Remote Mac Exploitation via Custom URL Schemes

Patrick Wardle:

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it’s wise to automatically open “safe” files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user’s filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

Now that the malicious app’s custom URL schemes are registered (on the target’s system), code within the malicious webpage can load or “browse” to the custom URL. This is easy to accomplish in JavaScript:

window.location.replace('windshift://');

Behind the scenes macOS will look up the handler for this custom URL scheme, which of course is our malicious application (that was just downloaded). Once this lookup is complete, the OS will kindly attempt to launch the malicious application to handle the URL request!
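
A defender-side check for the behaviour described in the excerpt above, as an added example that is not part of Wardle's post: it lists every app bundle under a folder (for instance a Downloads directory) that declares a custom URL scheme through the CFBundleURLTypes / CFBundleURLSchemes keys of its Info.plist. The helper names and the sample bundles are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def declared_schemes(app: Path) -> list[str]:
    """Return the URL schemes an .app bundle declares in its Info.plist."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return []  # missing or unparsable plist: nothing we can read
    url_types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    if not isinstance(url_types, list):
        return []
    schemes = []
    for url_type in url_types:
        names = url_type.get("CFBundleURLSchemes") if isinstance(url_type, dict) else None
        if isinstance(names, list):
            # URL schemes are case-insensitive, so normalise before reporting.
            schemes += [n.lower() for n in names if isinstance(n, str)]
    return schemes


def find_handlers(root: Path) -> list[tuple[str, str]]:
    """List (bundle path relative to root, scheme) for every bundle under root."""
    hits = []
    for app in root.rglob("*.app"):
        if app.is_dir():
            rel = app.relative_to(root).as_posix()
            hits += [(rel, scheme) for scheme in declared_schemes(app)]
    return sorted(hits)


def build_sample(root: Path) -> None:
    """Constructed sample: a folder as it might look after an auto-unzip."""
    samples = {
        # Declares the scheme used in the quoted JavaScript line.
        "Report.app": plistlib.dumps({
            "CFBundleIdentifier": "example.constructed.report",
            "CFBundleURLTypes": [{"CFBundleURLSchemes": ["windshift"]}],
        }),
        # Ordinary bundle with no URL scheme declaration.
        "Notes.app": plistlib.dumps({"CFBundleIdentifier": "example.constructed.notes"}),
        # Damaged plist: must be skipped without raising.
        "Broken.app": b"not a plist",
    }
    for name, data in samples.items():
        contents = root / name / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(data)


def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return find_handlers(Path(tmp))


if __name__ == "__main__":
    for bundle, scheme in demo():
        print(f"{bundle} declares {scheme}://")
```
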

A reliable credit-card skimmer detector: a card that detects multiple read heads

A team from the University of Florida won a 2018 Usenix Security Distinguished Paper Award for Fear the Reaper: Characterization and Fast Detection of Card Skimmers, which presents their work on the "Skim Reaper," a fast, easy-to-use, reliable credit-card skimmer-detector.

The Disproportional Power of Anecdotes

Humans, it seems, have an innate tendency to overgeneralize from small samples. How many times have you been caught in an argument where the only proof offered is anecdotal? Perhaps your co-worker saw this bratty kid make a mess in the grocery store while the parents appeared to do nothing. “They just let that child pull things off the shelves and create havoc! My parents would never have allowed that. Parents are so permissive now.” Hmm. Is it true that most parents commonly allow young children to cause trouble in public? It would be a mistake to assume so based on the evidence presented, but a lot of us would go with it anyway. Your co-worker did.

Our propensity to confuse the “now” with “what always is,” as if the immediate world before our eyes consistently represents the entire universe, leads us to bad conclusions and bad decisions. We don’t bother asking questions and verifying validity. So we make mistakes and allow ourselves to be easily manipulated.

Political polling is a good example. It’s actually really hard to design and conduct a good poll. Matthew Mendelsohn and Jason Brent, in their article “Understanding Polling Methodology,” say:

Public opinion cannot be understood by using only a single question asked at a single moment. It is necessary to measure public opinion along several different dimensions, to review results based on a variety of different wordings, and to verify findings on the basis of repetition. Any one result is filled with potential error and represents one possible estimation of the state of public opinion.

This makes sense. But it’s amazing how often we forget.

We see a headline screaming out about the state of affairs and we dive right in, instant believers, without pausing to question the validity of the methodology. How many people did they sample? How did they select them? Most polling aims for random sampling, but there is pre-selection at work immediately, depending on the medium the pollsters use to reach people.

Truly random samples of people are hard to come by. In order to poll people, you have to be able to reach them. The more complicated this is, the more expensive the poll becomes, which acts as a deterrent to thoroughness. The internet can offer high accessibility for a relatively low cost, but it’s a lot harder to verify the integrity of the demographics. And if you go the telephone route, as a lot of polling does, are you already distorting the true randomness of your sample size? Are the people who answer “unknown” numbers already different from those who ignore them?

Polls are meant to generalize larger patterns of behavior based on small samples. You need to put a lot of effort in to make sure that sample is truly representative of the population you are trying to generalize about. Otherwise, erroneous information is presented as truth.

Why does this matter?

It matters because generalization is a widespread human bias, which means a lot of our understanding of the world actually is based on extrapolations made from relatively small sample sizes. Consequently, our individual behavior is shaped by potentially incomplete or inadequate facts that we use to make the decisions that are meant to lead us to success. This bias also shapes a fair degree of public policy and government legislation. We don’t want people who make decisions that affect millions to be dependent on captivating bullshit. (A further concern is that once you are invested, other biases kick in).

Some really smart people are perpetual victims of the problem.

Joseph Henrich, Steven J. Heine, and Ara Norenzayan wrote an article called “The weirdest people in the world?” It’s about how many scientific psychology studies use college students who are predominantly Western, Educated, Industrialized, Rich, and Democratic (WEIRD), and then draw conclusions about the entire human race from these outliers. They reviewed scientific literature from domains such as “visual perception, fairness, cooperation, spatial reasoning, categorization and inferential induction, moral reasoning, and the heritability of IQ. The findings suggest that members of WEIRD societies, including young children, are among the least representative populations one could find for generalizing about humans.”

Uh-oh. This is a double whammy. “It’s not merely that researchers frequently make generalizations from a narrow subpopulation. The concern is that this particular subpopulation is highly unrepresentative of the species.”

This is why it can be dangerous to make major life decisions based on small samples, like anecdotes or a one-off experience. The small sample may be an outlier in the greater range of possibilities. You could be correcting for a problem that doesn’t exist or investing in an opportunity that isn’t there.

This tendency of mistaken extrapolation from small samples can have profound consequences.

Are you a fan of the San Francisco 49ers? They exist, in part, because of our tendency to over-generalize. In the 19th century in Western America and Canada, a few findings of gold along some creek beds led to a massive rush as entire populations flocked to these regions in the hope of getting rich. San Francisco grew from 200 residents in 1846 to about 36,000 only six years later. The gold rush provided enormous impetus toward California becoming a state, and the corresponding infrastructure developments touched off momentum that long outlasted the mining of gold.

But for most of the actual rushers, those hoping for gold based on the anecdotes that floated east, there wasn’t much to show for their decision to head west. The Canadian Encyclopedia states, “If the nearly 29 million (figure unadjusted) in gold that was recovered during the heady years of 1897 to 1899 [in the Klondike] was divided equally among all those who participated in the gold rush, the amount would fall far short of the total they had invested in time and money.”

How did this happen? Because those miners took anecdotes as being representative of a broader reality. Quite literally, they learned mining from rumor, and didn’t develop any real knowledge. Most people fought for claims along the creeks, where easy gold had been discovered, while rejecting the bench claims on the hillsides above, which often had just as much gold.

You may be thinking that these men must have been desperate if they packed themselves up, heading into unknown territory, facing multiple dangers along the way, to chase a dream of easy money. But most of us aren’t that different. How many times have you invested in a “hot stock” on a tip from one person, only to have the company go under within a year? Ultimately, the smaller the sample size, the greater role the factors of chance play in determining an outcome.

If you want to limit the capriciousness of chance in your quest for success, increase your sample size when making decisions. You need enough information to be able to plot the range of possibilities, identify the outliers, and define the average.

So next time you hear the words “the polls say,” “studies show,” or “you should buy this,” ask questions before you take action. Think about the population that is actually being represented before you start modifying your understanding. Accept the limits of small sample sizes from large populations. And don’t give power to anecdotes.

The post The Disproportional Power of Anecdotes appeared first on Farnam Street.

A public bus named desire

This was originally published in Nov 2015.

When I first stumbled across the streetcar vs bus rapid transit (BRT) debate, I was strongly biased towards streetcars. My opinion was largely shaped by the few weeks I spent in Berlin this past summer. While I was in Germany, I relied most heavily on Berlin's friendly yellow Metrotrams. I really only used the U-bahn and S-bahn when I had to make long, cross-city trips, where the travel time difference was more than 10 or 15 minutes. I used the bus system only once, despite the fact that it was just as extensive as the Metrotram lines.



At the time, I naturally gravitated towards the Metrotrams without consciously considering buses, their main substitute. For all obvious intents and purposes, the bus and metro systems are basically equivalent, so it's strange that I used one so heavily while all but ignoring the other. I can think of a few reasons why this might have happened:

  • As a first-time visitor to the city with a limited grasp of the German language, I liked the sense of direction the fixed tracks offered. When trying to figure out how to get somewhere, it was nice to see the rails trailing through the city, clearly marking the Metrotram's route.
  • Somehow the trams felt more predictable and dependable than the buses. This intuition is wrong, at least in Berlin's case—bus routes are just as well-defined and stable (at least in the short-term), and all transit options in Berlin run almost perfectly on time (yay for German precision, unlike the Caltrain, Muni, and BART...). My hypothesis is that this perception is another byproduct of the fixed tracks, because they foster a sense of permanence that boosts the entire system's credibility.
  • I've always associated buses with the sketchiest, most obnoxious transit riders. My main exposure to buses has been riding SF's dingy, smelly cars crushed by mobs of drunk Giants fans and overly talkative tourists. I'm confident in saying that buses have a similar image problem among most middle-class Americans. My stigmatized perception of buses governed my transit decisions, despite the fact that Berlin's buses are actually very clean, and its riders are on the whole very polite.

Upon further reflection, I see that streetcars' advantages (as expressed in a previous post) all have one trait in common: they are a product of perception. Meanwhile, buses' advantages are far easier to quantify. As a result, it is easy for BRT advocates to dismiss streetcars' advantages as petty and unimportant.

I have begrudgingly come to agree that BRT is the way forward; streetcars' modest advantages simply cannot justify their cost. However, rather than dismissing them entirely, it is critical that planners incorporate streetcars' advantages into BRT systems. A few ideas for how they could do this:

  • Make the bus routes clear and permanent feeling. Ideally you have full-on bus "tracks", segregated from the other lanes of traffic, but you could also simply paint bus routes directly onto the streets. This paint would serve the same function as tram rails running through the city, offering a sense of direction and permanence for a fairly low price.
  • Emphasize a clean aesthetic on both the interior and exterior of the buses. Implement a zero-tolerance policy for messes, and design the interior and exterior of the buses with long-term aesthetics in mind.
    • All forms of public transit –– but especially buses –– are vulnerable to stigmatization as being dirty and unsafe. Given the sheer volume and diversity of riders, it's easy to descend below a basic level of sanitation, comfort, and even safety. Any public vehicle quickly devolves into a moving trashcan and graffiti canvas without proper custodial attention. (Never use Caltrain's onboard bathrooms towards the end of rush hour. Just don't.) However, this is not inevitable!
    • Immediate cleanup of messes reminiscent of the NYC subway's zero-tolerance policy for graffiti in the mid 80s could minimize broken windows behavior.
      • Riders take far less care with their messes when a space is already dirty, which means that once a vehicle is gross it often spirals down to the depths of disgust until it is finally cleaned. It's important to keep to cleanliness above that critical threshold to ensure that it doesn't enter that spiral.
      • People are less inclined to use transit if it is dirty. This results in thinning out of riders, leaving the space to sketchier characters. I for one feel much safer riding public transit alongside a large, diverse group of people rather than in a vehicle that is nearly-empty with the exception of one or two sketchy people. This has a cyclical effect –– without a critical mass of reputable-looking individuals, others are less likely to take that form of transit. This leads to a downward spiral of perception as well as actual safety.
    • Certain materials, colors, and designs are better suited for long-term use. For example, the brushed aluminum seats on the Seoul metro (to the right) are easy to clean and long-lasting, and they're even shiny! Those cars look like they belong in an industrial kitchen, not an urban transit system. In contrast, seats in many American buses are made of much less durable materials. I have a particularly vivid memory of the buses that hauled my elementary school classes off to various field trips. The seats were outfitted with an ugly vinyl that was brittle and cracked, revealing filthy yellow padding below. A simple choice of more durable, attractive materials would have single-handedly improved my childhood impression of mass transit. (Lucky for the school, we were a captive audience.) If the seats had looked more like the radiant blue of the bus seats pictured to the right, I would have seen mass transit as just another way to get around rather than as a stinky death trap.

It's true that none of the benefits of streetcars account for tangible differences. If riders' only goal was to get from point A to point B as fast and cheaply as possible, BRT would categorically sweep streetcars in this debate. However, riders care about more than just speed and cost; their transit decisions are also influenced by comfort and safety, and they are just as much shaped by perception as the actual experience.

Streetcars clearly win on this count –– they are just so cute! They harken to an older time, and they feel more permanent and sturdy than buses. These factors do not outweigh the advantages of BRT, but they should not be ignored. The perfect system would incorporate the advantages of both options, and there are easy, low-cost steps that could be taken in that direction.
bjtitus
14 days ago
reply
An excellent analysis of BRT. I have the same issue with Light Rail versus bus in Denver. While light rail has traffic advantages, I still view buses as less permanent and dirtier.
Denver, CO
samuel
16 days ago
reply
Bus Rapid Transit versus streetcars. I want streetcars to win but BRT is the future. This post goes into the exciting details about what should happen to make BRT closer to streetcars in terms of perception.
The Haight in San Francisco
Every US President at their worst

On Twitter, @InstantSunrise wrote an entertaining thread “in which I drag every single US president in order”. She starts off with The Founding Fathers:

Thomas Jefferson: Motherfucker owned slaves, and was a rapist, committed forced removal against Native Americans. Started an actual war in North Africa and a trade war with Britain that would eventually escalate into an actual war.

Andrew Jackson is deservedly dragged more than most:

Ohhhhhh my god. This absolute motherfucker garbage president. Literally committed genocide. Owned slaves, gave govt. jobs to people who gave him money. Decided that a central bank was a bad idea and closed it in 1837, breaking the entire economy.

Teddy Roosevelt gets a B/B-:

Did some good busting trusts and monopolies with his big dick energy. Discovered that if you bait the media with “access” they’ll eat up whatever shit you say. Had a lot of policies that were racist as shit, like banning all Japanese ppl from entering the US.

Woodrow Wilson gets a Jackson-esque OMG:

Ohhhhhh my god. Dude was like super fucking racist. So racist that his election emboldened racists enough where they literally revived the KKK. His AG, Palmer, loved to deport leftists for no reason. There’s so much shit about Wilson I can’t fit it into 280 chars.

I think she could have gone in on Nixon a bit harder (for creating the war on drugs for example):

Created the southern strategy and stoked racial tensions. Sabotaged the peace negotiations for Vietnam in order to get elected, then prolonged the war. Bombed the shit out of Laos and Cambodia for no real reason. Also watergate.

Only Lincoln and John Quincy Adams get off relatively unscathed.

Offering a more progressive definition of freedom

Pete Buttigieg is the mayor of South Bend, Indiana. He is a progressive Democrat, Rhodes scholar, served a tour of duty in Afghanistan during his time as mayor, and is openly gay. In a recent interview with Rolling Stone, Buttigieg talked about the need for progressives to recast concepts that conservatives have traditionally “owned” — like freedom, family, and patriotism — in more progressive terms.

You’ll hear me talk all the time about freedom. Because I think there is a failure on our side if we allow conservatives to monopolize the idea of freedom — especially now that they’ve produced an authoritarian president. But what actually gives people freedom in their lives? The most profound freedoms of my everyday existence have been safeguarded by progressive policies, mostly. The freedom to marry who I choose, for one, but also the freedom that comes with paved roads and stop lights. Freedom from some obscure regulation is so much more abstract. But that’s the freedom that conservatism has now come down to.

Or think about the idea of family, in the context of everyday life. It’s one thing to talk about family values as a theme, or a wedge — but what’s it actually like to have a family? Your family does better if you get a fair wage, if there’s good public education, if there’s good health care when you need it. These things intuitively make sense, but we’re out of practice talking about them.

I also think we need to talk about a different kind of patriotism: a fidelity to American greatness in its truest sense. You think about this as a local official, of course, but a truly great country is made of great communities. What makes a country great isn’t chauvinism. It’s the kinds of lives you enable people to lead. I think about wastewater management as freedom. If a resident of our city doesn’t have to give it a second thought, she’s freer.

Clean drinking water is freedom. Good public education is freedom. Universal healthcare is freedom. Fair wages are freedom. Policing by consent is freedom. Gun control is freedom. Fighting climate change is freedom. A non-punitive criminal justice system is freedom. Affirmative action is freedom. Decriminalizing poverty is freedom. Easy & secure voting is freedom. This is an idea of freedom I can get behind.

4 public comments
satadru
12 days ago
reply
FDR talked about this in his "Four Freedoms" speech. And let's not forget that "freedoms" and "rights" have long been interchangeable. The problem with discussing rights & freedoms is that they're just aspirational without enabling legislation and structures.

And yes, freedoms and rights in this context have LONG been owned by progressives. Look at the UDHR, or at the various human rights conventions thereafter. Look at what they cover, and what they do NOT cover. For instance, the convention on women doesn't include talking about violence against women...
New York, NY
lousyd
17 days ago
reply
Some of that stuff isn't freedom. And the word freedom is being used in multiple conflicting ways.
jhamill
17 days ago
reply
I endorse this idea of freedom.
California
WorldMaker
18 days ago
reply
Don't Think of an Elephant. Words have power and progressives do need to stop ceding them.
Louisville, Kentucky