Long Bet 382 has concluded: "Large Hadron Collider will destroy Earth."

Detailed Terms:

Prediction is correct if Earth is, as a result of operation of the collider, annihilated, reduced to much smaller volume than previously, vaporized, broken into large pieces, converted into photons, neutrinos, or other radiation, converted into exotic matter, or just unable to support life. For the purpose of the bet, Earth should be considered "destroyed" if, at the end of the term of this bet in 2018, zero human beings reside on the surface of the planet. Damage caused by attack of hostile beings is included if it is a causal result of operation of the collider. Teleporting Earth to another location or alternate universe where it is still able to support life is specifically excluded. Bet is won if whatever scientific community remains at this time, whether human, machine, or extraterrestrial, acknowledges that the "destruction" of Earth most likely resulted from the Large Hadron Collider or a product thereof (e.g. strangelet, micro black hole, etc).

Two-factor auth and SMS hijacking

tl;dr: You ought to be using 2-factor, and you ought to be using the one-time password generator built into 1password instead of using SMS.

The "SIM porting" attack has been becoming more common and getting more press recently. Basically, it's easy for a crook to call up your phone company and get them to move your phone number to their phone. The telco is supposed to verify that it's you requesting this, but they are stupid and easily fooled.

Once the attacker is receiving your text messages, most services, even those that use 2-factor auth, will allow them to do a password reset and take over your account. My understanding is that they generally needn't have also compromised your email account first.

The fix to this is to not use SMS for your 2-factor. A better way is to use a one-time password generator. There are physical-dongle versions of these, and software versions. The way they work is, set-up involves them sharing a secret by scanning a QR code; and then the login codes are generated based on that secret, without the two ever needing to communicate again. Basically it's a clock-based PRNG with a shared seed.

Many people recommend Google Authenticator and I gave that a try, despite a deep paranoia about any software that has "Google" in its name -- which is not helped out by the fact that Authenticator was once open source, but then Google took it proprietary, which is not at all a shady and concerning move, no sir.

The problem with using that app is that if you want to use more than one device to generate your one-time codes -- say you sometimes have your phone with you and sometimes have your tablet with you but not both -- then you'd have to set them both up at the same time. You can't add a device later without losing access from all previous devices.

But it turns out that the excellent 1password includes a compatible one-time password generator that does the same thing! Instructions here. The huge benefit of this over Google Authenticator is that you can access the code generator from any device to which you are syncing your 1password vault, including your desktop.

This works with Facebook, Dropbox, Twitter, Kickstarter and Etsy.

Instagram (owned by Facebook) say they're really thinking about supporting non-SMS 2FA, really thinking about it really hard. But they still provide 2FA only via SMS.

Patreon and Ebay also only support 2FA over SMS. (Oddly, it looks like Patreon used to support OTP but stopped??)

And Twitter, of course, goes out of their way to fuck up this security feature, as is their core incompetency.

  • You can't enable 2FA at all without giving them a mobile number. You have to enable 2FA with SMS, and then you can switch to OTP.

  • After you've configured the OTP, you also have to go into the SMS setting and say "no really, don't use SMS for 2FA". Because if you don't do that, the login page will still have an option that says "Choose a different verification method" that allows your friendly neighborhood hacker the option to use your phone number anyway.

  • Just remove your phone number? Oh ho ho ho, no. Doing so turns off 2FA entirely.

Kickstarter seems to have the same bug: you can turn on OTP but you can't ever turn off SMS.

Amazon is even weirder: they let you register an OTP app, but I can't find a way to make them actually use it. They always use SMS.

In short, everything is terrible and it's a wonder that you can still log into any of your accounts at all.

EPA staff worried about toxic chemical exposure -- for Pruitt

Then-EPA Administrator Scott Pruitt's staff sought to protect him from exposure to toxic formaldehyde from an office desk last year, emails show -- just months before his top political aides blocked the release of a report on health dangers from the same chemical.

In the spring of 2017, as Pruitt was finishing the more than $9,500 redecoration of his office, a top career official in the administrator's office noticed a California warning that one of the ornate desks their boss wanted contained formaldehyde, which the state classifies as a carcinogen. [...] After seeing the warning, acting deputy chief of staff Reginald Allen reached out to Wendy Cleland-Hamnett, the career official then serving as acting head of EPA's toxic chemicals office [...]

"Sorry to bother you with this but we need some help. The desk the Administrator wants for his office from Amazon has a California Proposition 65 warning. What I am asking is can someone in your area tell us whether it is OK to get this desk for the Administrator related to the warning?" [...]

The email exchange about the desk last spring took place just months before top aides to Pruitt took steps to block a health assessment produced by another division within the agency that found the levels of formaldehyde that many Americans breathe in daily are linked with leukemia, nose-and-throat cancer and other ailments. The chemicals industry has fought the assessment, which could prompt federal and state regulators to issue new restrictions on the chemical, and could lead to class-action lawsuits. [...]

"You can add 'EPA chemical safety science' to the list of taxpayer funded benefits that Scott Pruitt kept for himself. The irony would be comical if this wasn't so dangerous. Months before Scott Pruitt blocked the EPA's report on the dangers of formaldehyde to public health, he got the benefit of EPA's safety experts looking out for his own health," Evers said in a statement.

