Aractus

Blog of Daniel Baxter, now secure! :)

Free SSL from Let's Encrypt!

What you weren’t told about WannaCry

I pride myself on providing you, the humble visitor, with good information. Not always perfect because, well, I’m not a security expert. You can think of this post as an afterthought if you like to my previous post, what I am aiming to do here is complete the picture.

Is Microsoft to blame?

The US Government and their spy agency the NSA are the main guilty parties in this instance. The ShadowBrokers who hacked the NSA and then publicly released the weaponised exploit are also to blame. And yes, Microsoft absolutely shares some of the culpability. Here is the thing you haven’t been told anywhere on the internet… some systems don’t update even when configured to do so. You want evidence? Here are screenshots I took earlier this week on a friend’s PC:

update-1

update-2

When I manually checked for updates it just spent hours on this screen:

update-3

And no, that system is not patched. I was unable to fix the problem. WHAT THE FUCK MICROSOFT?! My solution for that system will be to re-install Windows. Nothing worked – and I did try. This page contains most of the fixes I tried. The owner of that PC had no idea the system wasn’t up to date. How many other Windows installations have this same problem?

And probably the most misreported fact on the internet “windows doesn’t support XP anymore”… WRONG! They do. They only provide support to those who pay for it though, and according to some the latest pricing for this privilege is about USD 1000 per year per desktop Windows XP installation. For the ordinary home user, you can still get Windows XP updates until 2019, and possibly longer. To achieve this you simply tweak a registry setting that tells Microsoft that it’s an Embedded system. XP was embedded into all kinds of hardware that is impossible to upgrade – speciality hospital equipment like MRI scanners, ATMs, etc. And they still receive security updates to this day.

People were surprised when Windows released a patch for this vulnerability for Windows XP. But they shouldn’t be – the patch would have been rolled out for XP Embedded at the same time as Windows 7/8/8.1. The only difference is that they waited until after the worm appeared before pushing the patch to non-embedded XP systems.

Why was there a kill switch?

The original version of WannaCry attempted to connect to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and then terminated if successful. Other variants then emerged with hex edited domains, or with that section hex-edited out entirely. But why was it there? It could just be a bit of unfinished code. It might be intended as an anti-detection measure, but it’s been pointed out that it doesn’t just do a DNS lookup it expects to create a TCP connection to the domain too. If there’s no TCP connection then WannaCry will execute the payload anyway. It could just be the hacker’s way of “having fun” with their malware – let people think it’s stopped and then push out the variants. Who knows?

How much has been paid out in ransom?

Not very much. So far over 200,000 people have been infected, and only 292 (or less?) have paid the ransom. That’s 0.1%. The three wallets are: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. About $109,000 or USD 81,000 has been paid in total so far. At 292 people though that averages at significantly less than USD 300 per ransom – going by the actual dollar figure only 270 people or less have paid up at the time of writing.

Is it a State actor?

Possibly. You will have heard that North Korea has been identified as a possible culprit. The problem though is that any competent hacker can make their code look like it came from North Korea, China, Russia, the USA, whomever they want.

So what’s their motivation?

You might think that the crypto-ransomware developers are simply highly motivated to be paid hefty ransoms. Well, most professionals don’t believe that to be a huge motivation. Just look at the program for a start: it encrypts types of documents that are important and valuable to their owners. They could steal sensitive documents actually if they had wanted to, but they didn’t. So you heard about the NHS in the UK having patient information encrypted – that’s a huge problem for them – but can you imagine how much worse it would have been if the malware developers had stolen millions of confidential medical files, and then ran a real extortion racket like was run against Ashley Madison?

Then, they provide you with all the information you’ll need to get your files back, assuming you pay up. They give detailed instructions on how to use Bitcoin, they helpfully put the decryption program everywhere on your system so you can always find it, and they give you a wall-paper in case your antivirus removes the decryption program. And the program is translated into 28 languages as well to ensure that you can read it:

wana-decrypt0r-2

Their set-up is not particularly well designed to receive payments, which is why they’ve received so little. Plus they have to manually verify payments on their end because they didn’t put in an automated system (ie unique bitcoin identifiers) to make it easy for them to verify. And it’s not exactly going to be easy for them to get their bitcoins. But here’s the thing, malware has been around for a very long time before the concept of ransomware. So they are unlikely to care much about actually getting paid, in fact they tell you explicitly if you’re so poor you can’t afford the ransom there will be a chance to get your in six months.

Whatever their motivations are, it’s not money. At least not primarily. It’s been pointed out that leaked NSA cyberweapons have been used to turn computers into large botnets to mine bitcoins, and that was far more lucrative strategy for cybercriminals than this method. But what we can say is that they have put a lot of effort into their program – they want to get their name out, I don’t think they care whether people pay the ransom or not, they will probably give out the master key after a few months.

Did people click malicious links in emails?

This is the most misreported aspect of WannaCry. It is able to spread itself directly though the internet to any vulnerable computer that it finds. We don’t know how the NHS in the UK got infected, but it is possible that the worm spread across the internet by connecting to just one vulnerable PC or internet server across port 445, and then once it got on the network it can infect all the vulnerable PCs it finds on the ethernet. And that’s actually a larger problem for organisations than it is for home users, because it will be trying to connect through your IP address which is assigned to your router, but organisations often assign public IPs to computers. And they have to for servers. So yeah, we don’t know, but we do know that the this crypto-malware spreads directly across the internet without people needing to click any links if their system is vulnerable. That’s how bad this exploit is! Again though, if you’re behind a home router you’re probably safe.

Is it really the worst ransomware attack yet?

Yes. I chose my words carefully, it’s not necessarily the worst cyber attack, but it is the worst ransomware attack. What has made it so bad is that people on vulnerable networks do not have to click any links, as the malware spreads laterally as a worm. If you have this on your computer it will eventually try connecting directly to every single public IP in the internet – starting at 0.0.0.0 and ending at 255.255.255.255. Obviously that’s a simplified explanation, it randomises its IP selection, but yes every computer with the worm – all 200-300,000 of them – will eventually try to connect to every single IP on the internet. And it wouldn’t take that long either, as there’s only 4 billion IPs to try.

So it’s not an understatement at all to put the blame squarely on the US Government/NSA. And this is just the beginning – the ShadowBrokers (the hackers that hacked the NSA and released their cyber weapons) said they have yet more cyber weapons to release.

