Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 8, 2017

OSS-Fuzz: Five months later, and rewarding projects

Filed under: Cybersecurity,Fuzzing,Security — Patrick Durusau @ 8:10 pm

OSS-Fuzz: Five months later, and rewarding projects

From the post:

Five months ago, we announced OSS-Fuzz, Google’s effort to help make open source software more secure and stable. Since then, our robot army has been working hard at fuzzing, processing 10 trillion test inputs a day. Thanks to the efforts of the open source community who have integrated a total of 47 projects, we’ve found over 1,000 bugs (264 of which are potential security vulnerabilities).


Notable results

OSS-Fuzz has found numerous security vulnerabilities in several critical open source projects: 10 in FreeType2, 17 in FFmpeg, 33 in LibreOffice, 8 in SQLite 3, 10 in GnuTLS, 25 in PCRE2, 9 in gRPC, and 7 in Wireshark, etc. We’ve also had at least one bug collision with another independent security researcher (CVE-2017-2801). (Some of the bugs are still view restricted so links may show smaller numbers.)

A useful way to improve the quality of software and its security. Not only that, but rewards are offered for projects that adopt the ideal integration guidelines.

The Patch Rewards program now includes rewards for integration of fuzz targets into OSS-Fuzz.
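Integration into OSS-Fuzz comes down to a fuzz target: a function named LLVMFuzzerTestOneInput that hands arbitrary bytes to the code under test and never crashes on its own account, so that any crash the sanitizers report is a real bug in the project. The block below is an added example, not code from the Google post or from any of the projects it names: the record parser is constructed for the purpose, and the FUZZING macro that hides the stand-alone main() is an assumption (libFuzzer supplies its own main when you build with -fsanitize=fuzzer).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Code under test (constructed for this example): parse a record of
 * ';'-separated "key=value" fields. Copies the first key into first_key
 * (NUL-terminated, truncated to key_cap - 1 bytes) and returns the number
 * of fields, or -1 if a field has no '='. */
int parse_record(const uint8_t *data, size_t len, char *first_key, size_t key_cap)
{
    size_t i = 0, fields = 0;
    first_key[0] = '\0';
    while (i < len) {
        size_t start = i;
        while (i < len && data[i] != '=' && data[i] != ';')
            i++;
        if (i == len || data[i] != '=')
            return -1;                       /* key without '=' */
        if (fields == 0) {
            size_t klen = i - start;
            if (klen >= key_cap)             /* bounds check: remove it and ASan reports the overflow */
                klen = key_cap - 1;
            memcpy(first_key, data + start, klen);
            first_key[klen] = '\0';
        }
        i++;                                 /* skip '=' */
        while (i < len && data[i] != ';')
            i++;                             /* value bytes are ignored */
        fields++;
        if (i < len)
            i++;                             /* skip ';' */
    }
    return (int)fields;
}

/* The fuzz target OSS-Fuzz builds and runs. libFuzzer calls it with
 * mutated inputs; it must be deterministic, must not call exit(), and
 * returns 0. Sanitizers turn any out-of-bounds access into a crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char first_key[16];
    parse_record(data, size, first_key, sizeof first_key);
    return 0;
}

/* Stand-alone driver for reading the example. FUZZING is a macro assumed
 * here: define it when building with -fsanitize=fuzzer, which supplies
 * its own main(). */
#ifndef FUZZING
int main(void)
{
    /* Constructed seed corpus, the kind committed alongside a real target. */
    const char *seeds[] = { "a=1;b=2", "", "noequals", "=empty;k=v",
                            "verylongkeyname_beyond16=1" };
    for (size_t s = 0; s < sizeof seeds / sizeof seeds[0]; s++) {
        char first_key[16];
        int n = parse_record((const uint8_t *)seeds[s], strlen(seeds[s]),
                             first_key, sizeof first_key);
        printf("%-28s fields=%d first_key=\"%s\"\n", seeds[s], n, first_key);
    }
    return 0;
}
#endif
```

Built with `clang -g -fsanitize=fuzzer,address -DFUZZING target.c`, the target runs until a sanitizer trips; compiled without those flags the same file just replays the seed corpus. Deleting the `klen >= key_cap` check is a quick way to watch ASan report the resulting stack buffer overflow, which is the kind of memory-safety finding OSS-Fuzz files against projects.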

Contributing to open source projects, here by contributing to the use of fuzzing in the development process, is a far cry from the labor market damaging “Hack the Air Force” program. The US Air Force can and does spend $millions if not $billions on insecure software and services.

Realizing it has endangered itself, but unwilling to either contract for better services and/or to hold its present contractors responsible for shabby work, the Air Force is attempting to damage the labor market for defensive cybersecurity services by soliciting free work. Or nearly so given the ratio of the prizes to Air Force spending on software.

$Millions in contributions to open source projects, not a single dime for poorly managed government IT contract results.

Zero-Day versus Tried-n-True Methods

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:38 pm

IBM shipped malware-laden USB sticks to unsuspecting customers by Chris Bing.

From the post:

Malware-laden USB sticks were accidentally sent by IBM to a series of enterprise customers that had purchased storage systems developed by the computing giant, according to a company advisory published last week.

An unidentified number of these drives were mailed as an installation tool for users setting up IBM Storewize V3700 and V5000 Gen 1 storage systems. IBM says that all of the infected USBs carried the same serial number: 01AC585.

An IBM spokesperson did not respond to CyberScoop’s inquiry. It remains unclear how the malware originally found its way onto the drives.

One upside of this story is you now know what a USB for the IBM Storewize V3700 and V5000 Gen 1 storage systems looks like.

Not that you would go out and create fake USBs for IBM Storewize V3700 and V5000 Gen 1 storage systems. Heaven forbid!

Another upside is the story acts as a reminder that you can purchase or sweat over finding a new zero-day, versus taking the simpler route of getting a victim to infect themselves.

Professional DVD duplication is cheap and widespread. Recipients are unlikely to question the receipt of a “prize” DVD.

Selecting the best DVD for a recipient is the real question. Pleading “responsible disclosure,” I have to omit details on ways to make that selection.

😉

The DVD route requires more preparation than phishing but unlike emails, due to sharing, malware DVDs are gifts that keep on giving.

How to Spot Visualization Lies

Filed under: Graphics,Statistics,Visualization — Patrick Durusau @ 4:47 pm

How to Spot Visualization Lies : Keep your eyes open by Nathan Yau.

From the post:

It used to be that we’d see a poorly made graph or a data design goof, laugh it up a bit, and then carry on. At some point though — during this past year especially — it grew more difficult to distinguish a visualization snafu from bias and deliberate misinformation.

Of course, lying with statistics has been a thing for a long time, but charts tend to spread far and wide these days. There’s a lot of them. Some don’t tell the truth. Maybe you glance at it and that’s it, but a simple message sticks and builds. Before you know it, Leonardo DiCaprio spins a top on a table and no one cares if it falls or continues to rotate.

So it’s all the more important now to quickly decide if a graph is telling the truth. This a guide to help you spot the visualization lies.

Warning: Your blind acceptance/enjoyment of news graphics may be diminished by this post. You have been warned.

Beautifully illustrated as always.

Perhaps Nathan will produce a double-sided, laminated version to keep by your TV chair. A great graduation present!

Tackling “Fake News” (So You Don’t Have To, How Nice)

Filed under: Journalism,News,Reporting — Patrick Durusau @ 4:02 pm

A Global Guide to Initiatives Tackling “Fake News” by Fergus Bell.

From the post:

Here’s a list of initiatives that hope to fix trust in journalism and tackle “fake news”.

There’s a lot.

I’ve tried to collect an extensive list of projects, initiatives and tools created to fix trust in journalism and false/fake news and misinformation. This also includes efforts and initiatives around verification. Where possible I’ve also tried to attach where the funding has come from for each initiative.

A great resource for tracking efforts with the self-appointed goal of:

Protecting you from “fake news.”

The arrogance of such efforts is almost palpable. They can recognize “fake news” but millions of benighted souls on the Internet are victims in waiting.

I have a great deal of sympathy for the efforts to teach readers how to evaluate information, the source of its reporting and consistency with other sources of information.

However, efforts like that of Google are an attempt to privilege certain narratives with an imprimatur of truth.

Skip to the “guides” section of Bell’s post and preserve your own judgment in the face of the hue and cry over “fake news.”

Guessing Valid GMail Addresses – Not A Bug (Must Be A Feature)

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:55 am

Abusing Gmail to get previously unlisted e-mail addresses

From the post:

tl;dr: I discovered a glitch that allowed me to guess, in large number, existing Google accounts addresses that could otherwise be unknown. DISCLAIMER: it’s just bruteforce that wasn’t properly rate-limited, nothing too fancy, so if you’re looking for some juicy 0day please pass along 😉
… (emphasis in original)

Cutting to the chase:


This way I was able to guess around 40,000 valid e-mail addresses per day with a stupid unoptimized PoC.
… (emphasis in original)

When advised of the issue, Google responded it’s not a security bug.
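The post’s own diagnosis is that an endpoint confirming whether an address exists was not rate-limited, so a guessing loop could run at 40,000 hits a day. The block below is an added example, not Google’s code: a per-client token bucket with the clock passed in, so the throttling can be replayed deterministically. The capacity, refill rate and client key are assumptions chosen to make the effect visible.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy values: a client may burst 20 lookups, then sustain one
 * every 10 seconds (about 8,640 per day instead of the post's 40,000). */
#define MAX_CLIENTS 64
#define BUCKET_CAPACITY 20.0
#define REFILL_PER_SEC 0.1

typedef struct {
    bool   used;
    char   id[64];     /* source key: IP, session or account, whichever is hardest to rotate */
    double tokens;
    double last_ts;
} bucket_t;

static bucket_t buckets[MAX_CLIENTS];

/* Find or create the bucket for client_id; NULL when the table is full. */
static bucket_t *bucket_for(const char *client_id, double now)
{
    bucket_t *free_slot = NULL;
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (buckets[i].used && strcmp(buckets[i].id, client_id) == 0)
            return &buckets[i];
        if (!buckets[i].used && !free_slot)
            free_slot = &buckets[i];
    }
    if (!free_slot)
        return NULL;
    free_slot->used = true;
    snprintf(free_slot->id, sizeof free_slot->id, "%s", client_id);
    free_slot->tokens = BUCKET_CAPACITY;
    free_slot->last_ts = now;
    return free_slot;
}

/* Decide whether one existence lookup from client_id may proceed at time
 * now (seconds from a monotonic clock, passed in so the logic is testable).
 * Fails closed when no bucket can be allocated. */
bool allow_lookup(const char *client_id, double now)
{
    bucket_t *b = bucket_for(client_id, now);
    if (!b)
        return false;
    if (now > b->last_ts) {
        b->tokens += (now - b->last_ts) * REFILL_PER_SEC;
        if (b->tokens > BUCKET_CAPACITY)
            b->tokens = BUCKET_CAPACITY;
        b->last_ts = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return true;
    }
    return false;
}

/* Replay a guessing loop like the post's PoC: attempts requests from one
 * client, interval seconds apart, starting at start. Returns how many got through. */
int simulate_guessing(const char *client_id, int attempts, double start, double interval)
{
    int allowed = 0;
    for (int i = 0; i < attempts; i++)
        if (allow_lookup(client_id, start + i * interval))
            allowed++;
    return allowed;
}

int main(void)
{
    int passed = simulate_guessing("poc-host", 1000, 0.0, 0.001);
    printf("1000 guesses in 1s from one client: %d allowed, %d throttled\n",
           passed, 1000 - passed);
    printf("same client an hour later: %s\n",
           allow_lookup("poc-host", 3600.0) ? "allowed" : "throttled");
    return 0;
}
```

Throttling per source only slows an attacker who cannot rotate sources; the stronger fix is to remove the oracle itself, returning the same response whether or not the address exists. Both measures are what a reviewer would expect before calling such a report “not a security bug.”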

May 7, 2017

Hijacking Fleets of PCs

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:37 pm

Intel chip vulnerability lets hackers easily hijack fleets of PCs by Zack Whittaker.

From the post:

A vulnerability in Intel chips that went undiscovered for almost a decade allows hackers to remotely gain full control over affected Windows PCs without needing a password.

The “critical”-rated bug, disclosed by Intel last week, lies in a feature of Intel’s Active Management Technology (more commonly known as just AMT), which allows IT administrators to remotely carry out maintenance and other tasks on entire fleets of computers as if they were there in person, like software updates and wiping hard drives. AMT also allows the administrator to remotely control the computer’s keyboard and mouse, even if the PC is powered off.

To make life easier, AMT was also made available through the web browser — accessible even when the remote PC is asleep — that’s protected by a password set by the admin.

The problem is that a hacker can enter a blank password and still get into the web console, according to independent technical rundowns of the flaw by two security research labs.

Embedi researchers, credited with finding the bug, explained in a whitepaper posted Friday that a flaw in how the default “admin” account for the web interface processes the user’s passwords effectively lets anyone log in by entering nothing at the log-on prompt.

Opportunity to stretch your technical chops as fixes are due to roll out May 8th and thereafter.
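The published analyses of the flaw, Embedi’s whitepaper among them, traced the blank-password login to one comparison: the firmware checked the client’s HTTP Digest response against the value it had computed itself, but compared only as many bytes as the client had sent, so an empty response matched. The pair below is an added reconstruction of that bug class beside a hardened check; it is example code, not Intel’s firmware or Embedi’s proof of concept, and the digest string is a constructed stand-in.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The flawed pattern: compare the server-computed digest response against
 * the client's, but only for as many bytes as the CLIENT sent. An empty
 * response compares zero bytes and "matches"; so does any correct prefix,
 * which also lets the full value be brute-forced one hex digit at a time. */
bool response_matches_vulnerable(const char *computed, const char *supplied)
{
    return strncmp(computed, supplied, strlen(supplied)) == 0;
}

/* Hardened check: the length comes from the server-side value, the lengths
 * must be equal, and every byte is compared without an early exit so the
 * time taken does not leak how far the match got. */
bool response_matches_fixed(const char *computed, const char *supplied)
{
    size_t n = strlen(computed);
    if (strlen(supplied) != n)
        return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(computed[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed stand-in for the 32-hex-digit response a Digest client sends. */
    const char *computed = "5f4dcc3b5aa765d61d8327deb882cf99";
    const char *attempts[] = { "", "5f4d",
                               "5f4dcc3b5aa765d61d8327deb882cf99",
                               "00000000000000000000000000000000" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("response=\"%s\": vulnerable=%d fixed=%d\n", attempts[i],
               response_matches_vulnerable(computed, attempts[i]),
               response_matches_fixed(computed, attempts[i]));
    return 0;
}
```

The general lesson is that the length argument of any comparison of a secret must never come from the untrusted side. Grepping a code base for strncmp or memcmp calls whose length is derived from request data is a cheap audit that would have found this one.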

Of course, as Verizon posted last week:

81% of hacking-related breaches leveraged either stolen and/or weak passwords. (page 3)

Decade old hardware bugs grab headlines but human fails are the bread and butter of cybersecurity.

The New York Times — Glory Days

Filed under: Journalism,News,Reporting — Patrick Durusau @ 4:48 pm

Hell hath no fury like The New York Times scorned by Hollywood by Thomas Vinciguerra.

From the post:

GOD, IT’S BEEN SAID, makes a lousy playwright. As far as an upcoming film that spotlights the Pentagon Papers is concerned, though, The New York Times is seething not at the Almighty but at the producers.

In March it was announced that Steven Spielberg would direct The Post, which offers as its backdrop the dramatic story of how the press exposed the federal government’s infamous secret history of the Vietnam War. Liz Hannah, who studied at the American Film Institute, sold her spec script to former Sony co-chair Amy Pascal’s production company last fall. Meryl Streep and Tom Hanks, Variety reported, are “attached to star” as Washington Post publisher Katharine Graham and executive editor Ben Bradlee.

But it was The New York Times—not the Washington Post—that broke the Pentagon Papers story. It is the Times whose name is on the landmark 1971 Supreme Court case that affirmed the right to publish the classified documents. And it was the Times that won the 1972 Pulitzer Prize for meritorious public service for its labors.

Nonetheless, as its title implies, the Spielberg project emphasizes the ancillary role of the Post. Not unexpectedly, Times people from back in the day are incensed.
… (emphasis in original)

Any mention of The New York Times and the Pentagon Papers brings Glory Days by Bruce Springsteen, E Street Band to mind:

I had a friend was a big baseball player
Back in high school
He could throw that speedball by you
Make you look like a fool boy
Saw him the other night at this roadside bar
I was walking in, he was walking out
We went back inside sat down had a few drinks
But all he kept talking about was

Glory days, well, they’ll pass you by
Glory days, in the wink of a young girl’s eye
Glory days, glory days

Well there’s a girl that lives up the block
Back in school she could turn all the boy’s heads
Sometimes on a Friday I’ll stop by
And have a few drinks after she put her kids to bed
Her and her husband Bobby well they split up
I guess it’s two years gone by now
We just sit around talking about the old times,
She says when she feels like crying
She starts laughing thinking about

Glory days, well, they’ll pass you by
Glory days, in the wink of a young girl’s eye
Glory days, glory days

To be sure, The New York Times (NYT) broke the story and fought for the right to publish all the way to the Supreme Court, but what has the NYT done for you or journalism lately?

The NYT, along with others, did publish the Afghan War Diaries, although sanitized as described by Bill Keller:


We used that month to study the material, try to assess its value and credibility, weigh it against our own reporters’ experience of the war and against other sources, and then tell our readers what it all meant. In doing so, we took great care both to put the information in context and to excise anything that would put lives at risk or jeopardize ongoing military missions.

What does that mean in practice? Obviously we did not disclose the names of Afghans, except for public officials, who have cooperated with the war effort, either in our articles or in the selection of documents we posted on our own Web site. We did not disclose anything that would compromise intelligence-gathering methods. We erred, if at all, on the side of prudence. For example, when a document reported that a certain aircraft left a certain place at a certain time and arrived at another place at a certain time, we omitted those details on the off chance that an enemy could gain some small tactical advantage by knowing the response time of military aircraft.

The administration, while strongly condemning WikiLeaks for making these documents public, did not suggest that The Times should not write about them. On the contrary, in our discussions prior to the publication of our articles, White House officials, while challenging some of the conclusions we drew from the material, thanked us for handling the documents with care, and asked us to urge WikiLeaks to withhold information that could cost lives. We did pass along that message.

Journalists have a role in supporting “…ongoing military missions[?]”

Pointers to any school of journalism that teaches that role? (Thanks!)

Worse, Keller describes the NYT consulting with and acting as a surrogate for the US government in urging Wikileaks to withhold information.

Isn’t withholding information contrary to creating an informed public?

Crowd-funding opportunity: Francis Ford Coppola directs: From Government Watchdog to Mouthpiece – The New York Times

May 6, 2017

Introduction: The New Face of Censorship

Filed under: Censorship,Free Speech,Journalism,News,NSA,Reporting — Patrick Durusau @ 8:41 pm

Introduction: The New Face of Censorship by Joel Simon.

From the post:

In the days when news was printed on paper, censorship was a crude practice involving government officials with black pens, the seizure of printing presses and raids on newsrooms. The complexity and centralization of broadcasting also made radio and television vulnerable to censorship even when the governments didn’t exercise direct control of the airwaves. After all, frequencies can be withheld; equipment can be confiscated; media owners can be pressured.

New information technologies–the global, interconnected internet; ubiquitous social media platforms; smart phones with cameras–were supposed to make censorship obsolete. Instead, they have just made it more complicated.

Does anyone still believe the utopian mantras that information wants to be free and the internet is impossible to censor or control?

The fact is that while we are awash in information, there are tremendous gaps in our knowledge of the world. The gaps are growing as violent attacks against the media spike, as governments develop new systems of information control, and as the technology that allows information to circulate is co-opted and used to stifle free expression.

The work of Joel Simon and the Committee to Protect Journalists is invaluable. The challenges, dangers and hazards for journalists around the world are constant and unrelenting.

I have no doubt about Simon’s account of suppression of journalists. His essay is a must read for everyone who opposes censorship, at least in its obvious forms.

A more subtle form of censorship is practiced in the United States, self-censorship.

How many stories on this theme have you read in the last couple of weeks? U.S. spy agency abandons controversial surveillance technique

Now, how many of those same stories mentioned that the NSA has a long and storied history of lying to the American public, presidents and congress?

By my count, which wasn’t exhaustive, the total is 0.

Instead of challenging this absurd account, Reuters reports the NSA’s version as though it were true and fails to remind the public it is relying on a habitual liar.

Show of hands, how many readers think the Reuters staff forgot that the NSA is a hotbed of liars and cheats?

There is little cause for government censorship of US media outlets. They censor themselves before the government can even ask.

Support the Committee to Protect Journalists and perhaps their support of journalists facing real censorship will shame US media into growing a spine.

May 5, 2017

Archive.org (Internet Archive) Security Warning!

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:59 pm

Just in case you forgot, every packet of Internet traffic can disclose your identity.

From Twitter today:

I have no idea if this was the actual Macron leaker or an account being used to mask their true identity.

But, it’s worth a quick heads up to say:

Presume every packet from your computer is being captured (not necessarily read if encrypted) somewhere by someone.

Plan accordingly.

3,000 New Censorship Jobs At Facebook

Filed under: Censorship,Facebook,Free Speech — Patrick Durusau @ 8:46 pm

Quick qualification test for censorship jobs at Facebook:

  • Are you more moral than most people?
  • Are you more religious than most people?
  • Are you more sensitive than most people?
  • Do you want to suppress “harmful” content?
  • Do you enjoy protecting people who are easily misled (unlike you)?
  • Do you support the United States, its agencies, offices and allies?
  • Do you recognize Goldman Sachs, Chase and all other NYSE listed companies as people with rights?

If you answered one or more of these questions with “yes,” congratulations! You have passed a pre-qualification test for one of the 3,000 new censorship positions for Facebook.

(Disclaimer: It is not known if Facebook will recognize this pre-qualification test and may have other tests or questions for actual applicants.)

For further details, see: Will Facebook actually hire 3,000 content moderators, or will they outsource? by Annalee Newitz.

Censorship is the question. The answer is no.

Verizon’s Hacking Retrospective For 2016 (2017 Report)

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:07 pm

Instead of running afoul of “It’s hard to make predictions, especially about the future,” Verizon is looking backwards at hacking in 2016.

The full report runs over seventy pages of hacker success stories but if you lack the time or stomach to read it in full, consider Kelly Sweeney’s Verizon 2017 Data Breach Investigation Report Released, which reads in part:

We follow the Verizon Data Breach Investigation Report each year. It just hit the news stand and as always, is full of insights.

The report collected data from 65 organizations in 84 countries, including 42,068 cybersecurity incidents and 1,935 data breaches.

The major themes of the report are:

  • No one thinks it’s going to be them. Until it is.
  • Organizations think they’ve got the basics covered.
  • People are also still failing to set strong passwords.
  • People rely on how they’ve always done things.

The conclusion is that all organizations and industries are at risk of cyber-attacks, and 61 percent of the data breaches experienced by those responding were companies with less than 1,000 employees.

You should not be asking why there is so much cybercrime, but rather, why isn’t there more?

My unscientific explanation is the number of potential targets outnumbers hackers by two or more orders of magnitude.

Yours?

Hacking Not Limited To Rocket/CS Scientists

Filed under: Cybersecurity,Security — Patrick Durusau @ 5:42 pm

Want to be a successful hacker but you’re not a rocket/CS scientist? There’s hope!

Lucian Constantin writes in Cyberspies tap free tools to make powerful malware framework:

Over the past year, a group of attackers has managed to infect hundreds of computers belonging to government agencies with a malware framework stitched together from JavaScript code and publicly available tools.

The attack, analyzed by researchers from antivirus firm Bitdefender, shows that cyberespionage groups don’t necessarily need to invest a lot of money in developing unique and powerful malware programs to achieve their goals. In fact, the use of publicly available tools designed for system administration can increase an attack’s efficiency and makes it harder for security vendors to detect it and link it to a particular threat actor.

The Bitdefender researchers have dubbed the newly discovered attack group Netrepser and traced back some of its attack campaigns to May 2016. The group is still active, but to Bitdefender’s knowledge its attacks have never been publicly documented before, which might be in part because its campaigns are highly targeted.

Some tools were developed at public expense (read CIA) and have gained wider usage.

You may not be Stephen Hawking but the effort you are willing to invest determines your success as a hacker.

The question to ask yourself: What am I going to learn today?

May 4, 2017

Congressional Fact Laundering

Filed under: Government,Marketing — Patrick Durusau @ 4:52 pm

How a Fake Cyber Statistic Raced Through Washington by Joseph Marks.

The statistic you are about to read is false:


The statistic, typically attributed to the National Cyber Security Alliance, is that 60 percent of small businesses that suffer a cyberattack will go out of business within six months.

It appears in a House bill that won unanimous support from that chamber’s Science Committee this week, cited as evidence the federal government must devote more resources to helping small businesses shore up their cybersecurity. It’s also in a companion Senate bill that sailed through the Commerce Committee in April.

Both bills require the government’s cyber standards agency, the National Institute of Standards and Technology, to devote more of its limited resources to creating cybersecurity guidance for small businesses.

Federal Trade Commissioner Maureen Ohlhausen cited the figure in testimony before the House Small Business Committee in March, as did Charles Romine, director of NIST’s Information Technology Laboratory.

Sen. Jeanne Shaheen, D-N.H., ranking member on the Senate Small Business Committee, cited the figure in a letter to Amazon asking the internet commerce giant what it was doing to improve cybersecurity for its third-party sellers.

Reminder: The 60 percent of small businesses that suffer a cyberattack will go out of business within six months statement is FALSE.

The bulk of the article is an amusing romp through various parties attempting to deny they were the source of the false information and/or that the presence of false information had any impact on the legislation.

The second part, that false information had no impact on the legislation, seems plausible to me. Legislation rarely has any relationship to information, true or false, so I can understand why false information doesn’t trouble those cited.

Congressional hearing documents could simply repeat the standard Lorem Ipsum:

“Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.”

It has as much of a relationship to any legislation Congress passes as the carefully published committee hearings.

There is an upside to Joseph’s story:


The size and expertise of congressional staffs who write and vet legislation have also steadily diminished over time as have the staffs of congressional services such as the Government Accountability Office and the Congressional Research Service designed to provide Congress with authoritative data.

“Basically, [congressional staffers] have less expertise available to them, are more reliant on what other people tell them and it’s much easier for erroneous information to get into the political system,” said Daniel Schuman, a former House and Senate staffer who also worked for the Congressional Research Service and is now policy director for Demand Progress, a left-leaning internet rights and open government organization.

It’s what I call “fact laundering.” It’s like money laundering but legal.

You load your member of Congress up with fake facts, which they cite (without naming you), which are spread by other people (with no checking), cited by other members of congress and agencies, and in just weeks, you have gone from a false fact to a congressional fact.

An added bonus, even when denied, a congressional fact can become stronger.

Facts on demand as it were.

What’s Your Best Star Wars Line?

Filed under: Journalism,News,Reporting — Patrick Durusau @ 3:19 pm

Ben Child has gathered the forty (40) best lines from the Star Wars saga in: May the 4th be with you: the 40 best lines from the Star Wars saga.

No spoilers here!

Read Ben’s post and support the Guardian while you are there.

Seriously, do support the Guardian. They’re a bit conservative for my tastes but still worthy of support.

Addictive Technology (And the Problem Is?)

Filed under: Advertising,Ethics,Marketing — Patrick Durusau @ 3:08 pm

Tech Companies are Addicting People! But Should They Stop? by Nir Eyal.

From the post:

To understand technology addiction (or any addiction for that matter) you need to understand the Q-tip. Perhaps you’ve never noticed there’s a scary warning on every box of cotton swabs that reads, “CAUTION: Do not enter ear canal…Entering the ear canal could cause injury.” How is it that the one thing most people do with Q-tips is the thing manufacturers explicitly warn them not to do?

“A day doesn’t go by that I don’t see people come in with Q-tip-related injuries,” laments Jennifer Derebery, an inner ear specialist in Los Angeles and the past president of the American Academy of Otolaryngology. “I tell my husband we ought to buy stock in the Q-tips company; it supports my practice.” It’s not just that people do damage to their ears with Q-tips, it’s that they keep doing damage. Some even call it an addiction.

On one online forum, a user asks, “Anyone else addicted to cleaning their ears with Q-tips?…I swear to God if I go more than a week without sticking Q-tips in my ears, I go nuts. It’s just so damn addicting…” Elsewhere, another ear-canal enterer also associates ear swabbing with dependency: “How can I detox from my Q-tips addiction?” The phenomenon is so well known that MADtv based a classic sketch on a daughter having to hide Q-tip use from her parents like a junkie.

Q-tip addiction shares something in common with other, more prevalent addictions like gambling, heroin, and even Facebook use. Understanding what I call, the Q-tip Effect, raises important questions about products we use every day, and the responsibilities their makers have in relation to the welfare of their users.
… (emphasis in original)

It’s a great post on addiction (read the definition), technology, etc., but Nir loses me here:


However, there’s a difference between accepting the unavoidable edge cases among unknown users and knowingly promoting the Q-tip Effect. When it comes to companies that know exactly who’s using, how, and how much, much more can be done. To do the right thing by their customers, companies have an obligation to help when they know someone wants to stop, but can’t. Silicon Valley technology companies are particularly negligent by this ethical measure.

The only basis for this “…obligation to help when they know someone wants to stop, but can’t” appears to be Nir’s personal opinion.

That’s ok and he is certainly entitled to it, but Nir hasn’t offered to pay the cost of meeting his projected ethical obligation.

People enjoy projecting ethical obligations on others, from the anti-abortion, anti-birth control, anti-drugs, etc.

Imposing moral obligations that others pay for is more popular in the U.S. than adultery. I don’t have any hard numbers on that last point. Let’s say imposing moral obligations paid for by others is wildly popular and leave it at that.

If I had a highly addictive (in Nir’s sense) app, I would be using the profits to rent backhoes for anyone who needed one along the DAPL pipeline. No questions asked.

It’s an absolute necessity to raise ethical questions about technology and society in general.

But my first question is always: Who pays the cost of your ethical concern?

If it’s not you, that says a lot to me about your concern.

Sheriff’s Capt. Jason Gearman Signals DAPL Opponents

Filed under: #DAPL,Government — Patrick Durusau @ 2:08 pm

Sheriff’s Capt. Jason Gearman adopted one of my suggestions from Protecting DAPL From Breaches (Maps and Hunting Safety) and has signaled to DAPL opponents that law enforcement patrols are increasing in Buena Vista County, Iowa and Minnehaha County, South Dakota.

Express your appreciation to Capt. Jason Gearman for keeping DAPL opponents and sheriff’s deputies safely apart. Not all law enforcement personnel are pipeline stooges.

For more details see: New Vandalism on DAPL.

Text Mining For Lawyers (The 55% Google Weaned Lawyers Are Missing)

Filed under: eDiscovery,Law,Searching,Text Mining — Patrick Durusau @ 1:52 pm

Working the Mines: How Text Mining Can Help Create Value for Lawyers by Rees Morrison, Juris Datoris, Legaltech News.

From the post:

To most lawyers, text mining may sound like a magic wand or more hype regarding “artificial intelligence.” In fact, with the right input, text mining is a well-grounded genre of software that can find patterns and insights from large amounts of written material. So, if your law firm or law department has a sizable amount of text from various sources, it can extract value from that collection through powerful software tools.

To help lawyers recognize the potential of text mining and demystify it, this article digs through typical steps of a project. Terms of art related to this domain of software are in bold and, yes, there will be a quiz at the end.

Our example project assumes that your law firm (or law department) has gathered a raft of written comments through an internal survey of lawyers or from clients who have typed their views in a client satisfaction survey (perhaps in response to an open-ended question like “In what ways could we improve?”). All that writing is grist for the mill of text mining!

Great overview of the benefits and complexities of text mining!

I was recently assured by a Google weaned lawyer that natural language searching enabled him and his friends to do a few quick searches to find relevant authorities.

I could not help but point out my review of Blair and Maron’s work that demonstrated while attorneys estimated they recovered 75% of relevant documents, in fact they recovered barely 20%.

No solution returns 100% of the relevant documents for any non-trivial dataset, but leaving 55% on the floor doesn’t inspire confidence.

Especially when searchers count any relevant result as success. Whether it was depends on how many relevant authorities existed and whether any were closer to your facts than those found, among other things.

Is a relevant result your test for research success, or the best relevant research result, with a measure of confidence in its quality?

May 3, 2017

Interactive Data Visualization (D3, 2nd Ed) / Who Sank My Battleship?

Filed under: D3,Graphics,Visualization — Patrick Durusau @ 4:24 pm

Interactive Data Visualization for the Web, 2nd Edition: An Introduction to Designing with D3 by Scott Murray.

From the webpage:

Interactive Data Visualization for the Web addresses people interested in data visualization but new to programming or web development, giving them what they need to get started creating and publishing their own data visualization projects on the web. The recent explosion of interest in visualization and publicly available data sources has created need for making these skills accessible at an introductory level. The second edition includes greatly expanded geomapping coverage, more real-world examples, a chapter on how to put together all the pieces, and an appendix of case studies, in addition to other improvements.

It’s pre-order time!

Estimated to appear in August of 2017 at $49.99.

This shipping map, created by Kiln, based on data from the UCL Energy Institute, should inspire you to try D3.

The Interactive version, using 2012 data, illustrates the ability to select types of shipping:

  • Container
  • Dry Bulk
  • Gas Bulk
  • Tanker
  • Vehicles

with locations, port information and a variety of other information.

All of which reminds me of the Who Sank My Battleship? episode with Gen. Paul Van Riper (ret.), who during war games, used pleasure craft and highly original tactics to sink the vast majority of the opposing American fleet. So much so that the American fleet had to be “refloated” to continue the games with any chance of winning. War game was fixed to ensure American victory, claims general.

Given the effectiveness Gen. Van Riper’s tactics had on military vessels, you can imagine how unarmored civilian shipping would fare. You don’t need a self-immolating F-35 or a nuclear sub to damage civilian shipping.

What you need is shipping broken down into targeting categories with their locations (see https://www.shipmap.org/), one or more pleasure craft stuffed with explosives and some rudimentary planning.
For the details of what I call the Who Sank My Battleship? episode, the official report, U.S. Joint Forces Command Millennium Challenge 2002: Experiment Report, runs some 752 pages.

Hacker Wish Book 2017 (Who Got Left Out?)

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:46 pm

Symantec continues the Sears Wish Book tradition for hackers with the 2017 Internet Security Threat Report (Symantec, ISTR 22).

Like the original, the Hacker Wish Book 2017 has:

Flashy graphics:

(Did you make the top ten?)

Exciting textual tidbits:

Our data found that 76 percent of websites scanned contained vulnerabilities—the same percentage as 2014 and just two percent less than the 2015 figure. (at page 33)

Holiday tips (best practices):

  • Targeted attacks: Espionage, subversion, & sabotage (page 22)
  • Email: Malware, spam, & phishing (page 31)
  • Web attacks, toolkits, & exploiting vulnerabilities online (page 36)
  • Cyber crime & the underground economy (page 54)
  • Ransomware: Extorting businesses & consumers (page 62)
  • New frontiers: Internet of Things, mobile, & cloud threats (page 67)
  • Mobile (page 72)
  • Cloud (page 74)

Who Was Left Out?

Before you print a full-color copy of 2017 Internet Security Threat Report (Symantec, ISTR 22) for your “reading” room, ask who was left out?

Hackers are covered by the list of schemes, devices and strategies. Managers are interested in comparative statistics, “see, almost everybody else gets hacked too.” Hmmmm, but a class of people are missing.

Here’s a hint: Use the search function to look for salary (0 hits), hiring (0 hits), training (0 hits), compensation (0 hits).

The cyberdefense community gets no joy from the Hacker Wish Book 2017.

Not one mention of the need to pay competitive compensation for cyberdefense employees (not part-time contractors) with benefits and working conditions suitable for that community.

We have all seen legislatures flail about on cybercrime (CFAA). Not to mention management’s foolish belief that urging present staff “to do better” is a solution to cyber-insecurity (the best practices mentioned above).

If you credit the Symantec report at all, how would you grade both of those strategies?

If your answer is anything other than “F,” contact me as I have the deed to bridges in New York City. (Apologies to other readers, it’s hard to resist clipping business types with more money than judgment.)

Anyone interested in improved cybersecurity needs to invest in cybersecurity. Including full-time staff and resources.

When I say “full-time” staff, I mean just that. Not sysadmin, DBA, webmaster, and cybersecurity all rolled into one position. Any one of those, with further sub-specialization as necessary, is a full-time job. (Just because you don’t understand a task doesn’t make it easy.)

Of course you can have your data breach figure in the Hacker Wish Book 2018. Or be the first in your industry to get tagged with punitive damages for a data breach. That’s going to happen. The question is: Will it be you?

Your call.

May 2, 2017

The Marshall Index: A Guide to Negro Periodical Literature, 1940-1948

Filed under: Black Literature,Books,Library,Literature — Patrick Durusau @ 7:30 pm

The Marshall Index: A Guide to Negro Periodical Literature, 1940-1948 by Albert P. Marshall, revised edition, Danky and Newman, 2002. Posted by ProQuest as a guide to their literature collections.

From the introduction:


For researchers today, one of the rewarding aspects of Marshall’s Guide, and an important one, is the number of obscure, little-collected, and discontinued African-American serials that he includes. Who today is familiar, for example, with Pulse, Service, New Vistas, Negro Traveler, Informer, Whetstone, Sphinx, Ivy Leaf, or Oracle? Until the large and comprehensive bibliography of black periodicals collected and edited by James P. Danky and Maureen Hady of the State Historical Society of Wisconsin and published by Harvard University Press is widely disseminated, few will even know the existence of many of these rare sources.

Superseded in some sense by African American Newspapers and Periodicals: A National Bibliography by James P. Danky, but only in a sense.

The Marshall Index will always remain the first index of Black periodical literature and reflect the choices and judgments of its author.

Pass this along to your librarian friends and anyone interested in Black literature.

One For The Hounds – C & C Servers

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:34 pm

New Shodan Tool Can Find Malware Command and Control (C&C) Servers by Catalin Cimpanu.

From the post:

Shodan and Recorded Future have launched today a search engine for discovering malware command-and-control (C&C) servers. Named Malware Hunter, this new tool is integrated into Shodan, a search engine for discovering Internet-connected devices.

Malware Hunter works via search bots that crawl the Internet looking for computers configured to function as a botnet C&C server.

In order to trick a C&C server into revealing its location, the search bot uses various predefined requests to pretend to be an infected computer that’s reporting back to the C&C server. If the scanned computer responds, Malware Hunter logs the IP and makes it available via the Shodan interface.

Take this news as encouragement to step up your game.

On the upside, perhaps Malware Hunter or some successor will “out” government spy malware.
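The practical value of a C&C search engine for a defender is the address list it produces: once you have flagged addresses, the check worth running is whether any internal host has been talking to them. The block below is an added example, not code from Shodan, Recorded Future or this post. It assumes a hypothetical key=value egress firewall log format, and both the indicator list and the log lines are constructed (the addresses are RFC 5737 documentation ranges, not real C&C servers). Indicators may be single addresses or CIDR ranges, lines that do not parse are skipped rather than crashing the run, and the result is collapsed to the internal hosts that need investigating.

```python
import ipaddress
import re

# Constructed indicator list (RFC 5737 documentation addresses, not real C&C servers).
# In practice this would be exported from a feed such as the one described above.
CNC_INDICATORS = [
    "203.0.113.0/24",   # a flagged hosting range (constructed)
    "198.51.100.42",    # a single flagged host (constructed)
]

# Constructed egress firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2017-05-02T10:01:05Z src=10.0.0.15 dst=198.51.100.42 dport=443 action=allow
2017-05-02T10:01:09Z src=10.0.0.15 dst=93.184.216.34 dport=80 action=allow
2017-05-02T10:02:11Z src=10.0.0.22 dst=203.0.113.77 dport=8080 action=allow
garbage line that does not parse
2017-05-02T10:03:00Z src=10.0.0.15 dst=198.51.100.42 dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def load_indicators(entries):
    """Parse indicator strings into networks; a bare address becomes a /32 (or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        # Malformed address: treat the line as unparseable rather than aborting.
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_cnc_contacts(log_text, indicators):
    """Return every parsed log record whose destination falls inside a flagged network."""
    nets = load_indicators(indicators)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for net in nets:
            # Address families must match for the containment test to be meaningful.
            if rec["dst"].version == net.version and rec["dst"] in net:
                rec["matched"] = str(net)
                hits.append(rec)
                break
    return hits


def hosts_to_investigate(hits):
    """Collapse hits to internal source -> sorted distinct flagged destinations."""
    by_src = {}
    for rec in hits:
        by_src.setdefault(str(rec["src"]), set()).add(str(rec["dst"]))
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    contacts = find_cnc_contacts(SAMPLE_LOG, CNC_INDICATORS)
    for src, dsts in hosts_to_investigate(contacts).items():
        print(f"{src} contacted flagged address(es): {', '.join(dsts)}")
```

Run against the constructed log, two internal hosts surface: 10.0.0.15 (twice, to the single flagged host) and 10.0.0.22 (once, into the flagged range). Matching on the CIDR rather than the exact address is what catches the second one; a feed that lists only the addresses it has seen so far will miss siblings in the same range, so keeping range indicators alongside host indicators is a deliberate choice.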

EU Censorship Emboldens Torpid UK Parliament Members

Filed under: Censorship,Free Speech,Government — Patrick Durusau @ 3:24 pm

Social media companies “shamefully far” from tackling illegal and dangerous content

From the webpage:

The Home Affairs Committee has strongly criticised social media companies for failing to take down and take sufficiently seriously illegal content – saying they are “shamefully far” from taking sufficient action to tackle hate and dangerous content on their sites.

The Committee recommends the Government should assess whether failure to remove illegal material is in itself a crime and, if not, how the law should be strengthened. They recommend that the Government also consult on a system of escalating sanctions to include meaningful fines for social media companies which fail to remove illegal content within a strict timeframe.
… (emphasis in original)

I can only guess the recent EU censorship spasm, EU’s Unfunded Hear/See No Evil Policy, has made the UK parliament bold. Or at least bolder than usual.

What leaves me puzzled, though, is that “hate crimes” are by definition crimes. Yes? And the UK even has laws against hate crimes, police officials to enforce those laws, courts in which to try those suspected of hate crimes and prisons in the event they are convicted. Yes?

If all that’s true, then for social media, really media in general, you need only one rule:

If what you see, hear and/or read disturbs you, look, listen and/or read something else.

It’s really that simple. No costs to social media companies, no extra personnel to second guess what some number of UK parliament members find to be “hate and dangerous content,” no steady decay of the right to speak without government pre-approval, etc.

As far as what other people prefer to see, hear and/or read, well, that’s really none of your business.

Practical Suggestions For Improving Transparency

Filed under: Government,Journalism,Leaks,News,Reporting — Patrick Durusau @ 2:50 pm

A crowd wail about Presidents Obama, Trump, opacity, lack of transparency, loss of democracy, freedom of the press, the imminent death of civilization, etc., isn’t going to improve transparency.

I have two practical suggestions for improving transparency.

First suggestion: Always re-post, tweet, share stories with links to leaked materials. If the story you read doesn’t have such a link, seek out one that does to re-post, tweet, share.

Some stories of leaks include a URL to the leaked material, like Hacker leaks Orange is the New Black new season after ransom demands ignored by Sean Gallagher, or NSA-leaking Shadow Brokers just dumped its most damaging release yet by Dan Goodin, both of Ars Technica.

Some stories of the same leaks do not include a URL to the leaked material: The Netflix ‘Orange is the New Black’ Leak Shows TV Piracy Is So 2012 (which does have the best strategy for fighting piracy I have ever read) or Shadow Brokers leak trove of NSA hacking tools.

Second suggestion: If you encounter leaked materials, post, tweet and share them as widely as possible. (Translations are always needed.)

Improving transparency requires only internet access and the initiative to do so.

Are you game?

May 1, 2017

Airport WiFi Passwords Map (Frequent Face?)

Filed under: Cybersecurity,Security — Patrick Durusau @ 4:41 pm

A Map Of Wireless Passwords From Airports And Lounges Around The World (Updated Regularly) by Anil Polat.

From the post:

Finding an open wireless connection in many airports isn’t always easy, or possible, without a password (or local phone number which is stupid). The difficulty of getting online is why I asked you for and created an always-up-to-date list of airport wireless passwords around the world. You’ve been sending me your tips regularly and I post on the foXnoMad Facebook page when there’s a new password or airport added.

Recently, reader Zach made a great suggestion that will make it easier for you to search, add, and keep up with this airport wireless password list.
….

I applaud Polat taking the initiative and investing the effort to make this wonderful resource available. Certainly a benefit to travelers who are quite casual about WiFi security.

I say “travelers who are quite casual about WiFi security” because any false WiFi hotspot is going to set the same password as the pay-to-play airport WiFi.

Being charged for a service is no guarantee of non-abuse. Any cable subscriber knows that already.

The password list makes airports sound like great hacking locations. Free WiFi, cheap food, easy targets, but, not such a great spot after all.

Presume all faces are scanned at airports, processed and stored. Becoming a “frequent face (FF)” doesn’t carry the same benefits as “frequent flyer.” You have been warned.
