Security & Hacking: Tor warns of Possible Attack on Network

Snippet:  "The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities"

Full story:

• https://blog.torproject.org/blog/possible-upcoming-attempts-disable-tor-network
• https://threatpost.com/tor-project-warns-of-possible-upcoming-attack-on-network/110013

SC2 Thoughts: Power of Queens x Nydus!

Life (Z) vs Stats (P)

Comments with Spoilers below:

3

2

1

This was a well planned & executed counter to Stats play.

Few points I want to emphasize:

Life used a burrowed Zergling to provide vision for Nydus, this provides more tactical surprise, as well as being safer since what isn't seen can't be killed or pushed back.

Burrow is started at 10:15 at same time Life is getting a Zergling into Stats main for a complete scout.

The Zergling that provides vision for the Nydus is sent at ~13:13 game time link to that momment. 

Note:  In addition to that Ling, there are 2 others to either side of it, for total of 3 Lings, all burrowed, providing vision on the left side of Protoss half of the map.

Also, more importantly for that Nydus attack, the 2 additional burrow Lings provide vision in case Protoss tries to flank or surround the Nydus force.

At nearly the same time as the Lings on the left are being burrowed, Life sends a group of Zerglings around right side of map for both Scouting and attempt at another run by into Natural/Main (typical Life Ling Tactics).

Near end of the game, Stats does send a Probe or two to drop a Pylon near Life's 4th Base (Bottom Right) while the Nydus attack is in progress.

But realizes there is no way he can put enough pressure on there to win a base race and GG's moments after that Pylon finishes.

Lee Hutchinson fed up with AT&T unlock policies

Personal frustration with AT&T from staff member of Ars Technica, Lee Hutchinson arstechnica.com/staff/2014/11/atts-outdated-unlock-policies-cost-it-a-loyal-customer-me/

Doesn't surprise me, AT&T was first carrier I used many years ago, won't ever use them again.

There are things Verizon & T Mobile do that frustrate me, but they at least have some things they do well than balance the negatives much better than AT&T IMO.

Devil's Advocate:  I can think of a single reason for AT&T to do this, though one would still have contract, enforcing that on someone who has unlocked device and isn't happy with AT&T is more expensive than using leverage of not unlocking phone.

That could be significant for AT&T's cash flow if many others share my opinion that AT&T is the worst carrier in USA after they become a customer.

Game of the Month: Bunny vs Life

Bunny (T) vs Life (Z)
Game 3 in Bo3

No comments, at least for now, because don't want any spoilers.

I also liked Game 2  of this series, though it wasn't as awesome as Game 3.

Nerd News: Dell Alienware external Graphics option

I've been interested in external GPU (eGPU) for some time, for all my posts on that click eGPU Label,since laptops are far more practical when you have to travel, but I don't care for 8+ lbs (4+ kilo) gaming laptops.

Heavy laptops like that aren't much more portable than some desktops, I helped a Nerd buddy drag his desktop around to many events when I was in high school.

So real interested in news from Dell Alienware about their "Graphics Amplifier", an external GPU bay designed to pair with their new 13" laptop.

Links to the eGPU:

• WSJ http://blogs.wsj.com/personal-technology/2014/10/27/alienwares-huge-graphics-amplifier-turns-laptops-into-gaming-infernos/
• Anandtech http://www.anandtech.com/show/8653/alienware-graphics-amplifier

Link to 13" Alienware laptop info:

• Dell Alienware (Graphics Amplifier under "Accessories & Services" tab in middle of page) http://www.dell.com/us/p/alienware-13/pd.aspx
• Anandtech http://www.anandtech.com/show/8652/alienware-launches-the-alienware-13-gaming-laptop-with-a-twist

Starcraft 2 Thoughts: Roach Baneling vs Terran

Symbol (Z) vs Flash (T)

Very nice Zerg play!

A few significant choices Symbol made worth pointing out IMO:

• In his first attack, he made a point to focus down 4 Supply Depots (3 at third base, & 1 at wall in Natural), this supply blocked Terran for a bit.
• He also destroyed the 2 Ebays that were part of the front wall.
• He immediately withdrew after accomplishing these limited objectives (ie he didn't overextend).

I've blogged before about how strong Roach & Banelings with Air Support can be, see this TLO vs Satini game http://cliffsesportcorner.blogspot.com/2012/02/tlo-vs-satini.html, though I tend to favor Corrupters over the Mutas used here.

I prefer Corrupters because I feel they are more cost efficient vs Terran than Mutas.

Six (6) Corrupters will 2 shot Medivacs, so 6 to 12 Corrupters in early game, and in mid or late game Broodlords can be much more useful than Mutas.

Midgame I would use them more for harassment on certain maps that have dead air space behind bases.

You can fly 1 or 2 Corrupters behind a Terran base, and then upgrade them to Broodlord.

If you do that to 2 bases at same time, and have a Nydus network, you can drop Nydus in weak or undefended base with Broodlings providing vision & cover for Nydus.