World’s worst ransomware attack yet

The recent WannaCry ransomware attack has been described as being the worst attack yet. The cybercriminals who created it have quickly become the world’s most wanted cyber criminals… but let’s talk about who’s responsible here, because the cyber criminals were armed whether intentionally or not by the NSA.

fbi-most-wanted-hannibal

By the way, I have been working on a little project that is nearing completion, here’s a little preview of it that I made very quickly using Microsoft GIF Animator:

ubobanpreview

I highly recommend installing uBlock Origin, that will provide you with some protection again an infection through malvertising.

The NSA developed an arsenal of cyber weapons. One of these weaponisd exploits is called EternalBlue. The NSA’s entire arsenal of cyber weapons was both leaked and sold to third parties, including to hacking groups. Recently, a different arsenal of cyberweapons developed separately by the CIA was leaked to Wikileaks (known as Vault 7) who proceeded with responsible disclosure. Responsible disclosure means giving broad information to the public, while giving specific information to affected software and hardware vendors so that vulnerabilities can be patched, and then later full disclosure. In the case of the NSA’s arsenal of cyber weapons, it fell into the hands of a hacking group called The Shadow Brokers, and they do not believe in responsible disclosure so they promptly dumped the cyber weapons directly into the hands of the masses. The Shadow Brokers claim they hacked the NSA and stole the weapons, but however they came to obtain them is irrelevant.

The reason this is the worst ever malware attack is that it has crippled critical infrastructure. This is what every security expert has been worried about. It leverages EternalBlue (and EsteemAudit for older OS’s) to spread across computing networks. How ordinary users becomes infected though has not yet come to light, but I suspect Malvertising may be one culprit.

wana-decrypt0r

Ransomware works by encrypting your data using RSA encryption. What you need to know about RSA is that it’s the same principle behind SSL/TLS internet security. It is an asymmetric encryption – there are two keys, let’s call them Key A and Key B. If data is encrypted with Key A, then it can only be decrypted with Key B. If it’s encrypted with Key B, it can only be decrypted with Key A. Ransomware generally generates a unique key pair for each and every infection, and it can be remotely generated on a server far away. What that means is that an infected user has no way of obtaining their decryption key – it can’t be brute-forced, it can’t be extracted from the program, the only way to get it is from the cybercriminals who have it.

If you’re infected- should you pay up? Well, if your data is worth more to you than $400 – yes you should. Some reports have suggested you have no guarantee or receiving a decryption key… well that’s true, but generally speaking operators of ransomware do provide the decryption keys when payments are made. The situation where that might not be true is if you manage to get infected with an older malware by a group that’s no longer active, then I would agree you would be chancing it if you pay up.

So who should foot the bill for this? I believe the US government should be held to account, and made to pay out the ransoms. They’re the assholes that developed this cyberweapon. This is exactly the reason why the security industry hates the so-called intelligence industry. The correct thing to do when you find a security vulnerability is to do exactly what Wikileaks did with Vault 7: engage in responsible disclosure so that the vulnerabilities can be patched. Think about it this way, the NSA is a foreign intelligence agency that we would classify the same way as any other cyber criminal organisation. If they develop a weapon, then you can bet that someone else – whether in China, in Russia, in India, or elsewhere has also developed it. And even if they haven’t, as we’ve seen time and time again these inevitably get leaked/stolen.

And WannaCry has crippled critical infrastructure – that’s one of the worst possible outcomes of a cyber attack. Hospitals, schools, and telecommunications were taken out with this purely as a side-effect of its original intention. Had the cyber criminals wanted to though they could have specifically launched a far more vicious attack specifically aimed to take out critical infrastructure, and if that was done there could have been thousands of deaths as a consequence: rioting could have happened in cities across the world if power grids were taken off-line for example.

You may have heard that a security researcher that calls himself MalwareTech “accidentally” stopped WannaCry from spreading further. Well, that’s a half-truth. He did a write up on his blog about it actually. In a nutshell, the malware checks for the existence of a “random” domain that doesn’t exit. If an IP address is returned then it assumes it’s being run in a sandbox and shuts down its operations – this is a tactic it uses to try and evade malware detection by anti-malware software executing the program in a sandbox. It effectively is a kill-switch, but not intentionally so. But to say that it was accidental is not true, as stated clearly on the blog it’s standard practise to register domains found within malware as it gives researchers a way to track malware as much as anything else.

Alien: Covenant review (spoiler free)

Alien (1979) is a seminal film. It is one of the rare horror films of its time to be made by a film director who was later welcome to produce films outside of the horror genre. This can not be understated – working in the horror genre at that time was literally the kiss of death for your career as an actor, or as a director. The prejudice against the horror genre permeated so deeply that many great movie ideas were simply never made. And many great directors like the late Wes Craven were never welcome to make movies outside of the horror genre. The late David Hess talked about the prejudice against him for playing villains in horror films. So making Alien was a huge risk for Ridley Scott’s career and for Sigorney Weaver and the rest of the cast.

Now you might think that’s where the story ends – no. We move to Aliens, and I can’t say why, but Aliens is a pure action film with no horror elements to it. Some people use the word “thriller”, but I think thriller can be split into two genres – there are action thrillers, which is what Aliens is, and there are drama thrillers which is what Silence of the Lambs, and Alien 3 are for example. So with Aliens we had a director that basically didn’t take chances. He didn’t want to advance the story, he just wanted to make a generic action based story in the Alien universe. Aliens works very well as an action film, and is actually quite a fine sequel.

Alien 3 brought the series back to its drama-thriller roots. It’s a good film, but it failed to live up to quality of the original. And many people were expecting another action film to follow Aliens, and didn’t want the film back in the horror genre. But it did have a strong cast, and a coherent story.  Alien Resurrection is a generic action film with few redeeming qualities. Disappointingly, Resurrection tries to re-make specific scenes from the first two Alien films with varying degrees of success. Winona Ryder as Resurrection’s android Annalee Call was bland, unconvincing, and uninteresting.

Finally we came to Prometheus. Prometheus restructured the narrative of the Alien universe. It brought the revelation that life on Earth was created by Engineers. Many critics scoffed at this, which I think is a mistake because these films are science fiction and need to have room to define their own rules. Many also didn’t like its unanswered questions, but I think those were fine. Prometheus brought the series full circle back to its roots. It’s true roots that is – including the exploration of unknown outer space. The film is not perfect and could have been improved by showing a bit more constraint and spreading the narrative elements so it unfolds more organically. Guy Pearce was completely miscast as Peter Weyland, and the make-up was unconvincing. However Michael Fassbender is absolutely amazing as the film’s android David, and Noomi Rapace was a very strong lead.

