Another Word For It: Patrick Durusau on Topic Maps and Semantic Diversity

November 26, 2018

Big Brother’s Machine Learning Courses (free) [Fire Prediction As Weapon]

Filed under: Machine Learning — Patrick Durusau @ 11:49 am

Amazon’s own ‘Machine Learning University’ now available to all developers by Dr. Matt Wood.

From the post:

Today, I’m excited to share that, for the first time, the same machine learning courses used to train engineers at Amazon are now available to all developers through AWS.

We’ve been using machine learning across Amazon for more than 20 years. With thousands of engineers focused on machine learning across the company, there are very few Amazon retail pages, products, fulfillment technologies, stores which haven’t been improved through the use of machine learning in one way or another. Many AWS customers share this enthusiasm, and our mission has been to take machine learning from something which had previously been only available to the largest, most well-funded technology companies, and put it in the hands of every developer. Thanks to services such as Amazon SageMaker, Amazon Rekognition, Amazon Comprehend, Amazon Transcribe, Amazon Polly, Amazon Translate, and Amazon Lex, tens of thousands of developers are already on their way to building more intelligent applications through machine learning.

Regardless of where they are in their machine learning journey, one question I hear frequently from customers is: “how can we accelerate the growth of machine learning skills in our teams?” These courses, available as part of a new AWS Training and Certification Machine Learning offering, are now part of my answer.

There are more than 30 self-service, self-paced digital courses with more than 45 hours of courses, videos, and labs for four key groups: developers, data scientists, data platform engineers, and business professionals. Each course starts with the fundamentals, and builds on those through real-world examples and labs, allowing developers to explore machine learning through some fun problems we have had to solve at Amazon. These include predicting gift wrapping eligibility, optimizing delivery routes, or predicting entertainment award nominations using data from IMDb (an Amazon subsidiary). Coursework helps consolidate best practices, and demonstrates how to get started on a range of AWS machine learning services, including Amazon SageMaker, AWS DeepLens, Amazon Rekognition, Amazon Lex, Amazon Polly, and Amazon Comprehend.

Machine learning from one of our digital big brothers at any rate.

The classes are tuned to the capabilities and features of AWS machine learning services but that’s a feature and not a bug.

AWS machine learning services are essential for anyone who doesn’t have the on-call capabilities of the CIA or NSA. Even with AWS, you won’t match the sheer capacity of government computing environments, but you have one thing they don’t: your insight into a problem set.

Put differently: with enough insight, and the funds to pay for AWS services, you can be competitive with government agencies.

Wood continues:

To help developers demonstrate their knowledge (and to help employers hire more efficiently), we are also announcing the new “AWS Certified Machine Learning – Specialty” certification. Customers can take the exam now (and at half price for a limited time). Customers at re:Invent can sit for the exam this week at our Training and Certification exam sessions.

The digital courses are now available at no charge at aws.training/machinelearning and you only pay for the services you use in labs and exams during your training.

Fire is a weapon rarely exploited well by counter-government forces. Consider the use of AWS machine learning services to resolve the trade-off between the areas most likely to burn and those where a burn would be the most damaging (by some criteria). Climate change presents opportunities for unconventional insurgent techniques. Will you be ready to recognize and/or seize them?

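To make that trade-off concrete: once you have, for each area, an estimated probability of burning and some damage score, the ranking is just expected-loss arithmetic. A minimal sketch with invented numbers (no AWS service involved; the scores are placeholders for whatever models you train):

    # Rank areas by expected damage = P(burn) * damage score.
    # All numbers are invented for illustration.
    areas = {
        "area_a": {"p_burn": 0.70, "damage": 2.0},   # likely to burn, low impact
        "area_b": {"p_burn": 0.20, "damage": 9.5},   # unlikely to burn, high impact
        "area_c": {"p_burn": 0.55, "damage": 6.0},
    }

    ranked = sorted(
        areas.items(),
        key=lambda kv: kv[1]["p_burn"] * kv[1]["damage"],
        reverse=True,
    )

    for name, scores in ranked:
        expected = scores["p_burn"] * scores["damage"]
        print(f"{name}: expected damage {expected:.2f}")
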
November 22, 2018

(90+) Best Hacking eBooks [Suggest benchmarks for “best?”]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 11:25 am

Hacking eBooks Free Download 2018 – (90+) Best Hacking eBooks by Mukesh Bhardwaj.

From the post:

Here are a top and a long list of Best Hacking eBooks released in 2018. I pick these PDF best hacking eBooks from top sources with latest hacking articles inside these eBooks. These download links are spam free and ads free. However, you will also get all hacking guides as well. We Give You Best Ads Free Download Links. (emphasis in original)

This listing dates from January 4, 2018, so as of November 22, 2018, it’s due for an update.

The items I have examined look useful, but it’s not clear what criteria were used for “best.”

Do you have a suggestion for general or more specific hacking resources to use as benchmarks for best?

Top 20 Hacker Holiday Gifts of 2018

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:55 am

Top 20 Hacker Holiday Gifts of 2018

From the post:

For the uninitiated, it can be difficult to buy that special hacker in your life a perfect holiday gift. That’s why we’ve taken out the guesswork and curated a list of the top 20 most popular items our readers are buying. Whether you’re buying a gift for a friend or have been dying to share this list with someone shopping for you, we’ve got you covered with our 2018 selection of hacker holiday gifts.

For more ideas, make sure to check out our holiday hacker gift guide from last year, as well as Distortion’s excellent post for gear every hacker should try out. As for this year’s recommendations, they’re split up into different price points, so you can jump to each using the following links.

Great list of potential gifts for someone you know is hacking or who you want to encourage to hack.

Imagine the degree of transparency if hacking were taught as widely as keyboarding.

One Hacker One Computer – #OHOC

Enjoy!

November 21, 2018

Raspberry-Pi In Your Stocking?

Filed under: Raspberry-Pi — Patrick Durusau @ 8:17 pm

Just in case you find, obtain or are given a Raspberry Pi over the holidays, check out awesome-raspberry-pi.

From the webpage:

A curated list of awesome Raspberry Pi tools, projects, images and resources.

I’m counting forty-eight (48) OS images, twenty (20) tools, fifty-six (56) projects, ten (10) useful apps, five (5) articles, sixteen (16) tutorials, and thirteen (13) community links. (as of 21 November 2018)

I tried to find another category instead of adding Raspberry-Pi. Now I have to find all my posts that mention Raspberry-Pi and update their links!

Worth the time, though, when you consider a Raspberry-Pi is small enough to drop off in a target location or even plug into a target network. That alone makes it worth more attention.

Going Old School to Solve A Google Search Problem

Filed under: Bookmarking,Bookmarks,Javascript,Searching — Patrick Durusau @ 5:27 pm

Going Old School to Solve A Google Search Problem

I was completely gulled by the headline. I thought the “old school” solution was going to be:

Go ask a librarian.

My bad. Turns out the answer was:

Recently I got an email from my friend John Simpson. He was having a search problem and thought I might be able to help him out. I was, and wanted to share with you what I did, because a) you might be able to use it too and b) it’s not often in my Internet experience that you end up solving a problem using a method that was popular over ten years ago.

Here’s John’s problem: he does regular Google searches of a particular kind, but finds that with most of these searches he gets an overwhelming number of results from just a couple of sites. He wants to consistently exclude those sites from his search results, but he doesn’t want to have to type in the exclusions every time.

The rock-simple solution to this problem would be: do the Google search excluding all the sites you don’t want to see, bookmark the result, and then revisit that bookmark whenever you’re ready to search. But a more elegant solution would be to use an bookmark enhanced with JavaScript: a bookmarklet.

The rest of the post walks you through the creation of a simple bookmarklet. Easier than the name promises.

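The post’s fix is a JavaScript bookmarklet; the same idea, baking the -site: exclusions into a saved search, can be sketched in Python if you would rather generate the URL once and bookmark the result. The excluded domains below are placeholders:

    from urllib.parse import quote_plus

    def google_url(query, exclude_sites):
        """Build a Google search URL with -site: exclusions baked in."""
        full_query = query + "".join(f" -site:{s}" for s in exclude_sites)
        return "https://www.google.com/search?q=" + quote_plus(full_query)

    # Example: exclude two (hypothetical) sites that dominate the results.
    print(google_url("topic maps tutorial", ["example.com", "example.org"]))
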
When (not if) Google fails you, remember you can visit (or, in many cases, call) the reference desk at your local library.

Under the title Why You Should Fall To Your Knees And Worship A Librarian, I encountered this item:

I’ve always had a weakness for the line:

People become librarians because they know too much.

Google can quickly point you down any number of blind alleys. Librarians quickly provide you with productive avenues to pursue. Your call.

pugixml 1.9 quick start guide

Filed under: Parsers,XML,XPath — Patrick Durusau @ 4:20 pm

pugixml 1.9 quick start guide

From the webpage:

pugixml is a light-weight C++ XML processing library. It consists of a DOM-like interface with rich traversal/modification capabilities, an extremely fast XML parser which constructs the DOM tree from an XML file/buffer, and an XPath 1.0 implementation for complex data-driven tree queries. Full Unicode support is also available, with two Unicode interface variants and conversions between different Unicode encodings (which happen automatically during parsing/saving). The library is extremely portable and easy to integrate and use. pugixml is developed and maintained since 2006 and has many users. All code is distributed under the MIT license, making it completely free to use in both open-source and proprietary applications.

pugixml enables very fast, convenient and memory-efficient XML document processing. However, since pugixml has a DOM parser, it can’t process XML documents that do not fit in memory; also the parser is a non-validating one, so if you need DTD/Schema validation, the library is not for you.

This is the quick start guide for pugixml, which purpose is to enable you to start using the library quickly. Many important library features are either not described at all or only mentioned briefly; for more complete information you should read the complete manual.

Despite the disappointing lack of document/email leaks during the 2018 mid-terms, I am hopeful the same will not be true in 2020. The 2020 elections will include a presidential race.

I encountered pugixml today in another context and thought I should mention it as a possible addition to your toolkit.

The repository: http://github.com/zeux/pugixml.

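pugixml itself is C++. If you only want a quick feel for the kind of XPath-driven queries it offers before committing to the C++ API, Python’s standard library supports a much more limited XPath subset. This is not pugixml, just a rough analogue for experimenting:

    import xml.etree.ElementTree as ET

    doc = """<library>
      <book id="1"><title>Topic Maps</title></book>
      <book id="2"><title>XQuery</title></book>
    </library>"""

    root = ET.fromstring(doc)

    # ElementTree supports a limited XPath subset: // paths, attribute predicates, etc.
    for book in root.findall(".//book[@id='1']"):
        print(book.find("title").text)
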
Enjoy!

Stanford AI Lab (SAIL) Blog (Attn: All Hats)

Filed under: Artificial Intelligence,Hacking,Machine Learning — Patrick Durusau @ 3:45 pm

Stanford AI Lab (SAIL) Blog

From the Hello World post:

We are excited to launch the Stanford AI Lab (SAIL) Blog, where we hope to share our research, high-level discussions on AI and machine learning, and updates with the general public. SAIL has 18 faculty and 16 affiliated faculty, with hundreds of students working in diverse fields that span natural language processing, robotics, computer vision, bioinformatics, and more. Our vision is to make that work accessible to an audience beyond the academic and technical community.

Whether you are a White, Black, Grey, or Customer hat, start watching the Stanford AI Lab (SAIL) Blog.

Like a Customer hat, AI (artificial intelligence) knows no preset side, only its purpose as set by others.

If that sounds harsh, remember that it has been preset sides that force otherwise decent people (in some cases) to support the starvation of millions in Yemen or the murder of children in Palestine.

Or to say it differently, laws are only advisory opinions on the morality of any given act.

November 20, 2018

Is It Looking Like IoT This Year?

Filed under: Hacking,IoT - Internet of Things — Patrick Durusau @ 8:10 pm

IoT-Pentesting-Methodology

From the webpage:

Resources to help get started with IoT Pentesting

The only resource is a mindmap of things to consider. Useful in and of itself, but I had to kick the magnification up to 350% to make it readable.

Looking forward to other resources being added, perhaps as part of the mindmap?

While you are investigating IoT goodies this holiday season, take a break from pwning your brother-in-law’s car and add a couple of resources here.

😉

IoT creates an opportunity for gifts that keep on giving after you take control of them.

Not to mention sending, anonymously, IoT devices to neighbors, fellow staff members, and elected representatives.

Do Your Clients Know You’re Running Adobe Flash?

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 5:28 pm

Critical Adobe Flash Bug Impacts Windows, macOS, Linux and Chrome OS by Tom Spring.

From the post:

Adobe released a patch for a critical flaw on Tuesday that leaves its Flash Player vulnerable to arbitrary code execution by an adversary. Affected are versions of the Flash Player running on Windows, macOS, Linux and Chrome OS.

Unless you need the technical details to prepare an exploit, that’s about all that needs to be said about the latest Adobe Flash fail.

You aren’t running Flash? Yes?

Assuming you are not running Flash, download and save a known-safe Flash file. Attach it to an email to your current contractor(s).

Call your contractor(s) and ask if they can open the attached Flash file. Should they say yes, start looking for new contractor(s).

What are you going to say when you get a “can you open the Flash attachment” call?

PS: I wonder if any of the techno-mages at the White House are running Flash? Thoughts?

Hackers: White, Black, Grey [, and Customer?] Hat

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:17 pm

Types of Hackers and What They Do: White, Black, and Grey:

Hackers are lumped into three (3) categories:

A black-hat hacker is an individual who attempts to gain unauthorized entry into a system or network to exploit them for malicious reasons. The black-hat hacker does not have any permission or authority to compromise their targets.

White-hat hackers, on the other hand, are deemed to be the good guys, working with organizations to strengthen the security of a system. A white hat has permission to engage the targets and to compromise them within the prescribed rules of engagement.

Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.

I suppose, but where is the category Customer-hat?

Customer-hat hackers carry out actions contracted for by a customer.

The customer-hat hacker designation avoids the attempts to pre-define moral or ethical dimensions to the work of hackers, generally summarized under the rubrics of black, white and grey hats.

Picking a recent post at random: Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign, you quickly get the impression that APT29 is a black-hat, i.e., non-American.

As a contractor or customer, I’m more comfortable wearing a customer-hat. Are you?

PS: I’m aware that the black/grey/white hat designations are attempts to shame people into protecting institutions and systems unworthy of respect and/or protection. I decline the invitation.

November 17, 2018

IMSI-Catcher in 30 Minutes

Filed under: Government,Privacy,STINGER — Patrick Durusau @ 9:51 pm

With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes by Joseph Cox.

From the post:

With some dirt cheap tech I bought from Amazon and 30-minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to confirm whether someone is in a particular area. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.

But a DIY IMSI catcher is relatively trivial to setup, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and, the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—malware used by abusive partners—surveillance takes on different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

Once you get up and running (see the project’s GitHub page), other extensions and uses will occur to you.

I deeply disagree with the assessment:

The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

The greater danger comes when secret agencies, and even police agencies, operate with no effective oversight, either because their operations are too secret to be known to others or because a toady, such as the FISA court, is called upon to pass judgment.

As the “threat” from IMSI-catchers increases, manufacturers will engineer phones that resist attacks from the government and the public. A net win for the public, if not the government.

IMSI-catchers and more need to be regulars around government offices and courthouses. Governments like surveillance so much; let’s provide them with a rich and ongoing experience of the same.

Query Expansion Techniques for Information Retrieval: a Survey

Filed under: Query Expansion,Subject Identity,Subject Recognition,Topic Maps — Patrick Durusau @ 9:12 pm

Query Expansion Techniques for Information Retrieval: a Survey by Hiteshwar Kumar Azad and Akshay Deepak.

With the ever increasing size of web, relevant information extraction on the Internet with a query formed by a few keywords has become a big challenge. To overcome this, query expansion (QE) plays a crucial role in improving the Internet searches, where the user’s initial query is reformulated to a new query by adding new meaningful terms with similar significance. QE — as part of information retrieval (IR) — has long attracted researchers’ attention. It has also become very influential in the field of personalized social document, Question Answering over Linked Data (QALD), and, Text Retrieval Conference (TREC) and REAL sets. This paper surveys QE techniques in IR from 1960 to 2017 with respect to core techniques, data sources used, weighting and ranking methodologies, user participation and applications (of QE techniques) — bringing out similarities and differences.

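For readers new to the idea, the core move the abstract describes, reformulating a query by adding related terms, can be sketched in a few lines. This is a naive, hand-built synonym expansion, purely illustrative; the survey covers far richer data sources, weighting, and ranking schemes:

    # Naive query expansion: add hand-picked related terms to each query word.
    # The synonym table is invented for illustration.
    SYNONYMS = {
        "car": ["automobile", "vehicle"],
        "cheap": ["affordable", "budget"],
    }

    def expand(query):
        terms = query.lower().split()
        expanded = list(terms)
        for t in terms:
            expanded.extend(SYNONYMS.get(t, []))
        return " ".join(expanded)

    print(expand("cheap car insurance"))
    # -> "cheap car insurance affordable budget automobile vehicle"
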
Another goodie for the upcoming holiday season. At forty-three (43) pages, published in 2017 and already due for an update, it’s a real joy for anyone interested in query expansion.

Writing this post I realized that something is missing in discussions of query expansion. It is assumed that end-users are querying the data set and they are called upon to evaluate the results.

What if we change that assumption to an expert user querying the data set and authoring filtered results for end users?

Instead of presenting an end user with a topic map, no matter how clever its merging rules, they are presented with a curated information resource.

Granted, an expert may have used a topic map to produce the curated information resource, but of what concern is that to the end user?

Got 20 Minutes? Black Friday ATM Hunting

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 11:06 am

One definition of Black Friday reads:

The Day After Thanksgiving (Friday) is known as Black Friday. This used to be unofficially or officially the start of holiday shopping season. Almost all stores come out with Doorbuster Sales with the early bird special to attract consumers to their shop. People stand in line hours before the stores are opened, to grab the bargains of the year. In last few years, we have witnessed a trend towards bringing those Black Friday Sales online before Friday.

Suffice it to say it is an orgy of consumerism and consumption, which originated in the United States but has spread to other countries.

One constant at shopping locations, Black Friday or no, is the presence of ATMs (Automated Teller Machines). ATM finder services are offered by Visa and Mastercard. A search using “atm location” reveals many others.

I mention all that because I encountered Most ATMs can be hacked in under 20 minutes by Catalin Cimpanu.

From the post:

“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the PT team said. “Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale.” (emphasis added)

Cimpanu includes a list of the ATMs tested. Nothing is more innocent than using an ATM on Black Friday and noting its type and model number. Privacy is required for the attacks described but usually for less than 20 minutes.

Armed with a list of ATMs, with model numbers and locations, plus the attacks as described in the original report, you may have a reason to celebrate early this holiday season. (BTW, strictly for research purposes, did you know they sell ATMs on eBay?)

November 15, 2018

Fake ‘Master’ Fingerprints

Filed under: Artificial Intelligence,Security — Patrick Durusau @ 3:20 pm

DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution by Philip Bontrager et al.

Abstract:

Recent research has demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks based on MasterPrints. MasterPrints are real or synthetic fingerprints that can fortuitously match with a large number of fingerprints thereby undermining the security afforded by fingerprint systems. Previous work by Roy et al. generated synthetic MasterPrints at the feature-level. In this work we generate complete image-level MasterPrints known as DeepMasterPrints, whose attack accuracy is found to be much superior than that of previous methods. The proposed method, referred to as Latent Variable Evolution, is based on training a Generative Adversarial Network on a set of real fingerprint images. Stochastic search in the form of the Covariance Matrix Adaptation Evolution Strategy is then used to search for latent input variables to the generator network that can maximize the number of impostor matches as assessed by a fingerprint recognizer. Experiments convey the efficacy of the proposed method in generating DeepMasterPrints. The underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis.

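The “Latent Variable Evolution” in the abstract is straightforward to sketch: treat the generator’s latent vector as the search space and let an evolution strategy maximize the matcher’s score. A skeletal version using the cma package follows; generator and match_score are hypothetical stand-ins, not the paper’s trained networks:

    import numpy as np
    import cma  # pip install cma

    LATENT_DIM = 32

    def generator(z):
        """Stand-in for a trained GAN generator: latent vector -> image array."""
        return np.tanh(z).reshape(4, 8)      # placeholder "image"

    def match_score(image):
        """Stand-in for a fingerprint matcher: higher = more impostor matches."""
        return float(image.sum())            # placeholder objective

    # CMA-ES minimizes, so negate the score we want to maximize.
    es = cma.CMAEvolutionStrategy(LATENT_DIM * [0.0], 0.5, {"maxiter": 50})
    while not es.stop():
        candidates = es.ask()
        es.tell(candidates, [-match_score(generator(np.asarray(z))) for z in candidates])

    best_z = np.asarray(es.result.xbest)
    print("best latent vector found, score:", match_score(generator(best_z)))
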
One review of this paper concludes:


At the highest level of security, the researchers note that the master print is “not very good” at spoofing the sensor—the master prints only fooled the sensor less than 1.2 percent of the time.

While this research doesn’t spell the end of fingerprint ID systems, the researchers said it will require the designers of these systems to rethink the tradeoff between convenience and security in the future.

But fingerprint ID systems are only one use case for DeepMasterPrints.

The generated fingerprints, for all intents and purposes, appear to be human fingerprints. If used to intentionally “leave” fingerprints for investigators to discover, there is no immediate “tell” these are artificial fingerprints.

If your goal is to delay or divert authorities for a few hours or even days with “fake” fingerprints, then DeepMasterPrints may be quite useful.

The test for any security or counter-security measure isn’t working forever or without fail but only for as long as needful. (For example, encryption that defeats decryption until after an attack has served its purpose. It need not do more than that.)

*exploitation not included

Filed under: Privacy — Patrick Durusau @ 2:24 pm

The title is a riff on Mozilla’s *privacy not included list of privacy-insecure gifts for the holiday season.

While intended as a warning to consumers, I can’t think of a better shopping list for members of government, their staffs, corporate officers, lobbyists, or even your co-workers.

Unlike some, I don’t consider privacy to be a universal good, especially if a breach of privacy takes down someone like Senator Mitch McConnell or others of similar ilk.

Use your imagination or ping me (not free) for development of a list of likely recipients of your holiday largess.

But as the title suggests: *exploitation not included.

PS: And no, I don’t want to know the intended purpose of your list. Enjoy the holidays!

The Unlearned Lesson Of Amazon’s automated hiring tool

Filed under: Artificial Intelligence,Diversity,Machine Learning — Patrick Durusau @ 1:57 pm

Gender, Race and Power: Outlining a New AI Research Agenda.

From the post:


AI systems — which Google and others are rapidly developing and deploying in sensitive social and political domains — can mirror, amplify, and obscure the very issues of inequality and discrimination that Google workers are protesting against. Over the past year, researchers and journalists have highlighted numerous examples where AI systems exhibited biases, including on the basis of race, class, gender, and sexuality.

We saw a dramatic example of these problems in recent news of Amazon’s automated hiring tool. In order to “learn” to differentiate between “good” and “bad” job candidates, it was trained on a massive corpus of of (sic) data documenting the company’s past hiring decisions. The result was, perhaps unsurprisingly, a hiring tool that discriminated against women, even demoting CVs that contained the word ‘women’ or ‘women’s’. Amazon engineers tried to fix the problem, adjusting the algorithm in the attempt to mitigate its biased preferences, but ultimately scrapped the project, concluding that it was unsalvageable.

From the Amazon automated hiring tool and other examples, the AI Now Institute draws this conclusion:


It’s time for research on gender and race in AI to move beyond considering whether AI systems meet narrow technical definitions of ‘fairness.’ We need to ask deeper, more complex questions: Who is in the room when these technologies are created, and which assumptions and worldviews are embedded in this process? How does our identity shape our experiences of AI systems? In what ways do these systems formalize, classify, and amplify rigid and problematic definitions of gender and race? We share some examples of important studies that tackle these questions below — and we have new research publications coming out to contribute to this literature.

AI Now misses the most obvious lesson from the Amazon automated hiring tool experience:

In the face of an AI algorithm that discriminates, we don’t know how to cure its discrimination.

Predicting or curing discrimination from an algorithm alone lies beyond our ken.

The creation of reference datasets for testing AI algorithms, however, enables testing and comparison of algorithms, with concrete results that could be used to reduce discrimination in fact.

Actual hiring and other databases are private for good reasons, but wholly artificial reference databases would raise no such concerns.

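A wholly artificial reference dataset plus a simple disparate-impact check is enough to compare algorithms on an equal footing. A minimal sketch (synthetic data, a stand-in model; the 0.8 threshold echoes the common “four-fifths” rule of thumb):

    import numpy as np

    rng = np.random.default_rng(0)

    # Wholly synthetic "reference" applicants: one score plus a group label.
    n = 10_000
    group = rng.integers(0, 2, size=n)            # group 0 or 1
    score = rng.normal(loc=0.0, scale=1.0, size=n)

    def model_predict(score):
        """Stand-in for the model under test: hire if score above a cutoff."""
        return (score > 0.5).astype(int)

    hired = model_predict(score)

    # Selection rate per group and the disparate-impact ratio.
    rates = [hired[group == g].mean() for g in (0, 1)]
    ratio = min(rates) / max(rates)
    print(f"selection rates: {rates[0]:.3f} vs {rates[1]:.3f}, ratio {ratio:.2f}")
    print("flag for review" if ratio < 0.8 else "passes the four-fifths rule of thumb")
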
Since we don’t understand discrimination in humans, I caution against a quixotic search for its causes in algorithms. Keep or discard algorithms based on their discrimination in practice, something we have shown ourselves capable of spotting.

PS: Not all discrimination is unethical or immoral. If a position requires a law degree, it is “discrimination” to eliminate all applicants without one, but that’s allowable discrimination.

Before You Make a Thing [Technology and Society]

Filed under: Computer Science,Ethics,Politics — Patrick Durusau @ 10:55 am

Before You Make a Thing: some tips for approaching technology and society by Jentery Sayers.

From the webpage:

This is a guide for Technology and Society 200 (Fall 2018; 60 undergraduate students) at the University of Victoria. It consists of three point-form lists. The first is a series of theories and concepts drawn from assigned readings, the second is a rundown of practices corresponding with projects we studied, and the third itemizes prototyping techniques conducted in the course. All are intended to distill material from the term and communicate its relevance to project design and development. Some contradiction is inevitable. Thank you for your patience.

An extraordinary summary of the Prototyping Pasts + Futures class, whose description reads:

An offering in the Technology and Society minor at UVic, this course is about the entanglement of Western technologies with society and culture. We’ll examine some histories of these entanglements, discuss their effects today, and also speculate about their trajectories. One important question will persist throughout the term: How can and should we intervene in technologies as practices? Rather than treating technologies as tools we use or objects we examine from the outside, we’ll prototype with and through them as modes of inquiry. You’ll turn patents into 3-D forms, compose and implement use scenarios, “datify” old tech, and imagine a device you want to see in the world. You’ll document your research and development process along the way, reflect on what you learned, present your prototypes and findings, and also build a vocabulary of keywords for technology and society. I will not assume that you’re familiar with fields such as science and technology studies, media studies, critical design, or experimental art, and the prototyping exercises will rely on low-tech approaches. Technical competency required: know how to send an email.

Deeply impressive summary of the “Theories and Concepts,” “Practices,” and “Prototyping Techniques” from Prototyping Pasts + Futures.

Whether you want your technology to have a benign impact or are looking to put a fine edge on it, this is the resource for you!

Not to mention learning a great deal that will help you better communicate to clients the probable outcomes of their requests.

Looking forward to spending some serious time with these materials.

Enjoy!

November 14, 2018

ScalaQuest! (Video Game Approach to Language Learning)

Filed under: Programming,Scala — Patrick Durusau @ 8:45 pm

ScalaQuest!

From the announcement on Reddit:

Learn to program in Scala while stepping into a world called DataLand – where chaos and complexity threaten the universe itself!

ScalaQuest is a web-based video game that takes you on the first few steps of learning the Scala programming language. Play through the 4 levels available and discover some of what makes Scala unique, while trying to survive and to help the people of DataLand survive the danger that could gargabe-collect everything!

The scope of the game is modest, as any real beginings must be. Fully learning Scala is the adventure we want to make if this first release is successful.

Scala – the powerful and exotic programming language loved by many but challenging to learn, is a realm that we want to open up to motivated learners. With some unique gameplay mechanics, we believe we are changing how people can be introduced to languages and make it into an adventure where fun, risk and failure come together into a stimulating challenge.

Can you save DataLand?

Sign up now! http://scalaquest.com.

I only watched the video; it’s too late for me to spring the $8 for the first module, as I wouldn’t remember any of it tomorrow. Maybe this coming weekend.

I started to make a rude suggestion about games involving Sen. Mitch McConnell as an inducement to learn how to program. Use your imagination and see what turns up.

Systematic vs. Ad Hoc Attacks and Defenses

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:16 pm

A Systematic Evaluation of Transient Execution Attacks and Defenses by Claudio Canella, et al.

Abstract:

Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU’s microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Unfortunately, both the industry and academia are now focusing on finding efficient defenses that mostly address only one specific variant or exploitation methodology. This is highly problematic, as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses.

In this paper, we present a sound and extensible systematization of transient execution attacks. Our systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far. This includes 2 new Meltdown variants: Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD. It also includes 5 new Spectre mistraining strategies. We evaluate all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM). Our systematization does not only yield a complete picture of the attack surface, but also allows a systematic evaluation of defenses. Through this systematic evaluation, we discover that we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.

If you guessed from the title (or experience) that being systematic wins the prize, you’re right!

Between users’ failure to patch and vendors’ “good enough” responses to vulnerabilities, it’s surprising cybersecurity is in the dictionary at all, other than as a marketing term like “salvation.”

November 12, 2018

Holiday Avoidance Videos! Black Hat USA 2018

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:25 pm

Just in time for the 2018 holiday season, Black Hat USA 2018 videos have been posted on Youtube! Abstracts and presentation materials are also available.

I count one-hundred and twenty-five (125) videos!

I’m not suggesting you would pwn the TV remote or video game controller, or surf the local mall’s wifi if forced to go shopping, but with the Black Hat videos, visions of the same can dance in your head!

Enjoy!

PS: Be sure to give a big shout out to Black Hat and presenters for all videos that stand out to you.

November 11, 2018

Why You Should Study Adobe Patch Releases

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:02 pm

Adobe ColdFusion servers under attack from APT group by Catalin Cimpanu.

A cyber-espionage group appears to have reverse engineered an Adobe security patch and is currently going after unpatched ColdFusion servers.

If you review the Adobe Security Bulletin, I don’t think “reverse engineer” is the term I would use in this case.

Nor would I use “Advanced Persistent Threat (APT)” for this vulnerability.

The Adobe fail here is the equivalent of leaving a liquor store unattended with the door propped open and the lights on. Theft there doesn’t require a criminal mastermind.

Given patch rates, reading patches could be the easiest way to add exploits to your toolkit.

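Reading a patch takes no special tooling; even a plain diff of the unpatched and patched source (or decompiled output) points you at the changed code paths, which are usually where the vulnerability was. A toy sketch with Python’s difflib, using invented file names:

    import difflib
    from pathlib import Path

    # Hypothetical paths to the same source file before and after the vendor patch.
    old = Path("coldfusion_old/Handler.java").read_text().splitlines(keepends=True)
    new = Path("coldfusion_new/Handler.java").read_text().splitlines(keepends=True)

    # The changed hunks are usually where the fix (and the bug) lives.
    for line in difflib.unified_diff(old, new, fromfile="old", tofile="patched"):
        print(line, end="")
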
Hiding Places for Bias in Deep Learning

Filed under: Bias,Deep Learning — Patrick Durusau @ 8:17 pm

Are Deep Policy Gradient Algorithms Truly Policy Gradient Algorithms? by Andrew Ilyas, et al.

Abstract:

We study how the behavior of deep policy gradient algorithms reflects the conceptual framework motivating their development. We propose a fine-grained analysis of state-of-the-art methods based on key aspects of this framework: gradient estimation, value prediction, optimization landscapes, and trust region enforcement. We find that from this perspective, the behavior of deep policy gradient algorithms often deviates from what their motivating framework would predict. Our analysis suggests first steps towards solidifying the foundations of these algorithms, and in particular indicates that we may need to move beyond the current benchmark-centric evaluation methodology.

Although written as an evaluation of the framework for deep policy gradient algorithms with suggestions for improvement, it isn’t hard to see how the same factors create hiding places for bias in deep learning algorithms.

  • Gradient Estimation: we find that even while agents are improving in terms of reward, the gradient
    estimates used to update their parameters are often virtually uncorrelated with the true gradient.
  • Value Prediction: our experiments indicate that value networks successfully solve the supervised learning task they are trained on, but do not fit the true value function. Additionally, employing a value network as a baseline function only marginally decreases the variance of gradient estimates (but dramatically increases agent’s performance).
  • Optimization Landscapes: we also observe that the optimization landscape induced by modern policy gradient algorithms is often not reflective of the underlying true reward landscape, and that the latter is often poorly behaved in the relevant sample regime.
  • Trust Regions: our findings show that deep policy gradient algorithms sometimes violate theoretically motivated trust regions. In fact, in proximal policy optimization, these violations stem from a fundamental problem in the algorithm’s design.

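The first finding, gradient estimates “virtually uncorrelated with the true gradient,” is easy to see even in a toy setting. A minimal sketch: a three-armed bandit with a softmax policy, comparing small-sample REINFORCE estimates against the exact gradient (numpy only; nothing to do with the paper’s benchmarks):

    import numpy as np

    rng = np.random.default_rng(0)
    theta = np.array([0.2, -0.1, 0.0])            # policy logits, three-armed bandit
    rewards = np.array([1.0, 0.5, -0.5])          # fixed reward per arm

    def softmax(x):
        e = np.exp(x - x.max())
        return e / e.sum()

    pi = softmax(theta)
    J = float(pi @ rewards)                       # expected reward
    true_grad = pi * (rewards - J)                # exact gradient of J w.r.t. theta

    def reinforce_estimate(n_samples):
        grad = np.zeros_like(theta)
        for _ in range(n_samples):
            a = rng.choice(len(pi), p=pi)
            grad += rewards[a] * (np.eye(len(pi))[a] - pi)   # r * grad log pi(a)
        return grad / n_samples

    for n in (2, 10, 1000):
        est = reinforce_estimate(n)
        cos = est @ true_grad / (np.linalg.norm(est) * np.linalg.norm(true_grad) + 1e-12)
        print(f"{n:5d} samples: cosine similarity with true gradient {cos:+.2f}")
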
The key take-away: if you can’t explain the behavior of an algorithm, how do you detect or guard against bias in it? Or as the authors put it:

Deep reinforcement learning (RL) algorithms are rooted in a well-grounded framework of classical RL, and have shown great promise in practice. However, as our investigations uncover, this framework fails to explain much of the behavior of these algorithms. This disconnect impedes our understanding of why these algorithms succeed (or fail). It also poses a major barrier to addressing key challenges facing deep RL, such as widespread brittleness and poor reproducibility (cf. Section 4 and [3, 4]).

Do you plan on offering ignorance about your algorithms as a defense for discrimination?

Interesting.

November 10, 2018

Relational inductive biases, deep learning, and graph networks

Filed under: Deep Learning,Graphs,Networks — Patrick Durusau @ 9:15 pm

Relational inductive biases, deep learning, and graph networks by Peter W. Battaglia, et al.

Abstract:

Artificial intelligence (AI) has undergone a renaissance recently, making major progress in key domains such as vision, language, control, and decision-making. This has been due, in part, to cheap data and cheap compute resources, which have fit the natural strengths of deep learning. However, many defining characteristics of human intelligence, which developed under much different pressures, remain out of reach for current approaches. In particular, generalizing beyond one’s experiences–a hallmark of human intelligence from infancy–remains a formidable challenge for modern AI.

The following is part position paper, part review, and part unification. We argue that combinatorial generalization must be a top priority for AI to achieve human-like abilities, and that structured representations and computations are key to realizing this objective. Just as biology uses nature and nurture cooperatively, we reject the false choice between “hand-engineering” and “end-to-end” learning, and instead advocate for an approach which benefits from their complementary strengths. We explore how using relational inductive biases within deep learning architectures can facilitate learning about entities, relations, and rules for composing them. We present a new building block for the AI toolkit with a strong relational inductive bias–the graph network–which generalizes and extends various approaches for neural networks that operate on graphs, and provides a straightforward interface for manipulating structured knowledge and producing structured behaviors. We discuss how graph networks can support relational reasoning and combinatorial generalization, laying the foundation for more sophisticated, interpretable, and flexible patterns of reasoning. As a companion to this paper, we have released an open-source software library for building graph networks, with demonstrations of how to use them in practice.

Forty pages of very deep sledding.

Just on a quick scan, I do take encouragement from:

An entity is an element with attributes, such as a physical object with a size and mass. (page 4)

Could it be that entities have identities defined by their attributes? Are the attributes and their values recursive subjects?

Only a close read of the paper will tell, but I wanted to share it today.

Oh, the authors have released a library for building graph networks: https://github.com/deepmind/graph_nets.

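The graph_nets library itself is TensorFlow-based; as a library-free illustration of what a single “graph network” block does (edge update, aggregation, node update), here is a stripped-down numpy sketch with random weights standing in for learned functions. It shows the general idea, not the graph_nets API:

    import numpy as np

    rng = np.random.default_rng(0)

    # Toy graph: 3 nodes, 3 directed edges (sender -> receiver).
    node_feats = rng.normal(size=(3, 4))          # 3 nodes, 4 features each
    senders    = np.array([0, 1, 2])
    receivers  = np.array([1, 2, 0])
    edge_feats = rng.normal(size=(3, 2))          # 3 edges, 2 features each

    # Random "update functions" standing in for learned MLPs.
    W_edge = rng.normal(size=(4 + 4 + 2, 8))      # [sender, receiver, edge] -> message
    W_node = rng.normal(size=(4 + 8, 4))          # [node, aggregated messages] -> new node

    # 1. Edge update: a message per edge from its endpoints and its own features.
    edge_in = np.concatenate(
        [node_feats[senders], node_feats[receivers], edge_feats], axis=1)
    messages = np.tanh(edge_in @ W_edge)

    # 2. Aggregate incoming messages at each receiving node (sum aggregation).
    agg = np.zeros((3, 8))
    np.add.at(agg, receivers, messages)

    # 3. Node update: combine each node's features with its aggregated messages.
    node_feats = np.tanh(np.concatenate([node_feats, agg], axis=1) @ W_node)
    print(node_feats)
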
PyCoder’s Weekly Archive 2012-2018 [Indexing Data Set?]

Filed under: Indexing,Python,Search Engines,Searching — Patrick Durusau @ 8:53 pm

PyCoder’s Weekly Archive 2012-2018

Python programmers already know about PyCoder’s Weekly, but if you don’t, it’s a weekly newsletter with headline Python news, discussions, Python jobs, articles & tutorials, projects & code, and events. Yeah, every week!

I mention it too as a potential indexing data set for search software. I’m reasoning you are more likely to devote effort to indexing material of interest than to out-of-copyright newspapers. Besides, you will be better able to judge a good search result from a bad one when indexing PyCoder’s Weekly.

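If you do use the archive as an indexing testbed, the baseline to beat is a plain inverted index. A minimal sketch over a couple of invented snippets (swap in the real newsletter text):

    import re
    from collections import defaultdict

    # Stand-in documents; in practice, one entry per archived newsletter issue.
    docs = {
        "2018-45": "new release of pandas and a tutorial on asyncio",
        "2018-46": "profiling python code and a pandas performance guide",
    }

    index = defaultdict(set)
    for doc_id, text in docs.items():
        for token in re.findall(r"[a-z0-9]+", text.lower()):
            index[token].add(doc_id)

    def search(term):
        return sorted(index.get(term.lower(), set()))

    print(search("pandas"))   # -> ['2018-45', '2018-46']
    print(search("asyncio"))  # -> ['2018-45']
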
Enjoy!

November 9, 2018

RunCode – (Was Codewarz last year) – Starts Nov 10 0900 (EST)

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:47 pm

RunCode.

From the webpage:

Complete challenges to attain points. Attain points to impress your friends. Impress your friends to… lol, you don’t have any friends, what are you talking about!

The competition will begin at Nov 10 0900(EST) and run until Nov 12 0900(EST). The top 10 players will be able to pick a prize out of our prize list. In order to receive the prize you must provide the RunCode team your physical mailing address as we will be shipping you the prize. If you’d rather donate your prize instead of giving us your physical mailing address, we will give the prize of your choice or donate the equivalent monetary amount to a charity you choose. If you’re looking for the list of prizes, they can be found on our twitter. Good luck in the competition, and if you have any questions feel free to reach out to us on our slack chat server for support (you’ll get an email invite to our slack after making an account).

If you’d like to practice on some of our previous challenges. Head over to our main website where we have all of our previous challenges available for you to work on (the logins/accounts for the competition site and the main site are separate).

Sign up! Not many hours left!

I’ve got a full weekend of editing on tap already, but registering will give me an incentive to at least try some of the challenges.

I first read about the RunCode event in: Codewarz, reloaded: programming contest ads pwning, prizes as RunCode by Sean Gallagher.

November 8, 2018

Shape-Guided Image Generation [Danger! Danger! Sarah Huckabee Sanders]

Filed under: Deep Learning,Image Processing,Image synthesis — Patrick Durusau @ 9:34 pm

A Variational U-Net for Conditional Appearance and Shape Generation by Patrick Esser, Ekaterina Sutter, Björn Ommer.

Abstract:

Deep generative models have demonstrated great performance in image synthesis. However, results deteriorate in case of spatial deformations, since they generate images of objects directly, rather than modeling the intricate interplay of their inherent shape and appearance. We present a conditional U-Net [30] for shape-guided image generation, conditioned on the output of a variational autoencoder for appearance. The approach is trained end-to-end on images, without requiring samples of the same object with varying pose or appearance. Experiments show that the model enables conditional image generation and transfer. Therefore, either shape or appearance can be retained from a query image, while freely altering the other. Moreover, appearance can be sampled due to its stochastic latent representation, while preserving shape. In quantitative and qualitative experiments on COCO [20], DeepFashion [21, 23], shoes [43], Market-1501 [47] and handbags [49] the approach demonstrates significant improvements over the state-of-the-art.

The abstract fails to convey the results described in the paper. See the animated examples in the original post: each animated version is generated from a single still image.

There is a Github site with training data: https://github.com/CompVis/vunet, which carries this short description:

The model learns to infer appearance from a single image and can synthesize images with that appearance in different poses.

My answer to anyone who objects to Sarah Huckabee Sanders or other members of the current regime in Washington being the subjects of this technique: Jim Acosta video.

This is war friends and you don’t win wars by praying for the other side to be more courteous.

November 5, 2018

ꓘamerka —… [On Ubuntu 18.04] 

Filed under: Open Source Intelligence,Privacy,Shodan — Patrick Durusau @ 1:25 pm

ꓘamerka — Build interactive map of cameras from Shodan by Wojciech.

From the post:

This post will be really quick one, I want to share one of the curiosity I wrote recently. It’s proof of concept to visualize cameras from Shodan API into real map. Some of the cameras are left open with no authentication so you don’t need to have any hacking skills to get access, and depends on where camera is located you can get interesting view in some cases. With lot of luck, it can help you with OSINT investigations or geolocating photos. Imagine you have photo to geolocate and you found open camera exactly pointing to this place, or somewhere nearby, which can give you hint.

Source: https://github.com/woj-ciech/kamerka

OK, so I run git clone https://github.com/woj-ciech/kamerka in a directory.

After changing to the kamerka directory:

pip -r install requirements

Answer:

Usage:
pip [options]

no such option: -r

Syntax error. Try:

pip install -r requirements.txt

Success!

Restriction: Works only with paid Shodan.io accounts.

Oops! I don’t have a commercial Shodan account (at the moment), so I need to break here.

When I obtain a commercial Shodan account, I will report further on this script. Thinking Venice Beach would be a nice location to test for cameras. 😉

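In the meantime, the core of what ꓘamerka automates (query Shodan, pull coordinates, plot them) is easy to see with the shodan Python library directly. A minimal sketch, assuming a paid API key and a camera-related query string of your own choosing; both are placeholders here:

    import shodan

    API_KEY = "YOUR_PAID_SHODAN_KEY"              # placeholder
    api = shodan.Shodan(API_KEY)

    # The query string is an example; kamerka builds its own camera-related queries.
    results = api.search("webcamxp country:US")

    for match in results["matches"]:
        loc = match.get("location", {})
        print(match["ip_str"], match["port"], loc.get("latitude"), loc.get("longitude"))
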
November 1, 2018

Field Notes: Building Data Dictionaries [Rough-n-Ready Merging]

Filed under: Data Management,Data Provenance,Documentation,Merging,Topic Maps — Patrick Durusau @ 4:33 pm

Field Notes: Building Data Dictionaries by Caitlin Hudon.

From the post:

The scariest ghost stories I know take place when the history of data — how it’s collected, how it’s used, and what it’s meant to represent — becomes an oral history, passed down as campfire stories from one generation of analysts to another like a spooky game of telephone.

These stories include eerie phrases like “I’m not sure where that comes from”, “I think that broke a few years ago and I’m not sure if it was fixed”, and the ever-ominous “the guy who did that left”. When hearing these stories, one can imagine that a written history of the data has never existed — or if it has, it’s overgrown with ivy and tech-debt in an isolated statuary, never to be used again.

The best defense I’ve found against relying on an oral history is creating a written one.

Enter the data dictionary. A data dictionary is a “centralized repository of information about data such as meaning, relationships to other data, origin, usage, and format”, and provides us with a framework to store and share all of the institutional knowledge we have about our data.

Unless you have taken over the administration of an undocumented network, you cannot really appreciate Hudon’s statement:


As part of my role as a lead data scientist at a start-up, building a data dictionary was one of the first tasks I took on (started during my first week on the job).

I have taken over undocumented Novell and custom-written membership systems. They didn’t remain that way, but moving to fully documented systems was perilous and time-consuming.

The first task for any such position is to confirm an existing data dictionary and/or build one if it doesn’t exist. No other task, except maybe the paperwork for HR so you can get paid, is more important.

Hudon’s outline of her data dictionary process is as good as any, but it doesn’t allow for variant and/or possibly conflicting data dictionaries. Or for detecting when “variants” are only apparent and not real.

Where Hudon has Field notes, consider inserting structured properties that you can then query for “merging” purposes.

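A minimal sketch of what I mean: represent each dictionary entry as a small set of structured properties and treat two entries as merge candidates when their identifying properties agree. The field names and the identity rule below are my own illustration, not Hudon’s:

    # Two data dictionaries describing (possibly) the same field.
    dd_warehouse = {
        "cust_id": {"source_table": "orders", "semantics": "customer identifier",
                    "type": "int", "notes": "assigned at signup"},
    }
    dd_analytics = {
        "customer_id": {"source_table": "orders", "semantics": "customer identifier",
                        "type": "bigint", "notes": "see growth team"},
    }

    # Identity rule (illustrative): same source table and same stated semantics.
    IDENTITY_KEYS = ("source_table", "semantics")

    def same_subject(a, b):
        return all(a.get(k) == b.get(k) for k in IDENTITY_KEYS)

    for name_a, props_a in dd_warehouse.items():
        for name_b, props_b in dd_analytics.items():
            if same_subject(props_a, props_b):
                print(f"merge candidate: {name_a} <-> {name_b}")
                # Keep conflicting values side by side rather than guessing.
                print({k: (props_a.get(k), props_b.get(k))
                       for k in set(props_a) | set(props_b)})
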
It’s not necessary to work out how to merge all the other fields automatically, especially if you are exploring data or data dictionaries.

Or to put it differently, not every topic map results in a final, publishable, editorial product. Sometimes you only want enough subject identity to improve your data set or results. That’s not a crime.