Just click on the Starcraft 2 Thoughts Label for more posts like this, more Labels can be found at bottom left of every post and in Label cloud at left side of Blog.

IEM 2014 San Jose: Catz vs Creature

Interesting series
Catz (Z) vs Creature (P)

Nerd News: "Silk Road Lawyers Poke Holes in FBI’s Story"

Brian Krebs has an interesting article up,  http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-holes-in-fbis-story/, about the trial of alleged leader of Silk Road.

Short version, government's explanation for how they found the hidden servers appears to be BS.

This seems like they are hiding real way & means that they discovered the information.

Which, though IANAL, isn't legal as I understand it, in US Trials, there is a step called "Discovery" see http://www.americanbar.org/groups/public_education/resources/law_related_education_network/how_courts_work/discovery.html & http://en.wikipedia.org/wiki/Civil_discovery_under_United_States_federal_law.

So unlike TV or Movie Courtroom drama, there isn't surprise evidence introduced in the middle of the trial.

There are several reasons why information isn't supposed to be hidden during Discovery.

Discovery reduces wasting time, Judges generally have more cases than they can get to in any given time period, so as a practical matter, parties are encouraged to settle before Court date.

It also reduces some types of false testimony & evidence, or at least makes it easier to illuminate that it is occurring.

Security & Hacking: Apple iOS 8 & Data Extraction

People have been citing a statement on this page http://www.apple.com/privacy/government-information-requests/ as proof that with iOS 8 Apple can't extract data from devices secured with a passcode.

I don't think most people are reading Apple's statement with a critical enough mindset, here is last part of what Apple actually wrote about data extraction:

"So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

The key part is "extraction of this data from devices in their [government] possession running iOS 8." Note my bolded emphasis.

What Apple is really saying, I think, is just like iOS 7 Apple needs devices in their possession to extract data, they can't do it remotely and didn't provide government agencies with the tools to do so either.

Here is a snippet from Apple's page Legal Process Guidelines U.S. Law Enforcement.  Important Note, the original link "https://www.apple.com/legal/more-resources/law-enforcement/" to this information at Apple gets redirected to "https://www.apple.com/privacy/government-information-requests/" now, so if you don't have a copy of original page you will need to find cached version to verify:

 " I. Extracting Data from Passcode Locked iOS Devices

 Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data." 

And from the FAQ section of that page:

"Can Apple provide me with the passcode of an iOS device that is currently locked?

No, Apple does not have access to a user’s passcode but may be able to extract some data from a locked device with a valid search warrant as described in the Guidelines."

So what it seems like to me, is that iOS 8 offers at best same protection as earlier versions, Apple can still extract data from from devices in their possession, though they worked hard to write a factually accurate statement that was misleading.

I also haven't noticed any comments about data from the coprocessor that tracks movement and other data on iPhone 5S and newer, even when phone is sleeping.


Additional Links of Interests:

• Apple's 2014 iOS Security Whitepaper http://images.apple.com/privacy/docs/iOS_Security_Guide_Sept_2014.pdf
• Apple iMessage encryption http://cliffsesportcorner.blogspot.com/2013/04/cnet-apples-imessage-encryption-trips.html
• iPhone 5S Good, Bad, & Big Brother http://cliffsesportcorner.blogspot.com/2013/09/nerd-news-iphone-5s-good-bad-big-brother.html

DEFCON 22 Weaponizing Your Pets Gene Bransfield

Weaponizing Your Pets
Gene Bransfield Twitter @gbransfield

DEFCON 22: Dark Mail Ladar Levison and Stephen Watt

DEF CON 22 Darkmail
Ladar Levison & Stephan Watt

I also strongly recommend Leo Laporte's interview of Ladar Levison on Triangulation, its available as podcast on iTunes or as download at
http://twit.tv/show/triangulation/125

Nerd News: "U.S. threatened massive fine to force Yahoo to release data"

Washington Post article about how US Government forced Yahoo to hand over information & messages from its users.

And forced their participation in PRISM.

Washington Post article:
http://www.washingtonpost.com/business/technology/us-threatened-massive-fine-to-force-yahoo-to-release-data/2014/09/11/38a7f69e-39e8-11e4-9c9f-ebb47272e40e_story.html

Wikipedia PRISM:
http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29

Nerd News: LastPass Back Up

LastPass has been down for a while, but according to LastPass and other reports it should be back up, though there may still be some issues.

Sounds like they only use 2 datacenters, or maybe even only single primary one with a "backup".