Alien: Covenant was fucking great! I am struggling to find some negative points to make about this film. The only negative I can say is it’s a bit formulaic, but I won’t hold that against it as it’s easier to see that in retrospect. Michael Fassbender is amazing, this time playing two androids – the original David, and Walter. Some incorrect reports have said they’re the same model, that’s not true – Walter is a newer model but looks the same. The very real problem in AI development of how do we realistically implement safeguards into AI so that we remain in control has not been solved to this day. This is the same premise behind Terminator, and the Matrix, and of course the original Alien where Ash was willing to obey orders above the safety, welfare, or interests of the crew. Remember though, even though Walter and David are very different, they are not as advanced as Ash – and Ash was happy to follow his orders and let the entire crew die to the Xenomorph.

This movie stayed on track from the first act to the final scene. It didn’t deviate or present unnecessary hyperbole to advance the plot and get its point across. It does still rely on people making stupid decisions though. David’s evolution from the curious android in Prometheus who distrusts humans to his new home where he has used the Engineers to continue his agenda progresses his character flawlessly. Walter rightly does not trust David, but perhaps perplexity he fails to alert his crew to his suspicions – he is after all only synthetic. The interesting reverence David has for Elizabeth is also worth an honourable mention, he holds nothing but love and admiration for her and it’s very clear why this is so, yet it’s a selfish love that he holds and he does not reciprocate it. I only wish that these nuances could have been teased out a bit further. Great films leaves you wanting a bit more in places, and these cognitive limitations that androids in the Alien universe are fascinating, and attest to the film’s ability to draw us into its world so deeply we want to find out more!

The film was not afraid to continue developing the new ideas presented in Prometheus. It would have been a great shame to see these ideas abandoned in favour of only pursuing the original Xenomorph and face-hugger. Even though there were some issues with Prometheus, expanding the Alien universe to include the Engineers and goo was genius. A very well made film and a fine addition to the Alien filmography.

5 Stars

Trump and Turnbull

Watch this:


Video: White House

I love this video. This video sums up everything that’s wrong with Turnbull. Here he is sitting across from one of the most ridiculous first-world State leaders in our generation, and he’s listening to him spew his bullshit. To bring my international readers up-to-speed, Turnbull is well educated, highly intelligent, and knows a lot about history. All the things Trump knows nothing about.

The expression on his face says everything. It says “I can’t believe I have to sit here and listen to this man’s bullshit… I’ll just smile and nod”. You can see he just wants to shake his head, roll his eyes and walk out. Grow some fucking balls Turnbull. The only reason that people aren’t going to lampoon you for being as blissfully uninformed as Trump is because we know you’re smarter than that – why not fucking tell Trump to his face when he spews out bullshit?

Trump: “We’ve been allies for 99 years”

Turnbull: “Yep”

Trump: “Can you imagine that? 99 years”

What the fuck Turnbull? Perhaps he was stunned by Trump’s blatant stupidity? We’ve been formal allies, counting the ANZUS Treaty as the start, for 65 years. And it’s an archaic outdated alliance anyway. More Australians have a negative view of the US than have a positive view. Because the US is a fucking inhumane disgrace of a country that practices the death penalty, criminalises prostitution, and has worse gun violence than any other first world country.

Trump: “Right now we have a failing healthcare … you have better healthcare than we do”

Well – maybe. I think it’s funny that people seem to claim to know whether one country’s healthcare system is “better” than another, and it’s really difficult to objectively measure. The World Health Organization last ranked countries in 2000 – that’s 17 years ago. What is true however, is that the US healthcare  system is grossly overpriced – the US spends greater than 18% of GDP on healthcare services, whereas the rest of the industrialised world spends 9-12%. I don’t see how you can possibly implement a universal healthcare system in the US in a single term of government and not expect to see a huge recession. Reducing healthcare spending from 18% to 12% would result in a lot of job losses, and also many doctors, surgeons, and nurses would have to face pay cuts and/or stagnant wages. That’s a reality because governments and insurers pay less for health services than private citizens do – and you can check that fact if you want. It’s similar in Australia with GPs that bulk-bill vs those that charge a consultation fee, except that in the US there are just many more health services. For example if you need heart surgery and you are covered by an insurance policy in the US, then the insurer will pay out a set amount to the hospital for the service. A private citizen however might be charged much more because he’ll be dealing with a surgeon that charges whatever he wants and doesn’t perform surgeries for insurance companies.

The issue in the US isn’t the quality per se of the healthcare, it’s the accessibility for essential health services, affordability, and the fact that people have to rely on insurance policies. The failure of the US health system is that it doesn’t cover everyone, and (prior to Obamacare) insurance companies didn’t have to cover “high risk patients” (those that had pre-existing health conditions), or could charge people with pre-existing health conditions more than people without. Obama of course lied when he claimed premiums wouldn’t go up – you can’t cover all the high-risk patents and expect premiums to stay the same!! Now, don’t get me wrong, the US absolutely should bring in universal healthcare. But it won’t be a purely straightforward process.

Anyway, Turnbull grow some fucking balls and tell the man that his healthcare plan is fucking atrocious.

Why I’m Not Islamophobic

Imam Shaikh Mohammad TawhidiThis is a post I’ve been meaning to do for a while, it’s a direct follow-on to my 2010 post Hi, I’m an Islamophobic. On today’s Outsiders programme with Ross Cameron and Rowan Dean was one of the loveliest people I have ever seen on television. His name is Imam Shaikh Mohammad Tawhidi (pictured), and I want to credit him with motivating me to make this post now. Now let’s get one thing out of the way first, I am genuinely fearful of Muslims more than I am of any other religious organisations, so in that sense I am Islamophobic.

Right – on to business… how did we get here?

In my former post I said you can not prove Christianity, and you cannot disprove it. Or rather I mentioned the Antediluvian Period, which is something most Christians would prefer to ignore. It creates a huge problem – without it there are no Patriarchs, and without the Patriarchs there’s no Covenants with God, and without those there’s no condemnation, and no requirement for a Saviour.

“for all have sinned and fall short of the glory of God, and all are justified freely by his grace through the redemption that came by Christ Jesus.” -Romans 3:23-24.

