Archive for August, 2016

Memo from the police beat.

Friday, August 12th, 2016

There are a couple of ongoing stories in the news, two of them locally. Both of those two had significant developments today (in other words, “Let’s break this news on Friday afternoon and see if it gets lost over the weekend.”)

First story: You may recall the controversy back in April where our city manager, Marc Ott, accused the police chief of insubordination and fined him five days of pay?

Looks like we know who won that battle.

Austin City Manager Marc Ott, the most powerful man at City Hall, is leaving his post for a prestigious job running a Washington, D.C., association.

Last month, the council gave him a $22,000 raise, bumping his pay and benefits to $361,000 annually. His predecessor at the management association made $478,000 in 2013, the group’s tax returns show.

At least, we know who won for the moment. It will be interesting to see how the replacement process plays out, and how much deference (if any) the incoming city manager will be expected to show to the APD and the chief.

Also worth pointing out is what may have been Ott’s final “F— you” to the APD. There was a recent report (the “Matrix Report”) that called for increasing the number of police officers.

Additionally, the report also calls for the department to create positions for 66 officers and eight corporals beyond what has already been authorized, and to add an average 17 new officer positions over the next four years. Finally, the report calls for adding four officers to the Motorcycle Unit.

So that’s 78 sworn officers over and above the current authorized staffing level, which APD is still about 100 officers short of. What did the City Manager and his team ask for in the current budget?

Currently, the city has taken a phased approach to increasing staffing at APD in FY 2017. Included in the City Manager’s proposed FY 2017 budget are 12 new sworn positions and 21 new civilian positions to transition existing sworn employees back to patrol activities.

Twelve. To quote our great and good friend RoadRich: “‘But first let me deny you most of the required staff to protect the city… and then I shall leave you to your fates. Suckahs.'”

(Another problem which I would like to get into, but the margins of this post are too small to contain: there’s also talk of converting the district representative positions, which are currently sworn officers, into civilian positions.)

Next:

(more…)

DEFCON 24 updates: August 11, 2016.

Thursday, August 11th, 2016

“SITCH – Inexpensive, Coordinated GSM Anomaly Detection” doesn’t just have slides up. Or a whitepaper.

It has an entire freaking website. Which does include, yes, slides and whitepaper. (Thanks to SecBarbie on Twitter for this.)

Slides for the Tamas Szakaly “Help, I’ve got ANTs!!!” talk are here. And his GitHub repo is here.

Good stuff is going up on the Black Hat 2016 briefings site, too. I haven’t had a chance to go through all of the abstracts yet, but my current favorite is: “Does Dropping USB Drives In Parking Lots And Other Places Really Work?”. Slides here, code here, blog post here, no spoilers here.

DEFCON 24 updates: August 8, 2016.

Monday, August 8th, 2016

Torn from the pages of the NYT.

Monday, August 8th, 2016

Two stories from the NYT that aroused my interest, for different reasons:

Emperor Akihito of Japan wants to step down from the throne. But it isn’t that simple. There’s no provision in the law that allows him to step down and have his son, Crown Prince Naruhito, take over the throne, so the Japanese government would have to change the law. But the Emperor can’t ask for that directly, because that would be meddling in politics. So he has to hint that he’d like the law changed. But people are concerned that if the government does change the law, they would be exerting undue influence over the throne. So Japan has a mess to sort out, one that’s also tied up with the question of allowing women to take the throne, and what the role of the Emperor should be in present day Japanese society.

One of the things that I found most striking about this article was a reference – which appears to have been deleted from the current version of the article, but there are comments mentioning it – to Crown Prince Naruhito’s wife, Masako, Crown Princess of Japan, who according to the article (this is also backed up some by Wikipedia) has lived in virtual seclusion for the past fifteen years battling crippling depression. That’s about the saddest thing I’ve heard in a long while.

