American Honey Locust Bean Stew

When I grew up on the American prairie there were edible plants everywhere.

However, there also was a trend among ranchers and farmers (driven by overly technology-focused agriculture investors — like what Bill Gates is doing today) to see only the worst of native species instead of the best.

Take the honey locust (Gleditsia triacanthos) for just one example.

Here’s how the U.S. government’s National Park service describes them:

Imagine walking through a forested area alongside the Missouri and discovering one of these – a honey locust tree. It’s very possible the men of the Corps did come face-to-face with these nasty thorns, especially in today’s Missouri, Iowa, Nebraska and southeastern South Dakota. But if anyone was injured by them, it didn’t get recorded in the journals.

One of the times honey locusts are mentioned is by John Ordway on July 3, 1804: “The land is Good high bottom pine Timber & black wallnut honey locas oak &C.”

In nature honey locusts grow in both thornless and thorned forms, with spikes growing up to 12″ long. Many regions in the South once referred to the trees as Confederate pin trees because those thorns were used to pin uniforms together during the Civil War. Others claim the thorns have been used throughout history as nails.

And here’s the image the NPS wants you to see.

Source: NPS

Nasty thorns. Any guesses why nobody on the expedition recorded being injured by them? My bet is because it didn’t deserve any more mention than any other thorns.

And I have found zero evidence to support any such idea that Confederate soldiers used tree thorns to “pin” their uniforms. Nada. Zilch.

Or let me put it this way: the alleged phrase “pin tree” appears exactly never in an exhaustive search of literature from the 19th Century.

Any guesses why nobody ever recorded the phrase “pin tree”? My bet is because it never happened.

To be fair to the NPS perspective of today, these trees do have a lot of thorns on them. Yet so do roses and raspberries, and how many people go around describing those two beloved plants as nasty?

Instead of focusing just on the thorns of a branch or trunk, let’s talk about delicious edible beans of the locust tree for a minute.

They get the name “honey” from the tasty orange “goo” found between the seeds in a pod.

And their beans seem to be a high-protein source easily grown in the wild (a member of the legume family, like lentils and garbanzos).

Ingredients

  • 4 Tbsp oil or fat
  • 1 Tbsp locust beans
  • 1 small chopped onion
  • 2 small tomatoes
  • Handful of dried and seasoned meat (e.g. fish, fowl)
  • Pinch of seasonings (e.g. salt, pepper)

Recipe

  1. Depod the locust beans (clean, soak/boil for tenderness, wash and remove hull)
  2. Chop and mix onions and tomatoes
  3. Put pan on fire and pour in oil or fat to heat for 2 minutes
  4. Add prepared chopped mix to the oil/fat, stir and cover for 2 minutes
  5. Add seasonings, prepared locust beans, stir and cover for 5 minutes
  6. Add prepared meat, stir and cover for 5 minutes

Of course the younger green pods of the tree could be cooked like a green bean. And of course the hard seeds of a mature (dry, brown) pod could be ground into a flour. There are many options, so this is just one to give you an idea of why the NPS focus on the thorns in a story about exploration seems… not very exploratory.

What is truly unfortunate and bizarre is how nobody anywhere seems to have collected traditional recipes from the people who lived on locust bean for generations — Native Americans.

A few years back the President of the National Cattleman’s Beef Association (NCBA) paid me a visit in Silicon Valley.

Very purposefully I took him out for a nice sushi dinner and ordered edamame.

“Soy beans!” he exclaimed. “We are supposed to eat livestock feed,” he stated flatly, albeit genuinely.

“Wait until you see the bill. We’re paying $5 a bowl,” I replied with a wide grin as I sat back.

Then I helped him off the floor and back into his chair as he said, “What in the… we get barely $5 a bushel for our damn soy beans!”

If only he had explored what was all around him the whole time and tried harvesting honey locust beans growing naturally (literally falling from the tree).

Who knows what could have happened if he had ever thought about packaging honey locust beans for human consumption…

Source: freshola

NETGEAR meltdown: CVE-2021-34991 “Pre-Authentication Buffer Overflow”

A serious and fresh vulnerability discovered in September led to a notice in November from NETGEAR. As you might expect, that company “strongly recommends that you download the latest firmware as soon as possible”.

Fine. That sounds normal until you consider the totality of vulnerable products versus the ones getting updates (those models under active firmware maintenance are fixed, other models are… uh-oh):

Source: GRIMM

Note that big caveat/footnote from the researcher that a previous NETGEAR fix “broke” GRIMM’s exploit code. An odd perspective on something being fixed for users, calling it “inadvertently broken” for adversaries…

Speaking of perspective, it’s worth noting that perhaps GRIMM smelled blood in the water after NETGEAR had to disclose major issues in March and June.

I mean, this kind of attention-gathering could help explain why the summer months turned into two additional unique September disclosures (1 and 2) before now.

To be fair, 2020 was an even noisier banner year for NETGEAR vulnerability disclosures, with 22 unique CVEs assigned (mostly XSS).

Source: CVE Details

As bad as all this year’s unauthenticated bypass disclosures sound, the latest one is still about UPnP. So it’s also worth mentioning that Shodan probes give a clear “honeypot” warning to those scanning the globe right now.

Source: Shodan

Palo Alto zero-day (CVE-2021-3064) used for a year by Randori before disclosure

This timeline is published by Randori itself, disclosing “authorized use” of a zero-day in Palo Alto products.

  • 2020-10-26: Randori began initial research on GlobalProtect.
  • 2020-11-19: Randori discovered the buffer overflow vulnerability.
  • 2020-11-20: Randori discovered the HTTP smuggling capability.
  • 2020-12-01: Randori began authorized use of the vulnerability chain as part of Randori’s continuous and automated red team platform.
  • 2021-09-22: The buffer overflow vulnerability was disclosed by Randori to PAN.
  • 2021-10-11: The HTTP smuggling capability was disclosed by Randori to PAN.
  • 2021-11-10: PAN released patches and a security bulletin assigning the vulnerability CVE-2021-3064.
  • 2021-11-10: This report was published.

Source: Randori

CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. The problematic code is not reachable externally without utilizing an HTTP smuggling technique. Exploitation of these together yields remote code execution under the privileges of the affected component on the firewall device. The smuggling capability was not designated a CVE identifier as it is not considered a security boundary by the affected vendor. In order to exploit this vulnerability, an attacker must have network access to the device on the GlobalProtect service port (default port 443). As the affected product is a VPN portal, this port is often accessible over the Internet.
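The bug class Randori describes above (and the one named in the NETGEAR “Pre-Authentication Buffer Overflow” heading earlier) is user-supplied input parsed into a fixed-length stack buffer without a bound. The following is an added illustration in C, my own example rather than Palo Alto’s, Randori’s or NETGEAR’s code, and not the actual CVE-2021-3064 code path: the unchecked parser beside the bounded form that rejects over-long input instead of truncating it. FIELD_MAX, the function names and the sample inputs are assumptions constructed for the example.

```c
/* Added example: generic fixed-length stack buffer parsing, vulnerable and
 * hardened forms. Not vendor code; names and sizes are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed size of the fixed-length stack buffer */

/* Vulnerable pattern: copies caller-controlled text into a fixed stack
 * buffer with no length check. Writes past buf when the input is FIELD_MAX
 * bytes or longer, which is the shape of bug the advisory describes.
 * Kept here only for contrast; safe to call with short input only. */
static long parse_field_unchecked(const char *input)
{
    char buf[FIELD_MAX];
    strcpy(buf, input);            /* no bound: overflow on long input */
    return (long)strlen(buf);
}

/* Hardened form: look for the terminator within the buffer size before
 * copying anything. Over-long input is refused (return -1) rather than
 * silently truncated, so the caller can log and drop the request. */
static long parse_field_bounded(const char *input)
{
    char buf[FIELD_MAX];
    const char *end = memchr(input, '\0', FIELD_MAX); /* NUL within FIELD_MAX? */
    if (end == NULL)
        return -1;                 /* no room for the terminator: reject */
    size_t n = (size_t)(end - input);
    memcpy(buf, input, n + 1);     /* copy including the NUL, always fits */
    return (long)strlen(buf);
}

/* Constructed over-long input of the kind a fuzzer would send: far larger
 * than FIELD_MAX. Returns what the bounded parser does with it. */
static long bounded_result_for_oversized(void)
{
    char oversized[FIELD_MAX * 4];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    return parse_field_bounded(oversized);
}

int main(void)
{
    /* Only the bounded parser is given the oversized input; feeding it to
     * parse_field_unchecked would corrupt the stack. */
    printf("short field, unchecked: %ld\n", parse_field_unchecked("user=alice"));
    printf("short field, bounded:   %ld\n", parse_field_bounded("user=alice"));
    printf("oversized, bounded:     %ld\n", bounded_result_for_oversized());
    return 0;
}
```

The point of refusing rather than truncating is that the reject path is an observable event: it can be counted and alerted on, which is exactly the signal a defender would want from a service that, per the advisory, sits on port 443 facing the Internet. The note that the smuggling step was not treated as a security boundary is also why the length check belongs in the parser itself; a front-end that normalizes requests cannot be relied on to have enforced it.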

What does this mean? While it’s tempting to focus on the ethics of Palo Alto for “authorizing” the behavior, or on the ethics of that behavior itself… the reality on the ground is that Randori has painted a very large target on itself as a suspicious repository of zero-day information.

In related news of very large targets, even though this sounds like a headline from a decade ago, Sky admits just now that it left 6 million consumer network devices vulnerable for 1.5 years.

…researchers say it took Sky 18 months to address. The vulnerability could have affected anyone who had not changed the router’s default admin password.

The BBC headline really should have been “The Sky is failing” as in Sky was “failing to meet numerous deadlines they set themselves”.

How Gaining Knowledge Violates the U.S. First Amendment

Here is an excellent lecture by legal scholar Robert C. Post on why speech must be regulated for an environment to encourage free speech.

Research, Post said, is ultimately based in the notion that not everyone has equal knowledge of a given topic and that expert knowledge is created through disciplinary study. “When we are talking about university research and expanding knowledge, it is resting on a disciplinary hierarchy, which is exactly opposite of the democratic equality on which freedom of speech rests,” he said.

Therefore, in order to perform research and to advance it, he said, universities must discriminate on content, make judgments that some ideas are better than others and compel professors and researchers to speak in order to communicate their knowledge. Though these actions further the mission of a university, he said, they violate the rules of the First Amendment.

In other words (pun not intended), improving knowledge through a process of evaluation with measured results, where some inputs can be judged by an authorized process, violates a political framework designed to maintain the power (rights) of ignorance.

This is hardly different from saying a moving environment should be regulated based on the science of physics (e.g. dismissing the political controversy about seat belts given the basic economics of safety) for society to be more physically safe.

Post continues:

“Any teacher knows that students who are threatened or assaulted don’t listen,” he said. “They don’t learn. So you have to create the conditions under which learning is possible, and you have to regulate the speech in order to advance that goal.” Again, he said, these requirements of good teaching and learning necessarily violate the rules of the First Amendment.