When God reveals himself to Moses he says “I am the God of your father, the God of Abraham, the God of Isaac and the God of Jacob” (Exodus 3:6). Abraham exists after the Antediluvian Period, but the Abrahamic Covenant displaces (dispenses with) the Noahic Covenant, and the Noahic Covenant happens at the dawn of the Antediluvian Period. So it is important that it holds some meaning to Christians – many now take the easy route of saying these were just stories – but if they’re only stories then the Sacred Covenants are just stories too. Though I was loathed to admit it, as a Christian I was forced to believe there was an Antediluvian Period. I didn’t care when though, for all I cared it could have been 200,000 years ago. And even that didn’t solve the problem of Adam and Eve – although I never really knew that was a problem since I’d never really been taught properly what the Adamic Covenant is.

You may be wondering where I’m going with all this? Well, I recognise now that you can prove or disprove the claims of Christianity. You can’t absolutely rule out the Antediluvian Period happening at some point in the past due to divine intervention… but the historicity of Moses has been well and truly disproved for example. Now this is a huge problem for Christians it’s the Elephant in the room. Judaism is the first known religion in the world to have been based on a collection of writings. Other religions existed outside of written texts, and religious texts were written about the religion, rather than serving as its blueprint. So any Christian that tells you that they don’t have to believe parts of the Bible they disagree with is selling you a revisionist lie. They might believe it, but the fact of the matter is that it’s not consistent with the formation of Judaism, the beliefs of Jesus and his Disciples, or of first century Jews.

As an atheist I see a lot of intolerance shown towards those of religious faith. This is the same kind of intolerance I used to have regarding others who were not Protestant Christians. I don’t hold those views any more because that would be hypocritical. I was really moved today when I saw Imam Tawhidi on Outsiders. He is a true humanist.


Video © Imam Shaikh Mohammad Tawhidi, 2017. License unknown.

It’s sad that Imam Tawhidi represents the minority of Muslims leaders in Australia. Until today I never knew that true moderates really existed within Islam, although that’s largely due to me not finding out about Shiites. About 85 percent of Muslims are Sunnis, and I would consider the vast majority of them to be “extrmeists” as we use the word. It gives me no pleasure to say this, but I do not believe that Sunni Islam can ever be full reformed. There are too many core beliefs that are incompatible with modern society. I also don’t think that people convert between religious ideologies very readily – it’s not something that most people do in their lifetimes. Which is why atheism has taken a long time to grow – it takes a generation, usually, for change.

Imam Tawhidi also exposed a dirty secret that I actually didn’t know. He said in no uncertain terms that he doesn’t know any Sunni Islamic Scholars (he may have been referring to all Islamic Scholars it wasn’t entirely clear, the context was Sunni) who believe the Holocaust happened. Now that’s truly frightening. There is still a lot of hatred towards Jews. And this brings me to the dark side of religion. Religious beliefs form a fundamental part of people’s world views, and those world views are a very strong cognitive bias for denying information that has been discovered or learned academically in secular society. The priest at my former Church pretty much disagrees with any Biblical Scholar that is not a Trinitarian Christian, for example. In fact I may as well re-post my video on social stigmas, it’s only 3 minutes so check it out:


Baxter, D. 2016. Creative Commons Attribution 3.0 Licence (Aus). Originally published at: https://youtu.be/HMdl-VDRg9I

Religious tolerance is a necessary part of a free society. But don’t for a second think that all religions are capable of reform. Scientology was built on the premise that Psychiatry was a pseudoscience. They also deny the Holocaust. Now just to be clear – Holocaust denial is “the belief that the Holocaust did not occur as it is described by mainstream historiography” (source), and the type of denial perpetrated by Scientologists is that they believe psychiatrists were to blame.

But this brings me full circle. What we consider to be extreme beliefs were once mainstream beliefs. Eugenics was once the majority view in psychiatry, and psychiatrists did pay an active role in the Nazi extermination programs, including before and after the Final Solution. Hate and distrust of Jews was once mainstream. It was less than 100 years ago that we discovered there are galaxies in the universe other than our own. And I see one very important similarity between Imam Tawhidi and Jesus of Nazareth: both men wanted to reform their religion, and both have faced persecution from religious authorities in their religions. And both were/are exceptional human beings.

Google is building an adblocker into Chrome…

Google is playing with fire. In fact so is Opera. So is ABP, Adblock, and PageFair. To understand where we are, we need to go back to the beginning. This will be a long entry, so grab yourself a coffee, install uBlock Origin if you don’t have it, and enjoy your time here.

Ad blocking has long been a side-effect of the MVPS hosts file, which I have used consistently for more than a decade. Back then internet bandwidth was limited as well, and another side-effect of using it was of course that it blocked unwanted internet traffic. It’s also good for preventing malware – in fact that’s the main reason to use it in my opinion.

History

In 2004 the original Adblock extension was developed for Firefox. Already there were complaints from advertisers and webmasters, for example here “blocking ads on Ars is a bannable offense”. You could also get programs that would block ads. In mid-2007, Maxthon 2 became the first browser in the world with a built-in adblocker. The Adblock Plus extension was created in 2006 to pick up where Adblock left-off, and in late 2009, the new Adblock extension was created. For quite some time Adblock and ABP were both very popular. And again, advertisers were not happy – some claimed the extensions are illegal and their use amounts to stealing. Others put up notices in the place of ads – or worse lock the content or use modal overlays. Hank Green and Boogie2988 have both posted rants against the extension, as have many others. Then in 2011 something truly terrible happened: Adblock Plus created a whitelist to allow so-called “acceptable ads”. In 2014, uBlock joined the extension market, and has since become the blocker that is featured in both the Firefox and Edge Extension pages. In 2016, Opera added a built-in adblocker, and now it appears that Google is looking to do the same.

So as you can see, we have a lot to go over.

Blocking is stealing?

This is probably the most ridiculous argument that I have ever heard. Let me put it like this: my PC or other device is MINE, not yours. I own it, and I do whatever I want with it. It doesn’t belong to an advertiser, it doesn’t belong to Microsoft, it doesn’t belong to Google. It belongs to me. Who’s is it? MINE! If you can grasp that simple concept, then you can understand that just like my TV, I can choose to do whatever I want with it – I don’t have to look at any ads if I don’t want to. Now of course, there’s something else that’s mine, and that’s my internet connection. To suggest that an advertiser – or for that matter anyone – has some inherent right to it is just insanely wrong. That’s like a bully who wants to control things that you own, and make you do things with your possessions them that benefit him.

