouting, ‘We’re going to kill you all!’ Then more people came down the mountain like ants — 20 or 30 of them” he said.

Campbell was renowned in the gemstone business. He worked as a special consultant for jewelers Tiffany & Co. He is also credited with the discovery of tsavorite and also involved in the discovery of tanzanite.

Friday, May 16, 2008

A major security hole was discovered in the pseudo-random number generator (PRNG) of the Debian version of OpenSSL. OpenSSL is one of the most used cryptographic software, that allows the creation of secure network connections with the protocols called SSL and TLS. It is included in many popular computer programs, like the Mozilla Firefox web browser and the Apache web server. Debian is one of the most used GNU/Linux distributions, on which are based other distributions, like Ubuntu and Knoppix. The problem affects all the Debian-based distributions that were used to create cryptographic keys since the September 17, 2006. The bug was discovered by Luciano Bello, an argentine Debian package maintainer, and was announced on May 13, 2008.

This vulnerability was caused by the removal of two lines of code from the original version of the OpenSSL library. These lines were used to gather some entropy data by the library, needed to seed the PRNG used to create private keys, on which the secure connections are based. Without this entropy, the only dynamic data used was the PID of the software. Under Linux the PID can be a number between 1 and 32,768, that is a too small range of values if used to seed the PRNG and will cause the generation of predictable numbers. Therefore any key generated can be predictable, with only 32,767 possible keys for a given architecture and key length, and the secrecy of the network connections created with those keys is fully compromised.

These lines were removed as “suggested” by two audit tools (Valgrind and Purify) used to find vulnerabilities in the software distributed by Debian. These tools warned the Debian maintainers that some data was used before its initialization, that normally can lead to a security bug, but this time it was not the case, as the OpenSSL developers wrote on March 13, 2003. Anyway this change was erroneously applied on September 17, 2006, when the OpenSSL Debian version 0.9.8c-1 was released to the public.

Even though the Debian maintainer responsible for this software released a patch to fix this bug on May 8, 2008, the impact may be severe. In fact OpenSSL is commonly used in software to protect the passwords, to offer privacy and security. Any private key created with this version of OpenSSL is weak and must be replaced, included the session keys that are created and used only temporary. This means that any data encrypted with these keys can be decrypted without a big deal, even if these keys are used (but not created) with a version of the library not affected, like the ones included in other operating systems.

For example any web server running under any operating system may use a weak key created on a vulnerable Debian-based system. Any encrypted connection (HTTPS) to this web server established by any browser can be decrypted. This may be a serious problem for sites that requires a secure connection, like banks or private web sites. Also, if some encrypted connection was recorded in the past, it can be decrypted in the same way.

Another serious problem is for the network security software, like OpenSSH and OpenVPN, that are used to encrypt the traffic to protect passwords and grant the access to an administrative console or a private network protected by firewalls. This may allows hackers to gain unwanted access to private computers, networks or data traveled over the network, even if a not affected version of OpenSSL was used.

The same behavior can be applied to any software or protocol that use SSL, like POP3S, SSMTP, FTPS, if used with a weak key. This is the case of Tor, software used to offer strong anonymity on the TCP/IP, where about 300 of 1,500-2,000 nodes used a weak key. With 15-20% of weak Tor nodes, there is a probability of 0.34-0.8% circa to build a circuit that has all tree nodes weak, resulting in a full loss of anonymity. Also the case of only one weak node begin used may facilitate some types of attack to the anonymity. The Tor hidden services, a sort of anonymous public servers, are affected too. However the issue was speedly addressed on May 14, 2008.

The same problem also interested anonymous remailers like Mixmaster and Mixminion, that use OpenSSL to create the remailer keys for the servers and the nym keys for the clients. Although currently there is no official announcement, at least two remailer changed their keys because were weak.

Sunday, October 7, 2007

There are two things one can expect on a trip to see Michael Musto at the offices of the Village Voice: a 20-minute round-trip wait for the elevator and rapid fire answers from one of the most recognizable gossip columnists in the United States. Musto, in addition to his appearances on Countdown with Keith Olbermann and the E! network, has been writing his column for the Voice since 1984. He has recently compiled the best of them in a book released this year titled, La Dolce Musto: Writings by the World’s Most Outrageous Columnist. He was Carrie Bradshaw, replete with a prodigious use of puns, before Sex in the City was a thought. His column is a romp through his life, spats and opinions on socio-political issues. As David Thigpen of the Chicago Tribune wrote, Musto is “a funny and caustic satirist who masquerades as a gossip and nightlife columnist.”

Musto, a Columbia University graduate, is a rarity in today’s celebrity world: he is accessible. He often corresponds with his readers and his public functions are a mix of parties, nightclubs, academic lectures, university panels and film premieres.

He is friendly and frank, and he welcomes people to join him in his world (“I just got a message that Michael Lucas died!” he says staring wide-eyed at his phone; the message turned out to be false). Wikinews reporter David Shankbone spoke with Musto about his life and his relationship to the world of celebrity journalism. And he did not hold back.

Saturday, May 13, 2006

The U.S. Senate has scheduled debate and a vote in June on a bill that would allegedly initiate a process for Native Hawaiians to achieve the same level of self-governance and autonomy over their own affairs that many Native American tribes currently have. Critics of the bill characterize it as going much further than any existing tribal recognition, creating a governing entity based solely on race, without the same requirements as needed for Native American tribal recognition, such as having existed predominantly as a distinct community, having exercised political influence over its members as an autonomous entity, and have continuously been identified as a tribal entity since 1900.

