Maintaining Your Access to Sci-Hub

November 21st, 2017

A tweet today by @Sci_Hub advises:

Sci-Hub is working. To get around domain names problem, use custom Sci-Hub DNS servers 80.82.77.83 and 80.82.77.84. How to customize DNS in Windows: https://pchelp.ricmedia.com/set-custom-dns-servers-windows/

No doubt, Elsevier will continue to attempt to interfere with your access to Sci-Hub.

Already the largest, most bloated and insecure academic publishing presence on the Internet, Elsevier labors every day to become more of an attractive nuisance.

What corporate strategy is served by painting a flashing target on your Internet presence?

Thoughts?

PS: Do update your DNS entries while pondering that question.

What do you mean, “We?”

November 20th, 2017

Prasad Ajgaonkar reports in 94pc of cyber attacks are caused by lack of infosecurity awareness training. Is your organisation safe?:

Do you know that a cyber attack takes place every 10 minutes in India? This rate is higher than that in 2016, where a cyber attack took place once every 12 minutes. A study conducted by Fortinet found that a whopping 94 percent of IT experts believe that information security (InfoSec) practices in Indian organizations are sorely inadequate and completely fail to protect from cyber attacks in today’s world.

It is crucial to be aware that the exorbitantly high cyber attacks in India is a human issue, rather than an IT issue. This means that employees failing to follow InfoSec practices, rather than IT system failures, is the biggest contributor of cyber attacks.

Therefore, it is critical to ensure that all employees at an organisation are vigilant, fully aware of cyber-threats, and trained to follow InfoSec practices at all times.

Focusing on the lack of training for employees, the post suggests this solution:

Story-telling and scenario based training would be an excellent and highly effective way to ensure that employees consistently practice InfoSec measures. An effective InfoSec training programme has the following features:

  1. Educating employees through story-telling and interactive media – …
  2. Continuous top of the mind recall – …
  3. Presenting InfoSec tips, trivia and reminders to employees through mobile phone apps…
  4. Training through scenario-based assessments – …
  5. Training through group discussions – …

I have a simpler explanation for poor cybersecurity practices of employees in India.

The Hindu captured it in one headline: India Inc pay gap: CEOs earn up to 1,200-times of average staff

Many thought the American pay gap, where CEOs make 271 times the pay of most workers, was bad.

Try almost four (4) times the American CEO – worker pay gap.

How much commonality of interest exists between a worker and a CEO who gets $1,200 for every $1 the worker gets?

Conventional training, excluding the use of drugs and/or physical torture, isn’t likely to create a commonality of interest. Yes?

Cybersecurity “solutions” that don’t address the worker to CEO wage gap, are castles made of sand.

SPARQL queries of Beatles recording sessions

November 20th, 2017

SPARQL queries of Beatles recording sessions – Who played what when? by Bob DuCharme.

From the post:

While listening to the song Dear Life on the new Beck album, I wondered who played the piano on the Beatles’ Martha My Dear. A web search found the website Beatles Bible, where the Martha My Dear page showed that it was Paul.

This was not a big surprise, but one pleasant surprise was how that page listed absolutely everyone who played on the song and what they played. For example, a musician named Leon Calvert played both trumpet and flugelhorn. The site’s Beatles’ Songs page links to pages for every song, listing everyone who played on them, with very few exceptions–for example, for giant Phil Spector productions like The Long and Winding Road, it does list all the instruments, but not who played them. On the other hand, for the orchestra on A Day in the Life, it lists the individual names of all 12 violin players, all 4 violists, and the other 25 or so musicians who joined the Fab Four for that.

An especially nice surprise on this website was how syntactically consistent the listings were, leading me to think “with some curl commands, python scripting, and some regular expressions, I could, dare I say it, convert all these listings to an RDF database of everyone who played on everything, then do some really cool SPARQL queries!”

So I did, and the RDF is available in the file BeatlesMusicians.ttl. The great part about having this is the ability to query across the songs to find out things such as how many different people played a given instrument on Beatles recordings or what songs a given person may have played on, regardless of instrument. In a pop music geek kind of way, it’s been kind of exciting to think that I could ask and answer questions about the Beatles that may have never been answered before.
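To make the "query across the songs" idea concrete, here is an added example: a minimal in-memory triple store with the basic graph pattern matching that underlies SPARQL SELECT queries. It is not DuCharme's code and does not use his BeatlesMusicians.ttl; the predicate names (song, musician, instrument), the performance nodes, "Sample Song" and "Sample Musician" are assumptions constructed for the demo, and only the Martha My Dear credits come from the post.

```python
"""Minimal triple store with SPARQL-style basic graph pattern (BGP) matching.

Added example, not DuCharme's code or data. The predicate names (song,
musician, instrument) and the "performance" nodes are an assumed vocabulary;
"Sample Song" and "Sample Musician" are constructed filler. Only the
Martha My Dear credits (Paul on piano, Leon Calvert on trumpet and
flugelhorn) come from the post.
"""

# Constructed sample graph: each performance node links a song, a musician
# and the instrument that musician played, as (subject, predicate, object).
TRIPLES = [
    ("perf1", "song", "Martha My Dear"), ("perf1", "musician", "Paul McCartney"), ("perf1", "instrument", "piano"),
    ("perf2", "song", "Martha My Dear"), ("perf2", "musician", "Leon Calvert"), ("perf2", "instrument", "trumpet"),
    ("perf3", "song", "Martha My Dear"), ("perf3", "musician", "Leon Calvert"), ("perf3", "instrument", "flugelhorn"),
    ("perf4", "song", "Sample Song"), ("perf4", "musician", "Paul McCartney"), ("perf4", "instrument", "bass"),
    ("perf5", "song", "Sample Song"), ("perf5", "musician", "Sample Musician"), ("perf5", "instrument", "piano"),
]


def is_var(term):
    """Query variables are written SPARQL-style, e.g. '?who'."""
    return term.startswith("?")


def match_triple(triples, pattern, binding):
    """Yield every extension of `binding` under which `pattern` matches a triple.

    A variable that is already bound must agree with the triple (this is the
    join); an unbound variable is bound to the term it lines up with.
    """
    for triple in triples:
        extended = dict(binding)
        for term, value in zip(pattern, triple):
            if is_var(term):
                if extended.setdefault(term, value) != value:
                    break
            elif term != value:
                break
        else:
            yield extended


def select(triples, patterns):
    """Evaluate a BGP (a conjunction of triple patterns) by nested-loop join,
    returning one binding dict per solution, like the rows of a SELECT."""
    solutions = [{}]
    for pattern in patterns:
        solutions = [ext for b in solutions for ext in match_triple(triples, pattern, b)]
    return solutions


def players_of(instrument):
    """SELECT DISTINCT ?who WHERE { ?perf :instrument <instrument> . ?perf :musician ?who }"""
    rows = select(TRIPLES, [("?perf", "instrument", instrument), ("?perf", "musician", "?who")])
    return sorted({row["?who"] for row in rows})


def songs_of(person):
    """SELECT DISTINCT ?song WHERE { ?perf :musician <person> . ?perf :song ?song }"""
    rows = select(TRIPLES, [("?perf", "musician", person), ("?perf", "song", "?song")])
    return sorted({row["?song"] for row in rows})


def co_performers(person):
    """Everyone who played on a song with `person`, regardless of instrument:
    a two-hop join through the shared ?song variable."""
    rows = select(TRIPLES, [
        ("?mine", "musician", person),
        ("?mine", "song", "?song"),
        ("?theirs", "song", "?song"),
        ("?theirs", "musician", "?other"),
    ])
    return sorted({row["?other"] for row in rows} - {person})


if __name__ == "__main__":
    print("piano players:", players_of("piano"))
    print("Leon Calvert's songs:", songs_of("Leon Calvert"))
    print("played with Paul:", co_performers("Paul McCartney"))
```

The join in `match_triple` is the whole trick: once `?song` is bound by one pattern, the next pattern can only match triples with that same song, which is exactly how a real SPARQL engine answers "who played on anything this person played on".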

Will the continuing popularity of the Beatles drive interest in SPARQL? Hard to say but DuCharme gives it a hard push in this post. It will certainly appeal to Beatles devotees.

Is it coincidence that DuCharme posted this on November 19, 2017, the same day as the reported death of Charles Manson? (cf. Helter Skelter)

There’s a logical extension to DuCharme’s RDF file, Charles Manson, the Manson family and music of that era.

Many foolish things were said about rock-n-roll in the ’60s that are now being repeated about social media and terrorists. Same rant, same lack of evidence, same intolerance, same ineffectual measures against it. Not only can elders not learn from the past, they can’t wait to repeat it.

Be inventive! Learn from past mistakes so you can make new ones in the future!

So You Want to be a WIZARD [Spoiler Alert: It Requires Work]

November 20th, 2017

So You Want to be a WIZARD by Julia Evans.

I avoid using terms like inspirational, transforming, etc. because it is so rare that software, projects, presentations merit those terms.

Today I am making an exception to that rule to say:

So You Want to be a Wizard by Julia Evans can transform your work in computer science.

Notice the use of “can” in that sentence. No guarantees because unlike many promised solutions, Julia says up front that hard work is required to use her suggestions successfully.

That’s right. If these methods don’t work for you it will be because you did not apply them. (full stop)

No guarantees you will get praise, promotions, recognition, etc., as a result of using Julia’s techniques, but you will be a wizard none the less.

One consolation is that wizards rarely notice back-biters, office sycophants, and a range of other toxic co-workers. They are too busy preparing themselves to answer the next technical issue that requires a wizard.

Shirriffs and Elephant Poaching

November 19th, 2017

I asked on Twitter yesterday:

How can data/computer science disrupt, interfere with, burden, expose elephant hunters and their facilitators? Serious question.

@Pembient pointed to Vulcan’s Domain Awareness Tool, described in New Tech Gives Rangers Real-Time Tools to Protect Elephants as:

The Domain Awareness System (DAS) is a tool that aggregates the positions of radios, vehicles, aircraft and animal sensors to provide users with a real-time dashboard that depicts the wildlife being protected, the people and resources protecting them, and the potential illegal activity threatening them.

“Accurate data plays a critical role in conservation,” said Paul Allen. “Rangers deserve more than just dedication and good luck. They need to know in real-time what is happening in their parks.”

The visualization and analysis capabilities of DAS allow park managers to make immediate tactical decisions to then efficiently deploy resources for interdiction and active management. “DAS has enabled us to establish a fully integrated approach to our security and anti-poaching work within northern Kenya,” said Mike Watson, chief executive officer of Lewa Conservancy where the first DAS installation was deployed late last year. “This is making us significantly more effective and coordinated and is showing us limitless opportunities for conservation applications.”

The system has been installed at six protected wildlife conservation sites since November 2016. Working with Save the Elephants, African Parks Network, Wildlife Conservation Society, and the Singita Grumeti Fund as well as the Lewa Conservancy and Northern Rangelands Trust, a total of 15 locations are expected to adopt the system this year.

Which is great and a project that needs support and expansion.

However, the question remains: having “spotted” poachers, where are the resources to physically safeguard elephants and other targets of poachers?

A second link, also suggested by @Pembient, Wildlife Works, Wildlife Works Carbon / Kasigau Corridor, Kenya, another great project, reminds me of the Shirriffs of the Hobbits, who were distinguished from other Hobbits by a feather they wore in their caps:


Physical protection and monitoring – Wildlife Works trained over 120 young people, men and women, from the local communities to be Wildlife Rangers, and they perform daily foot patrols of the forest to ensure that it remains intact. The rangers are unarmed, but have the power of arrest granted by the local community.

Environmental monitoring isn’t like confronting poachers, or ordinary elephant hunters for that matter, who travel in packs, armed with automatic weapons, with dubious regard for lives other than their own.

Great programs, having a real impact, that merit your support, but not quite on point to my question of:

How can data/computer science disrupt, interfere with, burden, expose elephant hunters and their facilitators? Serious question.

Poachers must be stopped with police/military force. The use of DAS and similar information systems has the potential to deploy forces effectively against poachers. Assuming adequate forces are available. The estimated loss of 100 elephants per day suggests they are not.

Hunters, on the other hand, are protected by law and tradition in their slaughter of adult elephants, who have no natural predators.

To be clearer, we know the classes of elephant hunters and facilitators exist, how should we go about populating those classes with instances, where each instance has a name, address, employer, website, email, etc.?

And once having that information, what can be done to acknowledge their past, present or ongoing hunting of elephants? Acknowledge it in such a way as to discourage any further elephant hunting by themselves or anyone who reads about them?

Elephants aren’t killed by anonymous labels such as “elephant hunters,” or “poachers,” but by identifiable, nameable, traceable individuals.

Use data science to identify, name and trace those individuals.

DHS Algorithms – Putting Discrimination Beyond Discussion

November 17th, 2017

Coalition of 100+ tech groups and leaders warn the DHS that “extreme vetting” software will be a worse-than-useless, discriminatory nightmare by Cory Doctorow.

From the post:

In a pair of open letters to Letter to The Honorable Elaine C. Duke, Acting Secretary of Homeland, a coalition of more than 100 tech liberties groups and leading technology experts urged the DHS to abandon its plan to develop a black-box algorithmic system for predicting whether foreigners coming to the USA to visit or live are likely to be positive contributors or risks to the nation.

The letters warn that algorithmic assessment tools will be prone to religious and racial bias, in which programmers get to decide, without evidence, debate or transparency, what kind of person should be an American — which jobs, attitudes, skills and family types are “American” and which ones are “undesirable.”

Further, the system for predicting terrorist proclivities will draw from an infinitesimal data-set of known terrorists, whose common characteristics will be impossible to divide between correlative and coincidental.

If the Department of Homeland Security (DHS) needed confirmation it’s on the right track, then Doctorow and “the 100 tech liberties groups and leading technology experts” have provided that confirmation.


The letters warn that algorithmic assessment tools will be prone to religious and racial bias, in which programmers get to decide, without evidence, debate or transparency, what kind of person should be an American — which jobs, attitudes, skills and family types are “American” and which ones are “undesirable.”

To discriminate “…without evidence, debate or transparency…” is an obvious, if unstated, goal of the DHS “black-box algorithmic system.”

The claim by Doctorow and others the system will be ineffectual:

…the system for predicting terrorist proclivities will draw from an infinitesimal data-set of known terrorists, whose common characteristics will be impossible to divide between correlative and coincidental

imposes a requirement of effectiveness that has never been applied to the DHS.
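The claim that a tiny set of known positives cannot separate correlative from coincidental characteristics can be checked with a simulation. The following is an added example, not from the letters or from Doctorow's post: every "known positive" is a row of independent coin flips with no signal at all, so any feature shared by all of them is coincidence by construction. The feature counts and function names are assumptions chosen for the demo.

```python
"""Added simulation of the small-positive-set problem (not from the post or
the coalition letters). Each 'known positive' is a row of independent coin
flips, so any feature shared by all positives is coincidence by construction.
"""
import random


def find_shared_features(n_positives, n_features, prevalence=0.5, seed=1):
    """Return the indexes of features present in every one of `n_positives`
    random records. With no real signal, these are exactly the 'common
    characteristics' a profiler would report."""
    rng = random.Random(seed)
    records = [[rng.random() < prevalence for _ in range(n_features)]
               for _ in range(n_positives)]
    return [j for j in range(n_features) if all(rec[j] for rec in records)]


def expected_shared(n_positives, n_features, prevalence=0.5):
    """Expected count of coincidentally shared features under independence:
    each feature is shared by all positives with probability
    prevalence ** n_positives."""
    return n_features * prevalence ** n_positives


def holdout_survivors(n_positives, n_features, prevalence=0.5, seed=1):
    """Fit on one sample of positives, then re-check the 'shared' features on
    a second, independent sample of the same size. Features that survive are
    the ones a validation step would keep; the rest were coincidence."""
    found = find_shared_features(n_positives, n_features, prevalence, seed)
    rng = random.Random(seed + 1)
    holdout = [[rng.random() < prevalence for _ in range(n_features)]
               for _ in range(n_positives)]
    return [j for j in found if all(rec[j] for rec in holdout)]


if __name__ == "__main__":
    # 10 known positives screened against 10,000 candidate features
    shared = find_shared_features(10, 10_000)
    print(f"expected coincidental features: {expected_shared(10, 10_000):.1f}")
    print(f"found: {len(shared)}; surviving a holdout check: "
          f"{len(holdout_survivors(10, 10_000))}")
```

With ten positives and ten thousand candidate attributes, roughly ten attributes will be shared by every positive although none of them means anything; with a thousand positives the same screen finds none. The holdout check is the minimum a defensible system would need, and it is exactly the step a "black box" without evidence, debate or transparency cannot be shown to have taken.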

Examples aren’t hard to find but consider that since late 2001, the Transportation Safety Administration (TSA) has not caught a single terrorist. Let me repeat that: Since late 2001, the Transportation Safety Administration (TSA) has not caught a single terrorist. But visit any airport and the non-terrorist catching TSA is in full force.

Since the Naturalization Act of 1790 forward, granting naturalization to “…free white person[s]…,” US immigration policy has been, is and likely will always be, a seething cauldron of discrimination.

That the DHS wants to formalize whim, caprice and discrimination into algorithms “…without evidence, debate or transparency…” comes as no surprise.

That Doctorow and others think pointing out discrimination to those with a history, habit and intent to discriminate is meaningful is surprising.

I’m doubtful that educating present members of Congress about the ineffective and discriminatory impact of the DHS plan will be useful as well. Congress is the source of the current discriminatory laws governing travel and immigration so I don’t sense a favorable reception there either.

Perhaps new members of Congress or glitches in DHS algorithms/operations that lead to unforeseen consequences?

Are You A Member of the 300+ Mile High Club? 1,738 Satellite Targets

November 16th, 2017

UCS Satellite Database – In-depth details on the 1,738 satellites currently orbiting Earth.

From the post:

Assembled by experts at the Union of Concerned Scientists (UCS), the Satellite Database is a listing of the more than 1000 operational satellites currently in orbit around Earth.

Our intent in producing the database is to create a research tool for specialists and non-specialists alike by collecting open-source information on operational satellites and presenting it in a format that can be easily manipulated for research and analysis.

It is available as both a downloadable Excel file and in a tab-delimited text format. A version is also provided in which the “Name” column contains only the official name of the satellite in the case of government and military satellites, and the most commonly used name in the case of commercial and civil satellites.

Satellites are much easier targets than undersea cables. Specialized equipment required for both, but undersea cables also require a submarine while satellites only a line of sight. Much easier to arrange.

With a high quality antenna and electronic gear, the sky is alive with targets. For extra points, install your antenna remote to you and use an encrypted channel to control and receive data. (Makes you less obvious than several satellite dishes in the back yard.)

PS: Follow the UCS Satellite DB on Twitter. Plus, the Union of Concerned Scientists.

10 Papers Every Developer Should Read (At Least Twice) [With Hyperlinks]

November 16th, 2017

10 Papers Every Developer Should Read (At Least Twice) by Michael Feathers

Feathers omits hyperlinks for the 10 papers every developer should read, at least twice.

Hyperlinks eliminate searches by every reader, saving them time and load on their favorite search engine, not to mention providing access more quickly. Feathers’ list with hyperlinks follows.

Most are easy to read but some are rough going – they drop off into math after the first few pages. Take the math to tolerance and then move on. The ideas are the important thing.

See Feathers’ post for his comments on each paper.

Even a shallow web composed of hyperlinks is better than no web at all.

Why You Should Follow Caitlin Johnstone

November 16th, 2017

Why Everyone Should Do What WikiLeaks Did

From the post:


WikiLeaks did exactly what I would do, and so should you. We should all be shamelessly attacking the unelected power structure which keeps our planet locked in endless war while promoting ecocidal corporate interests which threaten the very ecosystemic context in which our species evolved. And we should be willing to use any tools at our disposal to do that.

I’ve been quite shameless about the fact that I’m happy to have my ideas advanced by people all across the political spectrum, from far left to far right. I will never have the ear of the US President’s eldest son, but if I did I wouldn’t hesitate to try and use that advantage if I thought I could get him to put our stuff out there. This wouldn’t mean that I support the US president, it would mean that I saw an opening to throw an anti-establishment idea over the censorship fence into mainstream consciousness, and I exploited the partisan self-interest of a mainstream figure to do that.

We should all be willing to do this. We should all get very clear that America’s unelected power establishment is the enemy, and we should shamelessly attack it with any weapons we’ve got. I took a lot of heat for expressing my willingness to have my ideas shared by high profile individuals on the far right, and I see the same outrage converging upon Assange. Assange isn’t going to stop attacking the establishment death machine with every tool at his disposal because of this outrage, though, and neither am I. The more people we have attacking the elites free from any burden of partisan or ideological nonsense, the better.

What she said.

Tools you suggest I should cover?

Caitlin Johnstone at:

Facebook

Medium

Twitter

Shape Searching Dictionaries?

November 16th, 2017

Facebook, despite its spying, censorship, and being a shill for the U.S. government, isn’t entirely without value.

For example, this post by Simon St. Laurent:

Drew this response from Peter Cooper:

Which if you follow the link: Shapecatcher: Unicode Character Recognition you find:

Draw something in the box!

And let shapecatcher help you to find the most similar unicode characters!

Currently, there are 11817 unicode character glyphs in the database. Japanese, Korean and Chinese characters are currently not supported.
(emphasis in original)

I take “Japanese, Korean and Chinese characters are currently not supported.” to mean Anatolian Hieroglyphs; Cuneiform, Cuneiform Numbers and Punctuation, Early Dynastic Cuneiform, Old Persian, Ugaritic; Egyptian Hieroglyphs; Meroitic Cursive, and Meroitic Hieroglyphs are not supported as well.

But my first thought wasn’t discovery of glyphs in Unicode Code Charts, although useful, but shape searching dictionaries, such as Faulkner’s A Concise Dictionary of Middle Egyptian.

A sample from Faulkner’s (1991 edition):

Or, The Student’s English-Sanskrit Dictionary by Vaman Shivram Apte (1893):

Imagine being able to search by shape for either dictionary! Not just as a glyph but as a set of glyphs, within any entry!

I suspect that’s doable based on Benjamin Milde’s explanation of Shapecatcher:


Under the hood, Shapecatcher uses so called “shape contexts” to find similarities between two shapes. Shape contexts, a robust mathematical way of describing the concept of similarity between shapes, is a feature descriptor first proposed by Serge Belongie and Jitendra Malik.

You can find an in-depth explanation of the shape context matching framework that I used in my Bachelor thesis (“On the Security of reCAPTCHA”). In the end, it is quite a bit different from the matching framework that Belongie and Malik proposed in 2000, but still based on the idea of shape contexts.

The engine that runs this site is a rewrite of what I developed during my bachelor thesis. To make things faster, I used CUDA to accelerate some portions of the framework. This is a fairly new technology that enables me to use my NVIDIA graphics card for general purpose computing. Newer cards are quite powerful devices!
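To show what a “shape context” actually is, here is an added example of the descriptor Milde refers to. It is not Shapecatcher’s code and not his thesis framework: the point sets are constructed outlines (a square, the same square scaled and shifted, and a line), and the bin counts and the nearest-descriptor matching cost are simplifications chosen for the demo rather than the bipartite matching Belongie and Malik use.

```python
"""Added example of shape-context descriptors (Belongie & Malik), not
Shapecatcher's code. Each point is described by a log-polar histogram of
where the shape's other points lie relative to it; two shapes are compared
by chi-square distance between descriptors. Bin counts and the simplified
nearest-descriptor matching cost are choices made for this demo.
"""
import math


def shape_context(points, n_r=5, n_theta=12):
    """One normalised histogram per point: n_r log-spaced radial bins
    (1/8 to 2 of the mean pairwise distance) times n_theta angle bins."""
    dists = [math.dist(p, q) for i, p in enumerate(points)
             for j, q in enumerate(points) if i != j]
    mean_d = sum(dists) / len(dists)   # normalising by mean distance gives scale invariance
    descriptors = []
    for i, (px, py) in enumerate(points):
        hist = [0] * (n_r * n_theta)
        for j, (qx, qy) in enumerate(points):
            if i == j:
                continue
            r = math.dist((px, py), (qx, qy)) / mean_d
            log_r = min(max(math.log2(r), -3.0), 1.0)            # clamp to [1/8, 2]
            r_bin = min(n_r - 1, int((log_r + 3.0) / 4.0 * n_r))
            theta = math.atan2(qy - py, qx - px) % (2 * math.pi)
            t_bin = min(n_theta - 1, int(theta / (2 * math.pi) * n_theta))
            hist[r_bin * n_theta + t_bin] += 1
        descriptors.append([h / (len(points) - 1) for h in hist])
    return descriptors


def chi_square(g, h):
    """Chi-square statistic between two histograms, the matching cost in the paper."""
    return 0.5 * sum((a - b) ** 2 / (a + b) for a, b in zip(g, h) if a + b > 0)


def shape_distance(shape_a, shape_b):
    """Symmetric mean cost of matching each point to its best-matching point on
    the other shape; 0 means every point found an identical context."""
    da, db = shape_context(shape_a), shape_context(shape_b)
    a_to_b = sum(min(chi_square(x, y) for y in db) for x in da) / len(da)
    b_to_a = sum(min(chi_square(y, x) for x in da) for y in db) / len(db)
    return (a_to_b + b_to_a) / 2


# Constructed outlines: corners and edge midpoints of a unit square, the same
# square scaled by 3 and shifted (same shape), and eight collinear points.
SQUARE = [(0, 0), (0.5, 0), (1, 0), (1, 0.5), (1, 1), (0.5, 1), (0, 1), (0, 0.5)]
SQUARE_MOVED = [(3 * x + 10, 3 * y + 20) for x, y in SQUARE]
LINE = [(i, 0) for i in range(8)]

if __name__ == "__main__":
    print("square vs moved square:", round(shape_distance(SQUARE, SQUARE_MOVED), 6))
    print("square vs line:", round(shape_distance(SQUARE, LINE), 3))
```

Because distances are normalised by the mean pairwise distance and angles are measured from each point, the scaled and translated square gets the same descriptors as the original, while the line differs in almost every angle bin. That invariance to size and position is what lets a sketch drawn in a box be matched against glyphs rendered at a fixed size.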

That was written in 2011 and no doubt shape matching has progressed since then.

No technique will be 100% but even less than 100% accuracy will unlock generations of scholarly dictionaries, in ways not imagined by their creators.

If you are interested, I’m sure Benjamin Milde would love to hear from you.

Going Among Capitalists? Don’t Forget Your S8 USB Cable!

November 15th, 2017

Teardown of a consumer voice/location cellular spying device that fits in the tip of a USB cable by Cory Doctorow.

From the post:

Mich from ha.cking bought a $25 “S8 data line locator” device — a cellular spying tool, disguised as a USB cable and marketed to the general public — and did a teardown of the gadget, offering a glimpse into the world of “trickle down surveillance” where the kinds of surveillance tools used by the NSA are turned into products and sold to randos over the internet for $25.

The S8 makes use of the GSM cellular network and takes a regular micro-SIM, and can use any of the international GSM bands. You communicate with it by sending it SMSes or by using a web front-end, which causes it to switch on a hidden mic so you can listen in on its surroundings; it can also give a coarse approximation of its location (based on GSM towers, not GPS, and accurate to within about 1.57km).

For all the technical details see: Inside a low budget consumer hardware espionage implant by mich (@0x6d696368).

In some legal jurisdictions use of this cable may be construed as a crime. But, as US torture of prisoners, NSA surveillance, and numerous other crimes by US operatives demonstrate, prosecution of crimes is at the whim and caprice of prosecutors.

Calling something a “crime” is pejorative labeling for media purposes, unless you are a prosecutor deciding on prosecution. Otherwise, it’s just labeling.

How-Keep A Secret, Well, Secret (Brill)

November 15th, 2017

Weapons of Mass Destruction: The Top Secret History of America’s Nuclear, Chemical and Biological Warfare Programs and Their Deployment Overseas, edited by Matthew M. Aid, is described as:

At its peak in 1967, the U.S. nuclear arsenal consisted of 31,255 nuclear weapons with an aggregate destructive power of 12,786 megatons – more than sufficient to wipe out all of humanity several hundred times over. Much less known is that hidden away in earth-covered bunkers spread throughout the U.S., Europe and Japan, over 40,000 tons of American chemical weapons were stored, as well as thousands of specially designed bombs that could be filled with even deadlier biological warfare agents.

The American WMD programs remain cloaked in secrecy, yet a substantial number of revealing documents have been quietly declassified since the late 1970s. Put together, they tell the story of how America secretly built up the world’s largest stockpile of nuclear, chemical, and biological weapons. The documents explain the role these weapons played in a series of world crises, how they shaped U.S. and NATO defense and foreign policy during the Cold War, and what incidents and nearly averted disasters happened. Moreover, they shed a light on the dreadful human and ecological legacy left by decades of nuclear, chemical and biological weapons manufacturing and testing in the U.S. and overseas.

This collection contains more than 2,300 formerly classified U.S. government documents, most of them classified Top Secret or higher. Covering the period from the end of World War II to the present day, it provides unique access to previously unpublished reports, memoranda, cables, intelligence briefs, classified articles, PowerPoint presentations, military manuals and directives, and other declassified documents. Following years of archival research and careful selection, they were brought together from the U.S. National Archives, ten U.S. presidential libraries, the NATO Archives in Brussels, the National Archives of the UK, the National Archives of Canada, and the National Archives of the Netherlands. In addition, a sizeable number of documents in this collection were obtained from the U.S. government and the Pentagon using the Freedom of Information Act (FOIA) and Mandatory Declassification Review (MDR) requests.

This collection comes with several auxiliary aids, including a chronology and a historiographical essay with links to the documents themselves, providing context and allowing for easy navigation for both students and scholars.

It’s an online resource of about 21,212 pages.

Although the editor, Aid and/or Brill did a considerable amount of work assembling these documents, the outright purchase price: €4.066,00, $4,886.00 or the daily access price: $39.95/day, effectively keeps these once secret documents secret.

Of particular interest to historians and arms control experts, I expect those identifying recurrent patterns of criminal misconduct in governments will find the data of interest as well.

It does occur to me that when you look at the Contents tab, http://primarysources.brillonline.com/browse/weapons-of-mass-destruction#content-tab, each year lists the documents in the archive. Lists that could be parsed for recovery of the documents from other sources on the Internet.

You would still have to index (did I hear someone say topic map?) the documents, etc., but as a long term asset for the research community, it would be quite nice.

If you doubt the need for such a project, toss “USAF, Cable, CINCUSAFE to CSAF, May 6, 1954, Top Secret, NARA” into your nearest search engine.

How do you feel about Brill being the arbiter of 20th century history, for a price?

Me too.

From Forever Vulnerable (aka Microsoft) – Seventeen Years of Vulnerability

November 15th, 2017

A seventeen year old vulnerability was patched in the Microsoft Equation Editor yesterday.

For a semi-technical overview, see Office Equation Editor Security Bug Runs Malicious Code Without User Interaction by Catalin Cimpanu.

For all the details and a back story useful for finding vulnerabilities, see: Skeleton in the closet. MS Office vulnerability you didn’t know about by Embedi.

Walking through the steps in the post to “re-discover” this vulnerability is good exercise.

It’s not the fault of Microsoft that its users fail to patch/upgrade Microsoft products. That being said, CVE-2017-11882, with a seventeen year range, should be added to your evergreen list of Microsoft vulnerabilities.

Call For Cyber Weapons (Arsenal at Black Hat Asia 2018)

November 15th, 2017

Welcome to Arsenal at Black Hat Asia 2018 – Call for Tools Open

Deadline: January 10 at 23:59 Pacific

From the webpage:

The Black Hat Arsenal team will be back in Singapore with the very same goal: give hackers & security researchers the opportunity to demo their newest and latest code.

The Arsenal tool demo area is dedicated to researchers and the open source community. The concept is quite simple: we provide the space and you bring your machine to showcase your work and answer questions from delegates attending Black Hat.

Once again, the ToolsWatch (@toolswatch) team will work in conjunction with Black Hat for the special event Black Hat Arsenal Asia 2018.

The 16th session will be held at the Marina Bay Sands in Singapore from March 22-March 23, 2018.

The same rules to consider before applying to Arsenal:

  • Bring your computer (with VGA output), adapter, your tool, your stickers
  • Avoid stodgy presentations. Folks are expecting action, so give’em action.
  • No vendor pitches or gear!
  • Be yourself, be cool, and wear a smile.
  • Hug the folks at Arsenal :)
  • Above all, have tremendous fun!!

For any questions, contact blackhatarsenal@ubm.com.

*Please note: You may use the plain text “Upload File” section if you wish to include whitepapers or research; however, this field is optional and not required.

Not as much advance notice as you have for Balisage 2018 but surely you are building new tools on a regular basis!

As you have learned from tools written by others, come to Arsenal at Black Hat Asia 2018 and enable others to learn from you.

Terminology: I say “weapons” instead of “tools” to highlight the lack of any “us” when it comes to cybersecurity.

Governments and corporations have an interest in personal privacy and security only when it furthers their agendas and none when it doesn’t.

Making governments and corporations more secure isn’t in my interest. Is it in yours? (Governments have declared their lack of interest in your privacy and security by their actions. Nothing more need be said.)

A Docker tutorial for reproducible research [Reproducible Reporting In The Future?]

November 15th, 2017

R Docker tutorial: A Docker tutorial for reproducible research.

From the webpage:

This is an introduction to Docker designed for participants with knowledge about R and RStudio. The introduction is intended to help people who need Docker for a project. We first explain what Docker is and why it is useful. Then we go into the details on how to use it for a reproducible transportable project.

Six lessons, instructions for installing Docker, plus zip/tar ball of the materials. What more could you want?

Science has paid lip service to the idea of replication of results for centuries but with the sharing of data and analysis, reproducible research is becoming a reality.

Is reproducible reporting in the near future? Reporters preparing their analysis and releasing raw data and their extraction methods?

Or will selective releases of data, when raw data is released at all, continue to be the norm?

Please let @ICIJorg know how you feel about data hoarding, #ParadisePapers, #PanamaPapers, when data and code sharing are becoming the norm in science.

How-To Avoid Sexually Harassing Others

November 15th, 2017

“Sensitivity” training will divert resources, be seen as “forced” on employees (primarily a male reaction), and result in a certificate, not the desired change in behavior. (Albeit “sensitivity” training is a growth industry right now.)

Here’s my rough draft to combat sexual harassment. Not 100% because mothers, spouses and significant other vary widely. But if answers are followed, in general, behavior will improve.

It should have been 3 questions and not 5 because people can’t remember more than 3 things at a time so suggestions for how to shorten it are welcome.

Hmmm, perhaps call mother, spouse, other and ask:

May I (describe behavior) to/with/on (name) without their permission?

One question. What do you think?

The key being “without their permission.” Something the AI people could create a mother, spouse, other bot for.

Datasette: instantly create and publish an API for your SQLite databases

November 14th, 2017

Datasette: instantly create and publish an API for your SQLite databases by Simon Willison.

From the webpage:

I just shipped the first public version of datasette, a new tool for creating and publishing JSON APIs for SQLite databases.

You can try it out right now at fivethirtyeight.datasettes.com, where you can explore SQLite databases I built from Creative Commons licensed CSV files published by FiveThirtyEight. Or you can check out parlgov.datasettes.com, derived from the parlgov.org database of world political parties which illustrates some advanced features such as SQLite views.

That sounds really great but then I read:

Or you can try it out on your own machine. If you run OS X and use Google Chrome, try running the following:

pip3 install datasette
datasette ~/Library/Application\ Support/Google/Chrome/Default/History

This will start a web server on http://127.0.0.1:8001/ displaying an interface that will let you browse your Chrome browser history, which is conveniently stored in a SQLite database.

Warning – Warning: Don’t have datasette on your laptop at a conference. Yes?
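The quoted commands bind Datasette to 127.0.0.1, so the exposure worth worrying about starts when a service like this is listening on a routable interface instead of loopback. As an added example for this post (not Datasette’s own code), here is a Python check that parses the output of `ss -ltn`, the Linux iproute2 socket listing, and reports every LISTEN socket that is not bound to a loopback address. The `ss` lines below are constructed for the demonstration; `audit_live_system()` runs the real command on a Linux host.

```python
"""Audit listening TCP sockets for non-loopback bindings.

Added example for this post, not part of Datasette.  It parses the output
format of `ss -ltn` (Linux iproute2); the sample lines are constructed.
"""
import ipaddress
import subprocess

# Constructed sample of `ss -ltn` output: a loopback-only datasette on 8001,
# a service bound to every IPv4 interface on 8002, a loopback-only IPv6
# listener, and an sshd bound to the wildcard address.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8001       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8002         0.0.0.0:*
LISTEN  0       128     [::1]:631            [::]:*
LISTEN  0       4096    *:22                 *:*
"""


def split_host_port(local: str) -> tuple[str, int]:
    """Split 'addr:port', handling '[v6addr]:port' and the '*' wildcard."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    """True only when the bind address cannot be reached from the network."""
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed, not as safe


def non_loopback_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (host, port) for every LISTEN socket not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening state
        host, port = split_host_port(fields[3])
        if not is_loopback(host):
            exposed.append((host, port))
    return exposed


def audit_live_system() -> list[tuple[str, int]]:
    """Run `ss -ltn` on this host (Linux only) and report exposed listeners."""
    result = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return non_loopback_listeners(result.stdout)


if __name__ == "__main__":
    for host, port in non_loopback_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed listener: {host}:{port}")
```

On the OS X laptop in the quoted instructions `ss` is not available; `lsof -nP -iTCP -sTCP:LISTEN` gives the equivalent listing, with the local address in a different column, so the parser would need its field index adjusted. The useful habit is the same either way: before joining a conference network, confirm that nothing holding personal data is listening beyond 127.0.0.1 or ::1.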

Other than the caution about your own security, this looks very cool!

Enjoy!

Top GIS Programming Languages You Should Use [Ad Avoidance]

November 14th, 2017

Top GIS Programming Languages You Should Use

No surprises and to help you avoid the one language per page plus ads presentation:

  1. Python
  2. JavaScript
  3. R
  4. SQL (not a programming language, their mistake, not mine)
  5. Java
  6. C#
  7. C++

Best guide is to use whatever other people you work with use, so you can share experience and techniques. All of these languages have more documentation, examples, etc., than any one person can master. Share that load and you will all be more productive.

Data Hoarding Journalists and Information Security

November 14th, 2017

A Study of Technology in Newsrooms

From the post:

We face a global media landscape rife with both uncertainty and excitement. The need to understand this new digital era — and what it means for journalists — has never been more urgent. That’s why we at the International Center for Journalists (ICFJ) launched the first-ever global survey on the adoption of new technologies in news media.

More than 2,700 newsroom managers and journalists, from 130 countries, responded to our survey, which was conducted in 12 languages. Storyful, Google News Lab and SurveyMonkey supported the research. ICFJ worked with Georgetown University’s Communication, Culture, and Technology (CCT) program to administer and analyze the survey, conducted using SurveyMonkey.

One highlight from the report:

Perhaps data hoarding journalists aren’t as secure as they imagine.

Considering they are hoarding stolen data for their own benefit, what would be their complaint if the data was liberated from them?

I’ve heard the “we act in the public interest” argument but unless and until the public can compare the data to their reports, it’s hard to judge such claims.

Notice I said “the public” and not me. There are entire areas of no interest to me or in which I lack the skills to judge the evidence. Interests and skills possessed by other members of the public.

I’m not interested in access to hoarded information until everyone has access to the same information. To exclude anyone from access is to put them at a disadvantage in any ensuing discussion. I’m not willing to go there. Are you?

pynlp – Pythonic Wrapper for Stanford CoreNLP [& Rand Paul]

November 14th, 2017

pynlp – Pythonic Wrapper for Stanford CoreNLP by Sina.

The example text for this wrapper:

text = (
    'GOP Sen. Rand Paul was assaulted in his home in Bowling Green, Kentucky, on Friday, '
    'according to Kentucky State Police. State troopers responded to a call to the senator\'s '
    'residence at 3:21 p.m. Friday. Police arrested a man named Rene Albert Boucher, who they '
    'allege "intentionally assaulted" Paul, causing him "minor injury. Boucher, 59, of Bowling '
    'Green was charged with one count of fourth-degree assault. As of Saturday afternoon, he '
    'was being held in the Warren County Regional Jail on a $5,000 bond.')

[Warning: Reformatted for readability. See the Github page for the text]

Nice to see examples using contemporary texts. Any of the recent sexual abuse apologies or non-apologies would work as well.

Enjoy!

Hackers! 90% of Federal IT Managers Aiming for Their Own Feet!

November 14th, 2017

The Federal Cyber AI IQ Test November 14, 2017 reports:

Most Powerful Applications:

  • 90% of Feds say AI could help prepare agencies for real-world cyber attack scenarios and 87% say it would improve the efficiency of the Federal cyber security workforce
  • 91% say their agency could utilize AI to monitor human activity and deter insider threats, including detecting suspicious elements and large amounts of data being downloaded, and analyzing risky user behavior

(emphasis in original)

One sure conclusion from this report, 90% of Feds don’t know AIs mistake turtles for rifles, 90% of the time. The adversarial example literature is full of such cases and getting more robust by the day.

The trap federal IT managers have fallen into is a familiar one. To solve an entirely human problem, a shortage of qualified labor, they want to mechanize the required task, even if it means a lower quality end result. Human problems are solved poorly, if at all, by mechanized solutions.

Opposed by lowest common denominator AI systems, hackers will be all but running the mints as cybersecurity AI systems spread across the federal government. “Ghost” federal installations will appear on agency records for confirmation of FedEx/UPS shipments. The possibilities are endless.

If you are a state or local government or even a federal IT manager, letting hackers run wild isn’t a foregone conclusion.

You could pattern your compensation packages after West Coast start-ups, along with similar perks. Expensive but do you want an OMB type data leak on your record?

Human Trafficking Resources (@gijn)

November 14th, 2017

The Global Investigative Journalism Network, @gijn, has created three guides for investigative reporters covering human trafficking:

  1. Human Trafficking Resources: Data.
  2. Human Trafficking Resources: Stories.
  3. Human Trafficking Resources: Best Practices in Reporting.

It’s a tough subject this close to the holidays but the victims of human traffickers don’t enjoy holidays, 365 days out of the year.

What I missed in “Best Practices” was mention of the use of data science to combat human trafficking.

On that score, a starter set of three resources:

Data science can help us fight human trafficking by Renata Konrad and Andrew C. Trapp.

Combating Human Trafficking Using Data Science (Booz Allen whitepaper)

How Data Analytics Is Helping to Fight Human Trafficking by Alex Woodie.

It’s unlikely that human traffickers are more cyber secure than your average corporation or government agency, so there is a role for hackers to breach information systems used by human traffickers.

If you have resources on human trafficking to suggest, contact @gijn.

XML Prague 2017 – 21 Reasons to Attend 2018 – Offensive Use of XQuery

November 13th, 2017

XML Prague 2017 Videos

Need reasons for your attending XML Prague 2018?

The XML Prague 2017 YouTube playlist has twenty-one (21) very good reasons (videos). (You may have to hold the hands of c-suite types if you share the videos with them.)

Two things I see missing from the presentations: security and offensive use of XQuery.

XML Security

You may have noticed that corporations, governments and others have been hemorrhaging data in 2017 (and before). While legislators wail ineffectually and wish for an 18th century world, the outlook for cybersecurity looks grim for 2018.

XML and XML applications exist in a law of the jungle security context. But there weren’t any presentations on security related issues at XML Prague in 2017. Are you going to break the ice in 2018?

Offensive use of XQuery

XQuery has the power to extract, enhance and transform data to serve your interests, not those of its authors.

I’ve heard the gospel that technologists should disarm themselves and righteously await a better day. Meanwhile, governments, military forces, banks, and their allies loot and rape the Earth and its peoples.

Are data scientists at the NSA, FSB, MSS, MI6, Mossad, CIA, etc., constrained by your “do no evil” creeds?

Present governments or their successors can move towards more planet and people friendly policies, but they require, ahem, encouragement.

XQuery, which doesn’t depend upon melting data centers, supercomputers, global data vacuuming, etc., can help supply that encouragement.

How would you use XQuery to transform government data to turn it against its originator?

Intro to Low-Level Graphics on Linux – Impressing Spouse’s Family

November 12th, 2017

Intro to Low-Level Graphics on Linux

From the webpage:

This tutorial attempts to explain a few of the possible methods that exist on Linux to access the graphics hardware from a low level. I am not talking about using Xlib instead of GTK+ or QT5, nor am I talking about using DirectFB, I want to go even lower than that; I’m talking about drawing graphics to the screen without needing any external dependencies; I’m talking about communicating directly with the Linux kernel. I will also provide information about programming for newer graphical systems (Wayland/Mir) even though those do not involve direct communication with the kernel drivers. The reason I want to provide this information in this tutorial is that even though their APIs are higher level, the programming techniques used in low-level graphics programming can easily be adapted to work with Wayland and Mir. Also, similar to fbdev and KMS/DRM APIs, good programming resources are hard to come by.

Most Linux systems actually provide a few different methods for drawing graphics to the screen; there are options. However, the problem is that documentation is basically non-existent. So, I would like to explain here what you need to know to get started.

Please note that this tutorial assumes you have a basic knowledge of C, this is not a beginner tutorial, this is for people who are interested in something like learning more about how Linux works, or about programming for embedded systems, or just doing weird experimental stuff for fun.

You can impress your spouse’s family this holiday season by writing C code for low-level graphics on Linux. They won’t know you are frantically typing comments to the example code and will be suitably impressed by compiling.

The other reason to mention this is the presence of Linux on embedded systems. Embedded systems such as in industrial controllers, monitoring equipment, etc. The more comfortable you are with such systems, the easier they will be to explore.
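Concretely, the “communicating directly with the Linux kernel” route the tutorial refers to is fbdev: open /dev/fb0, ask the driver for the screen mode with two ioctls, mmap the video memory and write pixels into it. The following is an added example for this post, not code from the tutorial; it assumes a Linux host with a framebuffer device and a little-endian CPU. The pixel arithmetic is kept in separate functions (the names pixel_offset, pack_pixel and fill_rect are my own) so it can be checked without any graphics hardware, and so the two things the kernel reports that beginners usually get wrong, the padded line length and the per-channel bit layout, are visible.

```c
/* Minimal Linux fbdev example: open /dev/fb0, query the mode, fill a
 * rectangle through the mmap'd framebuffer.  Added example for this post,
 * not the tutorial's code.  Assumes Linux and a little-endian host. */
#include <fcntl.h>
#include <linux/fb.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* Byte offset of pixel (x, y) in the mapped memory.  line_length comes from
 * fb_fix_screeninfo (bytes per row, padding included, so not simply
 * xres * bytes per pixel); xoffset/yoffset account for virtual panning. */
static size_t pixel_offset(const struct fb_var_screeninfo *v,
                           const struct fb_fix_screeninfo *f,
                           unsigned x, unsigned y)
{
    return (size_t)(y + v->yoffset) * f->line_length
         + (size_t)(x + v->xoffset) * (v->bits_per_pixel / 8);
}

/* Pack 8-bit channels into the layout the driver reports.  Each channel has
 * its own bit offset and length (e.g. 5-6-5 at 16 bpp), so never assume
 * 0xRRGGBB; the shift drops the low bits a narrower channel cannot hold. */
static uint32_t pack_pixel(const struct fb_var_screeninfo *v,
                           uint8_t r, uint8_t g, uint8_t b)
{
    return ((uint32_t)(r >> (8 - v->red.length))   << v->red.offset)
         | ((uint32_t)(g >> (8 - v->green.length)) << v->green.offset)
         | ((uint32_t)(b >> (8 - v->blue.length))  << v->blue.offset);
}

/* Fill a w*h rectangle at (x0, y0), clipped to the visible resolution so a
 * bad size cannot write past the mapping.  Returns pixels written. */
static size_t fill_rect(uint8_t *fb, const struct fb_var_screeninfo *v,
                        const struct fb_fix_screeninfo *f,
                        unsigned x0, unsigned y0, unsigned w, unsigned h,
                        uint32_t pixel)
{
    size_t bpp = v->bits_per_pixel / 8, n = 0;
    for (unsigned y = y0; y < y0 + h && y < v->yres; y++)
        for (unsigned x = x0; x < x0 + w && x < v->xres; x++) {
            /* copy the low bpp bytes of the packed value (little-endian) */
            memcpy(fb + pixel_offset(v, f, x, y), &pixel, bpp);
            n++;
        }
    return n;
}

int main(void)
{
    struct fb_var_screeninfo vinfo;
    struct fb_fix_screeninfo finfo;
    int fd = open("/dev/fb0", O_RDWR);
    if (fd < 0) { perror("open /dev/fb0"); return 1; }
    if (ioctl(fd, FBIOGET_VSCREENINFO, &vinfo) < 0 ||
        ioctl(fd, FBIOGET_FSCREENINFO, &finfo) < 0) {
        perror("ioctl"); close(fd); return 1;
    }
    printf("%ux%u, %u bpp, %u bytes/line\n", vinfo.xres, vinfo.yres,
           vinfo.bits_per_pixel, finfo.line_length);
    uint8_t *fb = mmap(NULL, finfo.smem_len, PROT_READ | PROT_WRITE,
                       MAP_SHARED, fd, 0);
    if (fb == MAP_FAILED) { perror("mmap"); close(fd); return 1; }
    uint32_t green = pack_pixel(&vinfo, 0, 255, 0);
    fill_rect(fb, &vinfo, &finfo, 10, 10, 100, 50, green);
    munmap(fb, finfo.smem_len);
    close(fd);
    return 0;
}
```

Run it from a text console (not under X or Wayland, which own the display) as a user in the video group or as root; on a desktop the compositor may simply paint over the rectangle. The same open/ioctl/mmap pattern is what you will meet on embedded boards whose only display path is fbdev.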

Enjoy!

Scipy Lecture Notes

November 12th, 2017

Scipy Lecture Notes edited by Gaël Varoquaux, Emmanuelle Gouillart, Olav Vahtras.

From the webpage:

Tutorials on the scientific Python ecosystem: a quick introduction to central tools and techniques. The different chapters each correspond to a 1 to 2 hours course with increasing level of expertise, from beginner to expert.

In PDF format, some six-hundred and fifty-seven pages of top quality material on Scipy.

In addition to the main editors, there are fourteen chapter editors and seventy-three contributors.

Good documentation needs maintenance, so if you have improvements or examples to offer, perhaps your name will appear here in the not too distant future.

Enjoy!

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l

November 12th, 2017

Azeria-Labs VM – Naked Ubuntu VM w/ emulated ARMv6l by Azeria.

From the webpage:

Let me guess, you don’t want to bother with any of this and just want a ready-made Ubuntu VM with all QEMU stuff setup and ready-to-play. Very well. The first Azeria-Labs VM is ready. It’s a naked Ubuntu VM containing an emulated ARMv6l.

This VM is also for those of you who tried emulating ARM with QEMU but got stuck for inexplicable linux reasons. I understand the struggle, trust me.

It’s Sunday evening here and I have conference calls tomorrow. 🙁

Still, I wanted to pass on the news about the Azeria-Labs VM and Azeria’s pointer to “ARM” challenges at Root Me.

Enjoy!

Beginner’s Guide to Exploitation on ARM

November 12th, 2017

Beginner’s Guide to Exploitation on ARM by Billy Ellis.

From the website:

‘Beginner’s Guide to Exploitation on ARM’ is a beginner-friendly book aimed at individuals who are interested in learning the core concepts behind software vulnerability analysis & exploit development.

It explains everything from the basics of the ARM architecture to the various methods of exploitation used to take advantage of memory corruption vulnerabilities within modern systems today, using diagrams and example applications along the way to ensure that each chapter is easy to follow!

Judging from the rave reviews on Twitter and other forums, the time to order is now!

We’re all expecting relatives for the holiday season, at least in the US and Europe, so why not treat yourself to some reading material?

I will be posting more on this book after it arrives.

Enjoy!

WiMonitor – Hacker Arsenal, Design Suggestions

November 12th, 2017

WiMonitor

From the webpage:

WiMonitor makes Wi-Fi packet sniffing and network monitoring dead simple!

Once configured the device automatically scans channels 1-13 in the 2.4GHz band, captures packets and sends them to a remote IP address over Ethernet for further processing. The encapsulation is compatible with Wireshark so you can analyze Wi-Fi traffic using it.

More information on how to get started: Getting Started Guide.

Design Suggestions:

I’m not the artistic type but I do have a couple of suggestions for the housing of the WiMonitor.

Stock image from website:

Right, let’s make the case a bright white, use “Hacker Arsenal” with a bright graphic on top surface, have labels for Wan/Lan and USB (those are hard to recognize) and of course, a power light to attract attention.

Sigh. I guess it would go well with your standard working shirt:

Those c-suite types won’t notice you at all. Completely invisible.

If you strive to be a little less noticeable, ask Hacker Arsenal for a little less obvious WiMonitor. Something along these lines:

First, a black case, lose the cover as well:

(Yes, I need to work on my graphic editing skills. 😉 )

Second, make an internal USB connection sufficient for 256GB USB thumb drive, battery for power and lose the power light.

Make it drop and retrieve ready.

Now that would be a hot package!

Hacking 90% of the Commercial Air Fleet

November 12th, 2017

Short notice for the holiday travel season but 90% of the commercial air fleet can be hacked without insider or physical access.

Boeing 757 Testing Shows Airplanes Vulnerable to Hacking, DHS Says by Calvin Biesecker.

While the research is classified (making this a CTF type problem), Biesecker reports these broad hints:

“[Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft.

The aircraft that DHS is using for its tests is a legacy Boeing 757 commercial plane purchased by the S&T branch. After his speech at the CyberSat Summit, Hickey told Avionics sister publication Defense Daily that the testing is with the aircraft on the ground at the airport in Atlantic City, New Jersey. The initial response from experts was, “’We’ve known that for years,’” and, “It’s not a big deal,” Hickey said.

But in March 2017, at a technical exchange meeting, he said seven airline pilot captains from American Airlines and Delta Air Lines in the room had no clue.

“All seven of them broke their jaw hitting the table when they said, ‘You guys have known about this for years and haven’t bothered to let us know because we depend on this stuff to be absolutely the bible,’” Hickey said.

Terminology for researching this issue can be found in Boeing 757 Operations Manual Volume 2, sections 5.40.1 and 5.50.1. Hardware for testing your hack can be found at one or more aircraft boneyards. Or you can always purchase new systems and advice.

No need to rush for fear of patching:

…Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said.

The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s, he said, adding that other airlines that fly 737s would also see their earnings hurt. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

Aircraft also represent different challenges for cybersecurity and traditional land-based networks, Hickey said. He said that whether it’s the U.S. Air Force or the commercial sector, there are no maintenance crews that can deal with ferreting out cyber threats aboard an aircraft.

No one checking for vulnerabilities and if discovered too expensive to fix?

Sounds like a hacker’s wet dream.

Have Orwell’s pigs built their palaces out of straw?

PS: The meaning of “hack” when used by the DHS isn’t clear. It could mean bad temperature or location information, up to and including interference with flight control systems (highly unlikely). Interference with flight control systems is more likely to be a feature of the F-35.

Antivirus Engines Have Design Flaws?

November 12th, 2017

Antivirus Engine Design Flaw Helps Malware Sink Its Teeth Into Your System by Catalin Cimpanu.

Cimpanu routs the chest beating of antivirus vendors with this report on a design flaw common to Windows antivirus products. Code named AVGater by its discoverer, Florian Bogner, who also created a colorful logo for the vulnerability:

(Source: #AVGater: Getting Local Admin by Abusing the Anti-Virus Quarantine by Florian Bogner)

Cimpanu gives a high level summary and Bogner more details to support further investigation of this design flaw. An incomplete list of impacted vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Ikarus, and Zone Alarm by Check Point.

So the answer is yes, antivirus engines do have design, and other, flaws.

Antivirus and other security software increase the available attack surface for discovery of flaws and vulnerabilities.

If your antivirus or security software vendor denies increasing your attack surface, best you consider another vendor.