Archive for April, 2017

XSL Transformations (XSLT) Version 3.0 (Proposed Recommendation 18 April 2017)

Tuesday, April 18th, 2017

Michael Kay tweeted today:

XSLT 3.0 is a Proposed Recommendation: https://www.w3.org/TR/xslt-30/ It’s taken ten years but we’re nearly there!

Congratulations to Michael and the entire team!

What’s new?

A major focus for enhancements in XSLT 3.0 is the requirement to enable streaming of source documents. This is needed when source documents become too large to hold in main memory, and also for applications where it is important to start delivering results before the entire source document is available.

While implementations of XSLT that use streaming have always been theoretically possible, the nature of the language has made it very difficult to achieve this in practice. The approach adopted in this specification is twofold: it identifies a set of restrictions which, if followed by stylesheet authors, will enable implementations to adopt a streaming mode of operation without placing excessive demands on the optimization capabilities of the processor; and it provides new constructs to indicate that streaming is required, or to express transformations in a way that makes it easier for the processor to adopt a streaming execution plan.

Capabilities provided in this category include:

  • A new xsl:source-document instruction, which reads and processes a source document, optionally in streaming mode;
  • The ability to declare that a mode is a streaming mode, in which case all the template rules using that mode must be streamable;
  • A new xsl:iterate instruction, which iterates over the items in a sequence, allowing parameters for the processing of one item to be set during the processing of the previous item;
  • A new xsl:merge instruction, allowing multiple input streams to be merged into a single output stream;
  • A new xsl:fork instruction, allowing multiple computations to be performed in parallel during a single pass through an input document.
  • Accumulators, which allow a value to be computed progressively during streamed processing of a document, and accessed as a function of a node in the document, without compromise to the functional nature of the XSLT language.

A second focus for enhancements in XSLT 3.0 is the introduction of a new mechanism for stylesheet modularity, called the package. Unlike the stylesheet modules of XSLT 1.0 and 2.0 (which remain available), a package defines an interface that regulates which functions, variables, templates and other components are visible outside the package, and which can be overridden. There are two main goals for this facility: it is designed to deliver software engineering benefits by improving the reusability and maintainability of code, and it is intended to streamline stylesheet deployment by allowing packages to be compiled independently of each other, and compiled instances of packages to be shared between multiple applications.

Other significant features in XSLT 3.0 include:

  • An xsl:evaluate instruction allowing evaluation of XPath expressions that are dynamically constructed as strings, or that are read from a source document;
  • Enhancements to the syntax of patterns, in particular enabling the matching of atomic values as well as nodes;
  • An xsl:try instruction to allow recovery from dynamic errors;
  • The element xsl:global-context-item, used to declare the stylesheet’s expectations of the global context item (notably, its type).
  • A new instruction xsl:assert to assist developers in producing correct and robust code.

XSLT 3.0 also delivers enhancements made to the XPath language and to the standard function library, including the following:

  • Variables can now be bound in XPath using the let expression.
  • Functions are now first class values, and can be passed as arguments to other (higher-order) functions, making XSLT a fully-fledged functional programming language.
  • A number of new functions are available, for example trigonometric functions, and the functions parse-xml [FO30] and serialize [FO30] to convert between lexical and tree representations of XML.

XSLT 3.0 also includes support for maps (a data structure consisting of key/value pairs, sometimes referred to in other programming languages as dictionaries, hashes, or associative arrays). This feature extends the data model, provides new syntax in XPath, and adds a number of new functions and operators. Initially developed as XSLT-specific extensions, maps have now been integrated into XPath 3.1 (see [XPath 3.1]). XSLT 3.0 does not require implementations to support XPath 3.1 in its entirety, but it does require support for these specific features.

This will remain a proposed recommendation until 1 June 2017.

How close can you read? 😉

Enjoy!

Every NASA Image In One Archive – Crowd Sourced Index?

Monday, April 17th, 2017

NASA Uploaded Every Picture It Has to One Amazing Online Archive by Will Sabel Courtney.

From the post:

Over the last five decades and change, NASA has launched hundreds of men and women from the planet’s surface into the great beyond. But America’s space agency has had an emotional impact on millions, if not billions, of others who’ve never gone past the Kármán line separating Earth from space, thanks to the images, audio, and video generated by its astronauts and probes. NASA has given us our best glimpses at distant galaxies and nearby planets—and in the process, helped us appreciate our own world even more.

And now, the agency has placed them all in one place for everyone to see: images.nasa.gov.

No, viewing this site will not be considered an excuse for a late tax return. 😉

On the other hand, it’s an impressive bit of work, although a search only interface seems a bit thin to me.

The API docs don’t offer much comfort:

Name: Description
q (optional): Free text search terms to compare to all indexed metadata.
center (optional): NASA center which published the media.
description (optional): Terms to search for in “Description” fields.
keywords (optional): Terms to search for in “Keywords” fields. Separate multiple values with commas.
location (optional): Terms to search for in “Location” fields.
media_type (optional): Media types to restrict the search to. Available types: [“image”, “audio”]. Separate multiple values with commas.
nasa_id (optional): The media asset’s NASA ID.
photographer (optional): The primary photographer’s name.
secondary_creator (optional): A secondary photographer/videographer’s name.
title (optional): Terms to search for in “Title” fields.
year_start (optional): The start year for results. Format: YYYY.
year_end (optional): The end year for results. Format: YYYY.

With no index, your results depend on your blindly guessing the metadata entered by a NASA staffer.

Well, for “moon” I would expect “the Moon,” but the results are likely to include moons of other worlds, etc.
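As an added example (not from the post and not NASA's code), the Python below builds query URLs only from the parameters the API docs above list, failing loudly on typos, and then builds the kind of field-aware index the post says the site lacks over a few constructed metadata records, so a search for “moon” can be scoped to the Keywords field instead of matching every description that mentions moons. The endpoint path and the sample records are assumptions.

```python
"""Added example, not from the post or NASA: (1) build search URLs only
from the parameters the API docs list, failing loudly on typos, and
(2) build a small field-aware inverted index over constructed metadata
records, the kind of index the post says the site lacks.
The endpoint path and the sample records are assumptions."""
import re
from collections import defaultdict
from urllib.parse import urlencode

# Parameter names exactly as listed in the API docs quoted above.
ALLOWED_PARAMS = {"q", "center", "description", "keywords", "location",
                  "media_type", "nasa_id", "photographer",
                  "secondary_creator", "title", "year_start", "year_end"}
ALLOWED_MEDIA = {"image", "audio"}
SEARCH_URL = "https://images-api.nasa.gov/search"   # assumed endpoint

def build_search_url(**params):
    """Validate parameters against the docs and return the query URL.

    Unknown names, media types other than image/audio and years that
    are not YYYY raise ValueError instead of silently returning an
    empty (or unexpectedly broad) result set."""
    for name, value in params.items():
        if name not in ALLOWED_PARAMS:
            raise ValueError(f"unknown parameter: {name}")
        if name == "media_type":
            bad = set(value.split(",")) - ALLOWED_MEDIA
            if bad:
                raise ValueError(f"unsupported media_type: {sorted(bad)}")
        if name in ("year_start", "year_end") and not re.fullmatch(r"\d{4}", value):
            raise ValueError(f"{name} must be YYYY, got {value!r}")
    return SEARCH_URL + "?" + urlencode(sorted(params.items()))

# Constructed sample metadata using the field names from the docs.
# These are NOT real NASA records.
SAMPLE_RECORDS = [
    {"nasa_id": "SAMPLE-0001", "title": "Full Moon over Earth",
     "center": "JSC", "keywords": ["Moon", "Earth"],
     "description": "The Moon photographed from orbit."},
    {"nasa_id": "SAMPLE-0002", "title": "Jupiter and its moons",
     "center": "JPL", "keywords": ["Jupiter", "Io", "Europa"],
     "description": "Four Galilean moons visible near the planet."},
    {"nasa_id": "SAMPLE-0003", "title": "Launch pad at dawn",
     "center": "KSC", "keywords": ["launch"],
     "description": "Rocket on the pad before a moonless sunrise."},
]
INDEXED_FIELDS = ("title", "description", "keywords", "center")

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def build_index(records):
    """Inverted index: token -> {(nasa_id, field), ...}.

    Keeping the field lets a search distinguish 'moon' as a keyword from
    'moon' mentioned in passing in a description."""
    index = defaultdict(set)
    for rec in records:
        for field in INDEXED_FIELDS:
            value = rec.get(field, "")
            text = " ".join(value) if isinstance(value, list) else value
            for tok in tokenize(text):
                index[tok].add((rec["nasa_id"], field))
    return index

def search(index, term, field=None, prefix=False):
    """Sorted nasa_ids matching `term` (exact token, or token prefix),
    optionally restricted to one metadata field."""
    term = term.lower()
    tokens = [t for t in index if t.startswith(term)] if prefix else [term]
    ids = set()
    for tok in tokens:
        ids.update(i for i, f in index.get(tok, ()) if field in (None, f))
    return sorted(ids)

if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    print(build_search_url(q="moon", media_type="image"))
    print("exact 'moon':   ", search(idx, "moon"))
    print("prefix 'moon':  ", search(idx, "moon", prefix=True))
    print("keyword 'moon': ", search(idx, "moon", field="keywords"))
```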

Indexing this collection has all the marks of a potential crowd sourcing project:

  1. Easy to access data
  2. Free data
  3. Interesting data
  4. Metadata

Interested?

More Leveling – Undetectable Phishing Attack

Monday, April 17th, 2017

Chrome, Firefox, and Opera Vulnerable to Undetectable Phishing Attack by Catalin Cimpanu.

From the post:

Browsers such as Chrome, Firefox, and Opera are vulnerable to a new variation of an older attack that allows phishers to register and pass fake domains as the websites of legitimate services, such as Apple, Google, eBay, and others.

Discovered by Chinese security researcher Xudong Zheng, this is a variation of a homograph attack, first identified by Israeli researchers Evgeniy Gabrilovich and Alex Gontmakher, and known since 2001.

This particular hack depends on look-alike characters being available within a single script, which avoids mixing characters from different scripts (mixed-script names are what browsers already treat as likely phishing attempts).

To make this work, you will need a domain name written using Punycode (RFC 3492), which encodes Unicode labels in ASCII.

There’s a task for deep learning, scanning the Unicode Code Charts for characters that are easy to confuse with ASCII characters.

If you have a link to such results, ping me with it.
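The defender's side of the check described above, as an added example (not from the post and not Zheng's demonstration): decode the Punycode, record the script of every label, flag mixed-script labels, and reduce a single-script look-alike to its ASCII "skeleton" so it can be compared against domains you care about. The confusable table is a small constructed subset (the full data is Unicode UTS #39 confusables.txt) and the watchlist is an assumption.

```python
"""Added example, not from the post or from Zheng's demonstration: a
defender-side check for look-alike (homograph) domains.  It decodes
Punycode (RFC 3492, via Python's idna codec), records the Unicode
script of every label, flags mixed-script labels, and maps a small
constructed subset of Cyrillic confusables to an ASCII "skeleton" so a
single-script look-alike can be compared against a watchlist.  The
confusable table and watchlist are assumptions (the full data lives in
Unicode UTS #39 confusables.txt)."""
import unicodedata

# Constructed subset: Cyrillic letters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}
# Constructed watchlist: normally the domains you operate or log in to.
WATCHLIST = {"example.com", "example.org"}

def to_unicode(domain):
    """Accept either the Punycode (xn--) or the Unicode form of a domain."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:          # already in Unicode form
        return domain

def script_of(char):
    """Coarse script from the Unicode name: LATIN, CYRILLIC, GREEK, ..."""
    if char in "-0123456789":
        return "Common"
    return unicodedata.name(char, "UNKNOWN").split()[0]

def skeleton(label):
    """Replace known confusables with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def analyze(domain):
    """Verdict for one domain.  'mixed_script' catches the classic
    attack; 'lookalike' catches the single-script variant the post
    describes, which a mixed-script check alone misses."""
    uni = to_unicode(domain).lower().rstrip(".")
    labels = uni.split(".")
    scripts = [sorted({script_of(c) for c in lab} - {"Common"}) for lab in labels]
    mixed = any(len(s) > 1 for s in scripts)
    skel = ".".join(skeleton(lab) for lab in labels)
    lookalike = skel != uni and skel.isascii()   # non-ASCII name with an ASCII twin
    return {
        "unicode": uni,
        "scripts": scripts,
        "mixed_script": mixed,
        "skeleton": skel,
        "lookalike_of": skel if lookalike and skel in WATCHLIST else None,
        "suspicious": mixed or lookalike,
    }

if __name__ == "__main__":
    for d in ("example.com", "\u0435xample.com", "\u0440\u0430\u0441\u0435.com"):
        print(analyze(d))
```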

Black Womxn Authors, Library of Congress and MarcXML (Part 1)

Monday, April 17th, 2017

This adventure started innocently enough with the 2017 Womxn of Color Reading Challenge by Der Vang. As an “older” White male Southerner working in technology, I don’t encounter works by womxn of color unless it is intentional.

The first book, “A book that became a movie,” was easy. I read the deeply moving Beloved by Toni Morrison. I recommend reading a non-critical edition before you read a critical one. Let Morrison speak for herself before you read others offering their views on the story.

The second book, “A book that came out the year you were born,” has proven to be more difficult. Far more difficult. You see, I think Der Vang was assuming a reading audience younger than I am, for which womxn of color authors would not be difficult to find. That hasn’t proven to be the case for me.

I searched the usual places, but the likely collections did not denote an author’s gender or race. The Atlanta-Fulton Public Library reference service came riding to the rescue after I had exhausted my talents with this message:

‘Attached is a “List of Books Published by Negro Writers in 1954 and Late 1953” (pp. 10-12) by Blyden Jackson, IN “The Blithe Newcomers: Resume of Negro Literature in 1954: Part I,” Phylon v.16, no.1 (1st Quarter 1955): 5-12, which has been annotated with classifications (Biography) or subjects (Poetry). Thirteen are written by women; however, just two are fiction. The brief article preceding the list does not mention the books by the women novelists–Elsie Jordan (Strange Sinner) or Elizabeth West Wallace (Scandal at Daybreak). No Part II has been identified. And AARL does not own these two. Searching AARL holdings in Classic Catalog by year yields seventeen by women but no fiction. Most are biographies. Two is better than none but not exactly a list.

A Celebration of Women Writers – African American Writers (http://digital.library.upenn.edu/women/_generate/AFRICAN%20AMERICAN.html) seems to have numerous [More Information] links which would possibly allow the requestor to determine the 1954 novelists among them.’
(emphasis in original)

Using those two authors/titles as leads, I found in the Library of Congress online catalog:

https://lccn.loc.gov/54007603
Jordan, Elsie. Strange sinner / Elsie Jordan. 1st ed. New York : Pageant, c1954.
172 p. ; 21 cm.
PZ4.J818 St

https://lccn.loc.gov/54012342
Wallace, Elizabeth West. [from old catalog] Scandal at daybreak. [1st ed.] New York, Pageant Press [1954]
167 p. 21 cm.
PZ4.W187 Sc

Checking elsewhere, both titles are out of print, although I did see one (1) copy of Elsie Jordan’s Strange Sinner for $100. I think I have located a university with a digital scan but will have to report back on that later.

Since both Jordan and Wallace published with Pageant Press the same year, I reasoned that other womxn of color may have also published with them and that could lead me to more accessible works.

Experienced librarians are no doubt already grinning because if you search for “Pageant Press” with the Library of Congress online catalog, you get 961 “hits,” displayed 25 “hits” at a time. Yes, you can set the page to return 100 “hits” at a time, but not while you have sort by date of publication selected. 🙁

That is you can display 100 “hits” per page in no particular order, or, you can display the “hits” in date of publication order, but only 25 “hits” at a time. (Or at least that was my experience, please correct me if that’s wrong.)

But, with the 100 “hits” per page, you can “save as,” but only as Marc records, Unicode (UTF-8) or not. No MarcXML format.

In response to my query about this, the Library of Congress replied:

At the moment we have no plans to provide an option to save search results as MARCXML. We will consider it for future development projects.

I can understand that in the current climate in Washington, but a way to convert Marc records to the easier (in my view) to manipulate MarcXML format would be a real benefit to readers and researchers alike.

Fortunately there is a solution, MarcEdit.

From the webpage:

This LibGuide attempts to document the features of MarcEdit, which was developed by Terry Reese. It is open source software designed to facilitate the harvesting, editing, and creation of MARC records. This LibGuide was adapted from a standalone document, and while the structure of the original document has been preserved in this LibGuide, it is also available in PDF form at the link below. The original documentation and this LibGuide were written with the idea that it would be consulted on an as-needed basis. As a result, the beginning steps of many processes may be repeated within the same page or across the LibGuide as a whole so that users would be able to understand the entire process of implementing a function within MarcEdit without having to consult other guides to know where to begin. There are also screenshots that are repeated throughout, which may provide a faster reference for users to understand what steps they may already be familiar with.

Of course, installing MarcEdit on Ubuntu isn’t a straightforward task. But I have 961 Marc records, and possibly more, that would be very useful in MarcXML. Tomorrow I will document the installation steps I followed with Ubuntu 16.04.
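The conversion itself is small enough to see in one screen. The Python below is an added example (not MarcEdit’s code and not from the post): it reads MARC 21 records in the ISO 2709 binary layout that the Library of Congress “save as” produces and emits MARCXML, using a record constructed from the Strange sinner catalog entry above (its 001 control number is an assumption).

```python
"""Added example, not MarcEdit's code and not from the post: a minimal
MARC 21 (ISO 2709) reader that emits MARCXML, the conversion the post
wants for Library of Congress "save as" output.  The sample record is
constructed from the catalog entry quoted above (its 001 control number
is an assumption); a downloaded file goes to convert(open(p, "rb").read())."""
from xml.etree import ElementTree as ET

FT, RT, SF = b"\x1e", b"\x1d", b"\x1f"   # field / record / subfield marks
MARCXML_NS = "http://www.loc.gov/MARC21/slim"

# Constructed sample: Jordan, Elsie. Strange sinner. New York: Pageant, c1954.
SAMPLE_FIELDS = [
    ("001", "54007603"),                                    # control field
    ("050", ("0", "0", [("a", "PZ4.J818"), ("b", "St")])),
    ("100", ("1", " ", [("a", "Jordan, Elsie.")])),
    ("245", ("1", "0", [("a", "Strange sinner /"), ("c", "Elsie Jordan.")])),
    ("250", (" ", " ", [("a", "1st ed.")])),
    ("260", (" ", " ", [("a", "New York :"), ("b", "Pageant,"), ("c", "c1954.")])),
    ("300", (" ", " ", [("a", "172 p. ;"), ("c", "21 cm.")])),
]

def build_record(fields):
    """Serialize (tag, value) pairs to one ISO 2709 record in UTF-8 (used
    here only to construct the sample).  Directory lengths and offsets are
    byte counts, which hand-rolled converters get wrong on non-ASCII text."""
    body, directory = b"", b""
    for tag, value in fields:
        if tag.startswith("00"):
            data = value.encode("utf-8") + FT
        else:
            ind1, ind2, subfields = value
            data = (ind1 + ind2).encode("ascii") + b"".join(
                SF + code.encode("ascii") + text.encode("utf-8")
                for code, text in subfields) + FT
        directory += f"{tag}{len(data):04d}{len(body):05d}".encode("ascii")
        body += data
    directory += FT
    base = 24 + len(directory)                   # base address of data
    total = base + len(body) + len(RT)
    leader = f"{total:05d}nam a22{base:05d} a 4500".encode("ascii")
    assert len(leader) == 24
    return leader + directory + body + RT

def iter_records(blob):
    """Yield single records from a file holding many (the LoC 'save as')."""
    for chunk in blob.split(RT):
        if chunk:
            yield chunk + RT

def parse_record(raw):
    """Parse one record into (leader, fields).  Control fields come back as
    (tag, None, None, text); data fields as (tag, ind1, ind2,
    [(code, text), ...]).  Inconsistent lengths or offsets raise ValueError."""
    leader = raw[:24].decode("ascii")
    if len(raw) != int(leader[:5]) or not raw.endswith(RT):
        raise ValueError("record length or terminator mismatch")
    base = int(leader[12:17])
    directory = raw[24:base - 1]                 # drop the directory's FT
    if len(directory) % 12 or raw[base - 1:base] != FT:
        raise ValueError("malformed directory")
    fields = []
    for i in range(0, len(directory), 12):
        entry = directory[i:i + 12].decode("ascii")
        tag, length, start = entry[:3], int(entry[3:7]), int(entry[7:12])
        data = raw[base + start:base + start + length]
        if not data.endswith(FT):
            raise ValueError(f"field {tag} not terminated")
        text = data[:-1].decode("utf-8")
        if tag.startswith("00"):
            fields.append((tag, None, None, text))
        else:
            parts = text[2:].split(SF.decode("ascii"))
            fields.append((tag, text[0], text[1],
                           [(p[0], p[1:]) for p in parts if p]))
    return leader, fields

def to_marcxml(leader, fields):
    """Render one parsed record as a MARCXML <record> string."""
    ET.register_namespace("", MARCXML_NS)
    def q(name): return f"{{{MARCXML_NS}}}{name}"
    rec = ET.Element(q("record"))
    ET.SubElement(rec, q("leader")).text = leader
    for tag, ind1, ind2, content in fields:
        if ind1 is None:
            ET.SubElement(rec, q("controlfield"), tag=tag).text = content
        else:
            df = ET.SubElement(rec, q("datafield"), tag=tag, ind1=ind1, ind2=ind2)
            for code, text in content:
                ET.SubElement(df, q("subfield"), code=code).text = text
    return ET.tostring(rec, encoding="unicode")

def convert(blob):
    """MARC blob (one or many records) -> list of MARCXML strings."""
    return [to_marcxml(*parse_record(r)) for r in iter_records(blob)]

if __name__ == "__main__":
    print(convert(build_record(SAMPLE_FIELDS))[0])
```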

PS: I’m not ignoring the suggested A Celebration of Women Writers – African American Writers (http://digital.library.upenn.edu/women/_generate/AFRICAN%20AMERICAN.html). But I have gotten distracted by the technical issue of how to convert all the holdings at the Library of Congress for a publisher into MarcXML. Suggestions on how to best use this resource?

Shadow Brokers Level The Playing Field

Monday, April 17th, 2017

The whining and moaning from some security analysts over Shadow Broker dumps is a mystery to me.

Apologies for the pie chart, but the blue area represents the widely vulnerable population pre-Shadow Brokers leak:

I’m sorry, you can’t really see the 0.01% or less, who weren’t vulnerable pre-Shadow Brokers leak. Try this enlargement:

Shadow Brokers, especially if they leak more current tools, are leveling the playing field for the average user/hacker.

Instead of 99.99% of users being in danger from people who buy/sell zero-day exploits, some governments and corporations, now it is closer to 100% of all users who are in danger.

Listen to them howl!

What was not a big deal, since people with power could hack the other 99.99% of us, certainly is now a really big deal.

Maybe we will see incentives for more secure software when everyone and I mean everyone is at equal risk.

Help Shadow Brokers level the security playing field.

A post on discovery policy for vulnerabilities promotes user equality.

Do you favor user equality or some other social regime?

The Line Between Safety and Peril – (patched) “Supported Products”

Saturday, April 15th, 2017

Dan Goodin in NSA-leaking Shadow Brokers just dumped its most damaging release yet reports in part:


Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks.

Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.
“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

News of the release has been fanned by non-technical outlets, such as CNN Tech (NSA’s powerful Windows hacking tools leaked online by Selena Larson).

Microsoft has responded with: Protecting customers and evaluating risk:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

Code Name        Solution
EternalBlue      Addressed by MS17-010
EmeraldThread    Addressed by MS10-061
EternalChampion  Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher”  Addressed prior to the release of Windows Vista
EskimoRoll       Addressed by MS14-068
EternalRomance   Addressed by MS17-010
EducatedScholar  Addressed by MS09-050
EternalSynergy   Addressed by MS17-010
EclipsedWing     Addressed by MS08-067

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
… (emphasis in original)

You are guaranteed to be in peril if you are not running patched, supported Microsoft products.

Even if you are running a supported product, know that 50% of all vulnerabilities are from failure to apply patches.

Unlike the hackers who may be in your system right now, liability (for vendors, over unreasonably poor coding practices; for your company, over data breaches caused by your own practices, such as failure to apply patches) would be an incentive for more secure software and better security practices.

If you are serious about cybersecurity, focus on people you can reach and not those you encounter at random (hackers).

Power to the User! + Pull Advertising

Friday, April 14th, 2017

Princeton’s Ad-Blocking Superweapon May Put an End to the Ad-Blocking Arms Race by Jason Koebler.

From the post:

An ad blocker that uses computer vision appears to be the most powerful ever devised and can evade all known anti ad blockers.

A team of Princeton and Stanford University researchers has fundamentally reinvented how ad-blocking works, in an attempt to put an end to the advertising versus ad-blocking arms race. The ad blocker they’ve created is lightweight, evaded anti ad-blocking scripts on 50 out of the 50 websites it was tested on, and can block Facebook ads that were previously unblockable.

The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected. Second, the team notes that there are regulations and laws on the books that give a fundamental advantage to consumers that cannot be easily changed, opening the door to a long-term ad-blocking solution.
… (emphasis in original)

How very cool! Putting users in charge of the content they view. What a radical idea!

Koebler does the required genuflection towards the “ethics” of blocking ads, but I see no “ethical” issue at all.

IBM, Cisco, etc., are wasting their time and mine advertising enterprise scale security solutions to me. Promise.

What’s broken is that advertisers, like telephone scammers, must contact millions of people to find those unlucky enough to answer the ad and/or phone.

What if instead of a push advertising model we had pull advertising?

For example, not this year but in a few years, I’m going to buy a new car. When that time comes, ads and offers on cars of certain types would be welcome.

What if I could specify a time period, price range and model of car, and for that relevant period of time I get car ads, etc.? Notice I have pre-qualified myself as interested, so the advertisers aren’t talking about hits out of millions but possibly thousands, if not hundreds. Depends on how good their offers are.

Or if generally I’m interested in books in particular categories or by particular authors? Or when cheese is on sale at Kroger? All of which I could pre-qualify myself.

Pull advertising reduces the bandwidth wasted by advertisers who push content never knowing where a mark (sorry, customer) may be found.

Such a system would need to protect the privacy of consumers, so they would not be pestered when they had not opted in for ads. But anonymous ad brokerage is certainly doable. (The opposite of finding a subject with topic maps is concealing it.)

Interested in ending web-based spam/click-bait?

Happy Easter From Shadow Brokers!

Friday, April 14th, 2017

Shadow Brokers Release New Files Revealing Windows Exploits, SWIFT Attacks by Catalin Cimpanu.

From the post:

On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft’s Windows OS and evidence the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.

The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.

Called “Lost in Translation,” the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.

Cimpanu has a partial list of some of the more interesting hacking tools in the release.

Encouragement to grab a copy of the archive for yourself.

Assuming any, some or all of these tools are genuine, you can now start peeling banks, corporations and governments like eating an orange.

The only thing that’s missing is you.

Transparency anyone?

CIA To Silence Wikileaks? Donate/Leak to Wikileaks

Thursday, April 13th, 2017

CIA chief targets WikiLeaks and Julian Assange as ‘hostile,’ vows to take action by Tim Johnson.

From the post:

CIA Director Mike Pompeo on Thursday called the anti-secrecy group WikiLeaks a hostile intelligence service and said the group would soon face decisive U.S. action to stifle its disclosures of leaked material.

“It ends now,” Pompeo said in his first public remarks after 10 weeks on the job, indicating that President Donald Trump will take undefined but forceful action.

Pompeo lashed out aggressively against Julian Assange, the Australian founder of WikiLeaks – who has been holed up in the Ecuadorean embassy in London for nearly five years – calling him a narcissist and “a fraud, a coward hiding behind a screen.”

Really?

Given the perennial failure of the CIA to discover terror attacks before they happen, recognize when governments are about to fall, and maintain their own security, I can’t imagine Assange and Wikileaks are shaking in their boots.

I disagree with Wikileaks on their style of leaking; I prefer faster and unedited leaking, but that’s a question of style and not of whether to leak.

If, and it’s a big if, Wikileaks is silenced, the world will grow suddenly darker. Much of what Wikileaks has published would not be published by main stream media, much to the detriment of citizens around the world.

Two things you need to do:

The easy one, donate to support WikiLeaks. As often as you can.

The harder one, leak secrets to Wikileaks.

Repressive governments are pressing WikiLeaks, help WikiLeaks make a fire hose of leaks to push them back.

Tiny Narratives – Upgrade Your Writing

Thursday, April 13th, 2017

8 steps to upgrade your everyday news stories with ‘tiny narratives’ by Katia Savchuk.

From the post:

BEFORE BETH SCHWARTZAPFEL became a staff writer for The Marshall Project three years ago, she spent a decade as a freelance magazine writer. She got used to spinning 4,000-word narratives for places like Mother Jones and the Boston Review. When she arrived at the nonprofit newsroom, which covers criminal justice, Schwartzapfel found herself tackling an entirely different animal: breaking news and hard-hitting features that put the facts center stage.

Schwartzapfel considered how she could bring her storytelling chops to these new formats. Her answer was what she calls “tiny narratives”: compact anecdotes, sometimes only a few lines long, scattered throughout a fact-driven article. “I think of them as raisins in oatmeal, or the signs people hold on the sidelines of a marathon. They’re little surprises or jolts of pleasure to remind people of what they’re reading and why it matters,” she explained in a session at the Power of Narrative Conference at Boston University in late March.

Those nuggets of humanity can help keep readers on the page at a time when news organizations are scrambling for the public’s attention. But it isn’t easy to do well. Injecting narrative elements into a news or investigative story can bring unnecessary clutter or overwhelm the essential facts.

Here are tips from Schwartzapfel and other speakers at the conference about how to get “tiny narratives” right.
… (emphasis in original)

A series of great tips, but if you want more examples of Schwartzapfel’s writing, try Beth Schwartzapfel, Staff Writer.

I count fifty-five (55) stories.

More than enough for a Hunter Thompson exercise of re-typing great stories:

Posted by Brian John Spencer in Hunter S. Thompson – Typing out the work of the best writers.

Think of Thompson’s approach as developing “muscle and verbal cadence” memory.

I’m much more likely to try that with Schwartzapfel’s stories than with XQuery, but it would be an interesting exercise in both cases.

😉

Papers we Scrutinize: How to critically read papers

Thursday, April 13th, 2017

Papers we Scrutinize: How to critically read papers by Tomas Petricek.

From the post:

As someone who enjoys being at the intersection of the academic world and the world of industry, I’m very happy to see any attempts at bridging this harmful gap. For this reason, it is great to see that more people are interested in reading academic papers and that initiatives like Papers We Love are there to help.

There is one caveat with academic papers though. It is very easy to see academic papers as containing eternal and unquestionable truths, rather than as something that the reader should actively interact with. I recently remarked about this saying that “reading papers” is too passive. I also mentioned one way of doing more than just “reading”, which is to write “critical reviews” – something that we recently tried to do at the Salon des Refusés workshop. In this post, I would like to expand my remark.

First of all, it is very easy to miss the context in which papers are written. The life of an academic paper is not complete after it is published. Instead, it continues living its own life – people refer to it in various contexts, give different meanings to entities that appear in the paper and may “love” different parts of the paper than the author. This also means that there are different ways of reading papers. You can try to reconstruct the original historical context, read it according to the current main-stream interpretation or see it as an inspiration for your own ideas.

I suspect that many people, both in academia and outside, read papers without worrying about how they are reading them. You can certainly “do science” or “read papers” without reflecting on the process. That said, I think the philosophical reflection is important if we do not want to get stuck in local maxima.

Petricek goes on to define three (3) different ways to read a paper, using A Formulation of the Simple Theory of Types by Alonzo Church.

Worth reading and following, but consider more concrete guidance as well:

The requirements to make reading and peer review useful activities are well known.

Only you can prevent the failure to meet those requirements in your case. Yes?

How To Win Friends – The Malamud Strategy

Thursday, April 13th, 2017

Last week, Judge Richard W. Story (Northern District of Georgia), ruled in favor of the State of Georgia and ordered Carl Malamud to remove the Official Code of Georgia Annotated (OCGA) from public.resource.org.

There are a number of reports circulating:

The State of Georgia wins its suit against Carl Malamud for publishing official annotations to the law of the land by Simon Reichley.

If you publish Georgia’s state laws, you’ll get sued for copyright and lose by Joe Mullin.

Reprinting Georgia legal code violates copyright law, US judge rules in Ars Technica.

I think fees for FOIA requests serve to suppress inquiry so you can imagine where my sympathies lie in this case.

However, to promote greater public access to law, Malamud’s strategy with the State of Georgia is a lesson in how NOT to proceed (from Ars Technica):


In 2013, Malamud scanned all 186 volumes and supplements of the OCGA and posted copies on the website. He also sent flash drives with copies of the laws to Georgia speaker of the House, David Ralston, and other lawmakers, lawyers and policymakers.

Accompanying the flash drives, Malamud wrote a letter stating his intention to make the laws available so that “public servants, members of the bar, citizens, and members of the business community have ready access to the laws that govern them.”
… (emphasis in the original)

Whether the Code Revision Committee withholds the OCGA from the public out of spite, some deluded notion of competition between digital and print products, or for more nefarious reasons isn’t known to me.

But taking the Code Revision Committee’s toy and waving it in front of them isn’t going to improve the situation.

Now we have bad case law on law + annotation. Bad case law likely to be affirmed in this circuit. (Poor forum shopping.) Reversal requires Malamud to win the Supreme Court lottery. Way to go.

Here’s an alternative:

First, Judge Story lists contents of each O.C.G.A volume:

The Agreement requires the official Code to include not only the statutory provisions, but also “annotations, captions, catchlines, headings, history lines, editorial notes, cross-references, indices, title and chapter analyses, research references, amendment notes. Code Commission notes, and other material related to or included in such Code at the direction of the Commission” [Doc. No. 29-8, p. 2]. Each O.C.G.A. volume and supplement therefore contains statutory text and non-statutory annotation text, including judicial decision summaries, editor’s notes, research references, notes on law review articles, summaries of the opinions of the Attorney General of Georgia, indexes, and title, chapter, article, part, and subpart captions, which are all prepared by Lexis/Nexis under the requirements of the Agreement [Doc. No. 17, ¶¶ 3, 9, 18, and 26]. (Code Revision Commission, et al. vs. Public.Resource.Org, Inc., page 3)

You will notice that court decisions, law review articles and opinions of the Attorney General of Georgia are all “facts” and not subject to copyright. That is, you could not use the Lexis/Nexis summaries, but you certainly could provide your own.

Some other “facts” in the annotations include:

The Official Code of Georgia’s copious annotations help you expand your research and include:

  • Decisions of the U.S. Supreme Court, the Supreme Court of Georgia, the Courts of Appeals of Georgia, and all federal cases arising in Georgia
  • Opinions of the Georgia Attorney General
  • State law reviews
  • ALR
  • American Jurisprudence
  • American Jurisprudence, Pleading and Practice
  • American Jurisprudence, Proof of Facts
  • American Jurisprudence, Trials
  • Corpus Juris Secundum
  • Uniform Laws Annotated
  • Cross reference notes to statutes, rules, and regulations including the United States Code and the Official Compilation of the Rules and Regulations of the State of Georgia
  • All case citations are Shepardized® for accuracy and relevant subsequent history.

… (Official Code of Georgia Annotated)

The first step in production of a public access version of Georgia law would be the acquisition of LexisNexis CD – Georgia Primary Law as a comparison or proofing copy to be used against your OCR of the scanned volumes. Once that’s done, use XQuery to purge the non-factual material, leaving markers where new summaries need to be added.

The second step would be to crowd-source among law students the missing summaries. Proposed summaries are critiqued by other law students. Not every student makes law review but a killer annotation in the Unofficial Code of Georgia Annotated (U.C.G.A.) could provide some street cred.

A possible third step, taking the U.C.G.A. beyond the traditional product, is to use crowd-sourcing to annotate statutes with trial judge rulings, parties and their lawyers. Facts have some relationship to outcomes in court cases but not as much as you may think. Why do so many IP cases go to the Eastern District of Texas? I promise, it’s not the facts of the cases.

More complicated than scanning and posting images, but the result is public access, a value-add, and a better product than is currently available.
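The first step above, purging the publisher’s material while leaving markers, as an added example (mine, not Malamud’s tool or anything Public.Resource.Org published). It assumes a constructed XML layout for an OCR’d section: a <text> element holding the statute and <annotation type="..."> elements each holding a <cite> for the authority and the publisher-written <summary>; the type names are my own. The text suggests XQuery for this; ElementTree is used here, and the sample cites are placeholders.

```python
"""Purge non-factual annotation text from a code section, leaving
<needs-summary> markers (one per cited authority) for students to fill.

Constructed layout assumed: <section> contains <text> (statutory, kept) and
<annotation type="..."> children with a <cite> and a publisher <summary>.
"""
import xml.etree.ElementTree as ET

# Annotation types whose cited authority is a public fact a student can
# re-summarize. Types not listed (editor's notes and the like) carry no
# separable fact, so they are dropped outright.
MARKER_TYPES = {"case", "ag-opinion", "law-review"}

# Constructed sample; citations are placeholders, not real authorities.
SAMPLE = """<code>
<section id="EXAMPLE-1-1-1">
  <text>Statutory text of the section goes here.</text>
  <annotation type="case"><cite>Doe v. State, 000 Ga. 000 (0000)</cite>
    <summary>Publisher's summary of the holding.</summary></annotation>
  <annotation type="ag-opinion"><cite>Op. Att'y Gen. 00-0</cite>
    <summary>Publisher's summary of the opinion.</summary></annotation>
  <annotation type="editor-note"><summary>Editor's note prose.</summary></annotation>
  <annotation type="law-review"><cite>00 Ga. L. Rev. 000 (0000)</cite>
    <summary>Publisher's note on the article.</summary></annotation>
</section>
</code>"""


def purge_annotations(xml_text: str):
    """Return (cleaned XML string, stats). Statutory <text> is untouched;
    each purged annotation either becomes a marker or is dropped."""
    root = ET.fromstring(xml_text)
    stats = {"markers": 0, "dropped": 0}
    for section in root.iter("section"):
        for ann in list(section.findall("annotation")):
            position = list(section).index(ann)
            section.remove(ann)
            cite = (ann.findtext("cite") or "").strip()
            if ann.get("type") in MARKER_TYPES and cite:
                # Keep only the fact (the citation); the summary is gone.
                marker = ET.Element("needs-summary",
                                    {"type": ann.get("type"), "cite": cite})
                marker.tail = ann.tail  # preserve the original line layout
                section.insert(position, marker)
                stats["markers"] += 1
            else:
                stats["dropped"] += 1
    return ET.tostring(root, encoding="unicode"), stats


def pending_cites(xml_text: str) -> list:
    """List the authorities still waiting for a crowd-sourced summary."""
    cleaned, _ = purge_annotations(xml_text)
    return [m.get("cite") for m in ET.fromstring(cleaned).iter("needs-summary")]


if __name__ == "__main__":
    cleaned, stats = purge_annotations(SAMPLE)
    print(cleaned)
    print(stats, pending_cites(SAMPLE))
```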

PS: I would omit Code Revision Committee annotations as they are unlikely to grant permission and the U.C.G.A. will be valuable even without their participation. This means, of course, they would not be getting any royalties from the use of the U.C.G.A.

PPS: These principles apply to other legal publishing monopolists. I’m game if you are.

Unpaywall (Access to Academic Publishing)

Wednesday, April 12th, 2017

How a Browser Extension Could Shake Up Academic Publishing by Lindsay McKenzie.

From the post:

Open-access advocates have had several successes in the past few weeks. The Bill & Melinda Gates Foundation started its own open-access publishing platform, which the European Commission may replicate. And librarians attending the Association of College and Research Libraries conference in March were glad to hear that the Open Access Button, a tool that helps researchers gain free access to copies of articles, will be integrated into existing interlibrary-loan arrangements.

Another initiative, called Unpaywall, is a simple browser extension, but its creators, Jason Priem and Heather Piwowar, say it could help alter the status quo of scholarly publishing.

“We’re setting up a lemonade stand right next to the publishers’ lemonade stand,” says Mr. Priem. “They’re charging $30 for a glass of lemonade, and we’re showing up right next to them and saying, ‘Lemonade for free’. It’s such a disruptive, exciting, and interesting idea, I think.”

Like the Open Access Button, Unpaywall is open-source, nonprofit, and dedicated to improving access to scholarly research. The button, devised in 2013, has a searchable database that comes into play when a user hits a paywall.

When an Unpaywall user lands on the page of a research article, the software scours thousands of institutional repositories, preprint servers, and websites like PubMed Central to see if an open-access copy of the article is available. If it is, users can click a small green tab on the side of the screen to view a PDF.

Sci-Hub gets an honorable mention as a “…pirate website…,” usage of which carries “…so much fear and uncertainty….” (Disclaimer: the author of those comments is one of the creators of Unpaywall, Jason Priem.)

Hardly. What was long suspected about academic publishing has become widely known: Peer review is a fiction, even at the best known publishers, to say nothing of lesser lights in the academic universe. The “contribution” of publishers is primarily maintaining lists of editors for padding the odd resume. (Peer Review failure: Science and Nature journals reject papers because they “have to be wrong”.)

I should not overlook publishers as a source of employment for “gatekeepers.” “Gatekeepers” being those unable to make a contribution on their own, who seek to prevent others from doing so and failing that, preventing still others from learning of those contributions.

Serfdom was abolished centuries ago; academic publishing deserves a similar fate.

PS: For some reason authors are reluctant to post the web address for Sci-Hub: https://sci-hub.cc/.

MS Patch for Zero Day Leaves 56% Of Office Users Exposed

Tuesday, April 11th, 2017

Microsoft Patches Word Zero-Day Spreading Dridex Malware by Tom Spring.

From the post:

Microsoft on Tuesday released a patch for a zero-day vulnerability that was discovered late last week and used to spread the Dridex banking Trojan.

Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts.

Err, well, except that Tom goes on to say:


However, Microsoft notes “you must have the release version of Service Pack 2 for Office 2010 installed on the computer” to apply the security update. Alternatively, security experts recommend blocking RTF documents in Microsoft Word via the File Block Settings in the Microsoft Office Trust Center. They also recommend using Microsoft Office Protected View, which they say can help prevent exploitation without user interaction.

A highly unscientific survey of MS Office users at: http://www.msofficeforums.com/versionchart.php?mon=12, shows the patch leaves 56% of Office users vulnerable.

Is that the total you get?

Anyone spreading the Dridex malware need not despair about the MS patch. The majority of Office users remain unprotected.
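The File Block and Protected View settings quoted above keep RTF away from Word on the endpoint. An added example (mine, not the article’s or Microsoft’s) shows the complementary check a mail gateway can make before the attachment reaches Word: identify RTF by content rather than extension, decode each embedded object, and read the class name its OLE 1.0 header declares, flagging the OLE2Link objects the post names. The samples are constructed (no real malware); the flag names and the class-name length sanity limit are my own.

```python
"""Gateway triage of Office attachments: is it really RTF, and what OLE
object classes does it embed? Constructed samples only."""
import re
import struct

RTF_MAGIC = b"{\\rtf"
OBJDATA_RE = re.compile(rb"\\objdata\b")
SUSPECT_CLASSES = {"OLE2Link"}  # object class the post says the campaign abused


def is_rtf(data: bytes) -> bool:
    """RTF begins with {\\rtf regardless of what the file name claims."""
    return data.lstrip().startswith(RTF_MAGIC)


def extract_objdata(data: bytes) -> list:
    """Decode the hex payload of every \\objdata group; skip malformed ones."""
    blobs = []
    for m in OBJDATA_RE.finditer(data):
        start = m.end()
        end = data.find(b"}", start)  # the group closes at the next brace
        if end == -1:
            end = len(data)
        hexdigits = re.sub(rb"\s+", b"", data[start:end])
        try:
            blobs.append(bytes.fromhex(hexdigits.decode("ascii")))
        except (UnicodeDecodeError, ValueError):
            continue
    return blobs


def ole1_class_name(blob: bytes):
    """OLE 1.0 ObjectHeader: OLEVersion(4) FormatID(4) then ClassName as a
    length-prefixed ANSI string (length includes the NUL terminator)."""
    if len(blob) < 12:
        return None
    _version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if not 0 < name_len <= 256 or len(blob) < 12 + name_len:  # sanity limit (assumed)
        return None
    return blob[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def triage_attachment(filename: str, data: bytes) -> dict:
    """What a gateway would log or act on for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    report = {"filename": filename, "is_rtf": is_rtf(data), "classes": [], "flags": []}
    if not report["is_rtf"]:
        return report
    if ext != "rtf":
        report["flags"].append("rtf_content_with_%s_extension" % (ext or "no"))
    for blob in extract_objdata(data):
        cls = ole1_class_name(blob)
        if cls is None:
            continue
        report["classes"].append(cls)
        if cls in SUSPECT_CLASSES:
            report["flags"].append("embedded_%s_object" % cls)
    return report


# Constructed samples: a harmless RTF, a ZIP-based .docx stub, and an RTF
# renamed to .doc whose one object header reads OLE version 0x501, format 2,
# class name "OLE2Link\0" (hex 4f4c45324c696e6b00) followed by empty names.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"
FAKE_DOCX = b"PK\x03\x04" + b"\x00" * 26
RTF_DISGUISED_AS_DOC = (
    b"{\\rtf1\\ansi{\\object\\objautlink{\\*\\objdata "
    b"01050000 02000000 09000000 4f4c45324c696e6b00 00000000 00000000}}\\par}"
)

if __name__ == "__main__":
    for name, data in [("notes.rtf", BENIGN_RTF), ("report.docx", FAKE_DOCX),
                       ("invoice.doc", RTF_DISGUISED_AS_DOC)]:
        print(triage_attachment(name, data))
```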

Textbook manifesto

Sunday, April 9th, 2017

Textbook manifesto by Allen B. Downey.

From the post:

My textbook manifesto is so simple it sounds stupid. Here it is:

Students should read and understand textbooks.

That’s it. It’s hard to imagine that anyone would disagree, but here’s the part I find infuriating: the vast majority of textbook authors, publishers, professors and students behave as if they do not expect students to read or understand textbooks.

Here’s how it works. Most textbook authors sit down with the goal of writing the bible of their field. Since it is meant to be authoritative, they usually stick to well-established ideas and avoid opinion and controversy. The result is a book with no personality.

For publishers, the primary virtue is coverage. They want books that can be used for many classes, so they encourage authors to include all the material for all possible classes. The result is a 1000-page book with no personality.
… (emphasis in original)

You probably know Downey from his Think Python and Think Bayes books.

Think Python, with the index, front matter, etc., runs 244 pages from tip to tail.

Longer than his proposed 10 pages per week for a semester course (140 pages total for a class), but not unreasonably so.

Take this as encouragement that a useful book need not be comprehensive, just effectively communicating more than the reader knows already.

Fact Check now available in Google… [Whose “Facts?”]

Friday, April 7th, 2017

Fact Check now available in Google Search and News around the world by Justin Kosslyn and Cong Yu.

From the post:

Google was built to help people find useful information by surfacing the great content that publishers and sites create. This access to high quality information is what drives people to use the web and for contributors to continue to engage and invest in it.

However, with thousands of new articles published online every minute of every day, the amount of content confronting people online can be overwhelming. And unfortunately, not all of it is factual or true, making it hard for people to distinguish fact from fiction. That’s why last October, along with our partners at Jigsaw, we announced that in a few countries we would start enabling publishers to show a “Fact Check” tag in Google News for news stories. This label identifies articles that include information fact checked by news publishers and fact-checking organizations.

After assessing feedback from both users and publishers, we’re making the Fact Check label in Google News available everywhere, and expanding it into Search globally in all languages. For the first time, when you conduct a search on Google that returns an authoritative result containing fact checks for one or more public claims, you will see that information clearly on the search results page. The snippet will display information on the claim, who made the claim, and the fact check of that particular claim.

And the fact checking criteria?


For publishers to be included in this feature, they must be using the Schema.org ClaimReview markup on the specific pages where they fact check public statements (documentation here), or they can use the Share the Facts widget developed by the Duke University Reporters Lab and Jigsaw. Only publishers that are algorithmically determined to be an authoritative source of information will qualify for inclusion. Finally, the content must adhere to the general policies that apply to all structured data markup, the Google News Publisher criteria for fact checks, and the standards for accountability and transparency, readability or proper site representation as articulated in our Google News General Guidelines. If a publisher or fact check claim does not meet these standards or honor these policies, we may, at our discretion, ignore that site’s markup.

An impressive 115 separate organizations are approved fact checkers but most of them, the New York Times for example, publish “facts” from the US State Department, US Department of Defense, members of US Congress, White House, and other dubious sources of information.

Not to mention: how many times have you read the New York Times supporting:

  • Palestinian Martyrs
  • State destruction of Afro-American homes as retribution for crimes
  • Armed white encampments in traditionally Afro-American neighborhoods

No?

Do you think perhaps the New York Times has a “point of view?”

We all do, you know. Have a point of view.

What I find troubling about “fact checking” by Google is that some points of view, such as that of the NYT, are going to be privileged as “facts,” whereas other points of view will not enjoy such a privilege.

Need I mention that not so long ago the entire Middle East was thrown into disarray, a disarray that continues to this day, because the “facts” as judged by the NYT and others said that Saddam Hussein possessed weapons of mass destruction?

I have no doubt that a fact checking Google at the time would have said it’s a fact that Saddam Hussein possessed weapons of mass destruction, at least until years after that had been proven to be false. Everybody who was anybody said it was a fact. Must be true.

As a super-Snopes, if I hear a rumor about Pete Rose and the Baseball Hall of Fame, Google fact checking may be useful.

For more subtle questions, consider whose “facts” they are when evaluating a Google fact check response.

Sci Hub It!

Friday, April 7th, 2017

Sci Hub It!

Simple add-on to make it easier to use Sci-Hub.

If you aren’t already using this plug-in for Firefox you should be.

Quite handy!

Enjoy!

Wikileaks Vault 7 “Grasshopper” – A Value Added Listing

Friday, April 7th, 2017

Wikileaks has released Vault 7 “Grasshopper.”

As I have come to expect, the release:

  • Is in no particular order
  • Requires loading an HTML page before obtaining a PDF file

Here is a value-added listing that corrects both of those problems (and includes page numbers):

  1. GH-Drop-v1_0-UserGuide.pdf 2 pages
  2. GH-Module-Bermuda-v1_0-UserGuide.pdf 9 pages
  3. GH-Module-Buffalo-Bamboo-v1_0-UserGuide.pdf 7 pages
  4. GH-Module-Crab-v1_0-UserGuide.pdf 6 pages
  5. GH-Module-NetMan-v1_0-UserGuide.pdf 6 pages
  6. GH-Module-Null-v2_0-UserGuide.pdf 5 pages
  7. GH-Module-Scrub-v1_0-UserGuide.pdf 6 pages
  8. GH-Module-Wheat-v1_0-UserGuide.pdf 5 pages
  9. GH-Module-WUPS-v1_0-UserGuide.pdf 6 pages
  10. GH-Run-v1_0-UserGuide.pdf 2 pages
  11. GH-Run-v1_1-UserGuide.pdf 2 pages
  12. GH-ScheduledTask-v1_0-UserGuide.pdf 3 pages
  13. GH-ScheduledTask-v1_1-UserGuide.pdf 4 pages
  14. GH-ServiceDLL-v1_0-UserGuide.pdf 4 pages
  15. GH-ServiceDLL-v1_1-UserGuide.pdf 5 pages
  16. GH-ServiceDLL-v1_2-UserGuide.pdf 5 pages
  17. GH-ServiceDLL-v1_3-UserGuide.pdf 6 pages
  18. GH-ServiceProxy-v1_0-UserGuide.pdf 4 pages
  19. GH-ServiceProxy-v1_1-UserGuide.pdf 5 pages
  20. Grasshopper-v1_1-AdminGuide.pdf 107 pages
  21. Grasshopper-v1_1-UserGuide.pdf 53 pages
  22. Grasshopper-v2_0_1-UserGuide.pdf 134 pages
  23. Grasshopper-v2_0_2-UserGuide.pdf 134 pages
  24. Grasshopper-v2_0-UserGuide.pdf 134 pages
  25. IVVRR-Checklist-StolenGoods-2_0.pdf 2 pages
  26. StolenGoods-2_0-UserGuide.pdf 11 pages
  27. StolenGoods-2_1-UserGuide.pdf 22 pages

If you notice that the Grasshopper-*****-UserGuide.pdf appears in four different versions, good for you!

I suggest you read only Grasshopper-v2_0_2-UserGuide.pdf.

The differences between Grasshopper-v1_1-UserGuide.pdf at 53 pages and Grasshopper-v2_0-UserGuide.pdf at 134 pages are substantial.

However, the only differences among Grasshopper-v2_0-UserGuide.pdf, Grasshopper-v2_0_1-UserGuide.pdf and Grasshopper-v2_0_2-UserGuide.pdf are these (diffs run on the text extracted from each PDF):

diff Grasshopper-v2_0-UserGuide.txt Grasshopper-v2_0_1-UserGuide.txt

4c4
< Grasshopper v2.0 
---
> Grasshopper v2.0.1 
386a387,389
> 
> Payloads arguments can be added with the optional -a parameter when adding a 
> payload component. 


diff Grasshopper-v2_0_1-UserGuide.txt Grasshopper-v2_0_2-UserGuide.txt

4c4
< Grasshopper v2.0.1 
---
> Grasshopper v2.0.2 
1832c1832
< winxppro-sp0 winxppro-sp1 winxppro-sp2 winxppro-sp3 
---
> winxp-x64-sp0 winxp-x64-sp1 winxp-x64-sp2 winxp-x64-sp3 
1846c1846
< winxppro win2003 
---
> winxp-x64 win2003 

Unless you are preparing a critical edition for the CIA and/or you are just exceptionally anal, the latest version, Grasshopper-v2_0_2-UserGuide.pdf, should be sufficient for most purposes.

Not to mention saving you 321 pages of duplicated reading.

Enjoy!

Naming German Censors

Friday, April 7th, 2017

Germany gives social networks 24 hours to delete criminal content by Simon Sharwood.

From the post:

Germany has followed through on its proposal to make social networks remove slanderous hate speech and fake news or face massive fines.

The nation’s Bundesministerium der Justiz und für Verbraucherschutz (Federal Ministry of Justice and Consumer Protection) has announced that cabinet approved a plan to force social network operators to create a complaints mechanism allowing members of the public to report content that online translate-o-tronic services categorise as “insults, libel, slander, public prosecutions, crimes, and threats.”

The Bill approved by Cabinet proposes that social networks be required to establish a complaints officer who is subject to local law and gets the job of removing obviously criminal content 24 hours after receiving a complaint. A seven-day deadline will apply to content that’s not immediately identifiable as infringing. Social networks will also be required to inform complainants of the outcome of their takedown requests and to provide quarterly summaries of their activities.

The ministry’s statement also suggests that those who feel aggrieved by material posted about them should be able to learn the true identity of the poster.

A Faktenpapier (PDF) on the Bill says that if the deadlines mentioned above aren’t met the social network’s designated complaints-handler could be fined up to five million Euros, while the network itself could cop a fine of 50 million Euros. An appeal to Germany’s courts will be possible.

Sharwood’s post is a great summary of this censorship proposal but fails to identify those responsible for it.

“Germany” in the abstract sense isn’t responsible for it. And to say the “Cabinet” leaves the average reader no more informed than saying “Germany.”

Perhaps this helps: German Cabinet / Censors:

  • Peter Altmaier
  • Alexander Dobrindt
  • Sigmar Gabriel
  • Hermann Gröhe
  • Barbara Hendricks
  • Ursula von der Leyen
  • Heiko Maas
  • Thomas de Maizière
  • Angela Merkel
  • Gerd Müller
  • Andrea Nahles
  • Wolfgang Schäuble
  • Christian Schmidt
  • Manuela Schwesig
  • Johanna Wanka
  • Brigitte Zypries

I don’t have their staff listings, yet, but that’s a start on piercing the veil that “Germany,” and “Cabinet” puts between the reader and wannabe censors.

Other veils that hide/protect censors that need piercing?

Garden Variety Terrorism

Thursday, April 6th, 2017

If you haven’t seen images from the I-85 fire in Atlanta, which caused a 100 foot section of a bridge to collapse, consider the images in the original post: the fire, and the collapsed span it resulted in. (Images not reproduced here.)

The fire was powered by HDPE coils (pictured in the original post):

HDPE coils burn at 341 degrees, according to their manufacturer.

One more fact you need:

Q: What is the temperature of a Bic lighter flame?
A: The temperature of a Bic lighter can reach nearly 1,977 degrees Celsius or 3,590.6 degrees Fahrenheit. The temperature of a lighter’s flame depends on what type of fuel the lighter uses. Bic lighters use butane and are called butane lighters.

From: https://www.reference.com/science/temperature-bic-lighter-flame-1ca2e364e38d1085 (emphasis added)

It has been alleged that a mentally ill crackhead (there’s some other kind?) set furniture on fire, which spread to other materials and then to the HDPE coils.

I mention this after having read “I write thrillers. My research showed me how easily terrorists can strike us” by Matthew Quirk.

Quirk writes in part:

A gray SUV idled across the street from the chemical plant. Gas storage tanks, four stories tall, towered over the low-slung neighborhood. It was a hot, dry Sunday in southeast Los Angeles.

The plant’s front gate was open. The driver tapped the throttle, then cut into the facility, past the “no trespassing” notices and the signs demanding that all trucks stop and check in with a guard. He pointed the car straight at three trailers loaded with compressed hydrogen. Behind them, on the other side of a rusting chain-link fence, rail tankers sat outside a facility that uses chlorine to manufacture bleach. One tanker car of chlorine, if ruptured (by, say, a nearby hydrogen explosion), could reach 4.9 million people in the Los Angeles Basin and kill 10,000 under worst-case conditions.

The driver veered away from the gas tanks, then stopped the car and waited. No one came to check on him as he took a few photos on his phone. After five minutes, he pulled away.

That was me. I write thrillers for a living. For my latest novel, “Dead Man Switch,” I spent a lot of time researching the materials lying around the United States that terrorists could use to kill tens of thousands of people. I like to think my books are pretty tense, but they have nothing on reality: More than 15 years after 9/11, we have failed to take basic steps to address glaring threats that have already cost American lives.

With its ongoing attempts to enact a ban on many Muslim travelers and “extreme vetting” for visitors to the United States, the Trump administration has treated terrorism as a political cudgel rather than the grave and present threat it truly represents. In the years after 9/11, there was extraordinary bipartisan momentum to identify threats and safeguard against them, but the work is unfinished. With terrorism back atop the agenda, we should spend our time and money addressing the obvious risks, not the hypothetical or concocted ones.
… (emphasis added)

I disagree with Quirk and the Washington Post on their assessment of the risk of terrorist attacks, but I have to second addressing actual risks and not imaginary ones.

Security speakers who wax eloquent about smallpox-infected travelers and weaponized anthrax fail to recognize a good Mission Impossible plot when they see one. Things like HDPE coils, Interstate bridges and Bic lighters escape their notice.

Terrorism doesn’t require elaborate cell infrastructures, much (and unfairly) maligned encrypted cellphone apps, or any of the highly convoluted schemes in popular fiction (read Homeland Security reports).

No, if I were concerned about terrorism, it would be over garden variety terrorism. The sort that uses no tool or implement not readily available to the average home owner.

Perhaps using those tools/implements in unexpected ways, in combination with open data to create, what did the American general say about Tet (1968)? Oh, yes, “to create maximum consternation.”

Web Scraping Reference: …

Thursday, April 6th, 2017

Web Scraping Reference: A Simple Cheat Sheet for Web Scraping with Python by Hartley Brody.

From the post:

Once you’ve put together enough web scrapers, you start to feel like you can do it in your sleep. I’ve probably built hundreds of scrapers over the years for my own projects, as well as for clients and students in my web scraping course.

Occasionally though, I find myself referencing documentation or re-reading old code looking for snippets I can reuse. One of the students in my course suggested I put together a “cheat sheet” of commonly used code snippets and patterns for easy reference.

I decided to publish it publicly as well – as an organized set of easy-to-reference notes – in case they’re helpful to others.

Brody uses Beautiful Soup, a Python library that will parse even the worst-formed HTML.

I mention this so I will remember the next time I scrape Wikileaks: instead of downloading, then repairing with Tidy and parsing with Saxon/XQuery, there are easier ways to do the job!

Enjoy!
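As an added example that is not from Brody’s cheat sheet or from the Grasshopper post above: the two-hop scrape that post complains about (index page, then one HTML page per document, then the PDF), followed by the version pruning that post does by hand. The “site” is a constructed dict of deliberately sloppy HTML so the code runs offline, and the standard library’s tolerant html.parser stands in for Beautiful Soup so there is no extra dependency; the URLs and the fetch() stub are assumptions.

```python
"""Two-hop scrape of a Wikileaks-style release plus version pruning.
Offline: the site is simulated by FAKE_SITE; swap fetch() for an HTTP
client (urllib, requests) to run it against a real release."""
import re
from html.parser import HTMLParser

# Constructed stand-in for the site: URL -> HTML. Tags are unclosed,
# attributes unquoted, and one index link leads to a non-document page.
FAKE_SITE = {
    "/release/index.html": """
      <html><body><h1>Grasshopper
      <ul><li><a href=/release/doc/1.html>GH-Run-v1_0-UserGuide
      <li><a href=/release/doc/2.html>Grasshopper-v2_0-UserGuide
      <li><a href="/release/doc/3.html">Grasshopper-v2_0_2-UserGuide
      <li><a href=/release/doc/4.html>Grasshopper-v2_0_1-UserGuide
      <li><a href=/release/about.html>About this release
      """,
    "/release/doc/1.html": '<p>file: <a href="/release/files/GH-Run-v1_0-UserGuide.pdf">download</a>',
    "/release/doc/2.html": '<p>file: <a href=/release/files/Grasshopper-v2_0-UserGuide.pdf>download',
    "/release/doc/3.html": "<p>file: <a href='/release/files/Grasshopper-v2_0_2-UserGuide.pdf'>download",
    "/release/doc/4.html": '<a href=/release/files/Grasshopper-v2_0_1-UserGuide.pdf>download</a> '
                           '<a href=/release/index.html>back</a>',
    "/release/about.html": "<p>No documents here.",
}


def fetch(url: str) -> str:
    """Stand-in for an HTTP GET (assumption; no network is used)."""
    return FAKE_SITE.get(url, "")


class LinkCollector(HTMLParser):
    """Collect every href; html.parser keeps going past unclosed tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return parser.hrefs


def collect_pdfs(index_url: str) -> list:
    """Hop index -> document page -> PDF; return PDF file names, sorted."""
    found = set()
    for doc_url in links(fetch(index_url)):
        for href in links(fetch(doc_url)):
            if href.lower().endswith(".pdf"):
                found.add(href.rsplit("/", 1)[-1])
    return sorted(found)


# Name-v1_0_2-Kind.pdf  or  Name-2_0-Kind.pdf  or  Name-2_0.pdf
NAME_RE = re.compile(r"^(?P<base>.+?)-v?(?P<ver>\d+(?:_\d+)+)(?:-(?P<kind>[^-]+))?\.pdf$")


def latest_versions(names: list) -> list:
    """Keep only the newest version of each (document, kind) pair, so
    Grasshopper-v2_0_2-UserGuide.pdf wins over v2_0_1, v2_0 and v1_1."""
    best = {}
    for name in names:
        m = NAME_RE.match(name)
        if not m:
            best[(name, None)] = ((), name)  # unversioned: keep as-is
            continue
        key = (m["base"], m["kind"])
        version = tuple(int(x) for x in m["ver"].split("_"))
        if key not in best or version > best[key][0]:
            best[key] = (version, name)
    return sorted(name for _, name in best.values())


if __name__ == "__main__":
    pdfs = collect_pdfs("/release/index.html")
    print("all:", pdfs)
    print("worth reading:", latest_versions(pdfs))
```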

Build Your Own Text Editor (“make changes, see the results”)

Thursday, April 6th, 2017

Build Your Own Text Editor by Jeremy Ruten.

From the webpage:

Welcome! This is an instruction booklet that shows you how to build a text editor in C.

The text editor is antirez’s kilo, with some changes. It’s about 1000 lines of C in a single file with no dependencies, and it implements all the basic features you expect in a minimal editor, as well as syntax highlighting and a search feature.

This booklet walks you through building the editor in 184 steps. Each step, you’ll add, change, or remove a few lines of code. Most steps, you’ll be able to observe the changes you made by compiling and running the program immediately afterwards.

I explain each step along the way, sometimes in a lot of detail. Feel free to skim or skip the prose, as the main point of this is that you are going to build a text editor from scratch! Anything you learn along the way is bonus, and there’s plenty to learn just from typing in the changes to the code and observing the results.

See the appendices for more information on the tutorial itself (including what to do if you get stuck, and where to get help).

If you’re ready to begin, then go to chapter 1!
… (emphasis in original)

I mention this tutorial because:

  • It’s an opportunity to see editor issues “from the other side.”
  • Practice reading and understanding C
  • I like the “make changes, see the results” approach

Of the three, the “make changes, see the results” approach is probably the most important.

Examples that “just work” are great and I look for them all the time. 😉

But imagine examples that take you down the false leads and traps, allowing you to observe the cryptic error messages from XQuery for example. You do work your way to a solution but are not given one out of the box.

“Cryptic” is probably overly generous with regard to XQuery error messages. Suggestions of a better one word term, usable in mixed company for them?

Mastodon (Tor Access Recommended)

Wednesday, April 5th, 2017

Mastodon

From the homepage:

Mastodon is a free, open-source social network. A decentralized alternative to commercial platforms, it avoids the risks of a single company monopolizing your communication. Pick a server that you trust — whichever you choose, you can interact with everyone else. Anyone can run their own Mastodon instance and participate in the social network seamlessly.

What sets Mastodon apart:

  • Timelines are chronological
  • Public timelines
  • 500 characters per post
  • GIFV sets and short videos
  • Granular, per-post privacy settings
  • Rich block and muting tools
  • Ethical design: no ads, no tracking
  • Open API for apps and services

… (emphasis in original)

No regex for filtering posts but it does have:

  • Block notifications from non-followers
  • Block notifications from people you don’t follow

One or both should cover most of the harassment cases.

I was surprised by the “Pick a server that you trust…” suggestion.

Really? A remote server being run by someone unknown to me? Bad enough that I have to “trust” my ISP, to a degree, but an unknown?

You really need a Tor-based email account and to use Tor for access to Mastodon. Seriously.

Pursuing Cybersecurity

Wednesday, April 5th, 2017

Reading:

should make you realize that hunting and punishing hackers is a very doubtful approach to improving cybersecurity.

Even if flaws are fixed in software, users resist upgrading and in other cases, vulnerabilities persist over decades. To put it bluntly, the opportunities for hacking increase with every software release or patch.

Hackers can be and are caught, then tried or pleaded out with great fanfare, but if security reports are to be credited, cybercrime continues to increase by leaps and bounds.

Using a non-cybersecurity example, what if your locality had a burglary problem? Every month, as new homes are built, the burglary rates go up. Upon investigation you discover that builders are not putting locks on doors or windows of new homes.

Your policy choices are:

  1. Hire more police officers and step up patrols to catch burglars, or
  2. Require builders to install and test locks on windows and doors.

Option #1, like punishing hackers, requires you to catch the burglars first. A chancy proposition at best, even more so for hackers. The bottom line is you are catching and punishing a minuscule portion of the burglars or hackers. For our example, assume that burglaries continue to increase despite your high conviction rate.

Option #2, well, builders are a lot easier to catch than burglars or hackers. They are selling a commercial product that depends upon repeat business so we can not only set requirements, we can also monitor if those requirements are being met.

Setting the standards for legal liability for flaws in software won’t be easy, but consider that despite the liabilities imposed on pharmaceutical companies:


Last year, five pharmaceutical companies made a profit margin of 20% or more – Pfizer, Hoffmann-La Roche, AbbVie, GlaxoSmithKline (GSK) and Eli Lilly.
… (from Pharmaceutical industry gets high on fat profits)

Ask your CFO when your company last made a 20% profit, after liabilities, R&D, etc.

Vendors can compete to produce more secure software (less liability) or compete to race to market with insecure software (feeding hackers).

Which approach do you think leads to greater cybersecurity overall?

Non-Fox News journalists: Investigate Bill O’Reilly & Fox News Reporters

Tuesday, April 4th, 2017

Fox News journalists: Don’t stay silent amid Bill O’Reilly controversy by Kyle Pope.

From the post:

WHAT DOES IT TELL US WHEN advertisers get ahead of reporters in matters of newsroom ethics? It tells us something is seriously wrong at Fox News, and it’s time for the real journalists at the network (and beyond) to make themselves heard.

On Tuesday, more companies moved to distance themselves from the network and its host, Bill O’Reilly, in response to an April 1 piece in The New York Times detailing sexual harassment allegations against Fox’s top-rated host and cash cow. The alleged behavior ranges the gamut of smut, from unwanted advances to phone calls in which O’Reilly—he of an $18 million-a-year salary from Rupert Murdoch et al—sounds as if he is masturbating.
… (emphasis in original)

Pope’s call for legitimate journalists at Fox to step forward is understandable, but too little too late.

From campus rape at UT Austin to former Penn State President Graham Spanier’s conviction for failing to report alleged child abuse, it is always the case that somebody knew what was going on and remained silent.

What did the “legitimate journalists” at Fox News know, and when?

Will the journalism community toss O’Reilly to the wolves and give his colleagues a free pass?

That seems like an odd sense of ethics for journalists.

Yes?

Targeting Tuesday: 600,000 Windows Server 2003 Installations

Tuesday, April 4th, 2017

Zero-day on Windows Server 2003 could affect up to 600,000 servers by Rene Millman.

From the post:

A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won’t issue a patch even though up to 600,000 servers could be running the unsupported software.

The researchers posted a proof-of-concept exploit for the zero-day to Github. The flaw is a zero-day buffer overflow vulnerability (CVE-2017-7269) which has been traced to an improper validation of an ‘IF’ header in a PROPFIND request.

The researchers said it’s not a theoretical risk as the flaw was exploited in the wild in July or August 2016. It was disclosed to the public this week.

“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.

He added that other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC).

No patch from Microsoft so this vulnerability will be around for quite some time. Long enough to test your skills at working from a PoC or a CVE (CVE-2017-7269) to develop working code.

Test against your local Windows Server 2003 installation on a VM.

If you are serious about security research, start collecting OS editions and their patches. Refresh your storage media on a regular schedule.
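Since the post says no patch is coming, the defender’s side of this is spotting the attack shape in traffic. An added example (mine, not from the article or the researchers): a rule, run at a reverse proxy or IDS that sees raw requests, flagging PROPFIND requests whose If header is abnormally long or carries non-ASCII bytes (the WebDAV If header grammar is ASCII lock tokens and URIs). The byte limit, the request format and the sample traffic are constructed assumptions.

```python
"""Flag anomalous WebDAV PROPFIND requests by inspecting the If header.
Constructed samples; IF_HEADER_LIMIT is an assumed site-specific ceiling."""

IF_HEADER_LIMIT = 512  # legitimate If headers (a few lock tokens/ETags) stay well under this


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target and a lower-cased
    header map. Repeated headers are kept as a list, never silently dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        key = name.strip().lower().decode("ascii", "replace")
        headers.setdefault(key, []).append(value.strip())
    return {
        "method": parts[0].decode("ascii", "replace").upper(),
        "target": parts[1].decode("latin-1"),
        "headers": headers,
    }


def inspect_request(raw: bytes) -> list:
    """Return findings for one request; an empty list means nothing odd."""
    req = parse_request(raw)
    findings = []
    if req["method"] != "PROPFIND":
        return findings  # this rule only cares about WebDAV PROPFIND
    for value in req["headers"].get("if", []):
        if len(value) > IF_HEADER_LIMIT:
            findings.append("PROPFIND If header is %d bytes (limit %d)"
                            % (len(value), IF_HEADER_LIMIT))
        if any(b > 0x7F for b in value):
            findings.append("PROPFIND If header contains non-ASCII bytes")
    return findings


def triage(requests: list) -> dict:
    """Map request index -> findings, keeping only requests that fired."""
    hits = {}
    for i, raw in enumerate(requests):
        found = inspect_request(raw)
        if found:
            hits[i] = found
    return hits


# Constructed traffic: a normal PROPFIND with a short lock-token If header,
# a PROPFIND whose If header is padded far beyond anything a client sends
# (a run of "A" stands in for filler), and a GET this rule must ignore.
NORMAL_PROPFIND = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet.example\r\n"
                   b"Depth: 1\r\nIf: (<opaquelocktoken:example-token-1>)\r\n\r\n")
LONG_IF_PROPFIND = (b"PROPFIND / HTTP/1.1\r\nHost: intranet.example\r\n"
                    b"If: <http://intranet.example/" + b"A" * 2048 + b">\r\n\r\n")
PLAIN_GET = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
             b"If: " + b"A" * 2048 + b"\r\n\r\n")

if __name__ == "__main__":
    print(triage([NORMAL_PROPFIND, LONG_IF_PROPFIND, PLAIN_GET]))
```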

The Upside To Overturning Internet Privacy Rules

Monday, April 3rd, 2017

Trump signs measure overturning internet privacy rules by David McCabe.

From the post:

President Trump has signed a Congressional resolution overturning Federal Communications Commission rules that would have required internet providers to get their customers’ permission before sharing personal data like browsing history with advertisers. The rules had yet to go into effect.

Is this a bad thing?

Sure, but there is an upside.

You have already seen media reports urging everyone to start using VPNs and the like to protect their privacy from ISP predators.

What happens if VPNs come into everyday use by the average user? Aside from greater profits for VPN vendors.

Hmmm, several orders of magnitude more VPN connections than are being tracked by the usual alphabet soup agencies.

Encourage every user you know to use a VPN connection. Hell, offer them as swag at conferences.

Teacher and library conferences. Church camps. Oh, yeah, technical conferences too.

Hackers in the mist? 😉

Substituting Their Judgment For Yours

Monday, April 3rd, 2017

Merrill Perlman, in “From cyberattacks to fake news: notable recent changes in AP style”, captures my complaint about reference-free reporting.

Perlman quotes a recent change in Associated Press (AP) style:

Holding politicians and public figures accountable for their words often requires reporting or research to verify facts that affirm or disprove a statement, or that show a gray area.

Fact-checking also is essential in debunking fabricated stories or parts of stories done as hoaxes, propaganda, jokes or for other reasons, often spread widely on the internet and mistaken as truth by some news consumers.

The term fake news may be used in quotes or as shorthand for the modern phenomenon of deliberate falsehoods or fiction masked as news circulating on the internet.

However, do not label as fake news specific or individual news items that are disputed.

In all cases, the goal of fact-checking is to push back on falsehoods, exaggeration and political spin. Be specific in describing what is false and back up those descriptions with facts.

… (emphasis added)

I would extend the AP’s

Be specific in describing what is false and back up those descriptions with facts.

to:

Be specific in describing what is false, back up those descriptions with facts, with links/references to resources for those facts.

Absent links/references for facts, I see two parties, both wanting to foist their judgment on “facts” onto me.

I appreciate the effort to save me from thinking for myself, but no thanks.

The absence of links/references to third-party resources is proof of intent to usurp the reader’s judgment.

The same reasoning applies to leak publishers who decide what you should or should not be allowed to see.

Encouraging ATM Security Upgrades

Monday, April 3rd, 2017

The cost of potential future losses from ATMs is baked into every bank fee. Good planning for banks, because 95% of ATMs are still running Windows XP. The losses are coming, just not yet.

Mail this image to your local bank, ditto for members of the board of directors:

I can’t promise your bank will upgrade its ATM software, nor that it will pass any reduction in anticipated future costs along to you.

However, the staff and directors are likely to give their Errors and Omission (E&O) policies a close review. 😉

Come to think of it, you should pass this along to any insurance agents selling E&O coverage. Great technique to drive their business and perhaps result in better security for banking customers.

Eroding the Presumption of Innocence in USA

Saturday, April 1st, 2017

You may be laboring under the false impression that people charged with crimes in the USA are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

I regret to inform you that presumption is being eroded away.

Kevin Poulsen has a compelling read in FBI Arrests Hacker Who Hacked No One about the case of Taylor Huddleston, who was arraigned on March 31, 2017 in the Federal District Court for the Eastern District of Virginia, docket number: 1:2017 cr 34.

Kevin’s crime? He wrote a piece of software that has legitimate uses, such as sysadmins troubleshooting a user’s computer remotely. That tool was pirated by others and put to criminal use. Now the government wants to take his freedom and his home.

Compare Kevin’s post to the indictment, which I have uploaded for your reading pleasure. There is a serious disconnect between Poulsen’s post and the indictment, as the government makes much out of a lot of hand waving and very few specifics.

Taylor did obtain a Release on Personal Recognizance or Unsecured Bond, which makes you think the judge isn’t overly impressed with the government’s case.

I would have jumped at such a release as well but I find it disturbing, from a presumption of innocence perspective, that the judge also required:

My transcription:

No access to internet through any computer or other data capable device including smart phones

Remember that Taylor Huddleston is presumed innocent, so how is that consistent with prohibiting him from a lawful activity, such as access to the internet?

Simple response: It’s not.

As I said, I would have jumped at the chance for a release on personal recognizance too. Judges are eroding the presumption of innocence with the promise of temporary freedom.

Wishing Huddleston the best of luck and that this erosion of the presumption of innocence won’t go unnoticed/unchallenged.