Bad Operational Security – Real Life Example – ISIS ‘fanboys’

May 28th, 2016

How Twitter users tracked down 4 ISIS ‘fanboys’ from a PR campaign gone wrong by Alastair Reid.

From the post:

Militant death cult Daesh released an audio message from spokesperson Abu Muhammad al-Adnani on Saturday, a much-anticipated event among the group’s supporters.

So overcome with excitement were they that some photographed handwritten messages of support and published them to channels on Telegram, the encrypted messaging app where many pro-Daesh communities interact.

The only problem? Many included clues as to their location and have since been tracked down by Twitter users around the world. Eliot Higgins, founder of Bellingcat and a member of the First Draft Coalition, first saw “ISIS watchers” sharing the pictures on social media and corralled his followers into tracking down their location.

Four locations have so far been found, revealing not only the same scenery as in the pictures, but the likely position of the photographer. The locations include a private home, an apartment building and a hotel. Authorities have been alerted.

“There were more images, not that many,” Higgins said, “but the ISIS supporters were retweeting like crazy and trying to get this whole thing trending in Paris and claiming Amsterdam and London.

Ignore the political tone of this post and focus on the breaches of operational security that exposed the posters so quickly.

If I were writing a book on operational security, this would be chapter 2. Chapter 1 would be on not making time-stamped chat logs while you are carrying out hacks, etc.

Don’t hold me to the chapter hierarchy, I suspect even dumber mistakes have been made.

Along with the photos themselves, this post would make a great training tool.

Possible homework assignment: Students take “propaganda” photos, exchange them with classmates, attempt to discover location, etc.

Better to discover your inability to maintain operational security in a classroom setting than elsewhere.

Asking the Impossible, Avoiding the Obvious – MS on Ransom:Win32/ZCryptor.A.

May 28th, 2016

Link (.lnk) to Ransom.

From the post:

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

The post goes on to note these avenues of infection:

Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).

If you think that sounds bad, consider one of the recommended means for avoiding Ransom:Win32/ZCryptor.A:

Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)

And the other reasons for using the Internet would be? ;-)

BTW, the bulletin avoids the most obvious solution to Ransom:Win32/ZCryptor.A:

Don’t run Windows.

Yes?

Something to bear in mind when the GAO wants agencies to upgrade from pre-Windows software to “modern,” but insecure software.

Pamela Samuelson on Java and Fair Use – Test For Prospective Employers

May 28th, 2016

Pamela Samuelson has posted a coherent and compelling narrative on why the Java API victory of Google over Oracle is a very good thing.

Here’s where she comes out:


Developers of software need some simple norms to live by. One such norm is that independent reimplementation of an API in one’s own original code does not infringe copyright. That’s the law as well as good public policy. The public has greatly benefited by the existence of this norm because anyone with a creative software idea can write programs that will run on existing platforms. The software industry has thrived under this norm, and the public has a wide array of choices of innovative programs in a competitive marketplace.

Put Pamela’s analysis to good use.

Ask at your next interview if the prospective employer agrees with Pamela’s post.

It’s 877 words and can double as an attention span test for the interviewer.

Ask before you leap.

Danger! Danger! Oracle Attorney Defends GPL

May 28th, 2016

Op-ed: Oracle attorney says Google’s court victory might kill the GPL by Annette Hurst.

From the header:

Annette Hurst is an attorney at Orrick, Herrington & Sutcliffe who represented Oracle in the recent Oracle v. Google trial. This op-ed represents her own views and is not intended to represent those of her client or Ars Technica.

The Oracle v. Google trial concluded yesterday when a jury returned a verdict in Google’s favor. The litigation began in 2010, when Oracle sued Google, saying that the use of Java APIs in Android violated copyright law. After a 2012 trial, a judge held that APIs can’t be copyrighted at all, but that ruling was overturned on appeal. In the trial this month, Google successfully argued that its use of Java APIs, about 11,500 lines of code in all, was protected by “fair use.”

I won’t propagate Annette’s rant but you can read it for yourself at: http://arstechnica.com/tech-policy/2016/05/op-ed-oracle-attorney-says-googles-court-victory-might-kill-the-gpl/.

What are free software supporters to make of their long-time deranged, drooling critic expressing support for the GPL?

Should they flee as pursued by wraiths on wings?

Should they stuff their cloaks in their ears?

Are these like the lies of Saruman?

Or perhaps better, Wormtongue?

My suggestion? Point to Annette’s rant to alert others but don’t repeat it, don’t engage it, just pass over it in silence.

Repeating evil counsel gives it legitimacy.

Yours.

Dissertations – Searching Tip

May 27th, 2016

It’s been years since I ordered a dissertation, but I ran across one today that isn’t already on the web.

I landed at ProQuest but there was no obvious place to search for a dissertation.

Ah, that’s because you have to follow “Order Now” before this interface is displayed:

[image: proquest-order-450]

I wasn’t “ready” to order so I missed the obvious link for several minutes.

Tip for ProQuest: Search Dissertations link should be on your homepage. (Who approved your homepage design? Management?)

Playpen Defendants 3, FBI 0

May 27th, 2016

Judge tosses evidence in FBI Tor hacking child abuse case by Bill Carmada.

From the post:

A US federal judge on Wednesday excluded all evidence in a child pornography case that was acquired by the FBI through an exploit compromising the Tor network. The federal government hasn’t announced what it’ll do next, but if it can’t prevail in an appeal, its case against Vancouver, Washington teacher Jay Michaud may well be doomed.

Defendant prevails on the grounds of the FBI refusing to disclose its exploit.

Criminal law 101. The state can’t produce “evidence,” gathered by some unknown means and use it to “prove” the guilt of a defendant.

Every defendant gets to contest the evidence produced against them. In this case, the FBI has chosen to deny a defendant that right.

There are two other Playpen decisions to be aware of:

1) Suppression of Evidence Obtained by FBI’s Use of Network Investigative Techniques (NIT) by Scott Hughes.

From the post:

Last month, a United States district court judge threw out evidence in a child abuse imagery case that the Federal Bureau of Investigation (FBI) had obtained using a hacking tool. While the court ruled to suppress the evidence, it did not prohibit the FBI from using the hacking tool—called a “network investigative technique” (NIT)—to install malware code on suspects’ computers. Rather, the court’s ruling stated that the magistrate judge wrongly granted the FBI’s NIT warrant because the case was not within her jurisdiction, thus violating Federal Rule of Evidence 41(b). Still, this ruling marks a possible stumbling block to an FBI probe and the resulting charges against approximately 137 individuals in the United States.

United States vs. Alex Levin (decision)

This result will be different if an amended Rule 41 is approved (Congress must act by 1 December 2016).

The BBC headline: US Supreme Court approves expanded hacking powers was the first one to catch my attention, although it failed to point to the Supreme Court document in question. To cure that shortfall, see this transmittal letter and amendments to the Federal Rules of Criminal Procedure.

BTW, Scott’s post is an excellent example of how to write a useful blog post on legal issues. Quoting, summarizing and characterizing are all well and good, but many of us are interested in the sources themselves, not only in commentary about them.

2) Second Judge Recommends To Discard Evidence Obtained From FBI Mass Hack

From the post:

Paul J Cleary, a Magistrate Judge, is the second judge to suggest that evidence obtained in the FBI mass hack, using malware planted by the federal agency on the infiltrated child porn site PlayPen, be thrown out.

In the mass hack case, the FBI uploaded the malware in February 2015 as part of Operation Pacifier.

On the 25th of last month, the same judge recommended suppression of evidence (obtained in the FBI mass hack) in a similar case.

The case involves Scott Fredrick Arterbury.

United States vs. Scott Frederick Arterbury (decision)

Another Rule 41 based decision, which would be decided differently under proposed changes to Rule 41 rules on search warrants.

Summary:

Although the Rule 41 violation is clear and clean cut, I much prefer the suppression of evidence for failure to disclose its alleged hack of the TOR network. There are many ways to gather the information the FBI claims to possess and proof of how they came to possess it, is a critical link in the chain of evidence.

I have read differing numbers on the defendants charged out of Playpen, but accepting 137 as the high, there are as many as 134 defendants remaining.

Suggestions on how to document the remaining cases? I have searched both the FBI and Justice Department for any mention of the Playpen operation. Number of “hits”: 0.

If you didn’t know better, you would say “the FBI and Justice Department are ashamed of Operation Playpen.” Do you think?

PS: If you need a general background on this story, see: The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers by Joseph Cox.

Reimplementation of an API is FAIR USE!

May 26th, 2016

Google wins Oracle copyright fight over Android code by Russell Brandom.

Just one civil jury’s opinion but a major one considering there was $9 billion at stake.

Not a precedent for other cases but it may discourage this type of over-reaching.

Every now and again, even random dice roll a 7 for the good guys.

See Russell’s post for the details.

Help Defend MuckRock And Your Right To Know!

May 25th, 2016

A multinational demands to know who reads MuckRock and is suing to stop us from posting records about them by Michael Morisy.

Michael captures everything you need to know in his first paragraph:

A multinational owned by Toshiba is demanding MuckRock remove documents about them received under a public records act request, destroy any copies we have, and help identify MuckRock readers who saw them.

After skimming the petition and the two posted documents (Landis+Gyr Managed Services Report 2015 Final and Req 9_Security Overview), I feel like the man who remarked to George Bailey in It’s A Wonderful Life, “…you must mean two other trees,” taking George for being drunk. ;-)

As far as I can tell, the posted documents contain no pricing information, no contact details, etc.

Do you disagree?

There are judges who insist that pleadings have some relationship to facts. Let’s hope that MuckRock draws one of those.

Do you wonder what other local governments are involved with Landis+Gyr?

There is a simple starting point: Landis+Gyr.

Hidden Inspector General Report on Clinton’s Emails?

May 25th, 2016

If you haven’t heard about the controversy surrounding Hillary Clinton’s handling of emails during her term as Secretary of State, you are one of the lucky ones.

The rest of us have been treated to a literal circus of pettifogging over her “private” email server for years now. Truly a tempest in a teapot.

But, along comes a much awaited report by the Inspector General for the State Department on those same emails, and where can you find it?

Not on the Inspector General for the State Department homepage (as of 25 May 2016, 9:00 PM EST)!

No, you will have to find that report, the one everyone has been waiting for, Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements to be posted by Politico.

I have no objection to Politico having the “scoop” on this report and/or distributing a document of great public interest. All fine and good.

But why does the Inspector General choose to hide this report from the general public?

Is the Inspector General ashamed of the report?

A report that encompasses other secretaries of state, as though to argue bad and/or criminal behavior can be excused because it is customary?

I’m not familiar with the “customary therefore not criminal” defense.

Perhaps that only obtains at Cabinet level positions.

In any event, please help Steve Linick, the current Inspector General for the State Department, own this report now and forever.

Cops Driving Cabs – Not Just Moonlighting (Awk)

May 25th, 2016

NYPD has at least five undercover ‘Cop Cabs’ by Matthew Guariglia.

Matthew walks you through the process of inferring that the New York Police Department has at least five (5) vehicles that look like taxi cabs.

Or at least they have taxi cab emblems.

A patrol car with a taxi cab emblem would look out of place.

A good lesson in persistence, asking more than one source and collating information.

Just for grins, I downloaded the Medallion Vehicles – Authorized file as a CSV file, said to contain 14265362 lines, which as of today runs a little over 2 GB.

I was curious under what name the TLC issued the cop medallions. Adding them to a third-party account seems unlikely because of property tax issues. Would they have made up a different owner for each of the five medallions? Or would they use a common owner for all five?

Possible that they created the five medallions “off the books,” but that seems unlikely as well. They would want to tie them to license plates.

First observation on the data: The “name” field appears variously with enclosing quotes and no quotes at all.

For example:

License Number,Name,Expiration Date,Current Status,DMV License Plate Number,Vehicle VIN Number,Vehicle Type,Model Year,Medallion Type,Agent Number,Agent Name,Agent Telephone Number,Agent Website Address,Agent Address,Last Date Updated,Last Time Updated

...

8E94,"SINGH,BAGICHA",MEDALLION,CUR,8E94H,1FMCU4K35BKA45650,HYB,2011,OWNER MUST DRIVE,000,,,,,03/12/2014,13:20
7A19,"SKLAVOUNAKIS, IOANNIS",MEDALLION,CUR,7A19A,JTDKN3DU4A0234023,HYB,2010,NAMED DRIVER,000,,,,,03/03/2014,13:20
5E85,FIRST KD INC.,MEDALLION,CUR,5E85H,1N4CL21E39C141012,HYB,2009,OWNER MUST DRIVE,000,,,,,05/24/2014,13:20
8V19,GABBI CAB CORP,MEDALLION,CUR,8V19B,5TDZK3DC4CS218712,WAV,2012,NAMED DRIVER,234,WOODSIDE MANAGEMENT INC.,(718)8999369,,4913 ROOSEVELT AVENUE WOODSIDE NY 11377,01/21/2014,13:20
2V31,TIGER TAXI LLC,MEDALLION,CUR,2V31A,4T1BD1FK0EU127547,HYB,2014,NAMED DRIVER,000,,,,,02/25/2015,13:20
2V31,TIGER TAXI LLC,MEDALLION,CUR,2V31A,4T1BD1FK0EU127547,HYB,2014,NAMED DRIVER,000,,,,,02/25/2015,13:20
5J36,KFAR TAXI INC,MEDALLION,CUR,5J36B,4T1BD1FK9CU029209,HYB,2012,NAMED DRIVER,202,,,,,09/21/2013,13:20
3E13,"BABAEV, MAXIM",MEDALLION,CUR,3E13A,1FMCU49H38KC93552,HYB,2008,OWNER MUST DRIVE,0,,,,,07/19/2013,13:20

This data snippet has no significance other than the variation in the name field and the fields of the CSV file.

I used awk to extract the name field to a separate file:

awk 'BEGIN { FS = "," }; { print $2 }' < Medallion__Vehicles_-_Authorized.csv > taxi-names

Then I sorted that file and used uniq plus -c (for count), to create a sorted list of the names with the number of times they occur.

sort < taxi-names | uniq -c > taxi-unique-names

You will pick up a lot of data-entry errors in this view (an extra space in a name, etc.).

Then, because I am interested in names that occur only five (5) times, I re-sort the file to list names by the number of times they occur (this loses the view that reveals data-entry errors):

sort -bn < taxi-unique-names > taxi-by-number

The -bn switches tell sort to ignore leading spaces and to sort in numeric order.
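A CSV-aware version of the name-count step, added here as an example and not the post’s own commands. Splitting on every comma, as the awk FS="," extraction does, cuts quoted names such as "SINGH,BAGICHA" in half, so this version reads the file with Python’s csv module instead and normalises whitespace before counting, so that data-entry variants of one owner are counted together. The sample is the header and records quoted above plus one constructed row (license 9Z99, an assumption) that exists only to show the whitespace normalisation; the normalize_name rule that drops the space after a comma is also an assumption about the data.

```python
import csv
import io
from collections import Counter

# Header and the first eight records are the TLC rows quoted in the post.
# The last row (9Z99) is constructed: same owner as 2V31 but with a doubled
# space and trailing blank, the kind of data-entry variant the post mentions.
SAMPLE_CSV = """License Number,Name,Expiration Date,Current Status,DMV License Plate Number,Vehicle VIN Number,Vehicle Type,Model Year,Medallion Type,Agent Number,Agent Name,Agent Telephone Number,Agent Website Address,Agent Address,Last Date Updated,Last Time Updated
8E94,"SINGH,BAGICHA",MEDALLION,CUR,8E94H,1FMCU4K35BKA45650,HYB,2011,OWNER MUST DRIVE,000,,,,,03/12/2014,13:20
7A19,"SKLAVOUNAKIS, IOANNIS",MEDALLION,CUR,7A19A,JTDKN3DU4A0234023,HYB,2010,NAMED DRIVER,000,,,,,03/03/2014,13:20
5E85,FIRST KD INC.,MEDALLION,CUR,5E85H,1N4CL21E39C141012,HYB,2009,OWNER MUST DRIVE,000,,,,,05/24/2014,13:20
8V19,GABBI CAB CORP,MEDALLION,CUR,8V19B,5TDZK3DC4CS218712,WAV,2012,NAMED DRIVER,234,WOODSIDE MANAGEMENT INC.,(718)8999369,,4913 ROOSEVELT AVENUE WOODSIDE NY 11377,01/21/2014,13:20
2V31,TIGER TAXI LLC,MEDALLION,CUR,2V31A,4T1BD1FK0EU127547,HYB,2014,NAMED DRIVER,000,,,,,02/25/2015,13:20
2V31,TIGER TAXI LLC,MEDALLION,CUR,2V31A,4T1BD1FK0EU127547,HYB,2014,NAMED DRIVER,000,,,,,02/25/2015,13:20
5J36,KFAR TAXI INC,MEDALLION,CUR,5J36B,4T1BD1FK9CU029209,HYB,2012,NAMED DRIVER,202,,,,,09/21/2013,13:20
3E13,"BABAEV, MAXIM",MEDALLION,CUR,3E13A,1FMCU49H38KC93552,HYB,2008,OWNER MUST DRIVE,0,,,,,07/19/2013,13:20
9Z99,TIGER  TAXI LLC ,MEDALLION,CUR,9Z99A,CONSTRUCTEDVIN000,HYB,2014,NAMED DRIVER,000,,,,,02/25/2015,13:20
"""


def naive_second_field(line):
    """What awk with FS="," sees as $2: quotes are not honoured, so a
    quoted name containing a comma is split in the middle."""
    return line.split(",")[1]


def csv_second_field(line):
    """The same field read by a real CSV parser: the quoted comma survives."""
    return next(csv.reader([line]))[1]


def normalize_name(name):
    """Collapse runs of whitespace, trim, and drop spaces around commas.
    Assumption: 'SKLAVOUNAKIS, IOANNIS' and 'SKLAVOUNAKIS,IOANNIS' are one owner."""
    collapsed = " ".join(name.split())
    return ",".join(part.strip() for part in collapsed.split(","))


def name_counts(csv_text):
    """Equivalent of 'sort | uniq -c' on the Name column, but quote-aware
    and with whitespace variants folded together."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return Counter(normalize_name(row["Name"]) for row in reader)


def names_with_count(csv_text, n):
    """Owners whose name appears exactly n times (the post looks for n == 5)."""
    return sorted(name for name, c in name_counts(csv_text).items() if c == n)


if __name__ == "__main__":
    first_record = SAMPLE_CSV.splitlines()[1]
    print("naive $2:", naive_second_field(first_record))   # "SINGH  (truncated)
    print("csv   $2:", csv_second_field(first_record))     # SINGH,BAGICHA
    for name, count in name_counts(SAMPLE_CSV).most_common():
        print(f"{count:7d} {name}")
    print("exactly five:", names_with_count(SAMPLE_CSV, 5))
```

On the full 2 GB download, pass an open file handle to csv.DictReader instead of the embedded string; it streams one record at a time, so memory is bounded by the number of distinct owner names rather than the 14 million rows.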

I appreciate New York making this available as “open data” but the interface has a number of limitations.

Another way to approach Matthew’s question is to sort on the addresses, assuming TLC is billing a cop address and not 1060 West Addison. ;-)

I haven’t tried this, but checking the property tax rolls against the TLC records might be a way to ferret out the cop-driven taxis. Unless the city has someone paying the taxes for them. Along with the usual graft, who would know?

Other ideas or suggestions to help Matthew flush out these cop-driven taxis?

SWIFT Network – “that’s where the money is” (Slick Willie Sutton)

May 25th, 2016

Recent headlines tout breaches in the SWIFT transfer network: Now It’s Three: Ecuador Bank Hacked via Swift (19 May 2016)

The best technical commentary I have found on SWIFT attacks is TWO BYTES TO $951M by Sergei Shevchenko (25 April 2016). (Bangladesh Bank’s (BB) SWIFT payment system attack.)

Sergei reports on malware used in the February 2016 attack on Bangladesh Bank’s (BB) SWIFT payment system. Malware thought to be part of a larger attack toolkit is identified, analyzed along with how the fraud was concealed.

I have gone through approximately thirty (30) reports that cite one or more of the malware file names and I have found no information beyond Sergei’s report. Avoid the duplication and repetition, start and end with Sergei’s report. (At least for now, new technical reports may emerge.)

For a public glimpse inside the world of SWIFT transfers, see Cyber thieves exploit banks’ faith in SWIFT transfer network by Tom Bergin and Nathan Layne. Bergin and Layne cover an earlier SWIFT breach, this one involving the Banco del Austro (BDA) in Ecuador, Wells Fargo and the transfer of approximately $12 million in 2015.

In an amusing twist, SWIFT found out about the breach from a Reuters query about the breach. Apparently banks are no better at sharing information among themselves than they are with the public.

Banco del Austro (BDA) filed suit in New York State Court and Wells Fargo removed that case to the Federal District Court for the Southern District of New York. The original complaint appears as Exhibit A of the removal notice. (full text) The docket number in Federal District Court is: 1:2016-cv-00628.

You may not be experienced in reading legal pleading but you should take a look at Exhibit A. Wells Fargo is said to have “boosted,” “assured,” etc. In addition to being a fun read, you will gain some insight into the operation of SWIFT.

While writing this up, I discovered other resources you may find useful:

ARNE Solutions has reportedly posted Bangladesh Bank’s #Malware SWIFT decrypted config file. I say “reportedly” because I have not verified the file.

SWIFT homepage

SWIFT Security Notices

The Swift Codes has a complete listing of SWIFT codes.

The Bangladesh heist was in part the result of $10 network switches and no firewall. There are 11,000 banks and other institutions that use SWIFT.

What do you think the odds are that other vulnerable banks exist with access to the SWIFT network?


You can find all sorts of things related to SWIFT on the internet. For example, Remittance Instructions: Transportation Security Administration (TSA) Security Fees helpfully recites:

[image: tsa-swift-account]


One step towards evaluating the security of SWIFT is to collect and collate all the public information about SWIFT. Not a freebie; anyone interested in purchasing/sponsoring such a collection?

Defense Department “Off-The-Clock” Cyber-Nannies

May 24th, 2016

When you are caught twixt poorly written legislation and imaginative reporting, it’s hard to decide which one to point to first.

Consider this report by Jack Moore in Lawmakers Want Off-The-Clock ‘Cyber Protection’ For Some Pentagon Personnel.

From the post:

Lawmakers crafting a massive annual Pentagon policy want the Defense Department to be able to provide off-the-clock cybersecurity protection to DOD personnel deemed “to be of highest risk of vulnerability to cyberattacks on their personal devices, networks and persons,”

That provision is included in the Senate’s version of the National Defense Authorization Act, which is headed for a vote in the Senate this week. Along with personal “cyber protection support,” the Senate bill would overhaul the role of the Pentagon chief information officer.

The phrase “off-the-clock” struck me as odd, even with lengthy experience at reading poorly written laws.

If you bother to check the text you will find:


Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters

SEC. 1631. CYBER PROTECTION SUPPORT FOR DEPARTMENT OF DEFENSE PERSONNEL IN POSITIONS HIGHLY VULNERABLE TO CYBER ATTACK.

(a) Authority To Provide Support.—The Secretary of Defense may provide cyber protection support to personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons.

(b) Nature Of Support.—Subject to the availability of resources, in providing cyber protection support pursuant to subsection (a), the Secretary may provide personnel described in that subsection training, advisement, and assistance regarding cyber attacks described in that subsection.

(c) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the provision of cyber protection support pursuant to subsection (a). The report shall include a description of the methodology used by the Secretary to determine the positions in the Department that are of highest vulnerability to cyber attacks for purposes of subsection (a).

No mention of “off-the-clock,” “round-the-clock,” “24×7,” etc.

Granting that Jack goes on to say:


Under the Senate bill, the Defense secretary would be authorized to identify high-risk positions and provide “training, advisements and assistance regarding cyberattacks,” according to the bill.

Last year, self-described “stoner high school student” hackers claimed to have breached personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.

Neither man is a DOD employee, but the incidents raised concerns about the cybersecurity vulnerabilities posed by top government officials’ private email accounts.

The proposed move also comes amid increasing concerns about targeted malicious emails — phishing and “social engineering” attacks — aimed at tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails.

I think the critical text reads:

…tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails….

Let’s amend the Senate version to make it more effective than the proposed cyber-nannies:

Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters

SEC. 1631. REDUCTION OF RISKS FROM PHISHING ATTACKS ON DOD PERSONNEL

(a) Preparation To Detect Phishing Susceptibility.—The Secretary of Defense shall designate personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons, and publish a list of those personnel with their email addresses to Facebook.


(b) Detection Of Phishing Susceptibility.—The Secretary of Defense shall publish on Facebook an invitation for any citizen of any country to create and cause to be delivered, a phishing email to any of the personnel designated in (a), exempt from any statutes of the United States or its several states, prohibiting such emails. Upon receipt of proof of designated personnel being deceived by a phishing email, the Secretary of Defense will cause to be transmitted to the sender of such email, the sum of $5,000.00.


(c) Consequences Of Phishing Susceptibility.—The Secretary of Defense, upon receipt of proof of deception by phishing email, shall immediately cause to be suspended, all electronic or physical access to any and all DoD services and/or locations. This suspension will remain in effect until the person in question has been separated from their service.


(d) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the ongoing progress towards reducing phishing susceptibility at the Department of Defense.

Want to improve cybersecurity at the Department of Defense?

Test and separate personnel based on their susceptibility to phishing attacks.

Far saner and more effective than “off-the-clock” cyber-nannies.

Dear “Skeptics,”… [Attn: All Data Scientists]

May 24th, 2016

Dear “Skeptics,” Bash Homeopathy and Bigfoot Less, Mammograms and War More by John Horgan.

[image: string-theory]

Strings and multiverses can’t be experimentally detected. The theories aren’t falsifiable, which makes them pseudo-scientific, like astrology and Freudian psychoanalysis. Credit: parameter_bond/Flickr

The caption is from Horgan’s post. In case anyone asks, I retrieved and re-sized my own copy of the image.

From the post:

I hate preaching to the converted. If you were Buddhists, I’d bash Buddhism. But you’re skeptics, so I have to bash skepticism.

I’m a science journalist. I don’t celebrate science, I criticize it, because science needs critics more than cheerleaders. I point out gaps between scientific hype and reality. That keeps me busy, because, as you know, most peer-reviewed scientific claims are wrong.

So I’m a skeptic, but with a small S, not capital S. I don’t belong to skeptical societies. I don’t hang out with people who self-identify as capital-S Skeptics. Or Atheists. Or Rationalists.

When people like this get together, they become tribal. They pat each other on the back and tell each other how smart they are compared to those outside the tribe. But belonging to a tribe often makes you dumber.

Here’s an example involving two idols of Capital-S Skepticism: biologist Richard Dawkins and physicist Lawrence Krauss. Krauss recently wrote a book, A Universe from Nothing. He claims that physics is answering the old question, Why is there something rather than nothing?

Krauss’s book doesn’t come close to fulfilling the promise of its title, but Dawkins loved it. He writes in the book’s afterword: "If On the Origin of Species was biology’s deadliest blow to supernaturalism, we may come to see A Universe From Nothing as the equivalent from cosmology."

Just to be clear: Dawkins is comparing Lawrence Krauss to Charles Darwin. Why would Dawkins say something so foolish? Because he hates religion so much that it impairs his scientific judgment. He succumbs to what you might call “The Science Delusion.”

“The Science Delusion” is common among Capital-S Skeptics. You don’t apply your skepticism equally. You are extremely critical of belief in God, ghosts, heaven, ESP, astrology, homeopathy and Bigfoot. You also attack disbelief in global warming, vaccines and genetically modified food.

These beliefs and disbeliefs deserve criticism, but they are what I call “soft targets.” That’s because, for the most part, you’re bashing people outside your tribe, who ignore you. You end up preaching to the converted.

Meanwhile, you neglect what I call hard targets. These are dubious and even harmful claims promoted by major scientists and institutions. In the rest of this talk, I’ll give you examples of hard targets from physics, medicine and biology. I’ll wrap up with a rant about war, the hardest target of all.

To get the full flavor of what it means to be a skeptic, read this post and John’s accounts of the reactions to both his presentation and this post.

The “tell” of a target

Whether you are being skeptical of a popular (read “soft”) target like Bigfoot or skeptical of a “hard” target like psychiatric drugs, the reaction from believers is nearly universal: anger, denial and fairly rapidly, denunciation of yourself as unreasonable, etc.

Try being skeptical of a soft/hard target in your work.

Ask whether there is racial bias in the algorithms you use day to day. Gender bias? If the answer is no, ask how they know. Ask them to confirm it for you using data. Watch their hands closely during the demonstration.

After all, you are a data scientist and questions should be settled based on data and understanding the algorithms applied to them.

Yes?

Being a skeptic with a small “s” is a hard job. But your project, department, enterprise will be better for you being that skeptic.

Imagine one effective White House skeptic prior to the second war on Iraq. No $trillions spent, no countless lives lost, no instability in the region, etc. Skeptics with a small “s” can make all the difference in the world.

Apache Spark as a Compiler:… [This is wicked cool!]

May 24th, 2016

Apache Spark as a Compiler: Joining a Billion Rows per Second on a Laptop by Sameer Agarwal, Davies Liu and Reynold Xin.

From the post:

When our team at Databricks planned our contributions to the upcoming Apache Spark 2.0 release, we set out with an ambitious goal by asking ourselves: Apache Spark is already pretty fast, but can we make it 10x faster?

This question led us to fundamentally rethink the way we built Spark’s physical execution layer. When you look into a modern data engine (e.g. Spark or other MPP databases), a majority of the CPU cycles are spent in useless work, such as making virtual function calls or reading or writing intermediate data to CPU cache or memory. Optimizing performance by reducing the amount of CPU cycles wasted in this useless work has been a long-time focus of modern compilers.

Apache Spark 2.0 will ship with the second generation Tungsten engine. Built upon ideas from modern compilers and MPP databases and applied to data processing queries, Tungsten emits (SPARK-12795) optimized bytecode at runtime that collapses the entire query into a single function, eliminating virtual function calls and leveraging CPU registers for intermediate data. As a result of this streamlined strategy, called “whole-stage code generation,” we significantly improve CPU efficiency and gain performance.

(emphasis in original)

How much better you ask?

cost per row (in nanoseconds, single thread)

primitive                             Spark 1.6   Spark 2.0
filter                                   15 ns      1.1 ns
sum w/o group                            14 ns      0.9 ns
sum w/ group                             79 ns     10.7 ns
hash join                               115 ns      4.0 ns
sort (8-bit entropy)                    620 ns      5.3 ns
sort (64-bit entropy)                   620 ns       40 ns
sort-merge join                         750 ns      700 ns
Parquet decoding (single int column)    120 ns       13 ns

Don’t just stare at the numbers:

Try the whole-stage code generation notebook in Databricks Community Edition

What’s the matter?

Haven’t you ever seen a 1 billion record join in 0.8 seconds? (Down from 61.7 seconds.)

If all that weren’t impressive enough, the post walks you through the currently dominant query evaluation strategy as a setup for Spark 2.0 and then into why “whole-stage code generation is so powerful.”

A must read!

FOIA – For Algorithms

May 24th, 2016

We need to know the algorithms the government uses to make important decisions about us by Nicholas Diakopoulos.

From the post:

In criminal justice systems, credit markets, employment arenas, higher education admissions processes and even social media networks, data-driven algorithms now drive decision-making in ways that touch our economic, social and civic lives. These software systems rank, classify, associate or filter information, using human-crafted or data-induced rules that allow for consistent treatment across large populations.

But while there may be efficiency gains from these techniques, they can also harbor biases against disadvantaged groups or reinforce structural discrimination. In terms of criminal justice, for example, is it fair to make judgments on an individual’s parole based on statistical tendencies measured across a wide group of people? Could discrimination arise from applying a statistical model developed for one state’s population to another, demographically different population?

The public needs to understand the bias and power of algorithms used in the public sphere, including by government agencies. An effort I am involved with, called algorithmic accountability, seeks to make the influences of those sorts of systems clearer and more widely understood.

Existing transparency techniques, when applied to algorithms, could enable people to monitor, audit and criticize how those systems are functioning – or not, as the case may be. Unfortunately, government agencies seem unprepared for inquiries about algorithms and their uses in decisions that significantly affect both individuals and the public at large.

Nicholas makes a great case for Freedom of Information Act (FOIA) legislation being improved to explicitly include algorithms used by government or on its behalf.

I include “on its behalf” because as Nicholas documents, some states have learned the trick of having algorithms held by vendors, thus making them “proprietary.”

If you can’t see the algorithms behind data results, there is no meaningful transparency.

Demand meaningful transparency!

Unintended Consequences Of Slowly Strangling Flash To Death

May 24th, 2016

The long road to the final death knell for Flash has gotten slightly shorter.

Intent to implement: HTML5 by Default

From the post:


Later this year we plan to change how Chromium hints to websites about the presence of Flash Player, by changing the default response of Navigator.plugins and Navigator.mimeTypes. If a site offers an HTML5 experience, this change will make that the primary experience. We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site (see the proposal for the mock-ups).

To reduce the initial user impact, and avoid over-prompting, Chrome will introduce this feature with a temporary whitelist of the current top Flash sites(1). This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.

Chrome will also be adding policy controls so that enterprises will be able to select the appropriate experience for their users, which will include the ability to completely disable the feature.

Any move away from Flash is good news but the unintended consequences of this news tempers my joy.

First, the Flash whitelist signals that delivery of Flash malware should concentrate on the top ten sites:

  1. YouTube.com
  2. Facebook.com
  3. Yahoo.com
  4. VK.com
  5. Live.com
  6. Yandex.ru
  7. OK.ru
  8. Twitch.tv
  9. Amazon.com
  10. Mail.ru

Second, offering users the option to run Flash, in spite of warnings, guarantees Flash will remain an expressway into your computer for years to come.

Third, as Flash usage drops, what is the likely curve of funding for fixing new bugs found in Flash? (That’s what I think as well.)

I don’t have a better alternative to offer, except to suggest that enterprises that care about security should offer cash bonuses to departments that abandon Flash altogether.

PS: Adobe should notify the community when the last copy of the source code for Flash is erased. To avoid some future computer archaeologist digging it up and becoming infected.

Inspiring Next-Gen Citizens – Phineas Fisher

May 24th, 2016

A Notorious Hacker Is Trying to Start a ‘Hack Back’ Political Movement by Lorenzo Franceschi-Bicchierai.

From the post:

In August of 2014, a hacker shook the cybersecurity world by exposing the secrets of the infamous government surveillance vendor Gamma Group, the makers of the spyware FinFisher.

The hacker jokingly called himself Phineas Fisher, publicizing the hack and taunting the company on Twitter. He also wrote a detailed guide on how he breached Gamma—not to brag, the hacker wrote, but to demystify hacking and “to hopefully inform and inspire you to go out and hack shit.”

Then, Phineas Fisher went dark. For almost a year, his public profiles remained silent. Given that he had just upset a company that sold tools to dozens of spy and police all over the world, it seemed like a wise move.

“For politically minded hackers, Phineas is a legend already.”

See Lorenzo’s post for a short history of Phineas Fisher.

I prefer my title because “notorious” and “hacker” imply that Phineas has transgressed in some way.

In the view of some legal systems, Phineas has transgressed but even within those systems, transgression is a matter of whim and caprice.

Consider the interference with the legitimate development of nuclear power by Iran. The U.S. and others have taken it upon themselves to create software to interfere with that program. Software and actions illegal under the same laws with which Phineas would be prosecuted, but no one has been brought before the bar.

Phineas has acted, no more or less than the Koch brothers, to influence public opinion. Every citizen has the right to influence government action, theirs and others.

Phineas is using information instead of cash to influence government but that distinction matters only to cash hungry politicians and cash flush favor seekers who want to feed them.

“Western democracies” don’t engage, for the most part, in quid pro quo style corruption. Donors routinely contribute money, year in and year out, and not surprisingly, when government decisions are to be made, they have a place at the decision making table. And when the decision making is done, they receive a larger share of government benefits than others.

Information activities, such as those by Phineas, have the potential to create a publicly traded information economy. Imagine if rather than slow leak of the Panama Papers, they appeared on an Information Exchange, where you could bid on some or all of the data for particular countries.

Ownership could be, but not necessarily be, exclusive. Your ownership of the data for China, for example, would in no way interfere with my ownership of the same information.

What I am describing rather poorly is already set forth in Neal Stephenson‘s classic: Snow Crash.

Make no mistake, Snow Crash, like the mistaken-for-reality tale Atlas Shrugged, is a work of fiction. Despite the potential for the dawning of a new future, the present power system will put you in jail today.

Phineas Fisher is an inspiration for a cyber-aware citizenry gathering and distributing information. Hopefully he will also inspire better operational security in those efforts as well.

Bias? What Bias? We’re Scientific!

May 23rd, 2016

This ProPublica story by Julia Angwin, Jeff Larson, Surya Mattu and Lauren Kirchner, isn’t short but it is worth your time to not only read, but to download the data and test their analysis for yourself.

Especially if you have the mis-impression that algorithms can avoid bias. Or that clients will apply your analysis with the caution that it deserves.

Finding a bias in software, like finding a bug, is a good thing. But that’s just one; there is no estimate of how many others may exist.

And as you will find, clients may not remember your careful explanation of the limits to your work. Or apply it in ways you don’t anticipate.

Machine Bias – There’s software used across the country to predict future criminals. And it’s biased against blacks.

Here’s the first story to try to lure you deeper into this study:

ON A SPRING AFTERNOON IN 2014, Brisha Borden was running late to pick up her god-sister from school when she spotted an unlocked kid’s blue Huffy bicycle and a silver Razor scooter. Borden and a friend grabbed the bike and scooter and tried to ride them down the street in the Fort Lauderdale suburb of Coral Springs.

Just as the 18-year-old girls were realizing they were too big for the tiny conveyances — which belonged to a 6-year-old boy — a woman came running after them saying, “That’s my kid’s stuff.” Borden and her friend immediately dropped the bike and scooter and walked away.

But it was too late — a neighbor who witnessed the heist had already called the police. Borden and her friend were arrested and charged with burglary and petty theft for the items, which were valued at a total of $80.

Compare their crime with a similar one: The previous summer, 41-year-old Vernon Prater was picked up for shoplifting $86.35 worth of tools from a nearby Home Depot store.

Prater was the more seasoned criminal. He had already been convicted of armed robbery and attempted armed robbery, for which he served five years in prison, in addition to another armed robbery charge. Borden had a record, too, but it was for misdemeanors committed when she was a juvenile.

Yet something odd happened when Borden and Prater were booked into jail: A computer program spat out a score predicting the likelihood of each committing a future crime. Borden — who is black — was rated a high risk. Prater — who is white — was rated a low risk.

Two years later, we know the computer algorithm got it exactly backward. Borden has not been charged with any new crimes. Prater is serving an eight-year prison term for subsequently breaking into a warehouse and stealing thousands of dollars’ worth of electronics.

This analysis demonstrates that malice isn’t required for bias to damage lives. Whether the biases are in the software, in its application, or in the interpretation of its results, the end result is the same: damaged lives.

I don’t think bias in software is avoidable, but here no one was even looking.

What role do you think budget justification/profit making played in that blindness to bias?
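If you take up the suggestion to test the analysis yourself, the check that matters for the Borden/Prater pattern is error rates broken out by group, not overall accuracy. The following is an added example (not ProPublica’s code) run over constructed records of the form (group, risk label, reoffended); the records are made up so that both groups get the same overall accuracy while their false positive and false negative rates diverge.

```python
"""Per-group error-rate audit for a binary risk score (constructed data, not COMPAS)."""
from collections import defaultdict

# Constructed records: (group, tool's risk label, reoffended within two years).
# Group "A": 10 non-reoffenders of whom 4 were scored high; 10 reoffenders, 2 scored low.
# Group "B": 10 non-reoffenders of whom 2 were scored high; 10 reoffenders, 4 scored low.
SAMPLE_RECORDS = (
    [("A", "high", False)] * 4 + [("A", "low", False)] * 6
    + [("A", "low", True)] * 2 + [("A", "high", True)] * 8
    + [("B", "high", False)] * 2 + [("B", "low", False)] * 8
    + [("B", "low", True)] * 4 + [("B", "high", True)] * 6
)


def error_rates_by_group(records):
    """Return {group: {"false_positive_rate", "false_negative_rate", "accuracy", "n"}}.

    false positive: scored high risk but did not reoffend (the Borden case)
    false negative: scored low risk but did reoffend (the Prater case)
    """
    counts = defaultdict(lambda: {"fp": 0, "fn": 0, "neg": 0, "pos": 0})
    for group, risk, reoffended in records:
        c = counts[group]
        if reoffended:
            c["pos"] += 1
            if risk == "low":
                c["fn"] += 1
        else:
            c["neg"] += 1
            if risk == "high":
                c["fp"] += 1
    rates = {}
    for group, c in counts.items():
        n = c["neg"] + c["pos"]
        rates[group] = {
            "false_positive_rate": c["fp"] / c["neg"] if c["neg"] else 0.0,
            "false_negative_rate": c["fn"] / c["pos"] if c["pos"] else 0.0,
            "accuracy": (n - c["fp"] - c["fn"]) / n if n else 0.0,
            "n": n,
        }
    return rates


def disparity(rates, group_a, group_b, metric="false_positive_rate"):
    """Difference in a metric between two groups; zero means parity on that metric."""
    return rates[group_a][metric] - rates[group_b][metric]


if __name__ == "__main__":
    rates = error_rates_by_group(SAMPLE_RECORDS)
    for group, r in sorted(rates.items()):
        print(f"{group}: n={r['n']} accuracy={r['accuracy']:.2f} "
              f"FPR={r['false_positive_rate']:.2f} FNR={r['false_negative_rate']:.2f}")
    print(f"FPR disparity A-B: {disparity(rates, 'A', 'B'):+.2f}")
```

Equal accuracy per group, as in the constructed data, says nothing about who bears the false positives; that is the figure to report alongside any headline accuracy.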

Balisage 2016 Program Posted! (Newcomers Welcome!)

May 23rd, 2016

Tommie Usdin wrote today to say:

Balisage: The Markup Conference
2016 Program Now Available
http://www.balisage.net/2016/Program.html

Balisage: where serious markup practitioners and theoreticians meet every August.

The 2016 program includes papers discussing reducing ambiguity in linked-open-data annotations, the visualization of XSLT execution patterns, automatic recognition of grant- and funding-related information in scientific papers, construction of an interactive interface to assist cybersecurity analysts, rules for graceful extension and customization of standard vocabularies, case studies of agile schema development, a report on XML encoding of subtitles for video, an extension of XPath to file systems, handling soft hyphens in historical texts, an automated validity checker for formatted pages, one no-angle-brackets editing interface for scholars of German family names and another for scholars of Roman legal history, and a survey of non-XML markup such as Markdown.

XML In, Web Out: A one-day Symposium on the sub rosa XML that powers an increasing number of websites will be held on Monday, August 1. http://balisage.net/XML-In-Web-Out/

If you are interested in open information, reusable documents, and vendor and application independence, then you need descriptive markup, and Balisage is the conference you should attend. Balisage brings together document architects, librarians, archivists, computer scientists, XML practitioners, XSLT and XQuery programmers, implementers of XSLT and XQuery engines and other markup-related software, Topic-Map enthusiasts, semantic-Web evangelists, standards developers, academics, industrial researchers, government and NGO staff, industrial developers, practitioners, consultants, and the world’s greatest concentration of markup theorists. Some participants are busy designing replacements for XML while others still use SGML (and know why they do).

Discussion is open, candid, and unashamedly technical.

Balisage 2016 Program: http://www.balisage.net/2016/Program.html

Symposium Program: http://balisage.net/XML-In-Web-Out/symposiumProgram.html

Even if you don’t eat RELAX grammars at snack time, put Balisage on your conference schedule. Even if a bit scruffy looking, the long-time participants like new document/information problems or new ways of looking at old ones. Not to mention that they, on occasion, learn something from newcomers as well.

It is a unique opportunity to meet the people who engineered the tools and specs that you use day to day.

Be forewarned that most of them have difficulty agreeing what controversial terms mean, like “document,” but that to one side, they are as good a crew as you are likely to meet.

Enjoy!

Alda (Music Programming Language) Update

May 23rd, 2016

Alda: A Music Programming Language, Built in Clojure by David Yarwood.

Presentation by David at Clojure Remote.

From the description:

Inspired by other music/audio programming languages such as PPMCK, LilyPond and ChucK, Alda aims to be a powerful and flexible programming language for the musician who wants to easily compose and generate music on the fly, using only a text editor.

Clojure proved to be an ideal language for building a language like Alda, not only because of its wealth of excellent libraries like Instaparse and Overtone, but also because of its Lispy transparency and facility for crafting DSLs.

From the Github page:

Slack: Sign up to the universe of Clojure chat @ http://clojurians.net/, then join us on #alda

Reddit: Come join us in /r/alda, where you can discuss all things Alda and share your Alda scores!

Alda is looking for contributors! Step up!

Incubate No Longer! Tinkerpop™!

May 23rd, 2016

The Apache Software Foundation Announces Apache® TinkerPop™ as a Top-Level Project

From the post:

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® TinkerPop™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project’s community and products have been well-governed under the ASF’s meritocratic process and principles.

Apache TinkerPop is a graph computing framework that provides developers the tools required to build modern graph applications in any application domain and at any scale.

“Graph databases and mainstream interest in graph applications have seen tremendous growth in recent years,” said Stephen Mallette, Vice President of Apache TinkerPop. “Since its inception in 2009, TinkerPop has been helping to promote that growth with its Open Source graph technology stack. We are excited to now do this same work as a top-level project within the Apache Software Foundation.”

As a graph computing framework for both real-time, transactional graph databases (OLTP) and batch analytic graph processors (OLAP), TinkerPop is useful for working with small graphs that fit within the confines of a single machine, as well as massive graphs that can only exist partitioned and distributed across a multi-machine compute cluster.

TinkerPop unifies these highly varied graph system models, giving developers less to learn, faster time to development, and less risk associated with both scaling their system and avoiding vendor lock-in.

In addition to that good news, the announcement also answers the inevitable question about scaling:


Apache TinkerPop is in use at organizations such as DataStax and IBM, among many others. Amazon.com is currently using TinkerPop and Gremlin to process its order fulfillment graph which contains approximately one trillion edges. (emphasis added)

A trillion edges: unless you are a stealth Amazon, Tinkerpop™ will scale for you.

Congratulations to the Tinkerpop™ community!

Breaking News: Europe != World

May 23rd, 2016

Google’s appeal, described in GNI welcomes appeal to the global reach of “the right to be forgotten” by Ryan McChrystal, puts all of Europe on notice, despite centuries of Euro-centric education, publication, history writing and institutions:

Europe != World

From the post:

The Global Network Initiative welcomes the announcement that Google is appealing a French data protection authority ruling requiring the global take down of links to search information banned in France under Europe’s “right to be forgotten”.

We are concerned that the ruling, made by Commission Nationale de L’Informatique et des Libertes (CNIL) in March, sets a disturbing precedent for the cause of an open and free Internet, and sends the message to other countries that they can force the banning of search results not just inside their own jurisdictions, but assert that jurisdiction across the globe.

Google began delisting search content in response to the Costeja ruling in July of 2014. Search links that are delisted in response to French citizens’ requests are removed from the local French domain (google.fr) as well as all of Europe. In early 2016 the company announced that it would further restrict access to links delisted in Europe by using geolocation technology to restrict access to the content on any Google Search domain when an individual searches from France. Despite this, the French authorities continue to demand global removal of these links from all Google search domains – regardless of from where in the world they are accessed.

“We are concerned about the impact of the CNIL order, which effectively allows the government of one country to dictate what the rest of the world is allowed to access online,” said GNI Board Chair Mark Stephens, CBE. “Enshrined in international law is the principle that one country cannot infringe upon the rights of citizens of another country,” he said.

Make no mistake, I am utterly a child of the West/Europe but all the more reason to resist its cultural and legal imperialism.

Differences in cultures, languages, legal systems, whether current or historical, enrich the human experience.

Censoring expression and in the “right to be forgotten” case, censoring history, or rather attempts to discover history, impoverishes it.

The “right to be forgotten” is ample evidence that Europeans need productive leisure pursuits.

Non-Europeans should suggest hobbies, sports, or activities to distract Europeans from search engine results and towards more creative activities.

Terrorism and Internet Censorship

May 23rd, 2016

Bold stance: Microsoft says terrorism is bad by Shaun Nichols.

From the post:

Microsoft is enacting a new policy to remove terrorist content from its consumer services.

The Redmond software giant said that the new terms and conditions for its hosted services will bar any content containing graphic violence or supporting material for any group considered a terrorist organization by the United Nations Sanctions List.

Additionally, Microsoft says that it will remove terrorist-related content from its Bing search engine whenever requested by government agencies and will try to display links promoting anti-terror non-government organizations when returning queries for terrorism-related search results.

Censorship on the Internet and sadly support for the same grows every week.

From the Microsoft announcement:


We believe it’s important that we ground our approach to this critical issue in central principles and values. We have a responsibility to run our various Internet services so that they are a tool to empower people, not to contribute, however indirectly, to terrible acts. We also have a responsibility to run our services in a way that respects timeless values such as privacy, freedom of expression and the right to access information. We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear. Although Microsoft does not run any of the leading social networks or video-sharing sites, from time to time, terrorist content may be posted to or shared on our Microsoft-hosted consumer services. In light of this, we want to be transparent about our approach to combatting terrorist content.

I have doubts about the statement:

We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear.

If they had “…carefully considered…” the question, they would not engage in censorship at all.

If you disagree, consider the United Nations Sanctions List, circa 1939:

CNi.001 Name: 1: Mao Zedong 2: Mao 3: na 4: na Name (original script) 毛泽东 Nationality: Chinese Passport no: na National Identification: na Address: China Listed on: January 1, 1927 Other information: Created the Southwest Jiangxi Provincial Soviet Government. Skilled in-fighter with many internal rivals.

CNe.001 Name: Southwest Jiangxi Provincial Soviet Government
Address: na Listed on: June 1, 1930 Other Information: na

Or the United Nations Sanctions List, circa 1800:

UKe.001 Name: Continental Congress 2: na 3: na 4: na
Address: British colonies, America Listed on: January 1, 1776 Other Information: Criminal association of traitors, former British military officers and opportunists.

UKi.001 Name: George Washington 2: na 3: na 4: na DOB: February 22, 1732 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Former colonel in British Army, skilled tactician, co-conspirator with other known traitors.

UKi.002 Name: Thomas Jefferson 2: “Tom” Jefferson 3: na 4: na DOB: April 13, 1743 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Propagandist of first order.

UKi.003 Name: Thomas Paine 2: “Tom” Paine 3: Thomas Pain 4: na DOB: January 29, 1737 Nationality: UK Address: various Listed on: January, 1774 Other information: Known associate of revolutionaries in American colonies of the UK, collaborator with French revolutionaries (1790’s), author of “Common Sense” and wanted for conviction on seditious libel (1792).

The question for Microsoft today is which of the publications and news reports from the revolution in China and/or the American Revolutionary War would they censor as supporting terrorists and/or terrorism?

With even a modicum of honesty, all will concede that acts of terrorism were committed both in China and in what is today known as the United States.

Unless you would censor Mao Zedong, George Washington, Thomas Jefferson, and Thomas Paine, then “terrorist” and “terrorism” offer no basis for censoring content.

In truth, “terrorist,” and “terrorism,” are labels for atrocities committed by others, nothing more.

Strive for a free and non-censored Internet.

Let history judge who was or wasn’t a terrorist and even then that changes over time.

Does social media have a censorship problem? (Only if “arbitrary and knee-jerk?”)

May 22nd, 2016

Does social media have a censorship problem? by Ryan McChrystal.

From the post:


It is for this reason that we should be concerned by content moderators. Worryingly, they often find themselves dealing with issues they have no expertise in. A lot of content takedown reported to Online Censorship is anti-terrorist content mistaken for terrorist content. “It potentially discourages those very people who are going to be speaking out against terrorism,” says York.

Facebook has 1.5 billion users, so small teams of poorly paid content moderators simply cannot give appropriate consideration to all flagged content against the secretive terms and conditions laid out by social media companies. The result is arbitrary and knee-jerk censorship.

Yes, social media has a censorship problem. But not only when it lacks “expertise”; it has one whenever it attempts censorship at all.

Ryan’s post (whether Ryan thinks this or not I don’t know) presumes two kinds of censorship:

Bad Censorship: arbitrary and knee-jerk

Good Censorship: guided by expertise in a subject area

Bad is the only category for censorship. (period, full stop)

Although social media companies are not government agencies and not bound by laws concerning free speech, Ryan’s recitals about Facebook censorship should give you pause.

Do you really want social media companies, whatever their intentions, not only censoring present content but obliterating comments history on a whim?

Being mindful that today you may agree with their decision but tomorrow may tell another tale.

Social media has a very serious censorship problem, mostly borne of the notion that social media companies should be the arbiters of social discourse.

I prefer the hazards and dangers of unfettered free speech over discussions bounded by the Joseph Goebbels imitators of a new age.

Suggestions for non-censoring or the least censoring social media platforms?

Modeling data with functional programming – State based systems

May 22nd, 2016

Modeling data with functional programming – State based systems by Brian Lee Yung Rowe.

Brian has just released chapter 8 of his Modeling data with functional programming in R, State based systems.

BTW, Brian mentions that his editor is looking for more proof reviewers.

Enjoy!

TSA Cybersecurity Failures – The Good News

May 21st, 2016

The TSA is failing spectacularly at cybersecurity by Violet Blue.

From the post:

Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service.

The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff’s handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.

What we’re talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.

Violet reports on a cornucopia of cybersecurity issues with the TSA and its information systems. Including:


As part of this year’s final report, auditors watched TSA staff as they scanned STIP servers located at two DHS data centers and the Orlando International Airport. The scans “detected a total of 12,282 high vulnerabilities on 71 of the 74 servers tested.”

The redacted final report omits the names of the servers and, due to space concerns (it’s only 47 pages long), omits the particulars of the 12,282 high vulnerabilities found. (That’s my assumption, the report doesn’t say that.)

What the report fails to mention is the good news about TSA cybersecurity failures:

Despite its woeful performance on cybersecurity and its utter failure to ever stop a terrorist, there have been no terrorist incidents on US airlines at points guarded by the TSA.

The TSA and its faulty cybersecurity equipment could be retired, en masse, and its impact on the incidence of terrorism on U.S. based air travel would be exactly zero.

Unless you need hacking practice on poorly maintained systems, avoid the TSA and its broken IT systems. Who wants to brag about stealing a candy bar from a vending machine? Do you?

Any cyberoffense against the TSA and its systems will expose you to long prison sentences for breaching systems that make no difference. That’s the definition of a bad deal. Just don’t go there.

Must Stingrays Be Mobile?

May 20th, 2016

While listening to ICYMI #17: Mike Katz-Lacabe – The Center for Human Rights & Privacy courtesy of North Star Post (NSP), the host commented on a possible detection of a stingray device because it was mobile.

The ACLU describes such devices as:

…devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect’s cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.

Do you see anything about “mobile” in that description?

Granting that there are use cases for mobile surveillance devices, where else are you likely to encounter stingrays?

Airports, public transportation: Calls and messages to and from passengers.

Courthouses: Where lawyers, defendants and witnesses may be sending/receiving calls and text messages they would prefer to keep private.

Jails: Calls and text messages by inmates and visitors.

Schools: Calls and texts between students and others.

Other places?

Working on a data set that may help with avoiding mobile or stationary stingrays. More on that next week.

Ethereum Contracts – Future Hacker Candy

May 20th, 2016

Ethereum Contracts Are Going To Be Candy For Hackers by Peter Vessenes.

From the post:

Smart Contracts and Programming Defects

Ethereum promises that contracts will ‘live forever’ in the default case. And, in fact, unless the contract contains a suicide clause, they are not destroyable.

This is a double-edged sword. On the one hand, the default suicide mode for a contract is to return all funds embedded in the contract to the owner; it’s clearly unworkable to have a “zero trust” system in which the owner of a contract can at will claim all money.

So, it’s good to let people reason about the contract longevity. On the other hand, I have been reviewing some Ethereum contracts recently, and the code quality is somewhere between “optimistic as to required quality” and “terrible” for code that is supposed to run forever.

Dan Mayer cites research showing industry average bugs per 1000 lines of code at 15-50 and Microsoft released code at 0.5 per 1000, and 0(!) defects in 500,000 lines of code for NASA, with a very expensive and time consuming process.

Ethereum Smart Contract Bugs per Line of Code exceeds 100 per 1000

My review of Ethereum Smart Contracts available for inspection at dapps.ethercasts.com shows a likely error rate of something like 100 per 1000, maybe higher.

If you haven’t seen Ethereum, now is the time to visit.

From the homepage:

Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property. This enables developers to create markets, store registries of debts or promises, move funds in accordance with instructions given long in the past (like a will or a futures contract) and many other things that have not been invented yet, all without a middle man or counterparty risk.

The project was crowdfunded during August 2014 by fans all around the world. It is developed by the Ethereum Foundation, a Swiss nonprofit, with contributions from great minds across the globe.

It is early in the life cycle, and some contracts will be better written than others.

Vulnerabilities will be Authors x Contracts so the future looks bright for hackers.

The Islamic State’s suspected inroads into America – Data Set!

May 19th, 2016

The Islamic State’s suspected inroads into America by Adam Goldman, Jia Lynn Yang, and John Muyskens.

From the post:

Federal prosecutors have charged 84 men and women around the country in connection with the Islamic State. So far, 32 have been convicted. Men outnumber women in those cases by about 7 to 1. The average age of the individuals is 27. One is a minor. The FBI says that, in a handful of cases, it has disrupted plots targeting U.S. military or law enforcement personnel.

The post breaks down proceedings by state and lists each person separately, along with the source of the information.

If you are looking for a small but significant data set on terrorism, I think this is the place.

If you develop further information on these cases, repay the original authors by sharing your discoveries.

Thoughts On How-To Help Drown A Copyright Troll?

May 19th, 2016

Copyright Trolls Rightscorp Are Teetering On The Verge Of Bankruptcy riff on (arstechnica.com).

Suggestions?

Think of it as a service to the entire community, including legitimate claimants to intellectual property.

I tried to think of any methods I would exclude and came up empty.

You?