Story number two: a man named Neil Horan, who lives in London, was upset that Vanderlei de Lima was selected to light the Olympic flame.

Why?

Neil Horan shoved Vanderlei de Lima into the crowd during the 2004 Olympic marathon, probably costing him the gold medal. (De Lima ended up winning the bronze.)

Horan has gained bursts of infamy for his public exploits. He is a defrocked Irish priest who has made an occasional habit of interrupting sports events. He frequently appears at demonstrations, wearing a green beret and a green vest — the same outfit he wore when he interrupted the Olympic marathon — claiming that the second coming of Jesus is near. In 2009, he appeared on “Britain’s Got Talent,” and his Irish dancing earned him an invitation to the second round, until executives realized who he was. He does not dispute the label as an eccentric.

I believe “asshole” is actually the word the paper of record is looking for here. But what reason does Horan have for being so worked up?

He said that he has sent de Lima two letters of apology, in Portuguese, but has never had contact with him since the fateful day in Athens. (After the 2004 Games, Horan said he planned to go to Brazil to apologize in person, but he faced charges of indecency with a child. He was acquitted by a jury later that year.)

“It’s extremely sad that he never responded to my apologies, nevertheless acknowledged them,” Horan said. “I would like to meet him and his family. But absolutely no response. I condemn him for this. He miserably failed in basic manners of human decency and courtesy.”

That’s funny. I would have said the person who failed in “basic manners of human decency and courtesy” was Horan, when he pushed an athlete that had done nothing to him into a crowd and ruined his chance at winning the race.

Seriously. This guy is upset because the man he wronged refuses to accept his apologies, or even contact him. That’s not surprising; that’s the kind of behavior you expect from delusional assholes.

“As if I was just some sort of pop star looking for attention,” Horan said. “I see it as a personal attack on me, my Christian mission and Christ himself.”

The question on my mind is: why did the NYT chose to devote space to the rantings of an attention-seeking nut?

More on Blue Hydra.

Sunday, August 7th, 2016

Earlier, I wrote “It runs! It works! Mostly. Kind of.”

I’ve been banging on Blue Hydra in my spare time since Thursday, and I stand by that statement. Here’s what I’ve run into so far.

The README is pretty clear, and I didn’t have any problems installing the required packages. (I don’t have an Ubertooth, so I skipped that one. We’ll come back to the Ubertooth later.)

First problem, which was actually very tiny: I know next to nothing about Ruby, other than that cartoon foxes are somehow involved, so the phrase “With ruby installed add the bundler gem” was more like “I don’t speak your crazy moon language”. Google cleared that up pretty quickly: the magic words are gem install bundler.

Next problem: running bundle install resulted in an error stating that it couldn’t find the Ruby header files. It turns out that, while my Ubuntu installation had Ruby 2.1 installed, it didn’t have the ruby-dev package installed. sudo apt-get install ruby-dev fixed that issue.

Next problem: the SQLIte Ruby gem failed to install when I ran bundle install. It turns out that I also needed the sqlite3-dev package as well. And with that installed, the bundle built, and I could do ./bin/blue_hydra.

Which gave an error stating that it didn’t have permissions to open a handle for write. Okay, let’s try sudo ./bin/blue_hydra (because I always run code from strangers as root on my machine; everyone knows strangers have the best candy). And that actually worked: Blue Hydra launched and ran just fine. In fairness, this may be a configuration issue on my machine, and not an issue with the software itself.

In playing with it, I’ve found that it does what it claims to do. Sort of. It’s been able to detect devices in my small lab environment with Bluetooth discovery turned off, which is impressive. I also like the fact that it stores data into an SQLite database; other Bluetooth scanning tools I’ve played with didn’t do that.

However, it seems to take a while to detect my iPhone; in some instances, it doesn’t detect it at all until I go into Settings->Bluetooth. Once I’m in the Bluetooth settings, even if I don’t make a change, Blue Hydra seems to pick up the iPhone. Blue Hydra also has totally failed to detect another smart phone in my small lab environment (and I have verified that Bluetooth was both on and set to discoverable.)