Why you need to block ads

Blocking ads is not merely a convenience issue – it’s a security necessity. And you don’t need to take my word for it, the experts say so:

“The only effective protection against malware advertising is to block the advertising networks that accept adverts from the criminal gangs.” – Comodo computer scientist, Dr. Phillip Hallam-Baker (source). By the way there’s even a specific term for this threat – malvertising.

It’s also recommended by security guru Steve Gibson:

Take a moment to digest this information if this is news to you. And ask yourself: why is it you haven’t heard this?

The reason you haven’t seen this is that it represents a conflict of interest for many websites to tell you this information. They would rather tolerate serving their visitors malware than dare suggest you remove the advertising from their website. In fact, many of these websites are the same ones that pop-up those god-awful modal overlays telling you they “need advertising revenue”.

I am not suggesting that adblocking is a complete solution. You should also completely uninstall adobe flash, keep your system and browsers up-to-date, use the MVPS hosts file, and a good anti-virus program.

The other reason you need to block ads is to protect your privacy. Privacy is an inalienable human right, advertisers create, buy, and sell your unique information that they gather. And they do it without your consent. In some countries, ISPs spy on their customer’s internet usage, and sell that metadata to advertisers. In other countries that is illegal, yet that is what advertisers do. I do not believe there is the legitimate case for user-targeted advertising – it’s a blatant form of spyware. And it can put vulnerable people at risk – for example should an advertiser really know that you are looking crisis accommodation, and if they do learn that and then run ads for these services all over your PC when your abusive partner is using it what might be the consequences?

The problem with Adblock/ABP and built-in adblockers

So you might be wondering, if I’m so in favour of adblockers – particularly uBlock Origin – why do I have a problem with the built-in blockers? Well let’s start with Adblock and ABP – both of those extensions adopt the “acceptable ads” motif. Now, even on the official Adblock website in a recent blog post the CEO acknowledges its use in preventing malware… yet what do you see nowhere in the acceptable ads policies? That’s right, not one mention of malware. They’re more interested in allowing advertising than protecting their clients from the very real harm of today’s crypto-ransomware. PageFair and Fair Adblocker offer no protection against malware at all. Google supports the Coalition for Better Ads, and they don’t mention malware either.

The issue with all of these existing blockers (except uBlock Origin that is), is that it puts an important security measure in the hands of those who have a conflict of interest. All of these people believe in “acceptable ads” more than they believe in protecting you from harm. To put it in another way, the goals of Adblock, ABP, and Pagefair do not include protecting you from malvertising – their primary goal is retention: they want to capture people that are fed up with internet ads and retain a level of advertising on their device that the user will tolerate. That goal is completely incompatible with the security goal.

Opera’s adblocker is a problem for a different reason: it doesn’t give the user the choice of filter lists or ability to create their own, and it’s not clear what filters it does use. And the other reason I see it as problematic is that uBlock Origin is already available for Opera and provides a better option – why not include it by default for users instead of a closed-source adblocker? Finally, the blocker is not an extension, it’s built right in to Opera and what that tells me is that it can only be updated with Opera – and of course there’s no indication I know of about how often it gets updated – with uBlock Origin the community is in control of all the lists which are regularly peer-reviewed and updated, and the user is in complete control of his or her own rules as well.

I think I really should restate this… the goal of adblocking is to provide you with an effective security measure against malvertising. It’s the only effective preventative measure! It doesn’t mater if you love ads and want to view them all day – it’s more important that you are protected online from malware. So that’s it, and I think that’s where we’re at. That’s why I have an ethical problem with these other blockers – Adblock and ABP used to be great by the way before the introduction of “acceptable ads”.

The problem with Google

Google is obviously the wrong company to be in control of this important security measure that people need. And not only that, but it would be clearly an anticompetitive market move that I suspect would be illegal in many places such as Australia. Do you remember how Microsoft was forced to give people in the EU the browser choice ballot on installation of their Windows OS? Well, can you imagine that the world’s largest internet advertiser would be allowed to write an extension or feature for their software that directly harms their competitors and integrate it into their browser? That has litigation written all over it. I hope they do it actually, and face the consequences. So much for their ‘don’t be evil’ motif.

By the way don’t think this is new to them, they have an absolute monopoly at the moment with their Chrome web browser that sees it as well as most others (this includes Firefox, Maxthon, Safari, and Opera) set the default search engine to google.com. That is extremely anticompetitive – especially given the fact that they pay money to competing web-browsers to make google.com the default search engine. With that said, the recent versions of Firefox have actually improved this by changing the default search engine whenever you use the search bar – but it’s a small improvement as most people only use the omnibar.

Google’s goal is not to improve your protection against malvertising – their goal is to protect their advertising business and to ensure that you will see adsense and youtube ads. All they care about is improving the user experience just enough so that users will tolerate advertising. They think that user experience is more important than their security! Imagine this if you will: Google gives up advertising to become the world’s largest condom manufacturer. Next, they outline plans to become be the authority on quality control for all other condom manufacturers. I think most people can understand that’s a conflict of interest, but then we learn something even worse: their idea of quality control is not to test that the product provides the protection users expect, instead all they care about is the user experience, and if there are major flaws in the products they will deal with the problem after users are exposed to the threat.

You may not believe me, but Google’s own numbers show they had to remove 900,000 ads from their network that were serving Malware! Nine hundred thousand. How many people were infected with crypto-ransomware? Did Google compensate the victims that had to pay large sums to recover their data? Of course not, yet they profited from serving those poor souls the ads in the first place.

Why do I hate ads so much?

I don’t hate ads. As I’ve stated I think quite repeatedly, blocking ads is a necessary security measure. To be protected I have to be prepared to block all the third-party ads – the horribly obtrusive ones that I hate as well as the ones I don’t. As I’ve already mentioned, ad blockers are one of the only effective preventative measures against malvertising – exactly in the way that condoms are the only effective protection against many STIs, other than abstinence of course. So unless you want to disconnect yourself from the internet you absolutely need the best adblocker you can find to help protect you from the ever increasing threat of crypto-ransomware delivered through malvertising.

Now with this said, I do have an ethical issue with third-party internet advertising. As I’ve already mentioned, privacy is an inalienable human right. That’s why you need to consent to questioners. Internet advertisers steal this information from you via analytics without even asking. I think that is morally wrong. Ads that are not targeted using profiles built with analytics like TV and radio I don’t mind, but any ad network that profiles individuals on the internet is below contempt in my opinion. It doesn’t matter if they have an “opt out feature”, if they automatically opt people in it an absolute disgrace of humanity.

But don’t websites need advertising revenue?