Senator Daniel Akaka (D-Hawaii), the main proponent of bill S. 147 (the Native Hawaiian Government Reorganization Act) and a Native Hawaiian himself, had been giving daily speeches on the Senate floor since May 9 in support of the bill to raise awareness of it. His advocacy of the bill has led it to become known as the “Akaka Bill.” Opponents of the Akaka bill have made daily responses to the Senator’s speeches as well.

“I thank our majority leader, the senior senator from Tennessee, who is working to uphold his commitment to bring this bill to the Senate floor for a debate and roll call vote,” Akaka said after receiving the pledge from Majority Leader Bill Frist (R-Tenn.) on Friday. He also recognized his chief opponent, Senator Jon Kyl (R-Ariz.), who worked with Akaka “to uphold his promise to allow the bill to come to the floor for a debate and roll call vote.”

Frist is expected to file a cloture motion after the Senate returns from its May recess. A vote on the cloture motion would occur within 48 hours of filing.

Opponents of the bill, including Kyl, charge that the bill is a race-based privilege that the U.S. Constitution prohibits. Others, such as Sen. Lamar Alexander (R-Tenn.) imply that passage of the bill could have unintended consequences. In a speech on the Senate floor on Tuesday that preceded Akaka’s, Alexander likened the bill to recognizing Hispanic populations descended from pre-republican Texas or giving tribal status to the Amish or Hasidic Jews, the Honolulu Star-Bulletin reported.

Akaka believes that he has bipartisan support for his bill, with four Republican senators pledging support for it. At least six Republican senators would need to vote for the bill for it to pass, assuming that the bill receives solid support from Akaka’s fellow Democrats and the chamber’s one independent member who usually votes with the Democrats.

A recent report from the U.S. Civil Rights Commission recommended that the bill be rejected. [1](PDF)

The Commission recommends against passage of the Native Hawaiian Government Reorganization Act of 2005 (S. 147) as reported out of committee on May 16, 2005, or any other legislation that would discriminate on the basis of race or national origin and further subdivide the American people into discrete subgroups accorded varying degrees of privilege.

Although the U.S. Civil Rights Commission redacted the findings section of their draft report before approving their final report, opponents of the Akaka bill have challenged the characterization of the findings section as being “historically inaccurate” by Akaka bill supporters.

Supporters of the bill, which include the Democratic members of Hawaii’s congressional delegation and Republican governor Linda Lingle, counter that Hawaii is a unique case because of its former history as an independent nation before the overthrow of the Hawaiian monarchy in 1893.

Kyl had placed a block on the bill when it was originally placed on the Senate schedule in July 2005, but has since agreed to allow the bill to come to a floor vote. The bill was later deferred indefinitely due in part to Hurricane Katrina.

Tuesday, October 8, 2013

Unlike some parts of the US Federal Government, the Consumer Financial Protection Bureau (CFPB) has been open during the federal government shutdown and recording a record-low number of complaints submitted by consumers against mortgage companies, credit card companies, student loan providers, banks, money transfer providers, companies who provide credit reports, and other companies providing consumer loans.

With data not available for yesterday, the first four days of the shutdown had daily totals of 37, 16, 13, and 3 complaints. With the exceptions of September 29 with 15 complaints and September 28 with 23, it is the lowest daily total since March 16 of this year when 36 total complaints were recorded and February 23 of this year with 14. The total complaints are also down from the same dates last year, when the total complaints per day for the first four days of October 2012 were 272, 298, 288, and 225.

Of the 69 filed complaints recorded so far this month, 27 were complaints about mortgage companies, 21 were about bank accounts and 10 were about credit card companies. 40% of credit card companies complaints, 42.9% of bank account complaints and 48.1% of mortgage complaints are currently listed as still in progress. Most of the rest have been closed with an explanation.

Bank of America leads all companies in terms of total complaints filed this month with 9. Bayview Loan Servicing, LLC and JPMorgan Chase have 7 complaints each. Ally Bank, Sovereign Bank, and Wells Fargo have 4 each. Flagstar Bank and Equifax have 3 each. Citibank, Nationstar Mortgage, TD Bank, Amex, and FirstMerit Bank have 2 complaints each. 18 financial services companies have 1 complaint each filed against them.

During the government shutdown, some CFPB staff have voiced their opinions on Twitter. Dan Munz, deputy assistant director for consumer engagement at the CFPB, tweeted, “Boy, shutdown week has really created a sudden bumper crop of amateur federal management experts.”; “Also, seems like Boehner is singlehandedly undoing whatever progress he’d made in portraying this as a Dem [Democratic Party] shutdown.”; and “Basically, there’s now a strong incentive to fill legislation with minor symbolic things you can bargain away later to protect the core.”

The agency has been able to stay open during the government shutdown because it is funded by the Federal Reserve. According to Amanda Terkel at the Huffington Post, Republican members of the United States House of Representatives have put closing the CFPB on their wish list of items in negotiating for a new debt ceiling limit. Party members have previously stalled the appointment of Richard Cordray as the CFPB boss as a way of hindering it from engaging in oversight of financial organizations in the the US.

Tuesday, November 4, 2008

One person has been killed and dozens of boats have been severely damaged or sunk by storms on the Spanish island of Majorca.

The storms hit the island frequently last week, and the weather finally calmed on Sunday.

In San Telmo, a 62-year-old man died when he tried to save his sinking yacht. Winds of up to 60 mph were reported with gusts reaching 75 mph.

Boats could be seen sinking into the water for several days after the storm, with people unable to rescue them due to the conditions.

Local residents stated that they were the worst to hit the island, which has a large number of ports, in ten years, with the clean up effort continuing into this week.