Now, to be fair, there may be some other things going on:

  • I’ve also observed previously that Bluetooth under Ubuntu 15.10 didn’t work very well. At all. So at one point on Saturday, just for giggles, I upgraded Project e to Ubuntu 16.01.1 LTS. And shockingly (at least for me) Bluetooth works much much better. As in, I can actually pair my phone with Ubuntu and do other Bluetooth related stuff that didn’t work with 15.10. That seems to have mitigated the discovery issues I was seeing with Blue Hydra a little, but not as much as I would have liked. (Edited to add 8/8: Forgot to mention: after I upgraded, I did have to rerun bundle install to get Blue Hydra working again. But the second time, it ran without incident or error, and Blue Hydra worked immediately aftewards (though it still required root).)
  • I was using the Asus built-in Bluetooth adapter in my testing. Also just for giggles, I switched Blue Hydra to use an external USB adapter as well. That didn’t seem to make a difference.
  • In fairness, Blue Hydra may be designed to work best with an Ubertooth One. The temptation is great to pick one of those up. It is also tempting to pick up a BCM20702A0 based external adapter (like this one) partly to see if that works better, partly because I don’t have a Bluetooth LE compatible adapter (and this one is cheap) and partly because the Bluetooth lock stuff is based on that adapter. (Edited to add 8/8: I’m also tempted by this Sena UD100 adapter. It is a little more expensive, but also high power and has a SMA antenna connector. That could be useful.)
  • It may also be that I have an unreasonable expectation. Project e is seven years old at this point, and, while it still runs Ubuntu reasonably well, I do feel some slowness. Also, I think the battery life is slipping, and I’m not sure if replacements are available. I’ve been thinking off and on about replacing it with something gently used from Discount Electronics: something like a Core i5 or Core i7 machine with USB3 and a GPU that will work with hashcat. Maybe. We’ll see. Point is, some of my issues may just be “limits of old hardware” rather than bugs.
  • And who knows? There may very well be some bugs that get fixed after DEFCON.

tl, dr: Blue Hydra is nice, but I’m not yet convinced it is the second coming of Christ that I’ve been waiting for.

DEFCON 24: August 7, 2016 updates.

Sunday, August 7th, 2016

The presentations on the conference CD are here, if you’re looking for something specific that I didn’t mention. I’m still going to try to provide links to individual presenters and their sites, simply because I believe those are the most recent and best updated ones. Just to be clear, I’m not trying to rip off anyone else’s work, which is why I link directly. I want to provide myself (and possibly other interested folks) with one-stop shopping for the latest versions of the things I’m most interested in.

This takes us into today. I’ve been at this for about an hour and a half now. I’m not proud. Or tired. But I do have some other things I want to do, and I think it is a bit early to expect Sunday presentations to be up. I’ll end this one for now, and see if I can do another update tomorrow. Also, I want to do a further write-up on Blue Hydra, possibly tonight, maybe tomorrow as well.
If you are a presenter who’d like to provide a link to your talk (even if it is one I didn’t specifically call out) or you have other comments or questions, please feel free to comment here or send an email to stainles [at] sportsfirings.com.

Random notes: August 6, 2016.

Saturday, August 6th, 2016

Two more obits: we were waiting for the NYT to do a David Huddleston obit. Now they have. And it includes a great photo of him and Cleavon Little from “Blazing Saddles”, too.

The role he said he relished most was that of Benjamin Franklin, which he played in revivals of “1776” on Broadway in 1998 and at Ford’s Theater in Washington in 2003.

Yeah, we can see that.

Also among the dead: Chris Costner Sizemore. “Who?” The actual woman who the book (and movie) The Three Faces of Eve was based on.

