Not Zero-Day But Effective Hacking

October 20th, 2017

Catalin Cimpanu reminds us, in Student Expelled for Using Hardware Keylogger to Hack School, Change Grades, that not every effective hacking attack uses a zero-day vulnerability.

Zero-days get most of the press (‘Zero Days’ Documentary Exposes A Looming Threat Of The Digital Age), but capturing the keystrokes on a computer keyboard can be just as effective for stealing logins/passwords and other data.

Cimpanu suggests that hardware keyloggers can be had on Amazon or eBay for as little as $20.

I’m not sure when he looked but a search today shows the cheapest price on Amazon is $52.59 and on eBay $29.79. Check for current pricing.

I haven’t used it but the Keyllama 4MB USB Value Keylogger has an attractive form factor (1.6″) at $55.50.

USB keyloggers (there are also software keyloggers) require physical access for installation and retrieval.

You can attempt to play your favorite spy character or you can identify the cleaning service used by your target. Turnover in the cleaning business runs from 75 percent to 400 percent so finding or inserting a confederate is only a matter of time.

USB keyloggers aren’t necessary at the NSA as logins/passwords are available for the asking. (Snowden)

Gender Discrimination and Pew – The Obvious and Fake News

October 19th, 2017

Women are more concerned than men about gender discrimination in tech industry by Kim Parker and Cary Funk.

From the post:

Women in the U.S. are substantially more likely than men to say gender discrimination is a major problem in the technology industry, according to a Pew Research Center survey conducted in July and August.

The survey comes amid public debate about underrepresentation and treatment of women – as well as racial and ethnic minorities – in the industry. Critics of Silicon Valley have cited high-profile cases as evidence that the industry has fostered a hostile workplace culture. For their part, tech companies point to their commitment to increasing workforce diversity, even as some employees claim the industry is increasingly hostile to white males.

Was Pew repeating old news?

Well, Vogue: New Study Finds Gender Discrimination in the Tech Industry Is Still Sky-High (2016), Forbes: The Lack Of Diversity In Tech Is A Cultural Issue (2015), Gender Discrimination and Sexism in the Technology Industry (2014), Women Matter (2013), to cite only a few of the literally thousands of studies and surveys, onto which to stack the repetitive Pew report.

Why waste Pew funds to repeat what was commonly known and demonstrated by published research?

One not very generous explanation is the survey provided an opportunity to repeat “fake news.” You know, news that gets repeated so often that you don’t remember its source but it has credibility because you hear it so often?

“Fake news,” is the correct category for:

…even as some employees claim the industry is increasingly hostile to white males.

Repeating that claim in a Pew publication legitimates the equivalent of cries coming from an asylum.

One quick quote from Forbes, hardly a bastion of forward social thinking, dispels the “hostile to white male” fantasy, The Lack Of Diversity In Tech Is A Cultural Issue:


It has been a commonly held belief that the gender gap in tech is primarily a pipeline issue; that there are simply not enough girls studying math and science. Recently updated information indicates an equal number of high school girls and boys participating in STEM electives, and at Stanford and Berkeley, 50% of the introductory computer science students are women. That may be the case, but the U.S. Census Bureau reported last year that twice as many men as women with the same qualifications were working in STEM fields.

A USA Today study discloses that top universities graduate black and Hispanic computer science and computer engineering students at twice the rate that leading technology companies hire them. Although these companies state they don’t have a qualified pool of applicants, the evidence does not support that claim.

When 2/3 of the workers in a field are male, it strains the imagination to credit claims of “hostility.”

I have no fact based explanation for the reports of “hostility” to white males.

Speculations abound, perhaps they are so obnoxious that even other males can’t stand them? Perhaps they are using “hostility” as a cover for incompetence? Who knows?

What is known is that money is needed to address sexism in the workplace (not repeating the research of others) and fake news such as “hostile to white males” should not be repeated by reputable sources, like Pew.

Fake News, Facts, and Alternative Facts – Danger of Inaccurate News (Spoiler – Trump)

October 18th, 2017

Why Inaccurate News is a Threat by Josh Pasek.

Pasek’s clip is part of the larger Fake News, Facts, and Alternative Facts.

Pasek uses a couple of examples from the 2016 presidential campaign to conclude:


So what we end up with, then, is an environment where we have an ideal news consumer or even a suboptimal news consumer. And what can happen as they get and interact with inaccurate information, is they come to a point where their views and the way that they start voting, making decisions, etc., can be based on something that’s wrong. And that, in turn, can mean that we elect people who aren’t necessarily the candidates that will best enact what people want. That people end up saying that they’re for a particular thing. When, in fact, if they knew more about it, they’d be against it. And those sorts of biases can be hugely pernicious to a democracy that successfully represents what it is that its people want.

Pasek has decided “inaccurate information” resulted in the election of Donald Trump and that’s his proof of the danger of inaccurate news.

If you remember his earlier comments about inference, his case runs like this:

  • There was inaccurate information reported in the media during the 2016 presidential election.
  • Therefore inaccurate information was responsible for the election of Donald Trump.

I don’t doubt inaccurate information was circulating during the 2016 presidential election but it’s a terrifying leap from the presence of inaccurate information to crediting a presidential election to that single cause.

Especially without asking: how much inaccurate information as compared to how much accurate information? How many voters were influenced? To what degree were influenced voters influenced? Toward which candidate were they influenced? In which states were they influenced? What other factors impacted voters? To what degree did other factors influence voters? Etc.

Without much deeper and complex analysis of voters and their voting behavior, claims that inaccurate information was in circulation, while factually true, are akin to saying the sun rose and set on election day, 2016. True but its impact on the election is far from certain.

Fake News, Facts, and Alternative Facts – Claims vs. Deductions

October 18th, 2017

Auto-grading for the first quiz in Fake News, Facts, and Alternative Facts marked my responses as incorrect for:

On the contrary, in a news report, both:

  • “In a survey of Americans, Democrats were more likely than Republicans to believe that September 11th was a government cover-up.”
  • “Scientists have looked for a potential link between vaccinations and autism and cannot find any evidence across multiple epidemiological studies.”

are claims by the person reporting that information.

You have no doubt heard surveys show a majority of Americans favor gun control. Would your opinion about those reports change if you knew the survey asked: “Do you think convicted murderers should be allowed to own guns?” Prohibiting gun ownership by convicted murderers is a form of gun control.

Knowing the questions asked in a survey, how respondents were selected, the method of conducting the survey and a host of other information is necessary before treating any report of a survey as anything other than a claim. You have no way of knowing if a reporter knew any more about the survey than the statement shown in the test. That’s a claim, not “systematically derived evidence … [that] reflects deductive testing using the scientific method.”

The claim about scientists and a link between vaccinations and autism is even weaker. Notice you are given the reporter’s conclusion about a report by scientists and not the report per se. You have no way to evaluate the reporter’s claim by examining the article, what “multiple epidemiological studies” were compared, out of a universe of how many other “epidemiological studies,” in which countries, etc.

I don’t doubt the absence of such a connection but “summarizes deductive evidence that was generated to specifically and rigorously evaluate a particular question. It reflects deductive testing using the scientific method” is an attempt to dress the claim by a reporter in the garb of what may or may not be true for the scientific study.

Reporting a scientific study isn’t the same thing as a scientific study. A scientific study can be evaluated, questioned, etc., all things that a bare report, a “claim” in my view, cannot.

Every report of a scientific study should link or give a standard reference to the scientific study. Reports that don’t, I skip and you should as well.

Thinking Critically About “Fake News, Facts, and Alternative Facts” (Coursera)

October 17th, 2017

Fake News, Facts, and Alternative Facts by Will Potter, Josh Pasek, and Brian Weeks.

From “About this course:”

How can you distinguish credible information from “fake news”? Reliable information is at the heart of what makes an effective democracy, yet many people find it harder to differentiate good journalism from propaganda. Increasingly, inaccurate information is shared on Facebook and echoed by a growing number of explicitly partisan news outlets. This becomes more problematic because people have a tendency to accept agreeable messages over challenging claims, even if the former are less objectively credible. In this teach-out, we examine the processes that generate both accurate and inaccurate news stories, and that lead people to believe those stories. We then provide a series of tools that ordinary citizens can use to tell fact from fiction.

To honor the exhortations to “use critical thinking,” here are some critical thoughts on the course description for “Fake News, Facts, and Alternative Facts.”

How can you distinguish credible information from “fake news”?

The description starts with black and white, normative classifications, one good, “credible information,” and one bad, “fake news.” Information other than being alive or dead is rarely that clear cut. As Tom Petty recently proved, even being dead can be questionable.

You are being emotionally primed to choose “credible information,” as opposed to evaluating information to determine the degree, if any, it should be trusted or used.

Reliable information is at the heart of what makes an effective democracy,

A remarkable claim, often repeated but I have never seen any empirical evidence for that proposition. In critical thinking terms, you would first have to define “reliable information” and “effective democracy.” Then using those definitions, provide empirical evidence to prove that in the absence of “reliable information” democracy is ineffective and with “reliable information” democracy is effective.

It’s an easy claim to make, but in the context of a critical thinking course, isn’t more required than repeating popular cant?

I’ll grant many theories of democracy are predicated upon “reliable information” but then those theories also posit equal treatment of all citizens, another popular fiction.

yet many people find it harder to differentiate good journalism from propaganda.

As opposed to when? What is the baseline for when people could more easily “…differentiate good journalism from propaganda…?” Whenever you hear this claim made, press for the study with evidence to prove this point.

You do realize anyone claiming such a position considers themselves capable of making those distinctions and you are very likely in the class of people who cannot. In traditional terminology, that’s called having a bias, in favor of their judgment as opposed to yours.

Increasingly, inaccurate information is shared on Facebook and echoed by a growing number of explicitly partisan news outlets.

You know the factual objections by this point: what documentation is there for an increase in “inaccurate information” (is that the same as false information?) over when? When was there less inaccurate information? Moreover, when were there fewer “explicitly partisan news outlets?”

By way of example, consider these statements about Jefferson during the presidential election in 1800:


In the election of 1800, ministers spread rumors that Jefferson held worship services at Monticello where he prayed to the “Goddess of Reason” and sacrificed dogs on an altar. Yale University president Timothy Dwight warned that if he became president, “we may see the Bible cast into a bonfire.” Alexander Hamilton asked the governor of New York to take a “legal and constitutional step” to stop the supposed atheist vice president from becoming head of state. Federalists who opposed him called him a “howling atheist,” a “manifest enemy to the religion of Christ,” a “hardened infidel,” and, for good measure, a “French infidel.” As Smith describes it, insults like these were issued forth from hundreds of pulpits in New England and the mid-Atlantic. When Jefferson won the election, many New England Federalists buried their Bibles in their gardens so the new administration would not confiscate and burn them.

It may just be me but it sounds like there was “inaccurate information” and “explicitly partisan news outlets” available during the presidential election of 1800.

When anyone claims there is more “inaccurate information” or “explicitly partisan news outlets,” ask for percentage evidence against some base period.

Surely if they are devoted to “credible/reliable information,” they would not make such statements in the absence of facts to back them up. Yes?

This becomes more problematic because people have a tendency to accept agreeable messages over challenging claims, even if the former are less objectively credible.

People accepting messages they find agreeable is a statement of how people process information. Thinking Fast, Thinking Slow, Kahneman.

The claim goes off the rails with “…even if the former are less objectively credible.”

Where does “…less objectively credible.” come from? It’s a nice sleight of hand but never fall for anyone claiming an “objective” context. It doesn’t, hasn’t and won’t ever exist.

You can make claims from the context of a community of people, scholars, experts, etc., that is, every claim originates in shared values and worldview. (See Stanley Fish if you are interested in the objectivity issue.)

As with all such claims, the authors have criteria for “objectively credible” they want you to use in preference to other criteria, suggested by others.

There’s nothing wrong with advocating particular criteria for judging information, we can all do no more or less. What I object to is cloaking it in the fiction of being beyond a context, to be “objective.” Let us all put forth our criteria and contend for which one should be preferred on an equal footing.

In this teach-out, we examine the processes that generate both accurate and inaccurate news stories, and that lead people to believe those stories. We then provide a series of tools that ordinary citizens can use to tell fact from fiction.

I can almost buy into “accurate” versus “inaccurate” news stories but then I’m promised “tools” to enable me to “…tell fact from fiction.”

Hmmm, but “Who is this class for:” promises:

This course is aimed at anyone who wants to distinguish credible news from “Fake News” by learning to identify biases and become a critical information consumer.

I don’t read “…learning to identify biases…” as being the same thing as “…tools…to tell fact from fiction.”

The latter sounds more like someone is telling me which is fact and fiction? Not the same as being on my own.

I’m enrolling in the course now and will have more comments along the way.

The crucial point here is that “critical thinking” should be universally applied, especially so to discussions of critical thinking.

Tor Keeps You Off #KRACK

October 17th, 2017

You have seen the scrambling to address KRACK (Key Reinstallation Attack), a weakness in the WPA2 protocol. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more by Dan Goodin and Falling through the KRACKs by John Green are two highly informative and amusing posts out of literally dozens on KRACK.

I won’t repeat their analysis here but wanted to point out that Tor users are immune from KRACK, even unpatched.

A teaching moment to educate users about Tor!

Unicode Egyptian Hieroglyphic Fonts

October 16th, 2017

Unicode Egyptian Hieroglyphic Fonts by Bob Richmond.

From the webpage:

These fonts all contain the Unicode 5.2 (2009) basic set of Egyptian Hieroglyphs.

Please contact me if you know of any others, or information to include.

Also of interest:

UMdC Coding Manual for Egyptian Hieroglyphic in Unicode

UMdC (Unicode MdC) aims to provide guidelines for encoding Egyptian Hieroglyphic and related scripts in Unicode using plain text with optional lightweight mark-up.

This GitHub project is the central point for development of UMdC and associated resources. Features of UMdC are still in a discussion phase so everything here should be regarded as preliminary and subject to change. As such the project is initially oriented towards expert Egyptologists and software developers who wish to help ensure ancient Egyptian writing system is well supported in modern digital media.

The Manuel de Codage (MdC) system for digital encoding of Ancient Egyptian textual data was adopted as an informal standard in the 1980s and has formed the basis for most subsequent digital encodings, sometimes using extensions or revisions to the original scheme. UMdC links to the traditional methodology in various ways to help with the transition to Unicode-based solutions.

As with the original MdC system, UMdC data files (.umdc) can be viewed and edited in standard text editors (such as Windows Notepad) and the HTML <textarea></textarea> control. Specialist software applications can be adapted or developed to provide a simpler workflow or enable additional techniques for working with the material.

Also see UMdC overview [pdf].

A UMdC-compatible hieroglyphic font Aaron UMdC Alpha (relative to the current draft) can be downloaded from the Hieroglyphs Everywhere Fonts project.

For news and information on Ancient Egyptian in Unicode see https://hieroglyphseverywhere.blogspot.co.uk/.

I understand the need for “plain text” viewing of hieroglyphics, especially for primers and possibly for search engines, but Egyptian hieroglyphs can be written facing right or left, top to bottom and more rarely bottom to top. Moreover, artistic and other considerations can result in transposition of glyphs out of their “linear” order in a Western reading sense.

Unicode hieroglyphs are a major step forward for the interchange of hieroglyphic texts but we should remain mindful “linear” presentation of inscription texts is a far cry from their originals.

The greater our capacity for graphic representation, the more we simplify complex representations from the past. Are the needs of our computers really that important?

A cRyptic crossword with an R twist

October 13th, 2017

A cRyptic crossword with an R twist

From the post:

Last week’s R-themed crossword from R-Ladies DC was popular, so here’s another R-related crossword, this time by Barry Rowlingson and published on page 39 of the June 2003 issue of R-news (now known as the R Journal). Unlike the last crossword, this one follows the conventions of a British cryptic crossword: the grid is symmetrical, and eschews 4×4 blocks of white or black squares. Most importantly, the clues are in the cryptic style: rather than being a direct definition, cryptic clues pair wordplay (homonyms, anagrams, etc) with a hidden definition. (Wikipedia has a good introduction to the types of clues you’re likely to find.) Cryptic crosswords can be frustrating for the uninitiated, but are fun and rewarding once you get into it.

In fact, if you’re unfamiliar with cryptic crosswords, this one is a great place to start. Not only are many (but not all) of the answers related in some way to R, Barry has helpfully provided the answers along with an explanation of how the cryptic clue was formed. There’s no shame in peeking, at least for a few, to help you get your legs with the cryptic style.

Another R crossword for your weekend enjoyment!

Enjoy!

Fact-Free Reporting on Kaspersky Lab – Stealing NSA Software Tip

October 12th, 2017

I tweeted:

@thegrugq Israelis they hacked Kaspersky, saw Russians there, tell NSA, lots of he, they, we say, few facts.

The grugq (@thegrugq) responded with the best question on the Kaspersky story:

What would count as a fact here? Kaspersky publicised the hack when it happened. Does that count as a fact?

What counts as a fact is central to my claim that thus far, all we have seen is fact-free reporting on the alleged use of Kaspersky Lab software to obtain NSA tools.

Opinions are reported but not facts you could give to an expert like Bruce Schneier and ask for an opinion.

What would I think of as “facts” in this case?

What did Israeli intelligence allegedly see when it hacked into Kaspersky Lab?

Not some of the data, not part of the data, but a record of all the data seen upon which they then concluded the Russians were using it to search for NSA software.

To the automatic objection this was a “secret intelligence operation,” let me point out that without that evidence, the NSA and anyone else further down the chain of distribution of the Israeli opinion, were being manipulated by that opinion in the absence of facts.

Just as the NSA wants to foist its opinion on the public, through unnamed sources, without any evidence for the public to form its own opinion based on facts.

The prevention of contrary opinions, or avoiding questioning of an opinion, can only be achieved by blocking access to the alleged evidence that “supports” the opinion.

Without any “facts” to speak of, the Department of Homeland Security is attempting to govern all federal agencies and their use of Kaspersky security software.

Stating the converse, how do you dispute claims made by unnamed sources that say the Israelis saw the Russians using Kaspersky Lab software to look for NSA software?

The obvious answer is that you can’t. There are no facts to check, no data to examine, and that, in my opinion, is intentional.

PS: If you want to steal NSA software, history says the easiest route is to become an NSA contractor. Much simpler than hacking anti-virus software, then using it to identify likely computers, then hacking identified computers. Plus, you get paid vacation every year until you are caught. Who can argue with that?

Cheap Tracking of Public Officials/Police

October 12th, 2017

The use of license plate readers by law enforcement and others is on the rise. Such readers record the location of your license plate at a particular time and place. They also relieve public bodies of large sums of money.

How I replicated an $86 million project in 57 lines of code by Tait Brown details how he used open source software to create a “…good enough…” license plate reader for far less than the ticket price of $86 million.

Brown has an amusing (read unrealistic) good Samaritan scenario for his less expensive/more extensive surveillance system:


While it’s easy to get caught up in the Orwellian nature of an “always on” network of license plate snitchers, there are many positive applications of this technology. Imagine a passive system scanning fellow motorists for an abductor’s car that automatically alerts authorities and family members to their current location and direction.

The Teslas vehicles are already brimming with cameras and sensors with the ability to receive OTA updates — imagine turning them into a virtual fleet of good samaritans. Ubers and Lyft drivers could also be outfitted with these devices to dramatically increase the coverage area.

Using open source technology and existing components, it seems possible to offer a solution that provides a much higher rate of return — for an investment much less than $86M.

The better use of Brown’s less expensive/more extensive surveillance system is tracking police and public official cars. Invite them to the goldfish bowl they have created for all the rest of us.

A great public data resource for testing testimony about the presence/absence of police officers at crime scenes, protests, long rides to the police station and public officials consorting with co-conspirators.

ACLU calls for government to monitor itself reflect an unhealthy confidence in governmental integrity. Only a close watch on government by citizens enables governmental integrity.

XML Prague 2018 – Apology to Procrastinators

October 12th, 2017

Apology to all procrastinators, I just saw the Call for Proposals for XML Prague 2018.

You only have 50 days (until November 30, 2017) to submit your proposals for XML Prague 2018.

Efficient people don’t realize that 50 days is hardly enough time to put off thinking about a proposal topic, much less fail to write down anything for a proposal. Completely unreasonable demand but, do try to procrastinate quickly and get a proposal done for XML Prague 2018.

The suggestion of doing a “…short video…” seems rife with potential for humor and/or NSFW images. Perhaps XML Prague will post the best “…short videos…” to YouTube?

From the webpage:

XML Prague 2018 now welcomes submissions for presentations on the following topics:

  • Markup and the Extensible Web – HTML5, XHTML, Web Components, JSON and XML sharing the common space
  • Semantic visions and the reality – micro-formats, semantic data in business, linked data
  • Publishing for the 21st century – publishing toolchains, eBooks, EPUB, DITA, DocBook, CSS for print, …
  • XML databases and Big Data – XML storage, indexing, query languages, …
  • State of the XML Union – updates on specs, the XML community news, …
  • XML success stories – real-world use cases of successful XML deployments

There are several different types of slots available during the conference and you can indicate your preferred slot during submission:

  • 30 minutes, 15 minutes: These slots are suitable for normal conference talks.
  • 90 minutes (unconference): Ideal for holding users meeting or workshop during the unconference day (Thursday).

All proposals will be submitted for review by a peer review panel made up of the XML Prague Program Committee. Submissions will be chosen based on interest, applicability, technical merit, and technical correctness.

Authors should strive to contain original material and belong in the topics previously listed. Submissions which can be construed as product or service descriptions (adverts) will likely be deemed inappropriate. Other approaches such as use case studies are welcome but must be clearly related to conference topics.

Proposals can have several forms:

  • full paper: In our opinion still ideal and classical way of proposing presentation. Full paper gives reviewers enough information to properly assess your proposal.
  • extended abstract: Concise 1-4 page long description of your topic. If you do not have time to write full paper proposal this is one possible way to go. Try to make your extended abstract concrete and specific. Too short or vague abstract will not convince reviewers that it is worth including into the conference schedule.
  • short video (max. 5 minutes): If you are not writing person but you still have something interesting to present. Simply capture short video (no longer than 5 minutes) containing part of your presentation. Video can capture you or it can be screen cast.

I mentioned XSLT security attacks recently, perhaps you could do something similar on XQuery? Other ways to use XML and related technologies to breach cybersecurity?

Do submit proposals and enjoy XML Prague 2018!

Online Verification Course (First Draft) [Open To Public – January 2018]

October 11th, 2017

First Draft launches its online verification training course

From the post:

Journalists strive to get the story right, but as we are bombarded by far more information than ever before, the tools and skills crucial to telling the whole story are undergoing a profound change. Understanding who took the photo or video, who created the website and why, enables journalists to meet these challenges. Verification training, up until now, has largely been done on the job and as needed. But today, we’re thrilled to announce the launch of our online verification course.

In this course, we teach you the steps involved in verifying the eyewitness media, fabricated websites, visual memes and manipulated videos that emerge on social media. The course is designed so that anyone can take the course from start to finish online, or educators can take elements and integrate into existing classroom teaching. For newsroom training managers, we hope you can encourage your staff to take the course online, or you can take individual videos and tutorials and use during brown-bag lunches. We provide relevant and topical examples — from events such as Hurricane Irma and the conflict in Syria — to show how these skills and techniques are put into practice.

The course is open only to First Draft partners until January 2018, so consider that as an incentive for your organization to become a First Draft partner!

I haven’t seen the course material but the video introduction and the high quality of all other First Draft materials set high expectations for the verification course.

Looking forward to a First Draft course on skepticism for journalists, which uses the recent Wall Street Journal repetition of government slanders about Kaspersky Lab, which is subsequently discovered to be: “we (Israel) broke into the Kaspersky house and while robbing the place saw another burglar (Russia) there and they were looking for NSA software, so we alerted the NSA.” (How Israel Caught Russian Hackers Scouring the World for U.S. Secrets)

Only an editor suffering from nationalism to the point of being a mental disorder would publish such a story without independent verification. Could well all be true but when all the sources are known liars, something more is necessary before reporting it as “fact.”

Busting Fake Tweeters

October 10th, 2017

The ultimate guide to bust fake tweeters: A video toolkit in 10 steps by Henk van Ess.

From the post:

Twitter is full of false information. Even Twitter co-founder Ev Williams recognizes that there is a “junk information epidemic going on,” as “[ad-driven platforms] are benefiting from people generating attention at pretty much any cost.”

This video toolkit is intended to help you debunk dubious tweets. It was first developed in research by the Institute for Strategic Dialogue and the Arena Program at the London School of Economics to detect Russian social media influence during the German elections. It was also the basis for a related BuzzFeed article on a Russian bot farm and tweets about the AfD  — the far-right party that will enter the German parliament for the first time.

This is an excellent resource for teaching users skepticism about Twitter accounts.

For your use in creating a personal cheatsheet (read van Ess for the links):

  1. Find the exact minute of birth
  2. Find the first words
  3. Check the followers
  4. Find Twitter users in Facebook
  5. Find suspicious words in tweets
  6. Searching in big data
  7. Connect a made up Twitter handle to a real social media account
  8. Find a social score
  9. How alive is the bot?
  10. When (and how) is your bot tweeting?

Deciding that a Twitter account may be legitimate is only the first step in evaluating tweeted content.

The @WSJ account belongs to the Wall Street Journal, but it doesn’t follow their tweets are accurate or even true. Witness their repetition of government rumors about Kaspersky Lab for example. Not one shred of evidence, but WSJ repeats it.

Be skeptical of all Tweets, not just ones attributed to the “enemy of the day.”

Wall Street Journal Misses Malvertising Story – Congressional Phishing Tip

October 10th, 2017

Warning: Millions of POrnhub Users Hit With Malvertising Attack by Mohit Kumar.

From the post:

Researchers from cybersecurity firm Proofpoint have recently discovered a large-scale malvertising campaign that exposed millions of Internet users in the United States, Canada, the UK, and Australia to malware infections.

Active for more than a year and still ongoing, the malware campaign is being conducted by a hacking group called KovCoreG, which is well known for distributing Kovter ad fraud malware that was used in 2015 malicious ad campaigns, and most recently earlier in 2017.

The KovCoreG hacking group initially took advantage of POrnHub—one of the world’s most visited adult websites—to distribute fake browser updates that worked on all three major Windows web browsers, including Chrome, Firefox, and Microsoft Edge/Internet Explorer.

According to the Proofpoint researchers, the infections in this campaign first appeared on POrnHub web pages via a legitimate advertising network called Traffic Junky, which tricked users into installing the Kovter malware onto their systems.

When you spend your time spreading government directed character assassination rumors about Kerpersky Lab, you miss opportunities to warn your readers about malvertising infections from PornHub.

Just today, the Wall Street Journal (WSJ) left its readers in the dark about Kovter ad fraud malware from PornHub.

You can verify that claim by using site:wsj.com plus KovCoreG, Kovter, and PornHub to search wsj.com. As of 15:00 on October 9, 2017, I got zero “hits.”

The WSJ isn’t a computer security publication but an infection from one of the most popular websites in the world, especially one of interest to likely WSJ subscribers, Harvey Weinstein, Donald Trump, for example, should be front page, above the fold.

Yes?

PS: Congressional Phishing Tip: For phishing congressional staffers, members of congress, their allies and followers, take a hint from the line: “…POrnHub—one of the world’s most visited adult websites….” Does that suggest subject matter for phishing that has proven to be effective?

Euromyths A-Z index

October 9th, 2017

Euromyths A-Z index: an index of foolish acts by the EU that are false.

See the EU site for foolish acts that are true.

Enjoy!

PS: There are Snopes and Politifact for US politics, should there be a more legislation/regulation oriented resource?

The IRS hiring Equifax after its data breach for security, for example (true). I don’t find that surprising; compared to government security practices, Equifax is the former KGB.

How To Be A Wizard Programmer – Julia Evans @b0rk

October 9th, 2017

See at full scale.

Criticism: Julia does miss one important step!

Follow: Julia Evans @b0rk

😉

OnionShare – Safely Sharing Email Leaks – 394 Days To Mid-terms

October 8th, 2017

FiveThirtyEight concludes Clinton’s leaked emails had some impact on the 2016 presidential election, but can’t say how much. How Much Did WikiLeaks Hurt Hillary Clinton?

Had leaked emails been less boring and non-consequential, “smoking gun” sort of emails, their impact could have been substantial.

The lesson being the impact of campaign/candidate/party emails is impossible to judge until they have been leaked. Even then the impact may be uncertain.

“Leaked emails” presumes someone has leaked the emails, which in light of the 2016 presidential election, is a near certainty for the 2018 congressional mid-term elections.

Should you find yourself in possession of leaked emails, you may want a way to share them with others. My preference is for public posting without edits or deletions, but not everyone shares my confidence in the public.

One way to share files securely and anonymously with specific people is OnionShare.

From the wiki page:

What is OnionShare?

OnionShare lets you securely and anonymously share files of any size. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable URL to access and download the files. It doesn’t require setting up a server on the internet somewhere or using a third party filesharing service. You host the file on your own computer and use a Tor onion service to make it temporarily accessible over the internet. The other user just needs to use Tor Browser to download the file from you.

How to Use

http://asxmi4q6i7pajg2b.onion/egg-cain. This is the secret URL that can be used to download the file you’re sharing.

Send this URL to the person you’re sending the files to. If the files you’re sending aren’t secret, you can use normal means of sending the URL, like by emailing it, or sending it in a Facebook or Twitter private message. If you’re sending secret files then it’s important to send this URL securely.

The person who is receiving the files doesn’t need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.
(emphasis in original)

Download OnionShare 1.1. Versions are available for Windows and Mac OS X, with instructions for Ubuntu, Fedora and other flavors of Linux.

Caveat: If you are sending a secret URL to leaked emails or other leaked data, use ordinary mail, no return address, standard envelope from a package of them you discard, on the back of a blank counter deposit slip, with letters from a newspaper, taped in the correct order, sent to the intended recipient. (No licking, it leaves trace DNA.)

Those are the obvious security points about delivering a secret URL. Take that as a starting point.

PS: I would never contact the person chosen for sharing about shared emails. They can be verified separate and apart from you as the source. Every additional contact puts you in increased danger of becoming part of a public story. What they don’t know, they can’t tell.

Shaming Hackers – New (Failing) FBI Strategy

October 8th, 2017

There are times, not often, when government agencies are so clueless that I feel pity for them.

Case in point, the FBI strategy reported in FBI’s Cyber Strategy: Shame the Hackers.

From the post:

The Federal Bureau of Investigation wants to publicly shame cyber criminals after they’ve been caught as part of an effort to make sure malicious actors don’t count on anonymity.

“You will be identified, pursued, and held to account no matter where you are in the world,” Paul Abbate, the FBI’s executive assistant director of the Criminal, Cyber, Response and Services Branch, said at a U.S. Chamber of Commerce event in Washington Wednesday.

The FBI’s cyber response team is focused on tracking down “high-level network and computer intrusion,” carried out by “state-sponsored hackers and global organized criminal syndicates,” Abbate said. Often, these malicious actors are operating from overseas, using “foreign technical infrastructure” that makes the threats especially difficult to detect.

Once those actors are identified, the FBI tries to “impose costs on them,” which might include “economic sanctions, prison terms, or battlefield death.” It also aims to “publicly name them, shame them, and let everyone know who they are…[so they] don’t feel immune or anonymous.”

Hmmmm, but if being anonymous is the goal of hackers, why do so many claim credit for hacks?

A smallish sampling of such claims: “Anonymous” claims credit for hacking into Federal Reserve (“Anonymous”), Guccifer 2.0 takes credit for hacking another Democratic committee (Guccifer 2.0), Hacker claims credit for WikiLeaks takedown (Jester), Hacker Group Claims Credit For Taking Xbox Live Offline (Lizard Squad), Hacking Group From Russia, China Claims Credit For Massive Cyberattack (New World Hackers), OurMine claims credit for attack on Pokemon Go servers (OurMine), Grandpa, patriot who goes by ‘The Raptor,’ claims credit for taking down Al Qaeda websites (The Raptor), Iranian Group Claims Credit for Hack Attack on New York Dam (SOBH Cyber Jihad), etc., etc.

Oh, the FBI equates being “anonymous” with:

You didn’t use your home/work email address, leaving your home/work phone numbers and addresses on an “I hacked your computer” note on the victim’s computer.

Hackers avoid leaving their true identity information just like skilled bank robbers don’t write robbery notes on their own deposit slips; it’s a way of avoiding interaction with the police. That’s not shame, that’s just good sense.

As far as “shaming” hackers, the FBI learned nothing from the case of Aaron Swartz: Aaron Swartz stood up for freedom and fairness – and was hounded to his death. Swartz was known among geeks but nowhere near as widely known until prosecutors hounded him to death. How’d shaming work for the FBI in that case?

Public “shaming” of hackers, most of whom attack the least sympathetic targets in society, is going to build the public (as opposed to hacker) reputations of “shamed” hackers.

Go ahead FBI, grant hackers the benefit of your PR machinery. “Shame” away.

Building Data Science with JS – Lifting the Curtain on Game Reviews

October 7th, 2017

Building Data Science with JS by Tim Ermilov.

Three videos thus far:

Building Data Science with JS – Part 1 – Introduction

Building Data Science with JS – Part 2 – Microservices

Building Data Science with JS – Part 3 – RabbitMQ and OpenCritic microservice

Tim starts with the observation that the percentage of users assigning a score to a game isn’t very helpful. It tells you nothing about the content of the game and/or the person rating it.

In subject identity terms, each level, mighty, strong, weak, fair, collapses information about the game and a particular reviewer into a single summary subject. OpenCritic then displays the percent of reviewers who are represented by that summary subject.

The problem with the summary subject is that one critic may have down rated the game for poor content, another for sexism and still another for bad graphics. But a user only knows that, for reasons unknown, a critic whose past behavior is unknown evaluated unknown content and assigned it a rating.

A user could read all the reviews, study the history of each reviewer, along with the other movies they have evaluated, but Ermilov proposes a more efficient means to peek behind the curtain of game ratings. (part 1)

In part 2, Ermilov designs a microservice based application to extract, process and display game reviews.

If you thought the first two parts were slow, you should enjoy Part 3. 😉 Ermilov speeds through a number of resources, documents, JS libraries, not to mention his source code for the project. You are likely to hit pause during this video.

Some links you will find helpful for Part 3:

AMQP 0-9-1 library and client for Node.JS – Channel-oriented API reference

AMQP 0-9-1 library and client for Node.JS (Github)

https://github.com/BuildingXwithJS

https://github.com/BuildingXwithJS/building-data-science-with-js

Microwork – simple creation of distributed scalable microservices in node.js with RabbitMQ (simplifies use of AMQP)

node-unfluff – Automatically extract body content (and other cool stuff) from an html document

OpenCritic

RabbitMQ. (Recommends looking at the RabbitMQ tutorials.)

A cRossword about R [Alternative to the NYTimes Sunday Crossword Puzzle]

October 6th, 2017

A cRossword about R by David Smith.

From the post:

The members of the R Ladies DC user group put together an R-themed crossword for a recent networking event. It’s a fun way to test out your R knowledge. (Click to enlarge, or download a printable version here.)

Maybe not a complete alternative to the NYTimes Sunday Crossword Puzzle but R enthusiasts will enjoy it.

I suspect the exercise of writing a crossword puzzle is a greater learning experience than solving it.

Thoughts?

Computational Data Analysis Workflow Systems

October 6th, 2017

Computational Data Analysis Workflow Systems

An incomplete list of existing workflow systems. As of today, approximately 17:00 EST, 173 systems in no particular order.

I first saw this mentioned in a tweet by Michael R. Crusoe.

One of the many resources found at: Common Workflow Language.

From the webpage:

The Common Workflow Language (CWL) is a specification for describing analysis workflows and tools in a way that makes them portable and scalable across a variety of software and hardware environments, from workstations to cluster, cloud, and high performance computing (HPC) environments. CWL is designed to meet the needs of data-intensive science, such as Bioinformatics, Medical Imaging, Astronomy, Physics, and Chemistry.

You should take a quick look at: Common Workflow Language User Guide to get a feel for CWL.

Try to avoid thinking of CWL as “documenting” your workflow if that is an impediment to using it. That’s a side effect but its main purpose is to make you more effective.

Lauren Duca Declares War!

October 6th, 2017

The latest assault on women’s health, which impacts women, men and children, is covered by Jessie Hellmann in: Trump officials roll back birth-control mandate.

Lauren is right, this is war. It is a war on behalf of women, men and children. Women are more physically impacted by reproduction issues but there are direct impacts on men and children as well. When the reproductive health of women suffers, the women, men in their lives and children suffer as well. The reproductive health of women is everyone’s concern.

For OpSec reasons, don’t post your answer, but have you picked a specific target for this war?

I ask because diffuse targets, Congress for example, lead to diffuse results.

Specific targets, now former representative Tim Murphy for example, can have specific results.

PS: Follow and support Lauren Duca, @laurenduca!

XSLT Server Side Injection Attacks

October 6th, 2017

XSLT Server Side Injection Attacks by David Turco.

From the post:

Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. Examples of XSLT remote code execution vulnerabilities with public exploits are CVE-2012-5357 affecting the .Net Ektron CMS; CVE-2012-1592 affecting Apache Struts 2.0; and CVE-2005-3757 which affected the Google Search Appliance.

From the examples above it is clear that XSLT vulnerabilities have been around for a long time and, although they are less common than other similar vulnerabilities such as XML Injection, we regularly find them in our security assessments. Nonetheless the vulnerability and the exploitation techniques are not widely known.

In this blog post we present a selection of attacks against XSLT to show the risks of using this technology in an insecure way.

We demonstrate how it is possible to execute arbitrary code remotely; exfiltrate data from remote systems; perform network scans; and access resources on the victim’s internal network.

We also make available a simple .NET application vulnerable to the described attacks and provide recommendations on how to mitigate them.

A great post for introducing XML and XSLT to potential hackers!

Equally great potential for a workshop at a markup conference.

Enjoy!
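Turco's post, quoted above, lists remote code execution, data exfiltration, network scans and access to internal resources as consequences of insecure XSLT processing. As an added example (not code from Turco's post or from this blog), here is a pre-flight audit in Python that refuses an untrusted stylesheet using the standard XSLT features that let a stylesheet reach outside its input: external inclusion, URI-reading functions, and script or extension calls. The function names and both sample stylesheets are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"  # namespace of msxsl:script blocks

# XSLT instructions that make the processor fetch or write another resource.
BLOCKED_INSTRUCTIONS = {"import", "include", "result-document"}
# Unprefixed functions that make the processor read a URI chosen by the stylesheet.
BLOCKED_FUNCTIONS = {"document", "doc", "unparsed-text"}

# A function call: optional "prefix:", a name, then "(". The lookbehind keeps
# axis steps such as child::node() from being read as prefixed calls.
_CALL = re.compile(r"(?<![:\w])(?:([A-Za-z_][\w.-]*):)?([A-Za-z_][\w.-]*)\s*\(")


def _split(tag):
    """Split ElementTree's '{namespace}local' name form."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def audit_stylesheet(text):
    """Return findings for an untrusted stylesheet; an empty list means none."""
    # Refuse DTDs before parsing so entity tricks never reach the XML parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _split(root.tag) not in ((XSLT_NS, "stylesheet"), (XSLT_NS, "transform")):
        findings.append("root element is not xsl:stylesheet or xsl:transform")
    for elem in root.iter():
        ns, local = _split(elem.tag)
        if ns == XSLT_NS and local in BLOCKED_INSTRUCTIONS:
            findings.append(f"xsl:{local} loads or writes an external resource")
        if ns == MSXSL_NS:
            findings.append(f"msxsl:{local} element (script extension namespace)")
        for name, value in elem.attrib.items():
            if _split(name)[1] == "extension-element-prefixes":
                findings.append("extension elements are declared")
            # Every attribute is scanned: literal result elements can carry
            # XPath too, inside {attribute value templates}.
            for prefix, func in _CALL.findall(value):
                if prefix:
                    # XPath 1.0 core functions are unprefixed, so a prefixed
                    # call is an extension function (fails closed for XPath 2.0).
                    findings.append(f"extension function call {prefix}:{func}()")
                elif func in BLOCKED_FUNCTIONS:
                    findings.append(f"{func}() reads a URI chosen by the stylesheet")
    return findings


def is_acceptable(text):
    """True only when the audit produced no findings."""
    return not audit_stylesheet(text)


# Constructed samples; intranet.example is a placeholder host.
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/orders">
    <ul><xsl:for-each select="order[position() &lt; 10]">
      <li><xsl:value-of select="concat(@id, ': ', normalize-space(child::name/text()))"/></li>
    </xsl:for-each></ul>
  </xsl:template>
</xsl:stylesheet>"""

HOSTILE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt">
  <xsl:include href="http://intranet.example/shared.xsl"/>
  <msxsl:script language="C#" implements-prefix="u"><!-- body omitted --></msxsl:script>
  <xsl:template match="/">
    <xsl:copy-of select="document('http://intranet.example/status')"/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for label, sheet in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, audit_stylesheet(sheet) or "no findings")
```

A regular expression does not parse XPath, so a string literal that merely contains `name(` is also reported; the audit errs toward refusal and belongs in front of, not in place of, an XSLT processor configured with scripts, external documents and resolvers disabled.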

Software McCarthyism – Wall Street Journal and Kaspersky Lab

October 5th, 2017

The Verge reports this instance of software McCarthyism by the Wall Street Journal against Kaspersky Lab saying:


According to the report, the hackers seem to have identified the files — which contained “details of how the U.S. penetrates foreign computer networks and defends against cyberattacks” — after an antivirus scan by Kaspersky antivirus software, which somehow alerted hackers to the sensitive files.
… (emphasis added)

Doesn’t “…somehow alerted hackers to the sensitive files…” sound a bit weak? Even allowing for restating the content of the original WSJ report?

The Wall Street Journal reports in Russian Hackers Stole NSA Data on U.S. Cyber Defense:

Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.

The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab, these people said.

U.S. investigators believe the contractor’s use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

Investigators did determine that, armed with the knowledge that Kaspersky’s software provided of what files were suspected on the contractor’s computer, hackers working for Russia homed in on the machine and obtained a large amount of information, according to the people familiar with the matter.

The facts reported by the Wall Street Journal support guilt by association style McCarthyism but in a software context.

Here are the only facts I can glean from the WSJ report and common knowledge of virus software:

  1. NSA contractor removed files from NSA and put them on his home computer
  2. Home computer was either a PC or Mac (only desktops supported by Kaspersky)
  3. Kaspersky anti-virus software was on the PC or Mac
  4. Kaspersky anti-virus software is either active or runs at specified times
  5. Kaspersky anti-virus software scanned the home computer one or more times
  6. Hackers stole NSA files from the home computer

That’s it, those are all the facts reported in the Wall Street Journal “story,” better labeled a slander against Kaspersky Lab.

The following claims are made with no evidence whatsoever:

  1. “after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab”
  2. “believe the contractor’s use of the software alerted Russian hackers to the presence of files”
  3. “whether Kaspersky technicians programed the software to look for specific parameters”
  4. “unclear is whether Kaspersky employees alerted the Russian government to the finding”
  5. “armed with the knowledge that Kaspersky’s software provided”

The only evidence in the possession of investigators is the co-location of the NSA files and Kaspersky anti-virus software on the same computer.

All the other beliefs, suppositions, assumptions, etc., of investigators are attempts to further the government’s current witch hunt against Kaspersky Lab.

The contractor’s computer likely also had MS Office, the home of more than a few security weaknesses. To say nothing of phishing emails, web browsers, and the many other avenues for penetration.

As far as “discovering” the contractor to get the files in question, it could have been by chance and/or the contractor bragging to a waitress about his work. We’re not talking about the sharpest knife in the drawer on security matters.

Judging hacking claims based on co-location of software is guilt by association pure and simple. The Wall Street Journal should not dignify such government rumors by reporting them.

Visualizing Nonlinear Narratives with Story Curves [Nonlinear Investigations, Markup, Statements]

October 5th, 2017

Visualizing Nonlinear Narratives with Story Curves by Nam Wook Kim, et al.

From the webpage:

A nonlinear narrative is a storytelling device that portrays events of a story out of chronological order, e.g., in reverse order or going back and forth between past and future events. Story curves visualize the nonlinear narrative of a movie by showing the order in which events are told in the movie and comparing them to their actual chronological order, resulting in possibly meandering visual patterns in the curve. We also developed Story Explorer, an interactive tool that visualizes a story curve together with complementary information such as characters and settings. Story Explorer further provides a script curation interface that allows users to specify the chronological order of events in movies. We used Story Explorer to analyze 10 popular nonlinear movies and describe the spectrum of narrative patterns that we discovered, including some novel patterns not previously described in the literature. (emphasis in original)

Applied here to movie scripts, this is an innovative visualization that has much broader application.

Investigations by journalists or police officers don’t develop in linear fashion. There are leaps forwards and backwards in time as a narrative is assembled. The resulting “linear” narrative bears little resemblance to its construction.

Imagine being able to visualize and compare the nonlinear narratives of multiple witnesses to a series of events. Use of the same nonlinear sequence isn’t proof they are lying but should suggest at least coordination of their testimony.

Linear markup systems struggle with nonlinear narratives and there may be value here for at least visualizing those pinch points.

Sadly the code for Story Curve and Story Explorer is temporarily unavailable as of 5 October 2017. Hoping that gets sorted out in the near future.

Printer Exploitation Toolkit: PRET [398 Days to Congressional MidTerm Elections]

October 5th, 2017

Printer Exploitation Toolkit: PRET

From the post:

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. PRET connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers today. This allows PRET to do cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and a printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Billed in the post as:

The tool that made dumpster diving obsolete (emphasis in original)

I would not go that far, after all, there are primitives without networked printers, or so I have heard. For those cases, dumpster diving remains a needed skill.

Reading Exploiting Network Printers – A Survey of Security Flaws in Laser Printers and Multi-Function Devices (the master’s thesis) isn’t required, but it may help extend this work.

Abstract:

Over the last decades printers have evolved from mechanic devices with microchips to full blown computer systems. From a security point of view these machines remained unstudied for a long time. This work is a survey of weaknesses in the standards and various proprietary extensions of two popular printing languages: PostScript and PJL. Based on tests with twenty laser printer models from various vendors practical attacks were systematically performed and evaluated including denial of service, resetting the device to factory defaults, bypassing accounting systems, obtaining and manipulating print jobs, accessing the printers’ file system and memory as well as code execution through malicious firmware updates and software packages. A generic way to capture PostScript print jobs was discovered. Even weak attacker models like a web attacker are capable of performing the attacks using advanced cross-site printing techniques.

As of July of 2016, Appendix A.1 offers a complete list of printer CVEs. (CVE = Common Vulnerabilities and Exposures.)

The author encountered a mapping issue when attempting to use vFeed to map between CVEs and CWEs (CWE = Common Weakness Enumeration).


Too many CWE identifiers, however, match a single CVE identifier. To keep things clear, we instead grouped vulnerabilities into nine categories of attack vectors as shown in Table 3.2. It is remarkable that half of the identified security flaws are web-related while only one twelfth are caused by actual printing languages like PostScript or PJL.
… (page 11 of master’s thesis)

I haven’t examined the mapping problem but welcome suggestions from those of you who do. Printer exploitation is a real growth area in cybersecurity.

I mentioned the 398 Days to Congressional MidTerm Elections in anticipation that some bright lasses and lads will arrange for printers to print not only at a local location but at a remote one as well.

Think of printers as truthful but not loyal campaign staffers.

Enjoy!

TruthBuzz: Announcing the winners! [Does Fake/False News Spread Differently?]

October 4th, 2017

TruthBuzz: Announcing the winners! by Oren Levine.

From the post:

Caricatures of politicians, time-lapse videos and an app modeled on a classic video game were among the winners of TruthBuzz, the Viral Fact-Checking Challenge.

Organized by the International Center for Journalists (ICFJ) with support from the Craig Newmark Foundation, the TruthBuzz contest aimed to find new ways to help verified facts reach the widest possible audience. The competition sought creative solutions to take fact-checking beyond long-form explanations and bullet points.

The goal of the contest was to “…make the truth go viral…,” which the winners did with style.

Except no distinction is offered between the spread of fake/false news and “truth.”

Enjoy reading about the winners but then ask yourself:

Could these same techniques be used to spread fake/false news?

My answer is yes.

What’s yours?

PS: My answer to why fake/false news spreads unchecked? There are fewer ad dollars in corrections than headline stories. You?

Defeating Israeli Predictive Policing Algorithm

October 4th, 2017

The Israeli algorithm criminalizing Palestinians for online dissent by Nadim Nashif and Marwa Fatafta.

From the post:

The Palestinian Authority’s (PA) arrest of West Bank human rights defender Issa Amro for a Facebook post last month is the latest in the PA’s recent crackdown on online dissent among Palestinians. Yet it’s a tactic long used by Israel, which has been monitoring social media activity and arresting Palestinians for their speech for years – and has recently created a computer algorithm to aid in such oppression.

Since 2015, Israel has detained around 800 Palestinians because of content they wrote or shared online, mainly posts that are critical of Israel’s repressive policies or share the reality of Israeli violence against Palestinians. In the majority of these cases, those detained did not commit any attack; mere suspicion was enough for their arrest.

The poet Dareen Tatour, for instance, was arrested in October 2015 for publishing a poem about resistance to Israel’s 50-year-old military rule on her Facebook page. She spent time in jail and has been under house arrest for over a year and a half. Civil rights groups and individuals in Israel, the Occupied Palestinian Territory (OPT), and abroad have criticized Israel’s detention of Tatour and other Palestinian internet users as violations of civil and human rights.

Israeli officials have accused social media companies of hosting and facilitating what they claim is Palestinian incitement. The government has pressured these companies, most notably Facebook, to remove such content. Yet the Israeli government is mining this content. Israeli intelligence has developed a predictive policing system – a computer algorithm – that analyzes social media posts to identify Palestinian “suspects.”

One response to Israel’s predictive policing is to issue a joint statement: Predictive Policing Today: A Shared Statement of Civil Rights Concerns.

Another response, undertaken by Nadim Nashif and Marwa Fatafta, is to document the highly discriminatory and oppressive use of Israel’s predictive policing.

Both of those responses depend upon 1) the Israeli government agreeing it has acted wrongfully, and 2) the Israeli government in fact changing its behavior.

No particular reflection on the Israeli government but I don’t trust any government claiming, unverified, to have changed its behavior. How would you ever know for sure? Trusting any unverified answer from any government (read party) is a fool’s choice.

Discovering the Israeli algorithm for social media based arrests

What facts do we have about Israeli monitoring of social media?

  1. Identity of those arrested on basis of social media posts
  2. Content posted prior to their arrests
  3. Content posted by others who were not arrested
  4. Relationships with others, etc.

Think of the problem as being similar to breaking the Enigma machine during WWII. We don’t have to duplicate the algorithm in use by Israel, we only have to duplicate its output. We have on hand some of the inputs and the outcomes of those inputs to start our research.

Moreover, as Israel uses social media monitoring, present guesses at the algorithm can be refined on the basis of more arrests.

Knowing Israel’s social media algorithm is cold comfort to arrested Palestinians, but that knowledge can help prevent future arrests or make the cost of the method too high to be continued.

Social Media Noise Based on Israeli Social Media Algorithm

What makes predictive policing algorithms effective is their narrowing of the field of suspects to a manageable number. If instead of every male between the ages of 16 and 30 you have 20 suspects with scattered geographic locations, you can reduce the number of viable suspects fairly quickly.

But that depends upon being able to distinguish between all the males between the ages of 16 and 30. What if based on the discovered parallel algorithm to the Israeli predictive policing one, a group of 15,000 or 20,000 young men were “normalized” so they present the Israeli algorithm with the same profile?

Instead of 2 or 3 people who seem to be angry enough to commit violence, you have, real and fake, 10,000 people right on the edge of extreme violence.

Judicious use of social media noise, informed by a parallel to the Israeli social media algorithm, could make the Israeli algorithm useless in practice. There would be too much noise for it to be effective. Or the resources required to eliminate the noise would be prohibitively expensive.

For predictive policing algorithms based on social media, “noise” is their Achilles heel.

PS: Actually defeating a predictive policing algorithm, to say nothing of generating noise on social media, isn’t a one man band sort of project. It needs experts in data mining, predictive algorithms, data analysis and social media, plus support personnel. Perhaps a multi-university collaboration?

PPS: I don’t dislike the Israeli government any more or less than any other government. It was happenstance Israel was the focus of this particular article. I see the results of such research as applicable to all other governments and private entities (such as Facebook, Twitter).

Law Library of Congress Chatbot

October 4th, 2017

We are Excited to Announce the Release of the Law Library of Congress Chatbot by Robert Brammer.

From the webpage:

We are excited to announce the release of a new chatbot that can connect you to primary sources of law, Law Library research guides and our foreign law reports. The chatbot has a clickable interface that will walk you through a basic reference interview. Just click “get started,” respond “yes” or “no” to its questions, and then click on the buttons that are relevant to your needs. If you would like to return to the main menu, you can always type “start over.”

(image omitted)

The chatbot can also respond to a limited number of text commands. Just type “list of commands” to view some examples. We plan to add to the chatbot’s vocabulary based on user interaction logs, particularly whenever a question triggers the default response, which directs the user to our Ask A Librarian service. To give the chatbot a try, head over to our Facebook page and click the blue “Send Message” button.

The response to “list of commands” returns in part this content:

This page provides examples of text commands that can be used with the Law Library of Congress chat bot. The chat bot should also understand variations of these commands and its vocabulary will increase over time as we add new responses. If you have any questions, please contact us through Ask A Librarian.

(I deleted the table of contents to the following commands)


Advance Healthcare Directives
– I want to make an advanced health care directive
– I want to make a living will

Caselaw
– I want to find a case

Civil Rights
– My voting rights were violated
– I was turned away at the polling station
– I feel I have been a victim of sexual harassment

Constitutional Law
– I want to learn about the U.S. Constitution
– I want to locate a state constitution
– I want to learn about the history of the U.S. Constitution

Employment Law
– I would like to learn more about employment law
– I was not paid overtime

Family Law
– I have been sued for a divorce
– I want to sue for child custody
– I want to sue for child support
– My former spouse is not paying child support

Federal Statutes
– I want to find a federal statute

File a Lawsuit
– I want to file a lawsuit

Foreclosure
– My house is in foreclosure

Immigration
– I am interested in researching immigration law
– I am interested in researching asylum law

Landlord-Tenant Law
– My landlord is violating my lease
– My landlord does not maintain my property

Legal Drafting
Type “appeal”, “motion”, or “complaint”

Lemon Laws
– I bought a car that is a lemon

Municipal Law
– My neighbor is making loud noise
– My neighbor is letting their dog out without a leash
– My neighbor is not maintaining their property
– My neighbor’s property is overgrown

Real Estate
– I’m looking for a deed
– I’m looking for a real estate form

State Statutes
– I want to find state statutes

Social Security Disability
– I want to apply for disability

Wills and Probate
– I want to draft a will
– I want to probate an estate

Unlike some projects, the Law Library of Congress chat bot doesn’t learn from its users, at least not automatically. Interactions are reviewed by librarians and content changed/updated.

Have you thought about a chat bot user interface to a topic map? The user might have no idea that results are merged and otherwise processed before presentation.

When I say “user interface,” I’m thinking of the consumer of a topic map, who may or may not be interested in how the information is being processed, but is interested in a useful answer.

Procrastinators – Dates/Location for Balisage: The Markup Conference 2018

October 4th, 2017

Procrastinators can be caught short, without enough time for proper procrastination on papers and slides.

To ensure ample time for procrastination, Balisage: The Markup Conference 2018 has published its dates and location.

31 July 2018–3 August 2018 … Balisage: The Markup Conference
30 July 2018 … Symposium – topic to be announced
CAMBRiA Hotel & Suites
1 Helen Heneghan Way
Rockville, Maryland 20850
USA

For indecisive procrastinators, Balisage offers suggestions for your procrastination:

The 2017 program included papers discussing XML vocabularies, cutting-edge digital humanities, lossless JSON/XML roundtripping, reflections on concrete syntax and abstract syntax, parsing and generation, web app development using the XML stack, managing test cases, pipelining and micropipelining, electronic health records, rethinking imperative algorithms for XSLT and XQuery, markup and intellectual property, digitizing Ethiopian and Eritrean manuscripts, exploring “shapes” in RDF and their relationship to schema validation, exposing XML data to users of varying technical skill, test-suite management, and use case studies about large conversion applications, DITA, and SaxonJS.

Innovative procrastinators can procrastinate on other related topics, including any they find on the Master Topic List (ideas procrastinated on for prior Balisage conferences).

Take advantage of this opportunity to procrastinate early and long on your Balisage submissions. You and your audience will be glad you did!

PS: Don’t procrastinate on saying thank you to Tommie Usdin and company for another year of Balisage. Balisage improves XML theory and practice every year it is held.