This I think is where many advertisers, as well as content creators, and webmasters have got it very wrong. Do they need advertising revenue? Maybe – but that’s not my problem. Nor is it yours. And nor should you be bullied into thinking that it is. Your right to security and privacy trumps a website’s “right” to deliver you advertising. And anyway, the idea that ads should be forced on you completely breaks everything the world-wide web is meant to represent.

I am not arguing that websites shouldn’t be allowed to have ads. Of course they can, but any time they run cross-site scripts that deliver ads, and any time they are not in full control of the ads that appear they are a security risk to you. It’s a misconception by the way that hackers need to hack an advertiser to begin infecting people – one of the ways they’ve actually been doing it is simply by uploading an ad that integrates malware into it that they’ve paid for. To give you an example of how I might get a malicious file to you – let’s say I embed a virus file into a picture file. I offer this picture file for downloads – you don’t know that it contains a malicious executable in it because it looks like an ordinary picture. Once you put the picture on your computer though, you have unwittingly saved a file that looks and behaves like a picture, but is actually an archive that contains the malicious executable. Then, all I need to do is embed code to recover the file, extract it and execute it. And I might hide that code in a completely separate program that appears to be completely safe – but unknown to you it searches your computer for the file so it can extract and run the malicious file.

That might sound convoluted to you – but that’s actually exactly how modern computer infections work. They can hide the malicious file within a picture, a sound file, or a video file, or even something like a font file if they want to get really creative. Those types of files are of course considered to be lower security risk than executable files, so they can get saved into your temporary internet files. What malware does is combine this type of method with a browser exploit that allows them to break the security of your browser and execute the code directly… and there are criminal organisations that are constantly seeking out these exploits. In fact, it’s almost certain that the CIA’s arsenal of cyber-weapons has been used for this purpose as well – both by the CIA and other cyber criminal organisations.

Websites that ask you to disable your adblocker?

What the fuck. I do not even visit my own site with uBlock Origin disabled. What would you think if these websites told you to download and run a binary file on reddit and, oh, disable your antivirus software before doing so? Asking you to disable your adblocker is no different. As mentioned, adblocking is the only currently known general-purpose measure known to protect against malvertising. Yes, I feel bad for those websites that depend on advertising – but it’s not worth risking having my files encrypted for a ransom. As others before me have pointed out, making a living knowingly selling access to every well known ransomware distributor on Earth is pretty goddamned despicable.

Like I said, I don’t even disable uBlock Origin on my site – so why the fuck would I disable it for someone else?

Broadchurch Finale: Just as I thought!

SPOILERS!!!

At last my theory is vindicated. Granted I didn’t every specific detail right, but I got most of it right. I had worked out the rapist had not previously been involved with the other rapes, but that there were two attackers – who I believed would turn out to be Michael and Tom. I had also worked out that the accomplice filmed the event – and that it was the films that linked the rape to the previous rapes (as Michael and Tom would be too young to have perpetrated them), although I’m not sure the way depicted in the episode is even possible … can you really run a flash-light mode on your phone and record video at the same time? Not only that, but I knew the sock would either belong to Clive (Michael’s father) or they had matched Michael’s DNA paternally to the sample found at the scene. Michael’s accomplice was Leo, not Tom, but I was essentially right about everything else.

The evidence that either Michael or Tom was involved was overwhelming: to start with, one of them was the Broadchurch Highschool Porn Baron, and I was convinced the rapes were amongst that porn footage. We never really find out definitively if it was, but that was one clear clue. Then, after serving their penalty at the church, the boys watched porn again with Tom insisting and Michael resisting – this is a foreshadowing of the relationship he had with Leo, and of course it made sense because he was in remorse. The attacker knocked Trish unconscious and tied her hands behind her back – that suggests an attacker that isn’t as physically strong as her. Most of the other men – Ian, Jim, Aaron, Ed – were much strong physically and would have had no trouble controlling her. And finally, the boys sub plot of sharing porn would have been would up last week if it was not connected to the larger plot.

Some have noted the police work throughout the series was not very professional, or for that matter realistic. I tend to agree, and I think we had a clear example of this in the final episode. Michael was 16 when he raped Trish, and Leo filmed it on his phone. That’s child pornography, and Leo would find himself under charges for both possessing it, and for producing it – in addition to all his other charges. And they would be very serious indeed. While it was a good series that point should have been addressed. Also, how exactly did Leo film the other rapes if he acted alone?

Also, the scenario is not particularly believable – Michael is quite a shy boy, he gets drunk which lowers libido anyway, and then Leo knocks out Trish and tells him to go have a root while he watches. I just don’t believe Michael would be able to get it up in that scenario – especially if he didn’t find Trish particularly attractive (she is three times his age!), or if he didn’t relish the thought of control by violent force which is what rape is about. Put simply, in the scenario described it is so unlikely that Michael would have been able to get it up – even if he tried, the more realistic turn of events would be failing that that Leo goes and finishes the job. But, again that’s problematic too – Leo normally rapes women alone, it seems quite unlikely that he would change that paradigm.

Another issue I have is that Michael is such a generic antagonist, that he had barely no character development at all the entire season. I don’t think we even meet him until episode 3, and in the finale his mum Lindsay is nowhere to be seen for the entire hour! Again of course, this lack of attention is a big clue to who the culprit is, but seriously why don’t we see Lindsay at least once in the finale? She’s not even at the church service at the end, despite the fact that she’s the most devoutly religious character in the series – even more-so than the vicar.

broadchurch-michael-leo
The guilty parties – Michael (left) and Leo. Michael has guilt written all over his face.

Leo is just as generic – in fact even mores o than Michael. He has no motive whatsoever, and he already ha a girlfriend he effectively controls. He’s far more likely to be a physically abusive partner than a rapist, or to at least start there and then progress to rapes. And come to think of it, not only do we not get to see Lindsay, we don’t get to see Danielle (Leo’s girlfriend) either! In fat we barely see her at all the entire season – I guess that’s how Chibnall thought he was keeping Leo under the radar. Chibnall – some fucking character development of your antagonists would be helpful you know!

As an afterthought, you might be wondering if this was my theory all along why didn’t I say anything before the episode aired? I thought about doing so yesterday, but I decided against it because I knew I would want to post this post if I was mostly correct, which I was. And since you didn’t know what my theory was, the title of this post isn’t going to inadvertently spoil it for viewers yet to watch it – I would have had to have used a more neutral title. It doesn’t bother me if you don’t believe me, after all it’s just a stupid TV show. I’m just pleased with how close to the reveal I got.

