About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and hacker. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski

How to Plan Your Own Photo Tour and Save Thousands

Photography tours and workshops sound exciting and even romantic to amateur photographers looking to get away and come home with some fantastic pictures. The concept is appealing: travel around with a pro photographer who can show you all the great places to shoot. Tours can certainly be beneficial, fun, and provide good instruction, but one other option you may consider is planning your own photography tour and saving possibly ten thousand dollars or more.

My wife and I are planning our second Iceland tour, and have been to different parts of Norway three times, as well as Hawaii, London, and many other common workshop destinations. Planning these trips was not as difficult as you might think, and from a cost perspective the difference is night and day. We also found many great benefits to doing it this way.

Continue reading

Preparing Photos for Print Using Luminosity Masks in Photoshop

One of the biggest thorns in the side of photographers is getting photos to print with resemblance to what they look like on-screen. Calibrating your screen when you process photos is, of course, the first step in ensuring that the colors match between screen and print. Many labs also provide proofing profiles that can be loaded into Photoshop to further fine tune how the colors will look on paper. One of my biggest peeves, however, has been adjusting the luminosity (brightness) of photos to look good on paper.

Most lab prints will turn out about 3x darker on paper than they look on a screen at full brightness, which is why calibration tools like ColorMunki Display tell you when your screen is too bright. For example, my MacBook Pro’s screen matches print when the brightness is turned down exactly six notches from max. The problem is, you can’t simply jack up the brightness of your photo, or you end up blowing out the highlights (such as your sky), or wrecking beautifully delicate mid-tones, such as dimly lit buildings. Assuming you’ve failed at this just like everyone else has, you’ve probably tried using CRA or masks to localize your adjustments, which leaves you with a photo that looks very uneven compared to the original. Fret no more; this is where luminosity masks can really come in and save your tail.

In this tutorial, I’ll show you how to create your own luminosity masks by hand (you can turn this into an action in Photoshop), and use them as a much simplified means of making targeted adjustments. It’s by far the most genuine technique to the original photo that I’ve used. These don’t have to just be used for brightness control; you can apply these masks to contrast, saturation, or any other adjustments you might need while processing your image.

The concept of luminosity masks has been around for a while, but I’m not sure if anyone has thought about using them to adjust for print. It works amazingly well.

Continue reading

Field Test: Formatt-Hitech FireCrest IRND 3.0

I took the FireCrest IRND 3.0 to Hawaii, and here are the results!

Camera: Nikon D800E
Lens: Sigma 35mm f/1.4 DG HSM "Art"
Filter System: ProGrey G-150X w/77mm Adapter, 67mm Step-up
Filter: Formatt-Hitech FireCrest IRND 3.0
Exposure Time: 30 seconds

The filter itself is definitely slightly cooler at long exposures, so the first thing you may notice is that I had to warm the color temperature from 6500K to 8000K for the comparison photo. This is to be expected to some degree among such strong neutral density filters, and in spite of Formatt-Hitech’s advertising, there is still some degree of that going on here. This is, of course, why shooting RAW is so important when doing long exposure. Once the color temperature was adjusted, however, you can see that the color channels proved to be almost completely neutral – that is, there was no shift in the reds (or blue, or green for that matter). This is where the FireCrest IRNDs really shine. By blocking the infrared spectrum (the IR in IRND), Formatt-Hitech was able to keep the photo from warming up too much in some areas, causing the color balance to fall apart. This can be a pain to correct in Photoshop.

The verdict for me is this: FireCrest isn’t a magic unicorn; you’re still going to have to adjust for the cooler color temperature that NDs experience when shooting long exposures. FireCrest did do a great job, however, preventing color shift, which is pretty hard to get right, and could easily ruin your shot if you’re using an economy filter.


How Profiling Has Weakened National Security

My wife and I drove up through Canada on the 4th of July weekend for a pleasant time in Montreal and Niagara Falls. The falls, Niagara-on-the-Lake, a wine trail you can get lost in, and a romantic French town made for a wonderful time. On the way in, however, the Canadian border crossing proved gloriously ignorant of American gun crime when they searched our vehicle on the sole premise that I hold a concealed carry permit in my state. The whole experience got me thinking quite a bit about the pitfalls of profiling, and in Canada’s too-liberal-to-use-common-sense case, their poor profiling practices have likely left them in a position of being even less secure.

Canada has been attempting to crack down on gun violence over the past few years by profiling individuals who hold concealed carry permits or who admit to owning guns at home. Some states are rumored to share this information with Canada; no doubt they at least flag passports based on intel from prior trips. The border patrol agents are quite intrusive, asking how many guns you own, what kind, and so on. Even if your visit shows a number of good indicators (such as traveling with a companion you are related to), merely owning a firearm is enough to bump you to the top of their suspect list. Canada claims to confiscate around 1,400 firearms from visiting Americans every year, and of course that is the metric they use to quantify their profiling efforts. In a nutshell, having a carry permit makes you a violent felon in Canada’s eyes. Not surprisingly, Canada’s inexplicable fear of guns has left them more vulnerable to gun violence by senselessly tainting their profiling capabilities.

Continue reading

Tl;Dr Notes on iOS 8 PIN / File System Crypto

Here’s iOS file system / PIN encryption as I understand it. I originally pastebin’d this but folks thought it was worth keeping around. (Thanks to Andrey Belenko for his suggestions for edits).

Block 0 of the NAND is used as effaceable storage and a series of encryption “lockers” are stored on it. This is the portion that gets wiped when a device is erased, as this is the base of the key hierarchy. These lockers are encrypted with a hardware key that is derived from a unique hardware id fused into the secure space of the chip (secure enclave, on A7 and newer chipsets). Only the hardware AES routines have access to this key, and there is no known way to extract it without chip deconstruction.

One locker, named EMF!, stores the encryption key that makes the file system itself readable (that is, the directory and file structure, but not the actual content). This key is entirely hardware dependent and is not entangled with the user passcode at all. Without the passcode, the directory and file structure is readable, including file sizes, timestamps, and so on. The only thing not included, as I said, is the file content.

Another locker, called BAGI, contains an encryption key that encrypts what’s called the system keybag. The keybag contains a number of encryption “class keys” that ultimately protect files in the user file system; they’re locked and unlocked at different times, depending on user activity. This lets developers choose whether files should get locked when the device is locked, or stay unlocked after the user enters their PIN, and so on. Every file on the file system has its own random file key, and that key is encrypted with a class key from the keybag. The keybag keys are encrypted with a combination of the key in the BAGI locker and the user’s PIN. NOTE: The operating system partition is not encrypted with these keys, so it is readable without the user passcode.

There’s another locker in the NAND (what Apple calls the class 4 key, and what we call the DKEY). The DKEY is not encrypted with the user PIN, and in versions of iOS before 8 it was the foundation for encryption of any file that was not specifically protected with “data protection”. Most of the file system at the time used the DKEY instead of a class key, by design. Because the PIN was not involved in the crypto (as it is with the class keys in the keybag), anyone with root-level access (such as Apple) could easily open the DKEY locker and therefore decrypt the vast majority of the file system that depended on it. The only files protected with the PIN up until iOS 8 were those with data protection explicitly enabled, which did not include a majority of Apple’s own files storing personal data. In iOS 8, Apple finally pulled the rest of the file system out of the DKEY locker, and now virtually the entire file system uses class keys from the keybag that *are* protected with the user’s PIN. The hardware-accelerated AES functions allow very fast encryption and decryption of the entire flash file system, which has made this technologically possible since the 3GS; for no valid reason other than design decisions, Apple decided not to properly encrypt the file system until iOS 8.
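The hierarchy described above, as an added illustration in Python. This is not Apple’s code: a SHA-256 keystream with an HMAC tag stands in for the hardware AES engine and the PIN entanglement is a plain PBKDF2 over the BAGI key, so only the shape (hardware key → lockers → keybag → class keys → per-file keys) is faithful. The two protection class names are the real NSFileProtection constants; the file paths are illustrative.

```python
"""Toy model of the iOS key hierarchy: lockers -> keybag -> class keys -> file keys.
Added illustration, not Apple's code. SHA-256 keystream + HMAC stands in for hardware AES."""
import hashlib
import hmac
import json
import os

NONE = "NSFileProtectionNone"          # pre-iOS 8 default: file key wrapped with the DKEY, no PIN
COMPLETE = "NSFileProtectionComplete"  # class A: file key wrapped with a keybag class key, PIN needed


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256; stand-in for the AES engine."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; blob layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("wrong key")  # a wrong PIN or the wrong hardware surfaces here
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def passcode_key(pin: str, bagi_key: bytes) -> bytes:
    """Entangle the PIN with the BAGI locker key so the keybag only opens on this device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), bagi_key, 20_000)


class Device:
    def __init__(self, pin: str):
        self.uid = os.urandom(32)  # fused hardware key; only the AES engine ever "sees" it
        emf, bagi, dkey, class_a = (os.urandom(32) for _ in range(4))
        # Block 0 / effaceable storage: every locker is wrapped under the hardware key
        self.lockers = {"EMF!": wrap(self.uid, emf), "BAGI": wrap(self.uid, bagi), "DKEY": wrap(self.uid, dkey)}
        # System keybag: class keys wrapped under BAGI key + PIN
        self.keybag = {COMPLETE: wrap(passcode_key(pin, bagi), class_a)}
        self.catalog = wrap(emf, b"{}")  # directory structure: EMF!-protected only, no PIN
        self.files = {}

    def _locker(self, name: str) -> bytes:
        return unwrap(self.uid, self.lockers[name])  # KeyError once erase() has run

    def _kek(self, protection: str, pin) -> bytes:
        if protection == NONE:
            return self._locker("DKEY")  # root access suffices; the PIN is never consulted
        if pin is None:
            raise PermissionError("PIN required for this class")
        return unwrap(passcode_key(pin, self._locker("BAGI")), self.keybag[protection])

    def write(self, path: str, data: bytes, protection: str = NONE, pin: str = None) -> None:
        file_key = os.urandom(32)  # every file gets its own random key
        self.files[path] = (wrap(self._kek(protection, pin), file_key), wrap(file_key, data), protection)
        emf = self._locker("EMF!")
        cat = json.loads(unwrap(emf, self.catalog))
        cat[path] = {"size": len(data), "protection": protection}
        self.catalog = wrap(emf, json.dumps(cat).encode())

    def read(self, path: str, pin: str = None) -> bytes:
        wrapped_key, content, protection = self.files[path]
        return unwrap(unwrap(self._kek(protection, pin), wrapped_key), content)

    def listing(self) -> dict:
        """Needs only the hardware key: names, sizes and classes are visible without the PIN."""
        return json.loads(unwrap(self._locker("EMF!"), self.catalog))

    def erase(self) -> None:
        self.lockers.clear()  # "Erase All Content": wiping Block 0 orphans every key below it


def demo() -> dict:
    """What opens without the PIN, what does not, and what an erase does (paths illustrative)."""
    dev = Device("1234")
    dev.write("/var/mobile/Library/SMS/sms.db", b"no data protection: DKEY only")
    dev.write("/var/mobile/Library/Mail/INBOX", b"class A: PIN entangled", COMPLETE, pin="1234")
    out = {
        "listing_without_pin": sorted(dev.listing()),
        "dkey_file_without_pin": dev.read("/var/mobile/Library/SMS/sms.db"),
        "class_a_with_pin": dev.read("/var/mobile/Library/Mail/INBOX", pin="1234"),
    }
    try:
        dev.read("/var/mobile/Library/Mail/INBOX", pin="0000")
        out["class_a_wrong_pin"] = "decrypted"
    except PermissionError:
        out["class_a_wrong_pin"] = "refused"
    dev.erase()
    try:
        dev.read("/var/mobile/Library/SMS/sms.db")
        out["after_erase"] = "decrypted"
    except KeyError:
        out["after_erase"] = "refused"
    return out
```

Running `demo()` shows the three points made above: the catalog and the DKEY-wrapped file open with the hardware key alone (the pre-iOS 8 situation for most of Apple’s own data), the class A file refuses a wrong PIN, and after `erase()` nothing opens because the lockers that anchor the whole tree are gone.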

Continue reading

Open Letter to the Commerce Department and Legislators, Regarding Wassenaar

To Whom it May Concern,

I am a published and respected forensics expert who pioneered the very first forensic techniques to extract data from the iPhone as early as 2008. Since then, I have spent several years, and much of my time, assisting numerous law enforcement and military agencies around the world, including our own. I’ve trained government agencies in the US, Canada, and UK, and trained law enforcement from dozens of our allies here at home in the US. My work has been validated by the NIJ/NIST. I have invested my time in providing free assistance to many US-based federal and state agencies who have flown personnel into my small town for help in the middle of the night. Because of my research and hard work, I’ve provided the necessary information to the rest of the industry to be able to perform iOS forensics, and a vast majority of today’s forensics solutions are founded upon my techniques.

I did all of this on my own personal time, and in many cases on my own dime. The tools and techniques I have developed are by no means “intrusion” tools, however due to the excessively broad nature of the Wassenaar proposal, would fall under its regulations as they bypass security mechanisms of devices and collect information from them. As all of my research is done personally, I have no large company with lawyers to address the impossible spider web of export regulations that would be introduced by Wassenaar. The current proposal as is would harm far more than simply the information security industry, but would also greatly damage the forensics industry and ultimately limit the quality of tools available to law enforcement agencies for conducting lawful forensics. My tools, as well as many commercial solutions, employ the use of exploits to collect information from devices for purposes that serve law enforcement and the greater good. I sometimes only privately release the source code to my own tools, as many commercial forensics manufacturers have stolen it in the past, yet I continue to help the law enforcement community. Wassenaar will do little to accomplish the goals it set out to, and instead make it impossible for security researchers like myself to further expand the base of knowledge by contributing openly to the community – which goes far beyond this country’s borders.

Continue reading

Enabling Awesome Hidden Screens on Your New Chevrolet

I was recently T-boned in a high speed crash, and only walked away by a miracle. After seeing how my Dodge RAM buckled, I came to abandon Chrysler completely. The side curtain airbags failed to deploy, and in spite of the outright lies they publish on the sticker for safety ratings, my 2010 RAM actually only had a three-star rating from the independent test labs, which became dreadfully apparent in the incredible amount of damage caused to the truck.

Enter my 2015 Silverado Z71. The truck is, as the commercials say, pretty boss, and this is by far the best truck I’ve ever owned. I initially looked at it only because Silverado/Sierra presently dominates the top spots on KBB’s truck safety ratings for 2015… as soon as I saw what Chevy had done with their trucks, though, all they had to do was shut up and take my money. The new engines are more powerful and fuel efficient than the old Vortec. The suspension is a dream. The triple sealed interior is unusually quiet, not to mention wrapped in leather and completely redesigned. USB ports everywhere, Siri Eyes-Free, Pandora, and flawless BT integration make the electronics in my pocket very happy. It seems as though Chevy has reinvented everything about themselves.

In spite of the fact that they use a cheesy name like “infotainment system”, the MyLink system is very high tech. In the process of geeking out over all of its capabilities, I came across several hidden screens that are not active by default. I didn’t see these documented or discussed anywhere, so thought I’d mention them; some may exist on other Chevy models, too, so it’s worth a look.

On Pilots and Mental Health

The recent airline tragedy involving a pilot who, suffering from mental illness, crashed his plane, killing about 150 passengers, has gotten me thinking about a mental health crisis in my family about seven years ago. Due to strict medical privacy legislation layered on top of antiquated mental health treatment laws, this tragedy has proven yet again how easy it is for the government to enable the mentally ill to isolate themselves and hide their illness – even when they are in a very high risk position that can affect hundreds of lives.

I wrote about this in an article some seven years ago, titled How Medical Privacy Laws Destroyed My Dad’s Mental Health. Read it. You may be surprised to find how government control of who your doctor is allowed to talk to can further deteriorate a patient’s mental state and lead to harmful outcomes. This may have been similar to what happened in this recent airline tragedy. My belief is that the choice of who a doctor can talk to is best left up to their discretion, not the government, and opening that communication with family can potentially prevent such tragedies, as well as avoid a worsening overall condition. I’m speaking from experience.

My heart and prayers go out to the victims’ families.

Running Invisible in the Background in iOS 8

Since publishing my findings last July, a number of security improvements have been made in iOS 8. Many services that posed a threat to user privacy have since been closed off, and are only open in beta versions of iOS. One small point I made in the paper was the threat that invisible software poses to the operating system:

“Malicious software does not require a device be jailbroken in order to run. … With the simple addition of an SBAppTags property to an application’s Info.plist (a required file containing descriptive tags identifying properties of the application), a developer can build an application to be hidden from the user’s GUI (SpringBoard). This can be done to a non-jailbroken device if the attacker has purchased a valid signing certificate from Apple. While advanced tools, such as Xcode, can detect the presence of such software, the application is invisible to the end-user’s GUI, as well as in iTunes. In addition to this, the capability exists of running an application in the background by masquerading as a VoIP client (How to maintain VOIP socket connection in background) or audio player (such as Pandora) by adding a specific UIBackgroundModes tag to the same property list file. These two features combined make for the perfect skeleton for virtually undetectable spyware that runs in the background.”

As of iOS 8, Apple has closed off the SBAppTags feature set so that applications cannot use that to hide applications, however it looks like there are still some ways to manipulate the operating system into hiding applications on the device. I have contacted Apple with the specific technical details and they have assured me that the problem has been fixed in iOS 8.3. As for now, however, it looks like iOS 8.2 and lower are still vulnerable to this attack. The attack allows for software to be loaded onto a non-jailbroken device (which typically requires a valid pairing, or physical possession of the device) that runs in the background and invisibly to the SpringBoard user interface.

The presence of a vulnerability such as this should heighten user awareness that invisible software may still be installed on a non-jailbroken device, and would be capable of gathering information that could be used to track the user over a period of time. If you suspect that malware may be running on your device, you can view software running invisibly with a copy of Xcode. Unlike the iPhone’s UI and iTunes, invisible software that is installed on the device will show up under Xcode’s device organizer.
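A check you can run yourself over Info.plist files pulled off a device with Xcode or out of an .ipa, added here as an example rather than code from the paper. It flags the two properties quoted above: an SBAppTags key of any value (only the key’s presence is tested; the tag value in the sample is a placeholder) and the UIBackgroundModes values that keep an app resident indefinitely. The two plists are constructed for the demo.

```python
"""Flag iOS apps whose Info.plist asks for icon hiding plus indefinite background execution.
Added example, not the author's tool; the sample plists are constructed."""
import plistlib

# UIBackgroundModes values that keep an app resident indefinitely (the two called out above)
PERSISTENT_MODES = {"voip", "audio"}


def assess_info_plist(plist_bytes: bytes) -> dict:
    """Return bundle id plus findings; an empty findings list means nothing stood out."""
    info = plistlib.loads(plist_bytes)
    findings = []
    hidden = "SBAppTags" in info  # the pre-8.3 trick for hiding the icon from SpringBoard
    if hidden:
        findings.append("SBAppTags present: %r" % (info["SBAppTags"],))
    persistent = sorted(set(info.get("UIBackgroundModes", [])) & PERSISTENT_MODES)
    if persistent:
        findings.append("persistent background modes: %s" % ", ".join(persistent))
    if hidden and persistent:
        findings.append("hidden AND always-running: matches the spyware skeleton described above")
    return {"bundle": info.get("CFBundleIdentifier", "<no CFBundleIdentifier>"), "findings": findings}


def scan(plists) -> list:
    """plists: iterable of (label, bytes). Returns only the entries that have findings."""
    results = []
    for label, data in plists:
        r = assess_info_plist(data)
        if r["findings"]:
            r["label"] = label
            results.append(r)
    return results


_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
_TAIL = b"</dict></plist>\n"

# Constructed sample: a notes app that only uses background fetch
BENIGN = _HEAD + b"""<key>CFBundleIdentifier</key><string>com.example.notes</string>
<key>UIBackgroundModes</key><array><string>fetch</string></array>
""" + _TAIL

# Constructed sample: a "helper" that hides its icon and claims to be a VoIP/audio app
# (the SBAppTags value is a placeholder; the check only looks for the key)
SUSPECT = _HEAD + b"""<key>CFBundleIdentifier</key><string>com.example.helper</string>
<key>SBAppTags</key><array><string>placeholder-tag</string></array>
<key>UIBackgroundModes</key><array><string>voip</string><string>audio</string></array>
""" + _TAIL

if __name__ == "__main__":
    for hit in scan([("notes.app/Info.plist", BENIGN), ("helper.app/Info.plist", SUSPECT)]):
        print(hit["label"], hit["bundle"])
        for finding in hit["findings"]:
            print("  -", finding)
```

Feed `scan()` the Info.plist of every bundle you can enumerate; a hit on both signals at once is the combination the paper describes, while a lone VoIP or audio mode is normal for a real phone or music app and needs a human look rather than an alarm.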

Continue reading

Testing for the Strawhorse Backdoor in Xcode

In the previous blog post, I highlighted the latest Snowden documents, which reveal a CIA project out of Sandia National Laboratories to author a malicious version of Xcode. This Xcode malware targeted App Store developers by installing a backdoor on their computers to steal their private codesign keys.

Screen Shot 2015-03-10 at 2.09.50 PM

So how do you test for a backdoor you’ve never seen before? By verifying that the security mechanisms it disables are working correctly. Based on the document, the malware apparently infects Apple’s securityd daemon to prevent it from warning the user prior to exporting developer keys:

“… which rewrites securityd so that no prompt appears when exporting a developer’s private key”

A good litmus test to see if securityd has been compromised in this way is to attempt to export your own developer keys and see if you are prompted for permission.

Continue reading

The Implications of CIA’s Jamboree

Early this morning, The Intercept posted several documents pertaining to CIA’s research into compromising iOS devices (along with other things) through Sandia National Laboratories, a major research and development contractor to the government. The documents outlined a number of project talks taking place at a closed government conference referred to as the Jamboree in 2012. The projects listed in the documents included the following pieces.


Rocoto, a chip-like implant that would likely be soldered to the 30-pin connector on the main board, and act like a flasher box that performs the task of jailbreaking a device using existing public techniques. Once jailbroken, a chip like Rocoto could easily install and execute code on the device for persistent monitoring or other forms of surveillance. Upon firmware restore, a chip like Rocoto could simply re-jailbreak the device. Such an implant could have likely worked persistently on older devices (like the 3G mentioned), however the wording of the document (“we will discuss efforts”) suggests the implant was not complete at the time of the talk. This may, however, have later been adopted into the DROPOUTJEEP implant, which was portrayed as an operational product in the NSA’s catalog published several months ago. The DROPOUTJEEP project, however, claimed to be software-based, where Rocoto seems to have involved a physical chip implant.


Strawhorse, a malicious implementation of Xcode, where App Store developers (likely not suspected of any crimes) would be targeted, and their dev machines backdoored to give CIA injection capabilities into compiled applications. The malicious Xcode variant was capable of stealing the developer’s private codesign keys, which would be smuggled out with compiled binaries. It would also disable securityd so that it would not warn the developer that this was happening. The stolen keys could later be used to inject and sign payloads into the developer’s own products without their permission or knowledge, which could then be widely disseminated through the App Store channels. This could include trojans or watermarks, as the document suggests. With the developer keys extracted, binary modifications could also be made at a later time, if such an injection framework existed.

In spite of what The Intercept wrote, there is no evidence that Strawhorse was slated for use en masse, or that it even reached an operational phase.

NOTE: At the time these documents were reportedly created, a vast majority of App Store developers were American citizens. Based on the wording of the document, this was still in the middle stages of development, and an injection mechanism (the complicated part) does not appear to have been developed yet, as there was no mention of it.

Continue reading

Trolls, Bullies, and CEOs: Dealing With the Dumbest People on Twitter

The following is based on my own personal experience with Twitter’s security team. Your mileage may vary.

I have some of the thickest skin around; that’s probably what makes Twitter work for me. The company itself, though, seems to be intentionally leaning in favor of supporting criminals and that’s not only ignorant, but incredibly self defeating. I spent a day in January entertained by a couple of idiots who claim to be part of Lizard Squad, but I have my doubts, as they have no technical skill whatsoever. They did the absolute most laughable job of trying to dox me, and failed miserably. As is the case with this type of harassment, they made the typical death threats you see them making everyone else: trying to incite fear by claiming a hit man is on his way to (what they thought) was my address, followed by a cheap public records search, which in my case had all wrong addresses dating back over 20 years. Even sadder is what was missing from the dox: they didn’t even know where I worked, or have any real accurate information about me to present. The photo they posted of me while “doxxing” me was an old O’Reilly Media photo, about 50lb heavier, that I had released when I published my first book. (O’Reilly has a better one of me now, that’s only a couple of years old). Other photos (like some old wedding photos) were ones I’d posted myself on my website; ironically only a couple of IPs dug back that far in my weblogs and none of them were Tor (idiots). It was a truly amateur attempt to release information on me that I not only knew was already publicly available, but had even released myself.

There is really no better word to describe these kids than “dipshits”.

This group of kindergarteners got other information wrong too that I won’t disclose. Sorry, guys, but there actually is more than one Jonathan Zdziarski in the world. Their sad, sad doxxing skills aren’t the only point I want to make, though. My other point here is to explain what Twitter did: absolutely nothing. That’s right. They did not even suspend an account, and in some cases they just stopped responding to me.

It’s these same kids who doxxed the person behind SwiftOnSecurity, and even claimed responsibility for hacking the real Taylor Swift’s account. These are the same ones who’ve made vicious death threats too, against myself, SwiftOnSecurity, and many others including some prominent feminists and gamers, using public records to look up addresses. Some people on Twitter became scared enough to actually leave their homes and contact the police after receiving personalized threats. Twitter is the chosen medium for instant fame and large follower counts; that’s why it is so good at attracting psychopaths. The only way it works is by allowing bullies to build a large follower base for popularity and by allowing users to create a set of [trackable] social connections.

Doxxing is kind of like asking the Internet for your FOIA record. It’s good to know what other people know about you, and what’s out there, and what’s not. Pretending your information isn’t out there is naive; it’s better to know, and even be able to point to screenshots of leaked data in the event that it’s ever used. Of course when it escalates to death threats and harassment, you have to at least go through the process of treating it seriously, even if you know the people behind it are powerless.


Continue reading

Lenovo’s Domain Record Appears Jacked

Early reports came in from The Verge that Lenovo was hacked; upon visiting the website, however, many reported no problems. Lenovo’s servers were not, in fact, hacked; it appears instead that the lenovo.com domain record was hijacked. Two whois queries below show that the domain was updated today and its name servers were changed from Lenovo’s own to CloudFlare’s.

Screen Shot 2015-02-25 at 4.29.33 PM

Given the recent DDoS attempts against Lenovo, it’s not entirely impossible that Lenovo decided to host with CloudFlare; given their own massive infrastructure, however, I’d call this extremely unlikely, and in that event the transition went quite miserably from The Verge’s point of view. What is most likely happening is that the defaced site is being hosted behind CloudFlare, and the name server records have simply been hijacked.
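The kind of comparison the two whois queries invite can be scripted. This is an added example, not code from the original post: it parses two whois snapshots of one domain in the common `Field: value` layout and flags name server, registrar and transfer-lock changes, the three things that separate a hijacked record from a planned migration. The snapshots are constructed with placeholder names, and real registrars vary their field names, so extend FIELDS to match the output you actually get.

```python
"""Triage two whois snapshots of the same domain for signs of a record hijack.
Added example, not from the original post; the snapshots are constructed."""
import re

FIELDS = {"registrar", "updated date", "name server", "domain status"}
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*?)\s*$")


def parse_whois(text: str) -> dict:
    """Collect the hijack-relevant fields; repeated fields become de-duplicated sorted lists."""
    rec = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if key in FIELDS:
            rec.setdefault(key, set()).add(val.lower().rstrip(".") if key == "name server" else val)
    return {k: sorted(v) for k, v in rec.items()}


def ns_operator(ns: str) -> str:
    """Crude registrable-domain guess (last two labels): enough to group ns1/ns2 of one operator."""
    return ".".join(ns.split(".")[-2:])


def triage(before: str, after: str) -> list:
    """Return alert strings describing changes that warrant a call to the registrar."""
    a, b = parse_whois(before), parse_whois(after)
    alerts = []
    ns_a, ns_b = set(a.get("name server", [])), set(b.get("name server", []))
    if ns_a != ns_b:
        new_ops = {ns_operator(n) for n in ns_b} - {ns_operator(n) for n in ns_a}
        msg = "name servers changed: %s -> %s" % (sorted(ns_a), sorted(ns_b))
        if new_ops:
            msg += " (new NS operator: %s)" % ", ".join(sorted(new_ops))
        alerts.append(msg)
    if a.get("registrar") != b.get("registrar"):
        alerts.append("registrar changed: %s -> %s" % (a.get("registrar"), b.get("registrar")))
    lost_locks = [s for s in set(a.get("domain status", [])) - set(b.get("domain status", []))
                  if "prohibited" in s.lower()]
    if lost_locks:
        alerts.append("lock(s) removed: %s" % ", ".join(sorted(lost_locks)))
    if alerts and b.get("updated date") != a.get("updated date"):
        alerts.append("record updated: %s" % ", ".join(b.get("updated date", ["?"])))
    return alerts


# Constructed snapshots with placeholder names, not real whois output
BEFORE = """Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar Ltd
Updated Date: 2014-11-03T09:12:00Z
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Name Server: NS1.EXAMPLE-CORP.COM
Name Server: NS2.EXAMPLE-CORP.COM
"""

AFTER = """Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar Ltd
Updated Date: 2015-02-25T21:04:31Z
Domain Status: ok
Name Server: alpha.ns.cdn-proxy.example
Name Server: beta.ns.cdn-proxy.example
"""

if __name__ == "__main__":
    for alert in triage(BEFORE, AFTER):
        print("ALERT:", alert)
```

A planned move to a CDN changes the name servers but normally leaves the transfer locks in place; name servers moving to a new operator at the same moment the locks disappear is the pattern that says the registrar account, not the web servers, is what was compromised.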

Lenovo uses an obscure Chinese registrar (webnic.cc), so it’s foreseeable that the registrar could have been socially engineered to gain control of the domain. How ironic would it be, though, if the credentials to Lenovo’s account were stolen by decrypting Lenovo traffic using Superfish certs? Perhaps poetic justice?

It looks as though the domain may have even been deleted from, or transferred out of webnic. If this is the case (and not just a malfunction), then it could take even longer for Lenovo to get the domain back.

Screen Shot 2015-02-25 at 5.05.44 PM

Naturally, as DNS takes time to propagate, more and more people will see the hacked version (sitting on some other server not at Lenovo), and when Lenovo finally regains control, it will take up to 24 hours or so for users to start seeing the DNS switch back.

This smells more of an amateur stunt rather than a good old fashioned hacking. No zero-days were harmed in the making of this defacement. In fact, Lenovo’s servers seem to be completely intact. Just another day at the zoo.

Speaking With a Vocabulary of Color

A wise woman once told me, “it takes a long time to learn how to play like yourself”, referring to my music. This was actually Vic Wooten’s mom, an amazing woman, who I had the pleasure of meeting during a three week retreat at Victor’s camp to learn more about music. I find the same is true in photography. Every photographer has a unique look and feel, and much of it is more than just camera technique. Technique is really only maybe 1/10th of the overall photo, just like technique is only about 1/10th of what makes music what it is.

Image toning and contrast play a big role in how you communicate your photo to someone. In music, we have dynamics and tone to communicate emphasis, emotion, and even mood; the same is true in photography: color is emphasis, emotion, and mood. If a picture is worth a thousand words, then tone and contrast help determine whether those words are screaming in all caps (which is entirely appropriate sometimes), soft gentle words, or void of emotion completely. Where you risk getting into trouble is when you’re trying to convey one emotion in your photograph, but the colors and contrast are conveying another, usually clashing, emotion. On one extreme, you’ve likely seen the outright blatant vibrance control abuse that can happen on sites like 500px. On the other end, some fantastic black and white photography conveys deeper meaning, but the emotion of color is lost.

Ocean Titan

Snæfellsnes Peninsula, Iceland. (Nikon D800E, 24mm, f/13)

Continue reading

CVF: SPF as a Certificate Validator for SSL

In light of the recent widespread MITM activity involving Superfish and Lenovo products, I dusted off an old technique introduced in the anti-spam community several years ago that would have prevented this, and that could, more importantly, put a giant dent in the capabilities of government-sponsored SSL MITM.

The Core Problem

The core of the problem with SSL is twofold; after all these years, thousands of Snowden documents, and more reason to distrust governments and be paranoid about hackers more than ever, we’re still putting an enormous amount of trust into certificate authorities to:

  1. Play by the rules according to their own verification policies and never be socially engineered
  2. Never honor any secret FISA court order to issue a certificate for a targeted organization
  3. Be secure enough to never be compromised, or to always know when they’ve been compromised
  4. Never hire any rogue employees who would issue false certificates

Not only are we putting an immense trust in our CAs, but we’re also putting even more trust into our own computers, and that the root certificates loaded into our trust store are actually trustworthy. Superfish proved that to not be the case, however Superfish has only done what we’ve been doing in the security community for years to conduct pen-tests: insert a rogue certificate into the trust store of a device. We’ve done this with iOS, OSX, Windows PCs, and virtually every other operating system as well in conducting pen-tests and security audits.

Sure, there is cert pinning, you say… however in most cases, when it comes to web browsers at least, cert pinning only pins your certificate to a trusted certificate authority. In the case of Superfish’s malware, cert pinning doesn’t appear to have prevented the interception of SSL traffic whatsoever. In fact, Superfish broke the root store so badly, that in some cases, self-signed certificates could even validate! In the case of CAs that have been compromised (either by an adversary, or via secret court orders), cert pinning can also be rendered ineffective, because it still primarily depends on trusting the CA and the root store.

We have existing solid means of validating the chain of trust, but SSL is still missing one core component, and that’s a means of validating with the (now trusted) host itself, to ensure that it thinks there’s nothing fishy about your connection. Relying on the trust store alone is why, after potentially tens of thousands of website visits, none of the web browsers thought to ask, “hey why am I seeing the same cert on every website I visit?”
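The question in that last sentence can be turned into a check. This is an added example, not part of the post or of the CVF proposal: it takes (host, leaf certificate fingerprint, issuer) observations such as a logging proxy or browser extension could record, and flags a single issuer standing behind nearly every site visited, which is what a Superfish root, a corporate TLS proxy or a pen-tester’s injected CA all look like from the client’s side. The observations are constructed.

```python
"""Heuristic for the question no browser asks: why is one issuer behind every site I visit?
Added example, not from the post or the CVF proposal; observations below are constructed."""
from collections import defaultdict


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels), enough to treat www/mail of one site as one domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit(observations, min_domains: int = 5, issuer_share: float = 0.9) -> list:
    """Return alert strings from two signals:
    1. one leaf fingerprint serving several unrelated domains (check its SAN list before
       acting: CDNs do legitimately share one certificate across customers), and
    2. one issuer signing the leaf for >= issuer_share of all observed domains once at least
       min_domains have been seen; normal browsing spreads across many CAs, a local
       interception root does not."""
    by_fp, by_issuer, domains = defaultdict(set), defaultdict(set), set()
    for host, fp, issuer in observations:
        d = registrable(host)
        domains.add(d)
        by_fp[fp.lower()].add(d)
        by_issuer[issuer].add(d)
    alerts = []
    for fp, ds in sorted(by_fp.items()):
        if len(ds) > 1:
            alerts.append("leaf %s... reused across %s" % (fp[:16], ", ".join(sorted(ds))))
    if len(domains) >= min_domains:
        for issuer, ds in sorted(by_issuer.items()):
            share = len(ds) / len(domains)
            if share >= issuer_share:
                alerts.append("issuer %r signs %d of %d domains (%.0f%%): local MITM root?"
                              % (issuer, len(ds), len(domains), 100 * share))
    return alerts


def _fp(seed: str) -> str:
    """Constructed 64-hex-digit 'fingerprint' for the demo data."""
    return (seed * 64)[:64]


# Constructed: ordinary browsing, leaf certs issued by several public CAs
NORMAL = [
    ("www.bank.example", _fp("a"), "Public CA One"),
    ("mail.webmail.example", _fp("b"), "Public CA Two"),
    ("shop.retail.example", _fp("c"), "Public CA One"),
    ("news.daily.example", _fp("d"), "Public CA Three"),
    ("login.social.example", _fp("e"), "Public CA Two"),
    ("cdn.static.example", _fp("f"), "Public CA Three"),
]

# Constructed: the same six sites seen through a Superfish-style interception root,
# which mints a fresh leaf per site but is the issuer for all of them
INTERCEPTED = [(host, _fp(str(i)), "Local Interception Root") for i, (host, _, _) in enumerate(NORMAL)]

if __name__ == "__main__":
    print(audit(NORMAL) or "normal browsing: no alerts")
    for alert in audit(INTERCEPTED):
        print("ALERT:", alert)
```

The issuer-concentration signal is deliberately silent until enough distinct domains have been seen, so a fresh profile that has only visited one company’s properties does not trip it; the trade-off is that the first few intercepted connections go unflagged, which is exactly the gap a host-side validator of the kind proposed here would close.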

Continue reading

Superfish Spyware Also Available for iOS and Android

For those watching the Superfish debacle unfold, you may also be interested to note that Superfish has an app titled LikeThat available for iOS and Android. The app is a visual search tool apparently for finding furniture that you like (whatever). They also have other visual search apps for pets and other idiotic things, all of which seem to be quite popular. Taking a closer look at the application, it appears as though they also do quite a bit of application tracking, including reporting your device’s unique identifier back to an analytics company. They’ve also taken some rather sketchy approaches to how they handle photos so as to potentially preserve the EXIF data in them, which can include your GPS position and other information.

To get started, just taking a quick look at the binary using ‘strings’ can turn up some sketchy information. Here are some of the URLs in the binary:

Continue reading

Tone and Drama

Dark Kings
Nikon D800E, 14mm, f/9, 15s

After developing several dozen photographs of Kirkjufell, they all started to look alike. If you’re putting a gallery together, this isn’t really a good thing. Even at different angles, different times of day, etc., each photo needs to be able to stand out on its own. Add to that, some website communities prefer different things (for example, 500px prefers either surrealistic landscapes, or large breasts). I took a couple photos that I had developed the same as the others, then decided to have some fun with them (no, I didn’t paste breasts onto either of them).

The first big change I made was to adjust the tone of the photo. The tone is the overall color rendering and tonal range. While I still do my best to stay true to the photo, adjusting the tone can still be done in a tasteful and realistic way. DxO Optics Pro offers an expansion Film Pack kit, which allows me to take a photo and apply it to different types of analog film; old school film came in many different types and depending on the chemical makeup, ISO, and other properties, you’d get a different tonal presentation depending on what film you used. The film I chose was Lomography Redscale ISO 100. This added a much warmer cast to the photo, and really brought out the reds. There are many other ways to alter the overall tone of a photo, too. Photoshop CC itself provides white balance, HSL sliders, color balance controls, and HDR toning options all within the software.

Continue reading

Lenovo Enabled Wiretapping of Your Computer

Robert Graham recently uncovered software that came preinstalled on Lenovo computers hiding under the guise of advertising-ware. While the media rushes to understand the technical details behind this, many are making the mistake of chalking it up to some poorly designed advertising / malvertising software with vulnerabilities. This is not the case at all, and it’s important to note that what’s been done here by Lenovo and SuperFish is by all accounts far more serious: a very intentionally designed eavesdropping / surveillance mechanism that allows Lenovo PCs’ encrypted traffic to be wiretapped anywhere it travels on the Internet. We’ll never know the true motives behind the software, but someone went to great lengths to maliciously transform encrypted traffic in a way that allows this electronic wiretapping, then bundled it with new Lenovo computers.

What Graham’s notes describe, and what the media is reporting, is commonly referred to as a Man-in-the-Middle attack on the victim’s computer; but this is only where the trouble begins. When the user goes to establish an encrypted connection with, say, Bank of America, the SuperFish software pretends that it’s Bank of America right on your computer, by using a phony certificate to masquerade as if it were actually the bank. SuperFish then talks to the real Bank of America using its own private keys to decrypt traffic coming back to it. Where this becomes dangerous is that it transforms the traffic while it’s in transit across the Internet, so that data coming back to the PC is encrypted with a key that SuperFish can decrypt and read.

The threat here goes far beyond that of just the victim’s computer or advertisements: by design, this allows for wiretapping of the PC’s traffic from anywhere it travels on the Internet. In addition to the local MiTM / advertising concerns the media is focusing on, it appears as though the way SuperFish designed their software allows anyone who has either licensed or stolen SuperFish’s private key to intercept and read any encrypted traffic from any affected Lenovo PC across the Internet, without ever having access to the computer. How is this possible? Because SuperFish appears to use the same private keys on every reported installation of the software, according to what Graham’s observed so far.

Continue reading

Well Written Piece on Crowd Shaming

How One Stupid Tweet Blew Up Justine Sacco’s Life isn’t just a piece about Justine Sacco; it’s a piece about the depravity of society and how the ferocity in shaming has evolved over a few hundred years. The nature of instantly rewarding those who essentially bully others creates a rather compound effect. The way social networks react today in this practice feels very Hitler-esque. While I’ve never been crowd shamed for anything, I have witnessed it in disgust several times. I often question if those who crowd shame are the same archetype who would have fit right into Hitler’s Nazi regime. The principles are the same: the instant gratification and reward of attention and acceptance by a crowd for destroying another human; scale is the only thing that’s really any different. I suspect those who would intentionally seek out the former would also seek out the latter, and those that would ignorantly go along with the former would likewise, under the right conditions, also be weak-minded enough to ignorantly go along with the latter.