IT Security Professional

This Submarine Crib Looks Like it Could be Out of a Movie Set


Rob Adams, World Art Lead for the Destiny video games, built this submarine themed baby crib out of fiberglass.


The post This Submarine Crib Looks Like it Could be Out of a Movie Set appeared first on Make: DIY Projects and Ideas for Makers.

I know a perfect place for this.

SEC Issues Guidance on Initial Coin Offerings and Cryptocurrencies


The National Law Review recently reported that, on July 25th, the U.S. Securities and Exchange Commission (SEC) issued its most comprehensive public guidance to date on digital assets such as cryptocurrencies and tokens. Key points:

  • Initial Coin Offerings (ICOs) are required to be registered with the SEC if the digital assets are securities offered or sold in the U.S.
  • Digital assets can be evaluated for securities status using traditional securities law criteria
  • Automated functions through smart contracts or other code remain subject to securities laws
  • Companies dealing in digital assets should consider seeking counsel as to whether the digital assets are securities
  • Companies dealing in digital currencies may need to register as broker-dealers, securities exchanges, or alternative trading systems
  • Companies investing in digital assets and advising on investment may need to register as investment companies or investment advisers

A "cryptocurrency" is a currency that is not issued by a government and is available as a means of exchange (and perhaps a storehouse of value). Bitcoin and ethereum are the best known examples, but new cryptocurrencies are created regularly. Many of these cryptocurrencies are created by private businesses for commercial purposes.

In an Initial Coin Offering (ICO), a new digital asset – commonly called a "coin" or "token" – is offered in exchange for bitcoin, ethereum or other value. Often these assets do not represent an interest in the profits of the issuer, but instead a potential means to transact in a new technology system to be created by the issuer. Typically, the coins offered in an ICO are described in a white paper with information that is quite limited, compared to a prospectus used in an initial public offering of securities. Highly publicized surges in the value of previously issued digital assets have increased demand for ICOs. Some have argued that ICOs are crowdfunding campaigns and not subject to the jurisdiction of the SEC because the issuer is outside of the U.S.

The guidance explains that tokens issued by The DAO in order to create a blockchain-based venture capital fund were, in fact, securities. (The DAO is an unincorporated entity set up as a decentralized autonomous organization – hence the acronym 'DAO'.) The SEC concluded from its investigation that DAO tokens were subject to its jurisdiction because they were offered for sale in the U.S. In reaching its conclusion, the SEC analyzed the tokens utilizing traditional investment-contract criteria and noted that investors purchased the coins with the expectation of earning profits from the efforts of others. This was not mitigated by the fact that projects that could be sponsored by The DAO could encompass services and goods to be used by token holders. Despite determining that the SEC had jurisdiction over DAO tokens, the SEC did not undertake an enforcement action against The DAO.

The SEC did not conclude that all tokens and cryptocurrencies are securities, but confirmed how the SEC would evaluate cryptocurrencies. The SEC also noted that form should be disregarded for substance and that economic realities should be a key to the analysis. Thus, any party contemplating a future ICO that is available to investors located in the U.S. should analyze the extent to which the offered asset could be considered a security. This analysis should reach the business model underpinning the offered assets and not be limited to the white paper description of the offered digital assets.

The July 25 report also considered the obligations of companies that are interacting with similar digital assets. The SEC determined the platforms that traded DAO tokens appear to have been exchanges subject to separate registration and other regulatory requirements overseen by the SEC. The staff separately noted that individuals associated with The DAO may have become investment advisers and The DAO may have become an investment company had it commenced operations, which could have required additional registration and regulation.

These statements suggest that companies that are conducting business in digital assets with investors in the U.S. may be in violation of U.S. securities laws and may be required to register with the SEC and to comply with applicable securities regulations.

The cryptocurrency world may not be the Wild, Wild West much longer!

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology

You had to know the SEC was going to get involved with ICOs. Still early to understand the full impact.

E-filing Comes to U.S. Supreme Court in November – Finally!!!


As the Washington Post reported on August 3rd, the Supreme Court will begin using an electronic filing system for documents starting November 13th, a move other federal courts began decades ago.

Initially, attorneys will have to submit documents both electronically and on paper, the court said. Litigants who aren't represented by attorneys, mainly prisoners filing on their own behalf, won't submit through the electronic system, but their paper filings will be scanned and made available by the court. Once the system is in place, virtually all new filings will be available for free to the public, the court said.

Lower federal courts have been quicker to embrace electronic filing. Testing of an electronic filing system began in the late 1990s, with electronic filing available in nearly all federal courts by 2007, according to the Administrative Office of the U.S. Courts. Documents are available to the public through the PACER website, short for Public Access to Court Electronic Records. Accessing documents costs 10 cents per page, though that's capped at $3 a document and there's no cost for looking at opinions or viewing documents at public access terminals at courthouses.

The availability of electronic filing at the Supreme Court follows the debut of its redesigned website in late July. Improvements to the site better support electronic filing, the court said, ahead of the website's unveiling. In November, a link on the website's home page will allow the public to access case documents. Attorneys will have to register to file documents.

While it has been a long time coming, I'm glad this is almost here and that filings will be available to the public. Lawyers have been e-filing in other courts for a long time, so making this transition is likely going to be pretty easy.



Auditing ASP.NET MVC Actions

Phil Haack is writing a blog post about ASP.NET MVC? What is this, 2011?

No, do not adjust your calendars. I am indeed writing about ASP.NET MVC in 2017.

It’s been a long time since I’ve had to write C# to put food on the table. My day job these days consists of asking people to put cover sheets on TPS reports. And only one of my teams even uses C# anymore, the rest moving to JavaScript and Electron. On top of that, I’m currently on an eight week leave (more on that another day).

But I’m not completely disconnected from ASP.NET MVC and C#. Every year I spend a little time on a side project I built for a friend. He uses the site to manage and run a yearly soccer tournament.

Every year, it’s the same rigmarole. It starts with updating all of the NuGet packages. Then fixing all the breaking changes from the update. Only then do I actually add any new features. At the moment, the project is on ASP.NET MVC 5.2.3.

I’m not ready to share the full code for that project, but I plan to share some interesting pieces of it. The first piece is a little something I wrote to help make sure I secure controller actions.

The Problem

You care about your users. If not, at least pretend to do so. With that in mind, you want to protect them from potential Cross Site Request Forgery attacks. ASP.NET MVC includes helpers for this purpose, but it’s up to you to apply them.

By way of review, there are two steps to this. The first step is to update the view and add the anti-forgery hidden input to your HTML form via the Html.AntiForgeryToken() method. The second step is to validate that token in the action that receives the form post. Do this by decorating that action method with the [ValidateAntiForgeryToken] attribute.

You also care about your data. If you have actions that modify that data, you may want to ensure that the user is authorized to make that change via the [Authorize] attribute.

This is a lot to track, especially if you’re in a hurry to build out a site. On this project, I noticed I had forgotten to apply some of these attributes where they belonged. When I fixed the few places I happened to notice, I wondered which places I had missed.

It would be tedious to check every action by hand. So I automated it. I wrote a simple controller action that reflects over every controller action. It then displays all the actions that might need one of these attributes.

Here’s a screenshot of it in action.

Screenshot of Site Checker in action

There are a few important things to note.

Which actions are checked?

The checker looks for all actions that might modify an HTTP resource. In other words, any action that responds to the following HTTP verbs: POST, PUT, PATCH, DELETE. In code, these correspond to action methods decorated with the following attributes: [HttpPost], [HttpPut], [HttpPatch], [HttpDelete] respectively. The presence of one of these attributes is a good indicator that the action method might modify data. Action methods that respond to GET requests should never modify data.

Do all these need to be secured?

For example, it wouldn’t make sense to decorate your LogOn action with [Authorize], as that violates causality. You don’t want to require users to be already authenticated before they log in to your site. That’s just silly sauce.

There’s no way for the checker to understand the semantics of your action method code to determine whether an action should be authorized or not. So it just lists everything it finds. It’s up to you to figure out if there’s any action (no pun intended) required on your part.

How do I deploy it?

All you have to do is copy and paste this SystemController.cs file into your ASP.NET MVC project. It just makes it easier to compile this into the same assembly where your controller actions exist.

Next, make sure there’s a route that’ll hit the Index action of the SystemController. If you have the default route that ASP.NET MVC project templates include present, you would visit this at /system/index.

Be aware that if you accidentally deploy SystemController, it will only respond to local requests (requests from the hosting server itself) and not to public requests. You really don’t want to expose this information to the public. That would be an open invitation to be hacked. You may like being Haacked, but it’s no fun to be hacked.

And that’s it.

How’s it work?

I kept all the code in a single file, so it’s a bit ugly, but should be easy to follow.

The key part of the code is how I obtain all the controllers.

// Requires: using System.Linq; using System.Reflection; using System.Web.Mvc;
var assembly = Assembly.GetExecutingAssembly();

var controllers = assembly.GetTypes()
    .Where(type => typeof(Controller).IsAssignableFrom(type) && !type.IsAbstract) // filter to concrete controllers; abstract base controllers have no routable actions
    .Select(type => new ReflectedControllerDescriptor(type)); // MVC's own descriptor, which exposes GetCanonicalActions()

The first part looks for all types in the currently executing assembly. But notice that I wrap each type with a ReflectedControllerDescriptor. That type contains the useful GetCanonicalActions() method to retrieve all the actions.

It would have been possible for me to get all the action methods without using GetCanonicalActions by calling type.GetMethods(...) and filtering the methods myself. But GetCanonicalActions is a much better approach since it encapsulates the same logic ASP.NET MVC uses to locate actions.

As such, it handles cases such as when an action method is named differently from the underlying class method via the [ActionName("SomeOtherMethod")] attribute.

What’s Next?

There are so many improvements we could make (notice how I’m using “we” in a bald attempt to pull you into this?) to this. For example, the code only looks at the HTTP* attributes. But to be completely correct, it should also check the [AcceptVerbs] attribute. I didn’t bother because I never use that attribute, but maybe you have some legacy code that does.

Also, there might be other things you want to check. For example, what about mass assignment attacks? I didn’t bother because I tend to use input models for my action methods. But if you use the [Bind] attribute, you might want this checker to look for issues there.
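As an added example (not the SystemController.cs from the post, nor any of Phil Haack’s code), here is one way to build the checker described in “How’s it work?”, extended to also honour [AcceptVerbs] as suggested above and restricted to local requests as the post says its own checker is. It assumes ASP.NET MVC 5.2.x (System.Web.Mvc); the names ActionAuditEntry, AuditActions and MutatingVerbsFor are my own choices.

```csharp
// Added example, not the post's SystemController.cs. Assumes ASP.NET MVC 5.2.x.
// ActionAuditEntry, AuditActions and MutatingVerbsFor are names chosen here.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text;
using System.Web.Mvc;

public class ActionAuditEntry
{
    public string Controller { get; set; }
    public string Action { get; set; }
    public HttpVerbs Verbs { get; set; }
    public bool HasAntiForgery { get; set; }
    public bool HasAuthorize { get; set; }
}

public class SystemController : Controller
{
    // Verbs that may change server state; GET should never modify data.
    private const HttpVerbs MutatingVerbs =
        HttpVerbs.Post | HttpVerbs.Put | HttpVerbs.Patch | HttpVerbs.Delete;

    // Reachable at /system/index with the default route, but only from the
    // hosting machine: the report is a map of the site's weak spots.
    [HttpGet]
    public ActionResult Index()
    {
        if (!Request.IsLocal)
        {
            return new HttpStatusCodeResult(404);
        }

        var report = new StringBuilder();
        foreach (var entry in AuditActions(Assembly.GetExecutingAssembly()))
        {
            report.AppendFormat("{0}.{1} [{2}] antiforgery={3} authorize={4}\n",
                entry.Controller, entry.Action, entry.Verbs,
                entry.HasAntiForgery, entry.HasAuthorize);
        }
        return Content(report.Length == 0 ? "No findings.\n" : report.ToString(), "text/plain");
    }

    // Walks every concrete controller with MVC's own descriptors, so actions
    // renamed via [ActionName] are reported under the name MVC routes to.
    public static IEnumerable<ActionAuditEntry> AuditActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .Select(t => new ReflectedControllerDescriptor(t));

        foreach (var controller in controllers)
        {
            // [Authorize] on the controller class covers all of its actions.
            bool controllerAuthorized = controller
                .GetCustomAttributes(typeof(AuthorizeAttribute), true).Any();

            foreach (var action in controller.GetCanonicalActions())
            {
                HttpVerbs verbs = MutatingVerbsFor(action);
                if (verbs == 0)
                {
                    continue; // responds only to GET/HEAD/OPTIONS; out of scope
                }

                bool hasAntiForgery = action
                    .GetCustomAttributes(typeof(ValidateAntiForgeryTokenAttribute), true).Any();
                bool hasAuthorize = controllerAuthorized || action
                    .GetCustomAttributes(typeof(AuthorizeAttribute), true).Any();

                if (hasAntiForgery && hasAuthorize)
                {
                    continue; // fully decorated; nothing to review
                }

                yield return new ActionAuditEntry
                {
                    Controller = controller.ControllerName,
                    Action = action.ActionName,
                    Verbs = verbs,
                    HasAntiForgery = hasAntiForgery,
                    HasAuthorize = hasAuthorize,
                };
            }
        }
    }

    // Covers [HttpPost]/[HttpPut]/[HttpPatch]/[HttpDelete] and, closing the gap
    // the post mentions, [AcceptVerbs("POST", ...)] on legacy actions.
    private static HttpVerbs MutatingVerbsFor(ActionDescriptor action)
    {
        HttpVerbs verbs = 0;
        foreach (object attribute in action.GetCustomAttributes(true))
        {
            if (attribute is HttpPostAttribute) verbs |= HttpVerbs.Post;
            else if (attribute is HttpPutAttribute) verbs |= HttpVerbs.Put;
            else if (attribute is HttpPatchAttribute) verbs |= HttpVerbs.Patch;
            else if (attribute is HttpDeleteAttribute) verbs |= HttpVerbs.Delete;

            var accept = attribute as AcceptVerbsAttribute;
            if (accept != null)
            {
                foreach (string verb in accept.Verbs)
                {
                    HttpVerbs parsed;
                    if (Enum.TryParse(verb, true, out parsed)) verbs |= parsed;
                }
            }
        }
        return verbs & MutatingVerbs;
    }
}
```

Drop the file into the MVC project, browse to /system/index from the server itself, and you get one plain-text line per state-changing action that lacks [ValidateAntiForgeryToken], [Authorize], or both. A class-level [Authorize] is treated as covering its actions, and, as in the post, an entry in the report is a prompt to look, not proof of a bug: actions such as LogOn legitimately appear without [Authorize].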

Well that’s great. I don’t plan to spend a lot of time on this, but I’d be happy to accept your contributions! The source is on GitHub.

Let me know if this is useful to you or if you use something better.


There is No Innovation in Perfection


Do as I say, not as I do

This is a quote I tweeted out last week with the comment
A good reminder for us damn perfectionists:

“It is easy to begin once you have accepted that what you produce may not be very good, and that’s normal.” — Megan McArdle

But, clearly. As I sit here at 5am because I’ve been up all night trying to put together a perfect blog post for my 30 posts in 30 days challenge. Well, clearly… I’m not remembering that at all.

A bit of back story…

Einstein and Newton and Neo, Oh My

I recently took the 16 Personalities Test and came out as an INTP, aka “The Logician.” That’s the same personality type as Einstein and Newton and Pascal and… wait for it. Neo.

(there is no spoon)

Too cool!

Right up until I read the description…

“The one thing that really holds INTPs back is their restless and pervasive fear of failure. INTP personalities are so prone to reassessing their own thoughts and theories, worrying that they’ve missed some critical piece of the puzzle, that they can stagnate, lost in an intangible world where their thoughts are never truly applied.”

Okay, yes, there are several pages describing INTP on 16 personalities.

But all I could see was “pervasive fear of failure.” And all I could think was, without failure, there is no innovation. Where does that leave me?

I kept thinking back to all the times I’d done that: reassessing my own thoughts and spending forever hunting down that critical missing piece of the puzzle before I’d allow myself to move forward.

This endless searching for better, more complete, perfectly bullet-proof ways of doing things… it really gets in the way of Getting Shit Done.

Just put something out there!

I tell this to all of the startups I advise. But, obviously, do as I say, not as I do.

We don’t have to have the perfect answer. We just have to have a reasonably good guess that we can use as a stake in the ground from which to start.

To get our name out there, to kick off our project, to get involved in the space that we’re interested in, to share our idea. Whatever it is. We can’t get anywhere if we don’t ever allow ourselves to start.

And just because we start with something, that doesn’t lock us into it. Once we start, we can evolve what we did, continue to make it better if we choose. Or we can simply enjoy the fact that we put ourselves out there, shared a bit of our gift with the world, and feel proud of that before moving onto our next thing.

From imperfection come insights and learning

And, here’s the thing. If we can, as McArdle suggests, truly embrace that what we put out there may not be very good, well, then that leaves us open to so many new ideas and gifts of insight and learning.

Gifts and knowledge that we may have been closed off to if we decided that what we’d put out there was “perfect” or “complete.”

If we share something where we’re missing a crucial piece of the puzzle, then we open ourselves to the possibility of being enlightened by others who have different viewpoints and different knowledge to share. Things they might not have had an opportunity to share with us if we hadn’t allowed our imperfect creation to go out into the world.

That’s kind of awesome, right?

I love this advice by James Altucher,

“Pretend everyone was sent to this planet to teach you.”

I try to remind myself of this regularly. It’s amazing what you’ll learn when you open yourself up.

What were YOU sent to this planet to teach? I’m ready to learn!

The post There is No Innovation in Perfection appeared first on The Hacker Chick Blog.


Penetrating a Casino's Network through an Internet-Connected Fish Tank

Attackers used a vulnerability in an Internet-connected fish tank to successfully penetrate a casino's network.

BoingBoing post.