A Global Guide to State-Sponsored Trolling

In Venezuela, prospective trolls sign up for Twitter and Instagram accounts at government-sanctioned kiosks in town squares and are rewarded for their participation with access to scarce food coupons, according to Venezuelan researcher Marianne Diaz of the group @DerechosDigitales. A self-described former troll in India says he was given a half-dozen Facebook accounts and eight cell phones after he joined a 300-person team that worked to intimidate opponents of Prime Minister Narendra Modi. And in Ecuador, contracting documents detail government payments to a public relations company that set up and ran a troll farm used to harass political opponents. [...]

In response to revolutions and social movements launched on Twitter and Facebook, national governments initially censored content, blocked access to social media and used surveillance technology to monitor their citizens. But it turned out to be far more effective to simply inundate the platforms with a torrent of disinformation and anonymized threats -- what the researchers dubbed a strategy of "information abundance" made possible by the rapid spread of social media. [...]

Turkey is a prime example, according to Camille Francois, who directed the Jigsaw project as a principal researcher at Google. Since the 2013 protests at Istanbul's Gezi Park, President Recep Erdogan's government has used a combination of online and offline repression to turn social media "into a near dead zone for genuine social protest in Turkey," Francois said. "Five years later, there is very little organically organized activity."

And you will know my name is THE LORD when I EXTERMINATE ALL RATIONAL THOUGHT.

Google Translate Spitting Out Sinister Religious Prophecies

Type the word "dog" into Google Translate 19 times, request that the nonsensical message be flipped from Maori into English, and out pops what appears to be a garbled religious prophecy.

"Doomsday Clock is three minutes at twelve," it reads. "We are experiencing characters and a dramatic developments in the world, which indicate that we are increasingly approaching the end times and Jesus' return."

That's just one of many bizarre and sometimes ominous translations that users on Reddit and elsewhere have dredged up from Google Translate, Google's decade-old service that can now interpret messages in over 100 languages. In Somali, for instance, strings of the word "ag" translate into missives about the "sons of Gershon," the "name of the LORD," and references to Biblical terminology like "cubits" and Deuteronomy.

"Amateurs study heists. Professionals study money laundering."

Dump 30,000 stolen credit card numbers into the hopper, untraceable cash comes out the other side.

Much of the system was automated, including the creation of Apple accounts. According to Diachenko, the scammers used jailbroken iPhones they managed with a tool to generate Apple accounts with predefined user data. He showed Motherboard a video the Facebook group promoted with a bank of iPhones on a rack, all running the automated software.

"With the account creation process automated, the malicious actors then took the process further, automatically changing cards until a valid one is found, automatically buying games and resources, automatically posting the games and resources for sale, working with a digital wallet for order processing, and managing multiple Apple devices to distribute the load," Kromtech's report said. "The end result: an automated money laundering tool for credit card thieves."

The impressive thing here is how little human interaction was needed at any stage of the process. Their scripting fu is strong.

As Authorized by The Telecommunication Breakdown Act of 1995

EBN Brooklyn set circa 1998: 1:02:00.

Current Music: As noted

Trumpover

Ten Goldblums out of a possible 10 Goldblums.

"Your artists were so preoccupied with whether or not they could,
they didn't stop to think if they should."

Time Flies: Levitating Nixie Clock

This is an absolutely amazing artifact whose physical existence is difficult to accept. I can barely wrap my head around the fact that this thing is pushing enough electrons through the air that it can not only hold itself up, but also light up a set of Nixie tubes. It's god damned sorcery, is what it is. This is some Tesla HAARP Weapon Planetary Weather Control shit going on here.

It took just about two years since I ordered it from Kickstarter for it to arrive, which is kind of a standard time frame for Kickstarter, but it was long enough that I had completely forgotten about it.

Some minor gripes:

  • I strongly question the design decision of using 5 Nixie tubes instead of 6. That middle one just alternates between plus and minus, so the numbers only change once a minute. If there were 6 tubes we could have had a permanent second display like the NixieChron does.

  • It is fantastically hard to get it to levitate the first time. It takes me about five minutes each time, and that means that every few seconds the floater slams hard into the base. And I don't mean "fall" I mean "powered descent at 4 gravities". This isn't going to end well.

  • It's supposed to stay floating in case of power failure. It does not. Boom.

  • It didn't come with a manual, not even a URL on a post-it note. Since there have been several kit-based iterations of this, it took me a while to find the operating instructions (which are here, by the way.) Apparently some previous version of this was configured by waving your hands around in the air above it. This version is not that version, but I found that manual first, so that led to quite some time of me wildly gesturing at this levitating glowing thing like some Harry Potter cosplaying lunatic.

  • And the way you configure it is... complete lunacy, even compared to the typical UI standards of "how to set the time on a clock or a Microwave", which was already complete lunacy. You're used to "press button A to advance, press button B to configure, hope you can guess what the beeps mean?" Ho ho ho, welcome to the next level: the control here is an invisible capacitive touch button, just one, and to toggle, say, setting 3, you gesture near the button until the audio tone changes frequency 3 times... and then you wait a little bit longer and flee quickly. Oops, you advanced to 4! Try again! It's koo-koo-pants.

Still. It is sorcery. Glorious sorcery.