Here's some of what you missed in the discussion at 'The Thirsty Robot':
Technical Musings:
Vulnerable to attack...
We started by talking about how to practice penetration testing - the art of seeing if a web-site (or network, or cloud server, or...) has any virtual 'open door' or probably more likely: 'doors accidentally left slightly ajar'. As always, it was noted that trying out techniques on other people's sites requires their permission, but we did gather some links to places which are designed to be tested:
Vulnerable web-sites:
https://securitytrails.com/blog/vulnerable-websites-for-penetration-testing
https://dst.com.ng/15-vulnerable-sites-legally-practice-hacking-skills/
And some vulnerable applications:
https://owasp.org/www-project-vulnerable-web-applications-directory/
https://github.com/OWASP/OWASP-VWAD
https://resources.infosecinstitute.com/topic/vulnerable-web-apps-from-owasp-and-others/
Some web-sites are devoted to 'game-ified' competitive hacking of vulnerable web-sites etc. One notable example is: https://www.hackthebox.eu/, but there are many others that approach the topic from academic or commercial angles, etc.:
https://www.whatuni.com/degree-courses/search?subject=ethical-hacking
https://www.hackerone.com/for-hackers/start-hacking
HackTheBox led to 'Black Box Insurance' https://www.confused.com/car-insurance/black-box which then led to:
Spurious correlations...
The conversation drifted to the way that the media likes to present linkages that aren't real - but merely suggested by shapes or trends of data / graphs / plots / charts.... A trivial example is the number of people who tend to be left still talking at The Thirsty Robot at the end (three!) which just happens to be the same number of medals as are awarded for a sport at many athletic events - there just has to be a connection, yes? Actually, no. These are two unconnected, uncorrelated things which just happen to share a common feature (three). The generic word for these is 'Spurious Correlations', and there's an excellent book, and web-site:
http://www.tylervigen.com/spurious-correlations
The usual headline for this topic is:
'Correlation does not equal causation.'
The problem is that when you are presented with lots of carefully collected, statistically significant, detailed data presented as a graph, with references and academic papers backing it up, then if it shows that margarine consumption is connected to the divorce rate, human minds (wired for finding patterns so that they can comprehend the world...) think 'There's no smoke without fire...' and assume that there's a causal link, and before you know it, public health announcements are imploring people not to eat margarine. (As it happens, margarine is a last-century, rapidly-going-obsolete word for what is now more commonly called a 'spread', but both are just emulsions of oil and fat in water.) And for clarity, whilst the divorce rate in some places might have a strong correlation to the consumption of spread, they are not connected. Now if you were to try and correlate solicitors' income and the divorce rate...
A lot of insights and examples were shared about how the choice of the dataset could affect the apparent match between two unconnected sets of data, which shows the advantage of having a diverse group of people at The Thirsty Robot. For example, car insurance is most expensive for people who have just passed their driving test, and it seems obvious that inexperience of driving might well affect the ability of young people to anticipate potential threats whilst driving. But if you factor in the number of young people in the car, then it seems that social pressure (aka 'showing off') may be a significant impairment, and the time of day (or night) may affect things too. Even if only two people are in the car, then what happens if they are romantically linked?
https://hbr.org/2015/06/beware-spurious-correlations - from the Harvard Business Review
https://en.wikipedia.org/wiki/Spurious_relationship - from the BBC news web-site
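As an added illustration (not part of the original post) of the 'choice of dataset' point above: two constructed series that are unrelated overall show a perfect correlation if you are allowed to pick the window you report. The series names and values are invented for the demonstration.

```python
import math

# Constructed sample data (not from the post): a 10-point series that rises
# then falls (think "spread consumption" index) and one that rises steadily
# (think "divorce rate" index). They are unrelated by construction.
SERIES_A = [1, 2, 3, 4, 5, 4, 3, 2, 1, 0]
SERIES_B = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]


def pearson(xs, ys):
    """Pearson correlation coefficient r for two equal-length sequences."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two sequences of equal length >= 2")
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0  # a constant series has no linear relationship to report
    return cov / math.sqrt(vx * vy)


def best_window(xs, ys, width):
    """Data dredging: slide a window of `width` points over both series and
    return (start, r) for the window with the strongest |r|. This is the
    'choice of dataset' problem: a narrow window can show a near-perfect
    fit between series that are unrelated over their whole length."""
    best = (0, 0.0)
    for start in range(len(xs) - width + 1):
        r = pearson(xs[start:start + width], ys[start:start + width])
        if abs(r) > abs(best[1]):
            best = (start, r)
    return best


if __name__ == "__main__":
    print("whole series r =", round(pearson(SERIES_A, SERIES_B), 3))  # about -0.29
    start, r = best_window(SERIES_A, SERIES_B, 5)
    print(f"best 5-point window starts at {start}: r = {r:.3f}")      # 1.000
```

The whole-series correlation is weak and negative, yet the first five points correlate perfectly (and the last five perfectly negatively); which window gets published decides the headline.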
Which took us to Black Boxes or Telematics (https://www.insurethebox.com/telematics), which started out as a way to find stolen (and subsequently abandoned) cars, but which has become an important way of monitoring behaviour since tachograph functionality was added. It used to be that lorry drivers complained about the 'spy in the cab' that plotted (literally, on a circle of paper) their speed against time - https://en.wikipedia.org/wiki/Tachograph - but now insurance companies will offer favourable premiums if drivers can show that they drive carefully...
Of course, some people will see any technology as an opportunity for hacking, which took the conversation back in a loop to vulnerability testing, this time for Black Boxes...
Recommended Movies:
The 9th Company (DVD - no streaming available in the UK at this time.)
This film was selected by Russia in 2006 as its candidate for the Academy Award for Best Foreign Language Film nomination.
As usual, we reckon it is best if you don't know anything before watching a film! So only click on a link if you want your experience to be potentially spoiled...
Recommended TV:
Inhuman Resources (On Netflix in the UK)
Corporate twists and turns in a French corporate crime thriller...
https://en.wikipedia.org/wiki/Inhuman_Resources
https://www.netflix.com/title/81019037
Lower Decks (Amazon Prime Video in the UK)
https://www.amazon.co.uk/Star-Trek-Lower-Decks/dp/B08SHVGNJ5
https://en.wikipedia.org/wiki/Star_Trek:_Lower_Decks
Star Trek (and it is canon), but not as you might expect after Discovery and Picard. Instead, this animated series approaches the Federation by looking at the lowest of the ranks. See life below decks on a star ship.
A Very Secret Service (On Netflix in the UK)
https://www.netflix.com/title/80097771
https://en.wikipedia.org/wiki/A_Very_Secret_Service
Not at all what it might appear to be at first. The French Secret Service was never like this - or was it? A more than slightly absurd parody that might almost be taken seriously.
Omniscient (On Netflix in the UK)
https://en.wikipedia.org/wiki/Omniscient_(TV_series)
https://www.netflix.com/title/80220334
Exactly the type of security and surveillance series that you expected to find in this blog.
Recommended YouTube:
https://www.everythingisaremix.info/ - A 'classic insight' web-site and videos. If you ever wondered what a formal definition of creativity would look like, then this is for you...
Recommended Software:
https://github.com/mame/quine-relay - Translation from one language to another, to another, to another... It's a standard meme to go back and forth between 2 or 3 languages, but this has a twist - it is for programming languages...
https://www.blackmagicdesign.com/products/davinciresolve/ - DaVinci Resolve is one of those gems that not everyone knows about, rather like Blackmagic Design themselves in the video world. DaVinci Resolve is deep: it can be used for serious video editing, but it can also be used to do a lot of 'Photoshop'-style editing of photos, as well as editing audio. What you won't expect is that it is free. Yep - free!
Recommended Circular Reference:
Create a QR code that logs into the QR code reader web-site...
(QR codes are just URLs. But as a general rule, anything that stores a 'login' (User ID, Password) is not a good idea, and is a Security Risk. If it gets into the wild (and QR codes are easy to send...) then it would become a Security Threat.)
And if you ever wondered what happens if you invert the colours on a QR code...
(Does this tell you something about how the QR code is encoded / decoded?)
OWASP Link:
https://owasp.org/www-chapter-suffolk/
---
A lot of discussion happens at The Thirsty Robot. This blog is an edited, biased summary of just a small fraction of the conversation, links/URLs and references that were mentioned. It is an imperfect record and is definitely not complete - for that you should visit The Thirsty Robot!
---
The next online meeting at The Thirsty Robot is on Thursday 25th March 2021 at 7:30pm GMT.