"Update: 1:28 pm EST

Though one of our data centers remains completely down, the service is generally stable and should be available to the majority of users (with the exception of login favicons). Some users may see connection errors but should still be able to access their data. We continue to work as quickly as possible to get the service back to 100%. "

       Source http://blog.lastpass.com/

"Aug 12, 2014 - One of LastPass' datacenters has been down since 3:57am EDT. The service is now running fully off one Herndon VA datacenter and we have been engaged with our provider all morning. Currently favicons/sprites are impacted. We are doing what we can to minimize the impact and apologize for the inconvenience. "

       Source https://lastpass.com/status.php


Also http://www.isitdownrightnow.com/lastpass.com.html 

For LastPass users that want an offline solution to prevent this type of problem in future consider LastPass Pocket

This is LastPass link specifically about offline access https://helpdesk.lastpass.com/password-manager-basics/your-lastpass-vault/offline-access-to-your-lastpass-vault/ 

Def Con 21: "Pentesting with an Army of Low-power Low-cost Devices"

Couldn't go to Def Con 22, waiting for vods to come out, so started watching some of the Def Con 21 Youtubes in the meanwhile.

I like this one about Pen Testing with cheap Arm devices by Dr. Philip Polstra aka Dr. Phil the Hacker his Twitter is ppolstra | https://twitter.com/ppolstra.

He uses the BeagleBoard Black as the starting point for his hardware.

Some useful links:

• Current version that's available BeagleBone Black Rev C - 4GB Flash - Pre-installed Debian https://www.adafruit.com/products/1876
• Jan Axelson was LVR.com now http://janaxelson.com/ ["The developer's resource for computer interfacing, especially USB, serial (COM) ports, mass storage, Ethernet and Internet for embedded systems, and the parallel port."] 
• Xbee http://www.digi.com/xbee/ 
• The Deck [a full-featured penetration testing & forensics Linux distribution] for BeagleBone Black  http://ppolstra.blogspot.com/2013/08/the-deck-for-beaglebone-black-has.html
• Installing Deck Youtube http://youtu.be/98kbOKuInv4?t=1m18s
• BeagleBoard site http://beagleboard.org/
• BeagleBoard Black site http://beagleboard.org/black
• Wikipedia on BeagleBoard http://en.wikipedia.org/wiki/BeagleBoard
• Wikipedia on Xbee http://en.wikipedia.org/wiki/XBee

For new readers of my blog, I have labels at bottom left of every post & selected labels at left side of the blog to help find related posts.

These labels can be booked marked so you can just check topics your interested in, so for more posts like this you could click on:

• DEFCON 
• Pen Testing
• Security
• Hacking

Security & Hacking: The Matasano Crypto Challenges

Really cool the Matasano Crypto Challenges is "a collection of 48 exercises that demonstrate attacks on real-world crypto."

It's designed to teach real Crypto attacks by doing, great for improving the security of code you write, or to get an idea of what Pen Testing or malicious hacking involves.

Very good review, worth reading in it's own right here https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/

Note in the Pinboard review the original link for Matasano Crypto Challenges  didn't update for server move, current working link (I have correct link at top of this blog post of mine as well) is http://web.archive.org/web/20140213141638/http://www.matasano.com/articles/crypto-challenges/

SC2ITL: ROOT vs Grav

Stream:  http://www.twitch.tv/fenn3r

SC2 Improve Team League:  http://wiki.teamliquid.net/starcraft2/SC2Improve_Team_League

Root 4 Root!

Hope? Federal Appeals Court ruled Police need Warrant for cell phone location history

"For the first time, a federal appeals court has ruled that law enforcement must obtain a warrant to get people’s phone location histories from their cell service companies."

Source & full article at https://www.aclu.org/technology-and-liberty/first-time-appeals-court-rules-warrant-required-cell-phone-location-tracking

PDF of the ruling itself at https://www.aclu.org/sites/default/files/assets/q_davis_opinion_0.pdf

A little hope, my understanding is that this ruling would only apply to jurisdiction of the court that made the ruling, and I suspect governments (local/state/federal?) will appeal.

Security & Hacking: Windows Patch Tuesday Reminder

In case you forgot, yesterday was patch Tuesday for Windows.

Some critical fixes in this patch, for quick details on Patch Tuesdays I always recommend Brian Krebs posts http://krebsonsecurity.com/2014/06/adobe-microsoft-push-critical-security-fixes-4/

Excellent match from SPL2014: Maru vs effOrt

Jinair vs CJ series, Maru vs effOrt match.

Great game, I really liked seeing a Zerg that uses Overlords more effectively than typical Zerg.

Don't want to spoil it, so no more comments for now.

Snowden responds to email NSA released via ICON

I Blogged here about supposedly only email NSA could find where Snowden seemed to be following procedure for complaints, concerns, & whistle blowing.

I had more than one sad chuckle reading Snowden's response at The Washington Post http://www.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html

Like I speculated in my previous blog post, Snowden realized the official system wasn't designed to correct problems.

He states that in the article linked above.

But more telling, he mentions another specific correspondence that they certainly have:

"Today’s release is incomplete, and does not include my correspondence with the Signals Intelligence Directorate’s Office of Compliance, which believed that a classified executive order could take precedence over an act of Congress, contradicting what was just published. It also did not include concerns about how indefensible collection activities - such as breaking into the back-haul communications of major US internet companies - are sometimes concealed under E.O. 12333 to avoid Congressional reporting requirements and regulations."

