Swedish Lemon Angels

Posted by michael on Fri Oct 06, 2000 12:10 AM
from the social-engineering dept.
slaytanic killer writes: "Bruce Schneier addresses the "Third Wave of Computer Attacks" in a recent ZDnet article. Another step in his evolution towards looking at the human side of computer weaknesses; analyzing the dangers which come into life when humans translate syntax into meaning. Complete with links at the bottom about rigorous military analysis and Penn&Teller's exploding Swedish Lemon Angels."
This discussion has been archived. No new comments can be posted.
  • by bellings (137948) on Thursday October 05 2000, @11:07PM (#727338)
    Recipe: SWEDISH LEMON ANGELS
    • 1 egg
    • 1/2 cup buttermilk
    • 5 tsp. baking soda
    • 1/2 tsp. vanilla
    • 1 cup lemon juice
    • 1 and 1/4 cups sugar
    • 1 cup flour
    • 3/4 cup sugar
    • 8 tbs. melted butter
    Preheat oven to 375 degrees.
    1. In a small bowl beat egg until foamy.
    2. Add the buttermilk and the vanilla and blend well.
    3. Add the baking soda, one teaspoon at a time, sprinkling it in and beating until it is smooth.
    4. Add the lemon juice all at once and blend into the mixture.
    5. Scoop the mixture out of the bowl using a spatula and spread onto a floured surface.
    6. Sift the flour and the sugar and work it into the mixture using your fingertips.
    7. With a floured rolling pin, roll the dough out 1/32" thick, and with the tip of a sharp knife, cut out "angel" shapes and sprinkle on some sugar.
    8. Brush with butter.
    9. Place on ungreased baking sheet and bake for 12 minutes or until the edges curl up.
    10. Let cool and serve.
    For anyone who somehow managed to miss kitchen chemistry as a kid, these are going to blooey right around step 4. Fun.
  • Hmph. (Score:3)

    by 2RockStars (81005) on Thursday October 05 2000, @07:21PM (#727350) Homepage
    Seems like Slashdot itself is responsible for a number of "Third Wave" attacks... and at the same time, is a perfect vector for a third-party Third Wave...

    Too lazy to look up examples - fire away...
  • by Twid (67847) on Thursday October 05 2000, @07:38PM (#727351) Homepage
    I realize that Bruce needs to structure some sort of narrative around his article, but this "third wave" of "semantic hacking" is hardly new.

    The attack on Internet Wire was just an insider abusing the system. It's been going on for quite a while, and shame on Internet Wire for having lax enough security that an ex-employee could abuse the system. Social Engineering has also been a common practice for years: call the helpdesk from the CEO's phone and demand that your password be reset. Easy stuff, old practices. In fact, social engineering, manipulation of the press, and misleading the public are practices that predate the internet by a few thousand years:

    "What of this again, that these people are experts in flattery, and will commend the talk of an illiterate, or the beauty of a deformed, friend, and compare the scraggy neck of some weakling to the brawny throat of Hercules when holding up Antaeus[12] high above the earth; or go into ecstasies over a squeaky voice not more melodious than that of a cock when he pecks his spouse the hen? We, no doubt, can praise the same things that they do; but what they say is believed."
    - Juvenal's Satires [fordham.edu]

    What's new is that the interconnectedness of the internet community is allowing these practices to migrate to the internet in powerful ways. At least one person believes that this is cause for deep optimism: [hyperorg.com]

    "All the bad things we hear about the Web are true. There really are people online who'd like to lure our children into shadows. There really are hucksters who'll steal not only your money but your identity. There really are people who'll take pictures of you in a public bathroom and publish the pictures to the world. Every human vice we can imagine finds its way onto the Web, which seems to spur the world's most lurid imaginations even further. But the reason for this should be a cause for optimism."

    You can check the article out yourself for more, but I agree with the premise. The internet continuing to mirror the "real" world is generally a good thing, and the "forces of good" can harness those powers as well as the "forces of evil".

    Noam Chomsky has worried quite a bit about the power of centralized press. [weeklywire.com]

    "Chomsky's central belief is that propaganda plays the same role in a democracy as violence plays in a dictatorship.
    In the United States, therefore, you need to be less afraid of the National Guard and more afraid of the manipulation of information by governmental, corporate and academic sources. According to Chomsky, the elites who control and benefit from the American political system preserve that system by marginalizing alternative political views, selectively reporting on the consequences of United States foreign policy, and creating political apathy among the general populace by encouraging them to watch professional sports and TV sitcoms rather than actively participate in the political process."