Her new marriage turned out to be not an ending at all; she endured a fragmented identity until the mid-1970s, seeing several psychiatrists after Thigpen and Cleckley, until, in the care of a Virginia doctor, Tony Tsitos, her personalities — not three but more than 20, it turned out — were unified.

By most accounts, for the last four decades or so, Mrs. Sizemore lived a productive and relatively serene life as a mental health advocate and painter. She died on July 24 in Ocala, Fla. She was 89. Her son, Bobby Sizemore, said she had a heart attack.

The sunny narrative of Mrs. Sizemore’s triumphant second act was called into some question in 2012, when Colin A. Ross, a psychiatrist specializing in dissociation, published a book, “The Rape of Eve,” in which he accused Dr. Thigpen of having exercised an unethical, Svengali-like influence over Mrs. Sizemore and manipulating her for nefarious purposes during and after his treatment of her ended. Dr. Thigpen died in 1999.

And by way of the Times, we learn of a new box set of “The Untouchables”.

From the Department of I Kid You Not (talking about the campaign against the show, which was considered excessively violent and anti-Italian by some):

One prominent defender was Ayn Rand, who, writing in The Los Angeles Times, characterized “The Untouchables” as “profoundly moral.” Ms. Rand was particularly taken with Mr. Stack. His “superlative portrayal of Eliot Ness” was, she declared, “the most inspiring image on today’s screen, the only image of a real hero.”

Yes, we are trying to work on the DEFCON updates.

Obit watch: August 6, 2016.

Saturday, August 6th, 2016

Joaquin Jackson passed away June 15 of this year. I did not learn of his death until I flipped through this month’s Texas Monthly at the grocery store today, and I’m not sure how I missed that. Brief tribute from TM. Statesman.

For those folks unfamiliar with Mr. Jackson, he served for 27 years as a Texas Ranger, from 1966 to 1993. His time as a Ranger spanned what I’d call the end of the old Texas and the beginning of the new Texas; the evolution from horses and cattle to technology. He retired in 1993, ostensibly because of his discomfort at changes taking place in the Rangers organization. (However, he states in one of his books that his reasons were actually more complex and personal than that.)

In 1994, he appeared on the cover of Texas Monthly as part of an article on the changes taking place in the Rangers. The cover made him an icon. He went on to do some private investigation work, and appeared in several movies.

Jackson was a member of the governing board of the National Rifle Association, once getting into hot water over remarks he made about assault weapons.
“I personally believe a weapon should never have over, as far as a civilian, a five-round capacity,” he told then-Texas Monthly editor Evan Smith in 2005. “If you’re a hunter, if you’re going to go hunting with a weapon, you shouldn’t need over but one round. So five rounds would be plenty. … Personally, I think assault weapons basically … need to be in the hands of the military and in the hands of the police.”
He later backpedaled from the remarks, claiming that he was talking only about fully automatic weapons and not about semiautomatic rifles.

I remember that controversy, and I’m convinced Jackson knew exactly what he was saying at the time and was covering his butt later. (If you doubt he knew the difference between fully automatic weapons and semi-automatic weapons, read Chapter 6 of One Ranger and then try to tell me otherwise.)

He also wrote two books. One Ranger is a damn fine book. I try to snap up firsts of this every time I find them, as I am convinced this will be seen as an important Texas book in the coming years. The sequel, One Ranger Returns, had a different co-author and is not quite as good, in my humble opinion. (There are some interesting things in it; mostly background from his family.)

In spite of my disagreement with him, I would have enjoyed meeting him and shaking his hand. I missed the chance, sadly: he appeared a few times as the Texas Book Festival, but I was never able to get down there on those weekends.

His passing leaves a hole that can’t be filled.

Mayors gone wild!

Friday, August 5th, 2016

The mayor of Stockton, California, was arrested Thursday and charged with felony eavesdropping, among other misdemeanor charges, related to a strip poker game that he allegedly played with teenage counselors at a camp for economically disadvantaged kids last year, according to prosecutors in neighboring Amador County.