Source for quote same as link at top http://www.washingtonpost.com/world/national-security/edward-snowden-responds-to-release-of-e-mail-by-us-officials/2014/05/29/95137e1c-e781-11e3-afc6-a1dd9407abcf_story.html

Sure sounds to me like Snowden's focus is to bring accountability to NSA & other agencies under the DNI http://en.wikipedia.org/wiki/Director_of_National_Intelligence.

I'd also suggest reading http://www.emptywheel.net/2014/05/29/snowdens-emailed-question-addresses-one-abuse-revealed-by-his-leaks/

TrueCrypt Alternatives

Updated:  Wanted to add https://www.grc.com/misc/truecrypt/truecrypt.htm green shaded box (scroll down a little) shows correspondence from devs of Truecrypt.

TL:DR Confirms that this was just an odd way of quitting.


****

For the couple people that might have missed drama with TrueCrypt see http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

TL:DR Looks like people(s) behind TrueCrypt are done supporting it & suggest people use something else, additionally version released with this information only decrypts previously encrypted data, won't encrypt.

In light of this situation, many people are looking for alternatives, best list I have found so far, though I know very little about the suggestions, is http://www.ghacks.net/2014/05/29/list-truecrypt-encryption-alternatives/

Security & Hacking: NSA & Snowden email correspondence

http://icontherecord.tumblr.com/post/87218708448/edward-j-snowden-email-inquiry-to-the-nsa-office is link for most recently released email, released by NSA, of correspondence between Snowden & Office of General Counsel.

[Edited to add:  Strange that they released this email, they claimed Snowden's emails were exempt from FOIA & that they didn't have records, because he was never a NSA or CSS employee? see https://www.muckrock.com/foi/united-states-of-america-10/edward-snowden-employeecontractor-reviewsagreements-5971/]

He asks for some clarification about Executive Orders, that they are of lesser authority than Federal Statues.

In addition to the email, IC On The Record states that they can't find any other evidence that Snowden was trying to fix problems through official procedures or channels.

Based on this statement:

"There are numerous avenues that Mr. Snowden could have used to raise other concerns or whistleblower allegations. We have searched for additional indications of outreach from him in those areas and to date have not discovered any engagements related to his claims."

It seems clear they (Executive Branch of Government) are continuing to portray Snowden as someone who refused to follow correct procedures and just wanted some personal gain or revenge.

That doesn't fit the facts very well.

Consider that Snowden turned over the document collection to the reporters that he had decided to trust.  And refused to dictate the agenda.

He certainly could have released fewer documents, or only documents that targeted what he wanted revenge against, or even had sold the documents.

He didn't do that.

Funny thing is, many of the claims of government officials & politicians have repeatedly been proven to be false by the documents released so far.

Not to mention court cases that had been denied because standing couldn't be proved until documents Snowden released were published by reporters.  Or in other words, Snowden enabled Courts to actually provide a check on Executive branch of government, including NSA, like they are supposed to do.

More on US Seperation of Powers:

• http://en.wikipedia.org/wiki/Separation_of_powers_under_the_United_States_Constitution
• http://en.wikipedia.org/wiki/Separation_of_powers#United_States

More on IC On The Record, according to info on their site http://icontherecord.tumblr.com/post/58838654347/welcome-to-ic-on-the-record:  Created at the direction of the President of the United States, IC ON THE RECORD provides immediate, ongoing and direct access to factual information related to the lawful foreign surveillance activities carried out by the U.S. Intelligence Community

Despite that data, some still try to claim Snowden did this for fame/notoriety or out of spite.

I suppose that is possible based on the evidence we have so far, but it doesn't seem targeted, or focused, with that as a primary goal.

Also based on the pattern of denials by Government, followed by documentation that prove those denials false, I wouldn't be surprised if eventually, documentation surfaces showing that Snowden did attempt to resolve at least some issues through official means.

Need to remember that Snowden seems smart, one of the most frequent comments from people that meet him.

Note smart people tend to learn quickly, I doubt it would have taken many failures to fix things through official means for Snowden to realize the official means were designed to maintain status quo, not fix things.

Being a smart nerd, he would have then searched for some way to fix that problem.

Security & Hacking: DEFCON 20 "Can You Track Me Now?"

DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data

This was posted on Youtube November 22, 2012, so was well before Snowden release of information in May of 2013.

Main emphasis of this talk was tracking of cell phones.

But Christopher Soghoian briefly covers, at 31:05, that both Android (Google) & iOS (Apple) device encryption can be defeated by Google & Apple respectively.

This is a service they provide for Law Enforcement & other Government agencies.

Google can force a password reset for Android device, they don't require physical access.

Apple appears to use what Soghoian calls a "Master Skeleton key," they require departments to provide actual device (ie physical access).  They then provide unencrypted data on a CD, while device remains encrypted.

I wonder if they might actually need device to decrypt data with way devices since iPhone 4S & iPad 2 have been designed (they have hardware based encryption).

Entire video is worth watching, though it is rather long, they joke about having 3 different audience during the course of the talk.
 

