Upcoming new features: group chat and favorites (twister)

After another great climbing vacation (with two new summits climbed for the first time ;-) ) I’d like to post a quick update on latest twister developments…

Users following the commits in our GitHub repositories may have noticed that two cool new features have been added to twister-core but still lack UI support (twister-html). These are:

  • Group chat: allows users to invite a party for a private group chat. All group chat messages are encrypted and only invited members are able to read them. Any current member may invite another user to join the chat (there is no “exclude” user feature, the alternative is to create a new group without people you want to exclude).
  • Favorites: users can mark some posts as “favorites”, either private (like a personal bookmark only you can see) or public (so everybody will know that you favorited that post). Many thanks to @erkanyuksel for this!

So what does this mean, in practice? It means that these two new and experimental features are already available for the brave who want to play with the twisterd command line interface. There is no time frame for these to appear in twister-html. In fact, I may attest that we currently have much more experienced JavaScript contributors to twister-html than me. I’m not personally working on UI for any of that.

In case of group chat, it is an almost “invite only” feature so far. The thing is that if one invites you from the command line interface, you will then be able to join the group chat using standard twister-html DM screens…

Stay tuned!

Crowdfunding capacity for peer production (SENSORICA)

Disclaimer: This blog entry reflects the thoughts of the author and does not speak on behalf of the Sensorica OVN. 
——————————————————————————————

They did it again!

In the spring of 2015, the SENSORICA network delivered another important proof of concept for commons-based peer production. We demonstrated that equipment for peer production can be endogenously crowdfunded.

Everyone today knows about crowdfunding. In case you are just returning from a trip to Mars, crowdfunding is a new way to raise funds which involves hundreds or even thousands of individuals, the crowd. If you need money for a venture, instead of going to the bank for a loan or getting venture capital you can now use websites like Goteo, Indiegogo, Kickstarter, etc. You present your project on one of these platforms and ask people from around the world to fund you. Crowdfunding is either a donation scheme, where people help you to achieve something without expecting much in return for themselves, only a good feeling for having contributed to a good cause, or a pre-sale scheme, where people give you money upfront for a service or a product that doesn’t need to be finished before the crowdfunding, and that you will deliver a few months later. There is also crowdfunding for equity, where people give you money in exchange for shares in your venture, but very few countries have permissive laws for it.

You can find a lot of stories about individuals or small groups who raised hundreds of thousands of dollars for their product ideas. This shows that crowdfunding democratizes innovation.

It didn’t take long before companies caught up with this trend, realizing that they could not only finance the productization phase (transforming a prototype into a manufacturable product at a competitive price) but also get immediate and valuable feedback from the market (if people finance you before you even have a finished product that means that you have a market, and they might even tell you how to improve your product).

So, before we see what SENSORICA did differently, let’s review a few important features of crowdfunding in general.

Most crowdfunding is used as a pre-sale scheme, Kickstarter being the most popular platform. Goteo is more for open source projects, or for projects that have a social impact. Crowdfunding for equity seems to be adequate for financing infrastructure or capacity development, but it is still in its infancy. 
Almost all the crowdfunding mechanisms are dissociated from the ventures that are using them. They are centralized platforms owned by a classical organization that acts as a mediator between project initiators and their support crowd. 
The crowdfunding model is fueled by three types of actors: the project initiator who proposes the idea and/or project to be funded; individuals or groups who support the idea; and a moderating organization (the “platform”) that brings the parties together to launch the idea.  [Wikipedia]
There are also a few examples of self-crowdfunding, where organizations run their campaign on their own platform. This practice is problematic though, because people see in it a conflict of interest. When a third-party that specializes in crowdfunding is used, people trust that the same rules will be applied to everyone and that the data displayed during the process reflects reality.

But things are changing very fast now. Within a year or so, crowdfunding will be implemented on p2p infrastructures based on block chain technology. This means that the centralized crowdfunding platforms (the website that lives on a proprietary server or cloud, Kickstarter for example) will become entirely p2p processes (they will not be websites hosted on a private server or cloud anymore; instead the information will live in a bunch of interconnected machines, individually owned by everyone who uses the system). Simply put, the block chain technology (and who knows what will follow next) decentralizes funding even further. If traditional crowdfunding allows people to fund each other using a centralized proprietary platform, this new technology eliminates the proprietary platform, the company in the middle, and puts the same people in charge of the process. See more here.

Born in 2003, crowdfunding is already making a leap forward, leaving platforms like Kickstarter wondering about their own survival. The new p2p (or real) crowdfunding, based on block chain technology, can give much more flexibility to projects or ventures. The problem is that its time has not come yet. It is technologically possible, but the world around it hasn’t advanced far enough for it to have a proper ground for implementation. This is where SENSORICA and its proof of concept come in.

SENSORICA is not a typical organization. It is an open value network. It is an open network that does peer production. It is a cluster of open enterprises. It is, in my opinion, the most audacious attempt to implement commons-based peer production of hardware, started in February 2011, one year and 3 months after Satoshi Nakamoto published his paper “Bitcoin: A Peer-to-Peer Electronic Cash System“. It is the furthest humanity has gone into hard core peer production, building peer-run physical labs, peer governance and normative systems, methodologies for open product development, as well as legal structures compatible with all that. SENSORICA is the proper type of organization for p2p (or real) crowdfunding.  

Recent technologies like Ethereum, which also builds on the block chain technology, have made possible new types of economic entities, the so-called DACs, for Distributed Autonomous Organizations. The first implementations of DACs are quite simple, service based, see for example Peertracks. But this technology will very soon mature to fulfill the needs of p2p hardware innovation and production, which is very complex. This will most probably become the infrastructure on which open value networks like SENSORICA will be built in the not so far future.

All that to say that in parallel with the continuous development of crowdfunding there is also a continuous development of organizations, following the same philosophy, based on the same logic, enabled by the same technology. The two movements are about to merge into a coherent economic system, operating on new principles. We are already past the halfway point of the transition and we can already see what’s on the other side.

So what did SENSORICA demonstrate? Sorry for holding it back, I am trying to save the best for the end : )

SENSORICA used its network resource planning and value accounting system (NRP-VAS), in a context of peer production, to endogenously crowdfund a piece of equipment for the first time in its history. In other words, this is the first time a p2p network that is focused on hardware innovation and production has used a crowdfunding mechanism part of its own infrastructure, not as a service from an external platform, centralized or not.

We used the NRP-VAS to co-finance a $4,000 3D printer. 11 SENSORICA affiliates have contributed to this purchase. The example might seem insignificant for the untrained eye, but there is a lot more behind it.

First, there is the issue of trust. Most of these participant affiliates have never seen each other. Two of them live in the US, the rest live in Canada. Some of them are so far away that they will not even be able to use the 3D printer. We passed the trust hurdle. Participation was a bit slow in the beginning, but after we reached a critical mass it got easier. This is trust in a system, trust generated by processes, trust generated through openness and transparency, not so much trust in each other. This is what makes a system scalable and reproducible.

Second, there is the complexity that comes with co-purchasing. Who owns it? What’s the agreement between the co-owners? Who can use it and under what conditions? Who is going to pay for maintenance? How are we going to deal with community use, and commercial use, and other types of uses? It is not simple, but this is what technology is good for, reducing complexity or hiding it behind user interfaces.

We created a co-owner agreement and we implemented new functionality within our NRP-VAS to handle the printer’s use logging and to perform calculations to account for the material used in the printing process, usage time, technical assistance, etc. For example, if someone makes commercial use of the 3D printer the cost is split into:

  • cost of the material used, 
  • some % will go into a maintenance budget account for the 3D printer, 
  • some % will go to a general infrastructure maintenance and development account,
  • some % will go to pay back the co-owners (the agreement stipulates that once they are paid back plus 20% to cover their risk, the 3D printer becomes part of the pool of shareables), 
  • some money will go to pay a technician, if needed.    

All that complexity is absorbed by the technology that we are developing.

NOTE: SENSORICA’s NRP-VAS is not decentralized, it is not using block chain technology, because this new p2p infrastructure is not ready yet to handle all the complexity that the open value network is dealing with. This will probably come in two years from now. Moreover, when SENSORICA was created the block chain technology was still in its embryonic state. Therefore, it is probably difficult for the untrained eye to understand how this new SENSORICA proof of concept fits with new pure p2p processes. Think of SENSORICA as p2p at the socio-economic level, but not entirely at the infrastructure level. This is still a work in progress.

This crowdfunding endogenous to an open value network was implemented using the Custodian’s financial tools, a Paypal account (open the webpage where the contributions were gathered). See definition of a Custodian. All the contributions were recorded into a virtual account on SENSORICA’s NRP-VAS, specifically opened for the purchase of the 3D printer. Once the printer was purchased this account balance went back to 0$.

The lesson here is that an open value network is able to not only crowdsource and crowdfund innovation and production, but also infrastructure development. The tools used by SENSORICA, a p2p organization at the socio-economic level, are not entirely p2p, but we are building understanding and valuable experience, and we are anxiously waiting for the block chain technology to mature.

By Tiberius Brastaviceanu

By AllOfUs

Open value networks and global economic fairness (SENSORICA)

Disclaimer: This blog entry reflects the thoughts of the author and does not speak on behalf of the Sensorica OVN. 

 ————————————————————————————————————–

[Image: davidsluka]

In February 2011, economic fairness became a real possibility with the launch of SENSORICA. The new economic model proposed by this network promised open access to economic activities for everyone in the world, with a system for fair redistribution of benefits, based on merits. 

SENSORICA is an open value network. People propose projects and develop them in collaboration with others. The affiliates use open project development methodologies and generate tasks that are made available for anyone in the world. The time, the cash and any material resource that are used during the execution of a task are logged. A contribution accounting system compiles all the input to projects and displays a profile of the economic activity. If the project becomes a commercial venture the revenues are redistributed to all the participants, without exception, in proportion to everyone’s contribution. The venture belongs entirely to the participants, anyone can join, any time. We call these ventures open enterprises. SENSORICA is an incubator of many open enterprises. 
Since the inception of SENSORICA we spent a lot of time developing the open value network model, building infrastructure, designing new methodologies, refining the open governance, implementing a proper legal structure, and developing new open technologies. In 2015, SENSORICA is closer than ever to becoming an economic success, with a few projects to be crowdfunded during the summer and a few service offerings that have already generated revenue.
This post is not about revenue generation and sustainability. The main goal is to illustrate economic fairness, to show the world how we are fulfilling our promise. 
In January 2015 Atelier Barda, a group of architects and designers from Montreal, trusted SENSORICA with a contract to design an interactive imaging system, to be installed in Forillon National Park, in Gaspesie QC, Canada, which is administered by Parks Canada, a branch of the federal government. The project was executed in an open way. Three SENSORICA affiliates answered the call and delivered successfully, exceeding the client’s expectations, who was a bit skeptical in the beginning, knowing that he was dealing with a new type of organization. One of these affiliates, Abran, lives in Pakistan. The project was coordinated using SENSORICA’s new open service providing methodology, mediated by our virtual infrastructure.
In the end, the revenue was distributed according to everyone’s contribution, and Abran was paid as if he was working and living in Canada. 
[Image: credit to Massimo Sestini—Polaris]
Europe is now dealing with a major social problem caused by waves of immigrants coming from Africa. This crisis is exacerbated by the drama surrounding the death of a few hundreds of these unfortunate people, who are desperate enough to put their lives in danger by crossing the Mediterranean sea, using inadequate means, led by human traffickers who are mostly interested in profiteering. A social problem coupled with a humanitarian crisis that keeps politicians on their toes and pushes them to use extreme means, to militarize the Mediterranean sea using UN forces. Are these desperate human beings invaders? Are they the new enemies of Europe? Or are they the result of colonialism and victims of years of political interference and economic exploitation? Are guns the solution to this problem? Or more economic fairness?

While our western governments, who created the problem in the first place, make it even worse, we are developing infra-national economic structures, a peer to peer economy, to address the problem at its core.

Extracting RAW pictures from memory dumps (w00tsec)

Introduction

Earlier today, while reading my Twitter timeline, I saw some Infosec folks discussing scripts/tools to identify RAW pictures in memory dumps. I decided, then, to write this blog post and share a small hack that I use to visualize data (including memory dumps).

A few months ago, I wrote a post detailing how to Scan the Internet & Screenshot All the Things, now it’s time to Dump the Memory & Screenshot All the Things.

Memory Dumps

The first thing you will want to do is to narrow the analysis to the process containing interesting images/pictures. I’m going to use three different memory dumps here:

Remote Desktop Client – Windows 7 x64 (mstsc.exe)

Let’s use the Windows built-in RDP client to connect to an external server and dump the process memory using procdump:

procdump.exe -ma mstsc.exe mstsc.dmp

Microsoft Paint – Windows 7 x64 (mspaint.exe)

Let’s load/save a simple image file on Paint and run procdump again:

procdump.exe -ma mspaint.exe mspaint.dmp

9447 2014 CTF Challenge: coor coor – Windows XP (VirtualBox.exe)

There’s an awesome write-up for this CTF challenge here, go read it now if you haven’t yet. We are going to use volatility to isolate the VirtualBox memory dump:

python vol.py -f challenge.vmem pslist

python vol.py -f challenge.vmem memdump -p 1568 --dump-dir=dump/

RAW Image Data

Rename the file extensions from *.dmp to *.data, download/install GIMP and open them as “RAW Image Data”.

That’s it, now you can use GIMP to navigate within the memory dump and analyse the rendered pixels/bitmaps on their corresponding offsets. It’s worth mentioning that different images will be rendered using different Image types and variable widths: you may need to adjust these values accordingly.

So what can we spot here?

  • On the RDP memory dump, we can retrieve the tiles and Windows displayed during the connection, including IP’s, usernames and commands:
    [Image: Windows commands]
    [Image: Remote Desktop Client Window]
    [Image: RDP session]
  • The Microsoft Paint picture can be easily spotted: they’re upside down because that’s the way BMP’s are stored:
    [Image: We need upside down backdoors “this big”]
  • The most interesting artifacts were collected from the Coor Coor dump. The user was running a TrueCrypt container inside VirtualBox and after some offset adjustment we can see the Pidgin Window, the user account (testicool69@yodawg.9447.plumbing) and a few OTR settings:
    [Image: While True: width ++ || width--]

Notice that the Windows are not perfectly aligned here, but we can see the data by zooming in:

[Image: Enhance pls]

[Image: Looks like our killer is screwed. YEEAAAH.]

We can also spot the Window taskbar, just like the volatility screenshot plugin showed us on the previous write-up:

python vol.py -f challenge.vmem screenshot -D screenshot/

It’s also possible to spot icons from the running programs, like this one from Virtualbox:

[Image: VirtualBox icon]

Conclusion

This technique is very common among ROM hackers as they try to find image patterns inside raw game dumps. Check my write-up from Hack.lu 2014 CTF to find more about it. By the way, you can also use Tile Molester instead of GIMP to browse the RAW data.

You may be asking – why not carve the dumps using binwalk and foremost or extract them using the dumpfiles volatility module? If you try it yourself you will notice that they won’t find the magic bytes for all those images.

As far as I know, there’s no off-the-shelf tool to automagically extract them, but it shouldn’t be that hard to write a binwalk/volatility plugin for this based on some heuristics. Binwalk, for example, can find raw deflate/lzma streams by building headers on top of the raw compressed data and writing it back to disk.

I’m no Computer Visualization expert, but here are a few suggestions:

  • Set the image width to common display resolutions. The taskbar from the coor coor memory dump could be displayed by setting the width to 1440 points (1440×900 is a common screen resolution).
  • Use common window background/patterns as a template to find interesting sections.
  • Create a multi-view/side-by-side RAW image browser based on GIMP source code (multiple image types, multiple widths etc).
  • Use Google’s artificial brain to find cat videos.
  • Get a bigger monitor (yeah, it helps).
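
The width suggestion above can be automated. The following is an added example, not code from the original post: it scores each candidate width by how similar vertically adjacent bytes are, then wraps the chosen slice in a BMP header so an image viewer can open it. The candidate width list, the 32-bit pixel layout and the constructed sample buffer are assumptions of this example.

```python
import struct

# Pixel widths of common display modes (candidate list is an assumption of this example).
COMMON_WIDTHS = [640, 800, 1024, 1280, 1366, 1440, 1600, 1920]
BPP = 4  # bytes per pixel; assumes 32-bit BGRX surfaces, the byte order BMP uses


def row_difference(buf, stride):
    """Mean absolute difference between each byte and the byte `stride` later.

    At the true row stride, vertically adjacent pixels are compared, and in
    real screen content those are usually similar, so the score drops.
    """
    if stride >= len(buf):
        return float("inf")
    pairs = zip(buf, memoryview(buf)[stride:])
    return sum(abs(a - b) for a, b in pairs) / (len(buf) - stride)


def guess_width(buf, widths=COMMON_WIDTHS):
    """Return (best_width, scores) over the candidate widths."""
    scores = {w: row_difference(buf, w * BPP) for w in widths}
    return min(scores, key=scores.get), scores


def raw_to_bmp(buf, width, offset=0, rows=None, bottom_up=False):
    """Wrap raw pixels from buf[offset:] in a BMP header.

    bottom_up=True keeps the BMP default row order, which un-flips DIB data
    such as the Paint bitmap; False (negative height) is for top-down data.
    """
    stride = width * BPP
    avail = (len(buf) - offset) // stride
    rows = avail if rows is None else min(rows, avail)
    data = buf[offset:offset + rows * stride]
    height = rows if bottom_up else -rows
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(data), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, BPP * 8,
                           0, len(data), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + data


def make_sample(width=1440, rows=20):
    """Constructed test data: fake framebuffer with a grey 'taskbar' strip."""
    out = bytearray()
    for y in range(rows):
        for x in range(width):
            if y >= rows - 4:
                out += bytes((200, 200, 200, 0))
            else:
                out += bytes((x % 256, (x * 37) % 256, (x // 3) % 256, 0))
    return bytes(out)


if __name__ == "__main__":
    sample = make_sample()
    best, scores = guess_width(sample)
    for w in sorted(scores, key=scores.get):
        print(f"width {w:5d}  score {scores[w]:7.2f}")
    with open("window.bmp", "wb") as fh:
        fh.write(raw_to_bmp(sample, best))
```

On a real dump, run guess_width over a slice around the offset of interest rather than the whole file, since the pure-Python scoring is slow on large inputs.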

I hope you all use these skills wisely, avoiding any kind of superfishal investigation like our Lenovo friends.
