Idea: National, Regional and Amateur Hackathon Teams

Here is a cool idea that could be supported either by government or big business.

Similar to sports teams, a series of leagues is set up by way of a series of Hackathons in each major city, with the initial outcome of the first match being a regional team of 10 winners for each region or city, say $10,000 each.

Photo: TechCrunch

The next year, do the same thing again, this time generating a 'Regional B Team'. About a month or two later the regional teams could do battle in a remote nationwide Hackathon, to create the national team. The All Green Screens / Call Blacks / All Black Hats or similar. In the time between the matches, the teams and their manager may be able to promote a couple of players from 'Regional B' by swapping an existing player with the new one. Likewise the 'Regional B Team' would have some chance to swap out a couple of players for amateurs who did well in the regional heats.

In the third year, it goes international, by way of the internet, no actual stadium is required. The regional heats are the only Hackathons that have a physical presence. This is because of an interesting trend in Hackathons worldwide.

The national team is encouraged to play in global Hackathons, which we'd own if we are allowed to compete as a team not as individuals:

Making A Living From Professional Hackathons

Makers Against Drought Hackathon
Sponsored by Samsung, this hackathon is designed to help solve California’s water crisis.
Winner: $90,000 cash prize
Finalists: $10,000 cash prize for 10 finalists

GlobalHack IV
This hackathon was sponsored by LockerDome. GlobalHack hackathons often offer large cash prizes.
Winner: $30,000 cash prize
Finalists: $15,000, $5,000 and $5,000 for runners-up

Launch Hackathon
Last year, there were two top prizes of $800,000. This is run as part of the regular Launch startup event. Winning includes some serious business connections.

The Money20/20 Financial Tech Hackathon
This hackathon is geared toward financial, payments, banking or investment-based tech. The grand prize was $20,000 in cash, and it was given to four teams. The $5,000 prize was given to five teams. The pure odds of winning were 9 out of about 155 teams, or a 5.8 percent chance.

RootsTech Hackathon
RootsTech is about promoting the use of family history in a creative way.
1st prize: $20,000 in cash, $25,000 in-kind
2nd prize: $14,000 in cash, $15,000 in-kind
Judge’s choice: $6,000 in cash, $10,000 in-kind
People’s choice: $10,000 in cash

IBM Spark Hackathon
IBM has been sponsoring lots of hackathons to promote their BlueMix cloud platform and Spark investments.
1st prize: $15,000
2nd prize: $7,500
3rd prize: $5,000
Plus various smaller prizes.

List of Hackathons sourced from the TechCrunch article: https://techcrunch.com/2016/01/24/living-off-hackathons-the-possible-rise-of-the-pro-hacker/

The Infamous Digital Marketing Algorithms That Shape Internet Traffic

An abstract of my lecture today at the Testingmind conference

I really enjoyed being part of the first ever event like this put on by a truly international company. I'd like to thank Ipsita, Kunal, and Kishore for finding me, reaching out, believing in me, even when at one point, I could hardly believe it myself! Testingmind is a consulting and workforce development organisation helping its clients and customers to optimise IT-intensive processes through consulting, training and live summits. Specialising in coaching software companies in implementing the Agile method of project management, they also host a huge number of training events worldwide.

The following is the abstract I wrote for my talk.

Digital Marketing Summit 2019

Algorithms are mathematical formulas forming the heart and brain of software functionality. High volume Internet sites like Google and Facebook have no option but to implement extreme levels of automation, because manual processing would be a much more expensive option, and not scalable or sustainable long term. Understanding these algorithms is essential in the world of digital marketing in 2019, in order to leverage their benefits and avoid their penalties.

Tom Atkinson from Tomachi Corporation explains what shapes the traffic from organic search, pay per click ads, social referrals, email spam, and recently, the flow of cash from advertisers to social media influencers, by these secret software programs. I’ll explain why so many Hip Hop tracks include references to Alizé and we can discuss ideas and theories on what metrics advertisers check on before paying the next YouTube celebrity to hype their product!

Understanding what the platforms are trying to achieve in future is often a better approach than chasing after where they have been in the past. Google Quality Score is there to keep both the searchers and the advertiser happy, removing low quality ads, and sometimes not showing any ads.

INFAMOUS ALGORITHMS covers buzzwords such as Google PageRank, Facebook EdgeRank, Yahoo TrustRank, SEOMoz MozRank, Google Ads Quality scores, search ranking signals, web spam and email spam detection, duplicate content and canonicalization, social authority signals, Klout, Skorr, StackExchange Flair, and Quora Stats. If there is time and interest, I may also cover how website speed and mobile usability affect traffic sent to your site from Google and how to fix it.

Fast Reboot Mac

Here is an app I wrote to restart or shut down a bit faster, or for when picking Apple -> Restart isn't working for some reason, since I prefer not to do a hard reset by holding the power button down. It uses a root shell command 'sudo shutdown -r now' to achieve its magic, combined with an AppleScript to rapidly log you out without saving changes! Click the big hand to download Fast Reboot Mac.


Fast Reboot macOS

The only known bug is actually a bug/feature in macOS: when your computer has come back up, macOS will ask you if you want to open Fast Reboot Mac again. Don't do that. It will reboot again, as that's all this app does. You see now?

That's one app you don't want to re-open the next day!

If you are curious or distrustful, you can inspect the scripts by right-clicking the app and choosing Show Package Contents.


Give Huawei A Chance re: Spark 5G

According to the NZ Herald Spark has been warned of an impending Huawei ban by the GCSB!

Personally I'd like to see the evidence. They have delivered wireless in NZ and Australia for nearly 15 years.

Also, I'd rather our country reject them due to technical reasons rather than just racism/protectionism (if that's what it is).

If the equipment would pose a risk, what is it please? I'd love to know, I like that kind of detail. I heard it was more about vulns than backdoors.

Look, while I'm 100% open to the idea that Huawei routers and network equipment are crappy, vulnerable, flawed, remotely exploitable etc., I feel this move by , is jumping the gun. To be fair I can understand sensitive networks running "allied country routers", but we missed a good chance to learn what makes a good router. We don't make routers here in New Zealand, so I guess it must be due to our yankee spy friends and Cisco et al.

Basically it's protectionism for US companies. Then again, cellphones definitely give you cancer and make you infertile as a man, so perhaps slowing down a little is a good thing? Recently I found out that America either lied when it said they found backdoors in their routers, or the NSA never provided the evidence to prove it.

Brislen added that the national security concerns surrounding Huawei look like "smoke and mirrors", with no hard evidence in public that scenarios such as data exfiltration to China or national-scale "off switches" are feasible. Source: The Register

Here's another story from The Register about how they lose a jury trial about a robot "trade secret" that wasn't even secret nor innovative.

China has flaws and its government sucks. But that's no reason to be racist or mean to Chinese companies. This is the perfect time for Telecom and Huawei both to offer to:

  • offer ablated chips for micro-photographic inspection
  • offer binary disassembly code for inspection
  • possibly even offer the source code up to inspectors
  • generally prove there are no back doors in the router

In my quest to end unreasonable government secrecy, I feel Huawei needs a fair trial, because it would put to the test our ability to understand what network security actually means. Rather than just ban it because it's from China, let's ban it for technical reasons and use those to hone our skills of analysis to apply to the other routers from Europe and the USA, or even a Linux one.

In Other Communist Related News

Recently a report came to light that says at least 10,000 were killed in the Tiananmen Square Massacre in 1989.

Tiananmen-Massacre

China is one of the most evil countries in the world = Tiananmen Massacre

"Students linked arms but were mown down including soldiers. APCs then ran over bodies time and time again to make 'pie' and remains collected by bulldozer. Remains incinerated and then hosed down drains," said Mr Donald.

"Four wounded girl students begged for their lives but were bayoneted," he added.

Here is the top 100 NZ Government pages on Google about Huawei... a snapshot in time before it all goes to custard...

How to detect if a keylogger has been installed on your machine

A keystroke logger is the worst kind of malicious software (malware) you could possibly hope to be infected with. Why? Because it could be recording each key you type and sending it to a central server, which would include your messages and username passwords!

This is why in some cases a password manager can make your machine more secure: because you are typing your passwords less, if somehow you got an infection it would have less impact.

That point is debatable, however. Since one needs to be root to install one, it's a good reason to have a guest account enabled on your computer if you ever plan to let a bad-ass criminal use it for 5 minutes while you're making a cup of tea or similar.

How To Not Get A Virus Infection

  • Before double-clicking, check you trust the source of the executable
    • Check the domain name, the person who sent etc
  • Provide to guest users a regular low-privilege user account
    • If a stranger needs to use your machine when you are not around, this will prevent most badness if it's not an admin account
    • Saved my ass at least once, I know this much
    • Helpfully, this also logs all your web sessions out

How To Detect Keystroke Logger Installation

It's actually quite difficult. I'm going to look into it and update this blog later when I find out more. If you want to take a snapshot of all your system kexts try running Syntella (macOS only presently) then you can search through the report with a text editor to try to find anything that is amiss.

If you're on Windows you could try checking this link:

answers.microsoft.com/...how-to-detect-if-a-keylogger-is-installed/... 

 

 

Social Welfare for Kiwi Infotech

Security is always a "nice to have" feature but how does a busy business owner get it done?

It's virtually impossible for one person to do this type of military strength hacking job. The time and effort required is highly non-linear and almost impossible to predict.

It would be cool if the government would tell you if your website was insecure. But they'd prefer to keep the back door in case they need it later. Just kidding, CERT has very useful advisories over at cert.govt.nz/it-specialists/advisories/ But they can only do so much.

Bug Bounty Programs != Complete Solution

At first, only the super large software companies like Google and Facebook could afford bug bounty programs, but today 93 companies are listed at bugcrowd.com/programs

Not all companies with websites need super strong security like this: nation-state level quality network operations. But the citizens of the country would likely hope their government has a plan to protect its own computers, and also a plan to make sure important industries such as banking, finance, healthcare and legal aren't leaking huge quantities of data everywhere.

But it's not a complete solution - it's an extreme solution for a super technical area actually - and perhaps not the first solution for a medium sized business dabbling in hardening its networks.

False intrusion detection positives are a mega waste of time.

Bruce puts it nicely over at his page on the subject:

Here's an outsourcing idea: get rid of your fleet of delivery trucks, toss your packages out into the street, and offer a reward to anyone who successfully delivers a package. Sound like a good idea, or a recipe for disaster?

The reality is that it comes down to branding: if the brand would be harmed by being the victim of a really big hack or data breach, then it puts more effort in. This works pretty well for infosec products. And for the times when it doesn't, I'm not suggesting forcing anyone to start a bug bounty program.

People would still eat pizza at a joint which has a haxored network, but they might not want to visit a doctor or use a lawyer whose network was wide open, with file servers leaking everywhere etc.

I'm wondering if it would be possible to have a kind of social welfare for hackers government ministry, which pays kiwi researchers for their efforts pertaining to New Zealand headquartered companies directly, without needing the approval of the target company, whose head is likely in the sand anyhow.

Create an extra information stream for CERT. Banks, lawyers, doctors: instant fines for leakage events. I'm looking at ACC; remember they had multiple screwups involving a CMS that could fire out emails in bulk, operated by staff!

Remember NOVAPAY? It's probably riddled with bugs, and y'all know what that means. No incentive to find the bugs.

Or perhaps an approved proxy one could "hack all the NZ things" through but still be contactable by the authorities. Recording the traffic to disk temporarily would enable maximal value and help the researcher prove if they succeeded or not to claim the bounty reward.

Sometimes I just want to be sure my own bank is safe. Personally.

When the network admin sees the penetration test coming from a New Zealand based IP address - on a government subnet even - they'd visit the IP address and see a message to say it's all legit. Usually when you are being hacked you can't contact the other side like that. This would be different.

Crowd-sourced security outfit Synack use this method. It's required because sometimes there is a dispute about payout of the bounty to the successful researcher - how do you prove such a thing?

Also I hear in the US researchers found a remote-execution jailbreak for iOS and instead of collecting Apple's $200,000, they opted for a way bigger million-plus payout: motherboard.vice.com/.../somebody-just-won-1-million-bounty-for-hacking-the-iphone

Unauthorised Use of a Computer System

I'd like to be able to scan and probe the entire country to find vulnerable machines, as a pre-sales market research information gathering exercise. To build a list of companies at risk to contact and sell my security services to.

But some parts of that probe may be deemed unauthorised access - if done here in NZ. It would need to be carried out in another country, and then it would not be investigated further; if I understand the "prosecutorial budget" allocation methods we use here, it would be deemed too hard to bother looking into. Unless coming from a Five Eyes country, they might find it hard to get at you.

You left your headlights on

For sure, having every doorknob in your house jiggled would be unnerving to watch, even if it's somewhat equivalent to that friendly neighbour telling you your car headlights are still on so you don't flatten your battery: trying to help. But then visiting the probe IP and reading the message would allay fears and maybe even boost confidence. Free network virus check. 🙂

The reason for high standards of evidence in criminal courts and the use of the presumption of innocence, is that it is better to have criminals roaming free due to lack of evidence, than to have innocent people locked up in jail wrongly - just because they looked at your computer the wrong way. You'd need a lot of jails and the economy would suffer. Sound like any country in 2007? Tame Iti is an artistic genius not a terrorist.

HIPAA is the Health Insurance Portability and Accountability Act of 1996 and is United States legislation that provides data privacy and security provisions for safeguarding medical information.

PCI Compliance is the payment card industry code to ensure payment processors use best practices.

CERT and The NZ Police should provide revenge-porn victims their file hashes

They often say the internet has no delete button.

It's a very useful analogy to explain to new users of the internet the gravity of certain areas of their personal computer and information security: maybe think twice before uploading semi-sensitive information, and three times for anything more secret. Once it's on the internet it can be hard to delete.

How to delete files from the internet:

One way could be to create a "hash" of the file you want gone from the internet, and then you know what you don't want to know, without knowing it! Amazing. Example time:

Assume the file is named horrific-revenge-porn.jpg

The following hashes (random-looking scrambled strings derived from the picture of an idiot) can be used instead of the actual offensive / suppressed original file data - which makes sense if you are trying to delete the file, not to hold it! They can be given to administrators to guarantee a system does not have a copy of the file:

Horrific revenge porn

sha256: c8b3c2a03380f577fa9d6b67ee15e40a9f8f9a076073ea56e5b5adb2e9ffe32c
md5: 79768d44c2aca6ed68d8157130265c05
crc32: b5513fdf
bytes: 50323

For the very most extreme cases, involving criminal contraband information such as the unfortunate case of the kiwi man from Hastings sentenced to 4 years for secretly filming his female Airbnb guests, CERT and The NZ Police should offer to provide file hashes to the victims of criminal data breaches like revenge porn and so forth.

This would enable the following desirable privacy benefits:

  • ensure the banned files are not held on owned computer systems
  • securely provide the means for others to also do so
  • nothing about the file's contents can be said from looking at the random letters
  • a registry of illegal files would help large ISPs to keep their disks clean
  • an infinitely large file - even a 50 GB file - is reduced to a short piece of text
  • it's not encryption - it's an irreversible scrambling of any file to a set sized chunk of gibberish

For example, let's say this picture above is some revenge-porn you made once but was posted by your evil ex-partner or stalker, and now you'd like it gone from the nets; in theory if you put the file hashes into a government registry, one day ISPs can do seasonal scans and wipe matching files.

China likely does this to laser target and delete entire sections of the internet from its citizens. They probably have scanners running 24/7 to find old shots from the Tiananmen Square Massacre - and perhaps even this new shot - this time the guy is flat as a pancake after being literally "rolled" by a tank:

China Rogue State

SHA256 is the current state of the art. You can get SHA512 also, but it's twice the length.

MD5 was huge for a very long time. Popular for verifying big .iso files after downloading.

CRC32 is not a hash, but it's a checksum maintained by your computer on the disk that can also be used in a similar way. It will detect a single bit change, but unlike a true secure hash, you can pad the altered file to get the same CRC32 for a different file easily (if you add a bit, then delete a bit also, it is just each byte added together essentially).

Collisions

While it's theoretically possible for two different input files to create the same hash - a hash collision - if you use two or more different hash types like the ones above, or even just also include the filesize in bytes (50,323 bytes in this case), you eliminate the false positive potential.

Also, any large ISP isn't going to want to automatically delete files based on just one parameter. For use by a sovereign national police force I'd recommend using all four: bytes, crc32, md5, sha256 plus a category eg: kid-porn, espionage, credentials, financial, medical/health, military, government, personal privacy, government, education, entertainment (here we hit a snag: the copyright industry).

Because a hash changes completely with even a tiny single-bit alteration to the input file, getting a hash collision is going to require a wildly different filesize, say 50 KB versus 50 TB!

The commands to get this on my mac were:

shasum -a 256 [bad-file.jpg]
md5 [bad-file.jpg]
crc32 [bad-file.jpg]
ls -la [bad-file.jpg]

What's nice is that you can double check your hash using a different program, openssl:

openssl sha -sha256 [bad-file.jpg]

Now you can quickly compare huge files without transferring them; and detect tiny alterations to big files.
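As an added example (not code from the original post), here is the registry check described above in Python: it computes the same four values the commands produce (bytes, crc32, md5, sha256) from file contents only, requires all four to agree before a file is flagged for removal, and treats a partial hit as something for a human to review rather than auto-delete. The sample file bytes and the registry are constructed for the demonstration; the second registry entry is transcribed from the values listed in the post and will not match the constructed sample.

```python
"""Four-parameter file fingerprint registry check (added example, constructed data)."""
import hashlib
import zlib
from dataclasses import dataclass, asdict

# Only these three carry evidential weight; a size match alone means nothing.
HASH_FIELDS = {"crc32", "md5", "sha256"}


@dataclass(frozen=True)
class Fingerprint:
    size_bytes: int   # as from `ls -la`
    crc32: str        # 8 hex chars, as from the `crc32` command
    md5: str          # 32 hex chars, as from `md5`
    sha256: str       # 64 hex chars, as from `shasum -a 256`


def fingerprint(data: bytes) -> Fingerprint:
    """Compute the four values from raw contents; the filename plays no part."""
    return Fingerprint(
        size_bytes=len(data),
        crc32=f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        md5=hashlib.md5(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
    )


def matching_fields(candidate: Fingerprint, entry: Fingerprint) -> set:
    """Return the names of the parameters on which the two fingerprints agree."""
    a, b = asdict(candidate), asdict(entry)
    return {name for name in a if a[name] == b[name]}


def check_against_registry(data: bytes, registry: list) -> dict:
    """registry: list of {"fingerprint": Fingerprint, "category": str}.

    'remove'  -> all four parameters match one registry entry
    'review'  -> at least one hash matches but not everything (likely a
                 transcription error in the registry, or a collision): a human
                 decides, the ISP does not auto-delete
    'clean'   -> no hash matches at all
    """
    fp = fingerprint(data)
    best = {"verdict": "clean", "category": None, "matched": set()}
    for entry in registry:
        hit = matching_fields(fp, entry["fingerprint"])
        if len(hit) == 4:
            return {"verdict": "remove", "category": entry["category"], "matched": hit}
        if hit & HASH_FIELDS and len(hit) > len(best["matched"]):
            best = {"verdict": "review", "category": entry["category"], "matched": hit}
    return best


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with one bit toggled, to show how every hash changes."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


# Constructed stand-in for the image bytes (1056 bytes); not a file from the post.
SAMPLE_FILE = b"constructed sample image bytes: " + bytes(range(256)) * 4
ALTERED_FILE = flip_one_bit(SAMPLE_FILE, bit_index=777)

# Constructed registry. Entry 2 carries the values the post lists for its example file.
REGISTRY = [
    {"fingerprint": fingerprint(SAMPLE_FILE), "category": "personal privacy"},
    {"fingerprint": Fingerprint(50323, "b5513fdf", "79768d44c2aca6ed68d8157130265c05",
     "c8b3c2a03380f577fa9d6b67ee15e40a9f8f9a076073ea56e5b5adb2e9ffe32c"),
     "category": "personal privacy"},
]

if __name__ == "__main__":
    print(check_against_registry(SAMPLE_FILE, REGISTRY))   # verdict: remove
    print(check_against_registry(ALTERED_FILE, REGISTRY))  # verdict: clean (same size, all hashes differ)
```

Run it as a script to see the two verdicts; the single-bit change keeps the size identical but changes crc32, md5 and sha256, so nothing but the size agrees.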

Syntella macOS Forensics Tool

Download: Syntella.app.dmg

Syntella (Download) is an open-source macOS forensics tool that creates a text file report telling you exactly what's running on your system: open connections, services, network connectivity, disks, USB, and global ping time network checks. It takes about 5 minutes to run and gives you a text file with a timestamp that you can "diff" against earlier files to see changes easily.

It's designed for advanced Mac users to check their system is safe, and for regular users to peruse and give to an expert for help. View the example report.

It is licensed as open source via the Apache 2.0 license, and the source code is available (click Syntella.sh to see what it's doing behind the scenes).

I capture a copy of all the reports via encrypted link to tomachi.co

In exchange for your use of the software I am collecting its output presently; this can be disabled for a fee.

At this time I do not have automatic deletion of reports set up, but they are at difficult-to-guess web URLs only reported in the app and not linked from any places online. If the app becomes popular I'll begin deleting reports on a daily rotation to ensure privacy but still give time to download.

Privacy Sensitive Categories Collected:

The labels but not the contents of:

Wifi names, machine name, hardware serials (no software is checked at all), MAC addresses, processes, programs, ports, servers, services, disk free, network connections, open files, routing tables, users logged in, tunnels, mounted volume names.

We don't capture any user files or filenames, unless they are open. So consider which websites you visited just before running it. Netstat will still show closed connections for at least 2 minutes after closing, due to the CLOSE_WAIT and TIME_WAIT states of TCP/IP.

This app collects a bunch of

Run from compiled Application (easy)

Download the app .dmg tomachi.co/syntella-uploads/Syntella.app.dmg

Run from source code (advanced)

Since this is security software, it's open source. You can read it and see everything it does. But you will need to also install:

  • homebrew
  • git
  • curl
  • nmap

This shell script will run a range of diagnostic tools against your machine. To install it enter at the terminal:

git clone https://github.com/tomachinz/syntella/ ~/syntella

Then to run it use:

~/syntella/syntella.sh

Or just double click the syntella.sh file icon.

To receive updates type:

cd ~/syntella/

git pull