Pen Testing: Pwnie Express new Nexus 5 based phone

1/13/15 Updated link to software download page due to changes on Pwnie Express site: new link to download page, confusingly labelled IMHO "Community" is  https://www.pwnieexpress.com/community/

XXXXXXX

Pwnie Express is a pretty awesome company, https://www.pwnieexpress.com/, you have probably heard of their Pwn Plug even if you don't recognize the company's name.

They have a new Pen Testing phone out called:  Pwn Phone 2014

Product link https://www.pwnieexpress.com/penetration-testing-vulnerability-assessment-products/sensors/pwn-phone-2014-penetration-testing-phone/

They aren't cheap, but Pwnie Express also provides free downloads for the entire software suite they use in their products.

It usually take a little time for new product's software to be added, but they already have software for 2014 Pwn Pad, Nexus 7 based, available.

Download [Updated link 1/13/15] https://www.pwnieexpress.com/community/ if you want to use your existing Nexus 7, they should have the Nexus 5 download available in near future as well.

The downloads for DIY are listed under "Community Editions & Legacy Product Downloads"

If I can find the time this week, I will also track down current hardware accessories they offer, & update this post or make post dealing with accessories.

Meanwhile you can view hardware accessories I listed for the 2013 Pwn Pad http://cliffsesportcorner.blogspot.com/2013/02/pen-testing-pwn-pad-by-pwnie-express.html.

Probably newer options available for some of those products, but those should work.

Just click following labels for more blog posts on Pwnie Express or Pen Testing, labels can be found at bottom left of every blog post, easy way to find similar or related content.

Select labels can also be found in label cloud at left side of Blog.

Hardware Hacking: "MacBook Pro Thunderbolt 2 Sonnet III-D GTX 780 Ti

Link for Youtube http://youtu.be/G0M05rJkTQY

Link with details:  http://forum.techinferno.com/diy-e-gpu-projects/6689-%5Bguide%5D-2013-15-macbook-pro-gtx780ti%4020gbps-tb2-sonnet-echo-express-iii-d-win8.html

Anandtech article:  http://www.anandtech.com/show/7987/running-an-nvidia-gtx-780-ti-over-thunderbolt-2

Very Interesting!

Something I have been interested in since Thunderbolt came out, though I don't think it is going to be practical enough for me.

I've decided for my needs & wants the new (2014) 14" Razer Blade laptop makes lot more sense http://www.razerzone.com/gaming-systems/razer-blade/ & http://www.anandtech.com/show/7858/razer-announces-the-new-razer-blade-14-qhd-with-gtx-870m what I am saving up to get as replacement for my Windows 7 laptop.

Still think external GPU, specially combined with docking station or high res monitor & docking connector (something like Apple's Thunderbolt display, but with 4K, and external GPU(s) to game on it) makes a lot of sense.

Problem is most people just want cheap netbook or a tablet.

Plus, since many (most?) gamers either make their own machines or have friends build them a gaming rig, I doubt the companies that could reasonably make dock with external GPU would ever be able to make profit.

TT

Starcraft 2 Thoughts: Special Tactics in SPL 2014 Maru vs Super

Link for those that don't want embeded video http://youtu.be/Oxe42fznuXs

Link here to jump right before things start to happen http://youtu.be/Oxe42fznuXs?t=3m26s

I can't say how very much I enjoyed this game, it was exceptional!

Been so long since I have seen a game that I felt was worth a Starcraft 2 Thoughts post.

Really cool game, not simple cheese, I'm not sure it is even an all in, need to do some testing to see if it is.

Go back and watch replay again, note that Protoss is constantly making Probes, found it particularly funny that as one caster is saying this is an "economically light" build Probes are being made.

Though to be fair, hard for the English casters to follow everything since they don't have full access to game, they are basically just viewing what Korean Observer is showing, just like we are, and they aren't always aware when the production or unit tab will be open.

Reason I not sure I would classify this as Cheese, is that IMHO, Cheese relies on not being scouted to be effective.

I doubt think this build relies on that at all, not just because Super won after it was scouted early, but because Probe production was constant.

Also Protoss take Natural during the attack.

Will take some serious testing, but I suspect this build works, at least on this type of map vs Reaper opening, even if Oracle(s) don't do any direct damage at beginning.

It will Pin Terran in their base, also forces minerals into early bunkers and/or Turrets.

I wonder if the strongest Terran defense to this would be to counter attack all in with SCV pull?

Or maybe counter attack with few SCV's to tank for Marines, but not full all in?


I suspect Mines might also be one of the better Terran responses to this if they can make some fast enough, depending on Terran build.

Though full wall off is probably critical as well, part of what made this a game ending attack instead of just gaining a modest advantage, was the fact that a Zealot & Stalker were able to get into the main.

This allowed serious attacks from multiple angles (similar concept to flanking & surrounding), as well as buying time for critical mass of Oracles for the small number of Marines.

Hard to say without some testing, would really like to see Day9 or Artosis work with MVP and go over some of the in house practice and testing of this build.

