Category Archives: Pirate Party

App Privacy Workshop (Updated)

I gave an application privacy workshop at Code for Boston on Tuesday. They recorded my talk on Facebook:

and on YouTube:

I posted the slide deck as a PDF. Feel free to offer suggestions in the comments.

Some of the topics I need to add to the presentation:

  • highlight privacy and security testing;
  • having development/test servers and how to sanitize the data in the development/test database;
  • more about SQL/XSS Injection attacks;
  • review the video for other topics to add.

Patreon made it easier to troll its users

Scott Helme is an Information Security Consultant. He has a Patreon account on which he posts about computer security issues and which he uses to take in donations for each blog post. Recently he found out that Patreon suspended his account:

He could still post and people could still sign up to support him, but, taking a page from PayPal, Patreon prevented him from withdrawing any of the money people donated. Eventually, Patreon completed their investigation and emailed him that he was good to go. He eventually discovered that:

He estimates that account withdrawals were suspended for between 18 and 47 days.

Account takeovers are a real problem. Had his account been taken over, it would be good if the attacker could not take his money out, and notifying the account owner that it might be hacked could tip off the hacker. In that light, it could make sense to act as they did.

Having multiple other methods of contacting the user would have helped in this case, unless email, phone number and Signal were all compromised. Patreon would need to prove they are who they say they are, of course. Phishing is a problem as well.

That all said, going from one fraudulent pledge to account takeover seems a stretch.

But this incident reminded me of Violet Blue’s reporting in Engadget about a troll campaign against women ASMR video creators:

Capitalizing on entrenched and easily exploitable anti-sex policies by internet giant payment processors and a new internet sex panic ushered in by FOSTA, 8chan trolls have started a campaign to mass-report attractive women who make ASMR videos. Listing names of women making these sound-effect videos in a forum thread called “PayPal lowering the hammer on ASMRtits” they’ve declared war by posting links to report pages for PayPal, and called upon fellow haters to get the women kicked off YouTube and Patreon as well.

… and that Patreon just added another method for trolls to harass Patreon’s users. If all it takes is for one fraudulent-looking donation to pass into someone’s account to flip the Account Hacked bit, trolls will use Patreon’s process to suspend a user’s ability to withdraw their money for two to six weeks. That would screw up the life of anyone who makes a living via Patreon.

Patreon has more than a customer service problem.

Vote Today

I posted this over at the Massachusetts Pirate Party blog.

Election day is today. Polling places are open until 8pm. You can find your polling place at WhereDoIVoteMA.com.

If you believe you are registered, but you aren’t listed on the voter rolls, don’t walk away. The law says you can demand a provisional ballot and get a receipt. Follow up after the election to make sure they count it, but your vote cannot be counted if you didn’t cast it.

When you vote, we ask you to vote yes on Questions 1 and 3 and support any third-party candidate you agree with. You can find out more about the ballot questions below.

As always, we are looking for candidates for the 2019 town and city elections. If you are interested in running, fill out our supporter/candidate form.

More on the ballot questions

Question 1 would set the maximum number of patients per registered nurse which would vary by type of unit and level of care. Our increasingly corporate-controlled health care providers are against it as it would harm their profits. Send them a message that people deserve decent healthcare and vote yes.

Question 3 prohibits discrimination on the basis of gender identity in places of public accommodation. The legislature already approved it, but some anti-trans bigots believe that our fellow trans citizens and residents do not deserve equality and are using lies and fear mongering to try to get their way. Don’t let them win; vote yes.

On Question 2, we have not decided. Question 2 would create a citizens commission to advance an amendment to the United States Constitution to limit the influence of money in elections and establish that corporations do not have the same rights as human beings. We do not believe that corporations should have the same rights as individuals and I agree that we need to remove the corrupting influence of money in politics. Considering the influence of the rich and corporations on both major parties and on politics, it is pretty clear that once we open up any citizens process to amend the US Constitution, the rich will do their best to rewrite it in ways that enshrine their power and ideas. What is your opinion? Tell us in a comment below.

The Massachusetts Elections Division has more information on the ballot questions.

Hate your ISP? Help form a community ISP

Today, during the monthly Somerville Cryptoparty, there will be a discussion on how we can move forward with developing a community mesh network in the Boston area. It will be from 6-9pm at The Sprouts, 339R Summer Street, Somerville. The Sprouts is in the garage in the back of the driveway. Unfortunately, it is not wheelchair accessible.

On Saturday, February 10th, there will be a Community Meshnet Workshop from 1-4pm at the Somerville Public Library, 79 Highland Ave, Somerville. The Somerville Public Library is wheelchair accessible. The Somerville Cryptoparty folks put together this flyer for the February workshop. I would appreciate it if you downloaded it and put it up around your neighborhood. You can also share the Somerville Cryptoparty page or the February Facebook event.

Hope you can make it and please spread the word about these events. Thanks!

Counting the days to Chelsea Manning’s freedom

Originally posted at the Massachusetts Pirate Party blog.

I learned recently from Susan McLucas, a long-time local activist for Chelsea Manning, that President Obama commuted Chelsea’s sentence. She will be released from prison on May 17th. I think I speak for most, if not all, Pirates that we are very happy and relieved that Chelsea will be free in four months.

Thanks to everyone who kept up their support for her and indeed increased it. I personally appreciate the effort of the Chelsea Manning Support Network, Evan Greer, Fight for the Future, Susan McLucas, Veterans for Peace, Pirate Parties and their supporters world-wide, the EFF, ACLU and the millions of people who advocated for her freedom.

