
Which OSI network layer is "spitting in the tube"?

jwz
1 Comment and 4 Shares
Malware in a Strand of DNA

A group of researchers from the University of Washington has shown for the first time that it's possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer. [...]

But encoding [the buffer overflow attack] in actual DNA proved harder than they first imagined. DNA sequencers work by mixing DNA with chemicals that bind differently to DNA's basic units of code -- the chemical bases A, T, G, and C -- and each emits a different color of light, captured in a photo of the DNA molecules. To speed up the processing, the images of millions of bases are split up into thousands of chunks and analyzed in parallel. So all the data that comprised their attack had to fit into just a few hundred of those bases, to increase the likelihood it would remain intact throughout the sequencer's parallel processing.

When the researchers sent their carefully crafted attack to the DNA synthesis service Integrated DNA Technologies in the form of As, Ts, Gs, and Cs, they found that DNA has other physical restrictions too. For their DNA sample to remain stable, they had to maintain a certain ratio of Gs and Cs to As and Ts, because the natural stability of DNA depends on a regular proportion of A-T and G-C pairs. And while a buffer overflow often involves using the same strings of data repeatedly, doing so in this case caused the DNA strand to fold in on itself. All of that meant the group had to repeatedly rewrite their exploit code to find a form that could also survive as actual DNA, which the synthesis service would ultimately send them in a finger-sized plastic vial in the mail.

The result, finally, was a piece of attack software that could survive the translation from physical DNA to the digital format, known as FASTQ, that's used to store the DNA sequence. And when that FASTQ file is compressed with a common compression program known as fqzcomp -- FASTQ files are often compressed because they can stretch to gigabytes of text -- it hacks that compression software with its buffer overflow exploit, breaking out of the program and into the memory of the computer running the software to run its own arbitrary commands.

Even then, the attack was fully translated only about 37 percent of the time, since the sequencer's parallel processing often cut it short or -- another hazard of writing code in a physical object -- the program decoded it backward. (A strand of DNA can be sequenced in either direction, but code is meant to be read in only one. The researchers suggest in their paper that future, improved versions of the attack might be crafted as a palindrome.)

This next part makes me sad. By "verge on cheating" you mean "absolutely totally cheating":

Despite that tortuous, unreliable process, the researchers admit, they also had to take some serious shortcuts in their proof-of-concept that verge on cheating. Rather than exploit an existing vulnerability in the fqzcomp program, as real-world hackers do, they modified the program's open-source code to insert their own flaw allowing the buffer overflow.

Still, it's a great stunt. Original paper here.

My favorite line is "The repeated 0xdeadbeef bytes produced a long (40+ base pair) repetitive sequence" because it makes me wonder whether this DNA is technically dead, and/or beef.

aranth
6 days ago
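The excerpt names FASTQ as the format that carries the sequencer's output into downstream tools such as the compressor, and it was the consumer's handling of that data, not the sequencer itself, that the demonstration abused. The following is an added example, not code from the article, the paper or fqzcomp: a strict FASTQ reader that validates every record (four-line structure, base alphabet, quality-length agreement and a length cap) before handing it on, together with the two sequence-level checks the article says synthesis forced on the researchers, GC balance and long tandem repeats. The sample reads, the `MAX_READ_LEN` cap and all function names are constructed for this example.

```python
"""Strict FASTQ reader with the sequence sanity checks discussed above.

Added example; the sample reads, the length cap and all names here are
constructed for illustration and are not taken from the paper or fqzcomp.
"""
from dataclasses import dataclass
from typing import List

# Constructed cap on read length. Real pipelines would size this per
# instrument; the point is that a consumer enforces *some* bound instead
# of trusting whatever the producer emits.
MAX_READ_LEN = 10_000
VALID_BASES = frozenset("ACGTN")

# Constructed sample: two records in the four-line FASTQ layout.
SAMPLE_FASTQ = """\
@read1 constructed tandem-repeat example
ACGTACGTACGTACGTACGT
+
IIIIIIIIIIIIIIIIIIII
@read2 constructed GC-rich example
GGCCGGCCAATTAATTGGCC
+
IIIIIIIIIIIIIIIIIIII
"""


class FastqError(ValueError):
    """Raised for any record that does not meet the format contract."""


@dataclass(frozen=True)
class FastqRecord:
    name: str
    seq: str
    qual: str


def parse_fastq(text: str, max_len: int = MAX_READ_LEN) -> List[FastqRecord]:
    """Parse FASTQ text, rejecting anything malformed rather than guessing.

    Each record is exactly four lines: '@name', bases, '+', qualities.
    """
    lines = text.splitlines()
    if len(lines) % 4 != 0:
        raise FastqError(f"truncated input: {len(lines)} lines, not a multiple of 4")
    records: List[FastqRecord] = []
    for i in range(0, len(lines), 4):
        idx = i // 4
        header, seq, sep, qual = lines[i:i + 4]
        if not header.startswith("@") or not header[1:].strip():
            raise FastqError(f"record {idx}: header must be '@name'")
        if not sep.startswith("+"):
            raise FastqError(f"record {idx}: separator line must start with '+'")
        seq = seq.strip().upper()
        qual = qual.strip()
        if not seq:
            raise FastqError(f"record {idx}: empty sequence")
        if len(seq) > max_len:
            raise FastqError(f"record {idx}: sequence length {len(seq)} exceeds {max_len}")
        bad = set(seq) - VALID_BASES
        if bad:
            raise FastqError(f"record {idx}: unexpected symbols {sorted(bad)}")
        if len(qual) != len(seq):
            raise FastqError(
                f"record {idx}: quality length {len(qual)} != sequence length {len(seq)}")
        records.append(FastqRecord(header[1:].split()[0], seq, qual))
    return records


def gc_fraction(seq: str) -> float:
    """Share of G and C bases; the article notes synthesis needs this balanced."""
    if not seq:
        return 0.0
    return sum(1 for b in seq if b in "GC") / len(seq)


def longest_tandem_repeat(seq: str, max_motif: int = 8) -> int:
    """Length of the longest stretch made of one motif (1..max_motif bases)
    repeated back to back at least twice. Long stretches of this kind are
    what the article says made the strand fold in on itself."""
    best = 0
    for k in range(1, max_motif + 1):
        run = k  # current stretch that matches itself shifted by k bases
        for j in range(k, len(seq)):
            if seq[j] == seq[j - k]:
                run += 1
                if run >= 2 * k:  # at least two full copies of the motif
                    best = max(best, run)
            else:
                run = k
    return best


if __name__ == "__main__":
    for rec in parse_fastq(SAMPLE_FASTQ):
        print(rec.name, f"GC={gc_fraction(rec.seq):.2f}",
              f"longest_repeat={longest_tandem_repeat(rec.seq)}")
```

The reader fails closed: a record with mismatched quality length, a stray symbol or an oversized read raises `FastqError` instead of being silently trimmed or padded, which is the behaviour a consumer wants when its input comes from a physical instrument it does not control. The two statistics are diagnostic only; on the constructed sample, read1 is one motif repeated five times (repeat length 20) and read2 is 60% GC.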
1 public comment
jimwise
4 days ago
reply
O. M. G.

Paging Agent 007

4 Shares

History: is it about kings, dates, and battles, or the movement of masses and the invisible hand of macroeconomics?

There's something to be said for both theories, but I have a new, countervailing theory about the 21st century (so far); instead of the traditional man on a white horse who leads the revolutionary masses to victory, we've wandered into a continuum dominated by Bond villains.

Consider three four five, taken at random:

Mr X: leader of a chaotic former superpower with far too many nuclear weapons, Mr X got his start in life as an agent of SMERSH the KGB. Part of its economic espionage directorate, tasked with modernizing a creaking command economy in the 1980s, Mr X weathered the collapse of the previous regime and after a turbulent decade of asset stripping rose to lead a faction of billionaire oligarchs, robber barons, and former secret policemen. Mr X trades on his ruthless reputation—he is said to have ordered a defector murdered by means of a radioisotope so rare that the assassination consumed several months' global production—and despite having an official salary on the order of £250,000 he has a private jet with solid gold toilet seats and more palaces than you can shake a stick at. Also nuclear missiles. (Don't forget the nuclear missiles.) Said to be dating the ex-wife of Mr Y. Exit strategy: change the constitution to make himself President-for-Life. Attends military parades on Red Square, natch. Bond Villain Credibility: 10/10

Mr Y: Australian multi-billionaire news magnate. (Currently married to a former supermodel and ex-wife of Mick Jagger.) Owns 80% of the news media in Australia and numerous holdings in the UK and USA, including satellite TV channels, radio stations, and newspapers. Reputedly had Arthur C. Clarke on speed-dial for advice about the future of communications technology. Was the actual no-shit model upon whom Elliot Carver, the villain in "Tomorrow Never Dies", the 18th Bond movie, was based. Exit strategy: he's 86, leave it all to the kids. Bond Villain Credibility: 10/10

Mr Z: South African dot-com era whiz kid who made a fortune before he hit 30. Instead of putting his money into a VC fund he set his sights higher. By 2007 he had a tropical island base complete with boiler-suited minions from which he launched satellites and around which he drove an electric car: has been photographed wearing a tuxedo and stroking a white cat in his launch control center. Currently manufacturing electric cars in bulk, launching absolutely gigantic rockets, and building a hyperloop from Boston to Washington DC. Exit strategy: retire on Mars. Bond Villain Credibility: 9/10 (docked one point for trying too hard—the white cat was a plush toy.)

Mr T: Unspeakably rich New York property speculator and reality TV star, who, possibly with help from Mr X, managed to get himself into the White House. Tweets incessantly at 3AM about the unfairness of it all and how he's being persecuted by the false news media and harassed by crooked politicians while extorting fractional-billion-dollar bribes from middle eastern regimes. Has at least as many nukes as Mr X. Rather than a solid gold toilet seat, he has an entire solid gold penthouse. In fact, he probably has heavy metal poisoning from all that gold. (It would explain a lot.) Bond Villain Credibility: 10/10

Mrs M: After taking a head-shot, M was reconstituted as a cyborg using a dodgy prototype brain implant designed by Sir Clive Sinclair and parachuted into the Home Office to pursue a law-and-order agenda. Following an entirely self-inflicted constitutional crisis and a party leadership challenge in which all the rival candidates stabbed each other in the back, M strode robotically into 10 Downing Street, declared herself to be the Strong and Stable leader the nation needs, and unleashed the world's most chilling facial tic. Exit strategy: (a) Brexit, (b) ... something to do with underpants ... (c) profit? Bond Villain Credibility: 6/10 (down from 8/10 before the 2017 election fiasco.)

I think there's a pattern here: don't you? And, more to the point, I draw one very useful inference from it: if I need to write any more near-future fiction, instead of striving for realism in my fictional political leaders I should just borrow the cheesiest Bond villain not already a member of the G20 or Davos.

aranth
23 days ago

Cop didn’t know his body cam was on—footage shows him planting drugs

1 Share

In May, we published a story about how police body cams can be employed in the worst way—for planting evidence, or staging a crime scene. In what was among the first instances of its kind, we revealed that a Colorado cop had staged the body cam footage of the search of a vehicle in which he is seen finding drugs and cash. Pueblo prosecutors dropped the drug charges, and the Pueblo Police Department said it disciplined the officer, as an internal matter. No charges against the officer were lodged.

Now there's word of another such incident in Baltimore, related to video from a January drug arrest. The officer's trickery was revealed by the fact that his body cam, by default, retained footage for 30 seconds before it was activated to begin recording. During that time, according to the footage and the Baltimore public defender's office, officer Richard Pinheiro puts a bag of pills in a can in an alley and walks out of the alley.

The Axon cam's initial 30 seconds of footage, by default, doesn't have sound. After 30 seconds, viewers of the video can both see and hear the officer looking for drugs in the alley. Lo and behold, he finds them in the same soup can that he placed them in, according to the footage, which was released Wednesday. Pinheiro can then be heard yelling "yo" to his fellow officers, telling them he found drugs in the alley.


aranth
28 days ago

Beehive Chop Shop

jwz
1 Share
Beekeepers Feel the Sting of California's Great Hive Heist

Earlier this year, around $1 million worth of stolen bees were found in a field in Fresno County. Sgt. Arley Terrence with the Fresno County Sheriff's Department says it was a "beehive chop shop." [...]

"This is the biggest bee theft investigation that we've had," Terrence says. Most of the time, he says, beehive thieves turn out to be "someone within the bee community."

That was the case in the giant heist earlier this year. The alleged thief, Pavel Tveretinov, was a beekeeper from Sacramento who used the stolen bees for pollination and then stashed them on a plot of land in Fresno County. He was arrested and could face around 10 years of jail time. And authorities say he didn't act alone. His alleged accomplice, Vitaliy Yeroshenko, has been charged and a warrant is out for his arrest.

Steve Godlin with the California State Beekeepers Association says the problem of hive theft gets worse every year. "There used to be kind of a code of honor that you didn't mess with another man's bees," Godlin says.

Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.

aranth
49 days ago

Going offline for a while

4 Comments and 9 Shares

Zillow is threatening to sue me if I don’t delete most of the posts on this blog. Anyone who can see this who can help, please contact

kate@mcmansionhell.com

aranth
51 days ago
4 public comments
gazuga
50 days ago
Optimistic prediction: McMansion Hell comes back up within a month thanks to a combination of pro bono legal help and Zillow tasting a hot serving of Streisand Effect; and Kate Wagner's Patreon income surges in the meantime.
Edmonton
chrisrosa
51 days ago
Hey @zillow, pick on someone your own size! @mcmansionhell is doing good work...any lawyers out there that can help?
San Francisco, CA
zwol
50 days ago
According to https://twitter.com/mcmansionhell/status/879795641643409408 Kate now has a lawyer.
angelchrys
51 days ago
Sadness.
Overland Park, KS
brennen
51 days ago
ffs.
Boulder, CO

The Dangers of Secret Law

1 Comment and 3 Shares

Last week, the Department of Justice released 18 new FISC opinions related to Section 702 as part of an EFF FOIA lawsuit. (Of course, they don't mention EFF or the lawsuit. They make it sound as if it was their idea.)

There's probably a lot in these opinions. In one Kafkaesque ruling, a defendant was denied access to the previous court rulings that were used by the court to decide against it:

...in 2014, the Foreign Intelligence Surveillance Court (FISC) rejected a service provider's request to obtain other FISC opinions that government attorneys had cited and relied on in court filings seeking to compel the provider's cooperation.

[...]

The provider's request came up amid legal briefing by both it and the DOJ concerning its challenge to a 702 order. After the DOJ cited two earlier FISC opinions that were not public at the time -- one from 2014 and another from 2008 -- the provider asked the court for access to those rulings.

The provider argued that without being able to review the previous FISC rulings, it could not fully understand the court's earlier decisions, much less effectively respond to DOJ's argument. The provider also argued that because attorneys with Top Secret security clearances represented it, they could review the rulings without posing a risk to national security.

The court disagreed in several respects. It found that the court's rules and Section 702 prohibited the documents' release. It also rejected the provider's claim that the Constitution's Due Process Clause entitled it to the documents.

This kind of government secrecy is toxic to democracy. National security is important, but we will not survive if we become a country of secret court orders based on secret interpretations of secret law.

aranth
56 days ago
1 public comment
jimwise
29 days ago
...