World’s worst cyber criminal group identified

The cyber espionage group known as Longhorn has been formally identified by Symantec as the CIA.

Now, take a breath and get ready to learn the ugly truth behind this revelation. We live in the digital age, and underpinning that is the illusion of electronic security. Now I say illusion, but I wish to stress that this illusion is so strong that it gives people the confidence to conduct online transactions, and for banks to allow their customers to access their accounts over the internet. How secure is your data and your bank account? Not very. It’s about as secure as an ordinary bank vault. With the right tools, equipment, and expertise it can be broken into.

Electronic security is never truly provably secure. Take a moment to think what that means. Let’s say you have a large safe in your office – should you trust it with a high security mechanical lock (Manifoil MK4, S&G 2740B) or an electronic lock (the TL11G is the SCEC approved electronic equivalent)? Well, allow me to blow your mind for a moment: the mechanical locks are provably secure. They are not perfect, and they can be broken into (for example if someone guesses the right combination). The TL11G is not provably secure, its source code is closed, and the ROMs can of course be flashed if someone wanted to intentionally supply a known-vulnerable product, and it would be impossible for a user to tell the difference. I’m actually surprised it’s SCEC approved given the clear vulnerabilities that could exist or could be introduced. Granted though I’m not a locksmith or for that matter security professional.

On 7 Mar 2017, Wikileaks began publishing information relating to Vault 7. Vault 7 is an arsenal of CIA developed cyber-weapons. They are believed to have been sold for sometime on the darkweb. The reason why security companies and professionals hate intelligence organisations is because these intel orgs deliberately find vulnerabilities in software, but do not publish the information. What this means is that a vulnerability can exist for several years before it is independently discovered outside of an intelligence agency. And it doesn’t matter who you think are the “good guys”, if one intelligence agency found the vulnerability and developed a cyber weapon, you can bet that others did as well – the Chinese, the Russians, etc. In fact it would be unthinkable that the CIA could develop such weapons without the Chinese developing them at the same rate or faster given their expenditure on finding them. But as already mentioned, even without the same vulnerabilities being found, the CIA’s entire arsenal of cyber weapons has been leaked for some time and sold on the darkweb to the highest bidders.

On 10 Apr 2017, Symantec positively identified the north-American cyber criminal group known as ‘Longhorn’ as in fact being the CIA. Longhorn has been active since at least 2011, and has been described as the worst cyber criminal group of our age. They have infected 40 known targets in 16 countries. To quote:

The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.

That’s a pretty goddamned strong statement. Now there is another way to read that statement, the other way to read it would suggest that whoever Longhorn is they have had access to most or all of the Vault 7 cyber weapons soon after they were developed by the CIA. Meaning that if Longhorn is not a part of the CIA, they are a group the CIA has been intentionally arming with the weapons, or they had the ability to steal them from the CIA. None of those options are any better than the CIA is Longhorn.

Why are Christians persecuted?

It’s at this time of year that Christians claim that they are persecuted. Perhaps they take their cue from Jesus who was persecuted and then crucified. Unlike many other atheists, I believe it is right to remember Jesus as a good man who was unjustly persecuted. And to recognise the good he taught. Where I don’t agree with Jesus was his act of violence, and my reading of the gospels would agree with scholars that it was that specific act for which Jesus was condemned under Roman law and crucified.

Let’s recap. Man becomes violent, and is persecuted. Check. Well I think now we can understand why other groups that use violence perceive themselves to be persecuted. Or feel they are entitled to use violence to achieve their goals.

Christians are persecuted in some countries (some Middle-Eastern countries, and North Korea) that’s true. But in Australia, France, Germany, the United Kingdom of Great Britain and Northern Ireland, Ireland, The United States of America, Canada, Papua New Guinea, Philippines, and well most of the world – they’re not.

But Christians have in-turned showed persecution against others. Hard persecution. Not merely “intolerance” – I should know I used to be one.  I’m not in the least bit embarrassed by the persecution I showed towards others, but I do feel shame and remorse. Christians have been persecuting non-Christian groups and other Christian paradigms for two millennia. Thursday was my Graduation Ceremony. One of my fellow graduates appeared to be a transsexual lady. In times gone by, in Christian-controlled regions and eras such a thing would be unthinkable. On Thursday however there was no visible or audible persecution, although I would hasten to add that transsexuals remain amongst the most stigmatised groups in society. Which is to say that I’m sure the lady in question has experienced discrimination and stigmatisation perhaps even daily.

So, many Christians today are persecuted. Not by me, and not by most of Australia, but by North Korea, Saudi Arabia, and a slew of other States that view them as infidels. And I think we should recognise that as valid. But, it does not compare to other groups, I’m thinking pre-WWII Jews, I’m thinking Homosexuals, I’m thinking “other race”, and I’m thinking of Trans people.

Vietnamese Man Violently Thrown Off US Plane

Post updated: 12/04/2017.

Just when I thought the US couldn’t get any more inhumane, a story has broken about a 69 year old ethnically-Vietnamese American gentleman now identified as Dr David Dao being violently assaulted by aviation officers in the US.

Here are the facts:

  1. United Airlines “overbooked” a Sunday flight from Chicago to Louisville. Apparently this is quite common in the US, and when it happens some passengers are shit out of luck. To say the least.
  2. They found someone to volunteer not to board the plane.
  3. Then they decided they wanted to use the flight to ferry 4 of their staff for an upcoming shift – no information was provided as to why they couldn’t have instead taken a bus, train, taxi, or hire car.
  4. They then asked for volunteers to leave the flight – no one wanted to volunteer because the next flight wasn’t until 2:30PM on Monday (the following day). Need I remind you that this was a Sunday flight, so of course people had to get home for work in the morning.
  5. 4 people were chosen, and three left the plane without incident.
  6. The fourth person, Dr Dao, did not wish to leave the flight, he told the staff he was a doctor and had to work in the morning.
  7. The aviation staff then called aviation offers to come and remove him by force.
  8. One officer pulled him out of seat, he hit his face splitting his lip and drawing blood.
  9. Following this officers dragged him off the plane, he appears to be dazed (possibly concussed), and other passengers are horrified by his treatment.
  10. One passenger said that while being dragged off he was heard saying that it’s because he’s Chinese.
  11. He was then allowed back on the plane for reasons not yet understood and he ran up and down the plane repeatedly saying “I need to get home”.
  12. He then stood in an archway of the plane, with blood dripping down his face and repeatedly said “just kill me”.
  13. Following this incident all passengers were removed from the flight so that his blood could be cleaned up.
  14. The flight took off after a three hour delay. Dr Dao was not on the flight.
  15. Chicago police released a statement reading “Aviation Officers arrived on scene attempted to carry the individual off of the when he fell and hit his head on the armrest.”
  16. United Airlines CEO Oscar Munoz sent out an email blaming Dr Dao for the incident and praising the efforts of the staff (see Appendix 1).
  17. The police statement was later removed from the Chicago police website.
  18. The aviation officer was put on immediate leave as of Monday.
  19. The Chicago Department of Aviation released a statement reading “The incident on United Flight 3411 was not in accordance with our standard operating procedure and the actions are obviously not condoned by the department.”
  20. United Airlines has also released a statement accepting responsibility for the incident.
  21. Analysis of United Airlines own Contract of Carriage document reveals that they did not have a valid reason to eject the customer (see Appendix 2).

