Feed aggregator

Heirs of the Blank Slate

The Rational Man - Fri, 07/26/2019 - 16:04

“Yeah, well, not all women are like that. Men do it too and they’re even worse!”

“People are people. Everyone is different, you can’t predict human behavior because we all have freewill.”

“What’s good for the goose is good for the gander.”

“Everyone is born equal.”

“If women are hypergamous, men must be too.”

“Double standards are so unfair.”

The legacy of the Blank Slate has been one of the most pivotal influences on our understanding of intersexual dynamics for more than a century. In the time I’ve been writing I’ve covered egalitarianism’s influence on Blue Pill conditioning on at least 5 occasions. In all of these essays I’ve made the case that what we consider the Blue Pill, and the perceptions it instills in us, is firmly rooted in a preconception that an egalitarian state between the sexes is not only possible, but eminently desirable. In fact, I would argue that the presumption that an egalitarian state between men and women is ideal is the foundational premise of a Blue Pill social order.

Since I began writing on these topics, one thing I’ve found underpinning people’s understanding of intersexual dynamics is an established belief that men and women are functional equals – or ideally ought to be – who exist in a state of disequilibrium. This equalism (my term) is akin to a religious belief, albeit one most people are unaware they hold. I first encountered this belief when I was in college. Around the same time I discovered that among the most rational of my fellow students and professors in behavioral psychology most clung to the soulmate myth, I also noticed that most of them held to the hope of an “equal partnership” with whomever their ‘soulmate‘ turned out to be. Here I had some very empirical minds who would write thesis papers on human nature according to what we knew about evo-psych, evo-bio, anthropology and sociology, yet they would revert to the Blank Slate hope that ‘people are people‘ and that we’d evolved past our innate natures when it came to finding their ‘One‘.

The idea that humans have ‘evolved beyond’ our animal natures is the lynchpin in the modern belief of the Blank Slate.

What we know as the Blank Slate, as a concept, evolved from the Enlightenment era idea of Tabula Rasa. Originally it was Aristotle who first articulated the idea; it then passed through the Stoics and other notable minds of antiquity, but the root of what it has become today began in the Enlightenment era with John Locke.

On paper it’s a very ennobling idea. All people are born with the same intellectual (and later spiritual) potential; we’re all the same except for what society, environment and circumstance writes on the slate that is our intellect and personality. The object of this essay isn’t to give you a history lesson, but if you’re really interested in the development of how we got to our default, equalist, concept of the Blank Slate I’ll refer you to Steven Pinker’s great book The Blank Slate.

From the time of the Enlightenment the concept of the Blank Slate has been embedded in our core cultural beliefs about human nature. It dovetails very nicely with the concept of freewill, and it also satisfies the hopefulness human beings need to combat the determinism that might otherwise lead to nihilism. It’s exactly this human need for hope that makes the Blank Slate so appealing. People who hold a belief in the Blank Slate take it for granted to the point that it becomes an ego-investment and, thoroughly internalized, it becomes the subconscious starting point for understanding human nature. So, challenging the validity of whether humans have innate, evolved aspects to their natures – and whether those aspects have a bearing on our decisions – borders on attacking their religion or who they are as a person.

From a Red Pill perspective, proposing that men and women are different physically and mentally, and that we’re subject to evolved influences as a result of these differences, is also sacrilege. The Blank Slate ideal is what defines every aspect of what Blue Pill conditioning would have men and women believe about intersexual relations and gender ‘equality’. In fact, as James Damore found firsthand, the Village forbids even the discussion of questioning the Blank Slate. The religion of the Blank Slate is also the state-approved religion, and this has implications in social realms that go well beyond intersexual dynamics.

With the rise of feminism and a feminine-primary social order, social adherence to the Blank Slate ideal became vital to the survival of feminism’s power base. Once the modern research and understanding of human beings’ evolved nature became unignorable the social institutions founded on the Blank Slate were challenged. Today, Red Pill awareness in men is one of those challenges.

A Blue Pill, equalist, mindset doesn’t coexist well with empirical evidence that shows men and women are more different than alike on fundamental levels. Today’s Blank Slate is, as Dr. Pinker describes, a ‘modern denial of human nature‘. The Blank Slate belief set is codependent on Social Constructionism. The idea is that we are all just empty vessels that a nebulous ‘society’ builds through media, culture, school, religion, family, etc. And while all of these outside influences certainly mold us, by necessity the Blank Slate ignores the import of our mental ‘firmware‘ – the innate proclivities that come standard in males and females.

The Human System

I use the term “evolved mental firmware” a lot in my writing. I look at it like this: we have the hardware that is our biological reality, a firmware that is our in-born, evolved proclivities (and the psychological aspects of how men and women’s hardware affects it), and the software that accounts for the social programming we learn from our environments and circumstances. From the perspective of my theory on perceptive processes (Instinct, Emotion & Reason) our firmware influences all three of these processes.

Blank Slate equalism would condition us to believe that our biology (hardware) is insignificant, our firmware is non-existent or inconsequential, and our programming (social learning) is the only thing that makes us what we are. If this sounds like progressivist boilerplate you’re not too far off. Modern concepts of social justice use exactly this social constructionism to justify their positions on a great many issues – and especially gender issues.

However, it’s a mistake to think the Blank Slate is a religion only for leftists and feminists. Equalism is the starting point for the beliefs of many well-meaning Blue Pill conservatives too. Feminism depends on egalitarian ideals setting the intersexual ‘Frame‘ for selling its ideology.

“If only men would cooperate and help smash the Patriarchy we could live in an ideal state of egalitarian equalism.”

The cover story of a ‘push for equality’ all depends on the Blank Slate notion that men and women are functional equals and that all this inequality is the result of social doctrines (and plenty of evil men). If it’s all about social constructionism, then all that’s needed is to change everyone’s programming, and thus an idealized gender-neutral world ought to be possible.

Male feminists, Men’s Rights Activists and Masculinity Apologist organizations all have this in common – they buy into the Blank Slate and the feminist lie that gender equality is an achievable goal based on it. Most of them don’t realize they’re carrying feminist water in their egalitarian beliefs. They just believe in the hope of an “equal partnership” in their marriages and ignore or demonize the influence our evolved firmware exerts in themselves and their wives. So even when they accept intersexual differences and the influence of our firmware, the next defense of the Blank Slate is moralism.

Moralism for Rationalists

The Blank Slate is a lie, but it’s a lie that’s pregnant with hope. Men and women are different, and our differences are too significant to ignore. But even when the Blank Slate is effectively challenged and our evolved natures are acknowledged, the next rationale is that, if we’re only moral enough, intelligent enough, or “evolved” enough, we ought ideally to be able to realize the ideals of the Blank Slate over our base natures. The appeal to rising or evolving above the influences of our evolved natures is always the path of the moralist and the intellectual. Shouldn’t we strive for Equality? Would an equal state between the sexes not be a good thing? If we were good enough, and exercising our powerful freewill, men and women should be able to be more equitable, right?

The question isn’t whether we can overcome our evolved natures – we do this all the time, actually – but whether we should strive for the egalitarian ideal. In the most egalitarian societies on the planet human beings still opt for “traditional” (conventional) gender roles. Given the freedom to believe in a Blank Slate ideal and to choose their roles in an egalitarian social order (or its best approximation), men and women still prefer the roles we’re supposed to believe are so constraining for us – the roles we’re supposed to believe are foisted on us by social constructionism.

I would argue that much of the gender conflicts we experience today are the result of force-fitting men and women into an egalitarian ideal with the expectation that our evolved (or designed) proclivities are ‘unnatural’ creations of a nebulous society. We’re told that gender is not binary and it’s really a social construct, yet we still need hormone therapy to alter the biochemistry of children to help them ‘transition’ to another binary gender.

I find it kind of ironic that a mindset, a social force and a belief system that would otherwise call for a natural balanced harmony in life is the most disharmonious with respect to a natural evolved order among men and women. The conclusion I come to then is that promulgating the Blank Slate social religion is more about power dynamics than a real push for an equalist harmony.

In 2019, after decades of advancements in the cognitive sciences, neurological study, anthropology, sociology, etc. we can lay the Blank Slate to rest, but so much of our social and intersexual understanding of human nature (or even the denial of it) is dependent on it being an ideal to strive for.

When I make an unflattering observation about women’s nature, the first response from conditioned men and women is to fire back with some equal-but-opposite reaction. Our natural, human inclination is to look for symmetry and balance in things. The default belief is to think that what’s good for the goose is good for the gander, or to distract from the observation by making value judgements.

Well, men do it too, only worse.

Deal with the plank in your own eye before you pluck the mote from mine.

If it’s true for one, there’s an opposite truth for another.

The reflexive need for a symmetrical balance – even when there is none – is a human default. ‘Men and women are different’ is a radical statement in this era, not the least of which because it contradicts the Blank Slate religion that persists in spite of itself. When people ask me whether I believe men and women are equals and I answer ‘no’, they look as if I pulled the wings from a butterfly. I believe men and women are complements to each other and we’re better together than apart, but we are not equals. We are different, with differing motives and strategies that are part of who we are. We could achieve a far more harmonious social state by accepting and embracing these differences.

Categories: Miscellaneous Blogs

Chalkboard Crochet Can Cooler: Quick Cricut Craft

Moogly - Fri, 07/26/2019 - 15:05

The Chalkboard Crochet Can Cooler is a fast project that combines crochet and chalkboard iron-on for the perfect accessory for summer fun! Claim your beverage or keep score on your game with this free and quick Cricut craft and crochet pattern! Disclaimer: This post includes affiliate links. Materials provided by Red Heart, Clover USA, Siser,...

The post Chalkboard Crochet Can Cooler: Quick Cricut Craft appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Cryptozoic and Hobby World Announce Release of Spyfall: Time Travel

Cryptozoic - Fri, 07/26/2019 - 13:00

Cryptozoic Entertainment and Hobby World announced the limited release of Spyfall: Time Travel at Gen Con, August 1-4, followed by a full retail release in September. In this latest social deduction card game in the popular Spyfall series, 2-8 players take on roles in memorable locations from history, as well as some futuristic locations. The twist is that one of the players is secretly a spy and does not know the location.

Categories: Tabletop Gaming Blogs

Link Love: My Favourite Things This Week

Knitted Bliss - Fri, 07/26/2019 - 11:00


My Favourite Articles and Links This Week 5 ways to bring more fun to your life. Ideas for hosting a summer dinner party without breaking the bank. Because going broke just to have friends over is no fun for anyone. France has made it a law that grocery stores have to donate edible food instead

The post Link Love: My Favourite Things This Week appeared first on www.knittedbliss.com.

Categories: Knitting Feeds

Our Land of Azurth party in Hero Forge

Sorcerer's Skull - Fri, 07/26/2019 - 11:00
Tragically, Hero Forge still doesn't have a frog folk race option, so poor Waylon gets left out, but it can replicate the other members of the party pretty well:

Erekose, Human Fighter

Shade, Elf Ranger

Bellmorae, Dragonkin Sorcerer

Kairon, Demonlander Sorcerer

Kully, Human Ranger

Adapting Dungeons of Dread For Old School Sword & Sorcery Campaign Play

Swords & Stitchery - Fri, 07/26/2019 - 06:10
"Dungeons of Dread is a collection of four classic, stand-alone Advanced Dungeons & Dragons adventure modules -- S1: Tomb of Horrors, S2: White Plume Mountain, S3: Expedition to the Barrier Peaks, and S4: The Lost Caverns of Tsojcanth -- complete with original black-and-white interior art."

Stay in a hobby long enough & you might witness your own play as you go at the table top

Needles
Categories: Tabletop Gaming Blogs

HackMoor Summary: No Quorums 2019/06/21 to 2019/07/19

Furiously Eclectic People - Fri, 07/26/2019 - 01:46

Games are normally on Friday nights sometime after 5:30PM at World's Best Comics, 9714 Warwick Blvd Newport News, Virginia 23601.

The weather has improved, and I expect a re-attempt at the BattleSystem rules tomorrow.

Due to lack of quorums, and sometimes just due to the awesome heat, we have played mostly Settlers of Catan and Rail Baron for the past few weeks. The 7th of July had no game at all since I was out of town. I had no game on July 19 due to the heat. On July 12 we had a change of venue to my home.

Also had a home game on July 13 where we played Axis & Allies and on the 20th we played a couple scenarios of PanzerBlitz.

Tracy Johnson


Categories: Miscellaneous Blogs

Paizo Starfinder Minis under new license with Archon Studio

Gamer Goggles - Thu, 07/25/2019 - 21:42


Archon Studio to fulfill Kickstarter backer rewards

REDMOND, WASHINGTON (July 25, 2019): Today, Paizo announced that Archon Studio will be taking over the license for Starfinder Masterclass miniatures, formerly produced by Ninja Division. As part of the agreement, Archon Studio will fulfill backer rewards for the Starfinder Masterclass Miniatures Kickstarter.

“Thanks for all of your patience as we worked with Ninja Division and Archon Studio to get this done. We’re looking forward to some epic minis!” said Paizo VP of Marketing and Licensing Jim Butler.

“We’re excited to work with Paizo to bring the Alien Archives of the Starfinder universe to life on your tabletop,” said Archon Studio CEO Jarek Ewertowski. “We can’t wait to leap into the adventure with you!”

Archon Studio will be producing plastic miniatures instead of resin. They will also be starting over with Kickstarter fulfillment; this means that backers who have already received resin miniatures from Ninja Division will receive those minis again from Archon Studio, this time in plastic.

Archon Studio will also be creating all-new Starfinder Masterclass miniatures. Each month, they plan to produce 4 or 5 of the minis announced during the Kickstarter plus 1 brand-new mini. These minis will be available for sale at your favorite local game store, on archon-studio.com, and on paizo.com. (The Kickstarter-exclusive miniatures of Candy, Cola, Seelah the Paladin, and Epic Obazaya will not be available at retail.)

Archon Studio plans to ship Kickstarter rewards in waves. Approximately every 6 months, the pledge rewards produced during the previous 6 months will be shipped to backers free of charge. Additionally, any time a Kickstarter backer purchases any Starfinder mini from Archon Studio—whether that’s a new mini or a duplicate of a Kickstarter mini—they will also ship any released Kickstarter miniatures due to that backer for no additional charge. Details of which minis are shipping when, and how to purchase other miniatures, will be posted on the Kickstarter page.

Archon Studio will be fulfilling backers in Europe, and Ninja Division will be shipping to the rest of the world. Paizo does not have specific answers to fulfillment questions: if you’re a backer with a question about your order, you’ll need to post the question to the Starfinder Masterclass Kickstarter page.

Categories: Tabletop Gaming Blogs

DC Deck-Building Game: Rebirth — Overview

Cryptozoic - Thu, 07/25/2019 - 21:18

DC Deck-Building Game: Rebirth will be in stores on July 31! There has been a lot of speculation on the forums about this new release and all of the differences between it and the main competitive format in the DC Deck-Building Game series, so I will try and clear up a lot of the mystery, but without spoilers!

Categories: Tabletop Gaming Blogs

Let The Monster Suit The Purpose - The Astonishing Swordsmen & Sorcerers of Hyperborea Kickstarter & Dr

Swords & Stitchery - Thu, 07/25/2019 - 18:09
From the sidelines I've been watching the Astonishing Swordsmen & Sorcerers of Hyperborea Kickstarter for Hyperborea Other Worldly Tales, for The Lost Treasure of Atlantis™ and The Sea-Wolf's Daughter™. If you haven't checked it out then by all means take a look & show your support if you're so inclined. And no, I'm not looking for a free module or any such crap as that. What the Kickstarter

Needles
Categories: Tabletop Gaming Blogs

Changing California’s privacy law: A snapshot at the support and opposition

Malwarebytes - Thu, 07/25/2019 - 15:59

This month, the corporate-backed legislative battle against California privacy met a blockade, as one Senate committee voted down, or negotiated changes to, several bills that, as originally written, could have weakened the state’s data privacy law, the California Consumer Privacy Act.

Though the bills’ authors have raked in thousands of dollars in campaign contributions from companies including Facebook, AT&T, and Google, records portray broader donor networks, which include Political Action Committees (PACs) for real estate, engineering, carpentry, construction, electrical, and municipal workers.

Instead, Big Tech relied on advocacy and lobbying groups to help push favorable legislative measures forward. For example, one bill that aimed to lower restrictions if companies provide consumer data to government agencies was supported by TechNet and Internet Association.

Those two groups alone represent the interests of Amazon—which was caught offering a corporate job to a Pentagon official involved in a $10 billion Department of Defense contract that the company is currently seeking—and Microsoft—another competitor in the same $10 billion contract—along with Google, Twitter, Lyft, Uber, PayPal, Accenture, and Airbnb.

Below is a snapshot of five CCPA-focused bills that were all scheduled for a vote during a July 9 hearing by the California Senate Judiciary Committee. The committee chair, Senator Hannah-Beth Jackson, pulled a 12-hour-plus shift that day, trying to clear through more than 40 bills.

Yet another day in politics.

We hope to provide readers with a look at both the support and opposition to these bills, along with a view of who wrote the bills and what groups have donated to their authors. It is important to remember that lawmaking is rarely a straight line, and a campaign contribution is far from an endorsement.

The assembly bills

AB 1416
  • What’s it all about? Exceptions to the CCPA when companies provide consumer data to government agencies
  • Author: Assemblymember Ken Cooley
  • Author’s top 2018 donors: the California Democratic Party ($111,192), the State Building and Construction Trades Council of California PAC Small Contributor Committee ($17,600), the California State Council of Laborers PAC ($17,600).
  • Author’s tech donors: AT&T ($8,800), Facebook ($6,900)
  • Supported by: Internet Association, Technet, Tesla, Symantec, California Land Title Association, California Alliance of Caregivers, among others
  • Opposed by: ACLU of California, Electronic Frontier Foundation, Common Sense Kids Action, and Privacy Rights Clearinghouse

AB 1416 would have created a new exception to the CCPA for any business that “provides a consumer’s personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.”

The bill would have granted companies the option to disregard a consumer’s decision to opt out of having their data sold to another party, so long as the sale of that consumer’s data was “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.”

According to multiple privacy groups, those exceptions were too broad. In a letter signed by ACLU of California, EFF, Common Sense Kids Action, and Privacy Rights Clearinghouse, the groups wrote:

“Given the breadth of these categories, especially with the increasing use of machine learning and other data-driven algorithms, there is no practical limit on the kinds of data that might be sold for these purposes. It would even allow sales based on the purchaser’s asserted purpose, increasing the potential for abuse, much like the disclosure of millions of Facebook user records by Cambridge Analytica.”

These challenges were never tested with a vote, though, as Asm. Cooley pulled the bill before the committee hearing ended.

AB 873
  • What’s it all about? Changing CCPA’s definition of “deidentified” information
  • Author: Assemblymember Jacqui Irwin
  • Author’s top 2018 donors: California Democratic Party ($105,143), the State Building and Construction Trades Council of California PAC ($17,600), the Professional Engineers in California Government PECG-PAC ($17,600)
  • Author’s tech donors: Facebook ($8,800), AT&T ($8,200), Hewlett Packard ($3,700)
  • Supported by: California Chamber of Commerce (sponsor), Internet Association, Technet, Advanced Medical Technology Association, California News Publishers Association, among others
  • Opposed by: ACLU of California, EFF, Campaign for a Commercial-Free Childhood, Access Humboldt, Oakland Privacy, Consumer Reports, among others

AB 873 would have narrowed the scope for what CCPA protects—“personal information”—by broadening the definition of something that CCPA currently does not protect—“deidentified” information.

According to the bill, the definition of “deidentified” information would now include “information that does not identify, and is not reasonably linkable, directly or indirectly, to a particular consumer.”

Privacy advocates claimed the bill had too broad a reach. In a letter, several opponents wrote that AB 873 “would allow businesses to track, profile, recognize, target, and manipulate consumers as they encountered them in both online and offline settings while entirely exempting those practices from the scope of the CCPA, as long as the information used to do so was not tied to a person’s ‘real name,’ ‘SSN’ or similar traditional identifiers.”

During the Senate committee hearing, Asm. Irwin defended her bill by saying that CCPA’s current definition of deidentified information was “unworkable.” She then rebuffed suggestions by the committee chair to add amendments to her bill.

The bill failed to pass on the committee’s 3–3 vote.

AB 25
  • What’s it all about? Exceptions to CCPA for employers that collect data from their employees and job applicants
  • Author: Assemblymember Ed Chau
  • Author’s top 2018 donors: California State Council of Service Employees ($17,600), the California State Council of Laborers ($13,200) the California State Pipe Trades Council ($10,000).
  • Author’s tech donors: Facebook ($4,400), AT&T ($3,900), Hewlett Packard ($3,200), Google ($2,500), Intuit ($2,000)
  • Supported by: Internet Association, Technet, California Chamber of Commerce, National Payroll Reporting Consortium, among others
  • Opposed, unless amended, by: ACLU of California, EFF, Center for Digital Democracy, Oakland Privacy, among others

AB 25, as originally written, would have removed CCPA protections for some types of data that employers collect both on their employees and their job applicants.

Hayley Tsukayama, legislative analyst for EFF, said that a concern she and other privacy advocates had with the bill was that employers are beginning to collect more information on their employees that more often resemble consumer-type data.

“We are seeing a lot more of these workplace surveillance programs pop up,” Tsukayama said over the phone, giving a hypothetical example of a fitness tracker for employees where the data could be shared with health insurance companies. “The ways that this collection is being introduced into the workplace, it’s not necessary for the employer-employee relationship, and it is more in the vein of consumer data.”

After Chau agreed to add amendments to his bill, the Senate committee passed it. The bill, if it becomes law, will sunset in one year, giving legislators and labor groups another opportunity to review its impact in a short time.

AB 846
  • What’s it all about? Customer loyalty programs
  • Author: Assemblymember Autumn Burke
  • Author’s top 2018 donors: State Building and Construction Trades Council of California PAC ($17,600), SEIU California State Council Small Contributor Committee ($17,600), IBEW Local 18 Water & Power Defense League ($17,600), California State Council of Laborers PAC ($17,600)
  • Author’s tech donors: Facebook ($8,800), Technet California Political Action Committee ($8,449), Charter Communications ($7,900), AT&T and its affiliates ($7,300)
  • Supported by: California Chamber of Commerce, California Grocers Association, California Hotel & Lodging Association, California Restaurant Association, Ralphs Grocery Company, Wine Institute, among others
  • Opposed, unless amended, by: ACLU of California, EFF, Common Sense Kids Action, Privacy Rights Clearinghouse, Access Humboldt

AB 846 targets CCPA’s current non-discrimination clause that prohibits companies from offering incentives—like lowered prices—to customers based on their data practices.

The bill would clarify that CCPA’s regulations are not violated when businesses offer “a different price, rate, level, or quality of goods or services to a consumer if the offering is in connection with a consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program.”

The bill received so many changes, though, that some groups were puzzled over what it allows.

“There was a point at which [AB 846] said any service that has a functionality directly related to the collection of, and use, of personal information was exempt,” Tsukayama said. “We spent a lot of time going ‘Well, what does that mean?’ We never got a satisfactory answer.”

She continued: “We were concerned that this would cover a lot of ad tech, or invasive company programs, to collect more data.”

With additional amendments to be added, the Senate committee passed the bill.

AB 1564
  • What’s it all about? Whether businesses have to provide a phone number for consumer data requests
  • Author: Assemblymember Marc Berman
  • Author’s top 2018 donors: California State Council of Service Employees ($26,100), Northern California Carpenters Regional Council SCC ($17,600), American Federation of State, County & Municipal Employees – CA People SCC ($17,600)
  • Author’s tech donors: Facebook ($8,800), TechNet PAC ($6,526)
  • Supported by: Internet Association (sponsor), Engine, Coalition of Small & Disabled Veteran Businesses, Small Business California, National Federation of Independent Businesses (CA), among others
  • Opposed by: ACLU of California, EFF, Center for Digital Democracy, Oakland Privacy, Access Humboldt, Privacy Rights Clearinghouse, among others  

CCPA allows Californians to contact the companies that collect their data and make requests about that data, including accessing it, changing it, and deleting it. The law states that companies must provide at least two methods of contact, including one toll-free telephone number, for those requests.

AB 1564 would allow online-only businesses to provide their direct consumers with just one method of contact—an email address—for data requests.

Privacy advocates previously warned that the bill could make it harder for those with limited Internet access to assert their privacy rights.

The bill, which will be amended, passed the Senate committee.

What comes next?

The California Senate is currently in a summer recess, scheduled to return August 12. The bills that passed the Senate Judiciary Committee—ABs 25, 846, and 1564, regarding employee data, loyalty programs, and email address contacts—will next be heard by the Senate Appropriations Committee, a separate committee of lawmakers who oversee and move forward bills that have a fiscal component.

That committee has until August 30 to move bills to the floor.

Afterwards, either chamber of the state has until September 13 to send a bill to Governor Gavin Newsom’s desk for signature.

The post Changing California’s privacy law: A snapshot at the support and opposition appeared first on Malwarebytes Labs.

Categories: Techie Feeds

MooglyCAL2019 – Afghan Block #15

Moogly - Thu, 07/25/2019 - 15:00

I’m in love with Block #15 in the MooglyCAL2019, courtesy of Red Heart National Spokesperson, Marly Bird! This square is relatively simple to crochet – but the effect is mesmerizing! Disclaimer: This post includes affiliate links; materials provided by Red Heart Yarns, Clover USA, and Chetnanigans. Just getting started with the Crochet Along? CLICK HERE...

The post MooglyCAL2019 – Afghan Block #15 appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

It’s a Trap!

Torchbearer RPG - Thu, 07/25/2019 - 13:00
Fall by Rebekah Bennington

Hello friends!

I want to apologize for this blog’s recent hiatus. Many of you probably don’t know that my other hobby (apart from making games) is coaching women’s flat track roller derby. 

I coach two teams in the Gotham Girls Roller Derby league: Manhattan Mayhem (a home team) and the Gotham Girls Roller Derby All-Stars (a travel team). Over the past six weeks, Mayhem has played twice (a victory against Queens and a loss to Bronx), and the All-Stars have played five games across two tournaments (victories against New Jax (Jacksonville, Fl.), Arch Rival (St. Louis, Mo.), Victoria (Melbourne, Australia), Crime City (Malmö, Sweden) and Dirty South (Atlanta, Ga.)).

As you can imagine, I’ve been a little distracted! The good news is that both teams are now headed into the post-season. Mayhem will play Bronx again for the local championship in August. The All-Stars still have a few more games ahead, but our success has put us back in the #2 spot ahead of Victoria, and we hope to reclaim the Hydra from Rose City (Portland, Ore.) at the International WFTDA Championships in Montreal this November.

In the meantime, I’ve got a little breathing room to think about games once again — which is good, considering that this time next week I’ll be at Gen Con (Burning Wheel will be at booth 2150; come say hi!). On to Torchbearer!

If You Trap It…

Last week, Luke and I participated in an AMA at the RPGdesign subreddit. Near the end, Lord Mordeth of our friends at Mordite Press asked about traps in Torchbearer (Build a Better Man Trap, page 127).

Is a failed test the only way to get a condition? Is a condition always accompanied by an effective success in the intent of the test?

I’ve really struggled with some of the logic from “Build a Better Man Trap” for years now. It’s hard for me to grasp how intent works with forced tests. For example, the Health Ob 6 test from the spike version of the Chute to Hell, or the Ob 3 Health test from the Dart Trap.

In these cases, I would think that the “intent” of the roll was to avoid gaining a condition. If you fail the Ob 3 Health test vs. the dart trap, you haven’t really succeeded or gained anything, you just got saddled with a condition. This seems to contradict the “failing forward” logic at work elsewhere in the game. I think most people simply gloss over this, and certainly that’s what we do and it does work fine. But the logic has always eluded me.

Lord Mordeth

This exchange helped crystallize for me something that is not explicit in the text. I think the natural tendency is to think of traps as something intended to kill or injure, but Torchbearer requires that you think about them differently.

First, conditions in Torchbearer are generally either the result of the grind or a failed test. And when a condition is given as the result of a failed test the character always (always, always) achieves the objective of the roll. The only way to get injured by a spear trap is to fail the Health test to avoid it but get a condition and successfully avoid it? What? How does that work?!

Second, there are only three ways for the GM to give a character the Dead condition: as a result of a kill conflict, as a result of having the Injured condition and failing a test involving the risk of physical harm or as a result of having the Sick condition and failing a test involving sickness, disease, poison, madness or grief. In the latter two instances, the GM is also required to inform the character’s player that death is on the line prior to the roll.

Given those limitations, how do you make a death trap in Torchbearer? Well, you don’t. Not really.

Here’s the secret: The objective of traps in Torchbearer is not to injure or kill. Those things are a byproduct of a particular trap’s method, but the objective is something else. People install traps to capture you, move you to another location, prevent you from opening something or going somewhere or even to fool you. If they happen to give you a condition instead? Well, that’s life as an adventurer for you.

The objective of the pit trap in Under the House of the Three Squires is to alert the guards to the adventurers’ presence and give the guards an advantage in the subsequent conflict. The objective of the sleeping gas panel in The Dread Crypt of Skogenby is to allow Haathor-Vash’s minions to capture interlopers that get too close. The trap vault in The Secret Vault of the Queen of Thieves is meant to fool adventurers into thinking they’ve actually found the vault, and perhaps trap them or keep them busy digging until Hsivin the Defiler’s cultists can get at them.

You get the idea. Once we have a trap’s proper objective in mind it should be much clearer how we can employ a twist on a failed test. The pit trap brings the guards running. The sleeping gas panel puts the characters to sleep. The trap vault might leave the characters trapped under rocks or standing outside the entrance to the vault which is now blocked off by fallen rocks.

We can also start thinking about conditions. The characters involved in the test get a condition, but they overcome the trap’s objective. When the pit trap goes off, the characters leap to safety but painfully bark their shins on the edge (injured), or they leap off but their hearts start racing (afraid) when they hear the distant guards wonder about the noise but go back to gambling. They inhale just a little of the sleeping gas (exhausted) but don’t get captured. They escape just ahead of the falling rocks but not before they understand the trap vault was just a trick (angry or injured).

So that’s it. When making traps for your Torchbearer games, think about what the builder was trying to achieve and base your twists and conditions on that objective.

What do you think? Does that help traps make more sense for you?

P.S. Roller derby is one of the fastest growing sports in the world. There are currently 463 Women’s Flat Track Roller Derby Association member leagues on six continents. If you’re curious, there’s almost certainly a league near you. Do yourself a favor and check it out!

Categories: Tabletop Gaming Blogs

Everything Goes Better with Ravenloft

Sorcerer's Skull - Thu, 07/25/2019 - 11:00
Well, maybe not everything, but I think Ravenloft could mix with several of the other D&D settings like chocolate and peanut butter.

Art by Bruce Pennington

Blood Red Sun [Dark Sun/Ravenloft]
Some Dying Earth stories have more than a touch of the Gothic to them (Clark Ashton Smith's Zothique stories immediately come to mind), so this is really a natural. As the sun dimmed and sputtered, the Dark Powers grew stronger and fed upon the energy of the planet, slowly leeching it of life. Replace the sorcerer-kings with the Dark Lords, and (probably) lose the mists. Some tweaking of the domains might be in order, to make them a little less Dracula and a little bit more Vathek, but that's up to you.

Planet of the Vampires [Spelljammer/Ravenloft]
Each domain is a world, and the mists and phlogiston are combined into one. Maybe give Spelljammer more of an 18th Century or even Victorian vibe: Combine Kipling (his sci-fi stories like "With the Night Mail" and his horror yarns) with Stoker.

And why limit myself to AD&D settings?

Terror Under the Eternal Sun [Hollow World/Ravenloft]
I'm thinking ditch most of the Hollow World idea, except for it being the repository of things preserved from the outer world. Take it back to its Burroughsian roots and have a land of dinosaurs and mostly primitive peoples, except for these areas and mists containing weird, otherworldly realms of madness. Probably the realms of dread should be a bit smaller, maybe just a castle and a village in some cases. Like Turok meets Dracula.


Looking For Group - Thu, 07/25/2019 - 04:00

The post 1316 appeared first on Looking For Group.

Categories: Web Comics

Some Random Thoughts & Praise Tonight For the Advanced Dungeons & Dragons Dungeon Master's Guide By Gary Gygax & Mike Carr

Swords & Stitchery - Thu, 07/25/2019 - 03:07
The Advanced Dungeons & Dragons Dungeon Master's Guide by Gary Gygax & Mike Carr has some very iconic parts to it, but the book itself is a classic. The book is a snapshot in time, when Advanced Dungeons & Dragons ruled the table. But what makes the Advanced Dungeons & Dragons Dungeon Master's Guide stand out even today, to me, is the utility of the book. Everything for the AD&D dungeon
Categories: Tabletop Gaming Blogs

Weird Wednesday OSR Film Inspiration - Disney's The Black Hole Film from 1979

Swords & Stitchery - Wed, 07/24/2019 - 21:31
I actually saw this movie at a drive-in back in 1979, when I was nine years old. It pretty much screwed me up for life. The movie plot is as follows: It is the year 2130 A.D. An Earth exploratory ship, the USS Palomino, discovers a black hole with a lost ship, the USS Cygnus, just outside its event horizon. Deciding to solve the mystery of the Cygnus are: the Palomino's Captain, Dan Holland; his
Categories: Tabletop Gaming Blogs

Let's Gel

3d6 Traps & Thieves - Wed, 07/24/2019 - 20:00
One of the most contrived and ridiculous D&D monsters of all-time is the Gelatinous Cube. A nearly-invisible mass of slime that just happens to be exactly the same size and volume as those ridiculous 10' x 10' dungeon corridors.

Those opening sentences do not reflect my own opinions. They are the edited and condensed views of quite a few op-ed pieces I've seen on this wondrous Internet of ours.

This is another example of, in my opinion, the disservice done to our beloved hobby by overwrought rulebooks that strive to tell players exactly how their game should be played. Yes - that's my opinion. Filling up an entire page with exposition that explains just how to include a monster, along with the actions said monster should probably take in combat - well, at what point can we just dispense with the DM?

While I acknowledge that many players want or even need all these rules and guidelines, it does make for more bloated and expensive rulebooks, bigger learning curves, drawn-out and rules-heavy gaming sessions, and tons of wasted space. Do we need an entire (5E) page for the Piercer? Do the (5E) monster illustrations really need to fill half a page? I've found that a lot of players and DMs prefer not to use something that they don't like or understand in the rulebooks. And, of course, the premise of the game actively encourages this. I've even met some folks that do without the classic dungeon environment entirely because it's just too silly to them. That's fair.

And I'm not insisting that the older editions are "better" than the new editions. 
Just so we're clear.

For myself, I prefer to actually treat what I read or see in a D&D book as guidelines - all of it. By way of example, let's take the Gelatinous Cube. This is a classic D&D monster. How do I know? It appears in the first release of the game in 1974/1975, and in every core monster book from 1E thru 5E. Still, people make sarcastic comments about the thing. How does it even kill people? How slow or dumb do you have to be to get caught by one? Well - that depends on the DM.

First - the 'Cube is not a hunter. It's a scavenger. It isn't chasing you down. The 'Cube is almost invisible in its natural state. This means that a lot of its prey comes to the 'Cube. You're strolling (or fleeing) down a corridor and - SPLOOP! And, that's just in default mode. If the DM really wants to 'Cube a PC, there are plenty of ways. Dead-end corridor - and a 'Cube glops its way into the other end, blocking your only escape route. You fall into a 10' x 10' x 10' pit...and...heeeeeeeere comes a 'Cube - just the right size to *PLOP*. Let's not even bother with slides or teleporters. It's like dissolving adventurers in a barrel full of acid.

What follows is MY version of the Gelatinous Cube for MY setting. Your turgidity may vary.

The Gelatinous Cube is an amorphous mass of transparent protoplasm. Being amorphous, it can change shape without much effort at all. When the 'Cube is 10' x 10' x 10', it is typically filling the empty available space around it. Otherwise, the creature can be a sphere, a pyramid, a torus, a giant puddle, a shapeless mass - or just about any other simple form that suits its immediate needs or environs. Somewhere near the center of the gelatinous form is a kind of "cognitive center" or "brain."

But, the Gelatinous Cube is non-intelligent. That is true - but the Slithering Tracker isn't.
The 2E entry - since it has a nice illustration.
Oh, look - another transparent, paralyzing monster made of jelly. But, this one is smaller, faster, and smarter. Still, my mind likes to connect and share things. Sometimes, the whole can be more interesting (and deadly) than the sum of its parts.

Consider the Slithering Tracker as the "brains" of the Gelatinous Cube. However, the 'Tracker is often out and about - hunting. During these times, the 'Cube is its usual mindless, scavenging self. On the rare occasion that the 'Tracker is part of the 'Cube, the 'Cube is treated as a smarter monster - but the 'Tracker is usually easier to see because it has recently fed on blood. The Gelatinous Cube becomes a two-part monster with an increased threat potential.

Were I inclined to accept text and illustrations at face value, the setting of Avremier probably wouldn't even exist - and I sure wouldn't be creating these fun monster variants. Maybe most players aren't used to DMs that innovate. I can understand that. It's not necessary for an enjoyable game. But, the attraction of D&D for myself is the spaces between the rules, stats, and pictures. That's what I strive to fill.

Categories: Tabletop Gaming Blogs

A deep dive into Phobos ransomware

Malwarebytes - Wed, 07/24/2019 - 18:09

Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family Dharma (a.k.a. CrySis), and is probably distributed by the same group as Dharma.

While attribution is by no means conclusive, you can read more about potential links between Phobos and Dharma here, to include an intriguing connection with the XDedic marketplace.

Phobos is one of the ransomware families distributed via hacked Remote Desktop (RDP) connections. This isn’t surprising, as hacked RDP servers are a cheap commodity on the underground market, and make for an attractive and cost-efficient dissemination vector for threat groups.

In this post we will take a look at the implementation of the mechanisms used in Phobos ransomware, as well as at its internal similarity to Dharma.

Analyzed sample


Behavioral analysis

This ransomware does not deploy any techniques of UAC bypass. When we try to run it manually, the UAC confirmation pops up:

If we accept it, the main process deploys another copy of itself with elevated privileges. It also executes some commands via the Windows shell.

Ransom notes of two types are being dropped: .txt as well as .hta. After the encryption process is finished, the ransom note in the .hta form is popped up:

Ransom note in the .hta version

Ransom note in the .txt version

Even after the initial ransom note is popped up, the malware still runs in the background, and keeps encrypting newly created files.

All local disks, as well as network shares are attacked.

It also uses several persistence mechanisms: installs itself in %APPDATA% and in a Startup folder, adding the registry keys to autostart its process when the system is restarted.

A view from Sysinternals’ Autoruns

Those mechanisms make Phobos ransomware very aggressive: the infection doesn’t end after a single run, but can be repeated multiple times. To prevent repeated infection, all the persistence mechanisms should be removed as soon as a Phobos attack is noticed.

The Encryption Process

The ransomware is able to encrypt files without an internet connection (at this point we can guess that it comes with a hardcoded public key). Each file is encrypted with an individual key or initialization vector: the same plaintext produces a different ciphertext in every file.

It encrypts a variety of files, including executables. The encrypted files have the attacker's e-mail added to their names. This particular variant of Phobos also adds the extension ‘.acute’; however, different extensions have been encountered in different variants. The general pattern is: <original name>.id[<victim ID>-<version ID>][<attacker's e-mail>].<added extension>

Visualization of the encrypted content does not display any recognizable patterns. It suggests that either a stream cipher, or a cipher with chained blocks was used (possibly AES in CBC mode). Example – a simple BMP before and after encryption:

When we look inside the encrypted file, we can see a particular block at the end. It is separated from the encrypted content by ‘0’ bytes padding. The first 16 bytes of this block are unique per file (a possible Initialization Vector). Then comes a block of 128 bytes that is the same in each file from the same infection. That possibly means that this block contains the encrypted key, which is uniquely generated on each run. At the end we can find a 6-character keyword which is typical for this ransomware. In this case it is ‘LOCK96’; however, different versions of Phobos have been observed with different keywords, e.g. ‘DAT260’.

In order to fully understand the encryption process, we will look inside the code.


In contrast to most malware, which comes protected by some crypter, Phobos is not packed or obfuscated. Although the lack of packing is uncommon in the general population of malware, it is common among malware that is distributed manually by the attackers.

The execution starts in WinMain function:

During its execution, Phobos starts several threads, responsible for its different actions, such as: killing blacklisted processes, deploying commands from commandline, encrypting accessible drives and network shares.

Used obfuscation

The code of the ransomware is not packed or obfuscated. However, some constants, including strings, are protected by AES and decrypted on demand. A particular string can be requested by its index, for example:

The AES key used for this purpose is hardcoded (in obfuscated form), and imported each time when a chunk of data needs to be decrypted.

Decrypted content of the AES key

The Initialization Vector is set to 16 NULL bytes.
The code responsible for loading the AES key is given below. The function wraps the key into a BLOBHEADER structure, which is then imported.

From the BLOBHEADER structure we can read the following information: 0x8 = PLAINTEXTKEYBLOB, 0x2 = CUR_BLOB_VERSION, 0x6610 = CALG_AES_256.
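The constants above fully describe the blob that is handed to CryptImportKey, so an analyst who dumps that blob from memory can validate it before trusting the key inside. The following Python is an added example, not code from the Malwarebytes article or from the sample: it packs a raw AES key into a PLAINTEXTKEYBLOB the way a CryptImportKey caller has to, and parses one back with the checks (blob type, version, ALG_ID, declared key size versus actual bytes) that tell a truncated or mis-identified dump apart from a usable key. The sample key is constructed for the round trip and is not the key from the malware.

```python
import struct

# Wincrypt constants: the three quoted in the article, plus the other AES sizes.
PLAINTEXTKEYBLOB = 0x8
CUR_BLOB_VERSION = 0x2
CALG_AES_128 = 0x660E
CALG_AES_192 = 0x660F
CALG_AES_256 = 0x6610
AES_KEY_SIZES = {CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}
ALG_NAMES = {CALG_AES_128: "CALG_AES_128", CALG_AES_192: "CALG_AES_192",
             CALG_AES_256: "CALG_AES_256"}

# PLAINTEXTKEYBLOB layout (little-endian):
#   BLOBHEADER { BYTE bType; BYTE bVersion; WORD reserved; ALG_ID aiKeyAlg; }
#   DWORD dwKeySize; BYTE rgbKeyData[dwKeySize]
HEADER = struct.Struct("<BBHII")


class BlobError(ValueError):
    """Raised when a buffer is not a well-formed AES PLAINTEXTKEYBLOB."""


def build_plaintext_key_blob(alg_id: int, key: bytes) -> bytes:
    """Wrap a raw AES key into the blob CryptImportKey expects."""
    if alg_id not in AES_KEY_SIZES:
        raise BlobError(f"unsupported ALG_ID 0x{alg_id:x}")
    if len(key) != AES_KEY_SIZES[alg_id]:
        raise BlobError(f"{ALG_NAMES[alg_id]} needs {AES_KEY_SIZES[alg_id]} bytes, got {len(key)}")
    return HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Validate a blob recovered from memory and return the algorithm name and key bytes."""
    if len(blob) < HEADER.size:
        raise BlobError("blob shorter than BLOBHEADER + dwKeySize")
    b_type, b_version, reserved, alg_id, key_size = HEADER.unpack_from(blob)
    if b_type != PLAINTEXTKEYBLOB:
        raise BlobError(f"bType 0x{b_type:x} is not PLAINTEXTKEYBLOB")
    if b_version != CUR_BLOB_VERSION:
        raise BlobError(f"bVersion {b_version} is not CUR_BLOB_VERSION")
    if alg_id not in AES_KEY_SIZES:
        raise BlobError(f"ALG_ID 0x{alg_id:x} is not an AES algorithm")
    if key_size != AES_KEY_SIZES[alg_id]:
        raise BlobError(f"dwKeySize {key_size} does not match {ALG_NAMES[alg_id]}")
    key = blob[HEADER.size:HEADER.size + key_size]
    if len(key) != key_size:
        # A dump cut short looks like a valid header with too little key data.
        raise BlobError("blob truncated: key data shorter than dwKeySize")
    return {"algorithm": ALG_NAMES[alg_id], "key": key, "reserved": reserved}


# Constructed 32-byte key for the round trip (not the sample's key).
SAMPLE_KEY = bytes(range(0x20))
SAMPLE_BLOB = build_plaintext_key_blob(CALG_AES_256, SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_BLOB[:HEADER.size].hex())       # header bytes, 0x6610 appears as 10 66 00 00
    print(parse_plaintext_key_blob(SAMPLE_BLOB))
```

The first 12 bytes of a blob for a 256-bit key always read `08 02 00 00 10 66 00 00 20 00 00 00`, which is a handy byte pattern to search for in a memory dump when looking for the imported key.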

Example of a decrypted string:

Among the decrypted strings we can also see the list of the attacked extensions

We can also find a list of some keywords:

acute actin Acton actor Acuff Acuna acute adage Adair Adame banhu banjo Banks Banta Barak Caleb Cales Caley calix Calle Calum Calvo deuce Dever devil Devoe Devon Devos dewar eight eject eking Elbie elbow elder phobos help blend bqux com mamba KARLOS DDoS phoenix PLUT karma bbc CAPITAL

This is a list of possible extensions used by this ransomware family. They are (probably) used to recognize and skip files which have already been encrypted by a ransomware from this family. The extension that will be used in the current encryption round is hardcoded.

One of the encrypted strings specifies the formula for the file extension, that is later filled with the Victim ID:

UNICODE ".id[<unique ID>-1096].[lockhelp@qq.com].acute"

Killing processes

The ransomware comes with a list of processes that it kills before the encryption is deployed. Just like other strings, the full list is decrypted on demand:

msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe
oracle.exe ocssd.exe dbsnmp.exe synctime.exe agntsvc.exe
mydesktopqos.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe
ocautoupds.exe agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe
firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe
mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe
msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe steam.exe
thebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe

Those processes are killed so that they will not block access to the files that are going to be encrypted.

A fragment of the function enumerating and killing processes

Deployed commands

The ransomware runs several commands from the command line. Those commands are supposed to prevent recovery of the encrypted files from any backups.

Deleting the shadow copies:

vssadmin delete shadows /all /quiet
wmic shadowcopy delete

Changing bcdedit options (preventing the system from booting into recovery mode):

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no

Deleting the backup catalog on the local computer:

wbadmin delete catalog -quiet

Disabling the firewall:

netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
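From the defender's side, the commands listed above (and the trailing `exit` that closes the batch) are what a process-creation log should be watched for; they are noisy and have few legitimate reasons to appear together under one parent. The following Python is an added example, not from the Malwarebytes article: it runs a rule set covering exactly these commands over constructed process-creation log lines in a made-up `key=value|key=value` format, and flags a parent process that both deletes shadow copies and tampers with recovery or firewall settings, while leaving an administrator's `vssadmin list shadows` or `bcdedit /enum` alone.

```python
import re
from collections import defaultdict

# One rule per command from the article, matched against a normalised command line.
RULES = [
    ("shadow_copy_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("recovery_disable", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("recovery_disable", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("firewall_disable", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("firewall_disable", re.compile(r"netsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def parse_event(line: str) -> dict:
    """Parse the constructed 'key=value|key=value' log format used in SAMPLE_LOG."""
    return dict(part.split("=", 1) for part in line.split("|"))


def classify(cmdline: str) -> list:
    """Return the sorted set of rule names that match one command line."""
    n = normalise(cmdline)
    return sorted({name for name, rx in RULES if rx.search(n)})


def analyse(lines: list) -> tuple:
    """Return (hits, suspects): every matching event, and the parent PIDs whose
    children both removed shadow copies and touched at least one other category,
    which is the shape of the command batch described in the article."""
    by_parent = defaultdict(set)
    hits = []
    for line in lines:
        ev = parse_event(line)
        cats = classify(ev.get("cmd", ""))
        if cats:
            hits.append((ev["ts"], ev["ppid"], ev["cmd"], cats))
            by_parent[ev["ppid"]].update(cats)
    suspects = sorted(p for p, c in by_parent.items()
                      if "shadow_copy_delete" in c and len(c) >= 2)
    return hits, suspects


# Constructed log lines: parent 4120 runs the batch, parent 3300 is an admin poking around.
SAMPLE_LOG = [
    "ts=2019-07-24T18:09:01|host=WS01|ppid=4120|pid=4131|cmd=vssadmin delete shadows /all /quiet",
    "ts=2019-07-24T18:09:01|host=WS01|ppid=4120|pid=4132|cmd=wmic shadowcopy delete",
    "ts=2019-07-24T18:09:02|host=WS01|ppid=4120|pid=4133|cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "ts=2019-07-24T18:09:02|host=WS01|ppid=4120|pid=4134|cmd=bcdedit /set {default} recoveryenabled no",
    "ts=2019-07-24T18:09:02|host=WS01|ppid=4120|pid=4135|cmd=wbadmin delete catalog -quiet",
    "ts=2019-07-24T18:09:03|host=WS01|ppid=4120|pid=4136|cmd=netsh advfirewall set currentprofile state off",
    "ts=2019-07-24T18:09:03|host=WS01|ppid=4120|pid=4137|cmd=netsh  firewall set opmode mode=disable",
    "ts=2019-07-24T18:15:40|host=WS01|ppid=3300|pid=3308|cmd=vssadmin list shadows",
    "ts=2019-07-24T18:15:41|host=WS01|ppid=3300|pid=3312|cmd=bcdedit /enum",
]

if __name__ == "__main__":
    hits, suspects = analyse(SAMPLE_LOG)
    for ts, ppid, cmd, cats in hits:
        print(ts, ppid, cats, cmd)
    print("suspect parents:", suspects)
```

Matching on the individual commands is enough for alerting, but the grouping by parent is what keeps the rule useful: backup software and administrators do run `vssadmin` and `bcdedit`, and it is the combination of shadow-copy deletion with recovery or firewall tampering from one parent that has no benign explanation.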
exit

Attacked targets

Before Phobos starts its malicious actions, it checks the system locale (calling GetLocaleInfoW with LOCALE_SYSTEM_DEFAULT and LOCALE_FONTSIGNATURE). It terminates execution in case the 9th bit of the output is cleared. The 9th bit represents Cyrillic alphabets, so systems that have a Cyrillic locale set as default are not affected.

Both local drives and network shares are encrypted.

Before the encryption starts, Phobos lists all the files and compares their names against hardcoded lists. The lists are stored inside the binary in AES-encrypted form, with the strings separated by the delimiter ‘;’.

Fragment of the function decrypting and parsing the hardcoded lists

Among those lists we can find, for example, a blacklist (those files will be skipped). These are files related to the operating system, plus info.txt and info.hta, which are the names of the Phobos ransom notes:


There is also a list of directories to be skipped – in the analyzed case it contains only one directory: C:\Windows.

Among the skipped files are also those with the extensions used by Phobos variants, which were mentioned before.

There is also a pretty long whitelist of extensions:

1cd 3ds 3fr 3g2 3gp 7z accda accdb accdc accde accdt accdw adb adp ai ai3 ai4 ai5 ai6 ai7 ai8 anim arw as asa asc ascx asm asmx asp aspx asr asx avi avs backup bak bay bd bin bmp bz2 c cdr cer cf cfc cfm cfml cfu chm cin class clx config cpp cr2 crt crw cs css csv cub dae dat db dbf dbx dc3 dcm dcr der dib dic dif divx djvu dng doc docm docx dot dotm dotx dpx dqy dsn dt dtd dwg dwt dx dxf edml efd elf emf emz epf eps epsf epsp erf exr f4v fido flm flv frm fxg geo gif grs gz h hdr hpp hta htc htm html icb ics iff inc indd ini iqy j2c j2k java jp2 jpc jpe jpeg jpf jpg jpx js jsf json jsp kdc kmz kwm lasso lbi lgf lgp log m1v m4a m4v max md mda mdb mde mdf mdw mef mft mfw mht mhtml mka mkidx mkv mos mov mp3 mp4 mpeg mpg mpv mrw msg mxl myd myi nef nrw obj odb odc odm odp ods oft one onepkg onetoc2 opt oqy orf p12 p7b p7c pam pbm pct pcx pdd pdf pdp pef pem pff pfm pfx pgm php php3 php4 php5 phtml pict pl pls pm png pnm pot potm potx ppa ppam ppm pps ppsm ppt pptm pptx prn ps psb psd pst ptx pub pwm pxr py qt r3d raf rar raw rdf rgbe rle rqy rss rtf rw2 rwl safe sct sdpx shtm shtml slk sln sql sr2 srf srw ssi st stm svg svgz swf tab tar tbb tbi tbk tdi tga thmx tif tiff tld torrent tpl txt u3d udl uxdc vb vbs vcs vda vdr vdw vdx vrp vsd vss vst vsw vsx vtm vtml vtx wb2 wav wbm wbmp wim wmf wml wmv wpd wps x3f xl xla xlam xlk xlm xls xlsb xlsm xlsx xlt xltm xltx xlw xml xps xsd xsf xsl xslt xsn xtp xtp2 xyze xz zip

How does the encryption work

Phobos uses the Windows Crypto API for encrypting files. Several parallel threads deploy encryption on each accessible disk or network share.

Deploying the encrypting thread

The AES key is created before the encrypting thread is run, and it is passed in the thread parameter.

Fragment of the key generation function:

Calling the function generating the AES key (32 bytes)

Although the AES key is common to all the files encrypted in a single round, each file is encrypted with a different initialization vector. The initialization vector is 16 bytes long, generated just before the file is opened, and then passed to the encrypting function:

Calling the function generating the AES IV (16 bytes)

Underneath, both the AES key and the Initialization Vector are generated by the same function, which is a wrapper around CryptGenRandom (a strong random generator):

The AES IV is later appended to the content of the encrypted file in cleartext form. We can see it in the following example:

Before the file encryption function is executed, the random IV is being generated:

The AES key that was passed to the thread is imported into the context (CryptImportKey), and the IV is set. We can see that the file content that was read is encrypted:

After the content of the file is encrypted, it is being saved into the newly created file, with the ransomware extension.

The ransomware creates a block with metadata, including checksums and the original file name. After this block, the random IV is stored, and finally the block containing the encrypted AES key. The last element is the file marker, “LOCK96”:

Before being written to the file, the metadata block is being encrypted using the same AES key and IV as the file content.

setting the AES key before encrypting the metadata block

Encrypted metadata block:

Finally, the content is appended to the end of the newly created file:

As ransomware researchers, the common question we want to answer is whether or not the ransomware is decryptable, meaning whether it contains a weakness allowing the files to be recovered without paying the ransom. The first thing to look at is how the encryption of the files is implemented. Unfortunately, as we can see from the above analysis, the encryption algorithm used is secure: it is AES with a random key and initialization vector, both created by a secure random generator. The implementation used is also valid: the authors decided to use the Windows Crypto API.
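The naming pattern and the trailer layout described above are enough to triage a file share after an incident, even though nothing in the trailer helps with decryption. The following Python is an added example, not code from the Malwarebytes article: it parses the `.id[...]` file name into victim ID, version ID, attacker e-mail and extension, pulls the 16-byte IV, the 128-byte encrypted-key block and the 6-character marker off the end of each file, and groups files by the key block, since files sharing it were encrypted in the same run. The sample files, the victim ID and the key block are constructed; the metadata block in front of the IV is AES-encrypted and is not decoded. The decrypted format string on the page shows a dot between the two bracketed groups while the general pattern shows none, so the parser accepts both.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

# Name pattern from the article:
#   <original name>.id[<victim ID>-<version ID>][<attacker's e-mail>].<extension>
# The dot between "]" and "[" is optional (the decrypted format string has one).
NAME_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim>[^\]-]+)-(?P<version>[^\]]+)\]"
    r"\.?\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

MARKER_LEN = 6      # 'LOCK96', 'DAT260' and similar 6-character keywords
KEYBLOCK_LEN = 128  # RSA-encrypted AES key, identical in every file of one run
IV_LEN = 16         # per-file AES IV, stored in cleartext


@dataclass
class PhobosTrailer:
    marker: bytes
    key_block: bytes
    iv: bytes


def parse_name(filename: str) -> Optional[dict]:
    """Split an encrypted file name into its parts, or None if it does not match."""
    m = NAME_RE.match(filename)
    return m.groupdict() if m else None


def parse_trailer(data: bytes) -> Optional[PhobosTrailer]:
    """Read the fixed-size trailer from the end of a file, back to front:
    6-byte marker, 128-byte encrypted-key block, 16-byte IV."""
    total = MARKER_LEN + KEYBLOCK_LEN + IV_LEN
    if len(data) < total:
        return None
    marker = data[-MARKER_LEN:]
    # Every marker the article names is six upper-case letters/digits.
    if not re.fullmatch(rb"[A-Z0-9]{6}", marker):
        return None
    key_block = data[-(MARKER_LEN + KEYBLOCK_LEN):-MARKER_LEN]
    iv = data[-total:-(MARKER_LEN + KEYBLOCK_LEN)]
    return PhobosTrailer(marker, key_block, iv)


def triage(files: dict) -> dict:
    """Map each encrypted-key block to the files that carry it. Files sharing a
    block were encrypted with the same AES key, i.e. in the same run."""
    groups = {}
    for name, data in files.items():
        info = parse_name(name)
        trailer = parse_trailer(data)
        if info is None or trailer is None:
            continue  # untouched file, or a name/trailer that is not Phobos-shaped
        groups.setdefault(trailer.key_block, []).append({
            "name": name, "original": info["original"], "victim": info["victim"],
            "version": info["version"], "email": info["email"], "ext": info["ext"],
            "marker": trailer.marker.decode("ascii"), "iv": trailer.iv.hex(),
        })
    return groups


def _fake_encrypted(key_block: bytes, iv: bytes, marker: bytes, body_len: int = 64) -> bytes:
    """Constructed stand-in for an encrypted file: random 'ciphertext', zero
    padding, then the trailer in the order the article describes."""
    return os.urandom(body_len) + b"\x00" * 8 + iv + key_block + marker


# Constructed sample: two files from one run (same key block), one untouched file.
KEY_A = bytes(range(KEYBLOCK_LEN))
SAMPLE_FILES = {
    "budget.xlsx.id[A1B2C3D4-1096].[lockhelp@qq.com].acute": _fake_encrypted(KEY_A, b"\x11" * 16, b"LOCK96"),
    "notes.txt.id[A1B2C3D4-1096].[lockhelp@qq.com].acute": _fake_encrypted(KEY_A, b"\x22" * 16, b"LOCK96"),
    "readme.txt": b"plain text, not touched",
}

if __name__ == "__main__":
    for key_block, entries in triage(SAMPLE_FILES).items():
        print("run with key block", key_block[:8].hex(), "...")
        for e in entries:
            print("  ", e["original"], e["version"], e["email"], e["marker"], e["iv"])
```

Grouping by key block is the useful part in practice: one share with two different key blocks means the ransomware ran at least twice, which matches the article's warning that the persistence mechanisms lead to repeated infections, and the IVs confirm that no two files share one.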

Encrypting big files

Phobos uses a different algorithm to encrypt big files (longer than 0x180000 bytes). The algorithm explained above is used for encrypting files of typical size (in which case the full file is encrypted, from beginning to end). For big files the main algorithm is similar; however, only some parts of the content are selected for encryption.

We can see it on the following example. The file ‘test.bin’ was filled with 0xAA bytes. Its original size was 0x77F87FF:

After being encrypted with Phobos, we see the following changes:

Some fragments of the file have been left unencrypted. Between them, starting from the beginning, some fragments have been wiped. A random-looking block of bytes has been appended to the end of the file, after the original size. We can guess that this is the encrypted content of the wiped fragments. At the very end of the file we can see a block of data typical for Phobos:

Looking inside, we can see the reason for this layout. Only 3 chunks from the large file are read into a buffer. Each chunk is 0x40000 bytes long:

All the read chunks are merged into one buffer. After this content, the usual metadata (checksums, original file name) is added, and the full buffer is encrypted:

In this way, the authors of Phobos tried to minimize the time taken to encrypt large files, while at the same time maximizing the damage done.

How is the AES key protected

The next element we need to check in order to assess decryptability is the way the authors decided to store the generated key.

In the case of Phobos, the AES key is encrypted just after being created. Its encrypted form is later appended at the end of the attacked file (in the aforementioned block of 128 bytes). Let’s take a closer look at the function responsible for encrypting the AES key.

The function generating and protecting the AES key is run before each encrypting thread is started. Looking inside, we can see that first several variables are decrypted, in the same way as the aforementioned strings.

Decryption of the constants

One of the decrypted elements is the following buffer:

It turns out that the decrypted block of 128 bytes is the attacker's public RSA key. This buffer is then verified with the help of a checksum: a checksum of the RSA key is compared with a hardcoded one. If both match, the size used for AES key generation is set to 32. Otherwise, it is set to 4.

Then, a buffer of random bytes is generated for the AES key.

After being generated, the AES key is protected with the hardcoded public key. This time the authors decided not to use the Windows Crypto API, but an external library. Detailed analysis helped us identify it as a specific implementation of the RSA algorithm (special thanks to Mark Lechtik for the help).

The decrypted 128-byte RSA key is imported with the function RSA_pub_key_new. After that, the imported RSA key is used to encrypt the random AES key:

Summing up, the AES key seems to be protected correctly, which is bad news for the victims of this ransomware.

Attacking network shares

Phobos has a separate thread dedicated to attacking network shares.

Network shares are enumerated in a loop:

Comparison with Dharma

Previous sources reference Phobos as strongly based on Dharma ransomware. However, that comparison was based mostly on outward appearance: a very similar ransom note, and the naming convention used for the encrypted files. The real answer to this question lies in the code. Let’s have a look at both and compare them. This comparison will be based on the current sample of Phobos and a Dharma sample (d50f69f0d3a73c0a58d2ad08aedac1c8).

If we compare both with the help of BinDiff, we can see some similarities, but also a lot of mismatching functions.

Fragment of code comparison: Phobos vs Dharma

In contrast to Phobos, Dharma loads the majority of its imports dynamically, making the code a bit more difficult to analyze.

Dharma loads most of its imports at the beginning of execution

Addresses of the imported functions are stored in an additional array, and every call takes an additional jump through this array. Example:

In contrast, Phobos has a typical, unobfuscated Import Table

Before the encryption routine is started, Dharma sets a mutex: “Global\syncronize_<hardcoded ID>”.

Both Phobos and Dharma use the same implementation of the RSA algorithm, from a static library. Fragment of code from Dharma:

The fragment of the function “bi_mod_power” from: https://github.com/joyent/syslinux/blob/master/gpxe/src/crypto/axtls/bigint.c#L1371

File encryption is implemented similarly in both. However, while Dharma uses AES implementation from the same static library, Phobos uses AES from Windows Crypto API.

Fragment of the AES implementation from Dharma ransomware

Looking at how the key is saved in the file, we can also see some similarities. The protected AES key is stored in the block at the end of the encrypted file. At the beginning of this block we can see some metadata similar to that in Phobos, for example the original file name (in Phobos this data is encrypted). Then there is a 6-character identifier, selected from a hardcoded pool.

The block at the end of a file encrypted by Dharma

Such an identifier also occurs in Phobos, but there it is stored at the very end of the block. In the case of Phobos this identifier is constant for a particular sample.

The block at the end of a file encrypted by Phobos

Conclusion

Phobos is an average ransomware, by no means showing any novelty. Looking at its internals, we can conclude that while it is not an exact rip-off of Dharma, there are significant similarities between the two, suggesting the same authors. The overlaps are at the conceptual level, as well as in the same RSA implementation being used.

As with other threats, it is important to make sure your assets are secure to prevent such compromises. In this particular case, businesses should review any machines where Remote Desktop Protocol (RDP) access has been enabled and either disable it if it is not needed, or make sure the credentials are strong enough to resist brute-forcing.

Malwarebytes for business protects against Phobos ransomware via its Anti-Ransomware protection module:

The post A deep dive into Phobos ransomware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

FaceApp scares point to larger data collection problems

Malwarebytes - Wed, 07/24/2019 - 16:38

Last week, if you thumbed your way through Facebook, Instagram, and Twitter, you likely saw altered photos of your friends with a few extra decades written onto their faces—wrinkles added, skin sagged, hair bereft of color.

Has 2019 really been that long? Not really.

The photos are the work of FaceApp, the wildly popular, AI-powered app that lets users “age” pictures of themselves, change their hairstyles, put on glasses, and present a different gender.

Then, seemingly overnight, users, media reports, and members of Congress turned FaceApp into the latest privacy parable: If you care about your online privacy, avoid this app at all costs, they said.  

It’s operated by the Russian government, suggested the investigative outlet Forensic News.

It’s a coverup to train advanced facial recognition software, theorized multiple Twitter users.

It’s worthy of an FBI investigation, said Senator Chuck Schumer of New York.

The truth is less salacious. Here’s what we do know.

FaceApp’s engineers work out of St. Petersburg, Russia, which is not by any means a mark against the company. FaceApp does not, as previously claimed, upload a user’s entire photo roll to servers anywhere in the world. FaceApp’s Terms of Service agreement does not claim to transfer the ownership of a user’s photos to the company, and FaceApp’s CEO said the company would soon update its agreement to more accurately describe that the company does not utilize user content for “commercial purposes.”

Finally, the blowback against FaceApp—for what the company could collect, per its privacy policy, and how it could use that data—is a bit skewed. Countless American companies allow themselves to do the same exact thing today.

“The language you quoted to me, I recommend you look at the terms on Facebook or any other sort of user-generated service, like YouTube,” said Mitch Stoltz, senior staff attorney at Electronic Frontier Foundation, when we read FaceApp’s agreement to him over the phone.  

“It’s almost word-for-word,” Stoltz said. “All that verbiage, in a vacuum, sounds broad, but if you think about it, those are the terms used by almost any website that allows users to upload photos.”

But the takeaway from this week of near-hysteria should not be complacency. Instead, the story of FaceApp should serve as yet another example supporting the always-relevant, sometimes-boring guideline for online privacy: Ask questions first, download later (if at all).

FaceApp’s terms of service agreement

When users download and use FaceApp, they are required to agree to the parent company’s broad Terms of Service agreement. Those terms are extensive:

“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”

Further, users are told through the Terms of Service agreement that “by using the Services, you agree that the User Content may be used for commercial purposes.”

This covers, to put it lightly, a lot. But it is far from unique, Stoltz said.  

“Any website that allows anyone in the world to post photos is going to have a clause like that—‘by uploading photos you give us permissions to do anything with it,’” Stoltz said. “It protects them against all manner of users trying to bring legal claims, where, oh, they only wanted four copies of a photo, not 10 copies. The possibilities are endless.”

Several years ago, CNN dug through some of the most dictatorial terms of service agreements for popular social media platforms, Internet services, and companies, and found that, for example, LinkedIn claimed it could profit from users’ ideas.

Relatedly, Terms of Service, Didn’t Read, which evaluates companies’ user agreements, currently shows that Google and Facebook can use users’ identities in advertisements shown to other users, and that the two companies can also track your online activity across other websites.

Stoltz also clarified that FaceApp’s Terms of Service agreement does not claim to take the copyright of a photo away from whoever took that photo—a process that would be difficult to do in a contract.

“It’s been tried—it’s something the courts don’t like,” Stoltz said.

Stoltz also said that, while consumers do have the option to bring a legal challenge against a contract they allege is unfair, such successful challenges are rare. Stoltz gave one example of where that worked, though: a judge sided with a rental car customer who challenged a company’s extra charge every time the driver sped past the speed limit.

“The court said nuh-uh, you can’t bury that in a contract and expect people to fully understand that,” Stoltz said.

As to how FaceApp will actually use user-generated photos, FaceApp CEO Yaroslav Goncharov told Malwarebytes Labs in an email that the company plans to update its terms to better reflect that it does not use any users’ images for “commercial purposes.”

“Even though our policy reserves potential ‘commercial use,’ we don’t use it for any commercial purposes,” Goncharov said. “We are planning to update our privacy policy and TC to reflect this fact.”

Dispelling the rumors

On July 17, United States Sen. Schumer asked the FBI and the Federal Trade Commission to investigate FaceApp because of the app’s popularity, the location of its parent company, and its alleged potential link to foreign intelligence operations in Russia.

The next day, Sen. Schumer spoke directly to consumers in a video shared on Twitter, hammering on the same points:

“The risk that your facial data could also fall into the hands of something like Russian intelligence, or the Russian military apparatus, is disturbing,” Schumer said.

But, according to FaceApp’s CEO, that isn’t true. In responding to questions from The Washington Post, Goncharov said the Russian government has no access to user photos, and, further, that unless a user actually lives in Russia, user data is not located in the country.

Goncharov also told The Washington Post that user photos processed by FaceApp are stored on servers run by Google and Amazon.

In responding to questions from Malwarebytes Labs, Goncharov clarified that the company removes photos from those servers based on a timer, but that sometimes, if there is a large quantity of photos, the removal process can actually take longer than the chosen time limit itself.

“You can set a policy for an [Amazon Simple Storage] bucket that says ‘delete all files that are older than one day.’ In this case, almost all photos may be deleted in 25 hours or so. However, if you have too many incoming photos it can take longer than one hour (or even 24 hours) to delete all photos that are older than 24 hours,” Goncharov said. “[Amazon Web Services] doesn’t provide a guarantee that it takes less than a day to complete a bucket policy. We have a similar situation with Google Cloud.”

Another concern that some users raised about FaceApp was the possibility that the app was accessing and downloading every photo locally stored on a user’s device.

But, again, the rumors proved to be overblown. Cybersecurity researchers and an investigation by Buzzfeed News revealed that the network traffic between FaceApp and its servers did not show any nefarious hoovering of user data.

“We didn’t see any suspicious increase in the size of outbound traffic that would indicate a leak of data beyond permitted uploads,” Buzzfeed News wrote. “We uploaded four pictures to FaceApp, which corresponds with the four spikes in the graphic, with some noise at the end after the fourth upload.”

Finally, despite the many distressed comments on Twitter, Goncharov also told The Washington Post that his company is not using its technology for any facial recognition purposes.

What you should do

We get it—FaceApp is fun. Sadly, for many, online privacy is less so. (We disagree.) But that does not make online privacy any less important.

For those of you who have already downloaded and used FaceApp, the company recently described an ad-hoc method for removing your data from their servers:

“We accept requests from users for removing all their data from our servers. Our support team is currently overloaded, but these requests have our priority. For the fastest processing, we recommend sending the requests from the FaceApp mobile app using ‘Settings->Support->Report a bug’ with the word ‘privacy’ in the subject line. We are working on a better UI for that.”

For those of you who want to avoid these types of problems in the future, there’s a simple rule: Read an app’s terms of service agreement and privacy policy before you download and use it. If the agreements and policies are too long to read through—or too filled with jargon to parse—you can always avoid downloading the app altogether.

Always remember, the fear of missing out on the latest online craze should be weighed against the fear of having your online privacy potentially invaded.

The post FaceApp scares point to larger data collection problems appeared first on Malwarebytes Labs.