    Bruce Schneier should be less worried about manipulation of public news outlets, stock prices, and the economy by hackers, and more worried about the manipulation of public opinion by corporations and governments. Hackers, by showing people how easy it is to have their opinions manipulated, actually serve a positive purpose. I'm not saying I endorse the Internet Wire hack, real people lost money and that's not good. But, creative hacks, the "jam the WTO" movement in Seattle, cool sites like The Onion [theonion.com] and Adbusters [adbusters.org] are all great ways to wake up an uninterested, uninvolved public.

    - Twid

  • by levik (52444) on Thursday October 05 2000, @07:26PM (#727352) Homepage
    Full frontal assault by lawyers. Of all the network attack methods, this is the most slow and painful one. It is immediately obvious, yet nearly impossible to protect yourself against (unless you own a patent for something everyone and their dog already does).

    Beware the LOTR (Lawyers On The Rampage) attacks. The perpetrators of these attacks seem to be hitting small to medium sites all over the internet, in a seemingly random pattern.

  • by jjeffries (17675) on Thursday October 05 2000, @07:27PM (#727354)
    In the Year 2000, all war will consist of... forged emails!

    From: president@whitehouse.gov
    To: The People of the United States of America

    My fellow Americans,

    I hereby forfeit all American land and assets to the Republic of Iraq. May Allah forgive us for our past evils.

    Signed,
    Saddam^H^H^H^H^H^HBill Clinton

  • Woah. (Score:3)

    by DrEldarion (114072) on Thursday October 05 2000, @07:44PM (#727355)
    Swedish Lemon Angels

    That sounds like it would be the title of a corny pr0n video...

    -- Dr. Eldarion --
  • by muldrake (171275) on Thursday October 05 2000, @07:36PM (#727356) Homepage Journal
    Remember the strip where Oliver Wendell Jones hacked the ticker at the NYSE to say "Avast ye scurvy dogs, Bank of America is about to go belly up!"

    That's the most obvious use of this, and it appears that in this case, even a pathetically crude and transparent fraud managed to cause significant damage, though it appears they caught the perp.

    Even a teenager has been able to pull off a scam of this sort. This article [thestandard.com] in The Standard [thestandard.com] has the story of a teenager caught manipulating stock prices, who was ordered to pay back his illegal profits after he got caught.

    Now this is an inexperienced kid, and another idiot who apparently made his transactions transparently obvious and got caught. We only hear about the ones who get caught, and I highly doubt these guys are the only ones doing it. They're just the only ones dumb enough to make it so transparent.

  • by matrim99 (123693) on Thursday October 05 2000, @07:49PM (#727359) Homepage
    These two trends -- the ability to force information past controls, and the ability to create false information -- work both with and against each other. People tend to believe what they want to believe (or what others they fear or respect want them to believe). Contrary reports can be easily discounted, particularly as people come to understand how easy faking a video can be. The same technologies that let people freely experience the world are those that allow people to deny its reality. The resulting cynicism works in favor of people trusting only the information generated by their own village -- not the globe as a whole. Reality is not universally validated but personally validated based on networks of trust.

    I never really thought of this before, but this explains a lot of the online behavior and attitudes we see every day, even on /.

    No matter how much information is out there, it is rare that people will look outside of their familiar haunts and find information that they truly trust that they disagree with.

  • by Johnath (85825) on Thursday October 05 2000, @07:51PM (#727360) Homepage
    It seems to me that Schneier's idea of semantic attacks as a new, third generation attack is a little overstated - what is a semantic attack but a natural progression out of social engineering?

    I suppose the distinction, if one is to be made, is that in the past, social engineering was a means to an end - you would use your 'leet SE skillz to get a private dialup number, or access to a machine - whereas semantic attacks tend to be ends in themselves.

    Nevertheless, the distinction feels somewhat contrived, and moreover, anyone who's read books like Sterling's The Hacker Crackdown (or anyone who knows their computer history, for that matter) knows that SE has been a big part of these attacks since the beginning: obtaining access to university systems, obtaining AT&T technical docs - SE is what armed people to commit the physical and syntactic attacks he mentions.

