A new game in town: Siberian Dice aka 37.6

Lame Heron has released a wonderful board game: embarrassingly simple, yet tremendously rich in strategy. It is an ancient game played by indigenous tribes of Siberia that were isolated from the rest of the world for millennia, and it remained undiscovered until recently. Having been invented and developed in nearly complete cultural isolation, the game employs mechanisms that are very alien to a player of «western» origin. The mathematical and physical substance of the game is not from a parallel universe (it is still cubical dice and a hexagonal board, well known to everybody), but the dice are used in a very unorthodox manner: they are the randomizers and the moving pieces at the same time. The goal of the game is also surprising and falls into none of the usual categories; it is not a «capture» goal, nor an «advance to» goal, nor a «connect» goal, not even a «dominate» goal, yet it is a very simple condition that follows clearly from the rules and is easily read off the board.

How many capital letters does your password contain?

Do you really, I mean really, believe that computers are afraid of capital letters? And punctuation? Don't tell me that you want to scare off people, not computers; that would be even more ridiculous, given a second thought.

How would you feel if a service provider asked you: «please include at least three capital letters, seven underscores, and the number thirteen in your password»? Weird? You had better adjust your attitude. The first ingredient is already required by some; more will follow soon.

Seriously, have you ever tried to think about why all those «password choosing» policies are so ridiculous and stupid? Are they as beneficial as people believe?

The serious answer to the question is given in my new paper on password authentication, arxiv.org/abs/1505.05090; its summary is as follows: «Password policies are futile, because they have no formal mathematical foundation at all, and this is why they are all as ridiculous as homeopathy».

Here I want to present some fun aspects of the problem.

The two most prominent protagonists of computer security, MS and Google, directly contradict each other:

DO NOT USE:
Common letter-to-symbol conversions, such as changing «o» to «0».
USE:
similar looking substitutions, such as the number zero for the letter 'O'
No one notices. Both password creation policies are equally respected. Who are we to doubt the Wisdom of the Titans!?
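To put a number on the contradiction, here is an added example (my code, not from the post or the paper) that enumerates the spellings a rule-based cracker derives from a dictionary word under a small, assumed substitution table, and compares the keyspace gain with that of simply appending characters. The LEET table and the word list are constructed for illustration.

```python
"""Added example: how much does a letter-to-symbol substitution buy?

LEET below is an assumed, illustrative subset of the substitution rules every
rule-based password cracker ships with; a real rule file is larger, which only
makes the point stronger.
"""
import itertools
import math
from typing import Iterable, Set

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}  # assumed subset


def variants(word: str) -> Set[str]:
    """All spellings a cracker tries from `word` when each substitutable
    letter may be left alone or replaced according to LEET."""
    choices = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    return {"".join(p) for p in itertools.product(*choices)}


def substitution_multiplier(word: str) -> int:
    """Keyspace growth factor the substitutions add on top of the base word
    (2 ** number of substitutable letters)."""
    return len(variants(word))


def substitution_bits(word: str) -> float:
    """The same gain in bits: log2 of the multiplier (4 substitutable letters -> 4 bits)."""
    return math.log2(substitution_multiplier(word))


def length_bits(extra_chars: int, alphabet_size: int = 26) -> float:
    """Bits gained by appending `extra_chars` uniformly random characters
    drawn from an alphabet of `alphabet_size` (26 = lowercase letters only)."""
    return extra_chars * math.log2(alphabet_size)


def cracked_by_rules(candidate: str, wordlist: Iterable[str]) -> bool:
    """True if a dictionary attack with the LEET rules produces `candidate`,
    i.e. the substitution added nothing against this attacker."""
    return any(candidate in variants(w) for w in wordlist)


if __name__ == "__main__":
    wordlist = ["password", "letmein", "sunshine"]  # constructed sample dictionary
    for w in wordlist:
        print(f"{w!r}: {substitution_multiplier(w):3d}x = {substitution_bits(w):.1f} bits")
    print(f"one extra random lowercase letter: {length_bits(1):.1f} bits")
    print(f"two extra random lowercase letters: {length_bits(2):.1f} bits")
    for cand in ("p@$$w0rd", "sunsh1ne", "correcthorse"):
        print(f"{cand!r} cracked by rules: {cracked_by_rules(cand, wordlist)}")
```

«password» has four substitutable letters, so the whole substitution game is worth at most 16 candidates, or 4 bits, against an attacker who already has the word; two extra random lowercase letters are worth 676 candidates. Whether a policy says «use o→0» or «don't use o→0» therefore moves the needle by a constant factor either way, which is the sense in which neither rule rests on anything.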

The Titans also teach us that there is an inherent contradiction between security and memorability. Of course, the Titans do not condescend to prove their claims; we are supposed to make a leap of faith. I don't have faith, I need a proof, or at least some evidence supporting the claim. Here is the claim:

Human memory is limited and therefore users cannot remember secure passwords.
Call me when you find any evidence of that.

RTB on fingers

RTB (Real-Time Bidding) is a mechanism for monetizing traffic at the highest available price, or for selling the traffic that an ad network cannot monetize itself. It can be compared to a large auction in which one ad network is the auctioneer and all the others are participants: the auctioneer announces a lot, some participants place bids, and the bid with the highest price wins the lot.

Auction

On positive impact of ransomware on information security

I truly hate that I need to write this. And I feel really sorry for those who were forced to learn it the hard way, but don't tell me you weren't warned years in advance. However.


— The end of compliance-driven security is now official. Petya is not impressed with your ISO27K certificate. Nor does it give a flying fsck about your recent audit performed by a Big4 company.
— Make prevention great again (in the detection-dominated world we live in now)! Too busy playing with your all-new AI-driven deep learning UEBA box? Oops, your homework comes first. Get patched, enable SMB signing, check your account privileges and do the other boring stuff, and then you may play.

Did I say BCP and business process maturity? Forget that, I was kidding, hahaha. That's for grown-ups.
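The «boring stuff» can be checked rather than argued about. Below is an added example (my code, not the post's) that audits the three items named above that can be read directly off a Windows host: SMB signing required on the server and client side, SMBv1 disabled, and an MS17-010 package present. It assumes the documented LanmanServer/LanmanWorkstation registry parameters, the package IDs from Microsoft's MS17-010 bulletin (later rollups and cumulative updates supersede them, so a miss is a prompt to look closer, not proof of an unpatched host), and Get-HotFix invoked through PowerShell for the installed-update list. The assessment itself is a pure function over those values so it can be exercised anywhere; the collection helpers run only on Windows.

```python
"""Added example (not the post's code): audit the pre-Petya basics on a Windows host.

Assumptions, labelled here and in comments:
  * SMB signing and SMBv1 state are read from the documented LanmanServer /
    LanmanWorkstation registry parameters; an absent value means the OS default.
  * MS17_010_KBS holds the package IDs from the MS17-010 bulletin (March 2017).
    Later monthly rollups / cumulative updates supersede them, so "no listed KB"
    is a prompt to verify, not proof the host is unpatched.
  * Installed hotfixes are taken from Get-HotFix, invoked through PowerShell.
"""
import platform
import subprocess
from typing import Dict, List, Optional, Set, Tuple

Setting = Tuple[str, str]  # (subkey under HKLM\SYSTEM\CurrentControlSet\Services, value name)

# (subkey, value name, required DWORD value)
SMB_SETTINGS: List[Tuple[str, str, int]] = [
    (r"LanmanServer\Parameters", "RequireSecuritySignature", 1),       # server requires signing
    (r"LanmanWorkstation\Parameters", "RequireSecuritySignature", 1),  # client requires signing
    (r"LanmanServer\Parameters", "SMB1", 0),                           # SMBv1 server disabled
]

# MS17-010 package IDs by OS family, per the bulletin (assumed: a first-pass list, not exhaustive).
MS17_010_KBS: Set[str] = {
    "KB4012598",                            # XP / Server 2003 / Vista / Server 2008
    "KB4012212", "KB4012215",               # Windows 7 / Server 2008 R2 (security-only / rollup)
    "KB4012214", "KB4012217",               # Server 2012
    "KB4012213", "KB4012216",               # Windows 8.1 / Server 2012 R2
    "KB4012606", "KB4013198", "KB4013429",  # Windows 10 1507 / 1511 / 1607
}


def assess(smb: Dict[Setting, Optional[int]], hotfixes: Set[str]) -> List[str]:
    """Pure check: one finding per failed control, empty list when everything passes."""
    findings: List[str] = []
    for subkey, name, required in SMB_SETTINGS:
        actual = smb.get((subkey, name))
        # A missing value means the OS default. On the Windows generations Petya hit,
        # that default is "signing not required" and "SMBv1 enabled", i.e. the bad case.
        if actual != required:
            findings.append(f"{subkey}\\{name} is {actual!r}, expected {required}")
    if not hotfixes & MS17_010_KBS:
        findings.append("no MS17-010 package ID in Get-HotFix output; "
                        "verify the host carries a post-March-2017 rollup")
    return findings


def read_smb_settings() -> Dict[Setting, Optional[int]]:
    """Read the registry values above (Windows only; None when key or value is absent)."""
    import winreg  # standard library, available only on Windows
    base = r"SYSTEM\CurrentControlSet\Services"
    out: Dict[Setting, Optional[int]] = {}
    for subkey, name, _ in SMB_SETTINGS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{base}\\{subkey}") as key:
                out[(subkey, name)] = int(winreg.QueryValueEx(key, name)[0])
        except OSError:  # key or value not present
            out[(subkey, name)] = None
    return out


def installed_hotfixes() -> Set[str]:
    """Collect HotFixID values through PowerShell's Get-HotFix."""
    proc = subprocess.run(
        ["powershell", "-NoProfile", "-Command",
         "Get-HotFix | Select-Object -ExpandProperty HotFixID"],
        capture_output=True, text=True, check=True,
    )
    return {line.strip() for line in proc.stdout.splitlines() if line.strip()}


if __name__ == "__main__":
    if platform.system() != "Windows":
        raise SystemExit("run this on the Windows host you want to audit")
    for finding in assess(read_smb_settings(), installed_hotfixes()) or ["all listed controls pass"]:
        print(finding)
```

Run it as an administrator on each file server before spending on anything with a dashboard; an empty result covers only the three controls listed, and the account-privilege review the post also asks for is not something a registry read can settle.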

On The Banishment Of Cash (part1)

I am failing to understand four simple things:
why do people always fail to know the limits of their individual reach?
why do people always believe everything authorities say?
why do people always think «it won't happen to us»?
why do people always prefer to lose everything in order to save a part?

All four shine and glitter as they intricately weave into the topic of «cash vs plastic» (keep them in mind while reading).

It has become a popular fad to use «plastic» instead of cash… and, as usual, people are completely unaware of the dangers of this fad. For some reason they think that «plastic» is somewhat equivalent to cash: NOT EVEN REMOTELY!

The most important issue is (as usual) the simplest one and (as usual) the most ignored one: WHO COMMITS A TRANSACTION? You come to a store for a loaf of bread, you pay for it and take it away. Are you sure it was you who paid for it? I am sure, because I always use cash. When I give a banknote to a cashier I physically commit the transaction; this is MY FINAL SAY. When you type your PIN, you MERELY ASK a bank to commit the transaction for you. At the end of the day it is the bank's decision whether you are going to have this loaf of bread or not. Think about it for once! The bread you are having now is not the result of free trade between you and a baker, it is an act of free will by an (undoubtedly honest) third party. The bank decided of its own volition to allow you to have this bread, and it can just as easily decide to starve you at any time.

And when I am speaking about bread, I literally mean bread. It is a common practice in Ukraine and Russia to freeze («arrest», in the local legal term) the bank accounts of family members of political dissidents, thus rendering them incapable of engaging in any trade, i.e. of buying bread. When you are under police investigation for political reasons, you are offered a choice: your family will starve unless you confess that you were digging a tunnel under the Kremlin with the premeditated goal of assassinating the dear comrade Stalin. The most famous application of this tactic is the Ruslan Kotsaba case; his wife and kids only survived thanks to a public campaign (launched by the defence attorney) encouraging people to trade with the wife for cash (she is a pastry chef).

But of course! It cannot happen to you! No way! (Ask The Lighthouse Project what methods courts and prosecutors in the USA and Canada employ to exert pressure on the falsely accused.)

The banks do not bother with breaching your security; they have taken away your agency altogether.


(to be continued)

Any sales pitch mentioning WannaCry is a scam.

snake oil
To suffer significant damage from WannaCry, you need to craft a redundant clusterfuck of FIVE SIMULTANEOUSLY MET conditions:

  1. Failure to learn from previous cases (remember Conficker? It was pretty much the same thing)
  2. Workflow process failure (why do you need those file shares at all?)
  3. Basic business continuity management process failure (where are your backups?)
  4. Patch management process failure (to miss an almost two-month-old critical patch?)
  5. Basic threat intelligence and situational awareness failure (not like in «use a fancy IPS with IoC feed and dashboard with world map on it», more like «read several top security-related articles in non-technical media at least weekly»)

And after you have won the bingo, you expect you can BUY something that will defeat such an ultimate ability to screw up? Duh.

An Open Letter To Mr. Thunderf00t, The YouTube Physicist In Chief For Debunking Bad Science

Dear Mr. Thunderf00t, recently you published a series of videos about melting gold in strange contraptions (or, one might say, «stupid setups»). This series culminated in the episode called «Will Burning Diamond Melt Gold?». I quote:
Gold melts at 1064 C, Diamond burns at 2700 C — this should be enough to melt gold, will a diamond melt gold?
Then you put a ~0.25 g diamond on a 1 g gold coin, ignited the diamond in a pure oxygen atmosphere and waited for the diamond to burn a hole in the coin. The diamond burned happily to ashes and the coin remained intact.

This «failure» confused you and your audience alike:
How so?! It burnt so HOOOOOOOT! and melted nothing...

Spoiler alert: ENERGY TRANSFER.

Given that a few days before you had successfully melted a bead of gold placed in a cavity inside a burning graphite block (what a surprise that this contraption worked!), your confusion is legitimately cringeworthy.

FUCKING SHAME!!!

I want you to understand the magnitude of this shame. Mr. Thunderf00t is not merely an official scientist, as many imbeciles are; he has a real discovery in his portfolio, an achievement that Stephen Hawking's portfolio lacks. Mr. Thunderf00t is a real scientist, not a cosmologist or something; he knows his science and he is capable of conducting meaningful experiments. A man of this qualification was led astray by the notion of temperature. So far astray that the laymen of ancient Egypt would laugh at his «gold melting» contraptions, so obviously do they go against even the most basic common-sense understanding of thermodynamics that humans have had for 10 000 years… 20 000? Once again, pay attention: a credible scientist forgot to calculate the energy balance of his experiment before burning real diamonds.

I therefore propose to remove the notion of temperature from the middle-school physics curriculum, for it is overwhelmingly confusing and only marginally useful.



P.S.
Make a fun experiment:
calculate «the temperature» of a 10 GeV proton, say X (note the number of zeroes in the result),
and then ask a patented physicist: will a proton heated up to X degrees Celsius melt a hole in a thin gold foil?

An open letter to Mr. John Kelly, the Homeland Security Secretary

Dear Mr. Kelly,
do you realize that you lose the ability to attribute a suspect's social media account to the said suspect immediately after obtaining the password to the said account?
Once you own the password, the account is attributed to YOU, shithead, thus rendering all your claims about the suspect's alleged activity associated with the account not worth considering.

Resign immediately! You know _NOTHING_ about security or elementary logic; you are utterly unqualified for the position of Homeland Security Secretary.

Internet Works!

First came Brexit, then Trump, now the Italian referendum has happened… and Jean-Claude Juncker is calling for EU leaders to infringe on the people's right to vote. This is the first manifestation of the Internet working as an information system for the people.

LADIES AND GENTLEMEN, INTERNET WORKS! (wikileaks be upon him)