twat – A cli for posting to twitter

Posted on August 27, 2011 by richo

I released today the first alpha of my CLI twitter application, twat.

If you use rubygems you can install it with `gem install twat`, else you can clone it from my github repo at Twat.

Configuration is reasonably simple,

Do a

twat -a [twitter username|nickname]

Then follow the instructions, then you can tweet with

twat -n [username|nickname]

but bear in mind that you’ll need to escape any metacharacters that your shell tries to tweak.

I’m not convinced that the OAuth implementation is secure, but while they explicitly say not to do what I’ve done, I also don’t see an alternative. Feedback greatly appreciated though.

Posted in Articles, psych0tik software | Tagged , , , , | Leave a comment

Singularity Summit AU11 wrapup

Posted on August 24, 2011 by richo

Australia’s second Singularity Summit was a roaring success, with fascinating talks delivered over the weekend and from what I’m hearing, more fantastic talks in the days after and leading up to the conference itself which sadly I wasn’t able to attend.

Unfortunately my phone was on the fritz for the whole con (hence my utter failure to deliver the rabid tweeting I promised) but I’ve tried to track down a few relevant pics, and all things going to plan should get hold of a few photos from fellow attendees.

Opening the talks was James Newton-Taylor with a retrospective look at what we’ve done to bring us this far, highlighting advances in nano technology, and a comparison between the speed of current supercomputers, and where we expect the human brain falls on the same scale. One thing I was not aware of before his talk was that 3d printing has developed far enough to facilitate printing articulated parts, he passed a functional chain such as that you’d find on a motorcycle through the audience that had been printed layer by layer.

So what is AI? The primary distinction made at the conference was between so called “Narrow AI” and an Artificial General Intelligence (AGI). The former is capable of making rational decisions based on experience, but is limited to one field of experience that is solidly hardcoded into it’s existance, with limited or non-existant ability to apply that experience to other similar problems. The example Goertzel used was Google’s adsense product, which impressively matches up ads to relevant webpages based on their content, but is incapable of placing a radio ad.

Hugo de Garis delivered his views on the consequences to humanity of creating the first AGI, in which he predicts a distopian future consisting mainly of faction war between the terrans (Those who resist AI) and the cosmists, who embrace it potentially in the form of augmentation; becoming cyborgs. His stance is in stark contrast to Ray Kurzveil who he mentioned numerous times, who’s belief is that with 10 years of dedication humanity could achieve a human level AGI.

Stelarc gave a fascinating speech from the perspective of an artist, which I hadn’t given much thought to until then. Once you remove pragmatism and explicitly working toward a tangible goal from your utility function (more on that later) a new world of opportunity is opened, although much of his work will become relevant in the next century as the seperation between consciousness and form becomes more defined. Stelarc’s presentation focused around the works he has created, generally using himself as the subject matter, and in most cases centered on the seperation of body and consciousness. From an artistic standpoint, setting up his body as a conduit by allowing it to be controlled remotely via an elaborate series of electrodes atached to speifc muscle groups makes for fascinating works, but for a scientist it opens a new world of possibility, as far as potentially giving us the technmology to grant a virtual life form physical presence. It would be hugely remiss of me not to show you one of the brilliant things I’ve seen in my time: The ear on his arm

Image credit stelarc.org

Hearing from, and speaking to Ben Goertzel was downright inspiring. Ben is working on- amongst other things- Opencog; an open source framework that he hopes will produce human level AGI within his lifetime (Although that may not be as optimistic as you think- he is also doing significant research into retroactively increasing human lifespan using narrow AI). I have since checked out Opencog and experimented with it, much of it goes over my head for the time being, but what I have seen is incredible.

Definitely one of my highlights were hearing from Steve Omohundro, who having done some research on since has been massively influencial on the IT environment we exist in now. Steve discussed the semantics, and potentially implications of expressing an AI’s goal to it in uncertain terms. At this time, most AI models revolve around a utility function to describe how desirable any given choice or action might be. Without wanting to regurgitate his speech, I thought his example was good enough to warrant posting here.