But really doubt that they would be willing to do that, because it would reveal lot of info to other teams on how they specifically prepare, among other issues.

Really awesome game!

Lot of depth to this game, many things that happened long before actual match.

Really cool!

For more posts like this exploring Strategy & Tactics in SC2 click on the Label: Starcraft 2 Thoughts or for somewhat related posts see Starcraft 2 Skills.

Selected Labels can be found in the Label Cloud at left side of blog, and every blog post has Labels at bottom left of post, so you can easily cross reference topics.

Nvidia Shield Price cut to $200

I was pleasantly surprised today, when I noticed Nvidia Shield is only $200 now http://store.nvidia.com/buyshield!

This may be a temporary price drop though http://www.anandtech.com/show/7899/nvidia-shield-price-cuts-and-portal

I am shopping for an Android device, since I need WiFi calling (inadequate reception in my home) Nexus 5 phone won't work for me, since stock Android phones don't support WiFi calling on Tmobile.

So have been thinking about Nexus 7, or getting non Nexus Android phone from Tmobile that has support for WiFi calling.

Started thinking about the Nvidia Shield again today, and was surprised to see it was in the news again, and price had dropped when I Googled.

Additional resources:

• Official site http://shield.nvidia.com/
• XDA (one of the best Android resources) http://forum.xda-developers.com/nvidia-shield
• All Anandtech Nvidia Shield articles http://www.anandtech.com/tag/shield
• Article that inspired my interest in the Shield http://www.anandtech.com/show/7190/nvidia-shield-review-tegra-4-crossroads-pc-mobile-gaming

Security & Hacking: Ars article "Ancient Linux Servers"

Ars article "Ancient Linux Servers" http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/, worth reading.

They reference Cisco blog post http://blogs.cisco.com/security/mass-compromise-of-the-obsolete/

In addition to the articles, I found many of the comments on the Ars article worth reading, though I suggest reading all of them, I have quoted a few of the best ones IMVHO.

Note I use brackets [] to indicate comments or links I have have inserted in original quote:

"Not updating systems is bad practice that too many admins still go by. When I came onboard with my current employer it took a great culture shift to get everybody to understand why security updates are so important. One year later and are update cycle is nearly perfected.

There is no excuse for this anymore. Virtualize your servers, snapshot VMs before making changes, update and revert if a problem occurs. Clone a VM and build a test environment to check before doing it in production. For every excuse there are established best practices and mitigation techniques to deal with them."

~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483315#comment-26483315

"I'm a Linux fan. Glad its around.

But, Linux made lots of headway as a cheap secure alternative to Microsoft. If I had a penny for every time someone said, "We'll be fine, it's a Linux box we're deploying on the internet and not a Microsoft server" ....

The thing is, like the Mac, Linux has been viewed as bulletproof. In 2007, I was working through the SANS 560 course and we utilized a publicly available kernel exploit for 2.6 to gain root. It was beautiful, just compile, run and BOOM, you were root. Linux was never bulletproof.

This is simply more (unnecessary) evidence that when we decide a platform is secure, we become complacent and end up in this situation. Anything with software should be treated as vulnerable as long as it has power and network connectivity."

~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483323#comment-26483323

SunnyD posted:

"Here's the problem when it comes to updating infrastructure systems like these for system administrators:

It's not a matter of security, it's a matter of "If it ain't broke, don't you even dare try to fix it."

If history as sysadmins has taught us nothing it's that the constant cycle of updates, especially on mission-critical machines, puts our job security on the lines. Especially when a lot of these machines are running custom code with dependencies that end up being the very security liabilities that get patched."

~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483235#comment-26483235

Responding directly to SunnyD's comment:

There is a concept for this, it's called "technical debt"[Cliff: Wikipedia Technical Debt]. I'm not saying it's any one person's fault, but it is a flawed system. Keeping pushing off the problem until you're painted into a corner."

~http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/?comments=1&post=26483329#comment-26483329

There are also many comments from people that cover some of the real world limitations with implementing the best practices.

Though I am a long way from being an expert on computer & internet security, at best I'd consider myself an apprentice.

I think these exploits & the comments quoted above clearly illustrate that Linux has vulnerabilities like any OS, something I have been certain was true for some time.

But still felt troubled when I would see the oft repeated "Linux is more secure".

That always felt like simple security through obscurity, which we know is no security at all.

There are certainly different tradeoffs between operating systems, not sure more can be objectively claimed.

Except perhaps, that certain OS tend to be better fit for certain types of applications, but IMO that is just a restatement of the differing tradeoffs.

Should also be realized that smart hackers can certainly look at Best Practices as a starting point for attacks, so defenders certainly should as well.

