Income shares and top tax rates since 1960: the strong correlation

This graph speaks a thousand words:

The trend evident here is probably no great surprise, and we’ve noted it before – but hard data is always worth remarking on.

Where is it from? Via @MilesCorak (via @alexcobham) we see this 2013 paper from the renowned group of Facundo Alvaredo, Anthony Atkinson, Thomas Piketty, and Emmanuel Saez. The full paper is here. The authors conclude:

The rise in top income shares in the United States has been dramatic. In seeking explanations, however, it would be misleading to focus just on the doubling of the share of income going to the top 1 percent of the US distribution over the past 40 years. We also have to account for the fact that a number of high-income countries have seen more modest or little increase in top shares. Hence, the explanation cannot rely solely on forces common to advanced countries, like the impact of new technologies and globalization on the supply and demand for skills. Moreover, the explanations have to accommodate the falls in top income shares earlier in the twentieth century that characterize the countries discussed here.

And they cite four factors explaining the rise in top income shares:

  • tax policy: top tax rates have moved in the opposite direction from top pre-tax income shares
  • a richer view of the labor market, considering changes to bargaining power and greater individualisation of pay. “Tax cuts may have led managerial energies to be diverted to increasing their remuneration at the expense of enterprise growth and employment.”
  • capital income. In Europe—but less so in the United States—private wealth (relative to national income) has followed a spectacular U-shaped path over time, and inherited wealth may be making a return, implying that “inheritance and capital income taxation will become again central policy tools for curbing inequality.” TJN would support such moves, of course, and tax competition will be fighting hard, if more impersonally, in the opposite, wrong, direction.
  • a rising correlation between earned income and capital income, particularly in the United States.

Computing Security Awards 2014 – Titania Needs Your Vote

It’s that time of the year again. The time when the prestigious Computing Security Awards open for nominations and we need to kindly ask you to vote for us. Thanks to your votes we’ve been successful in these awards before. Here’s a look at how we did previously: 


  • Computing Security Award for Network Security Solution of the Year, 2012
  • Computing Security Award for Enterprise Security Solution of the Year, 2012
  • Computing Security Award for Enterprise Security Solution of the Year, 2013
  • Computing Security Award, Editor’s Choice, 2013

This was all due to you and your recognition for what we do, and we would love to achieve the awards again this year. If you can give us a quick nomination, follow this link: http://www.computingsecurityawards.co.uk

Fill in a couple of details (to make sure the entry is legitimate and no spamming takes place) and then choose a category. For those of you who are not necessarily in the cyber security sector, the most appropriate categories for us are:

Network Security Solution of the Year

Enterprise Security Solution of the Year

Security Company of the Year

SME Security Solution

Personal Contribution to IT Security 
(Ian Whiting Titania CEO & Creator of Nipper Studio)

Please feel free to vote for us in as many categories as you like! More than one vote per company is allowed, if you want to share this with your colleagues and friends. Voting closes on the 25th of July, 2014. If we have been made finalists in any category, we will ask you for your help in voting again to decide the winners. 

Here’s a quick refresh on our products: Nipper Studio is network security software for auditing firewalls, switches and routers, while Paws Studio is a compliance auditing and vulnerability assessment tool for servers, workstations and laptops.

A heartfelt thank you for your support from the entire team at Titania!


Titania Free Tools

Nigel Matthews and Max McFarlane (Free Tools Development Team, Titania)


About the Authors

Titania’s Free Tools Team has worked hard to build and maintain a number of free tools, which have now been released to assist other auditors and penetration testers with their work.

Since the developers at Titania come from a penetration testing background, they have created a number of tools over the years to assist with their work, and some of those tools have been released to help other penetration testers. This article takes a look at two of those tools, SSL Scan and Banner Grab, and also offers an exclusive insight into a number of updates that will be released soon.

Although packages are available on Linux platforms for some of these tools, they are distributed in source code form. This article shows how they can be compiled from the source code and run.

SSL Scan

The purpose of SSL Scan is to determine what encryption ciphers are supported by a particular SSL service. It also obtains a copy of the SSL certificate, determines default ciphers and can send additional service probes to determine if the cipher can actually be used with the service. Some SSL servers will accept negotiation with an encryption cipher, but the service then disallows it.

SSL Scan makes use of the OpenSSL library to create a list of potential ciphers that are then used to test a service.

Compilation

From the SSL Scan page on the Titania website, follow the link to download SSL Scan (the latest version is 1.8.2). You will also need OpenSSL (and the development libraries, if these are separate on your system) and the GNU C++ compiler. You may be able to use Cygwin / MinGW on Windows.

Extract the source code to a directory and then open a command prompt in that directory. You can then compile the source code using the following command:
gcc -o sslscan sslscan.c -lssl -lcrypto

On Apple Mac OS X systems, the procedure is slightly different as you need to use the Ports version of OpenSSL, rather than the restricted version that Apple supply. You can download and install Ports from macports.org. Once installed, execute the following command to install the Ports version of OpenSSL:
sudo port install openssl

Then you can compile SSL Scan using the following command:
gcc -I/opt/local/include -L/opt/local/lib -o sslscan sslscan.c -lssl -lcrypto

Using SSL Scan

Now that SSL Scan is compiled, you can obtain help on the command line options by typing the following command (see Listing 1):
./sslscan --help

Listing 1. ‘sslscan --help’ results

Command:
./sslscan [Options] [host:port | host]

Options:
--targets=<file>       A file containing a list of hosts to
                       check. Hosts can be supplied with
                       ports (i.e. host:port).
--no-failed            List only accepted ciphers (default
                       is to listing all ciphers).
--ssl2                 Only check SSLv2 ciphers.
--ssl3                 Only check SSLv3 ciphers.
--tls1                 Only check TLSv1 ciphers.
--pk=<file>            A file containing the private key or
                       a PKCS#12 file containing a private
                       key/certificate pair (as produced by
                       MSIE and Netscape).
--pkpass=<password>    The password for the private key or
                       PKCS#12 file.
--certs=<file>         A file containing PEM/ASN1 formatted
                       client certificates.
--starttls             If a STARTTLS is required to kick an
                       SMTP service into action.
--http                 Test a HTTP connection.
--bugs                 Enable SSL implementation bug
                       workarounds.
--xml=<file>           Output results to an XML file.
--version              Display the program version.
--quiet                Be quiet
--help                 Display the help text you are now
                       reading.

Example:
./sslscan 127.0.0.1

To use SSL Scan to determine what ciphers a standard HTTPS server operating on port 443 supports (using Google as an example):
./sslscan www.google.com

You will then receive information similar to what you can see in Listing 2.

Listing 2. Testing SSL server www.google.com on port 443

Testing SSL server www.google.com on port 443

Supported Server Cipher(s):
Rejected SSLv2 168 bits  DES-CBC3-MD5
Rejected SSLv2 128 bits  RC2-CBC-MD5
Rejected SSLv2 128 bits  RC4-MD5
Rejected SSLv2 56  bits  DES-CBC-MD5
Rejected SSLv2 40  bits  EXP-RC2-CBC-MD5
Rejected SSLv2 40  bits  EXP-RC4-MD5
Failed SSLv3 256 bits  ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits  ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits  ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits  ECDHE-ECDSA-AES256-SHA384
Accepted SSLv3 256 bits  ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits  ECDHE-ECDSA-AES256-SHA
Rejected SSLv3 256 bits  SRP-DSS-AES-256-CBC-SHA
Rejected SSLv3 257 bits  SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 258 bits  DHE-DSS-AES256-GCM-SHA384

SSL Scan can be integrated into third-party products by using the XML output option. The XML results can then be easily imported and managed by your own custom applications. To do this you can use the following command:
./sslscan --xml=scan-results.xml www.google.com
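
As an added example (not part of SSL Scan or of the original article), the following Python sketch shows how a custom application might post-process scan results. It reads the plain-text result lines in the format of Listing 2 and reports accepted ciphers that fail a simple policy; the policy values, the sample data and the host name test.example are assumptions made for illustration.

```python
import re

# One result line as printed in Listing 2: status, protocol, key bits, cipher name.
LINE = re.compile(r"^\s*(Accepted|Rejected|Failed)\s+(SSLv2|SSLv3|TLSv1)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Illustrative audit policy: an assumption of this example, not built into SSL Scan.
MIN_BITS = 128
WEAK_PARTS = ("EXP", "NULL", "RC4", "MD5", "ADH")

# Constructed sample in the Listing 2 format (test.example is a placeholder host).
SAMPLE = """\
Testing SSL server test.example on port 443

Supported Server Cipher(s):
Rejected SSLv2 168 bits  DES-CBC3-MD5
Accepted SSLv2 40  bits  EXP-RC4-MD5
Failed SSLv3 256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted SSLv3 256 bits  ECDHE-RSA-AES256-SHA
Accepted TLSv1 128 bits  RC4-SHA
Accepted TLSv1 56  bits  DES-CBC-SHA
"""

def parse_results(text):
    """Return one dict per cipher line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append({"status": m[1], "protocol": m[2], "bits": int(m[3]), "cipher": m[4]})
    return rows

def weaknesses(row):
    """List the reasons a cipher entry fails the illustrative policy."""
    reasons = []
    if row["protocol"] == "SSLv2":
        reasons.append("SSLv2 protocol")
    if row["bits"] < MIN_BITS:
        reasons.append("key shorter than %d bits" % MIN_BITS)
    reasons += ["weak component " + p for p in row["cipher"].split("-") if p in WEAK_PARTS]
    return reasons

def audit(text):
    """Map (protocol, cipher) to reasons, for accepted ciphers that are flagged."""
    findings = {}
    for row in parse_results(text):
        reasons = weaknesses(row) if row["status"] == "Accepted" else []
        if reasons:
            findings[(row["protocol"], row["cipher"])] = reasons
    return findings
```

Calling audit() on saved SSL Scan output returns only the accepted ciphers that need attention, so rejected and failed entries never appear in the report.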

Banner Grab

When performing a penetration assessment, obtaining network service banners can often provide useful information. This information is not always accurately processed and reported by vulnerability scanners. Information leakage from a network service banner can have the potential to lead an attacker toward software vulnerabilities. For example, SSH service banners will often include both software and version details.

Titania developed Banner Grab to go and get the service banner information for you. In addition to standard service banners, Banner Grab has the ability to send specially formatted triggers for different types of service in order to obtain as much information as possible. By default Banner Grab will send triggers when a common port is used that has a trigger defined.

Compilation

From the Banner Grab page on the Titania website, follow the link to download Banner Grab (the latest version is 3.6). If you want to compile Banner Grab with SSL support then you will need to download OpenSSL (and the development libraries, if these are separate on your system). You will also need the GNU C++ compiler. You may be able to use Cygwin / MinGW on Windows.

Extract the source code to a directory and then open a command prompt in that directory. You can then compile the source code using the following command:
gcc -o bannergrab bannergrab.c -lssl -lcrypto

If you want to build Banner Grab without SSL support you can use the following:
gcc -DNOSSL -o bannergrab bannergrab.c

Using Banner Grab

Once compiled you can get help on Banner Grab by typing the following command:
./bannergrab --help

The result should be similar to what you can see in Listing 3.

Listing 3. ‘./bannergrab --help’ results

Command:
./bannergrab [Options] host port

Options:
--udp                  Connect to a port using UDP.
                       The default is to use TCP.
--no-triggers          Collect only the connection banner,
                       no triggers and no SSL.
--trigger=<trigger>    Specify the trigger to use. Specify
                       DEFAULT to use the default trigger.
--no-ssl               Prevent SSL connection creation.
--no-hex               Output containing non-printable
                       characters are converted to hex.
                       This option prevents the
                       conversion.
--conn-time=<secs>     Connection timeout (default is 5s).
--read-time=<secs>     Read timeout (default is 3s).
--verbose              Show additional program details such
                       as any errors.
--show-triggers        Show the supported triggers.
--version              Show the program version.
--help                 Display the help text you are
                       reading now.

Example:
./bannergrab 127.0.0.1 80

To get a simple banner from an SSH server you could type the following:
./bannergrab 192.168.0.22 22

On my test SSH service the result was:
SSH-2.0-OpenSSH_5.3

As you can see the SSH service returned not only the SSH protocol but the SSH service software and version. This is very useful information for an attacker attempting to identify software vulnerabilities to exploit.
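
To check what your own SSH services disclose, a captured banner can be parsed according to the identification string format in RFC 4253. The following Python sketch is an added example, not part of Banner Grab or of the original article; apart from the banner shown above, the sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The software field is matched loosely because deployed servers vary.
IDENT = re.compile(rb"^SSH-([0-9.]+)-(\S+)(?: (.*))?$")

def parse_ssh_banner(raw):
    """Parse the identification string out of raw banner bytes, or return None."""
    # A server may send other text lines before the identification string.
    for line in raw.split(b"\n"):
        m = IDENT.match(line.rstrip(b"\r"))
        if m:
            proto, software, comments = (
                (g or b"").decode("ascii", "replace") for g in m.groups())
            return {"protocol": proto, "software": software, "comments": comments}
    return None

def disclosures(raw):
    """Describe what a captured SSH banner tells a remote party."""
    info = parse_ssh_banner(raw)
    if info is None:
        return ["no SSH identification string found"]
    notes = []
    if any(ch.isdigit() for ch in info["software"]):
        notes.append("discloses software version string %s" % info["software"])
    # RFC 4253 section 5.1: protoversion 1.99 means SSH-1 is accepted as well as SSH-2.
    if info["protocol"].startswith("1."):
        notes.append("offers legacy SSH protocol 1 (protoversion %s)" % info["protocol"])
    if info["comments"]:
        notes.append("extra comment field: %s" % info["comments"])
    return notes

# The first banner is the one shown above; the others are constructed for illustration.
BANNERS = [
    b"SSH-2.0-OpenSSH_5.3\r\n",
    b"Authorised use only\r\nSSH-1.99-OpenSSH_5.3 build-host-7\r\n",
    b"220 mail.test.example ESMTP\r\n",
]

if __name__ == "__main__":
    for raw in BANNERS:
        print(raw, "->", disclosures(raw))
```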

I mentioned earlier that Banner Grab sends triggers to a service to identify additional information. In the next example I will use Banner Grab to get service information from an SNMP service. The command was:
./bannergrab --udp 192.168.0.12 161

See the results in Listing 4.

Listing 4. ‘./bannergrab --udp 192.168.0.12 161’ results



When the information returned from a service includes non-printable characters, Banner Grab returns the information in a HEX value format with the printable characters to the right. As you can see from the returned information, it appears to be an HP device that supports the community strings “public” and “private”.

Future Developments

There are a number of exciting updates coming through the Titania Free Tool Development Team at the moment. The SSL Scan and Banner Grab tools described in this article are being updated, together with graphical versions of the tools. The Banner Grab tool now also includes a port scanning tool to identify the live ports on a device prior to performing the banner grabbing.

The Free Tool Team has also been updating our other tools such as IP Calculator, which now includes IPv6 support and provides many more address details. Plus, there will be pre-compiled binary packages available for Windows, Linux and Mac systems, making them all much easier to use. For more information on our full portfolio of free tools, visit our website.