Imagine if you will an AI created specifically to play chess, and to play it well. Therefore, it’s utility function might be described as being “The sum total of difficulty ratings of oponents defeated”, which at face value is a safe proposition.

However, by virtue of extrapolation we can see that it could be taken out of context. Imagine that we want to turn off the machine, having conducted our research. Being switched off logically implies that the machine is not playing any chess, and so it will resist being turned off.

If the program can appropriate more resources, then it’s ability to play more chess/beat harder opponents is increased, so it will try to get more resources.

If the automation can replicate, then it can multiply it’s ability to defeat challenging opponents, so therefore it should produce likenesses of itself.

Assuming finite capabilities, doing things that aren’t playing chess impliess doing fewer things that /are/ playing chess- for this reason it should resist changing it’s goals.

Better algorithms would make the machine better at chess, and so logically it should attempt to improve its own code.

What seemed like a benign goal at first can easily be bent into something quite concerning, and while there’s no “exterminate all humans” directives emerging obviously, it’s not inconcievable that removing poor chess players from the gene pool would allow it to play more and better chess in future generations.

His view on the countermeasures to this were an increasingly “moral” codebase, beginning in the first generations of intelligent machine with hardware controls, but moving rapidly towards a conciousness with imbued values and a concept of ethics.

David Chalmers spoke about the philosophical implications of creating an artificial consciousness, and also about how the opens up the possibility that the world we live in is actually a simulation, although practically this affects nothing as unless we intended to ‘break out’ it shouldn’t alter our decision making at all.

Lawrence Krauss concluded the conference on Sunday night with an engrossing discussion of the nature itself, explaining some research that have proven to 99% certainty that the universe is flat, and vindicating people such as myself that despite having no solid understanding to base it on, didn’t buy into string theory as a great unifying theory of the universe. He also described how our universe has a total processing capacity of at most 10^24 bits, which if Moore’s law holds, is 400 years.

I transcribed pages of notes from the talks, but as I believe the talks themselves should be available as video (as well as the slides etc, that the speakers used) I would much rather give a brief overview and my thoughts to anyone considering going next year. Overral, a successful summit and I’d like to extend my sincerest congratulations to Adam, the speakers, and all those who made it possible.





Posted in Reviews | Tagged , , , | Leave a comment

Panda Hacktop

Posted on August 16, 2011 by richo

This is by no means a new mod ( http://www.applemacbook.com/mods/5-keyboard-mods-for-the-undecided-macbook-owner ), but it’s new to me.

Enough with the words, on with the pichas:

The matrix thing running is https://github.com/richo/matrix , but also very buggy.

Posted in Guides, Hax | Tagged , , , | Leave a comment

Grub Embedding, blocklists and bios_grub partitions

Posted on August 16, 2011 by richo

This has tripped me up so many times, and the parted invocation needed to fix it is hard to find on google.

The issue is that with GPT, grub won’t have room to embed all of it’s needed files, leading to an unbootable system. The solution is to create a small (1meg is plenty) partition and mark it as space that grub can use.

So here it is:

# parted [block device] set [partition no, from 1] bios_grub on

Posted in Reminder | Tagged , , , , | Leave a comment

countkeys

Posted on August 15, 2011 by richo

Overcome by a compulsive need to know how many keys I type daily, I forked [LogKeys](http://code.google.com/p/logkeys/) and created countkeys, which is essentially a keylogger that just counts instead of logging.

Countkeys supports all the same features (running as a daemon, which will create logs showing all keys typed for a given session, specific device logging, etc) but also supports foreground mode which provides more instant gratification.

You can get it from my apt repo ( deb http://packages.psych0tik.net/apt/ sid main contrib non-free ) for i386 and amd64, or the source is available at https://github.com/richoH/countkeys

The current release 0.2 still includes the bulk of logkeys documentation, I should have 0.3 out in the next 48 hours or so.