Some Best Practices resources:

• http://www.debian.org/doc/manuals/securing-debian-howto/ch9.en.html
• http://www.redhat.com/f/pdf/rhn/WHP0008US_RHN.pdf
• http://technet.microsoft.com/en-us/library/cc750076.aspx
• http://www.seas.upenn.edu/cets/answers/linux-best-practices.html
• http://www.its.virginia.edu/unixsys/sec/
• http://training.apple.com/pdf/wp_integrating_active_directory_ml.pdf

Security & Hacking: Windigo compromises 25+ thousand Unix & Linux servers

Detailed report for experts  http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

More general audience article http://arstechnica.com/security/2014/03/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits/

As anyone who is seriously into Computer Security or Hacking knows, it really doesn't matter what OS your running, they are all vulnerable to attacks.

Though staying patched & updated are critical regardless of OS, funny (scary) tidbit from the pdf was a few people browsing net with Windows 98, and at least one on Windows 95!

EEK!

Not that old is bad, but generally old means not maintained.

Windows Phone 8 T-mobile & Lumia Black update on Lumia 521

If you haven't heard, Lumia has new update/upgrade for all Lumia Windows Phone 8 (WP8 for short) devices getting rolled out.

It is called Lumia Black, official link http://www.nokia.com/global/windows-phone-black-update/.

Yesterday it became available for Lumia 521, which is the T-mobile specif version of the Lumia 520.

WP8 devices revice both OS updates from Microsoft, and firmware updates from device manufacture.  Lumia Black is a firmware update.

Today I updated my Lumia 521, it took about 3 minutes for download on my WiFi, but 5+ minutes for install prep stage.

Then several minutes for reboot & final installation, sorry I didn't get more precise times dealing with IRL issues.

First call I made, using WiFi calling,phone did random reboot!

Made me laugh pretty hard, but random reboot are pretty common with this device.  At least weekly, often more frequent than that.

Call was made & worked fine after reboot.

Internet browsing seems a little snappier than prior to Lumia Black update.

Native Podcast app seems to be working fine.

If anyone has any questions, leave a comment & I'll do my best to answer.

Nearing end of my year long use of Lumia 521, to better learn the major phone OS I am planning to switch to Android later this year, already had lot of experience with Blackberry (old Pearl & newer Bold).

Have almost year of experience with iOS on a 5th generation iPod Touch, plus I provide tech support for my girlfriend who has been using an iPhone 5s since Fall 2013.

Lumia Black:

• GSM Arena http://blog.gsmarena.com/nokia-lumia-black-software-update-features-overview/
• Nokia http://www.nokia.com/global/windows-phone-black-update/

Lumia 521 & 520 specs:

• GSM Arena http://www.gsmarena.com/nokia_lumia_520-5322.php
• Windows Phone Central http://forums.wpcentral.com/nokia-lumia-521/224841-521-t-mobile-specs-users-guide.html

General WP8 Resources:

• WP8 Update history http://www.windowsphone.com/en-us/how-to/wp8/basics/windows-phone-8-update-history
• Microsoft guide to WP8 http://www.windowsphone.com/en-us/how-to/wp8/basics/stop-my-screen-from-rotating

Carbot Animations "Undermine the Overmind"

Carbot Animations Youtube channel http://www.youtube.com/user/CarbotAnimations

Link for Undermine the Overmind http://youtu.be/69_VjbZznds

Pure Awesome ^_^

Or should I say, "Clever."

iOS 7.1 released

I've already updated my 5th Gen iPod Touch, no problems so far, do like Bold Text setting working in more (most?) places now.

Haven't played with it enough to say more yet.

Additional information in links below.

Links:

• Apple  http://www.apple.com/ios/ios7-update/
• Macworld  http://www.macworld.com/article/2105988/ios-7-1-adds-carplay-interface-tweaks-accessibility-enhancements.html
• Cnet  http://reviews.cnet.com/apple-ios-7/
• Ars  http://arstechnica.com/apple/2014/03/ios-7-1-released-improves-iphone-5s-stability-iphone-4-speed-and-more/

Rotterdam aka Rooterdam streaming fun games tonight

Stream:  http://www.twitch.tv/rotterdam08

For those that haven't heard, NASL has dropped SC2, and casting for NASL was only regular work Rotterdam had, so from what I understand, he is trying to stream more.

He is doing lotta of silly and fun stuff tonight.

Seen Nexus Cannon rush tonight, in addition to the trademark Rottie Tempest rush vs Terran.

Apple releases Security patch for OS X vulnerability

Apple released security patch for OS X few hours ago

Link to Apple statement about patch http://support.apple.com/kb/HT6150

My understanding is the big problem, that was shared with iOS [see iOS 7.0.6 SSL/TLS problem for more on iOS issue ] only affected Mavericks, though I could certainly be in error on that, and this patch fixes more than that single issue.

Links to media comments about patch:

• http://www.bbc.co.uk/news/technology-26335701
• http://arstechnica.com/apple/2014/02/apple-releases-os-x-10-9-2-patches-ssl-flaw-and-adds-facetime-audio-support/
• http://www.zdnet.com/apple-releases-os-x-10-9-2-update-patches-severe-ssl-bug-7000026765/

Security & Hacking: iOS 7.0.6 SSL/TLS problem

If you or friend/family member has iOS device, they need to update ASAP if they haven't already to iOS 7.0.6

http://support.apple.com/kb/HT6147 "Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps."

