Archive for May, 2016

“This guy’s arrogance takes your breath away”

Tuesday, May 31st, 2016

“This guy’s arrogance takes your breath away” – Letters between John W Backus and Edsger W Dijkstra, 1979 by Jiahao Chen.

From the post:

Item No. 155: Correspondence with Edsger Dijkstra. 1979

At the time of this correspondence, Backus had just won the 1977 Turing Award and had chosen to talk about his then-current research on functional programming (FP) for his award lecture in Seattle. See this pdf of the published version, noting that Backus himself described “significant differences” with the talk that was actually given. Indeed, the transcript at the LoC was much more casual and easier to follow.

Dijkstra, in his characteristically acerbic and hyperbolic style, wrote a scathing public review (EWD 692) and some private critical remarks in what looks like a series of letters with Backus.

From what I can tell, these letters are not part of the E. W. Dijkstra archives at UT Austin, nor are they available online anywhere else. So here they are for posterity.

You won’t find long-form exchanges such as these in present-day near-instant bait-and-reply cycles of email messages.

That’s unfortunate.

Chen has created a Github repository if you are interested in transcribing pre-email documents.

You can help create better access to the history of computer science and see how to craft a cutting remark, as opposed to blurting out the first insult that comes to mind.


Depressed Password Market?

Tuesday, May 31st, 2016

The relationship between the password market and Wall Street isn’t clear but it appears the password market is depressed.

Swati Khandelwal reports in Hacker Selling 65 Million Passwords From Tumblr Data Breach that 65 million Tumblr email addresses and passwords are selling:

for 0.4255 Bitcoin ($225) on the darknet marketplace The Real Deal.

That works out to 0.00038 cent per email/password.

Either this is very low-grade ore or the password market is depressed.

Any research on correlation with Wall Street?

Avoiding Imperial (Computer Fraud and Abuse Act (CFAA)) Entanglement – Identification

Monday, May 30th, 2016

FBI raids dental software researcher who discovered private patient data on public server by Dissent Doe.

Dissent Doe summarizes the facts of this case saying:

…Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.

Take these recent events with Shafer as an incentive to read up on the Andrew “weev” Auernheimer proceedings (reversed on venue grounds on appeal).

Non-lawyers may enjoy United States v. Auernheimer, and Why I Am Representing Auernheimer Pro Bono on Appeal Before the Third Circuit by Orin Kerr more than the legal briefs.

The legal briefs in Auernheimer are linked at the bottom of this post.

The briefs run five hundred and thirty-nine (539) pages.

That’s five hundred and thirty-nine (539) pages researched, written, edited and polished, all while Auernheimer was in jail.

While reading Orin’s much shorter account and/or the briefs, keep this question in mind:

What pre-condition must exist for the Auernheimer case?

There is one and, while obvious, it is often assumed.

I like reading briefs, chasing down references, etc., but unlike Auernheimer was, I’m not sitting in jail, hoping that the appeals court will rule in my favor.

That’s a big difference to keep in mind when debating “great issues.” Some in the debate have more “skin in the game” than others.

I fully agree the poorly written and even more poorly applied Computer Fraud and Abuse Act (CFAA) should be reformed. Dissent Doe mentions a number of supporters for such reform in her post.

However, there are lots of things that should be true:

  • Robert Mugabe should no longer hold political power anywhere. So long as we are wishing, Mugabe should live long enough to pay for his many crimes. (A very long time.)
  • War criminals named in the Iraq Inquiry report should be extradited from their home countries and face war crimes tribunals in the Hague. This report is due out 6 July 2016.
  • Military spending in every country should be reduced to equal that of Laos.

You may have a different list of “things that should be true,” but aren’t.

While the Computer Fraud and Abuse Act (CFAA) should be re-written and sanely applied, it hasn’t been.

Accepting that, the question becomes: how do you avoid being snared by it?

Here’s a visual analogy for Shafer and Patterson/FBI:


Can you guess which of the things depicted in this image is Shafer and which is the Patterson/FBI?

The precondition for the Auernheimer case?

A nail that can be distinguished from all the other nails.

Knowing there are lots of nails doesn’t result in any search or arrest warrants. Having a nail you can point to does.

You may feel like (as I do) that’s unfair, the law should be different (sane), etc. Cf. my list and your lists of things that should be true.

I freely admit the cause of intellectual freedom can use martyrs and if you want to be one, test the limits of Computer Fraud and Abuse Act (CFAA), etc., be my guest.

On the other hand, being free to land body blows (legal ones of course) on corrupt and inept government agencies, their agents and masters, serves the cause of intellectual freedom as well.

Dissent Doe captures where I think Shafer went wrong:

Shafer discovered the exposed patient data at the beginning of February and contacted to request help with the notification and responsible disclosure. Both and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time. Over the next few days, we emailed or called Patterson; Timberlea Dental Clinic in Alberta, Canada; Dr. M Stemalschuk in Canada; Massachusetts General Hospital Dental Group; and Dr. Rob McCanon.

Only after Shafer determined that the patient data had been secured did he and disclose the incident publicly. As reported on, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others. It is not clear how long the publicly accessible FTP server was available, and Patterson Dental did not answer the questions asked of it on the matter. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years. In an email statement, he wrote (typos corrected):

“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”

Shafer was waving a red flag to mark his location with “hit me” hand painted on the flag.

The result, so far, you know.

Even if the case goes no further, some other PR-hungry Assistant United States Attorney (AUSA) could snatch someone else up for equally specious reasons.

If they wave a red flag with “hit me” hand painted on it.

The first step to avoiding entanglement in the Computer Fraud and Abuse Act (CFAA) is to not be identified with any of the acts that the EFF summarizes as:

There are seven types of criminal activity enumerated in the CFAA: obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer. Attempts to commit these crimes are also criminally punishable.

If you are not identified with any acts arguably covered by the Computer Fraud and Abuse Act (CFAA), your odds of being arrested for such acts are greatly diminished.

Take the present facts. It is clearly insane to claim that access to public data is ever unauthorized.

Multiple Choice Question:

Who is in jail as a result of: an insane view of the law + complaining witness + AUSA = warrant for your arrest?

A. The AUSA?

B. The complaining witness?

C. You?

If, by accessing a server (it doesn’t matter whether public, private or arguable), you discover medical records, then, without revealing your identity, notify plaintiffs’ attorneys in the jurisdictions where the patients live or where the potential defendants are located.

If that seems to lack the “bang” of public shaming, consider that setting plaintiffs’ lawyers on them makes terriers hunting rats look quite tame. (Not for the faint of heart.)

You accomplish your goal of darkening the day for some N number of wrong-doers, increasing (perhaps) the protection offered patients, at a greatly diminished risk. A diminished risk that enables you to continue to do good deeds.

There are no, repeat no, legal systems that give a shit if you and all of your friends on social media think it is “unfair.” I may well agree with you, but once entangled in any legal system, even if you “win,” you have lost: time, money, stress, etc.

Non-identification, however you accomplish that, is one step towards avoiding such entanglements.

Think of non-identification as the red team side of topic maps. The blue team tries to identify subjects while the red team attempts to avoid identification. A number of practical and theoretical issues ensue.

Auernheimer Legal Briefs

Auernheimer’s (Appellant) Initial Brief

Amicus Curiae Brief of Security Researchers Supporting Appellant

Amicus Curiae Brief of Mozilla Foundation, Computer Scientists, and Privacy Experts in Support of Appellant and Reversal

Brief of Amicus Curiae Digital Media Law Project in Support of Defendant-Appellant

Amicus Curiae Brief of National Association of Criminal Defense Lawyers in Support of Appellant

Addendum of National Association of Criminal Defense Lawyers

Government’s Auernheimer Answering Brief

Auernheimer’s Reply Brief

Auernheimer’s Amended Reply Brief

…The Word “Foolish” Is Spelled “SWIFT” [Two-Factor Authentication As Improvement. Really?]

Sunday, May 29th, 2016

Apparently The Word “Foolish” Is Spelled “SWIFT” by Paul Rosenzweig.

Paul welcomes SWIFT to the modern world for its “expanded support” for two-factor authentication.

Two-factor authentication has a legitimate role, for Amazon, Twitter, perhaps Facebook accounts, but for un-monitored transfers of $millions?

In a very crude sense, two-factor authentication is an “improvement” over the present SWIFT protocols, but only just.

Five attacks on two-factor authentication systems come to mind:

  1. Key logging and redirection. Not only software and USB drives but USB chargers too. (Think about the highly paid and respected cleaning staffs at banks.)
  2. Man-in-the-middle attacks. Man-in-the-Middle Tutorial
  3. Man-in-the-browser attacks. How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication, by Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos.
  4. Account recovery. Good old social engineering. What makes you think SWIFT isn’t vulnerable to this?
  5. Third parties. Hacking the origin of the second factor. Isn’t that like breaking Enigma? You want to use the results but preserve your source?

I didn’t remember these off the top of my head. I did look at: Five Most Common Security Attacks on Two-Factor Authentication, but I would avoid that site because every page displays a new ad pop-up. Quite annoying.

I reproduced the list, sans their annotations, and gave you some useful links on each possible attack.

Two-factor authentication is an improvement over current SWIFT security, when it is used, but that hardly qualifies for a welcome into the ranks of modern cybersecurity. Or as Paul puts it:

Apparently, however, SWIFT was not so swift. Only now, after the Bangladeshi attack (and others on banks in the Philippines and Vietnam) will the bank move to expand its use of two-factor authentication. I would have assumed that for an organization like SWIFT, where security was a critical component of the business model, two-factor authentication would have been implemented long ago. That it has not been until now is simply incredible and says something very bad about SWIFT — for the failure is not just a lapse of technical implementation. The gap suggests very large failures of risk management and organizational governance — and that is not a good thing in an institution that is at the core of the world’s financial system.

I take that to mean there are technical, management and organizational vulnerabilities awaiting discovery and exploitation in SWIFT.

Take heart hackers of the world! Perhaps reporting a vulnerability will get you a new toaster.

(Non-Americans, the “toaster with a new bank account” isn’t a myth. According to Eddy Elfenbein, banks gave away toasters to pass cost savings onto depositors. How’s that for banking trivia?)

Bad Operational Security – Real Life Example – ISIS ‘fanboys’

Saturday, May 28th, 2016

How Twitter users tracked down 4 ISIS ‘fanboys’ from a PR campaign gone wrong by Alastair Reid.

From the post:

Militant death cult Daesh released an audio message from spokesperson Abu Muhammad al-Adnani on Saturday, a much-anticipated event among the group’s supporters.

So overcome with excitement were they that some photographed handwritten messages of support and published them to channels on Telegram, the encrypted messaging app where many pro-Daesh communities interact.

The only problem? Many included clues as to their location and have since been tracked down by Twitter users around the world. Eliot Higgins, founder of Bellingcat and a member of the First Draft Coalition, first saw “ISIS watchers” sharing the pictures on social media and corralled his followers into tracking down their location.

Four locations have so far been found, revealing not only the same scenery as in the pictures, but the likely position of the photographer. The locations include a private home, an apartment building and a hotel. Authorities have been alerted.

“There were more images, not that many,” Higgins said, “but the ISIS supporters were retweeting like crazy and trying to get this whole thing trending in Paris and claiming Amsterdam and London.

Ignore the political tone of this post and focus on the breaches of operational security that exposed the posters so quickly.

If I were writing a book on operational security, this would be chapter 2. Chapter 1 would be on not making time stamped chat logs while you are carrying out hacks, etc.

Don’t hold me to the chapter hierarchy, I suspect even dumber mistakes have been made.

Along with the photos themselves, this post would make a great training tool.

Possible homework assignment: Students take “propaganda” photos, exchange them with classmates, attempt to discover location, etc.

Better to discover your inability to maintain operational security in a classroom setting than elsewhere.

Asking the Impossible, Avoiding the Obvious – MS on Ransom:Win32/ZCryptor.A.

Saturday, May 28th, 2016

Link (.lnk) to Ransom.

From the post:

We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.

The post goes on to note these avenues of infection:

Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).

If you think that sounds bad, consider one of the recommended means for avoiding Ransom:Win32/ZCryptor.A:

Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)

And the other reasons for using the Internet would be? 😉

BTW, the bulletin avoids the most obvious solution to Ransom:Win32/ZCryptor.A:

Don’t run Windows.


Something to bear in mind when the GAO wants agencies to upgrade from pre-Windows software to “modern,” but insecure software.

Pamela Samuelson on Java and Fair Use – Test For Prospective Employers

Saturday, May 28th, 2016

Pamela Samuelson has posted a coherent and compelling narrative on why the Java API victory of Google over Oracle is a very good thing.

Here’s where she comes out:

Developers of software need some simple norms to live by. One such norm is that independent reimplementation of an API in one’s own original code does not infringe copyright. That’s the law as well as good public policy. The public has greatly benefited by the existence of this norm because anyone with a creative software idea can write programs that will run on existing platforms. The software industry has thrived under this norm, and the public has a wide array of choices of innovative programs in a competitive marketplace.

Put Pamela’s analysis to good use.

Ask at your next interview if the prospective employer agrees with Pamela’s post.

It’s 877 words and can double as an attention span test for the interviewer.

Ask before you leap.

Danger! Danger! Oracle Attorney Defends GPL

Saturday, May 28th, 2016

Op-ed: Oracle attorney says Google’s court victory might kill the GPL by Annette Hurst.

From the header:

Annette Hurst is an attorney at Orrick, Herrington & Sutcliffe who represented Oracle in the recent Oracle v. Google trial. This op-ed represents her own views and is not intended to represent those of her client or Ars Technica.

The Oracle v. Google trial concluded yesterday when a jury returned a verdict in Google’s favor. The litigation began in 2010, when Oracle sued Google, saying that the use of Java APIs in Android violated copyright law. After a 2012 trial, a judge held that APIs can’t be copyrighted at all, but that ruling was overturned on appeal. In the trial this month, Google successfully argued that its use of Java APIs, about 11,500 lines of code in all, was protected by “fair use.”

I won’t propagate Annette’s rant but you can read it for yourself at:

What are free software supporters to make of their long-time deranged, drooling critic expressing support for the GPL?

Should they flee as pursued by wraiths on wings?

Should they stuff their cloaks in their ears?

Are these like the lies of Saruman?

Or perhaps better, Wormtongue?

My suggestion? Point to Annette’s rant to alert others but don’t repeat it, don’t engage it, just pass over it in silence.

Repeating evil counsel gives it legitimacy.


Dissertations – Searching Tip

Friday, May 27th, 2016

It has been years since I have ordered a dissertation, but I ran across one today that isn’t already on the web.

I landed at ProQuest but there was no obvious place to search for a dissertation.

Ah, that’s because you have to follow “Order Now” before this interface is displayed:


I wasn’t “ready” to order so I missed the obvious link for several minutes.

Tip for ProQuest: Search Dissertations link should be on your homepage. (Who approved your homepage design? Management?)

Playpen Defendants 3, FBI 0

Friday, May 27th, 2016

Judge tosses evidence in FBI Tor hacking child abuse case by Bill Camarda.

From the post:

A US federal judge on Wednesday excluded all evidence in a child pornography case that was acquired by the FBI through an exploit compromising the Tor network. The federal government hasn’t announced what it’ll do next, but if it can’t prevail in an appeal, its case against Vancouver, Washington teacher Jay Michaud may well be doomed.

Defendant prevails on the grounds of the FBI refusing to disclose its exploit.

Criminal law 101: the state can’t produce “evidence” gathered by some unknown means and use it to “prove” the guilt of a defendant.

Every defendant gets to contest the evidence produced against them. In this case, the FBI has chosen to deny a defendant that right.

There are two other Playpen decisions to be aware of:

1) Suppression of Evidence Obtained by FBI’s Use of Network Investigative Techniques (NIT) by Scott Hughes.

From the post:

Last month, a United States district court judge threw out evidence in a child abuse imagery case that the Federal Bureau of Investigation (FBI) had obtained using a hacking tool. While the court ruled to suppress the evidence, it did not prohibit the FBI from using the hacking tool—called a “network investigative technique” (NIT)—to install malware code on suspects’ computers. Rather, the court’s ruling stated that the magistrate judge wrongly granted the FBI’s NIT warrant because the case was not within her jurisdiction, thus violating Federal Rule of Evidence 41(b). Still, this ruling marks a possible stumbling block to an FBI probe and the resulting charges against approximately 137 individuals in the United States.

United States vs. Alex Levin (decision)

This result will be different if an amended Rule 41 is approved (Congress must act by 1 December 2016).

The BBC headline: US Supreme Court approves expanded hacking powers was the first one to catch my attention, although it failed to point to the Supreme Court document in question. To cure that shortfall, see this transmittal letter and amendments to the Federal Rules of Criminal Procedure.

BTW, Scott’s post is an excellent example of how to write a useful blog post on legal issues. Quoting, summarizing and characterizing are all well and good, but many of us are interested in the sources and nothing but the sources.

2) Second Judge Recommends To Discard Evidence Obtained From FBI Mass Hack

From the post:

Paul J Cleary, a Magistrate Judge, is the second judge to suggest that evidence obtained in the FBI mass hack, using malware planted by the federal agency on the infiltrated child porn site PlayPen, be thrown out.

In the mass hack case, the FBI uploaded the malware in February 2015 as part of Operation Pacifier.

On the 25th of last month, the same judge recommended for suppression of evidence (obtained in the FBI mass hack) in a similar case.

The case involves Scott Fredrick Arterbury.

United States vs. Scott Frederick Arterbury (decision)

Another Rule 41 based decision, which would be decided differently under proposed changes to Rule 41 rules on search warrants.


Although the Rule 41 violation is clear-cut, I much prefer the suppression of evidence for failure to disclose the alleged hack of the Tor network. There are many ways to gather the information the FBI claims to possess, and proof of how they came to possess it is a critical link in the chain of evidence.

I have read differing numbers on the defendants charged out of Playpen, but accepting 137 as the high, there are as many as 134 defendants remaining.

Suggestions on how to document the remaining cases? I have searched both the FBI and Justice Department for any mention of the Playpen operation. Number of “hits”: 0.

If you didn’t know better, you would say “the FBI and Justice Department are ashamed of Operation Playpen.” Do you think?

PS: If you need a general background on this story, see: The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers by Joseph Cox.

Reimplementation of an API is FAIR USE!

Thursday, May 26th, 2016

Google wins Oracle copyright fight over Android code by Russell Brandom.

Just one civil jury’s opinion but a major one considering there was $9 billion at stake.

Not a precedent for other cases but it may discourage this type of over-reaching.

Every now and again, even random dice roll a 7 for the good guys.

See Russell’s post for the details.

Help Defend MuckRock And Your Right To Know!

Wednesday, May 25th, 2016

A multinational demands to know who reads MuckRock and is suing to stop us from posting records about them by Michael Morisy.

Michael captures everything you need to know in his first paragraph:

A multinational owned by Toshiba is demanding MuckRock remove documents about them received under a public records act request, destroy any copies we have, and help identify MuckRock readers who saw them.

After skimming the petition and the two posted documents (Landis+Gyr Managed Services Report 2015 Final and Req 9_Security Overview), I feel like the man who remarked to George Bailey in It’s A Wonderful Life, “…you must mean two other trees,” taking George for being drunk. 😉

As far as I can tell, the posted documents contain no pricing information, no contact details, etc.

Do you disagree?

There are judges who insist that pleadings have some relationship to facts. Let’s hope that MuckRock draws one of those.

Do you wonder what other local governments are involved with Landis+Gyr?

There is a simple starting point: Landis+Gyr.

Hidden Inspector General Report on Clinton’s Emails?

Wednesday, May 25th, 2016

If you haven’t heard about the controversy surrounding Hillary Clinton’s handling of emails during her term as Secretary of State, you are one of the lucky ones.

The rest of us have been treated to a literal circus of pettifogging over her “private” email server for years now. Truly a tempest in a teapot.

But, along comes a much awaited report by the Inspector General for the State Department on those same emails, and where can you find it?

Not on the Inspector General for the State Department homepage (as of 25 May 2016, 9:00 PM EST)!

No, you will have to find that report, the one everyone has been waiting for, Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements, as posted by Politico.

I have no objection to Politico having the “scoop” on this report and/or distributing a document of great public interest. All fine and good.

But why does the Inspector General choose to hide this report from the general public?

Is the Inspector General ashamed of the report?

A report that encompasses other secretaries of state, as though to argue bad and/or criminal behavior can be excused because it is customary?

I’m not familiar with the “customary therefore not criminal” defense.

Perhaps that only obtains at Cabinet level positions.

In any event, please help Steve Linick, the current Inspector General for the State Department, own this report now and forever.

Cops Driving Cabs – Not Just Moonlighting (Awk)

Wednesday, May 25th, 2016

NYPD has at least five undercover ‘Cop Cabs’ by Matthew Guariglia.

Matthew walks you through the process of inferring the New York Police department has at least five (5) vehicles that look like taxi cabs.

Or at least they have taxi cab emblems.

A patrol car with a taxi cab emblem would look out of place.

A good lesson in persistence, asking more than one source and collating information.

Just for grins, I downloaded the Medallion Vehicles – Authorized file as a CSV file, which is said to contain 14265362 lines and, as of today, runs a little over 2 GB.

I was curious under what name the TLC issued the cop medallions. They are unlikely to have been added to a third-party account because of property tax issues. Would they have made up different owners for each of the five medallions? Or would they use a common owner for all five?

Possible that they created the five medallions “off the books,” but that seems unlikely as well. They would want to tie them to license plates.

First observation on the data: The “name” field appears variously with enclosing quotes and no quotes at all.

For example:

License Number,Name,Expiration Date,Current Status,DMV License Plate Number,Vehicle VIN Number,Vehicle Type,Model Year,Medallion Type,Agent Number,Agent Name,Agent Telephone Number,Agent Website Address,Agent Address,Last Date Updated,Last Time Updated

MUST DRIVE,000,,,,,03/12/2014,13:20
NAMED DRIVER,000,,,,,03/03/2014,13:20
MUST DRIVE,000,,,,,05/24/2014,13:20
WOODSIDE NY 11377,01/21/2014,13:20
MUST DRIVE,0,,,,,07/19/2013,13:20

This data snippet has no significance other than the variation in the name field and the fields of the CSV file.

I used awk to extract the name field to a separate file:

awk 'BEGIN { FS = "," }; { print $2 }' < Medallion__Vehicles_-_Authorized.csv > taxi-names

Then I sorted that file and used uniq plus -c (for count), to create a sorted list of the names with the number of times they occur.

sort < taxi-names | uniq -c > taxi-unique-names

You will pick up a lot of data entry errors in this view, extra spaces in a name, etc.

Then, because I am interested in names that occur only five (5) times, I re-sort the file to list names by the number of times they occur (this loses the view that reveals data entry errors):

sort -bn < taxi-unique-names > taxi-by-number

The -bn switches tell sort to ignore leading spaces and to sort in numeric order.
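As an added example, not code from the post or from the TLC, here is the pipeline above run end to end on a small constructed CSV file in the same column layout (every medallion number, owner, plate and VIN in it is made up). It goes one step beyond the post: a quote-aware field extractor in awk, so an owner written both as "ACME CAB CORP" and ACME CAB CORP, or with a comma inside the quotes, is counted once, and the post's own FS="," split is kept alongside for comparison:

```shell
#!/bin/sh
# Added example, not code from the post or from the NYC TLC: the post's
# awk | sort | uniq -c | sort -bn pipeline run on a small constructed CSV
# in the "Medallion Vehicles - Authorized" column layout. Every medallion
# number, owner, plate and VIN below is made up for illustration.
set -eu

SAMPLE_CSV="${TMPDIR:-/tmp}/taxi-sample-$$.csv"
trap 'rm -f "$SAMPLE_CSV"' EXIT

# The Name column (field 2) is written both quoted and unquoted, as the post
# observes, and one constructed owner has a comma inside the quotes.
cat > "$SAMPLE_CSV" <<'EOF'
License Number,Name,Expiration Date,Current Status,DMV License Plate Number,Vehicle VIN Number,Vehicle Type,Model Year,Medallion Type,Agent Number,Agent Name,Agent Telephone Number,Agent Website Address,Agent Address,Last Date Updated,Last Time Updated
1A10,"ACME CAB CORP",01/31/2017,CUR,T100000C,VIN0000000000001,HYB,2014,NAMED DRIVER,000,,,,,03/12/2014,13:20
1A11,ACME CAB CORP,01/31/2017,CUR,T100001C,VIN0000000000002,HYB,2014,NAMED DRIVER,000,,,,,03/12/2014,13:20
1A12,"ACME CAB CORP",01/31/2017,CUR,T100002C,VIN0000000000003,HYB,2014,MUST DRIVE,000,,,,,05/24/2014,13:20
1A13,ACME CAB CORP,01/31/2017,CUR,T100003C,VIN0000000000004,HYB,2014,MUST DRIVE,000,,,,,05/24/2014,13:20
1A14,"ACME CAB CORP",01/31/2017,CUR,T100004C,VIN0000000000005,HYB,2014,MUST DRIVE,000,,,,,05/24/2014,13:20
2B20,"DOE, JANE",06/30/2017,CUR,T200000C,VIN0000000000006,HYB,2013,NAMED DRIVER,000,,,,,07/19/2013,13:20
2B21,SMITH JOHN,06/30/2017,CUR,T200001C,VIN0000000000007,HYB,2013,MUST DRIVE,0,,,,,07/19/2013,13:20
2B22,SMITH JOHN ,06/30/2017,CUR,T200002C,VIN0000000000008,HYB,2013,MUST DRIVE,0,,,,,07/19/2013,13:20
EOF

# csv_field FILE N: print field N (1-based) of every line after the header,
# honouring double quotes so a quoted name containing a comma stays whole,
# stripping the quotes and trimming surrounding blanks. Hand-rolled because
# FPAT is a gawk extension; assumes no escaped "" inside a quoted field.
csv_field() {
  awk -v N="$2" '
    NR > 1 {
      n = 0; field = ""; inq = 0; line = $0; len = length(line)
      for (i = 1; i <= len; i++) {
        c = substr(line, i, 1)
        if (c == "\"")        { inq = !inq; continue }
        if (c == "," && !inq) { n++; if (n == N) break; field = ""; continue }
        field = field c
      }
      if (n == N - 1) n++            # field N ran to the end of the line
      if (n == N) { gsub(/^[ \t]+|[ \t]+$/, "", field); print field }
    }' "$1"
}

# name_counts FILE: the post's pipeline, one "count name" line per owner,
# sorted by count (sort -b ignores the leading blanks that uniq -c emits).
name_counts() {
  csv_field "$1" 2 | sort | uniq -c | sort -bn
}

# names_with_count FILE K: owners holding exactly K medallions (K = 5 in the post).
names_with_count() {
  name_counts "$1" | awk -v k="$2" '$1 == k { sub(/^[ \t]*[0-9]+[ \t]+/, ""); print }'
}

# naive_names_with_count FILE K: the same question using the post's FS=","
# split (header skipped). The quotes stay on quoted names and "DOE, JANE" is
# cut at the comma, so one owner is counted under several spellings.
naive_names_with_count() {
  awk 'BEGIN { FS = "," }; NR > 1 { print $2 }' "$1" | sort | uniq -c | sort -bn |
    awk -v k="$2" '$1 == k { sub(/^[ \t]*[0-9]+[ \t]+/, ""); print }'
}

printf 'Owners with exactly five medallions, quote-aware: %s\n' "$(names_with_count "$SAMPLE_CSV" 5)"
printf 'Same question with the naive split: [%s]\n' "$(naive_names_with_count "$SAMPLE_CSV" 5)"
printf 'All quote-aware counts:\n'
name_counts "$SAMPLE_CSV"
```

Run it with sh. The quote-aware version reports one owner with exactly five medallions; the naive split reports none, because that owner is split between its quoted and unquoted spellings (three and two). On the real 2 GB file the character loop is slower than FS="," but still a single pass, and it is the counting step, not the extraction, that decides whether five medallions under one name are visible at all.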

I appreciate New York making this available as “open data” but the interface has a number of limitations.

Another way to approach Matthew’s question is to sort on the addresses, assuming TLC is billing a cop address and not 1060 West Addison. 😉

I haven’t tried this but checking the property tax rolls against the TLC records might be a way to ferret out the cop driven taxis. Unless the city has someone paying the taxes for them. Along with the usual graft, who would know?

Other ideas or suggestions to help Matthew flush out these cop driven taxis?

SWIFT Network – “that’s where the money is” (Slick Willie Sutton)

Wednesday, May 25th, 2016

Recent headlines tout breaches in the SWIFT transfer network: Now It’s Three: Ecuador Bank Hacked via Swift (19 May 2016)

The best technical commentary I have found on SWIFT attacks is TWO BYTES TO $951M by Sergei Shevchenko (25 April 2016). (Bangladesh Bank’s (BB) SWIFT payment system attack.)

Sergei reports on the malware used in the February 2016 attack on Bangladesh Bank’s (BB) SWIFT payment system. The malware, thought to be part of a larger attack toolkit, is identified and analyzed, along with how the fraud was concealed.

I have gone through approximately thirty (30) reports that cite one or more of the malware file names and I have found no information beyond Sergei’s report. Avoid the duplication and repetition, start and end with Sergei’s report. (At least for now, new technical reports may emerge.)

For a public glimpse inside the world of SWIFT transfers, see Cyber thieves exploit banks’ faith in SWIFT transfer network by Tom Bergin and Nathan Layne. Bergin and Layne cover an earlier SWIFT breach, this one involving the Banco del Austro (BDA) in Ecuador, Wells Fargo and the transfer of approximately $12 million in 2015.

In an amusing twist, SWIFT found out about the breach from a Reuters query about the breach. Apparently banks are no better at sharing information among themselves than they are with the public.

Banco del Austro (BDA) filed suit in New York State Court and Wells Fargo removed that case to the Federal District Court for the Southern District of New York. The original complaint appears as Exhibit A of the removal notice. (full text) The docket number in Federal District Court is: 1:2016-cv-00628.

You may not be experienced in reading legal pleadings but you should take a look at Exhibit A. Wells Fargo is said to have “boosted,” “assured,” etc. In addition to being a fun read, you will gain some insight into the operation of SWIFT.

While writing this up, I discovered other resources you may find useful:

ARNE Solutions has reportedly posted Bangladesh Bank’s #Malware SWIFT decrypted config file. I say “reportedly” because I have not verified the file.

SWIFT homepage

SWIFT Security Notices

The Swift Codes has a complete listing of SWIFT codes.

The Bangladesh heist was in part the result of $10 network switches and no firewall. There are 11,000 banks and other institutions that use SWIFT.

What do you think the odds are that other vulnerable banks exist with access to the SWIFT network?

You can find all sorts of things related to SWIFT on the internet. Remittance Instructions Transportation Security Administration (TSA) Security Fees, which helpfully recites:


for example.

One step towards evaluating the security of SWIFT is to collect and collate all the public information about SWIFT. Not a freebie; anyone interested in purchasing/sponsoring such a collection?

Defense Department “Off-The-Clock” Cyber-Nannies

Tuesday, May 24th, 2016

When you are caught twixt poorly written legislation and imaginative reporting, it’s hard to decide which one to point to first.

Consider this report by Jack Moore in Lawmakers Want Off-The-Clock ‘Cyber Protection’ For Some Pentagon Personnel.

From the post:

Lawmakers crafting a massive annual Pentagon policy want the Defense Department to be able to provide off-the-clock cybersecurity protection to DOD personnel deemed “to be of highest risk of vulnerability to cyberattacks on their personal devices, networks and persons,”

That provision is included in the Senate’s version of the National Defense Authorization Act, which is headed for a vote in the Senate this week. Along with personal “cyber protection support,” the Senate bill would overhaul the role of the Pentagon chief information officer.

The phrase “off-the-clock” struck me as odd, even with lengthy experience at reading poorly written laws.

If you bother to check the text you will find:

Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters


(a) Authority To Provide Support.—The Secretary of Defense may provide cyber protection support to personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons.

(b) Nature Of Support.—Subject to the availability of resources, in providing cyber protection support pursuant to subsection (a), the Secretary may provide personnel described in that subsection training, advisement, and assistance regarding cyber attacks described in that subsection.

(c) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the provision of cyber protection support pursuant to subsection (a). The report shall include a description of the methodology used by the Secretary to determine the positions in the Department that are of highest vulnerability to cyber attacks for purposes of subsection (a).

No mention of “off-the-clock,” “round-the-clock,” “24×7,” etc.

Granting that Jack goes on to say:

Under the Senate bill, the Defense secretary would be authorized to identify high-risk positions and provide “training, advisements and assistance regarding cyberattacks,” according to the bill.

Last year, self-described “stoner high school student” hackers claimed to have breached personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.

Neither man is a DOD employee, but the incidents raised concerns about the cybersecurity vulnerabilities posed by top government officials’ private email accounts.

The proposed move also comes amid increasing concerns about targeted malicious emails — phishing and “social engineering” attacks — aimed at tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails.

I think the critical text reads:

…tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails….

Let’s amend the Senate version to make it more effective than the proposed cyber-nannies:

Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters


(a) Preparation To Detect Phishing Susceptibility.—The Secretary of Defense shall designate personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons, and publish a list of those personnel with their email addresses to Facebook.

(b) Detection Of Phishing Susceptibility.—The Secretary of Defense shall publish on Facebook an invitation for any citizen of any country to create and cause to be delivered, a phishing email to any of the personnel designated in (a), exempt from any statutes of the United States or its several states, prohibiting such emails. Upon receipt of proof of designated personnel being deceived by a phishing email, the Secretary of Defense will cause to be transmitted to the sender of such email, the sum of $5,000.00.

(c) Consequences Of Phishing Susceptibility.—The Secretary of Defense, upon receipt of proof of deception by phishing email, shall immediately cause to be suspended, all electronic or physical access to any and all DoD services and/or locations. This suspension will remain in effect until the person in question has been separated from their service.

(d) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the ongoing progress towards reducing phishing susceptibility at the Department of Defense.

Want to improve cybersecurity at the Department of Defense?

Test and separate personnel based on their susceptibility to phishing attacks.

Far saner and more effective than “off-the-clock” cyber-nannies.

Dear “Skeptics,”… [Attn: All Data Scientists]

Tuesday, May 24th, 2016

Dear “Skeptics,” Bash Homeopathy and Bigfoot Less, Mammograms and War More by John Horgan.


Strings and multiverses can’t be experimentally detected. The theories aren’t falsifiable, which makes them pseudo-scientific, like astrology and Freudian psychoanalysis. Credit: parameter_bond/Flickr

The caption is from Horgan’s post. In case anyone asks, I retrieved and re-sized my own copy of the image.

From the post:

I hate preaching to the converted. If you were Buddhists, I’d bash Buddhism. But you’re skeptics, so I have to bash skepticism.

I’m a science journalist. I don’t celebrate science, I criticize it, because science needs critics more than cheerleaders. I point out gaps between scientific hype and reality. That keeps me busy, because, as you know, most peer-reviewed scientific claims are wrong.

So I’m a skeptic, but with a small S, not capital S. I don’t belong to skeptical societies. I don’t hang out with people who self-identify as capital-S Skeptics. Or Atheists. Or Rationalists.

When people like this get together, they become tribal. They pat each other on the back and tell each other how smart they are compared to those outside the tribe. But belonging to a tribe often makes you dumber.

Here’s an example involving two idols of Capital-S Skepticism: biologist Richard Dawkins and physicist Lawrence Krauss. Krauss recently wrote a book, A Universe from Nothing. He claims that physics is answering the old question, Why is there something rather than nothing?

Krauss’s book doesn’t come close to fulfilling the promise of its title, but Dawkins loved it. He writes in the book’s afterword: "If On the Origin of Species was biology’s deadliest blow to supernaturalism, we may come to see A Universe From Nothing as the equivalent from cosmology."

Just to be clear: Dawkins is comparing Lawrence Krauss to Charles Darwin. Why would Dawkins say something so foolish? Because he hates religion so much that it impairs his scientific judgment. He succumbs to what you might call “The Science Delusion.”

“The Science Delusion” is common among Capital-S Skeptics. You don’t apply your skepticism equally. You are extremely critical of belief in God, ghosts, heaven, ESP, astrology, homeopathy and Bigfoot. You also attack disbelief in global warming, vaccines and genetically modified food.

These beliefs and disbeliefs deserve criticism, but they are what I call “soft targets.” That’s because, for the most part, you’re bashing people outside your tribe, who ignore you. You end up preaching to the converted.

Meanwhile, you neglect what I call hard targets. These are dubious and even harmful claims promoted by major scientists and institutions. In the rest of this talk, I’ll give you examples of hard targets from physics, medicine and biology. I’ll wrap up with a rant about war, the hardest target of all.

To get the full flavor of what it means to be a skeptic, read this post and John’s accounts of the reactions to both his presentation and this post.

The “tell” of a target

Whether you are being skeptical of a popular (read “soft”) target like Bigfoot or skeptical of a “hard” target like psychiatric drugs, the reaction from believers is nearly universal: anger, denial and fairly rapidly, denunciation of yourself as unreasonable, etc.

Try being skeptical of a soft/hard target in your work.

Ask whether there is racial bias in the algorithms you use day to day. Gender bias? If the answer is no, ask how they know. Ask them to confirm it for you using data. Watch their hands closely during the demonstration.

After all, you are a data scientist and questions should be settled based on data and understanding the algorithms applied to them.


Being a skeptic with a small “s” is a hard job. But your project, department, enterprise will be better for you being that skeptic.

Imagine one effective White House skeptic prior to the second war on Iraq. No $trillions spent, no countless lives lost, no instability in the region, etc. Skeptics with a small “s” can make all the difference in the world.

Apache Spark as a Compiler:… [This is wicked cool!]

Tuesday, May 24th, 2016

Apache Spark as a Compiler: Joining a Billion Rows per Second on a Laptop by Sameer Agarwal, Davies Liu and Reynold Xin.

From the post:

When our team at Databricks planned our contributions to the upcoming Apache Spark 2.0 release, we set out with an ambitious goal by asking ourselves: Apache Spark is already pretty fast, but can we make it 10x faster?

This question led us to fundamentally rethink the way we built Spark’s physical execution layer. When you look into a modern data engine (e.g. Spark or other MPP databases), a majority of the CPU cycles are spent in useless work, such as making virtual function calls or reading or writing intermediate data to CPU cache or memory. Optimizing performance by reducing the amount of CPU cycles wasted in this useless work has been a long-time focus of modern compilers.

Apache Spark 2.0 will ship with the second generation Tungsten engine. Built upon ideas from modern compilers and MPP databases and applied to data processing queries, Tungsten emits (SPARK-12795) optimized bytecode at runtime that collapses the entire query into a single function, eliminating virtual function calls and leveraging CPU registers for intermediate data. As a result of this streamlined strategy, called “whole-stage code generation,” we significantly improve CPU efficiency and gain performance.

(emphasis in original)

How much better you ask?

cost per row (in nanoseconds, single thread)

primitive                               Spark 1.6    Spark 2.0
filter                                     15 ns       1.1 ns
sum w/o group                              14 ns       0.9 ns
sum w/ group                               79 ns      10.7 ns
hash join                                 115 ns       4.0 ns
sort (8-bit entropy)                      620 ns       5.3 ns
sort (64-bit entropy)                     620 ns        40 ns
sort-merge join                           750 ns       700 ns
Parquet decoding (single int column)      120 ns        13 ns

Don’t just stare at the numbers:

Try the whole-stage code generation notebook in Databricks Community Edition

What’s the matter?

Haven’t you ever seen a 1 billion record join in 0.8 seconds? (Down from 61.7 seconds.)

If all that weren’t impressive enough, the post walks you through the (currently) dominant query evaluation strategy as a setup to Spark 2.0 and then into why “whole-stage code generation is so powerful.”

A must read!

FOIA – For Algorithms

Tuesday, May 24th, 2016

We need to know the algorithms the government uses to make important decisions about us by Nicholas Diakopoulos.

From the post:

In criminal justice systems, credit markets, employment arenas, higher education admissions processes and even social media networks, data-driven algorithms now drive decision-making in ways that touch our economic, social and civic lives. These software systems rank, classify, associate or filter information, using human-crafted or data-induced rules that allow for consistent treatment across large populations.

But while there may be efficiency gains from these techniques, they can also harbor biases against disadvantaged groups or reinforce structural discrimination. In terms of criminal justice, for example, is it fair to make judgments on an individual’s parole based on statistical tendencies measured across a wide group of people? Could discrimination arise from applying a statistical model developed for one state’s population to another, demographically different population?

The public needs to understand the bias and power of algorithms used in the public sphere, including by government agencies. An effort I am involved with, called algorithmic accountability, seeks to make the influences of those sorts of systems clearer and more widely understood.

Existing transparency techniques, when applied to algorithms, could enable people to monitor, audit and criticize how those systems are functioning – or not, as the case may be. Unfortunately, government agencies seem unprepared for inquiries about algorithms and their uses in decisions that significantly affect both individuals and the public at large.

Nicholas makes a great case for Freedom of Information Act (FOIA) legislation being improved to explicitly include algorithms used by government or on its behalf.

I include “on its behalf” because as Nicholas documents, some states have learned the trick of having algorithms held by vendors, thus making them “proprietary.”

If you can’t see the algorithms behind data results, there is no meaningful transparency.

Demand meaningful transparency!

Unintended Consequences Of Slowly Strangling Flash To Death

Tuesday, May 24th, 2016

The long road to the final death knell for Flash has gotten slightly shorter.

Intent to implement: HTML5 by Default

From the post:

Later this year we plan to change how Chromium hints to websites about the presence of Flash Player, by changing the default response of Navigator.plugins and Navigator.mimeTypes. If a site offers an HTML5 experience, this change will make that the primary experience. We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site (see the proposal for the mock-ups).

To reduce the initial user impact, and avoid over-prompting, Chrome will introduce this feature with a temporary whitelist of the current top Flash sites(1). This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.

Chrome will also be adding policy controls so that enterprises will be able to select the appropriate experience for their users, which will include the ability to completely disable the feature.

Any move away from Flash is good news but the unintended consequences of this news tempers my joy.

First, the Flash whitelist signals that delivery of Flash malware should concentrate on the top ten sites:


Second, offering users the option to run Flash, in spite of warnings, guarantees Flash will remain an expressway into your computer for years to come.

Third, as Flash usage drops, what is the likely curve of funding for fixing new bugs found in Flash? (That’s what I think as well.)

I don’t have a better alternative to offer, except to suggest that enterprises that care about security should offer cash bonuses to departments that abandon Flash altogether.

PS: Adobe should notify the community when the last copy of the source code for Flash is erased. To avoid some future computer archaeologist digging it up and becoming infected.

Inspiring Next-Gen Citizens – Phineas Fisher

Tuesday, May 24th, 2016

A Notorious Hacker Is Trying to Start a ‘Hack Back’ Political Movement by Lorenzo Franceschi-Bicchierai.

From the post:

In August of 2014, a hacker shook the cybersecurity world by exposing the secrets of the infamous government surveillance vendor Gamma Group, the makers of the spyware FinFisher.

The hacker jokingly called himself Phineas Fisher, publicizing the hack and taunting the company on Twitter. He also wrote a detailed guide on how he breached Gamma—not to brag, the hacker wrote, but to demystify hacking and “to hopefully inform and inspire you to go out and hack shit.”

Then, Phineas Fisher went dark. For almost a year, his public profiles remained silent. Given that he had just upset a company that sold tools to dozens of spy and police all over the world, it seemed like a wise move.

“For politically minded hackers, Phineas is a legend already.”

See Lorenzo’s post for a short history of Phineas Fisher.

I prefer my title because “notorious” and “hacker” imply that Phineas has transgressed in some way.

In the view of some legal systems, Phineas has transgressed but even within those systems, transgression is a matter of whim and caprice.

Consider the interference with the legitimate development of nuclear power by Iran. The U.S. and others have taken it upon themselves to create software to interfere with that program. Software and actions illegal under the same laws with which Phineas would be prosecuted, but no one has been brought before the bar.

Phineas has acted, no more or less than the Koch brothers, to influence public opinion. Every citizen has the right to influence government action, theirs and others.

Phineas is using information instead of cash to influence government but that distinction matters only to cash hungry politicians and cash flush favor seekers who want to feed them.

“Western democracies” don’t, for the most part, engage in quid pro quo style corruption. Donors routinely contribute money, year in and year out, and not surprisingly, when government decisions are to be made, they have a place at the decision making table. And when the decision making is done, they receive a larger share of government benefits than others.

Information activities, such as those by Phineas, have the potential to create a publicly traded information economy. Imagine if, rather than the slow leak of the Panama Papers, they appeared on an Information Exchange, where you could bid on some or all of the data for particular countries.

Ownership could be, but need not be, exclusive. Your ownership of the data for China, for example, would in no way interfere with my ownership of the same information.

What I am describing rather poorly is already set forth in Neal Stephenson‘s classic: Snow Crash.

Make no mistake, Snow Crash, like the mistaken for reality tale Atlas Shrugged, is a work of fiction. Despite the potential for the dawning of a new future, the present power system will put you in jail today.

Phineas Fisher is an inspiration for a cyber-aware citizenry gathering and distributing information. Hopefully he will also inspire better operational security in those efforts as well.

Bias? What Bias? We’re Scientific!

Monday, May 23rd, 2016

This ProPublica story by Julia Angwin, Jeff Larson, Surya Mattu and Lauren Kirchner, isn’t short but it is worth your time to not only read, but to download the data and test their analysis for yourself.

Especially if you have the mis-impression that algorithms can avoid bias. Or that clients will apply your analysis with the caution that it deserves.

Finding a bias in software, like finding a bug, is a good thing. But that is just one; there is no estimate of how many others may exist.

And as you will find, clients may not remember your careful explanation of the limits to your work. Or apply it in ways you don’t anticipate.

Machine Bias – There’s software used across the country to predict future criminals. And it’s biased against blacks.

Here’s the first story to try to lure you deeper into this study:

ON A SPRING AFTERNOON IN 2014, Brisha Borden was running late to pick up her god-sister from school when she spotted an unlocked kid’s blue Huffy bicycle and a silver Razor scooter. Borden and a friend grabbed the bike and scooter and tried to ride them down the street in the Fort Lauderdale suburb of Coral Springs.

Just as the 18-year-old girls were realizing they were too big for the tiny conveyances — which belonged to a 6-year-old boy — a woman came running after them saying, “That’s my kid’s stuff.” Borden and her friend immediately dropped the bike and scooter and walked away.

But it was too late — a neighbor who witnessed the heist had already called the police. Borden and her friend were arrested and charged with burglary and petty theft for the items, which were valued at a total of $80.

Compare their crime with a similar one: The previous summer, 41-year-old Vernon Prater was picked up for shoplifting $86.35 worth of tools from a nearby Home Depot store.

Prater was the more seasoned criminal. He had already been convicted of armed robbery and attempted armed robbery, for which he served five years in prison, in addition to another armed robbery charge. Borden had a record, too, but it was for misdemeanors committed when she was a juvenile.

Yet something odd happened when Borden and Prater were booked into jail: A computer program spat out a score predicting the likelihood of each committing a future crime. Borden — who is black — was rated a high risk. Prater — who is white — was rated a low risk.

Two years later, we know the computer algorithm got it exactly backward. Borden has not been charged with any new crimes. Prater is serving an eight-year prison term for subsequently breaking into a warehouse and stealing thousands of dollars’ worth of electronics.

This analysis demonstrates that malice isn’t required for bias to damage lives. Whether the biases are in the software, in its application, or in the interpretation of its results, the end result is the same: damaged lives.

I don’t think bias in software is avoidable, but here no one was even looking.

What role do you think budget justification/profit making played in that blindness to bias?
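Both this post (“download the data and test their analysis for yourself”) and the skeptics post above (“ask them to confirm it for you using data”) call for the same concrete check, so here is one added example of what that check looks like. It is not code from ProPublica or from this blog. It scores a binary risk label against observed outcomes separately for each group and reports false positive rate, false negative rate and accuracy per group. The records are constructed for the example and are not ProPublica’s data; the threshold of 5 on a 1–10 decile score for “high risk” is an assumption chosen for the illustration.

```python
# Added example (not ProPublica's or the blog's code): group-wise error-rate
# audit of a binary risk classifier. All data below is constructed.
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed records: (group, decile score 1-10, reoffended within follow-up).
# Chosen so both groups get the SAME overall accuracy while their error
# types point in opposite directions, which is what a per-group audit exposes.
SAMPLE_RECORDS = [
    ("A", 8, False), ("A", 7, False), ("A", 6, False), ("A", 9, True),
    ("A", 3, False), ("A", 5, True),  ("A", 2, True),  ("A", 10, True),
    ("B", 2, False), ("B", 3, False), ("B", 1, False), ("B", 7, True),
    ("B", 4, True),  ("B", 3, True),  ("B", 8, False), ("B", 2, True),
]

HIGH_RISK_THRESHOLD = 5  # assumption for this example, not a documented cutoff


def audit_error_rates(records: Iterable[Tuple[str, int, bool]],
                      threshold: int = HIGH_RISK_THRESHOLD) -> Dict[str, Dict[str, float]]:
    """Return {group: {"n", "fpr", "fnr", "accuracy"}}.

    fpr: labelled high risk but did NOT reoffend, over all who did not reoffend
    fnr: labelled low risk but DID reoffend, over all who reoffended
    """
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, score, reoffended in records:
        predicted_high = score >= threshold
        c = counts[group]
        if predicted_high and reoffended:
            c["tp"] += 1
        elif predicted_high and not reoffended:
            c["fp"] += 1
        elif not predicted_high and reoffended:
            c["fn"] += 1
        else:
            c["tn"] += 1

    result = {}
    for group, c in counts.items():
        negatives = c["fp"] + c["tn"]   # people who did not reoffend
        positives = c["tp"] + c["fn"]   # people who did reoffend
        total = negatives + positives
        result[group] = {
            "n": total,
            "fpr": c["fp"] / negatives if negatives else float("nan"),
            "fnr": c["fn"] / positives if positives else float("nan"),
            "accuracy": (c["tp"] + c["tn"]) / total,
        }
    return result


def disparity(rates: Dict[str, Dict[str, float]], metric: str) -> float:
    """Ratio of the worst to the best group on one metric (1.0 = parity)."""
    values = [r[metric] for r in rates.values()]
    return max(values) / min(values)


if __name__ == "__main__":
    rates = audit_error_rates(SAMPLE_RECORDS)
    for group, r in sorted(rates.items()):
        print(f"group {group}: n={r['n']} fpr={r['fpr']:.2f} "
              f"fnr={r['fnr']:.2f} accuracy={r['accuracy']:.2f}")
    print(f"FPR disparity: {disparity(rates, 'fpr'):.1f}x")
    print(f"FNR disparity: {disparity(rates, 'fnr'):.1f}x")
```

The point of reporting accuracy alongside the two error rates is that a vendor can truthfully say the tool is “equally accurate” for both groups while one group absorbs most of the false high-risk labels and the other most of the false low-risk labels. A single aggregate number is exactly where that gets hidden, so the audit has to be run per group, on outcome data, not on the vendor’s own summary.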

Balisage 2016 Program Posted! (Newcomers Welcome!)

Monday, May 23rd, 2016

Tommie Usdin wrote today to say:

Balisage: The Markup Conference
2016 Program Now Available

Balisage: where serious markup practitioners and theoreticians meet every August.

The 2016 program includes papers discussing reducing ambiguity in linked-open-data annotations, the visualization of XSLT execution patterns, automatic recognition of grant- and funding-related information in scientific papers, construction of an interactive interface to assist cybersecurity analysts, rules for graceful extension and customization of standard vocabularies, case studies of agile schema development, a report on XML encoding of subtitles for video, an extension of XPath to file systems, handling soft hyphens in historical texts, an automated validity checker for formatted pages, one no-angle-brackets editing interface for scholars of German family names and another for scholars of Roman legal history, and a survey of non-XML markup such as Markdown.

XML In, Web Out: A one-day Symposium on the sub rosa XML that powers an increasing number of websites will be held on Monday, August 1.

If you are interested in open information, reusable documents, and vendor and application independence, then you need descriptive markup, and Balisage is the conference you should attend. Balisage brings together document architects, librarians, archivists, computer scientists, XML practitioners, XSLT and XQuery programmers, implementers of XSLT and XQuery engines and other markup-related software, Topic-Map enthusiasts, semantic-Web evangelists, standards developers, academics, industrial researchers, government and NGO staff, industrial developers, practitioners, consultants, and the world’s greatest concentration of markup theorists. Some participants are busy designing replacements for XML while other still use SGML (and know why they do).

Discussion is open, candid, and unashamedly technical.

Balisage 2016 Program:

Symposium Program:

Even if you don’t eat RELAX grammars at snack time, put Balisage on your conference schedule. Even if a bit scruffy looking, the long time participants like new document/information problems or new ways of looking at old ones. Not to mention they, on occasion, learn something from newcomers as well.

It is a unique opportunity to meet the people who engineered the tools and specs that you use day to day.

Be forewarned that most of them have difficulty agreeing what controversial terms mean, like “document,” but that to one side, they are as good a crew as you are likely to meet.


Alda (Music Programming Language) Update

Monday, May 23rd, 2016

Alda: A Music Programming Language, Built in Clojure by David Yarwood.

Presentation by David at Clojure Remote.

From the description:

Inspired by other music/audio programming languages such as PPMCK, LilyPond and ChucK, Alda aims to be a powerful and flexible programming language for the musician who wants to easily compose and generate music on the fly, using only a text editor.

Clojure proved to be an ideal language for building a language like Alda, not only because of its wealth of excellent libraries like Instaparse and Overtone, but also because of its Lispy transparency and facility for crafting DSLs.

From the Github page:

Slack: Sign up to the universe of Clojure chat @, then join us on #alda

Reddit: Come join us in /r/alda, where you can discuss all things Alda and share your Alda scores!

Alda is looking for contributors! Step up!

Incubate No Longer! Tinkerpop™!

Monday, May 23rd, 2016

The Apache Software Foundation Announces Apache® TinkerPop™ as a Top-Level Project

From the post:

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® TinkerPop™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project’s community and products have been well-governed under the ASF’s meritocratic process and principles.

Apache TinkerPop is a graph computing framework that provides developers the tools required to build modern graph applications in any application domain and at any scale.

“Graph databases and mainstream interest in graph applications have seen tremendous growth in recent years,” said Stephen Mallette, Vice President of Apache TinkerPop. “Since its inception in 2009, TinkerPop has been helping to promote that growth with its Open Source graph technology stack. We are excited to now do this same work as a top-level project within the Apache Software Foundation.”

As a graph computing framework for both real-time, transactional graph databases (OLTP) and batch analytic graph processors (OLAP), TinkerPop is useful for working with small graphs that fit within the confines of a single machine, as well as massive graphs that can only exist partitioned and distributed across a multi-machine compute cluster.

TinkerPop unifies these highly varied graph system models, giving developers less to learn, faster time to development, and less risk associated with both scaling their system and avoiding vendor lock-in.

In addition to that good news, the announcement also answers the inevitable question about scaling:

Apache TinkerPop is in use at organizations such as DataStax and IBM, among many others. is currently using TinkerPop and Gremlin to process its order fulfillment graph which contains approximately one trillion edges. (emphasis added)

A trillion edges, unless you are a stealth Amazon, Tinkerpop™ will scale for you.

Congratulations to the Tinkerpop™ community!

Breaking News: Europe != World

Monday, May 23rd, 2016

Google’s appeal, described in GNI welcomes appeal to the global reach of “the right to be forgotten” by Ryan McChrystal, puts all of Europe on notice, despite centuries of Euro-centric education, publication, history writing and institutions:

Europe != World

From the post:

The Global Network Initiative welcomes the announcement that Google is appealing a French data protection authority ruling requiring the global take down of links to search information banned in France under Europe’s “right to be forgotten”.

We are concerned that the ruling, made by Commission Nationale de L’Informatique et des Libertes (CNIL) in March, sets a disturbing precedent for the cause of an open and free Internet, and sends the message to other countries that they can force the banning of search results not just inside their own jurisdictions, but assert that jurisdiction across the globe.

Google began delisting search content in response to the Costeja ruling in July of 2014. Search links that are delisted in response to French citizens’ requests are removed from the local French domain ( as well as all of Europe. In early 2016 the company announced that it would further restrict access to links delisted in Europe by using geolocation technology to restrict access to the content on any Google Search domain when an individual searches from France. Despite this, the French authorities continue to demand global removal of these links from all Google search domains – regardless of from where in the world they are accessed.

“We are concerned about the impact of the CNIL order, which effectively allows the government of one country to dictate what the rest of the world is allowed to access online,” said GNI Board Chair Mark Stephens, CBE. “Enshrined in international law is the principle that one country cannot infringe upon the rights of citizens of another country,” he said.

Make no mistake, I am utterly a child of the West/Europe but all the more reason to resist its cultural and legal imperialism.

Differences in cultures, languages, legal systems, whether current or historical, enrich the human experience.

Censoring expression and in the “right to be forgotten” case, censoring history, or rather attempts to discover history, impoverishes it.

The “right to be forgotten” is ample evidence that Europeans need productive leisure pursuits.

Non-Europeans should suggest hobbies, sports, or activities to distract Europeans from search engine results and towards more creative activities.

Terrorism and Internet Censorship

Monday, May 23rd, 2016

Bold stance: Microsoft says terrorism is bad by Shaun Nichols.

From the post:

Microsoft is enacting a new policy to remove terrorist content from its consumer services.

The Redmond software giant said that the new terms and conditions for its hosted services will bar any content containing graphic violence or supporting material for any group considered a terrorist organization by the United Nations Sanctions List.

Additionally, Microsoft says that it will remove terrorist-related content from its Bing search engine whenever requested by government agencies and will try to display links promoting anti-terror non-government organizations when returning queries for terrorism-related search results.

Censorship on the Internet and sadly support for the same grows every week.

From the Microsoft announcement:

We believe it’s important that we ground our approach to this critical issue in central principles and values. We have a responsibility to run our various Internet services so that they are a tool to empower people, not to contribute, however indirectly, to terrible acts. We also have a responsibility to run our services in a way that respects timeless values such as privacy, freedom of expression and the right to access information. We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear. Although Microsoft does not run any of the leading social networks or video-sharing sites, from time to time, terrorist content may be posted to or shared on our Microsoft-hosted consumer services. In light of this, we want to be transparent about our approach to combatting terrorist content.

I have doubts about the statement:

We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear.

If they had “…carefully considered…” the question, they would not engage in censorship at all.

If you disagree, consider the United Nations Sanctions List, circa 1939:

CNi.001 Name: 1: Mao Zedong 2: Mao 3: na 4: na Name (original script) 毛泽东 Nationality: Chinese Passport no: na National Identification: na Address: China Listed on: January 1, 1927 Other information: Created the Southwest Jiangxi Provincial Soviet Government. Skilled in-fighter with many internal rivals.

CNe.001 Name: Southwest Jiangxi Provincial Soviet Government
Address: na Listed on: June 1, 1930 Other Information: na

Or the United Nations Sanctions List, circa 1800:

UKe.001 Name: Continental Congress 2: na 3: na 4: na
Address: British colonies, America Listed on: January 1, 1776 Other Information: Criminal association of traitors, former British military officers and opportunists.

UKi.001 Name: George Washington 2: na 3: na 4: na DOB: February 22, 1732 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Former colonel in British Army, skilled tactician, co-conspirator with other known traitors.

UKi.002 Name: Thomas Jefferson 2: “Tom” Jefferson 3: na 4: na DOB: April 13, 1743 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Propagandist of first order.

UKi.003 Name: Thomas Paine 2: “Tom” Paine 3: Thomas Pain 4: na DOB: January 29, 1737 Nationality: UK Address: various Listed on: January, 1774 Other information: Known associate of revolutionaries in American colonies of the UK, collaborator with French revolutionaries (1790’s), author of “Common Sense” and wanted for conviction on seditious libel (1792).

The question for Microsoft today is which of the publications and news reports from the revolution in China and/or the American Revolutionary War would they censor as supporting terrorists and/or terrorism?

With even a modicum of honesty, all will concede that acts of terrorism were committed both in China and in what is today known as the United States.

Unless you would censor Mao Zedong, George Washington, Thomas Jefferson, Thomas Paine, then “terrorist” and “terrorism” offer no basis for censoring content.

In truth, “terrorist,” and “terrorism,” are labels for atrocities committed by others, nothing more.

Strive for a free and non-censored Internet.

Let history judge who was or wasn’t a terrorist and even then that changes over time.

Does social media have a censorship problem? (Only if “arbitrary and knee-jerk?”)

Sunday, May 22nd, 2016

Does social media have a censorship problem? by Ryan McChrystal.

From the post:

It is for this reason that we should be concerned by content moderators. Worryingly, they often find themselves dealing with issues they have no expertise in. A lot of content takedown reported to Online Censorship is anti-terrorist content mistaken for terrorist content. “It potentially discourages those very people who are going to be speaking out against terrorism,” says York.

Facebook has 1.5 billion users, so small teams of poorly paid content moderators simply cannot give appropriate consideration to all flagged content against the secretive terms and conditions laid out by social media companies. The result is arbitrary and knee-jerk censorship.

Yes, social media has a censorship problem. But not only when they lack “expertise” but when they attempt censorship at all.

Ryan’s post (whether Ryan thinks this or not I don’t know) presumes two kinds of censorship:

Bad Censorship: arbitrary and knee-jerk

Good Censorship: guided by expertise in a subject area

Bad is the only category for censorship. (period, full stop)

Although social media companies are not government agencies and not bound by laws concerning free speech, Ryan’s recitals about Facebook censorship should give you pause.

Do you really want social media companies, whatever their intentions, not only censoring present content but obliterating comments history on a whim?

Be mindful that today you may agree with their decision, but tomorrow may tell another tale.

Social media has a very serious censorship problem, mostly borne of the notion that social media companies should be the arbiters of social discourse.

I prefer the hazards and dangers of unfettered free speech over discussions bounded by the Joseph Goebbels imitators of a new age.

Suggestions for non-censoring or the least censoring social media platforms?

Modeling data with functional programming – State based systems

Sunday, May 22nd, 2016

Modeling data with functional programming – State based systems by Brian Lee Yung Rowe.

Brian has just released chapter 8 of his Modeling data with functional programming in R, State based systems.

BTW, Brian mentions that his editor is looking for more proof reviewers.


TSA Cybersecurity Failures – The Good News

Saturday, May 21st, 2016

The TSA is failing spectacularly at cybersecurity by Violet Blue.

From the post:

Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service.

The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff’s handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.

What we’re talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.

Violet reports on a cornucopia of cybersecurity issues with the TSA and its information systems, including:

As part of this year’s final report, auditors watched TSA staff as they scanned STIP servers located at two DHS data centers and the Orlando International Airport. The scans “detected a total of 12,282 high vulnerabilities on 71 of the 74 servers tested.”

The redacted final report omits the names of the servers and, due to space concerns (it’s only 47 pages long), omits the particulars of the 12,282 high vulnerabilities found. (That’s my assumption; the report doesn’t say that.)

What the report fails to mention is the good news about TSA cybersecurity failures:

Despite its woeful performance on cybersecurity and its utter failure to ever stop a terrorist, there have been no terrorist incidents on US airlines at points guarded by the TSA.

The TSA and its faulty cybersecurity equipment could be retired, en masse, and its impact on the incidence of terrorism on U.S. based air travel would be exactly zero.

Unless you need hacking practice on poorly maintained systems, avoid the TSA and its broken IT systems. Who wants to brag about stealing a candy bar from a vending machine? Do you?

Any cyberoffense against the TSA and its systems will expose you to long prison sentences for breaching systems that make no difference. That’s the definition of a bad deal. Just don’t go there.