Wow. JavaScript is so ubiquitous now, that running NoScript must be like television without ... television. I mean, NoScript makes sense -- there are any number of scams that require JavaScript to be active -- but so much online content, online experience, now relies on it.
I'm a Javascript developer and I always use NoScript.
Most JS is bad JS. Activating it when needed on some sites (such as interacting w/ some buttons) is pretty quick. Plus you can whitelist certain things like Disqus and common sites.
I use NoScript too and 99 times out of 100 when I do enable javascript for a particular site it is just froofroo crap that adds noise not signal. But I've been using the web since before java, much less javascript, was invented so maybe I am old.
They are right to be worried about the attack surface presented by the mobile & display ad ecosystem.
The key to any attack, of course, is de-anonymizing the data, in the sense of being able to identify corresponding entities across disparate sources of data. This is the technical challenge that a large chunk of the ad-tech industry has been working on.
This is difficult to do reliably --- but the reliability (or otherwise) of a particular technique may be moot if you have a population of several thousands of individuals that you can target -- sooner or later somebody will carry out the actions that your attack assumes, and you will be able to make the connections that you need. The attacker needs only think of the problem in terms of "matched filters" to make headway -- just discard anything that does not match.
Of course, characterising the target is only part of the story -- exploiting the information advantage comes next.
Funnily enough, the proliferation of open communications channels also offers a potential attack vector - the use of individually crafted messages and disinformation to direct attention and manipulate behaviour of the target -- similar in concept to the social engineering techniques that are used in spear phishing attacks.
If your goal was to cause mayhem/reveal war plans/take down a bank, wouldn't just hacking it be easier than advertising an AQ Data Scientist job posting? This attack vector is the obfuscated c contest of skullduggery.
Yeah, perhaps I am over thinking it. Mind you -- the study is purposefully looking for vulnerabilities that arise from open source data, so my brain did not head off in that direction entirely of it's own accord.
Oh of course. It should be investigated (if only to see what crazy red team shit one could come up with). I may be wrong, there may be a brilliant Rube Goldberg of big data terror hammering out some kickass python number that will rain misinformation and chaos down on the world. This would in fact be a better Bond villain than the Quantum of Solace bad guy. However given the way the Pentagon overreacts to shit they don't understand I really hope that they don't start REALLY worrying about this.
"The doomsday thinkers over at DARPA are looking for researchers to "investigate the national security threat posed by public data available either for purchase or through open sources." The question is, could a determined data miner use only publicly available information -- culled from Web pages and social media or from a consumer data broker -- to cause "nation-state type effects." Forget identify theft. DARPA appears to be talking about outing undercover intelligence officers; revealing military war plans; giving hackers a playbook for taking down a bank; or creating maps of sensitive government facilities.
I'll save them some time and say its possible, and if they are just inquiring into this, they are already behind the game… Using wikipedia, one can get a list most of the oil refineries in the united states (for the world for that matter), and from some api queries using either popular or open-source map/geocoding services, obtain gps coordinates within 100's of feet of those locations, within a matter of seconds.
If you scrape cryptome/other places every so often of the lists uncovered (often with contact info[numbers|emails|names|addresses]) of people, map them against other lists to find connections (this takes a matter of seconds as well), it is not unheard of that one could automate emails/calls/send mail to people to uncover attack surfaces to exploit.
And even until more recently, one could access public all posts on facebook via https://graph.facebook.com/search without authentication, and with some well crafted queries, one was able to get specific information about people that one wouldn't think would be possible to obtain.
Am I the only who get a greyed-out overlay layer because I'm guessing some anti-spam-security-and-whatnot plugin interferes with their page?
In any case -> inspect -> delete node!
This, like PRISM, is governments having to adjust to the loss of privacy as well. The 16 year old girl whom Wal-Mart knows is pregnant because of her loyalty card purchases thought she could keep it "secret". But secret is not what you don't tell people, it's what you don't reveal.
Governments the world over are finding out that their secret airbases, their secret flights, their buildings and purchases are just "private".
You really have to work at keeping secrets. So instead of pretending you can keep everything secret, try being open by default. You will find it a lot easier to concentrate on the things you want to keep secret then. Oh - and never ever let your secret near anything digital
30 comments
[ 2.8 ms ] story [ 67.9 ms ] threadPaste of text.
2. Hey, thanks!
:)
Wow. JavaScript is so ubiquitous now, that running NoScript must be like television without ... television. I mean, NoScript makes sense -- there are any number of scams that require JavaScript to be active -- but so much online content, online experience, now relies on it.
Most JS is bad JS. Activating it when needed on some sites (such as interacting w/ some buttons) is pretty quick. Plus you can whitelist certain things like Disqus and common sites.
Overall the security/speed benefits are worth it.
Probably true, and as often as you say. Here are two counterexamples:
http://arachnoid.com/mandelbrot_set/index.html#Mandelbrot_Ge...
http://arachnoid.com/binomial_probability/index.html
2. They see links to other articles from that site (e.g. "Most Popular on FP")
3. They decide to post that article to HN
http://www.zyn.com/sbir/sbres/sbir/dod/darpa/darpasb133-002....
They are right to be worried about the attack surface presented by the mobile & display ad ecosystem.
The key to any attack, of course, is de-anonymizing the data, in the sense of being able to identify corresponding entities across disparate sources of data. This is the technical challenge that a large chunk of the ad-tech industry has been working on.
This is difficult to do reliably --- but the reliability (or otherwise) of a particular technique may be moot if you have a population of several thousands of individuals that you can target -- sooner or later somebody will carry out the actions that your attack assumes, and you will be able to make the connections that you need. The attacker needs only think of the problem in terms of "matched filters" to make headway -- just discard anything that does not match.
Of course, characterising the target is only part of the story -- exploiting the information advantage comes next.
Funnily enough, the proliferation of open communications channels also offers a potential attack vector - the use of individually crafted messages and disinformation to direct attention and manipulate behaviour of the target -- similar in concept to the social engineering techniques that are used in spear phishing attacks.
I'll save them some time and say its possible, and if they are just inquiring into this, they are already behind the game… Using wikipedia, one can get a list most of the oil refineries in the united states (for the world for that matter), and from some api queries using either popular or open-source map/geocoding services, obtain gps coordinates within 100's of feet of those locations, within a matter of seconds.
If you scrape cryptome/other places every so often of the lists uncovered (often with contact info[numbers|emails|names|addresses]) of people, map them against other lists to find connections (this takes a matter of seconds as well), it is not unheard of that one could automate emails/calls/send mail to people to uncover attack surfaces to exploit.
And even until more recently, one could access public all posts on facebook via https://graph.facebook.com/search without authentication, and with some well crafted queries, one was able to get specific information about people that one wouldn't think would be possible to obtain.
The list goes on.
Governments the world over are finding out that their secret airbases, their secret flights, their buildings and purchases are just "private".
You really have to work at keeping secrets. So instead of pretending you can keep everything secret, try being open by default. You will find it a lot easier to concentrate on the things you want to keep secret then. Oh - and never ever let your secret near anything digital