Addition (technical) information:

• https://www.imperialviolet.org/
• https://news.ycombinator.com/item?id=7281378
• http://www.reddit.com/r/netsec/comments/1ykt3t/ssltls_authenticity_checks_broken_in_apple_ios/

More (general audience) information:

• http://www.zdnet.com/major-apple-security-flaw-patch-issued-users-open-to-mitm-attacks-7000026624/
• http://www.theregister.co.uk/2014/02/21/apple_patches_ios_ssl_vulnerability/

Ender's Game on Blu-ray Tournament today!

Minigun won the sister tournament to today's event http://wiki.teamliquid.net/starcraft2/Twitch_Ender%27s_Game_on_Blu-ray_Tournament.

Minigun will face winner of today's event, I'm hoping Scarlett, in a show match!

Today, Tuesday Februrary 11, 2014 we get to see the sister tournament to the one Minigun won, link to today's event http://wiki.teamliquid.net/starcraft2/MLG_GameOn_Ender%27s_Game_on_Blu-ray_Tournament

For replays, full event schedule, etc see (click on power button for menu) http://www.gameon.gg/

Casters:  Catz & Destiny

Stream:  Updated Correct Stream http://tv.majorleaguegaming.com/event/gameon
   http://tv.majorleaguegaming.com/

When:  08:00 KST Wed/00:00 CET Wed/Tue 18:00 EST Tue 17:00 CST Tue 15:00 PST MLG GameOn

Not sure if today is just Group A, or if it is several groups, but there should be at least 1 or 2 more nights cast this week.

Several of my favorite players in this event, besides Scarlett, including Goswer, MajOr, and Kane.

Also get to see Nathanias, one of my favorite casters, playing in this event.

GL HF!

Windows Phone 8 T Mobile Texting problems

This seems to be WP8 problem on WiFi for Texting, I have been doing some digging, since I experience this problem frequently.

Best information I have found so far, from the customers not T Mobile of course, is here http://support.t-mobile.com/message/333431

Could be worse, if you have WP8 on Verizon, lot of problems with Texting issue that looks similar to this one, but more pervasive (perhaps not limited to WiFi?).

Haven't found any useful work arounds for the Verizon Texting problem, other than temporary *maybe* fixes like:  reboot, battery pull, deleting Texting threads, resets, etc.

Still looking for useful information on random crashes & reboots, as well as screen freezing when call comes in so you can't answer the call.

"Extra Credits" on gaming Difficulty and Fun

Couple of very good discussions on gaming, IIRC Extra Credits is associated with Penny Arcade, http://penny-arcade.com/, in some fashion.

Direct link for Youtube above http://youtu.be/BWFzFsHc75U
Link for Extra Credits Youtube Channel http://www.youtube.com/user/ExtraCreditz/featured

They do an exceptional job of articulating some of the differences in games and gamers.

Stuff I'd understood, but never heard clearly stated before, I know I much prefer games of Depth, as they term it, big part of the reason I still like Diablo 2 but can't stand Diablo 3.

Or Chess vs Checkers.

Difficulty isn't the motivator, or at least not the sole motivator, I also like Minecraft.

Worth watching if your into gaming, and very worth following IMHO.

Twitter and more info for them is available on their Youtube Channel.




Link for VOD http://youtu.be/ea6UuRTjkKs

TwitchTV status site or "Is TwitchTV down?"

This site isn't part of Twitch, but they monitor Twitch server status

http://twitchstatus.com/

Some of you may already be familiar with it, but probably not everyone.

Cliff's Esport Corner SITREP

As many of you have noticed, I haven't had many posts lately.

IRL stuff, my significant other had some surgery, and needed help 24/7 for some time afterwards.

Very happy to say that everything went very well for her, and that she is recovering quickly, though not quickly enough to make her happy ^_^

Things are to the point where I can start posting regular again, though it will probably start slowly and build back up to normal pace.

I didn't get to follow CES 2014 news very closely, so I would welcome anything of interest or comment about that, either in comment section or on Twitter @CliffsEsport or link https://twitter.com/CliffsEsport

I have been following the Target Credit Card Hack with great interest though, working on blog post about it, but can strongly reccomend Brian Krebs articles on it http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

IIRC Brian was the one that broke the story originally, http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/, I remember seeing his Tweet about his Mom being interviewed about it at Target, while my girlfriend was still in the hospital.

Thanks to all my readers!

And a special thanks to everyone who offered good wishes, support, & prayers for my girlfriend's surgery & recovery, it was greatly appreciated by both of us!

Nerd News: Ars is hiring

Ars is hiring:  http://arstechnica.com/staff/2014/01/ars-is-hiring-a-senior-editor-and-two-technology-reportersreviewers/

As much as possible I try to post about job openings that I think Nerds would be interested in, certain many Nerds would like to work at Ars.

Full information at Ars link above, sounds like these are new positions (Ars is expanding their staff) based on response to comments.

GL HF