Posted in Articles, psych0tik software | Tagged , , , | Leave a comment

Security in extremely hostile environments

Posted on August 13, 2011 by samurai

The Defcon network (and pretty much all internet sources within a few miles of that hotel) are probably among the most dangerous environments you can drop a piece of technology into.   This year proved that point more over with Lulzsec and Anonymous attacking CDMA along with spawning rouge access points[0] and rooting a number of people who should have been “security savvy.”  While common sense is still a large part of your security in these environments (accepting Java updates at Defcon? really?), this does provide an interesting use case for networks that you can’t trust ANYTHING on.  As a veteran con-goer, I’ve adapted a few techniques to help me handle such environments.  These methods could easily be used anytime you travel or are planning to be on particularly hostile networks.  Most of this is focused around the idea of having access only to those dangerous networks, while still being able to go about your regular business as much as possible.

First and foremost when considering security in these highly volatile environments you need to operate under the assumption that anything you bring with you is going to be compromised.  Each year I completely wipe my netbook, install a fresh operating system, and then migrate over any files (often requiring some redaction) that I need to have a “working OS.”  I’ll also copy over any media that I might want to entertain myself in the event that I cannot find a viable source of internet.  I use this machine for any internet connections I need as well as to mount questionable media.  In previous years, I’ve also brought work laptops and simply not connected them to anything, but as my paranoia grows things like the “evil maid attack”[1] make me question even physically having data in that environment.  With a box that has no personal data and no real value (outside of the hardware), you can also have a bit more fun by running a honeypot and some form of packet capture safely, possibly resulting in some really fun new intel.

The next big item on my list is access to my personal email.  While I don’t usually receive highly critical or sensitive mails, I do use that email as the recovery for a variety of other services.  Additionally, the account is a number of years old and contains archives of many mails that I don’t feel like sorting through to find any data leakage (I really hate mailing lists that email you your password monthly…)  To overcome this obstacle, I created a new email address and told my old account to forward all new mails to this account.  This let me receive any new mails that I might need to address quickly through a different user/password combination, protecting my original account.  Since we’re operating under the mindset that anything we use will be compromised, it also limits the value of that compromise by containing only new mails and not being connected to any other accounts.  Finally, if the account is compromised, it’s easy to disable all use of it as the forwarding is controlled by a separate account and password.

The other side of the email coin is having an account to give to people who you don’t necessarily trust (or want to know your primary address.)  Using your mail-forward account can work for this too.  Creating this account with a name not-related to your primary account or handle also allows you to keep people from Google’ing for more information on you, ultimately protecting your privacy and anonymity.

Another thing I don’t like to leave home without is a shell account somewhere, usually on my home server, but in this case that won’t work.  Environments like Defcon are more hostile than the regular internet partly because you become a more obvious target, so connecting back to your server may be seen/sniffed and would then be somewhat included in that increased hostility bubble.  To cover this base, I typically use Bshellz.[2]  They provide easy, disposable shells that offer my usual needs (ssh, irc) as well as some slightly more advanced things like web server and database.  The only downside I’ve found with Bshellz is they block random processes from connecting to the internet, so running ii or nmap from them isn’t really an option.

All those usual things you do to secure your computer (antivirus, firewall, browser plugins, common sense) should be installed and configured on their strictest settings.  Ideally, you won’t be in this environment for extended periods of time (more than the length of the con or trip), so having a few extra clicks to convince NoScript and RequestPolicy[3] to render web pages properly won’t be an on-going time-sink.  Purposely not installing more vulnerable tools, like Flash, can also help reduce your attack surface and going a few days without YouTube really isn’t _that_ bad (tho I did get the shakes on day 3.)

In environments where everything is suspect, the name of the game is data partitioning.  Don’t connect to accounts you don’t want to be compromised, don’t bring data you wouldn’t want leaked, and don’t assume that noone is looking.  Most of the techniques listed in this article focus either on separating sensitive information or preemptively setting up controls to mitigate any form of compromise.  At the end of the day, a determined attacker will almost always win, so being prepared to handle a loss should be part of your strategy.

References:

[0] http://seclists.org/fulldisclosure/2011/Aug/76

[1] https://www.schneier.com/blog/…/2009/10/evil_maid_attac.html

[2] http://www.bshellz.net/?page_id=41

[3] https://www.requestpolicy.com/

Posted in Articles | Tagged , , , , , | Leave a comment