Now we can make a few observations about this. Firstly, it’s only a four forty and minute hour drive from Chicago to Louisville – why on earth would you kick paying customers off a flight when you can just hire a car or send the staff to Louisville on a train or bus? Heck I’ll bet they could have found a taxi driver who would take $1200 and drive them there. That just doesn’t make any sense, and it goes to show they don’t put their customers first. Also, in what world is it okay to ferry your staff on an already full flight?? Let’s do some maths here: It would have taken the airline staff 4hrs and 40 minutes to drive to Louisville. On the other hand, the flight was delayed 3 hours, and the flight itself takes 1 hour and 15 minutes – so in total that’s 4hrs and 15 minutes. All of this bullshit only served to get the staff there 25 minutes early – and that’s assuming they left at the same time as the flight was scheduled. If they left earlier then then would of course be in Louisville earlier. And by the way, all reports I’ve read are consistent with the staff being required in Louisville the next day (Monday), not within the next 4-5 hours.

This is important, because United Airlines in one of their statements claimed that had the staff not got to Louisville on time that many more passengers would have been delayed on their flights. We know this can’t possibly be true, because the staff only got there a maximum of 25 minutes sooner than if they had hired a car and driven there. I keep calling them “staff”, it’s not clear whether some were pilots or whether they were all cabin crew, etc, but whatever the case they had other ways to get there that did not involve kicking paid customers off a Sunday flight. I also want to stress the point that a number of news stories have repeatedly referred to the flight as being “overbooked”, this is not the case. The flight was overbooked, but that had already been dealt with, the fact is they wanted to eject paying customers to give their seats to their own staff.

You can view many of the clips below:

Now note that this gentleman bought his ticket and expected to fly home on Sunday.  You could well argue that bumping Dr Dao to a later flight on Sunday isn’t a huge inconvenience – but the next available flight as already mentioned wasn’t until 2:30PM on Monday. I can understand why he would want to barricade himself in his seat – he was a paying customer who should be allowed to travel to his destination in peace. Instead he was violently assaulted by police. Now, bear in mind that passengers were offered $800 each to voluntarily vacate their seats – and no one did. Not a single passenger thought that it was worth $800 to them to vacate and fly home on Monday! Some reports have suggested passengers were only offered $800 in airline credit, however after going over the other facts of the case and looking at their aviation policy it does specify that compensation is in the form of a cheque. To be honest, $800 is pretty reasonable to stay overnight and fly the next afternoon – however people have commitments to make, and as mentioned no one on the flight thought that it was worth $800 to them to voluntarily vacate their seat.

The fact Dr Dao had a ticket and the airline simply wanted to give his seat to one of their staff is absolutely abhorrent. Is it really worth it to the airline to spend $3200 moving their own staff on this flight? This goes back to what I was saying before – flying isn’t the only way to get from Chicago to Louisville – you can take a 7hr train ride, or a bus ride, or a 4hr 40 minute drive. And why the hell are they even allowed to do that shit in the first place – don’t they have aviation regulations in the US? Since when can you revoke customer’s tickets after they have boarded the plane simply because you want to give someone else the ticket? That’s corporate scalping is what that is!

Furthermore, as revealed by a lawyer below, the Contract of Carriage Document does not provide a reason for the man to have been ejected from the flight (see Appendix 2). The document forms a legal contract between the passenger and the airliner and outlines when they are allowed to refuse flight for a passenger. Importantly, nowhere does it say they can remove a passenger so they can give their seats to staff, and furthermore, nowhere does it say that they can remove a passenger that has already boarded except for the reasons of disorderly conduct or security. The clause they are relying on is a denial of boarding – but as is perfectly clear in this case, the customer had already boarded. Put simply, their own contract doesn’t give them any right to forcibly remove an orderly passenger that has already boarded the flight. Or in legal terms, it deals only with denial of boarding and not with refusal of transport, or removal from the cabin after boarding.

The Contract of Carriage is what’s known as a contract of adhesion. That means it’s a contact presented by someone with greater power (in this case the airline) to someone with lower power. In such contacts it is not at all unusual for some of its terms to be thrown out when challenged in court. For example, the idea that you can refuse boarding to paying customers because you oversold the flight clearly advantages the airline’s interests over that of the customer. The Contact though also specifies that denied boarding is a last resort – and this brings me back to my point: why not pay a Taxi driver $2,000 in cash to ferry the staff to Louisville? That would have kept everyone happy – especially the cab driver offered the ride.

Dr Dao is currently recovering from the assault in hospital.

Appendix 1: Leaked email from United Airlines CEO Oscar Munoz:

Dear Team,

Like you, I was upset to see and hear about what happened last night aboard United Express Flight 3411 headed from Chicago to Louisville.

While the facts and circumstances are still evolving, especially with respect to why this customer defied Chicago Aviation Security Officers the way he did, to give you a clearer picture of what transpired, I’ve included below a recap from the preliminary reports filed by our employees.

As you will read, this situation was unfortunately compounded when one of the passengers we politely asked to deplane refused and it became necessary to contact Chicago Aviation Security Officers to help.

Our employees followed established procedures for dealing with situations like this. While I deeply regret this situation arose, I also emphatically stand behind all of you, and I want to commend you for continuing to go above and beyond to ensure we fly right.

I do, however, believe there are lessons we can learn from this experience, and we are taking a close look at the circumstances surrounding this incident. Treating our customers and each other with respect and dignity is at the core of who we are, and we must always remember this no matter how challenging the situation.

Oscar

Appendix 2: Lawyer reads the Contract of Carriage