
Thursday 11th March 2021

Here's some of what you missed in the discussion at 'The Thirsty Robot':


Technical Musings:

Vulnerable to attack...

We started by talking about how to practice penetration testing - the art of seeing if a web-site (or network, or cloud server, or...) has any virtual 'open door' or probably more likely: 'doors accidentally left slightly ajar'. As always, it was noted that trying out techniques on other people's sites requires their permission, but we did gather some links to places which are designed to be tested:

Vulnerable web-sites:

https://securitytrails.com/blog/vulnerable-websites-for-penetration-testing

https://resources.infosecinstitute.com/topic/top-5-deliberately-vulnerable-web-applications-to-practice-your-skills-on/

https://dst.com.ng/15-vulnerable-sites-legally-practice-hacking-skills/

And some vulnerable applications:

https://owasp.org/www-project-vulnerable-web-applications-directory/

https://github.com/OWASP/OWASP-VWAD

https://resources.infosecinstitute.com/topic/vulnerable-web-apps-from-owasp-and-others/

Photo of a spider's web in a window
Photo by Maxime Guy on Unsplash


Some web-sites are devoted to 'game-ified' competitive hacking of vulnerable web-sites etc. One notable example is: https://www.hackthebox.eu/, but there are many others that approach the topic from academic or commercial angles, etc.:

https://www.whatuni.com/degree-courses/search?subject=ethical-hacking 

https://www.hackerone.com/for-hackers/start-hacking 

HackTheBox led to 'Black Box Insurance' https://www.confused.com/car-insurance/black-box which then led to:


Spurious correlations...

The conversation drifted to the way that the media likes to present linkages that aren't real - but merely suggested by shapes or trends of data / graphs / plots / charts.... A trivial example is the number of people who tend to be left still talking at The Thirsty Robot at the end (three!) which just happens to be the same number of medals as are awarded for a sport at many athletic events - there just has to be a connection, yes? Actually, no. These are two unconnected, uncorrelated things which just happen to share a common feature (three). The generic word for these is 'Spurious Correlations', and there's an excellent book, and web-site:

http://www.tylervigen.com/spurious-correlations

The usual headline for this topic is:


'Correlation does not equal causation.'

The problem is that when you are presented with lots of carefully collected, statistically significant, detailed data presented as a graph, with references and academic papers backing it up, and it shows that margarine consumption is connected to the divorce rate, then human minds (wired for finding patterns so that they can comprehend the world...) think 'There's no smoke without fire...' and assume that there's a causal link, and before you know it, public health announcements are imploring people not to eat margarine. (As it happens, margarine is a last-Century, rapidly-going-obsolete word for what is now more commonly called a 'spread', but both are just emulsions of oil and fat in water.) And for clarity: whilst the divorce rate in some places might have a strong correlation with the consumption of spread, they are not connected. Now if you were to try and correlate solicitors' income and the divorce rate...

A lot of insights and examples were shared about how the choice of the dataset could affect the apparent match between two unconnected sets of data, which shows the advantage of having a diverse group of people at The Thirsty Robot. For example, car insurance is most expensive for people who have just passed their driving test, and it seems obvious that inexperience of driving might well affect the ability of young people to anticipate potential threats whilst driving. But if you factor in the number of young people in the car, then it seems that social pressure (aka 'showing off') may be a significant impairment, and the time of day (or night) may affect things too. Even if only two people are in the car, then what happens if they are romantically linked? 

https://hbr.org/2015/06/beware-spurious-correlations - from the Harvard Business Review

https://en.wikipedia.org/wiki/Spurious_relationship - from the BBC news web-site
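Here is an added illustration of the point (not code from the original post, and the figures are constructed, not real consumption or divorce statistics): two series that merely share an upward drift produce a high correlation coefficient, and the simple check a sceptical reader can apply is to correlate the year-on-year changes instead, which strips out the shared trend.

```python
"""Two unrelated series that share an upward trend look correlated;
correlating their year-on-year changes (detrending) makes that vanish.
Added illustration; the numbers are constructed, not real statistics."""
from math import sqrt


def pearson(xs, ys):
    """Pearson correlation coefficient r in [-1, 1] for two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def differences(xs):
    """Year-on-year changes: the series with its overall drift removed."""
    return [later - earlier for earlier, later in zip(xs, xs[1:])]


# Constructed data for ten consecutive years. Both series drift upward; the
# year-to-year wobbles around that drift were chosen to be unrelated.
SPREAD_KG_PER_HEAD = [10.0, 11.3, 11.6, 12.9, 13.2, 14.5, 14.8, 16.1, 16.4, 17.2]
DIVORCES_PER_1000 = [4.0, 4.8, 5.6, 5.4, 5.2, 6.0, 6.8, 6.6, 6.4, 6.7]


def level_correlation():
    """Correlation of the raw series: high, simply because both go up."""
    return pearson(SPREAD_KG_PER_HEAD, DIVORCES_PER_1000)


def detrended_correlation():
    """Correlation of the year-on-year changes: close to zero."""
    return pearson(differences(SPREAD_KG_PER_HEAD),
                   differences(DIVORCES_PER_1000))


if __name__ == "__main__":
    print(f"raw series:     r = {level_correlation():+.2f}")
    print(f"yearly changes: r = {detrended_correlation():+.2f}")
```

The raw series give r of roughly 0.9, the changes give r of roughly 0; the same trick (or picking a different window of years, as the discussion noted) is why the choice of dataset can make or break an apparent match.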

Which took us to Black Boxes or Telematics ( https://www.insurethebox.com/telematics ), which started out as a way to find stolen (and subsequently abandoned) cars, but which became an important way of monitoring behaviour once tachograph functionality was added. It used to be that lorry drivers complained about the 'spy in the cab' that plotted (literally, on a circle of paper) their speed against time - https://en.wikipedia.org/wiki/Tachograph - but now insurance companies will offer favourable premiums if drivers can show that they drive carefully...


Of course, some people will see any technology as an opportunity for hacking, which took the conversation back in a loop to vulnerability testing, this time for Black Boxes... 


Recommended Movies:

The 9th Company (DVD - No streaming available in the UK at this time.)

This film was selected by Russia in 2006 as its candidate for the Academy Award for Best Foreign Language Film nomination.

As usual, we reckon it is best if you don't know anything before watching a film! So only click on a link if you want your experience to be potentially spoiled...


Recommended TV:

Inhuman Resources (On Netflix in the UK)

Corporate twists and turns in a French corporate crime thriller...

https://en.wikipedia.org/wiki/Inhuman_Resources

https://www.netflix.com/title/81019037

Lower Decks (Amazon Prime Video in the UK)

https://www.amazon.co.uk/Star-Trek-Lower-Decks/dp/B08SHVGNJ5

https://en.wikipedia.org/wiki/Star_Trek:_Lower_Decks

Star Trek (and it is canon), but not as you might expect after Discovery and Picard. Instead, this animated series approaches the Federation by looking at the lowest of the ranks. See life below decks on a starship.

A Very Secret Service (On Netflix in the UK)

https://www.netflix.com/title/80097771

https://en.wikipedia.org/wiki/A_Very_Secret_Service

Not at all what it might appear to be at first. The French Secret Service was never like this - or was it? A more than slightly absurd parody that might almost be taken seriously.

Omniscient (On Netflix in the UK)

https://en.wikipedia.org/wiki/Omniscient_(TV_series)

https://www.netflix.com/title/80220334

Exactly the type of security and surveillance series that you expected to find in this blog.


Recommended YouTube:

https://www.everythingisaremix.info/ - A 'classic insight' web-site and videos. If you ever wondered what a formal definition of creativity would look like, then this is for you...


Recommended Software:

https://github.com/mame/quine-relay - Translation from one language to another, to another, to another... It's a standard meme to go back and forth between 2 or 3 languages, but this has a twist - it is for programming languages...

https://www.blackmagicdesign.com/products/davinciresolve/ - DaVinci Resolve is one of those gems that not everyone knows about, rather like Blackmagic Design are to video. DaVinci Resolve is deep: it can be used for serious video editing, but it can also be used to do a lot of 'Photoshop'-style editing of photos, as well as editing audio. What you won't expect is that it is free. Yep - free!


Recommended Circular Reference:

Create a QR code that logs into the QR code reader web-site...  

QR Code for this page

(QR codes are just URLs. But as a general rule, anything that stores a 'login' (User ID, Password) is not a good idea, and is a Security Risk. If it gets into the wild (and QR codes are easy to send...) then it would become a Security Threat...)

And if you ever wondered what happens if you invert the colours on a QR code...

(Does this tell you something about how the QR code is encoded / decoded?)
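As an added illustration of the 'stored login' risk (not code from the original post), here is a small check that a defender could run over the text a QR scanner has already decoded, flagging the payload shapes that carry a credential: a URL with user:password in front of the host, a URL whose query string has a password-like parameter, and the common 'WIFI:' network-key payload. The payloads at the bottom are constructed samples, and the list of secret-looking parameter names is an assumed starting point rather than anything from the page.

```python
"""Flag decoded QR payloads that carry a stored 'login'.
Added illustration (not code from the post). Assumes the scanner hands us
the decoded text; the sample payloads below are constructed."""
from typing import List
from urllib.parse import parse_qs, urlsplit

# Query-string keys that commonly carry a secret. Assumed list; extend as needed.
SECRET_QUERY_KEYS = {"password", "passwd", "pwd", "pass", "token",
                     "apikey", "api_key", "secret"}


def parse_wifi_payload(payload: str) -> dict:
    """Split a 'WIFI:T:WPA;S:ssid;P:key;;' payload into its fields.
    Simplification: escaped semicolons inside values are not handled."""
    body = payload[len("WIFI:"):]
    fields = {}
    for part in body.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return fields


def classify_qr_payload(payload: str) -> List[str]:
    """Return findings for a decoded payload; an empty list means nothing
    credential-like was found."""
    findings: List[str] = []
    text = payload.strip()

    if text.upper().startswith("WIFI:"):
        if parse_wifi_payload(text).get("P"):
            findings.append("wifi-password: network key embedded in payload")
        return findings

    parts = urlsplit(text)
    if parts.scheme in ("http", "https"):
        if parts.username or parts.password:
            findings.append("userinfo: user:password embedded before the host")
        for key in parse_qs(parts.query, keep_blank_values=True):
            if key.lower() in SECRET_QUERY_KEYS:
                findings.append(f"query: secret-looking parameter '{key}'")
        if parts.scheme == "http":
            findings.append("cleartext: http URL, its contents travel unencrypted")
    return findings


# Constructed sample payloads (example.com is a reserved documentation domain).
SAMPLE_PAYLOADS = [
    "https://example.com/page",
    "https://alice:EXAMPLE-PASSWORD@example.com/login",
    "https://example.com/login?user=alice&password=EXAMPLE-PASSWORD",
    "WIFI:T:WPA;S:CafeNet;P:EXAMPLE-KEY;;",
    "http://example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_PAYLOADS:
        print(sample, "->", classify_qr_payload(sample) or ["ok"])
```

Anything that comes back with a finding is a payload you would not want printed on a poster or forwarded in a chat, which is the point made above: a QR code is only as safe as the text it carries.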


OWASP Link:

https://owasp.org/www-chapter-suffolk/

---

A lot of discussion happens at The Thirsty Robot. This blog is an edited, biased summary of just a small fraction of the conversation, links/URLs and references that were mentioned. It is an imperfect record and is definitely not complete - for that you should visit The Thirsty Robot!

---

The next online meeting at The Thirsty Robot is on Thursday 25th March 2021 at 7:30pm GMT.