Chelsea emerging from prison on May 17th will be a glorious day. However, our support for her must not end on that day. She will continue to need our help against those engaging in character assassination, whether trolls or politicians. After so many years in prison and solitary confinement, being free again will come with its own challenges.

So savor this day and the days ahead, for this one act relied on the support of so many and yet again proves that we are more powerful together.

Solidarity forever.

Vote Aaron James for State Representative

On election day, November 8th, in the next ward over, the Pirate Party is running Aaron James for the 27th Middlesex State Representative district. He is continuing the tradition started by fellow Pirate, Noelani Kamelamela, in 2014.

If you have time this weekend to help flyer or time on election day to stand out or poll watch, please email his campaign or contact them at their Facebook page.

If you are in the neighborhood join us on election night to celebrate.

Thanks!

Visualizing Clinton Emails As A Means of Investigating the Future

The MIT Media Lab Macro Connections group created a data visualization tool for the Clinton/Podesta/DNC emails that Wikileaks made available. It is well worth a look. Thanks to Saul for bringing this research to my attention.

Cesar A. Hidalgo, the professor on the project, wrote about what he learned from it. A few quotes stood out for me:

These emails are relevant because Clinton was a person in charge of doing a security job, and anyone working on a security job is not supposed to communicate using an unsecured or unauthorized channel. This should be obvious, since each extra channel of communication increases the vulnerability of the system by increasing the probability that messages are intercepted. So the reason why Clinton’s emails are a big deal is because a person in charge of security should not be using an unsecure channel, and those who argue from that perspective have a valid point. The fact that the emails were hacked and exposed validates that point.

Which gets to the point we (the Pirate Party) made when the Podesta emails first came out, since, in a sense, we are all in charge of our own security:

As a Pirate, I found professor Hidalgo’s statement that his motivation for this effort “comes from my support for a society where people have direct access to relevant sources of information through well-designed data visualization tools” aligns well with my own philosophy. We cannot know what our government and our representatives are doing in our name without access to the information they have, presented in a way that people can intelligently make their own assessments of it.

In thinking about how we increase people’s power over our government, I found this statement interesting as well:

So what I got from reading some of Clinton’s email is another piece of evidence confirming my intuition that political systems scale poorly. The most influential actors on them are spending a substantial fraction of their mental capacity thinking about how to communicate, and do not have the bandwidth needed to deal with many incoming messages (the unresponded emails). This is not surprising considering the large number of people they interact with (although this dataset is rather small, I send 8k emails a year and receive 30k. In this dataset Clinton is sending only 2k emails a year).

Our modern political world is one where a few need to interact with many, so they have no time for deep relationships — they physically cannot. So what we are left with is a world of first impressions and public opinion, where the choice of words matters enormously, and becomes central to the job. Yet, the chronic lack of time that comes from having a system where few people govern many, and that leads people to strategize every word, is not Clinton’s fault. It is just a bug that affects all modern political systems, which are Ancient Greek democracies that were not designed to deal with hundreds of millions of people.

In my mind the solution to this issue is to set up systems so that people are able to make more decisions about government. Not faulty marketplace democracy with its one dollar, one vote, but true democracy of one person, one vote. Proportional representation instead of winner-take-all elections. Sadly, I find many adherents of the two old political parties don’t get this. We have a long road to travel until we get there, but we will.

GoPro as computer virus infection vector

I came up with an idea of using a GoPro to infect someone’s computer with a virus. A quick search didn’t turn up anything specifically about it, though GoPros have been hacked to be surveillance devices:

For what it is worth, the idea is below.

Why

Your target is someone who has decent computer security procedures: doesn’t trust random USB sticks, keeps the OS up to date with security patches, has good passwords.

What is needed

  1. A person to appear to be assaulted.  Considering a GoPro is involved, a bicyclist would be ideal. The person assaulted has to be someone the target will identify with and want to help;
  2. One or more people to assault the first person. My guess is that it would work better if they were police or appeared to be police;
  3. A hacked GoPro that can infect the target’s computer both via the SD card and the firmware via the USB port;
  4. A tote to encourage the target to take the GoPro and report the assault.

The process

  1. Stage the assault where very few people can witness it, but the target will be;
  2. Person assaulted wears the GoPro on a hat (or more likely helmet) and records the assault;
  3. Person assaulted is taken away, but the hat/helmet with the GoPro is knocked off the person’s head and left behind;
  4. Target, seeing the assault picks up the GoPro, takes it home. If target is reluctant to take it home, tote encourages them;
  5. Once home, target plugs in the SD card or GoPro via USB and is infected.

Not to say that this method will always be successful, but it could work for certain targets. Something to keep in mind if you think you could be a target.

So if any Hollywood studios, spy agencies or criminals want to use it, remuneration is not expected, but attribution is always appreciated.

Interviewed by the Weekly Dig about Galvin, third parties and real FOIA reform

I was recently interviewed by the Weekly Dig about Secretary of State Galvin’s statement that a vote for a third party is a waste. Obviously I disagree with him. You should read the whole article, but here is a choice quote:

“Massachusetts needs the breath of fresh air that only third parties can provide … We need a government that automatically puts public records on the web, where the public can easily find and review them. We need a government that carries out the people’s business in sunlight, not behind closed doors.”