In October 2015, Silva was detained at San Francisco International Airport upon his return from China, where Department of Homeland Security officials demanded that he hand over his electronic devices, including the passwords. He seemingly complied with their requests, but he publicly objected to how the matter was handled.

Would you like to take a guess what organization Mayor Silva belongs to? Ding ding ding! Yes, Criminal Mayors Against Guns is the correct answer.

silva

Screen snapshot, just in case this goes down the memory hole.

Meanwhile, in Virginia, the mayor of Fairfax City has been arrested in a meth-for-sex scheme:

Richard “Scott” Silverthorne, 50, was arrested as part of an undercover operation by police, authorities announced Friday. The scheme involved offers of meth in exchange for group sexual encounters with men, police allege.
Before his arrest Thursday, police claim Silverthorne provided the drug to undercover detectives at the Crowne Plaza Hotel in Tysons Corner.

In fairness to Mayor Silverthorne, while meth is a hell of a drug, he does not appear to be a member of Crooked Mayors Against Civil Rights. At least, he’s not currently listed on that website…

Edited to add 8/6: Well, he wasn’t listed on the website when I checked yesterday. But, according to Uncle, he does appear to be a Bloombergian shill.

DEFCON 24 notes: Hail Hydra!

Thursday, August 4th, 2016

GitHub repository for Blue Hydra.

I’m jumping the gun a little, as the presentation is still a few hours away, but I wanted to bookmark this for personal reference as well as the enjoyment and edification of my readers.

Edited to add: quick update. Holy jumping mother o’ God in a side-car with chocolate jimmies and a lobster bib! It runs! It works! Mostly. Kind of.

If I get a chance, I’ll try to write up the steps I had to follow tomorrow. Yes, this blog is my personal Wiki: also, while the instructions in the README are actually pretty good, I ran into a few dependency issues that were not mentioned, but are documented on Stack Overflow.

DEFCON 24: 0-day notes.

Wednesday, August 3rd, 2016

Another year observing DEFCON remotely. Maybe next year, if I get lucky, or the year after that.

The schedule is here. If I were going, what would I go to? What gets me excited? What do I think you should look for if you are lucky enough to go?

(As a side note, one of my cow-orkers was lucky enough to get a company paid trip to Black Hat this year. I’m hoping he’ll let me make archival copies of the handouts.)

(more…)

Quote of the day.

Tuesday, August 2nd, 2016

The first time I went to Boston was in 1989, for the Worldcon that year.

I clearly remember walking down Newbury Street and visiting a funky little mystery bookstore (and I remember Lawrence’s annoyance at me for purchasing mystery novels when we were attending a SF convention). I also remember walking into Avenue Victor Hugo Books and feeling like I was home. And I remember going up to the front counter and reading their mission statement for the first time. I don’t mind saying that it made me choke up a little bit.

Whenever I made it up to Boston after that (and I was lucky: I got up there several more times) I always visited Avenue Victor Hugo, mostly so I could pay homage to that mission statement. If they had made it available as a poster, I would have bought one and hung it in a prominent place in my home.

Sadly, they closed in 2004. I’ve tried in the intervening years to find the text of their mission statement, but didn’t have any luck until this weekend. Somehow, either I put in just the right combination of search terms for Google, or it indexed a previously un-indexed page, or something.

Anyway. Hattip on this to Confessions of a Mad Librarian.

This small outpost of civilization exists because a few people still believe in the essential freedoms guarded by the first amendment to the United States Constitution. Some people believe that government should define for us what we should be able to say, write, or read. Most people think there should be limits to such rights, but are unclear on who should have the power to dictate those limits. Most of our rights have already been traded away by those who prefer the safety of government control to the anarchy of individual freedom. Very few people understand the Faustian bargain they have made. This shop is dedicated to those who have rejected the bargain. It is open to those who might reconsider.