    His pessimism about their severity is striking too - sure people online don't verify their sources as well as they should - but a) they've for the most part not known how, and moreover b) the media's been doing this for at least the last century without civilization grinding to a halt.

    Semantic attacks against humans rely on gullibility or sometimes in the case of the internet, technical ignorance - but with digital signatures coming into fashion, it may not be long before grandma's email program tells her when a signature is invalid, and when grandma herself knows not to trust unsigned mail. And the idea of semantic attacks against computers, through feeding them bad data, is really about spamming search engines, and trying to overflow buffers, which are neither new nor noteworthy.

    I know Schneier has gradually become more skeptical about the ability of people, especially online, to take care of themselves - and in many cases, he has good reason to. But having said that, I do feel that the picture he paints is a little too bleak.

  • by ltcordelia (116425) on Friday October 06 2000, @01:18AM (#727365)
    I respectfully disagree with both your primary and secondary points.

    First off, while Social Engineering has been a tool of good penetration experts for some time, that is all it has been - a tool. The purpose of the use of SE was to gain access to a network. What Bruce is describing is not necessarily a new idea in the real world (look at the World War II counterintelligence operations), it is a (relatively) new concept in information attack, and one that has been primarily the domain of government agencies. Rather than manipulating a person to gain access to a system, the point is to gain access to a system in order to manipulate a person. Or, in the case of the Emulex fraud, many persons.

    As to the tired rant telling Schneier to worry more about government and less about hackers, this is a pretty tired saw. Believe it or not, there *are* black hats out there. The only way to adequately defend against them is to educate their targets - like the helpdesk worker who will freely change the CEO's password.

    Mind you, I'm not saying that governments and corporations are blameless; rather that disregarding the hackers is not a reasonable (or money-making) option.


    Information wants to be free

  • by Zagadka (6641) <zagadka AT xenomachina DOT com> on Thursday October 05 2000, @08:28PM (#727379) Homepage
    ...but I can't eat them anymore. They give me gas.
  • by MSG (12810) on Thursday October 05 2000, @08:36PM (#727381)
    Computers are easy to fix in comparison to humans. Computers accept any given set of instructions we see fit to give them, and they execute those instructions exactly, every time. When there's a problem in the instructions, we can give the computer a new set to fix the problem.

    Humans don't WANT to be fixed. Humans don't even want to admit that they're broken. About 3 1/2 years ago, my mother was driving around a curve with my younger brother in the car when she was struck by an elderly woman nearly head on. Her car was demolished, and she was badly injured herself. (My younger brother was not.) Even after the physical therapy, she will suffer pain every day for the rest of her life. The elderly woman couldn't see well enough to see the bend in the road, or even my mother's car. She was for all intents and purposes blind, and a terrible danger to everyone on the road. Any responsible person would know that they should not drive in that condition, but people are frequently NOT RESPONSIBLE. Given the choice between safe and convenient, the woman chose convenience.

    Could this problem have been prevented? Can it be fixed? Sure! First, however, someone has to admit that there is a problem. Then people would have to implement more frequent checks and more rigid requirements for the license to drive.

    People don't want to go out of their way for safety or correctness. They don't want to learn good practice. They want convenience, and they want fast results. That will probably always be the case. As long as it is, those people will be the biggest source of trouble, computer related or not.
  • by woogie (18354) on Friday October 06 2000, @02:46AM (#727383) Homepage
    Does anyone else remember the war that went on in the late 80s between talk.bizarre and alt.tv.tinytoons? It all started when someone from alt.tv.tinytoons started cross posting his fan fiction to talk.bizarre. No one in talk.bizarre liked it, and told him to stop. He didn't. Things got increasingly heated, and eventually others from alt.tv.tinytoons came to his defense. This really infuriated those on talk.bizarre, and someone took it upon themselves to declare war on alt.tv.tinytoons. They did this by posting inflammatory messages in various newsgroups, and setting the followup-to header to alt.tv.tinytoons. The only message I specifically remember was to soc.culture.islam and used the word towelhead. Anyway, with less than 1/4 of the messages on alt.tv.tinytoons having any relevance, it wasn't long before there were no messages about Tiny Toons on talk.bizarre.

    Woogie