Trolls, Bullies, and CEOs: Dealing With the Dumbest People on Twitter

The following is based on my own personal experience with Twitter’s security team. Your mileage may vary.

I have some of the thickest skin around; that’s probably what makes Twitter work for me. The company itself, though, seems to be intentionally leaning in favor of supporting criminals and that’s not only ignorant, but incredibly self-defeating. I spent a day in January entertained by a couple idiots who claim to be part of Lizard Squad, but I have my doubts, as they have no technical skill whatsoever. They did the absolute most laughable job of trying to dox me, and failed miserably. As is the case with this type of harassment, they made the typical death threats you see them making everyone else: trying to incite fear by claiming a hit man is on his way to what they thought was my address, followed by a cheap public records search, which in my case had all wrong addresses dating back over 20 years. Even sadder is what was missing from the dox: they didn’t even know where I worked, or have any real accurate information about me to present. The photo they even posted of me while “doxxing” me was an old O’Reilly Media photo, about 50lb heavier, that I had released when I published my first book. (O’Reilly has a better one of me now, that’s only a couple years old). Other photos (like some old wedding photos) were ones I’d posted myself on my website; ironically only a couple IPs dug back that far in my weblogs and none of them were Tor (idiots). It was a truly amateur attempt to release information on me that I not only knew was already publicly available, but even released myself.

There is really no better word to describe these kids than “dipshits”.

This group of kindergarteners got other information wrong too that I won’t disclose. Sorry, guys, but there actually is more than one Jonathan Zdziarski in the world. Their sad sad doxxing skills aren’t the only point I want to make, though. My other point here is to explain what Twitter did: absolutely nothing. That’s right. Not even suspended an account and in some cases just stopped responding to me.

It’s these same kids who doxxed the person behind SwiftOnSecurity, and even claimed responsibility for hacking the real Taylor Swift’s account. These are the same ones who’ve made vicious death threats too, against myself, SwiftOnSecurity, and many others including some prominent feminists and gamers, using public records to look up addresses. Some people on Twitter became scared enough to actually leave their homes and contact the police after receiving personalized threats. Twitter is the chosen medium for instant fame and large follower counts; that’s why it is so good at attracting psychopaths. The only way it works is by allowing bullies to build a large follower base for popularity and by allowing users to create a set of [trackable] social connections.

Doxxing is kind of like asking the Internet for your FOIA record. It’s good to know what other people know about you, and what’s out there, and what’s not. Pretending your information isn’t out there is naive; it’s better to know, and even be able to point to screenshots of leaked data in the event that it’s ever used. Of course when it escalates to death threats and harassment, you have to at least go through the process of treating it seriously, even if you know the people behind it are powerless.


Lenovo’s Domain Record Appears Jacked

Early reports came in from Verge that Lenovo was hacked; however, upon visiting the website, many reported no problems. Lenovo’s servers were not, in fact, hacked; however, it appears that the lenovo.com domain record may have been hijacked. Two whois queries below show that the domain was updated today and its name servers were changed over from Lenovo’s own to CloudFlare.

[Screenshot of the whois queries, taken 2015-02-25 at 4:29 PM]

Given recent DDoS attempts against Lenovo, it’s not entirely impossible that Lenovo decided to host with CloudFlare; however, given their own massive infrastructure, I’d call this extremely unlikely; in that event, the transition went quite miserably from Verge’s point of view. What most likely is happening is that the hacked site is being hosted behind CloudFlare, and the name records have simply been hijacked.

Lenovo uses an obscure Chinese registrar (webnic.cc), so it’s foreseeable that the registrar could have been socially engineered to gain control of the domain. How ironic would it be, though, if the credentials to Lenovo’s account were stolen by decrypting Lenovo traffic using Superfish certs? Perhaps poetic justice?

It looks as though the domain may have even been deleted from, or transferred out of webnic. If this is the case (and not just a malfunction), then it could take even longer for Lenovo to get the domain back.

[Screenshot taken 2015-02-25 at 5:05 PM]

Naturally, as DNS takes time to propagate, more and more people will see the hacked version (sitting on some other server not at Lenovo), and when Lenovo finally regains control, it will take up to 24 hours or so for users to start seeing the DNS switch back.

This smells more of an amateur stunt rather than a good old fashioned hacking. No zero-days were harmed in the making of this defacement. In fact, Lenovo’s servers seem to be completely intact. Just another day at the zoo.
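The comparison this post relies on (two whois lookups showing a fresh update date and replaced name servers) can be run as a routine monitoring check. The following Python is an added example, not code from the original post; the snapshots are constructed, and the domain, registrar, name-server names and the `approved_suffixes` allow-list are placeholder assumptions.

```python
import re
from datetime import datetime

# "Key: value" lines; banner/footer lines that do not start with a letter are skipped.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")
# Common field-name variants across registries (not exhaustive).
NS_KEYS = {"name server", "nserver"}
UPDATED_KEYS = {"updated date", "last updated", "changed"}
REGISTRAR_KEYS = {"registrar", "sponsoring registrar"}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")

# Constructed snapshots for illustration only (placeholder names and dates).
BEFORE = """\
Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR
Updated Date: 2014-11-03T08:15:42Z
Name Server: NS1.CORP-DNS.EXAMPLE
Name Server: NS2.CORP-DNS.EXAMPLE
"""
AFTER = """\
Domain Name: EXAMPLE.COM
Registrar: EXAMPLE REGISTRAR
Updated Date: 2015-02-25T20:41:07Z
Name Server: NS1.THIRDPARTY-CDN.EXAMPLE
Name Server: NS2.THIRDPARTY-CDN.EXAMPLE
"""
MISSING = 'No match for domain "EXAMPLE.COM".\n'


def _parse_date(value):
    """Return a datetime for the first format that fits, else None."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None


def parse_whois(text):
    """Extract name servers, last-update time and registrar from WHOIS text."""
    rec = {"nameservers": set(), "updated": None, "registrar": None}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in NS_KEYS:
            # Some registries append an IP after the host name; keep the host only.
            rec["nameservers"].add(value.split()[0].lower().rstrip("."))
        elif key in UPDATED_KEYS and rec["updated"] is None:
            rec["updated"] = _parse_date(value)
        elif key in REGISTRAR_KEYS and rec["registrar"] is None:
            rec["registrar"] = value
    return rec


def diff_snapshots(before, after, approved_suffixes):
    """Return (code, detail) findings for changes between two parsed records.

    approved_suffixes must start with a dot (".corp-dns.example") so that a
    look-alike such as "evilcorp-dns.example" does not pass the allow-list.
    """
    findings = []
    if not after["nameservers"]:
        # Matches the post's "deleted from, or transferred out of" case.
        return [("NO_NAMESERVERS", "record has no name servers or no longer exists")]
    added = sorted(after["nameservers"] - before["nameservers"])
    removed = sorted(before["nameservers"] - after["nameservers"])
    if added or removed:
        findings.append(("NS_CHANGED", f"removed={removed} added={added}"))
    foreign = sorted(ns for ns in after["nameservers"]
                     if not ns.endswith(tuple(approved_suffixes)))
    if foreign:
        findings.append(("NS_UNAPPROVED", f"outside allow-list: {foreign}"))
    if before["updated"] and after["updated"] and after["updated"] > before["updated"]:
        findings.append(("UPDATED", f"record updated {after['updated']:%Y-%m-%d %H:%M}Z"))
    if before["registrar"] != after["registrar"]:
        findings.append(("REGISTRAR_CHANGED",
                         f"{before['registrar']} -> {after['registrar']}"))
    return findings


def check(before_text, after_text, approved_suffixes=(".corp-dns.example",)):
    """Parse both snapshots and return the list of findings."""
    return diff_snapshots(parse_whois(before_text), parse_whois(after_text),
                          approved_suffixes)


if __name__ == "__main__":
    for code, detail in check(BEFORE, AFTER):
        print(f"[{code}] {detail}")
```

Run against stored snapshots on a schedule, an `NS_CHANGED` or `NS_UNAPPROVED` finding with no matching change ticket is the signal to contact the registrar before cached DNS answers spread further.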

Speaking With a Vocabulary of Color

A wise woman once told me, “it takes a long time to learn how to play like yourself”, referring to my music. This was actually Vic Wooten’s mom, an amazing woman, who I had the pleasure of meeting during a three week retreat at Victor’s camp to learn more about music. I find the same is true in photography. Every photographer has a unique look and feel, and much of it is more than just camera technique. Technique is really only maybe 1/10th of the overall photo, just like technique is only about 1/10th of what makes music what it is.

Image toning and contrast play a big role in how you communicate your photo to someone. In music, we have dynamics and tone to communicate emphasis, emotion, and even mood; the same is true in photography: color is emphasis, emotion, and mood. If a picture is worth a thousand words, then tone and contrast help determine whether those words are screaming in all caps (which is entirely appropriate sometimes), soft gentle words, or void of emotion completely. When you risk getting into trouble is when you’re trying to convey one emotion in your photograph, but the colors and contrast are conveying another, usually clashing, emotion. On one extreme, you’ve likely seen the outright blatant vibrance control abuse that can happen on sites like 500px. On the other end, some fantastic black and white photography conveys deeper meaning, but the emotion of color is lost.

Ocean Titan

Snæfellsnes Peninsula, Iceland. (Nikon D800E, 24mm, f/13)


CVF: SPF as a Certificate Validator for SSL

In light of recent widespread MiTM goings on with Superfish and Lenovo products, I dusted off an old technique introduced in the anti-spam communities several years ago that would have prevented this, and could more importantly put a giant dent in the capabilities of government sponsored SSL MiTM.

The Core Problem

The core of the problem with SSL is twofold; after all these years, thousands of Snowden documents, and more reason to distrust governments and be paranoid about hackers more than ever, we’re still putting an enormous amount of trust into certificate authorities to:

  1. Play by the rules according to their own verification policies and never be socially engineered
  2. Never honor any secret FISA court order to issue a certificate for a targeted organization
  3. Be secure enough to never be compromised, or to always know when they’ve been compromised
  4. Never hire any rogue employees who would issue false certificates

Not only are we putting an immense trust in our CAs, but we’re also putting even more trust into our own computers, and that the root certificates loaded into our trust store are actually trustworthy. Superfish proved that to not be the case, however Superfish has only done what we’ve been doing in the security community for years to conduct pen-tests: insert a rogue certificate into the trust store of a device. We’ve done this with iOS, OSX, Windows PCs, and virtually every other operating system as well in conducting pen-tests and security audits.

Sure, there is cert pinning, you say… however in most cases, when it comes to web browsers at least, cert pinning only pins your certificate to a trusted certificate authority. In the case of Superfish’s malware, cert pinning doesn’t appear to have prevented the interception of SSL traffic whatsoever. In fact, Superfish broke the root store so badly, that in some cases, self-signed certificates could even validate! In the case of CAs that have been compromised (either by an adversary, or via secret court orders), cert pinning can also be rendered ineffective, because it still primarily depends on trusting the CA and the root store.

We have existing solid means of validating the chain of trust, but SSL is still missing one core component, and that’s a means of validating with the (now trusted) host itself, to ensure that it thinks there’s nothing fishy about your connection. Relying on the trust store alone is why, after potentially tens of thousands of website visits, none of the web browsers thought to ask, “hey why am I seeing the same cert on every website I visit?”


Superfish Spyware Also Available for iOS and Android

For those watching the Superfish debacle unfold, you may also be interested to note that Superfish has an app titled LikeThat available for iOS and Android. The app is a visual search tool apparently for finding furniture that you like (whatever). They also have other visual search apps for pets and other idiotic things, all of which seem to be quite popular. Taking a closer look at the application, it appears as though they also do quite a bit of application tracking, including reporting your device’s unique identifier back to an analytics company. They’ve also taken some rather sketchy approaches to how they handle photos so as to potentially preserve the EXIF data in them, which can include your GPS position and other information.

To get started, just taking a quick look at the binary using ‘strings’ can give you some sketchy information. Here are some of the URLs in the binary:


Tone and Drama

 

Dark Kings
Nikon D800E, 14mm, f/9, 15s

After developing several dozen photographs of Kirkjufell, they all started to look alike. If you’re putting a gallery together, this isn’t really a good thing. Even at different angles, different times of day, etc., each photo needs to be able to stand out on its own. Add to that, some website communities prefer different things (for example, 500px prefers either surrealistic landscapes, or large breasts). I took a couple photos that I had developed the same as the others, then decided to have some fun with them (no, I didn’t paste breasts onto either of them).

The first big change I made was to adjust the tone of the photo. The tone is the overall color rendering and tonal range. While I still do my best to stay true to the photo, adjusting the tone can still be done in a tasteful and realistic way. DxO Optics Pro offers an expansion Film Pack kit, which allows me to take a photo and apply it to different types of analog film; old school film came in many different types and depending on the chemical makeup, ISO, and other properties, you’d get a different tonal presentation depending on what film you used. The film I chose was Lomography Redscale ISO 100. This added a much warmer cast to the photo, and really brought out the reds. There are many other ways to alter the overall tone of a photo, too. Photoshop CC itself provides white balance, HSL sliders, color balance controls, and HDR toning options all within the software.


Lenovo Enabled Wiretapping of Your Computer

Robert Graham recently uncovered software that came preinstalled on Lenovo computers hiding under the guise of advertising-ware. While the media rushes to understand the technical details behind this, many are making the mistake of chalking it up to some poorly designed advertising / malvertising software with vulnerabilities. This is not the case at all, and it’s important to note that what’s been done here by Lenovo and SuperFish by all accounts is far more serious: a very intentionally designed eavesdropping / surveillance mechanism that allows Lenovo PCs’ encrypted traffic to be wiretapped anywhere it travels on the Internet. We’ll never know the true motives behind the software, but someone went to great lengths to maliciously transform encrypted traffic in a way that allows this electronic wiretapping, then bundled it with new Lenovo computers.

What Graham’s notes describe, and what the media is reporting, is commonly referred to as a Man-in-the-Middle attack on the victim’s computer; this is only where the trouble begins. When the user goes to establish an encrypted connection with, say, Bank of America, the SuperFish software pretends that it’s Bank of America right on your computer, by using a phony certificate to masquerade as if it were actually the bank. SuperFish then talks to the real Bank of America using its own private keys to decrypt traffic coming back to it. Where this becomes dangerous is that this transforms the traffic while it’s in transit across the Internet, so that data coming back to the PC is encrypted with a key that SuperFish can decrypt and read.

The threat here goes far beyond that of just the victim’s computer or advertisements: by design, this allows for wiretapping of the PC’s traffic from anywhere it travels on the Internet. In addition to the local MiTM / advertising concerns the media is focusing on, it appears as though the way SuperFish designed their software allows anyone who has either licensed or stolen SuperFish’s private key to intercept and read any encrypted traffic from any affected Lenovo PC across the Internet, without ever having access to the computer. How is this possible? Because SuperFish appears to use the same private keys on every reported installation of the software, according to what Graham’s observed so far.


Well Written Piece on Crowd Shaming

How One Stupid Tweet Blew Up Justine Sacco’s Life isn’t just a piece about Justine Sacco, it’s a piece about the depravity of society and how the ferocity in shaming has evolved over a few hundred years. The nature of instantly rewarding those who essentially bully others creates a rather compound effect. The way social networks react today in this practice feels very Hitler-esque. While I’ve never been crowd shamed for anything, I have witnessed it in disgust several times. I often question if those who crowd shame are the same archetype who would have fit right into Hitler’s Nazi regime. The principles are the same: the instant gratification and reward of attention and acceptance by a crowd for destroying another human; scale is the only thing that’s really any different. I suspect those who would intentionally seek out the former would also seek out the latter, and those that would ignorantly go along with the former would likewise, under the right conditions, also be weak minded enough to ignorantly go along with the latter.

Waze: Google’s New Spying Tool

In 2013, Google acquired Waze, a tool designed to find you the best route while driving. Upon hearing of the application, I thought I’d check it out. Unfortunately, I didn’t get past the privacy policy, which was updated only six months ago. While Waze’s policy begins with “Waze Mobile Limited respects your privacy”, reading the policy demonstrates that they do no such thing.

Interesting note: Waze will not let you view the privacy policy inside the app until you’ve already agreed to let it track your location.

Unique Tracking Identifiers

The first thing I immediately noticed about Waze is that they function in the same way Whisper does: under the false guise of anonymity. The average user would wrongly assume that by not registering an account, their identity remains unknown. Even if you don’t create an account in Waze, the privacy policy states that their software creates a unique identifier on your device to track you; to my knowledge, this is a violation of Apple’s own App Store guidelines, but it seems that Google (and Whisper) have gotten a free pass on this. From the policy:

“If you choose to use the Services without setting up a username you may do so by skipping the username setup stage of the application installation process. Waze will still link all of your information with your account and a unique identifier generated by Waze in accordance with this Privacy Policy.”

I’ve previously written about Whisper and how this technique, combined with multiple GPS data points, can easily identify who you are and where you live, even if the GPS queries are fuzzed. With Google as a parent company, not only is your location information particularly identifying, but cross-referenced with Google data and their massive analytics, could easily determine a complete profile about you including your web search history (interests, fetishes, etc). Even if you don’t have a Google account, any Google searches you’ve done through local IP addresses or applications that track your geolocation can easily be used to link your Waze data to your search history, to your social networking profiles, to virtually any other intelligence Google or its subsidiaries are collecting about you. Simply by using Waze just once, you’ve potentially granted Google license to identify you by GPS or geolocation, and associate an entire web search history with your identity, to de-anonymize you to Google.

Of course, Waze doesn’t come out and admit this; if you read their privacy policy, however, you see that they’ve granted themselves a number of interesting (some nonconventional) rights to your data that make this possible. Perhaps this is why the company may have been worth over a billion dollars to Google.


Pawn Storm Fact Check

Fortinet recently published a blog entry analyzing the Pawn Storm malware for iOS. There were some significant inaccuracies, however, and since Fortinet seems to be censoring website comments, I thought I’d post my critique here. Here are a few things important to note about the analysis that were grossly inaccurate.

The first important thing to note is the researcher’s claim that the LSRequiresIPhoneOS property indicates that iPads are not targeted, and that the malware only runs on iPhone. Anyone who understands the iOS environment knows that the LSRequiresIPhoneOS tag simply indicates that the application is an iOS application; this tag can be set to true, and an application can still support iPad and any other iOS based devices (iPod, whatever). I mention this because anyone reading this article may assume that their iPad or iPod is not a potential target, and therefore never check it. If you suspect you could be a target of Pawn Storm, you should check all of your iOS based devices.

Second important thing to note: Most of the information the researcher claims the application gathers can only be gathered on jailbroken devices. This is because the jailbreak process in and of itself compromises Apple’s own sandbox in order to allow applications to continue to run correctly after Cydia has relocated crucial operating system files onto the user data partition. When running Cydia for the first time, several different folders get moved to the /var/stash folder on the user partition. Since this folder normally would not be accessible outside of Apple’s sandbox, the geniuses writing jailbreaks decided to break Apple’s sandbox so that you could run your bootleg versions of Angry Birds. Smart, huh?


Three Lenses That Outperform Nikon’s

Every time I hear pro photographers drone on about what’s in their bag, it almost always gravitates solely around Nikon, Canon, or  whatever brand they’re being sponsored by. This, in my opinion, is their handicap, and why so many “pro” photographers end up looking just like all the other noise out there. Lenses are like wine, each one has a different personality. Just because brand X happens to be made by Nikon, or have the sharpest center, doesn’t mean that it’s going to necessarily give you the best results.

There’s a lot to consider in lens selection. Overall sharpness is certainly one of them, but in addition to that, there is color rendering, contrast (and micro-contrast), bokeh, sharpness at desired apertures, vignetting, compression, flaring and plenty other things. If you want to stand out as a photographer, getting that different look and feel in your photos can – to some degree – be determined by which lenses you choose to shoot with. Here are a few lenses that I keep in my bag, and why you might consider them as good alternatives to whatever camera brand you’re currently using.


Night Shooting with Light Pollution Filters

If you’ve been keeping up with my photography, I was quite happy with how Starry Cabin turned out. I had been previously dabbling with night photography in Iceland, when we finally chased down the Aurora, and again in Norway. Of course, it’s easy to do a good night shot when you’ve got the Aurora as your subject. Starry Cabin brought a rare opportunity to capture the beauty of a clustery starscape with the warmth of a ski cabin in the winter. Moments like these can often be ruined by heavy light pollution, which can drown out the quality of the sky in an otherwise great photo.

Left: Iced; Nikon D800E, 21mm, f/2.8, 25s.

In my research into night photography, I came across a little known type of filter that’s more often used in astronomer’s telescope eyepieces. It’s called a light pollution filter, and it does what it says it does: reduces the amount of pollution in the sky caused by ground lights. Typically, these are helpful to astronomers because it helps cut the light that would otherwise interfere with photographing the effects of H-Alpha infrared, which are the red auras often appearing around the Milky Way and other celestial bodies. Some photographers modify their cameras to remove IR filters so they can pick up these red hues in their sky photos. On unmodified cameras, this filter is particularly useful at cutting back the light pollution from the ground when you’re shooting things at night.


All Your Hash are Belong to Apple: /usr/libexec/gkoverride

I happened to notice a process running for a split second: /usr/libexec/gkoverride. Little Snitch was asking if it should have access to connect to Apple. This appears to be a new Yosemite thing, as others aren’t seeing it in older versions of OSX. Naturally, my curiosity took over and I had to take a closer look at this binary. A brief skim through the disassembly makes it appear that gkoverride is invoked by the Security framework, and takes hashes of binaries in question (via the commandline), then sends the hashes to Apple, waits for a response, then returns a yes/no response (via stdout) presumably as to whether the binary should be allowed to run.

I poked around some of gkoverride’s caches, and also found mention of Google Chrome. I’ve never used Chrome, but the cache seemed to have Google’s public key identifier (which they use to sign the binary, I assume) in it. I haven’t had time to hunt down when gkoverride specifically gets invoked, but this occurred during a package installation. I’ll have to disassemble Security framework for more details. So upon an initial glance, it looks as though gkoverride may get triggered when new binaries are installed or initially run, to see if they’ve been white/blacklisted. What bothers me about this is that OSX seems to be sharing hashes of your binaries with Apple, and calling home. What bothers me more is that Apple likely now has a complete inventory of binaries I’ve installed on my machine, identified by the same IP address that my iCloud and other accounts connect from; therefore, personally identifiable.


Photography Gallery Online

After much refining and careful selection, I’ve gathered the courage to place my photography on public exhibit. I’ve posted my latest three galleries on my new photography website. I’ve also partnered with a trusted lab to deliver fine art prints and metal prints. To view my galleries, please visit http://photography.zdziarski.com.

I’m in no way leaving InfoSec, and am still very heavily invested in the law enforcement forensics community. Photography is a passion I’ve had for a while now, and love the fusion of art and science of it all. I hope you find something to enjoy in the gallery.

Features I’d like to see from Nikon

If Nikon is indeed working on advanced firmware options, I’d pay good money to have these:

  • A bulb lock that locks the shutter down until I press it again, and starts a timer on the screen. Canon M cameras do this.
  • The ability to view the image and histogram of the long exposure I’m taking while it’s exposing; this can help immensely with certain long exposures where you’re uncertain about shutter time. Canon M cameras do this too.
  • Support for exposure times beyond 30 seconds
  • A way to delete white balance presets
  • If I am taking an HDR photo at different shutter speeds, have the camera process it all in one shutter, and have different exposures save as they achieve their exposure levels.
  • Electronic Front Curtain should work when using exposure delay mode

Mystery: Processing the Aurora Borealis

Mystery


The Northern Lights making a grand entrance over Kirkjufell Mountain. A small, ten minute window opened up between hail storms that night as we fought to see the Aurora for the first time in our life. We were not disappointed. Nikon D800E, 14mm, f/2.8, ISO 1600, 15s.

My wife and I have been hunting the Aurora Borealis for two years now. In Norway 2013, we encountered a series of snowstorms for two weeks. We missed the Aurora, but captured some fantastic winter photography. This year, we headed for Iceland and Norway, and saw the Aurora in both. This shot was taken in Iceland at the iconic Kirkjufell Mountain. We didn’t have time to hike to the waterfall, because hail storms hit us every 5-10 minutes; it would then clear for a little while, then the storms would circle back around. Fortunately, we got some fantastic shots of the Aurora, and got the storms approaching the mountain as a bonus.

White Balance Tricks and Embracing High ISO Noise

To develop this shot, I used a Sodium Lamp white balance in DxO (this is somewhere around 2450K in Photoshop CC). This helped to bring out the blue-green of the sky while simultaneously cutting back the peach colors caused by light pollution from the nearby town of Grundarfjörður (I kept one shot with the peachy hues, as it’s still quite beautiful). Not much editing went into this shot at all. I applied some clarity with Topaz to add some definition, some minor dodging for shading and to bring out the reflection of the Aurora on the ground, and some sharpening. I used very minor noise reduction on the print edit, as most noise doesn’t show up in print, even at ISO 1600. Stronger noise reduction was used for the screen edit.

With a night shot like this, your first thought is probably to use noise reduction, but I say save it for last, and tread very lightly with it. Overdoing your noise reduction in print is the best way to get banding and other strange patterns appearing. Banding occurs because you have very strong gradients of clean, solid colors appearing next to each other… this happens when you apply too much noise reduction, or by blurring the sky. Printers simply can’t render this without banding. Here’s a secret: neither can your screen, except that your screen has built-in dithering, which basically adds noise to your colors.


The Best 150mm Filters in my Bag

Some of these are obscure, so if you’re a wide angle enthusiast, you may want to consider looking up these great filters.

Cavision CPL: Cavision makes an excellent 2mm 150x150mm square circular polarizer. It filters out unwanted polarized light, but unlike most CPLs, doesn’t filter out desirable non-polarized light. Therefore it isn’t overly dark like other CPLs, and gives you better quality color tones. This is a glass filter, not resin, and is therefore fragile. Because it is a circular polarizer (and not a linear polarizer), it works with auto-focus.

Formatt-Hitech Firecrest NDs: I have the ND3.0 and ND1.8, however they are available in all varieties up to 16 stops. These are the best NDs I’ve used so far, and are almost spot on true to color, at least as far as I’ve tested to 20 minute exposures. The ND3.0 is ever so slightly warm, but not nearly to the degree that other filters are (some of which are almost red in color). Virtually no additional color correction is needed with these filters.


Grey Card Control Test: Formatt-Hitech’s new Firecrest ND 3.0

“Firecrest ND is a revolutionary new type of ND filter from Formatt-Hitech. Rather than dyed resin, Firecrest is a carbon metallic coating used to create hyper neutral NDs. The filters are made from 2mm thick Schott Superwite glass, and the multicoating is bonded in the middle to increase scratch resistance. Firecrest Filters are neutral across all spectrums, including UV, visible, and infrared.” – Formatt-Hitech

I’ve just received my Firecrest ND 3.0 (10-stop), shipped from the manufacturer in the UK. These are so new that you won’t find them in stores yet. I had originally contacted Formatt-Hitech after suffering terrible color cast problems with their previous generation resin neutral density filters. These new filters are 2mm thick glass, not resin, and use a completely different coating process that supposedly helps keep colors neutral across long exposures. They come in a very nice box with a large plastic case (although I use the OneSixFive filter bag instead). Being glass, you’ll need to be very careful with it; they will break.

This is the first of a few tests I’ll be running against this filter to see how it holds up. For the grey card test, I taped a grey card to the wall and shot it both with and without the filter. The first exposure took 1s, and the exposure with the filter took 17:04. First I did this with white balance set to auto, and the second set I did with a cloudy white balance. Both sets were shot indoors to get a nice long exposure with consistent lighting.


Shooting Starscapes

This was my first go around with starscapes after reading this most excellent primer by a local New England photographer. That title shot of Hopewell Cape ironically is where my wife and I spent a small part of our honeymoon, so I have to go back and try this.

Once I get this technique down, I’ve been planning to make the five hour trip to shoot the Quoddy Lighthouse, as well as the Pemaquid Lighthouse and some others at night; eventually, I’ll make it back up to New Brunswick too.

The photo to your left is a winter cabin up in the Maine mountains; you can see the smoke from a burning wood fire on this cold winter night, and small night ski lights going on a mountain away. Temperatures were approaching -20 F when this photo was taken. While terrible for skin (dress warm!), cold weather makes for some of the clearest night skies. The Lovejoy comet is also showing this week, and so I’m hoping to catch it one of these nights.

This is a blended three-shot exposure; Sky: ISO 3200 @ 30s, Cabin: ISO 2000 @ 8m, Windows: ISO 2000 @ 30s. I used a flashlight to set the focus to infinity by reaching outside of the max focusing range of this lens. I then had to refocus on the cabin in order to take the cabin and window shots, as the depth of field at f/2.8 is quite shallow; if you don’t refocus then you end up with a blurry foreground. I then blended these exposures in Photoshop. Nothing fancy here, I just used masks and painted/blended everything by hand. You could do an HDR of sorts, too if you wanted. I ran each shot through camera raw, adjusting the exposure specifically for the part of the photo I was concentrating on. The sky exposure had a lot of contrast, noise reduction, and low blacks. I then took each exposure and just pasted it into a document, then masked each one over the other where I wanted it.  I also did some minor dodging and burning and used some basic filters, such as Topaz DeNoise (noise reduction), Topaz Clarity, Topaz Clean, Nik Low Key w/Mask, and Nik Sharpener 2 to finish the photo. I’m pretty happy with how it turned out!


A Meta-Data Resilient, Self-Funding “Dark” Internet Mail Idea

I’m still reading the specs on DIME, but already it’s leaving a bad taste in my mouth. It feels like it’s more or less trying to band-aid an already broken anonymous mail system, that really isn’t anonymous at all, and leaves far too much metadata lying around. Even with DIME, it looks like too much information is still exposed to be NSA proof (like sender and recipient domain names), and with all of the new moving parts, it leaves a rather large attack surface. It feels more as if DIME gives you plausible deniability, but not necessarily NSA proof anonymity, especially in light of TAO, and the likelihood at least one end of the conversation will be compromised or compelled by FISA. I could be wrong, but it at least got me thinking about what my idea of an Internet dark mail system would look like.

Let me throw this idea out there for you. We all want to be able to just write an email, then throw it anonymously into some large vortex where it will magically and anonymously end up in the recipient’s hands, right? What’s preventing that from being a reality? Well, a few things.
