Aractus

Blog of Daniel Baxter, now secure! :)

US accuses NK of unleashing WannaCry

And it’s probably bullshit.

Here’s the first reason to think this was not North Korea… it made the hackers barely any money. In total only around 360 people or so paid the ransom. The hackers were not prepared to receive large numbers of payments as there was no way for them to immediately identify a payment made to a specific infection. Nevertheless they did provide decryption for those who paid the ransom. They didn’t even steal any data – which is something that often happens with ransomware. They put a lot of effort into making their malicious program look nice and work well, and barely any effort into exploiting it for financial gain. Sure 360 people or so paid the ransom, but the ransom wasn’t very much and all the data remained on the victims’ computers, none was ever stolen or permanently destroyed which is the kind of mischief we’d expect a State actor like North Korea to get up to. After all, the stealing of information was clearly a motivation behind the infamous Sony Hack.

Remember, when the outbreak happened back in May, every self-proclaimed “security expert” appearing on TV or cited in the papers was saying it was spread through a malicious email campaign, with no evidence whatsoever to back up their claims. I rightly called it for what it was, and pointed out that the malware had the ability to spread itself directly to any vulnerable computer connected to the internet with some obvious caveats (for example there would need to be port-forwarding from the router), and that once just one PC on a network was infected, all other vulnerable computers on the same network could be infected. This is why it was so insidious to large organisations, but seemed to affect ordinary households much less. If you had a vulnerable computer connected to the internet in May, your router probably blocked connection requests on port 445 and that would have been the only thing that saved you from infection! Oh and it’s also why security experts who examined it say there was no email campaign associated with WannaCry.

There’s also another point to make. The ransom note was translated into 28 languages. The Korean version is apparently not very good and likely machine translated, and the Chinese is much better. Of course if it was a State-sponsored actor then you might expect them to obfuscate their origin by getting a native Chinese speaker to write the note, and that wouldn’t be hard for NK to find. However the sloppy Korean note suggests that it wasn’t written by a native Korean speaker.

WannaCry was a huge public attack that has resulted in people being more mindful of cybersecurity. This fact completely contradicts the usual intentions of State-sponsored actors, who generally want their attacks to be carried out quietly in secret so they can inflict as much harm as possible. This is what we see from NSA-backed attacks for example. And they want to be able to use their exploits for as long as possible.

Now I’m not saying that we know that NK was not involved. Just that it may have been China, or Russia, or South Korea, or maybe not even a State actor at all. And unless we see the respected independent non-state sponsored security firms lining up to blame NK I would remain extremely sceptical of any such claim. Do you see any of the major independent security companies backing this statement? No you don’t. What we can say, and this I think is the insulting thing about the USA’s claim that is parroted by Australia, Canada, New Zealand, Japan, South Korea, and the UK, is that the US Government and its State agency the NSA are squarely responsible for the outbreak. They’re the ones that developed the exploit and weaponized it. The ShadowBrokers are also a squarely guilty party, as they were not in any way interested in the “responsible reporting” of the security vulnerabilities. Responsible reporting means making security companies aware of the problem so they address it before it becomes widespread public knowledge. The NSA should have done that, instead they developed or bought exploits to weaponize.

Why aren’t journalists consulting the experts?

Symantec issued a statement on their blog back in May: “Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign.” Kaspersky’s assessment was similar. So far only Microsoft’s Brad Smith squarely accused NK, but I’d hardly count him as an unbiased source of information. This surely begs the question – why are the media too lazy to get statements on the US government’s claim from the top security firms?

Why has the US only now come to blame NK? The only real difference in facts between May and now is that the hackers withdrew their bitcoin in August (and appear to have left later ransoms received in the wallets). The rest of the facts and evidence was there for them to analyse, and it’s not like the evidence is overly complicated or difficult to examine. Certainly not to the point that it would take seven months to do.

Hold the US to account

The pathetic thing about all this is the unwillingness of any sovereign nations to hold the US to account for this. Not only that but they minimise their role even further by using incorrect terminology and calling their cyber-weapons “tools”. Heck, the hackers couldn’t even be bothered to create their own exploit based on the NSA’s weapon: for the “EternalBlue” cyberweapon the hackers simply copied the NSA’s code and used it as-is!! To put that in context, that’s like saying Person A invents the firearm, and then instead of making their own version based on Person A’s firearm, Person B just copies it exactly and makes the exact same gun. So even saying that WannaCry was “based on” the NSA’s code and cyberweapons is somewhat inaccurate: it contains the exact NSA code the way that the NSA wrote it. The US claims they want to hold NK to account for it, of course without actual proof of wrongdoing, yet they don’t want to admit any guilt. See here’s the thing, the US even arms terrorists and drug cartels with conventional weapons, and escapes being held to account. But on the other hand, if you decided to do that as an individual you could be charged with anything from inciting violence to treason and gaoled forever.

By the way, the US also invented the nuclear bomb, something North Korea is also arming themselves with. So perhaps it is time we think about holding the US to account for all this?

Introduction

The diet industry is huge. And mostly it doesn’t work. Why is this? Well, it’s actually quite straightforward. People are set up for failure by an industry that thrives on people failing and coming back. They don’t really care whether their clients succeed or not, so long as they can profit from their efforts. I have a huge ethical problem with this, and I think any service should be covered by a guarantee. Instead, people blame themselves for the failure of commercial weight-loss programs, and the industry doesn’t take responsibility for their failures. In this entry what we’re going to look at is the peer-review published evidence for the Flexi diet, and I’ll go over whether or not it is sufficient to guide clinical practice.

The first thing I wish to ask is – how would you define success? Is yo-yo dieting/weight-gain a success? Is short term weight loss a success? Take a moment to consider these questions, they’ll be addressed as we proceed.

What is the “Flexi diet”?

The Flexi diet is “backed by CSIRO research” (CSIRO, 2016). When I first heard about this, I thought the CSIRO had designed and published a diet in the form of a book… I think I first heard it on the radio, and the media was reporting that the CSIRO launched an intermittent fasting diet for weight loss (Connery, 2017; Powley, 2017; SBS, 2017). In fact the CSIRO website also makes this claim. In reality they “co-developed” it, but it’s questionable as to exactly what they “developed” and wish to take credit for.

Despite repeated claims of this on the Impromy website they do not provide the citation to the paper itself. Even more bizarrely, neither do the CSIRO on most of their pages on Flexi including their blog announcement! I’ll refer to the research paper as the “CSIRO paper”; here is the paper’s citation, with a link to it so you can read it in full if you want:

Brindal, E., Hendrie, G. A., Taylor, P., Freyne, J., & Noakes, M. (2016). Cohort analysis of a 24-week randomized controlled trial to assess the efficacy of a novel, partial meal replacement program targeting weight loss and risk factor reduction in overweight/obese adults. Nutrients, 8(5), 265. doi:10.3390/nu8050265

In a nutshell, the Flexi diet is a ~30% energy deficient diet that uses commercial meal replacement (MR) shakes and one high-protein meal six days a week. One day a week is a free day. The so-called “fasting days” are simply further energy restricted compared to the other energy restricted days. A more detailed description of the diet is in the following sections.

Description of the study

The study took place over a period of 24 weeks, and predominantly considered whether a program incorporating commercial meal replacement shakes, controlled diet, iPhone app, and ongoing dietary support would support weight loss for participants. In other words they studied a proposed commercial product, which eventually became known as the Flexi diet by Impromy.

The paper begins by informing the reader that lab data and real-world data are often very different, citing that meal replacement and other weight management strategies have been promising in trials, but that their efficiency in the real-world drops significantly. As noted in the paper, in just about all programs available through pharmacies weight-loss becomes negligible after the first 12 months. These issues will be discussed later in this essay.

The CSIRO study involved observing two intervention groups. All their participants were randomly assigned to one of two intervention groups, with both receiving the same intervention with the exception that one group was given a more basic iPhone app than the other. There was no control group. The study environment was a CSIRO lab and not a pharmacy. In total there were 146 participants, 104 females and 42 males. 27 participants were overweight, the remainder were obese (BMI 30+). The intervention period was 24 weeks, with 12 weeks of “active intervention”. “Active intervention” involved face-to-face meetings with non-nutrition trained consultants who had been given program-specific training from dieticians involved in designing the program. Participant-reported data was relied on primarily for care, and their weight was measured regularly by the consultants. They were also asked to provide feedback on their satisfaction of the meal replacement shakes throughout the program, as well as questions from the consultants that included “what has been the most helpful aspect of the program” (which was asked in week 12). Many of the feedback questions were targeted towards improving the prototype program rather than studying the program objectively per se. Meal replacement sachets were free for the first 4 weeks, and then provided at a nominal cost of $1 each for the remainder of the study.

The findings of the study were modest. 84 participants (58%) completed the study. Of those who completed, 72 offered 94 comments on the meal replacement shake, of those 57 were identified as positive comments, and 16 as negative. 33.5% of all participants lost weight over the study period. All significant weight loss occurred by week 12, with no significant change in weight between weeks 12 and 24.

The CSIRO paper cites Gordon et al. (2011), a systematic literature review which found that pharmacy based weight-loss intervention programs only achieve modest results. The Gordon paper found such methods only achieved an average weight-loss of 0.6-5.3 kg in the first 3 months, 0.5-5.6 in the first 6 months, and just 1.1-4.1 kg over the first 12 months. It’s important to mention to you the design of their study as it is not addressed in the CSIRO paper: this is not a review of all pharmacy weight loss products, rather it is a review of peer-review published “studies” of such products. Only 10 studies met inclusion criteria for a systematic review, and the paper’s authors report that this likely represents a strong bias towards meaningful results. That is, many other programs that were available were either: not studied at all, studies undertaken went unpublished, published studies did not meet the inclusion criteria (eg did not take place in a pharmacy setting was the main reason for published papers not being included), or the focus of the study wasn’t weight loss. All 10 of the studies included were multi-factor interventions that included dietary and physical activity components. Finally, the authors noted there was a strong risk of bias in all of the studies which the CSIRO does not mention in its citation of this paper.

Discussion

The paper’s premise that pharmacy-delivered weight loss intervention programs are advantageous is highly questionable to say the least. Any positive findings from the cited Gordon paper are not relevant to this study for several reasons including that: all trials reviewed in it included a physical activity component, and all trials were conducted in actual pharmacies and not research labs. Literature consistently shows that interventions that combine diet and exercise provide patients greater weight loss (Franz et al., 2007; Johns et al., 2014). Furthermore it represents but a small fraction of the weight management programs available in pharmacies, many of which are quackery! The Gordon paper is their best evidence from the literature for delivering weight-loss programs through the pharmacy, yet read below what the paper actually says in its conclusion:

“This systematic review identified few high-quality studies on weight management in community pharmacy. Currently, there is insufficient evidence for the effectiveness and cost-effectiveness of community pharmacy-based weight management initiatives to support investment in their provision.” (Gordon et al., 2011).

CSIRO authors correctly point out that successful lab studies generally provide participants with ongoing multidisciplinary professional support at no cost for the duration of their clinical trials. This should not surprise us! In fact, it completely discredits their hypothesis that any commercial program will succeed. Finding effective low-cost long-term solutions continues to be evasive. People who wish to lose weight will be far more successful by working directly with a dietician or a registered nutritionist on a tailored program: no commercial program has been shown to even approach an equal degree of success. In fact, most of the commercial programs are not designed and targeted for people who are obese, but rather people who are only slightly overweight. Cost is a big factor: clinical trials as mentioned are generally free to participate in. Commercial programs are expensive and need to fit into people’s budgets. Working directly with a registered nutritionist or a dietician is also expensive, however they can provide their clients suitable and realistic diet plans instead of generic plans produced for mass-consumption that don’t fit most overweight or obese clients. This begs the question: why is the premise of the CSIRO study to deliver a program through pharmacies instead of through dieticians?

Some of the claims in the paper are dubious to say the least:

“For longer term success on a program such as this, providing individuals with the flexibility to transition through to fewer meal replacements as their weight loss progresses or as fatigue with the shakes sets in becomes an important element for success. Pharmacy staff are ideally placed to assist the community with weight loss as they are readily accessible and can be available to consultant with individual’s on an as needs basis, potentially quicker that seeking advice from other health professionals. However, appropriate training and tools are required to ensure pharmacy staff delivering the program (not qualified in nutrition) have adequate support to facilitate such a transition through a weight loss program.” (Brindal et al., 2016)

These findings in particular are concerning as they did not recruit pharmacy staff. Nor did they do any research into determining whether people would actually approach pharmacists for dietary advice and assistance with weight management. Nor did they attempt to find out if this is something pharmacists would do instead of say directing a client to a registered nutritionist. Why should pharmacists who are health professionals administer a commercial weight loss program that is not supported by evidence? Even Impromy’s own forum shows the flaw in this logic: “Just opened up the program. … I’m thinking this appears to be more a money making venture, rather than a supported diet. … The Pharmacy wasn’t much help at all.” (C. Kendall, Impromy discussion forum). The last question from that participant on the online forum has gone unanswered for two straight weeks! I don’t imagine the pharmacy will help either – is this really the realistic supportive environment envisioned in the study?

I’m going to show you something the diet industry doesn’t want you to see:

Figure (weight-loss interventions): Franz et al. 2007.

The figure is from a high quality literature review. As you can see, none of these interventions can be shown to work long-term except for maintaining some of the weight loss experienced in the first 3-6 months. The only thing in that review that kept going was an appetite suppressant (Sibutramine) that’s since been banned by the TGA (also the FDA in the US) in 2010 due to serious adverse side effects. This is why the diet industry is so big – nothing works long-term. Weight-loss doesn’t continue beyond 6 months. Only half the weight lost is maintained to two years, and often all the weight is regained over 5 years. I guess that’s fine if you just want to lose 8kg in 6 months and don’t mind putting back on 4kg. But – keep in mind that most participants at least in this study are obese. A person who is 5′ and slightly obese needs to lose a minimum of 12kg to get to a healthy weight. A person who is 6′ needs to lose 18kg. And have you ever noticed how there are dozens of “12 week” weight-loss products? Now you know why. It’s not because they’re great products, it’s because people won’t notice they don’t work if they stop after 12 weeks!

There are several problems with the CSIRO study. Firstly it’s far too small to generalise data from, and it doesn’t have any follow-up data after six months. There was no control group – therefore this is not an RCT but just an observational study. It’s not in the commercial interests of Impromy to commission an RCT (randomised control trial) as it would likely show their intervention to be ineffective as is the case with the Ahrens paper reviewed by Gordon et al 2011 (and the only RCT in their review). An academic description of it reveals there was no statistically significant difference in the weight loss outcomes compared to the control group that were given a traditional energy-restricted diet (Academy of Nutrition and Dietetics, 2006). The CSIRO study environment was not a pharmacy, and the trial was not delivered by pharmacists. Participant-reported data was relied on, when we know that is problematic. And the “satisfaction feedback” is unlikely to have produced meaningful feedback: people participating in studies are often willing to say more positive things about their experience than real-world clients or customers would.

Conclusions

Overall this is a low quality study that is not suitable to guide clinical practice. And that’s putting it as nicely as I can. As mentioned there are many problems with this study, it is low quality by design. It’s not really designed to find best practice, it’s just designed to produce a result. They lack a control group which is absolutely necessary to make any clinical guidelines from. There is no doubt at all that expecting participants to get ongoing support from pharmacies is wholly unrealistic.

The program produces mediocre results. Some media incorrectly reported that participants lost an average of 11kg (I have no idea why, perhaps they extrapolated the findings from 24 weeks to 12 months or something), but in reality the amount of weight lost was nothing special and well below the amount required to make the participants healthy. In other words, they’re selling a diet that fails to achieve a healthy weight even for participants that were only slightly obese. A successful program should at the very least reduce the weight of obese category one clients (BMI 30-35) to a healthy weight. There is no suggestion in the paper that any of their 117 obese clients achieved a healthy weight. Which is not surprising of course in only a 24-week period, but nor is there any indication that their clients were on track to do so: in fact the paper states that weight-loss ceased after the first 12 weeks!

The CSIRO are doing themselves no favours by promoting this “weight-loss diet”.

Recommendations

What should you do if you wish to lose weight? My suggested starting point is to learn the Consumer Healthy Eating Guidelines (that’s the AGTHE in Australia, MyPlate in the US, etc). Those guidelines are freely available and evidence-based, and you can read the literature behind them. Unfortunately most consumers ignore them. If you’re OK with a more restrictive diet you can also consider using DASH or the Mediterranean diet guidelines. None of those are weight-loss diets of course, but they are all health-promoting and provide a solid foundation for learning portion sizes and the right balance between the food groups. Meal replacement diets suffer the problem that they don’t re-educate people into healthy eating, and people often find themselves lost when working out how to eat once the MRs are gone.

A good starting point would be elimination of “discretionary foods”, and a strong focus on eating enough fresh fruit and vegetables (most people don’t eat enough veggies). If you can work that out, then weight-loss is as simple as creating a moderate energy deficiency with of course a long-term commitment to substantially altering one’s lifestyle.

Physical activity also needs to play an important role. When it comes to this there are many options available to people – sports, gyms, swimming, cycling, jogging, walking, altering the workplace environment, dancing, martial arts classes, etc. People should seek solutions that work for them.

References:

(Academic)

Academy of Nutrition and Dietetics. 2006. AWM: Meal Replacements (2006). Evidence Analysis Library (if page doesn’t load clear cookies)

Brindal, E., Hendrie, G. A., Taylor, P., Freyne, J., & Noakes, M. (2016). Cohort analysis of a 24-week randomized controlled trial to assess the efficacy of a novel, partial meal replacement program targeting weight loss and risk factor reduction in overweight/obese adults. Nutrients, 8(5), 265. doi:10.3390/nu8050265

Franz, M. J., VanWormer, J. J., Crain, A. L., Boucher, J. L., Histon, T., Caplan, W., … & Pronk, N. P. (2007). Weight-loss outcomes: a systematic review and meta-analysis of weight-loss clinical trials with a minimum 1-year follow-up. Journal of the American Dietetic Association, 107(10), 1755-1767. doi:10.1016/j.jada.2007.07.017

Gordon, J., Watson, M., & Avenell, A. (2011). Lightening the load? A systematic review of community pharmacy‐based weight management interventions. Obesity reviews, 12(11), 897-911. doi:10.1111/j.1467-789X.2011.00913.x

Johns, D. J., Hartmann-Boyce, J., Jebb, S. A., Aveyard, P., & Group, B. W. M. R. (2014). Diet or exercise interventions vs combined behavioral weight management programs: a systematic review and meta-analysis of direct comparisons. Journal of the Academy of Nutrition and Dietetics, 114(10), 1557-1568. doi:10.1016/j.jand.2014.07.005

(Non-Academic)

Connery, G. (2017). CSIRO backs fasting and meal replacement shakes in new ‘Flexi’ Diet. Fairfax News

CSIRO. (2016). Impromy™ Health and Weight Management Program. CSIRO website

Powley, K. (2017). How does the CSIRO’s new flexi diet rate? News Corp (subscription) / Mirror

SBS. (2017). Researchers examine time-restricted eating. SBS News

Tufvesson, A. (2012). The CSIRO’s Flexi diet weighs in as the fast way to avoid fasting. The New Daily



Fake. I like to be upfront, I saw for some reason a video come up on YouTube with a click-bait title “my 600 lb life exposed” where the lady claims she did her research and she’s concluded that it’s “real”. Well she’s wrong, and this entry will explain why she’s wrong.

So first off let’s set some parameters. Real would be a documentary, an investigative journalist report, a medical procedural show, a bibliographical programme, or perhaps an educational programme. At the lower end we might even accept a current affairs show. 600-lb Life is a reality television show that imitates the format of a documentary programme like Brother’s Keeper. Its imitation of the documentary format is as close as it gets to being “real”, the show is just entertainment, not an informative show. You could even call this kind of show “documentary-porn”. It’s what people watch instead of documentaries as documentaries are far less entertaining.

One reason why people might think that this show is real is because it has “real people” and claims to follow their journeys over the course of a year. But this is just a staple of reality television.

So why then is this show fake – what makes it fake? The number one difference between this kind of show and a documentary is that a documentary film-maker is there to tell the story that unfolds – they aim to represent people and their journey as they are, and to present the viewer with an accurate account of what took place condensed into the space of an hour or two. Reality shows instead of showing you people’s journeys, construct characters/personalities out of their participants and manufacture dramatic moments through the use of music cues, clever editing, and frankenbiting. Constructing personalities for your characters in single episode instalments is far easier than in ongoing serials – have a look at Ice Road Truckers for a counterexample and take notice of how those portrayed with “reckless” personalities have that toned down or even dropped in subsequent series!

They also create whatever story and whatever ending they want for their show and make it all fit within their show’s formatting. One huge difference you will notice between this show and any acclaimed documentary is the use of a voice-over by their participants. To create this voice-over the participants are primed with videos of stressful or emotional clips and a producer (or director) grills them with questions that either further prime them or are intentionally leading. So for example, when you hear someone say something like “this is my last chance and if I don’t get surgery I will die”, a line that every participant I’ve seen so far appears to have uttered, it’s because someone has primed them or led them to say that off-screen … or they’ve simply constructed it by frankenbiting (taking different parts of conversations and editing them together to create a completely new statement by their participant). And it’s not hard for them to manipulate these participants, as most of them have high anxiety associated with their weight, and when a producer or someone off-camera makes them uncomfortable they will do what the producers want in order to lower their anxiety.

The show does not address many of the issues facing the participants. It presents a very shallow view of weight management – there are many issues which these people face, however if it doesn’t fit the show’s manufactured format then they aren’t included. Social anxiety for example is one huge issue for many people with morbid obesity that prevents them from going into public more to exercise etc. Disordered eating is usually the result of a mental health condition, rather than the result of gluttonous behaviour and those issues are not addressed either. Instead the show simply views morbid obesity as the result of a person’s unwillingness to control their behaviour and the enablers that surround them. While that forms part of the picture, it’s far from a comprehensive understanding.

If someone fails to lose weight or to get surgery over the course of the programme they can construct whatever personality they want to present the viewer with. The blame for this is always on the patients and never on the healthcare providers who never seem to feel responsibility for the success of their clients. One example of this is an episode with a man named James K who they present as being a gluttonous slob. Never mind that he became bed-bound due to breaking his ankle, and probably feels high anxiety and humiliation due to it, which of course is going to make any effort to control his diet difficult. Cynthia on the other hand is portrayed as a strong independent woman raising a lovely family, but how different her episode would have been had she started bed-bound following a broken ankle! And that leads me to my next point…

The show presents unrealistic expectations on its participants. You think morbidly obese people can stick to an 800kcal or 1200kcal diet on their own? You have to be kidding me. And not only that, but every episode portrays bariatric surgery as the final goal of the participant – never mind the fact that it’s not suitable for everyone, and that people need to be assessed to determine whether they can lose sustained weight on a controlled diet on their own or whether they will require surgery. It’s not something suitable for all morbidly obese people. And nor is an 800 or 1200 kcal diet: to lose weight over the long term without surgery you would put someone on an energy-restricted diet that decreased energy over time as they lose weight – and you wouldn’t start anywhere near 1200kcal. In fact based on the show’s portrayal of Dr Nowzaradan who consistently blames his patients or their family members for their ill health, and never seems to advise them that bariatric surgery may not be the right solution for them, I would think he should be investigated for medical malpractice.

Some participants are shown to be consistently losing weight, but then get surgery anyway. Um what? And worse still, in those episodes Dr Nowzaradan will say something like “they have done really well but need surgery to keep going and make progress long term”. No they don’t – many of them don’t need surgery at all. Bariatric surgery does not work long-term. It’s not a real solution, at least not for all patients. It can be a helpful tool, but that’s it. The idea that people need it or they will die, or that they can’t make progress without it is a complete fabrication and outright lie. If you watch the original series that was shot over the course of 7 years you will find that some of those participants (all of them by now probably) re-gain all the weight they managed to lose before and then after surgery. And that brings me to my final point.

The show’s successes are only an illusion. Here today, gone tomorrow. The show does start by saying that only 5% of morbidly obese people are successful long-term in controlling their weight, but they end many of their episodes by portraying a success that may be nothing but a short-lived false victory. The end goal for weight management is in 20, 30, 40 years time in the long-term, not in 1 year. 1 year means nothing, and if the show put that into context it might have a bit more medical credibility.

The show is fake; if you enjoy it that’s perfectly fine. It’s an entertainment show after all, but stay sceptical and don’t take it seriously.

Jodie Whittaker as Doctor Who?

I see that there’s a lot of discussion about the 13th Doctor’s casting. Much of it is focused on whether it’s a good idea or a bad idea to cast a woman in the role. As usual I’m here to address the questions that no one else will.

Paul McGann nailed the role. And not only did he do that, but he did it in just one made-for TV movie. Every other actor to play Doctor Who had the ability to grow into the role. We in fact see this very clearly with David Tennant – the Christmas special was not his finest moment, but he improved in the first series and nailed the role. Christopher Eccleston nailed the role from the very first episode of his series.

And then we had Matt Smith. The less said about the 11th Doctor the better. He was completely miscast. In fact, speaking of miscast Doctors, David Bradley is also horribly miscast as the First Doctor as well. Well why do I say this? Eccleston was only 40 when he first appeared as Doctor Who filmed in 2004. But he presented the dual persona of a middle-aged man with a wide-eyed youthful enthusiasm for adventure. And that’s who Doctor Who is, in a nutshell. Tennant had more emphasis on the wide-eyed youthful enthusiasm side of Doctor Who, and less on the middle-aged man solving problems, but he still struck a balance. Smith was cast to replicate this but failed miserably – it’s likely that he was just too young to play Doctor Who. To make matters worse, Moffat’s tenure has been plagued with problems – he just doesn’t seem to understand how to make satisfying story-arcs, or follow through with consequences.

So, why is Bradley miscast I hear you ask? It should be blindingly obvious. William Hartnell was 5’8”. He carried his chin high and looked up to taller men around him. Bradley is 5’11”. So far he has never carried himself the way that Hartnell did, and unless all of the supporting actors are taller than 6’2”, it’s quite unlikely that he will. To put this into context, Jodie Whittaker is William Hartnell’s height.

So should we be concerned with the casting of Jodie Whittaker? Well maybe. For 2018, she’s one year older than Tennant was when he took the reins in 2006. Doctor Who is not really a part for young actors – most actors to have played the role were in their 40’s or 50’s. In fact, of the first 7 doctors, Davison was the only actor not to be aged in his 40’s or 50’s. Since that time there have been five more doctors: McGann, Eccleston, Tennant, Smith, and Capaldi. Two of those actors were in their 40’s or 50’s. That brings the total up to eight actors to date out of 12.

Of the younger actors McGann and Tennant were absolutely extraordinary. Davison carried the role well as well. Smith on the other hand did not. And then to make matters worse, we’ve had people grow up watching Smith who were then shocked with Capaldi’s more Hartnell-like performance.

Now to be fair, you might say that well Colin Baker and Sylvester McCoy weren’t that great either.

I would also say that the abolishment of two-part episodes has weakened the series under Moffat. The original series was a serialised show. I think the loss of that serialisation has hurt the show – single episode 45-minute instalments are not the ideal format for all of the stories.

I still remember when I first saw Tennant after the regeneration at the end of Series 1. I was extremely sceptical. But Tennant managed to pull off the role admirably. The biggest question I have over Jodie is not whether a woman should be cast, but whether she’s the right age to play Doctor Who or not. I don’t think she is – I think the series thrives on casting actors in their 40’s-50’s. Does that necessarily mean she’ll do a bad job? Of course not, we’ll wait and see. Most of the younger actors actually did well in the role, it’s only Smith in my opinion who didn’t.

I would hope that the design team thinks seriously about the TARDIS interior. Or they do what was done with Tom Baker and have a season without it at all. It would be a disaster to hand her Capaldi’s TARDIS interior. Returning to a traditional white interior would in fact be most welcome. I do also think it would be great to give the Eighth Doctor a season or two. McGann is an absolutely amazing actor, in his single appearance he nailed the role, and is currently the right age to play the Doctor.

All of this said though I am pleased to see the end of Moffat as showrunner! I wish all the best for Chibnall and Whittaker!

The future of the web is ad-free

Your future and my future are certainly ad-free. We use uBlock Origin and the MVPS hosts file.

I’m about to tell you what all those people on Youtube and other places have missed, when they cry foul of adblockers, or put up anti-adblock messages. Are you ready?

It used to be that only the tech-savvy knew how to navigate their way around such things. That was way back when though. Times have moved on since the 90’s, and the so-called tech-savvy are in a group I would be hard-pressed to define other than that we love computers and love to tweak, test, modify, and when necessary code. The problem that others don’t realise is that what used to be “tech-savvy” is the new norm. Times have moved on, and people have become aware they don’t need to buy Microsoft Office at a retail store and can either get a legal copy as cheap as $70 or use free software instead. I remember way back when a less tech-savvy guy had had his computer infected with a virus and the first thing he did afterward was (of course) to buy Norton Antivirus, and went on to say how great it was. He could have installed AVG for free instead, and at the time I had no idea why he would choose a paid option.

No one likes ads. So just to make this clear this post isn’t at all about whether or not ads have a right to exist, I think they do, but collectively we all hate them. Internet ads pose significant privacy issues, although that’s well beyond the scope of this post.

I think it would have been great to invest in Google in 2000, and to sell your shares now. Actually that may not be great financial advice. But look, Google is a cunt of a company. I’ve said so countless times before. Why only this week they have been fined over 2 billion Euros by the EU for something that I criticised WAY BACK FUCKING WHEN! Why was I the only one that cared that they removed the google product search and replaced it with the shopping tab. JESUS CHRIST am I really the only person on the whole internet that noticed this? It happened on 31 May 2012.

The business model of certain companies is to keep people down. Sometimes that includes consumers. But what we have seen, if nothing else, over the last 20 years is the internet build into something accessible to everyone. And everyone deserves privacy, and the best possible experience going forward. The golden age of internet advertising is over. And it didn’t come soon enough!

Do you see any ads on my blog? Of course not. I’m just grateful you took the time to read this, I hope your experience navigating and loading the site was smooth, and I don’t want a cent from you.

What you weren’t told about WannaCry

I pride myself on providing you, the humble visitor, with good information. Not always perfect because, well, I’m not a security expert. You can think of this post as an afterthought if you like to my previous post, what I am aiming to do here is complete the picture.

Is Microsoft to blame?

The US Government and their spy agency the NSA are the main guilty parties in this instance. The ShadowBrokers who hacked the NSA and then publicly released the weaponised exploit are also to blame. And yes, Microsoft absolutely shares some of the culpability. Here is the thing you haven’t been told anywhere on the internet… some systems don’t update even when configured to do so. You want evidence? Here are screenshots I took earlier this week on a friend’s PC:

[Image: update-1]

[Image: update-2]

When I manually checked for updates it just spent hours on this screen:

[Image: update-3]

And no, that system is not patched. I was unable to fix the problem. WHAT THE FUCK MICROSOFT?! My solution for that system will be to re-install Windows. Nothing worked – and I did try. This page contains most of the fixes I tried. The owner of that PC had no idea the system wasn’t up to date. How many other Windows installations have this same problem?

And probably the most misreported fact on the internet “windows doesn’t support XP anymore”… WRONG! They do. They only provide support to those who pay for it though, and according to some the latest pricing for this privilege is about USD 1000 per year per desktop Windows XP installation. For the ordinary home user, you can still get Windows XP updates until 2019, and possibly longer. To achieve this you simply tweak a registry setting that tells Microsoft that it’s an Embedded system. XP was embedded into all kinds of hardware that is impossible to upgrade – speciality hospital equipment like MRI scanners, ATMs, etc. And they still receive security updates to this day.

People were surprised when Windows released a patch for this vulnerability for Windows XP. But they shouldn’t be – the patch would have been rolled out for XP Embedded at the same time as Windows 7/8/8.1. The only difference is that they waited until after the worm appeared before pushing the patch to non-embedded XP systems.

Why was there a kill switch?

The original version of WannaCry attempted to connect to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and then terminated if successful. Other variants then emerged with hex edited domains, or with that section hex-edited out entirely. But why was it there? It could just be a bit of unfinished code. It might be intended as an anti-detection measure, but it’s been pointed out that it doesn’t just do a DNS lookup it expects to create a TCP connection to the domain too. If there’s no TCP connection then WannaCry will execute the payload anyway. It could just be the hacker’s way of “having fun” with their malware – let people think it’s stopped and then push out the variants. Who knows?

How much has been paid out in ransom?

Not very much. So far over 200,000 people have been infected, and only 292 (or less?) have paid the ransom. That’s 0.1%. The three wallets are: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. About $109,000 or USD 81,000 has been paid in total so far. At 292 people though that averages at significantly less than USD 300 per ransom – going by the actual dollar figure only 270 people or less have paid up at the time of writing.

Is it a State actor?

Possibly. You will have heard that North Korea has been identified as a possible culprit. The problem though is that any competent hacker can make their code look like it came from North Korea, China, Russia, the USA, whomever they want.

So what’s their motivation?

You might think that the crypto-ransomware developers are simply highly motivated to be paid hefty ransoms. Well, most professionals don’t believe that to be a huge motivation. Just look at the program for a start: it encrypts types of documents that are important and valuable to their owners. They could steal sensitive documents actually if they had wanted to, but they didn’t. So you heard about the NHS in the UK having patient information encrypted – that’s a huge problem for them – but can you imagine how much worse it would have been if the malware developers had stolen millions of confidential medical files, and then ran a real extortion racket like was run against Ashley Madison?

Then, they provide you with all the information you’ll need to get your files back, assuming you pay up. They give detailed instructions on how to use Bitcoin, they helpfully put the decryption program everywhere on your system so you can always find it, and they give you a wall-paper in case your antivirus removes the decryption program. And the program is translated into 28 languages as well to ensure that you can read it:

[Image: wana-decrypt0r-2]

Their set-up is not particularly well designed to receive payments, which is why they’ve received so little. Plus they have to manually verify payments on their end because they didn’t put in an automated system (i.e. unique bitcoin identifiers) to make it easy for them to verify. And it’s not exactly going to be easy for them to get their bitcoins. But here’s the thing, malware has been around for a very long time before the concept of ransomware. So they are unlikely to care much about actually getting paid, in fact they tell you explicitly if you’re so poor you can’t afford the ransom there will be a chance to get your files back in six months.

Whatever their motivations are, it’s not money. At least not primarily. It’s been pointed out that leaked NSA cyberweapons have been used to turn computers into large botnets to mine bitcoins, and that was a far more lucrative strategy for cybercriminals than this method. But what we can say is that they have put a lot of effort into their program – they want to get their name out, I don’t think they care whether people pay the ransom or not, they will probably give out the master key after a few months.

Did people click malicious links in emails?

This is the most misreported aspect of WannaCry. It is able to spread itself directly through the internet to any vulnerable computer that it finds. We don’t know how the NHS in the UK got infected, but it is possible that the worm spread across the internet by connecting to just one vulnerable PC or internet server across port 445, and then once it got on the network it can infect all the vulnerable PCs it finds on the ethernet. And that’s actually a larger problem for organisations than it is for home users, because it will be trying to connect through your IP address which is assigned to your router, but organisations often assign public IPs to computers. And they have to for servers. So yeah, we don’t know, but we do know that this crypto-malware spreads directly across the internet without people needing to click any links if their system is vulnerable. That’s how bad this exploit is! Again though, if you’re behind a home router you’re probably safe.

Is it really the worst ransomware attack yet?

Yes. I chose my words carefully, it’s not necessarily the worst cyber attack, but it is the worst ransomware attack. What has made it so bad is that people on vulnerable networks do not have to click any links, as the malware spreads laterally as a worm. If you have this on your computer it will eventually try connecting directly to every single public IP in the internet – starting at 0.0.0.0 and ending at 255.255.255.255. Obviously that’s a simplified explanation, it randomises its IP selection, but yes every computer with the worm – all 200-300,000 of them – will eventually try to connect to every single IP on the internet. And it wouldn’t take that long either, as there’s only 4 billion IPs to try.
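The scanning described above, one infected host trying port 445 on LAN neighbours and public addresses alike, shows up in flow or firewall logs as SMB fan-out. The following is an added example, not part of the original post, of how a defender could flag it; the log layout, addresses, window and threshold are all assumptions.

```python
"""Flag hosts that contact many distinct destinations on TCP/445 in a short window."""
import ipaddress
from collections import defaultdict, deque

SMB_PORT = 445

# RFC 1918 ranges checked explicitly: ipaddress.is_private also returns True
# for documentation ranges such as 198.51.100.0/24, which this sample uses
# as stand-ins for public addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the address sits in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_sample_log():
    """Constructed flow records, one per line: 'epoch_seconds src dst dport'."""
    lines = []
    # Ordinary workstation: repeated SMB sessions to the same two file servers.
    for i in range(40):
        lines.append(f"{1000 + i * 5} 10.0.4.50 10.0.1.{10 + i % 2} 445")
    # Worm-like host: a new destination every second, LAN and public mixed.
    for i in range(30):
        dst = f"10.0.4.{100 + i}" if i % 2 else f"198.51.100.{i + 1}"
        lines.append(f"{1100 + i} 10.0.4.23 {dst} 445")
    # Noise that must be ignored: non-SMB traffic and a malformed record.
    lines.append("1105 10.0.4.23 203.0.113.9 443")
    lines.append("garbage")
    return "\n".join(lines)


def detect_smb_fanout(log_text, window=60, threshold=20):
    """Return {src: {"peak": n, "external": m}} for every source whose number
    of distinct TCP/445 destinations inside any `window`-second span reaches
    `threshold`. "external" counts distinct non-RFC 1918 destinations."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, dport = int(parts[0]), int(parts[3])
            ipaddress.ip_address(parts[1])
            ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # skip records with bad numbers or addresses
        if dport == SMB_PORT:
            events.append((ts, parts[1], parts[2]))

    events.sort()
    recent = defaultdict(deque)    # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)        # src -> largest distinct-destination count seen
    external = defaultdict(set)    # src -> public destinations contacted

    for ts, src, dst in events:
        queue = recent[src]
        queue.append((ts, dst))
        while queue and queue[0][0] <= ts - window:
            queue.popleft()
        peak[src] = max(peak[src], len({d for _, d in queue}))
        if not is_internal(dst):
            external[src].add(dst)

    return {src: {"peak": peak[src], "external": len(external[src])}
            for src in peak if peak[src] >= threshold}


if __name__ == "__main__":
    for src, info in detect_smb_fanout(build_sample_log()).items():
        print(f"{src}: {info['peak']} distinct SMB peers in window, "
              f"{info['external']} outside the LAN")
```

A workstation talking to its usual file servers stays far below the threshold, while any attempt to reach public addresses on 445 is worth a look on its own.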

So it’s not an understatement at all to put the blame squarely on the US Government/NSA. And this is just the beginning – the ShadowBrokers (the hackers that hacked the NSA and released their cyber weapons) said they have yet more cyber weapons to release.

World’s worst ransomware attack yet

The recent WannaCry ransomware attack has been described as being the worst attack yet. The cybercriminals who created it have quickly become the world’s most wanted cyber criminals… but let’s talk about who’s responsible here, because the cyber criminals were armed whether intentionally or not by the NSA.

[Image: fbi-most-wanted-hannibal]

By the way, I have been working on a little project that is nearing completion, here’s a little preview of it that I made very quickly using Microsoft GIF Animator:

[Image: ubobanpreview]

I highly recommend installing uBlock Origin, that will provide you with some protection against an infection through malvertising.

The NSA developed an arsenal of cyber weapons. One of these weaponised exploits is called EternalBlue. The NSA’s entire arsenal of cyber weapons was both leaked and sold to third parties, including to hacking groups. Recently, a different arsenal of cyberweapons developed separately by the CIA was leaked to Wikileaks (known as Vault 7) who proceeded with responsible disclosure. Responsible disclosure means giving broad information to the public, while giving specific information to affected software and hardware vendors so that vulnerabilities can be patched, and then later full disclosure. In the case of the NSA’s arsenal of cyber weapons, it fell into the hands of a hacking group called The Shadow Brokers, and they do not believe in responsible disclosure so they promptly dumped the cyber weapons directly into the hands of the masses. The Shadow Brokers claim they hacked the NSA and stole the weapons, but however they came to obtain them is irrelevant.

The reason this is the worst ever malware attack is that it has crippled critical infrastructure. This is what every security expert has been worried about. It leverages EternalBlue (and EsteemAudit for older OS’s) to spread across computing networks. How ordinary users become infected though has not yet come to light, but I suspect Malvertising may be one culprit.

[Image: wana-decrypt0r]

Ransomware works by encrypting your data using RSA encryption. What you need to know about RSA is that it’s the same principle behind SSL/TLS internet security. It is an asymmetric encryption – there are two keys, let’s call them Key A and Key B. If data is encrypted with Key A, then it can only be decrypted with Key B. If it’s encrypted with Key B, it can only be decrypted with Key A. Ransomware generally generates a unique key pair for each and every infection, and it can be remotely generated on a server far away. What that means is that an infected user has no way of obtaining their decryption key – it can’t be brute-forced, it can’t be extracted from the program, the only way to get it is from the cybercriminals who have it.

If you’re infected, should you pay up? Well, if your data is worth more to you than $400 – yes you should. Some reports have suggested you have no guarantee of receiving a decryption key… well that’s true, but generally speaking operators of ransomware do provide the decryption keys when payments are made. The situation where that might not be true is if you manage to get infected with an older malware by a group that’s no longer active, then I would agree you would be chancing it if you pay up.

So who should foot the bill for this? I believe the US government should be held to account, and made to pay out the ransoms. They’re the assholes that developed this cyberweapon. This is exactly the reason why the security industry hates the so-called intelligence industry. The correct thing to do when you find a security vulnerability is to do exactly what Wikileaks did with Vault 7: engage in responsible disclosure so that the vulnerabilities can be patched. Think about it this way, the NSA is a foreign intelligence agency that we would classify the same way as any other cyber criminal organisation. If they develop a weapon, then you can bet that someone else – whether in China, in Russia, in India, or elsewhere has also developed it. And even if they haven’t, as we’ve seen time and time again these inevitably get leaked/stolen.

And WannaCry has crippled critical infrastructure – that’s one of the worst possible outcomes of a cyber attack. Hospitals, schools, and telecommunications were taken out with this purely as a side-effect of its original intention. Had the cyber criminals wanted to though they could have specifically launched a far more vicious attack specifically aimed to take out critical infrastructure, and if that was done there could have been thousands of deaths as a consequence: rioting could have happened in cities across the world if power grids were taken off-line for example.

You may have heard that a security researcher that calls himself MalwareTech “accidentally” stopped WannaCry from spreading further. Well, that’s a half-truth. He did a write up on his blog about it actually. In a nutshell, the malware checks for the existence of a “random” domain that doesn’t exist. If an IP address is returned then it assumes it’s being run in a sandbox and shuts down its operations – this is a tactic it uses to try and evade malware detection by anti-malware software executing the program in a sandbox. It effectively is a kill-switch, but not intentionally so. But to say that it was accidental is not true, as stated clearly on the blog it’s standard practice to register domains found within malware as it gives researchers a way to track malware as much as anything else.
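The kill-switch lookup described here, and in the “Why was there a kill switch?” section further up this page, leaves a trace that defenders can hunt for in DNS logs. The following is an added example, not code from the original post or from the write-up it mentions: it flags clients that queried the domain quoted on this page, plus same-length names differing in a few characters, on the assumption that an in-place hex edit keeps the string length. The log layout, IP addresses and the variant name are constructed.

```python
"""Find clients that looked up the WannaCry kill-switch domain or a near-identical name."""
from collections import defaultdict

# Kill-switch domain exactly as quoted in the post.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample in an assumed "timestamp client_ip query_name" layout.
# The name ending in "wxx.com" is a made-up variant, not a real indicator.
SAMPLE_DNS_LOG = """\
2017-05-13T09:14:02Z 10.0.4.17 www.example.org
2017-05-13T09:14:05Z 10.0.4.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-13T09:14:09Z 10.0.4.23 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
2017-05-13T09:15:40Z 10.0.7.80 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwxx.com
2017-05-13T09:16:11Z 10.0.9.5 abcdefghijklmnopqrstuvwxyzabcdefghijklmno.com
malformed line without enough fields
"""


def normalise(qname):
    """Lower-case a query name and drop the trailing root dot."""
    return qname.strip().lower().rstrip(".")


def hamming(a, b):
    """Count differing positions; None when the strings differ in length."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def classify(qname, max_edits=4):
    """Return 'exact', 'variant' or None for a single query name.

    'variant' means same length as the known domain with at most
    `max_edits` changed characters (assumed shape of a hex-edited copy).
    """
    name = normalise(qname)
    if name == KILL_SWITCH:
        return "exact"
    distance = hamming(name, KILL_SWITCH)
    if distance is not None and 0 < distance <= max_edits:
        return "variant"
    return None


def find_kill_switch_lookups(log_text, max_edits=4):
    """Map each client IP to a sorted list of (verdict, query_name) hits."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip records that do not match the assumed layout
        _timestamp, client, qname = fields
        verdict = classify(qname, max_edits)
        if verdict:
            hits[client].add((verdict, normalise(qname)))
    return {client: sorted(found) for client, found in hits.items()}


if __name__ == "__main__":
    for client, found in find_kill_switch_lookups(SAMPLE_DNS_LOG).items():
        for verdict, name in found:
            print(f"{client} queried {name} ({verdict} match)")
```

A hit only shows that a host asked for the name; it still needs confirming on the endpoint, and a variant with the check removed entirely produces no lookup at all.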

[Image: Imam Shaikh Mohammad Tawhidi]

This is a post I’ve been meaning to do for a while, it’s a direct follow-on to my 2010 post Hi, I’m an Islamophobic. On today’s Outsiders programme with Ross Cameron and Rowan Dean was one of the loveliest people I have ever seen on television. His name is Imam Shaikh Mohammad Tawhidi (pictured), and I want to credit him with motivating me to make this post now. Now let’s get one thing out of the way first, I am genuinely fearful of Muslims more than I am of any other religious organisations, so in that sense I am Islamophobic.

Right – on to business… how did we get here?

In my former post I said you can not prove Christianity, and you cannot disprove it. Or rather I mentioned the Antediluvian Period, which is something most Christians would prefer to ignore. It creates a huge problem – without it there are no Patriarchs, and without the Patriarchs there’s no Covenants with God, and without those there’s no condemnation, and no requirement for a Saviour.

“for all have sinned and fall short of the glory of God, and all are justified freely by his grace through the redemption that came by Christ Jesus.” -Romans 3:23-24.

When God reveals himself to Moses he says “I am the God of your father, the God of Abraham, the God of Isaac and the God of Jacob” (Exodus 3:6). Abraham exists after the Antediluvian Period, but the Abrahamic Covenant displaces (dispenses with) the Noahic Covenant, and the Noahic Covenant happens at the dawn of the Antediluvian Period. So it is important that it holds some meaning to Christians – many now take the easy route of saying these were just stories – but if they’re only stories then the Sacred Covenants are just stories too. Though I was loath to admit it, as a Christian I was forced to believe there was an Antediluvian Period. I didn’t care when though, for all I cared it could have been 200,000 years ago. And even that didn’t solve the problem of Adam and Eve – although I never really knew that was a problem since I’d never really been taught properly what the Adamic Covenant is.

You may be wondering where I’m going with all this? Well, I recognise now that you can prove or disprove the claims of Christianity. You can’t absolutely rule out the Antediluvian Period happening at some point in the past due to divine intervention… but the historicity of Moses has been well and truly disproved for example. Now this is a huge problem for Christians – it’s the elephant in the room. Judaism is the first known religion in the world to have been based on a collection of writings. Other religions existed outside of written texts, and religious texts were written about the religion, rather than serving as its blueprint. So any Christian that tells you that they don’t have to believe parts of the Bible they disagree with is selling you a revisionist lie. They might believe it, but the fact of the matter is that it’s not consistent with the formation of Judaism, the beliefs of Jesus and his Disciples, or of first century Jews.

As an atheist I see a lot of intolerance shown towards those of religious faith. This is the same kind of intolerance I used to have regarding others who were not Protestant Christians. I don’t hold those views any more because that would be hypocritical. I was really moved today when I saw Imam Tawhidi on Outsiders. He is a true humanist.


Video © Imam Shaikh Mohammad Tawhidi, 2017. License unknown.

It’s sad that Imam Tawhidi represents the minority of Muslim leaders in Australia. Until today I never knew that true moderates really existed within Islam, although that’s largely due to me not finding out about Shiites. About 85 percent of Muslims are Sunnis, and I would consider the vast majority of them to be “extremists” as we use the word. It gives me no pleasure to say this, but I do not believe that Sunni Islam can ever be fully reformed. There are too many core beliefs that are incompatible with modern society. I also don’t think that people convert between religious ideologies very readily – it’s not something that most people do in their lifetimes. Which is why atheism has taken a long time to grow – it takes a generation, usually, for change.

Imam Tawhidi also exposed a dirty secret that I actually didn’t know. He said in no uncertain terms that he doesn’t know any Sunni Islamic Scholars (he may have been referring to all Islamic Scholars it wasn’t entirely clear, the context was Sunni) who believe the Holocaust happened. Now that’s truly frightening. There is still a lot of hatred towards Jews. And this brings me to the dark side of religion. Religious beliefs form a fundamental part of people’s world views, and those world views are a very strong cognitive bias for denying information that has been discovered or learned academically in secular society. The priest at my former Church pretty much disagrees with any Biblical Scholar that is not a Trinitarian Christian, for example. In fact I may as well re-post my video on social stigmas, it’s only 3 minutes so check it out:


Baxter, D. 2016. Creative Commons Attribution 3.0 Licence (Aus). Originally published at: https://youtu.be/HMdl-VDRg9I

Religious tolerance is a necessary part of a free society. But don’t for a second think that all religions are capable of reform. Scientology was built on the premise that Psychiatry was a pseudoscience. They also deny the Holocaust. Now just to be clear – Holocaust denial is “the belief that the Holocaust did not occur as it is described by mainstream historiography” (source), and the type of denial perpetrated by Scientologists is that they believe psychiatrists were to blame.

But this brings me full circle. What we consider to be extreme beliefs were once mainstream beliefs. Eugenics was once the majority view in psychiatry, and psychiatrists did play an active role in the Nazi extermination programs, including before and after the Final Solution. Hate and distrust of Jews was once mainstream. It was less than 100 years ago that we discovered there are galaxies in the universe other than our own. And I see one very important similarity between Imam Tawhidi and Jesus of Nazareth: both men wanted to reform their religion, and both have faced persecution from religious authorities in their religions. And both were/are exceptional human beings.

Google is building an adblocker into Chrome…

Google is playing with fire. In fact so is Opera. So is ABP, Adblock, and PageFair. To understand where we are, we need to go back to the beginning. This will be a long entry, so grab yourself a coffee, install uBlock Origin if you don’t have it, and enjoy your time here.

Ad blocking has long been a side-effect of the MVPS hosts file, which I have used consistently for more than a decade. Back then internet bandwidth was limited as well, and another side-effect of using it was of course that it blocked unwanted internet traffic. It’s also good for preventing malware – in fact that’s the main reason to use it in my opinion.

History

In 2004 the original Adblock extension was developed for Firefox. Already there were complaints from advertisers and webmasters, for example here “blocking ads on Ars is a bannable offense”. You could also get programs that would block ads. In mid-2007, Maxthon 2 became the first browser in the world with a built-in adblocker. The Adblock Plus extension was created in 2006 to pick up where Adblock left-off, and in late 2009, the new Adblock extension was created. For quite some time Adblock and ABP were both very popular. And again, advertisers were not happy – some claimed the extensions are illegal and their use amounts to stealing. Others put up notices in the place of ads – or worse lock the content or use modal overlays. Hank Green and Boogie2988 have both posted rants against the extension, as have many others. Then in 2011 something truly terrible happened: Adblock Plus created a whitelist to allow so-called “acceptable ads”. In 2014, uBlock joined the extension market, and has since become the blocker that is featured in both the Firefox and Edge Extension pages. In 2016, Opera added a built-in adblocker, and now it appears that Google is looking to do the same.

So as you can see, we have a lot to go over.

Blocking is stealing?

This is probably the most ridiculous argument that I have ever heard. Let me put it like this: my PC or other device is MINE, not yours. I own it, and I do whatever I want with it. It doesn’t belong to an advertiser, it doesn’t belong to Microsoft, it doesn’t belong to Google. It belongs to me. Whose is it? MINE! If you can grasp that simple concept, then you can understand that just like my TV, I can choose to do whatever I want with it – I don’t have to look at any ads if I don’t want to. Now of course, there’s something else that’s mine, and that’s my internet connection. To suggest that an advertiser – or for that matter anyone – has some inherent right to it is just insanely wrong. That’s like a bully who wants to control things that you own, and make you do things with your possessions that benefit him.

Why you need to block ads

Blocking ads is not merely a convenience issue – it’s a security necessity. And you don’t need to take my word for it, the experts say so:

“The only effective protection against malware advertising is to block the advertising networks that accept adverts from the criminal gangs.” – Comodo computer scientist, Dr. Phillip Hallam-Baker (source). By the way there’s even a specific term for this threat – malvertising.

It’s also recommended by security guru Steve Gibson:

Take a moment to digest this information if this is news to you. And ask yourself: why is it you haven’t heard this?

The reason you haven’t seen this is that it represents a conflict of interest for many websites to tell you this information. They would rather tolerate serving their visitors malware than dare suggest you remove the advertising from their website. In fact, many of these websites are the same ones that pop-up those god-awful modal overlays telling you they “need advertising revenue”.

I am not suggesting that adblocking is a complete solution. You should also completely uninstall Adobe Flash, keep your system and browsers up-to-date, use the MVPS hosts file, and a good anti-virus program.

The other reason you need to block ads is to protect your privacy. Privacy is an inalienable human right, advertisers create, buy, and sell your unique information that they gather. And they do it without your consent. In some countries, ISPs spy on their customers’ internet usage, and sell that metadata to advertisers. In other countries that is illegal, yet that is what advertisers do. I do not believe there is a legitimate case for user-targeted advertising – it’s a blatant form of spyware. And it can put vulnerable people at risk – for example should an advertiser really know that you are looking for crisis accommodation, and if they do learn that and then run ads for these services all over your PC when your abusive partner is using it what might be the consequences?

The problem with Adblock/ABP and built-in adblockers

So you might be wondering, if I’m so in favour of adblockers – particularly uBlock Origin – why do I have a problem with the built-in blockers? Well let’s start with Adblock and ABP – both of those extensions adopt the “acceptable ads” motif. Now, even on the official Adblock website in a recent blog post the CEO acknowledges its use in preventing malware… yet what do you see nowhere in the acceptable ads policies? That’s right, not one mention of malware. They’re more interested in allowing advertising than protecting their clients from the very real harm of today’s crypto-ransomware. PageFair and Fair Adblocker offer no protection against malware at all. Google supports the Coalition for Better Ads, and they don’t mention malware either.

The issue with all of these existing blockers (except uBlock Origin, that is) is that they put an important security measure in the hands of those who have a conflict of interest. All of these people believe in “acceptable ads” more than they believe in protecting you from harm. To put it another way, the goals of Adblock, ABP, and PageFair do not include protecting you from malvertising – their primary goal is retention: they want to capture people that are fed up with internet ads and retain a level of advertising on their device that the user will tolerate. That goal is completely incompatible with the security goal.

Opera’s adblocker is a problem for a different reason: it doesn’t give the user the choice of filter lists or the ability to create their own, and it’s not clear what filters it does use. And the other reason I see it as problematic is that uBlock Origin is already available for Opera and provides a better option – why not include it by default for users instead of a closed-source adblocker? Finally, the blocker is not an extension, it’s built right into Opera, and what that tells me is that it can only be updated with Opera – and of course there’s no indication I know of about how often it gets updated. With uBlock Origin the community is in control of all the lists, which are regularly peer-reviewed and updated, and the user is in complete control of his or her own rules as well.

I think I really should restate this… the goal of adblocking is to provide you with an effective security measure against malvertising. It’s the only effective preventative measure! It doesn’t matter if you love ads and want to view them all day – it’s more important that you are protected online from malware. So that’s it, and I think that’s where we’re at. That’s why I have an ethical problem with these other blockers – Adblock and ABP used to be great, by the way, before the introduction of “acceptable ads”.

The problem with Google

Google is obviously the wrong company to be in control of this important security measure that people need. And not only that, but it would be clearly an anticompetitive market move that I suspect would be illegal in many places such as Australia. Do you remember how Microsoft was forced to give people in the EU the browser choice ballot on installation of their Windows OS? Well, can you imagine that the world’s largest internet advertiser would be allowed to write an extension or feature for their software that directly harms their competitors and integrate it into their browser? That has litigation written all over it. I hope they do it actually, and face the consequences. So much for their ‘don’t be evil’ motif.

By the way don’t think this is new to them, they have an absolute monopoly at the moment with their Chrome web browser that sees it as well as most others (this includes Firefox, Maxthon, Safari, and Opera) set the default search engine to google.com. That is extremely anticompetitive – especially given the fact that they pay money to competing web-browsers to make google.com the default search engine. With that said, the recent versions of Firefox have actually improved this by changing the default search engine whenever you use the search bar – but it’s a small improvement as most people only use the omnibar.

Google’s goal is not to improve your protection against malvertising – their goal is to protect their advertising business and to ensure that you will see AdSense and YouTube ads. All they care about is improving the user experience just enough so that users will tolerate advertising. They think that user experience is more important than their security! Imagine this if you will: Google gives up advertising to become the world’s largest condom manufacturer. Next, they outline plans to become the authority on quality control for all other condom manufacturers. I think most people can understand that’s a conflict of interest, but then we learn something even worse: their idea of quality control is not to test that the product provides the protection users expect, instead all they care about is the user experience, and if there are major flaws in the products they will deal with the problem after users are exposed to the threat.

You may not believe me, but Google’s own numbers show they had to remove 900,000 ads from their network that were serving malware! Nine hundred thousand. How many people were infected with crypto-ransomware? Did Google compensate the victims that had to pay large sums to recover their data? Of course not, yet they profited from serving those poor souls the ads in the first place.

Why do I hate ads so much?

I don’t hate ads. As I’ve stated I think quite repeatedly, blocking ads is a necessary security measure. To be protected I have to be prepared to block all the third-party ads – the horribly obtrusive ones that I hate as well as the ones I don’t. As I’ve already mentioned, ad blockers are one of the only effective preventative measures against malvertising – exactly in the way that condoms are the only effective protection against many STIs, other than abstinence of course. So unless you want to disconnect yourself from the internet you absolutely need the best adblocker you can find to help protect you from the ever increasing threat of crypto-ransomware delivered through malvertising.

Now with this said, I do have an ethical issue with third-party internet advertising. As I’ve already mentioned, privacy is an inalienable human right. That’s why you need to consent to questioners. Internet advertisers steal this information from you via analytics without even asking. I think that is morally wrong. Ads that are not targeted using profiles built with analytics, like TV and radio, I don’t mind, but any ad network that profiles individuals on the internet is below contempt in my opinion. It doesn’t matter if they have an “opt out feature”, if they automatically opt people in it’s an absolute disgrace of humanity.

But don’t websites need advertising revenue?

This I think is where many advertisers, as well as content creators, and webmasters have got it very wrong. Do they need advertising revenue? Maybe – but that’s not my problem. Nor is it yours. And nor should you be bullied into thinking that it is. Your right to security and privacy trumps a website’s “right” to deliver you advertising. And anyway, the idea that ads should be forced on you completely breaks everything the world-wide web is meant to represent.

I am not arguing that websites shouldn’t be allowed to have ads. Of course they can, but any time they run cross-site scripts that deliver ads, and any time they are not in full control of the ads that appear, they are a security risk to you. It’s a misconception, by the way, that hackers need to hack an advertiser to begin infecting people – one of the ways they’ve actually been doing it is simply by uploading an ad that integrates malware into it that they’ve paid for. To give you an example of how I might get a malicious file to you – let’s say I embed a virus file into a picture file. I offer this picture file for download – you don’t know that it contains a malicious executable in it because it looks like an ordinary picture. Once you put the picture on your computer though, you have unwittingly saved a file that looks and behaves like a picture, but is actually an archive that contains the malicious executable. Then, all I need to do is embed code to recover the file, extract it and execute it. And I might hide that code in a completely separate program that appears to be completely safe – but unknown to you it searches your computer for the file so it can extract and run the malicious file.

That might sound convoluted to you – but that’s actually exactly how modern computer infections work. They can hide the malicious file within a picture, a sound file, or a video file, or even something like a font file if they want to get really creative. Those types of files are of course considered to be lower security risk than executable files, so they can get saved into your temporary internet files. What malware does is combine this type of method with a browser exploit that allows them to break the security of your browser and execute the code directly… and there are criminal organisations that are constantly seeking out these exploits. In fact, it’s almost certain that the CIA’s arsenal of cyber-weapons has been used for this purpose as well – both by the CIA and other cyber criminal organisations.
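A defender's check for the picture-that-is-really-an-archive trick described above, added here as an example and not part of the original post: it walks a PNG's chunks to find where the image ends and reports any ZIP archive sitting in the bytes after it. It covers PNG only, and the two sample files are constructed in the code with a harmless text file as the payload.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end of central directory

def png_end_offset(data):
    """Walk the PNG chunk list; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def inspect_image(data):
    """Report how many bytes follow the image and which ZIP members they hold, if any."""
    end = png_end_offset(data)
    if end is None:
        return {"png": False, "trailing": 0, "zip_members": []}
    trailing = data[end:]
    members = []
    if any(magic in trailing for magic in ZIP_MAGICS):
        try:
            members = zipfile.ZipFile(io.BytesIO(trailing)).namelist()
        except zipfile.BadZipFile:
            members = ["<zip signature present, archive unreadable>"]
    return {"png": True, "trailing": len(trailing), "zip_members": members}

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def constructed_samples():
    """Constructed test data: a clean 1x1 PNG, and the same PNG with a harmless ZIP appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "harmless placeholder")
    return png, png + buf.getvalue()

if __name__ == "__main__":
    print([inspect_image(sample) for sample in constructed_samples()])
```

Any non-zero `trailing` count on an image pulled from a browser cache or download folder is worth a closer look, since a well-formed PNG ends at its IEND chunk.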

Websites that ask you to disable your adblocker?

What the fuck. I do not even visit my own site with uBlock Origin disabled. What would you think if these websites told you to download and run a binary file on reddit and, oh, disable your antivirus software before doing so? Asking you to disable your adblocker is no different. As mentioned, adblocking is the only currently known general-purpose measure to protect against malvertising. Yes, I feel bad for those websites that depend on advertising – but it’s not worth risking having my files encrypted for a ransom. As others before me have pointed out, making a living knowingly selling access to every well known ransomware distributor on Earth is pretty goddamned despicable.

Like I said, I don’t even disable uBlock Origin on my site – so why the fuck would I disable it for someone else?

The cyber espionage group known as Longhorn has been formally identified by Symantec as the CIA.

Now, take a breath and get ready to learn the ugly truth behind this revelation. We live in the digital age, and underpinning that is the illusion of electronic security. Now I say illusion, but I wish to stress that this illusion is so strong that it gives people the confidence to conduct online transactions, and for banks to allow their customers to access their accounts over the internet. How secure is your data and your bank account? Not very. It’s about as secure as an ordinary bank vault. With the right tools, equipment, and expertise it can be broken into.

Electronic security is never truly provably secure. Take a moment to think what that means. Let’s say you have a large safe in your office – should you trust it with a high security mechanical lock (Manifoil MK4, S&G 2740B) or an electronic lock (the TL11G is the SCEC approved electronic equivalent)? Well, allow me to blow your mind for a moment: the mechanical locks are provably secure. They are not perfect, and they can be broken into (for example if someone guesses the right combination). The TL11G is not provably secure, its source code is closed, and the ROMs can of course be flashed if someone wanted to intentionally supply a known-vulnerable product, and it would be impossible for a user to tell the difference. I’m actually surprised it’s SCEC approved given the clear vulnerabilities that could exist or could be introduced. Granted though, I’m not a locksmith or, for that matter, a security professional.

On 7 Mar 2017, Wikileaks began publishing information relating to Vault 7. Vault 7 is an arsenal of CIA developed cyber-weapons. They are believed to have been sold for some time on the darkweb. The reason why security companies and professionals hate intelligence organisations is because these intel orgs deliberately find vulnerabilities in software, but do not publish the information. What this means is that a vulnerability can exist for several years before it is independently discovered outside of an intelligence agency. And it doesn’t matter who you think are the “good guys”, if one intelligence agency found the vulnerability and developed a cyber weapon, you can bet that others did as well – the Chinese, the Russians, etc. In fact it would be unthinkable that the CIA could develop such weapons without the Chinese developing them at the same rate or faster given their expenditure on finding them. But as already mentioned, even without the same vulnerabilities being found, the CIA’s entire arsenal of cyber weapons has been leaked for some time and sold on the darkweb to the highest bidders.

On 10 Apr 2017, Symantec positively identified the North American cyber criminal group known as ‘Longhorn’ as in fact being the CIA. Longhorn has been active since at least 2011, and has been described as the worst cyber criminal group of our age. They have infected 40 known targets in 16 countries. To quote:

The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.

That’s a pretty goddamned strong statement. Now there is another way to read that statement: the other way to read it would suggest that whoever Longhorn is, they have had access to most or all of the Vault 7 cyber weapons soon after they were developed by the CIA. Meaning that if Longhorn is not a part of the CIA, they are a group the CIA has been intentionally arming with the weapons, or they had the ability to steal them from the CIA. None of those options is any better than the CIA being Longhorn.