FBI, Malware, Carte Blanche and Cardinal Richelieu

July 15th, 2016

Graham Cluley has an amusing take on the FBI’s reaction to its Playpen NIT being characterized as “malware” in When is malware not malware? When the FBI says so, of course.

As Graham points out, the FBI has been denied the fruits of its operation of a child porn site (alleged identities of consumers of child porn), but there is a deeper issue here beyond defining malware.

The deeper issue lies in a portion of the FBI brief that Graham quotes in part:


“Malicious” in criminal proceedings and in the legal world has very direct implications, and a reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious.

The FBI brief echoes Cardinal Richelieu in The Three Musketeers:


CARDINAL RICHELIEU. … Document three, the most important of all: A pardon — in case you get caught. It’s called a Carte Blanche. It has the force of law and is unbreakable, even by Royal fiat.

MILADY. (Reading it.) “It is by my order and for the benefit of the State that the bearer of this note has done what he has done.”

The FBI contends a court order, assuming it bothers to obtain one, operates as Carte Blanche and imposes no limits on FBI conduct.

Moreover, once a court order is obtained, reports by the FBI of guilt are sufficient for conviction. How the FBI obtained alleged evidence isn’t open to inspection.

Judges should disabuse the FBI of its delusions concerning the nature of court orders and remind it of its proper role in the criminal justice system. The courts, so far as I am aware, remain the arbiters of guilt and innocence, not the FBI.

Neil deGrasse Tyson and the Religion of Science

July 14th, 2016

The next time you see Neil deGrasse Tyson chanting “holy, holy, holy” at the altar of science, re-read The 7 biggest problems facing science, according to 270 scientists by Julia Belluz, Brad Plumer, and Brian Resnick.

From the post:


The scientific process, in its ideal form, is elegant: Ask a question, set up an objective test, and get an answer. Repeat. Science is rarely practiced to that ideal. But Copernicus believed in that ideal. So did the rocket scientists behind the moon landing.

But nowadays, our respondents told us, the process is riddled with conflict. Scientists say they’re forced to prioritize self-preservation over pursuing the best questions and uncovering meaningful truths.

Ah, a quick correction to: “So did the rocket scientists behind the moon landing.”

Not!

The post Did Politics Fuel the Space Race? points to a White House transcript that reveals politics drove the race to the moon:

James Webb – NASA Administrator, President Kennedy.


James Webb: All right, then let me say this: if I go out and say that this is the number-one priority and that everything else must give way to it, I’m going to lose an important element of support for your program and for your administration.

President Kennedy [interrupting]: By who? Who? What people? Who?

James Webb: By a large number of people.

President Kennedy: Who? Who?

James Webb: Well, particularly the brainy people in industry and in the universities who are looking at a solid base.

President Kennedy: But they’re not going to pay the kind of money to get that position that we are [who we are] spending it. I say the only reason you can justify spending this tremendous…why spend five or six billion dollars a year when all these other programs are starving to death?

James Webb: Because in Berlin you spent six billion a year adding to your military budget because the Russians acted the way they did. And I have some feeling that you might not have been as successful on Cuba if we hadn’t flown John Glenn and demonstrated we had a real overall technical capability here.

President Kennedy: We agree. That’s why we wanna put this program…. That’s the dramatic evidence that we’re preeminent in space.

The rocket to the moon wasn’t about science, it was about “…dramatic evidence that we’re preeminent in space.”

If you need a not so recent example, consider the competition between Edison and Westinghouse in what Wikipedia titles: War of Currents.

Science has always been a mixture of personal ambition, politics, funding, etc.

That’s not to take anything away from science but a caution to remember it is and always has been a human enterprise.

Tyson’s claims for science should be questioned and judged like all other claims.

Building A National FOIA Rejection Database (MuckRock)

July 14th, 2016

MuckRock is launching a national database of FOIA exemptions by Joseph Lichterman.

From the post:

In the 2015 fiscal year, the U.S. federal government processed 769,903 Freedom of Information requests. The government fully fulfilled only 22.6 percent of those requests; 44.9 percent of federal FOIA requests were either partially or fully denied. Even though the government denied at least part of more than 345,000 requests, it only received 14,639 administrative appeals.

In an attempt to make the FOIA appeals process easier and help reporters and others understand how and why their requests are being denied, MuckRock is on Thursday launching a project to catalog and explain the exceptions both the federal and state governments are using to deny requests.

MuckRock is a nonprofit site that helps its users file FOIA requests, and cofounder Michael Morisy said that the site is planning to create a “Google for FOIA rejections” which will help users understand why their requests were denied and learn what they can do to appeal the case.

If your FOIA request is rejected, who knows about it? You and maybe a few colleagues?

If you contribute your rejected FOIA requests to this MuckRock project, your rejected requests will join thousands of others to create a database on which the government can be held accountable for its FOIA behavior.

Don’t let your rejected FOIA requests languish in filing cabinets and boxes; contribute them, along with support, to MuckRock!

The government isn’t the only party that can take names and keep records.

Securing Your Cellphone For A Protest

July 14th, 2016

The instructions on preparing for a demonstration in Steal This Book read in part:


Ideally you should visit the proposed site of the demonstration before it actually takes place. This way you’ll have an idea of the terrain and the type of containment the police will be using. Someone in your group should mimeograph a map of the immediate vicinity which each person should carry. Alternative actions and a rendezvous point should be worked out. Everyone should have two numbers written on their arm, a coordination center number and the number of a local lawyer or legal defense committee. You should not take your personal phone books to demonstrations. If you get busted, pigs can get mighty nosy when it comes to phone books. Any sharp objects can be construed as weapons. Women should not wear earrings or other jewelry and should tie their hair up to tuck it under a helmet. Wear a belt that you can use as a tourniquet. False teeth and contact lenses should be left at home if possible. You can choke on false teeth if you receive a sharp blow while running. Contact lenses can complicate eye damage if gas or Mace is used.

How would you update this paragraph for the age of smart phones?

ACLU counsels protesters to secure their phones (read personal phone books) in The Two Most Important Things Protesters Can Do To Secure Their Phones.

You can do better than that: as Hoffman advises, leave your personal phone books (read smart phones) at home!

Your “whole life is on your phone.” Yes, I know. All the more reason to leave it out of the clutches of anyone interested in your “whole life.”

Buy clean burner phones in bulk.

Preset bookmarks for the protest area on Google maps, along with landmarks, rendezvous points, fall back positions, etc.

For texting during protests, create burner identities drawn from a list of characters in police shows, out of a hat. No changing, no choices. The same person should never re-use a burner identity. Patterns matter. (See the ACLU post for suggestions on secure messaging apps.)

Continue to write two phone numbers on your arm: coordination center and a local lawyer or legal defense committee.

Two reasons for these numbers on your arm: First, you may not have your cell phone when allowed to make a call from jail. Second, you should never have the number of another activist on your person.

Nothing takes the place of a site visit but technology has changed since Hoffman’s time.

High quality maps, photos and topographical features (think elevation (high ground) and drainage (as in running away from you)), not to mention reports of prior protests and police responses, are available.

If my security suggestions sound extreme, recall that not all protests occur in the United States, and even of those that do, not all are the “line up to be arrested” sort of events or are conducted in “free speech allotments,” like the upcoming Democratic and Republican political conventions this summer.

How-To Safely Protest on the Downtown Connector – #BLM

July 13th, 2016

Atlanta doesn’t have a spotless record on civil rights, but Mayor Kasim Reed agreeing to meet with #BLM leaders on July 18, 2016, is a welcome contrast to the response in the police state of Baton Rouge, for example.

During this “cooling off” period, I want to address Mayor Reed’s concern for the safety of #BLM protesters and motorists should #BLM protests move onto the Downtown Connector.

Being able to protest on the Downtown Connector would be far more effective than blocking random Atlanta surface streets, by day or night. Mayor Reed’s question is how to do so safely?

Here is Google Maps’ representation of a part of the Downtown Connector:

downtown-connector-map

That view isn’t helpful on the issue of safety but consider a smaller portion of the Downtown Connector as seen by Google Earth:

downtown-connector-earth-460

The safety question has two parts: How to transport #BLM protesters to a protest site on the Downtown Connector? How to create a safe protest site on the Downtown Connector?

A nearly constant element of the civil rights movement provides the answer: buses. From the Montgomery Bus Boycott, Freedom Riders, to the long experiment with busing to achieve desegregation in education.

Looking at an enlargement of an image of the Downtown Connector, you will see that ten (10) buses would fill all the lanes, plus the emergency lane and the shoulder, preventing any traffic from going around the buses. That provides safety for protesters. Not to mention transporting all the protesters safely to the protest site.

The Downtown Connector is often described as a “parking lot” so drivers are accustomed to traffic slowing to a full stop. If a group of buses formed a line across all lanes of the Downtown Connector and slowed to a stop, traffic would be safely stopped. That provides safety for drivers.

The safety of both protesters and drivers depends upon coordination between cars and buses to fill all the lanes of the Downtown Connector and then slowing down in unison, plus buses occupying the emergency lane and shoulder. Anything less than full interdiction of the highway would put both protesters and drivers at risk.

Churches and church buses have often played pivotal roles in the civil rights movement so the means for creating safe protest spaces, even on the Downtown Connector, are not out of reach.

There are other logistical and legal issues involved in such a protest but I have limited myself to offering a solution to Mayor Reed’s safety question.

PS: The same observations apply to any limited access motorway, modulo adaptation to your local circumstances.

New Linux Journal Subscription Benefit!

July 12th, 2016

Benefits of a Linux Journal subscription you already know:

  1. “Linux Journal, currently celebrating its 20th year of publication, is the original magazine of the global Linux community, delivering readers the advice and inspiration they need to get the most out of their Linux systems.”
  2. $29.50 (US) buys 12 issues and access to the Linux Journal archive.
  3. Linux Journal has regular columns written by Mick Bauer, Reuven Lerner, Dave Taylor, Kyle Rankin, Bill Childers, John Knight, James Gray, Zack Brown, Shawn Powers and Doc Searls.
  4. For more see the Linux Journal FAQ.

Now there is a new Linux Journal subscription benefit:

You are flagged as an extremist by the NSA

NSA Labels Linux Journal Readers and TOR and TAILS Users as Extremists by Dave Palmer.

End the constant worry, nagging anxiety, endless arguments with friends about who is being tracked by the NSA! For the small sum of $29.50 (US) you can buy your way into the surveillance list at the NSA.

I can’t think of a cheaper way to get on a watch list, unless you send threatening letters to the U.S. President, which is a crime, so don’t do it.

Step up and assume the mantle of “extremist” in the eyes of the NSA.

You would be hard pressed to find better company.

PS: Being noticed may not seem like a good idea. But the bigger the NSA haystack, the safer all needles will be.

FYI: Glossary Issues with the Chilcot Report

July 10th, 2016

Anyone who is working on more accessible/useful versions of the Chilcot Report should be aware of the following issues with Annex 2 – Glossary.

First, the “glossary” appears to be a mix of acronyms, with their expansions, along with random terms or phrases for which definitions are offered. For example, “FFCD – Full, Final and Complete declaration,” immediately followed by “Five Mile Market – Area in Basra.” (at page 247)

Second, the concept of unique acronyms never occurred to the authors:

AG Adjutant General
AG Advocate General
AG Attorney General
(page 235)

AM Aftermath
AM Air Marshal
(page 236)

BCU Basic Capability Unit
BCU Basra Crimes Unit
(page 238)

BOC Basra Operational Command
BOC Basra Operations Centre
(page 238)

CG Commander General
CG Consul General
CG Consulate General (see BEO)
(page 240)

CIC Coalition Information Centre
CIC Communication and Information Centre
(page 240)

CO Cabinet Office
CO Commanding Officer
(page 241)

DCC Deputy Chief Constable
DCC Dismounted Close Combat
(page 243)

DG Diego Garcia
DG Director General
(page 244)

DIA Defence Intelligence Agency
DIA Department of Internal Affairs
(page 244)

DPA Data Protection Act
DPA Defence Procurement Agency
(page 245)

DSP Defence Strategic Plan
DSP Deployable Spares Pack
(page 245)

EP Equipment Plan
EP Equipment Programme
(page 246)

ESC Emergency Security Committee
ESC Executive Steering Committee
(page 246)

EST Eastern Standard Time
EST Essential Services Team
(page 246)

FP Force Posture
FP Force Protection
(page 247)

IA Interim Administration
IA Iraqi Army
(page 250)

ID Identification
ID (US) Infantry Division
(page 251)

ING Iraqi National Gathering
ING Iraqi National Guard
(page 252)

IO Information Operations
IO International Organisations
(page 252)

ISG Information Strategy Group
ISG Iraq Security Group
ISG Iraq Strategy Group
ISG Iraq Survey Group
(page 253)

MAS Manned Airborne Surveillance
MAS Muqtada al-Sadr
(page 256)

Op Operation
OP Operative Paragraph
(page 260)

OSD US Office of the Secretary of Defense
OSD Out of Service Date
(page 261)

PM Prime Minister
PM Protected Mobility
(page 262)

RA Research Analysts
RA Regular Army
(page 264)

RDD Radiological Dispersal Devices
RDD Required Delivery Date
(page 264)

SAF Small Arms Fire
SAF Stabilisation Aid Fund
(page 265)

SC Security Committee
SC Security Council
(page 265)

SE Scottish Executive
SE South-East
(page 266)

SFA Service Family Accommodation
SFA Strategic Framework Agreement
(page 266)

SG Secretary-General
SG Special Groups
(page 266)

SLA Scottish Lord Advocate
SLA Service Level Agreement
(page 266)

SSE Sensitive Site Exploitation
SSE Spring Supplementary Estimate
(page 267)

UNSC UN Security Council
UNSC UN Special Co-ordinator
(page 270)

Yes, seventy-four (74) items that may be mistaken in any automated processing of the text.

Third, there are items in the glossary that don’t appear in the text outside of the glossary:

H of C House of Commons page 249
HoC House of Commons page 250

The House of Commons is never referred to by “H of C” or “HoC” outside of the glossary.

Fourth, there are items in the glossary that are not specialized vocabulary, as though the glossary is also a mini-English dictionary:

de facto In fact
de jure According to law
(page 244)

Fifth, the acronyms are misleading. For example, if you search for “EPW – Enemy Prisoners of War” (is there another kind?), outside of the glossary there is only one (1) “hit:”

the-report-of-the-iraq-inquiry_section-061.pdf.txt:Communication] and handling of EPW [Enemy Prisoners of War]”.

If you search for the other acronym, “PW – Prisoner of War,” outside of the glossary there is only one (1) “hit:”

the-report-of-the-iraq-inquiry_section-064.pdf.txt:A mass PW [prisoner of war] problem and/or a humanitarian crisis could both

With only casual knowledge of the war in Iraq, that doesn’t sound right, does it?

Try searching for “prison.” That will return 185 “hits.”

Interesting isn’t it? The official acronyms (plural) return one “hit” each and a term not in the glossary returns 185 “hits.”

Makes me wonder about the criteria for inclusion in the glossary.

You?


If you are working with the Chilcot report, I hope you find these comments useful. I am working on an XML format version of the glossary that treats it as acronym -> expansion, suitable for putting the expansion markup inline.

The report randomly, from a reader’s perspective, uses acronyms and expansions. Consistently recording the acronyms and expansions will benefit readers and researchers, two audiences ignored in the Chilcot Report.
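To make the acronym ambiguity concrete, here is an added example (my own code, not the Iraq Inquiry’s or any project’s) that parses glossary lines in the Annex 2 layout, reports acronyms with more than one expansion, emits an acronym -> expansion XML file, and marks up only unambiguous acronyms inline. The sample glossary lines and the XML element names are constructed for the example.

```python
import html
import re
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Constructed sample in the layout of Annex 2 ("ACRONYM expansion" lines,
# each group closed by a "(page N)" line). Not the real annex text.
SAMPLE_GLOSSARY = """\
AG Adjutant General
AG Advocate General
AG Attorney General
(page 235)

AM Aftermath
AM Air Marshal
(page 236)

de facto In fact
(page 244)

EPW Enemy Prisoners of War
(page 246)

H of C House of Commons
(page 249)
"""

PAGE_RE = re.compile(r"^\(page (\d+)\)$")
# Acronym: a leading run of capitals/digits ("AG", "Op", "ID"), optionally of
# the "H of C" shape; expansion: everything after the following spaces.
ENTRY_RE = re.compile(r"^(?P<acronym>[A-Z][A-Za-z0-9]*(?: of [A-Z])?)\s+(?P<expansion>\S.*)$")


def parse_glossary(text):
    """Return ({acronym: [(expansion, page), ...]}, [unparsed lines]).

    Entries are buffered until their "(page N)" line so each sense carries
    its page number; a trailing group with no page line gets page None.
    """
    glossary = OrderedDict()
    unparsed = []
    pending = []

    def flush(page):
        for acronym, expansion in pending:
            glossary.setdefault(acronym, []).append((expansion, page))
        pending.clear()

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        page_match = PAGE_RE.match(line)
        if page_match:
            flush(int(page_match.group(1)))
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match:
            pending.append((entry_match.group("acronym"), entry_match.group("expansion")))
        else:
            unparsed.append(line)  # e.g. "de facto In fact" is not an acronym
    flush(None)
    return glossary, unparsed


def ambiguous(glossary):
    """Acronyms with more than one expansion: the "AG" problem above."""
    return OrderedDict((a, s) for a, s in glossary.items() if len(s) > 1)


def to_xml(glossary):
    """Serialise acronym -> expansion(s) as XML, flagging ambiguous entries."""
    root = ET.Element("glossary")
    for acronym, senses in glossary.items():
        entry = ET.SubElement(root, "entry", acronym=acronym,
                              ambiguous="true" if len(senses) > 1 else "false")
        for expansion, page in senses:
            el = ET.SubElement(entry, "expansion")
            if page is not None:
                el.set("page", str(page))
            el.text = expansion
    return ET.tostring(root, encoding="unicode")


def mark_inline(text, glossary):
    """Wrap unambiguous acronyms in <abbr title=...>; leave ambiguous ones
    untouched, since only a reader of the context can pick the sense."""
    alternatives = "|".join(re.escape(a) for a in sorted(glossary, key=len, reverse=True))
    pattern = re.compile(r"\b(?:%s)\b" % alternatives)

    def expand(match):
        senses = glossary[match.group(0)]
        if len(senses) != 1:
            return match.group(0)
        title = html.escape(senses[0][0], quote=True)
        return '<abbr title="%s">%s</abbr>' % (title, match.group(0))

    return pattern.sub(expand, text)
```

Run `parse_glossary` over the real Annex 2 text and `ambiguous` lists the seventy-four collisions above, which `mark_inline` deliberately leaves for a human to resolve.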

“Going Dark, Going Forward:…” Everyone Is Now Dumber For Having Read It.

July 9th, 2016

Homeland Security’s big encryption report wasn’t fact-checked by Violet Blue.

From the post:

This past week, everyone’s been so focused on Hillary, Trump, police shootings and Dallas that few noticed that the Majority Staff of the House Homeland Security Committee finally released its encryption report — with some pretty big falsehoods in it. “Going Dark, Going Forward: A Primer on the Encryption Debate” is a guide for Congress and stakeholders that makes me wonder if we have a full-blown American hiring crisis for fact-checkers.

The report relied on more than “100 meetings with … experts from the technology industry, federal, state, and local law enforcement, privacy and civil liberties, computer science and cryptology, economics, law and academia, and the Intelligence Community.” And just a little bit of creative license.

The first line of the report is based on flat-out incorrect information.

Do us all a favor, read Violet Blue’s summary of the report and not the report itself.

Reading “Going Dark, Going Forward: A Primer on the Encryption Debate” will leave you mis-informed, annoyed/amazed at congressional committee ignorance, despairing over the future of civilization, and dumber.

I differ from Violet because I think the report is intended to mis-inform, mis-lead and set false terms into play for a debate over encryption.

That is not an issue of fact-checking but of malice.

Consider the “big lie” that Violet quotes from the report (its opening line):

“Public engagement on encryption issues surged following the 2015 terrorist attacks in Paris and San Bernardino, particularly when it became clear that the attackers used encrypted communications to evade detection — a phenomenon known as ‘going dark.'”

Every time that claim is made and repeated in popular media, a disclaimer should immediately appear:

The claim that encrypted communications were used to evade detection in the 2015 terrorist attacks in Paris and San Bernardino is a lie. A lie told with the intent to deceive and manipulate everyone who hears it.

I know, it’s too long to be an effective disclaimer. Do you think “Lying bastards!” in closed captioning would be clear enough?

Counter false narratives like Going Dark, Going Forward: A Primer on the Encryption Debate.

Otherwise, the encryption “debate” will be held on false terms.

Weka MOOCs – Self-Paced Courses

July 8th, 2016

All three Weka MOOCs available as self-paced courses

From the post:

All three MOOCs (“Data Mining with Weka”, “More Data Mining with Weka” and “Advanced Data Mining with Weka”) are now available on a self-paced basis. All the material, activities and assessments are available from now until 24th September 2016 at:

https://weka.waikato.ac.nz/

The Weka software and MOOCs are great introductions to machine learning!

Donald Knuth: Literate Programming on Channel 9

July 7th, 2016

Donald Knuth: Literate Programming on Channel 9.

Description:

The speaker will discuss what he considers to be the most important outcome of his work developing TeX in the 1980s, namely the accidental discovery of a new approach to programming — which caused a radical change in his own coding style. Ever since then, he has aimed to write programs for human beings (not computers) to read. The result is that the programs have fewer mistakes, they are easier to modify and maintain, and they can indeed be understood by human beings. This facilitates reproducible research, among other things.

Presentation at the R User Conference 2016.

Increase your book budget before watching this video!

Faking Government Transparency: The Chilcot Report

July 7th, 2016

The Chilcot Report (Iraq Inquiry) is an example of faking governmental transparency.

You may protest: “But look at all the files, testimony, documents, etc. How can it be more transparent than that?”

That’s not a hard question to answer.

Preventing Shared Public Discussion

The release of the Chilcot Report as PDF files eliminates any possibility of shared public discussion of its contents.

The report will be discussed by members of the media, experts and the public. Public comments are going to be scattered over blogs, newspapers, Twitter, Facebook and other media. And over a long period of time as well.

For example, the testimony of Mr. Jonathan Powell is likely to draw comments:

“… it was a mistake to go so far with de‑Ba’athification. It is a similar mistake the Americans made after the Second World War with de‑Nazification and they had to reverse it. Once it became clear to us, we argued with the administration to reverse it, and they did reverse it, although with difficulty because the Shia politicians in the government were very reluctant to allow it to be reversed, and at the time we were being criticised for not doing enough de‑Ba’athification.”75

75 Public hearing, 18 January 2010, page 128.

Had the report been properly published as HTML, that quote could appear as:

<blockquote id="iraq-inquiry_volume-10-section-111-para78-powell">
“… it was a mistake to go so far with de‑Ba’athification. It is a similar mistake the Americans made after the Second World War with de‑Nazification and they had to reverse it. Once it became clear to us, we argued with the administration to reverse it, and they did reverse it, although with difficulty because the Shia politicians in the government were very reluctant to allow it to be reversed, and at the time we were being criticised for not doing enough de‑Ba’athification.”75
</blockquote>

The primary difference is that with an official identifier for the Powell quote, then everyone discussing it can point to the same quote.

Which enables a member of the public, researcher, reporter or even a member of government, to search for: iraq-inquiry_volume-10-section-111-para78-powell and find every discussion that is indexed on the Internet, that points to that quote.

Granted, it depends on authors using that identifier, but it enables public discussion and research in ways that PDF simply blocks.

Every paragraph, every quote, every list item, every map, should have a unique ID to facilitate pointing to portions of the original report.

A Lack of Hyperlinks

One of the more striking deficits of the Chilcot Report is its lack of hyperlinks. Footnote 75, which you saw above,

75 Public hearing, 18 January 2010, page 128.

is not a hyperlink to that public hearing.

Why should the public be tasked with rummaging through multiple documents when publishing all of the texts as HTML would enable point to point navigation to relevant material?

If you are thinking that the way the lack of HTML/hyperlinks impairs the public’s use of this report is itself the rationale for PDF, you are right in one.

Or consider the lack of hyperlinks to other published materials:

Introduction to the Iraq Inquiry

  • The House of Commons Foreign Affairs Committee published The Decision to go to War in Iraq on 3 July 2003.
  • The Intelligence and Security Committee of Parliament published Iraqi Weapons of Mass Destruction – Intelligence and Assessments on 10 September 2003.
  • Lord Hutton published his Report of the Inquiry into the Circumstances Surrounding the Death of Dr David Kelly CMG on 28 January 2004.
  • A Committee of Privy Counsellors, chaired by Lord Butler of Brockwell, published its Review of Intelligence on Weapons of Mass Destruction on 14 July 2004. Sir John Chilcot was a member of Lord Butler’s Committee.
  • The Baha Mousa Inquiry, chaired by Sir William Gage, was established in May 2008 and published its conclusions on 8 September 2011.2

pages 2 and 3, numbered paragraph 4.

Nary a hyperlink in the lot.

But let’s just take the first one as an example:

The House of Commons Foreign Affairs Committee published The Decision to go to War in Iraq on 3 July 2003.

Where would you go to find that report?

Searching on the title finds volume 1 of that report relatively easily: House of Commons Foreign Affairs Committee The Decision to go to War in Iraq Ninth Report of Session 2002–03 Volume I.

Seeing “volume 1,” makes me suspect there is also a volume 2. Casting about a bit more we find:

http://www.parliament.uk/business/committees/committees-archive/foreign-affairs-committee/fac-pn-28-02-03-/, of which I took the following screenshot:

war-in-iraq-page


In the larger version you will see there are three volumes to The Decision to go to War in Iraq, not one. Where the other two volumes are now, your guess is probably better than mine. I tried a number of queries but did not get useful results.

Multiply those efforts by everyone in the UK who has an interest in this report and you will see the lack of hyperlinks for what it truly is, a deliberate ploy to impede the public’s use of this report.

Degree of Difficulty?

Lest anyone protest that production of HTML with hyperlinks represents an extreme burden on the Iraq Inquiry’s staff, recall the excellent use Parliament makes of the web. (I know a number of markup experts in the UK that I can recommend should the holders of the original text wish to issue a text that would be useful to the public.)

No, the publication of the Iraq Inquiry as non-hyperlinked PDF was a deliberate choice. One designed to impede its use for reasons best known to those making that decision. Unsavory reasons I have no doubt.

PS: In the future, do not accept reports with footnotes/endnotes represented in layout. As logical elements, footnotes/endnotes are much easier to manage.

Unicode® Standard, Version 9.0

July 6th, 2016

Unicode® Standard, Version 9.0

From the webpage:

Version 9.0 of the Unicode Standard is now available. Version 9.0 adds exactly 7,500 characters, for a total of 128,172 characters. These additions include six new scripts and 72 new emoji characters.

The new scripts and characters in Version 9.0 add support for lesser-used languages worldwide, including:

  • Osage, a Native American language
  • Nepal Bhasa, a language of Nepal
  • Fulani and other African languages
  • The Bravanese dialect of Swahili, used in Somalia
  • The Warsh orthography for Arabic, used in North and West Africa
  • Tangut, a major historic script of China

Important symbol additions include:

  • 19 symbols for the new 4K TV standard
  • 72 emoji characters such as the following

Why they chose to omit the bacon emoji from the short list is a mystery to me:

bacon-emoji-460

Get your baking books out! I see missing bread emojis. ;-)

Chilcot Report – Collected PDFs, Converted to Text

July 6th, 2016

I didn’t see a bulk download option for the chapters of the Chilcot Report at the Iraq Inquiry Report page, so I have collected those files and bundled them up for download as Iraq-Inquiry-Report-All-Volumes.tar.gz.

I wrote about Apache PDFBox recently, so I also converted all of those files to text and have bundled them up as Iraq-Inquiry-Report-Text-Conversion.tar.gz.

Some observations on the text files:

  • Numbered paragraphs have the format: digit(one or more)-period-space
  • Footnotes are formatted: digit(1 or more)-space-text
  • Page numbers: digit(1 or more)-space-no following text

Suggestions on other processing steps?
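One processing step, as an added example that is not part of the original post or the Iraq Inquiry’s materials: a classifier for the three line shapes listed above, with a sequence check so that body text that merely starts with a number (a year, say) is not taken for a footnote, and a pass that attaches each page number to the lines that precede it, since the conversion prints the page number after the page’s text. The sample lines are constructed.

```python
import re

# Constructed lines in the shape of the PDFBox text conversion described
# above; not taken from the actual report text.
SAMPLE_LINES = [
    "4. The House of Commons Foreign Affairs Committee published its report.",
    "It was published on 3 July 2003 and widely debated.",
    "75 Public hearing, 18 January 2010, page 128.",
    "76 Public hearing, 18 January 2010, page 130.",
    "128 ",
    "5. The Intelligence and Security Committee published its own report.",
    "2003 was also the year in which the Hutton inquiry was announced.",
    "129",
]

PARAGRAPH_RE = re.compile(r"^(\d+)\. (\S.*)$")   # digits-period-space-text
FOOTNOTE_RE = re.compile(r"^(\d+) (\S.*)$")      # digits-space-text
PAGE_RE = re.compile(r"^(\d+)\s*$")              # digits-space-nothing else


def classify(lines):
    """Tag each line as ("paragraph"|"footnote"|"page"|"text", number, text).

    A "digits space text" line is accepted as a footnote only when its number
    continues the footnote sequence seen so far (the first such line is
    trusted); otherwise it is body text that happens to start with a number,
    which the pattern alone cannot tell apart from a footnote.
    """
    tagged = []
    last_footnote = None
    for line in lines:
        m = PAGE_RE.match(line)
        if m:
            tagged.append(("page", int(m.group(1)), ""))
            continue
        m = PARAGRAPH_RE.match(line)
        if m:
            tagged.append(("paragraph", int(m.group(1)), m.group(2)))
            continue
        m = FOOTNOTE_RE.match(line)
        if m:
            number = int(m.group(1))
            if last_footnote is None or number == last_footnote + 1:
                last_footnote = number
                tagged.append(("footnote", number, m.group(2)))
                continue
        tagged.append(("text", None, line))
    return tagged


def assign_pages(tagged):
    """Attach the page number to every item that precedes a page marker and
    drop the markers; trailing items with no marker get page None."""
    out, buffer = [], []
    for kind, number, text in tagged:
        if kind == "page":
            out.extend((k, n, t, number) for k, n, t in buffer)
            buffer = []
        else:
            buffer.append((kind, number, text))
    out.extend((k, n, t, None) for k, n, t in buffer)
    return out
```

The page numbers recovered this way are what lets a citation like “Public hearing, 18 January 2010, page 128” be tied back to the converted text.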

The Iraq Inquiry (Chilcot Report) [4.5x longer than War and Peace]

July 6th, 2016

The Iraq Inquiry

To give a rough sense of the depth of the Chilcot Report, the executive summary runs 150 pages. The report appears in twelve (12) volumes, not including video testimony, witness transcripts, documentary evidence, contributions and the like.

Cory Doctorow reports a Guardian project to crowd source collecting facts from the 2.6 million word report. The Guardian observes the Chilcot report is “…almost four-and-a-half times as long as War and Peace.”

Manual reading of the Chilcot report is doable, but unlikely to yield all of the connections that exist between participants, witnesses, evidence, etc.

How would you go about making the Chilcot report and its supporting evidence more amenable to navigation and analysis?

The Report

The Evidence

Other Material

Unfortunately, sections within volumes were not numbered according to their volume. In other words, volume 2 starts with section 3.3 and ends with 3.5, whereas volume 4 only contains sections beginning with “4.,” while volume 5 starts with section 5 but also contains sections 6.1 and 6.2. Nothing can be done for it but be aware that section numbers don’t correspond to volume numbers.

When AI’s Take The Fifth – Sign Of Intelligence?

July 6th, 2016

Taking the fifth amendment in Turing’s imitation game by Kevin Warwick and Huma Shah.

Abstract:

In this paper, we look at a specific issue with practical Turing tests, namely the right of the machine to remain silent during interrogation. In particular, we consider the possibility of a machine passing the Turing test simply by not saying anything. We include a number of transcripts from practical Turing tests in which silence has actually occurred on the part of a hidden entity. Each of the transcripts considered here resulted in a judge being unable to make the ‘right identification’, i.e., they could not say for certain which hidden entity was the machine.

A delightful read about something never seen in media interviews: silence of the person being interviewed.

Of the interviews I watch, which is thankfully a small number, most people would seem more intelligent by being silent more often.

I take the authors’ results as a mark in favor of Fish’s interpretative communities because “interpretation” of silence falls squarely on the shoulders of the questioner.

If you don’t know the name Kevin Warwick, you should.


As of today, footnote 1 correctly points to the Fifth Amendment text at Cornell but mis-quotes it. In relevant part the Fifth Amendment reads, “…nor shall be compelled in any criminal case to be a witness against himself….”

Everything You Wanted to Know about Book Sales (But Were Afraid to Ask)

July 5th, 2016

Everything You Wanted to Know about Book Sales (But Were Afraid to Ask) by Lincoln Michel.

From the post:

Publishing is the business of creating books and selling them to readers. And yet, for some reason we aren’t supposed to talk about the latter.

Most literary writers consider book sales a half-crass / half-mythological subject that is taboo to discuss.
While authors avoid the topic, every now and then the media brings up book sales — normally to either proclaim, yet again, the death of the novel, or to make sweeping generalizations about the attention spans of different generations. But even then, the data we are given is almost completely useless for anyone interested in fiction and literature. Earlier this year, there was a round of excited editorials about how print is back, baby after industry reports showed print sales increasing for the second consecutive year. However, the growth was driven almost entirely by non-fiction sales… more specifically adult coloring books and YouTube celebrity memoirs. As great as adult coloring books may be, their sales figures tell us nothing about the sales of, say, literary fiction.

Lincoln’s account mirrors my experience (twice) with a small press decades ago.

While you (rightfully) think that every sane person on the planet will forego the rent in order to purchase your book, sadly your publisher is very unlikely to share that view.

One of the comments to this post reads:

…Writing is a calling but publishing is a business.

Quite so.

Don’t be discouraged by this account but do allow it to influence your expectations, at least about the economic rewards of publishing.

Just in case I get hit with the publishing bug again, good luck to us all!

Free Programming Books – Update

July 5th, 2016

Free Programming Books by Victor Felder.

From the webpage:

This list initially was a clone of stackoverflow – List of Freely Available Programming Books by George Stocker. Now updated, with dead links gone and new content.

Moved to GitHub for collaborative updating.

Great listing of resources!

But each resource stands alone as its own silo. It can (and many do) refer to other materials, even with hyperlinks, but if you want to explore any of them, you must explore them separately. That’s what being in a silo means. You have to start over at the beginning. Every time.

That is complicated by the existence of thousands of slideshows and videos on programming topics not listed here. Search for your favorite programming language at Slideshare and Youtube. There are other repositories of slideshows and videos, those are just examples.

Each one of those slideshows and/or videos is also a silo. Not to mention that with video you need a time marker if you aren’t going to watch every second of it to find relevant material.

What if you could traverse each of those silos, books, posts, slideshows, videos, documentation, source code, seamlessly?

Making that possible for C/C++ now, given the backlog of material, would have a large upfront cost before it could be useful.

Making that possible for languages with shorter histories, well, how useful would it need to be to justify its cost?

And how would you make it possible for others to easily contribute gems that they find?

Something to think about as you wander about in each of these separate silos.

Enjoy!

Using A Shared Password Is A Crime (9th Circuit, U.S. v. Nosal) Full Text of Opinion

July 5th, 2016

U.S. appeals court rejects challenge to anti-hacking law by Jonathan Stempel.

From the post:

A divided federal appeals court on Tuesday gave the U.S. Department of Justice broad leeway to police password theft under a 1984 anti-hacking law, upholding the conviction of a former Korn/Ferry International executive for stealing confidential client data.

The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee’s password to access the recruiting firm’s computers and obtain information to help start a new firm.

Writing for a 2-1 majority, Circuit Judge Margaret McKeown said Nosal acted “without authorization” even though the employee, his former secretary, had voluntarily provided her password.

The full text of the decision (plus dissent) in U.S. v. Nosal, No. 14-10037.

This case has a long history, which I won’t try to summarize now.

Hillary Clinton Email Archive

July 5th, 2016

Hillary Clinton Email Archive by Wikileaks.

From the webpage:

On March 16, 2016 WikiLeaks launched a searchable archive for 30,322 emails & email attachments sent to and from Hillary Clinton’s private email server while she was Secretary of State. The 50,547 pages of documents span from 30 June 2010 to 12 August 2014. 7,570 of the documents were sent by Hillary Clinton. The emails were made available in the form of thousands of PDFs by the US State Department as a result of a Freedom of Information Act request. The final PDFs were made available on February 29, 2016.

“Truthers” may be interested in this searchable archive of Clinton’s emails while Secretary of State.

“Truthers” because the FBI’s recommendation of no charges effectively ends this particular approach to derail Clinton’s run for the presidency.

Many wish the result were different but when the last strike is called, arguing about it isn’t going to change the score of the game.

New evidence and new facts, on the other hand, are unknown factors and could make a difference whereas old emails will not.

Are you going to be looking for new evidence and facts or crying over calls in a game already lost?

Promiscuous Use of USB Sticks

July 5th, 2016

17% of US employees would use a USB stick found in the street by Marika Samarati.

From the post:


The social experiment – 17% caught in the net

The team of researchers hypothesized that, while there is increasing concern about cyber attacks and data breaches, people still have poor cybersecurity hygiene that puts their own devices at risk. To test this assumption, they dropped 200 USB sticks in public spaces. Each stick contained text files prompting the reader to click on a link or send an email to a specific address. After a few weeks, 17% of the sticks were picked up, plugged in, and resulted in the researchers being notified, either because the user clicked on the link or sent an email. The hypothesis turned out to be true: Despite people’s awareness of cyber threats, they still make decisions that could have disastrous outcomes.

I take the 17% to be a low estimate of the people who used the USB sticks left in public places. It isn’t possible to tell how many plugged in a stick without ever opening the text files or, having opened them, simply ignored the request for contact.

Incentive to take fashionable/attractive USB sticks on job interviews, tours, site visits, etc.

Apache PDFBox 2 – Vulnerability Warning

July 5th, 2016

Apache PDFBox 2 by Dustin Marx.

From the post:

Apache PDFBox 2 was released earlier this year and Apache PDFBox 2.0.1 and Apache PDFBox 2.0.2 have since been released. Apache PDFBox is open source (Apache License Version 2) and Java-based (and so is easy to use with a wide variety of programming languages including Java, Groovy, Scala, Clojure, Kotlin, and Ceylon). Apache PDFBox can be used by any of these or other JVM-based languages to read, write, and work with PDF documents.

Apache PDFBox 2 introduces numerous bug fixes in addition to completed tasks and some new features. Apache PDFBox 2 now requires Java SE 6 (J2SE 5 was minimum for Apache PDFBox 1.x). There is a migration guide, Migration to PDFBox 2.0.0, that details many differences between PDFBox 1.8 and PDFBox 2.0, including updated dependencies (Bouncy Castle 1.53 and Apache Commons Logging 1.2) and “breaking changes to the library” in PDFBox 2.

PDFBox can be used to create PDFs. The next code listing is adapted from the Apache PDFBox 1.8 example “Create a blank PDF” in the Document Creation “Cookbook” examples. The referenced example explicitly closes the instantiated PDDocument and probably does so for the benefit of those using a version of Java before JDK 7. For users of Java 7, however, try-with-resources is a better option for ensuring that the PDDocument instance is closed and it is supported because PDDocument implements AutoCloseable.

If you don’t know Apache PDFBox™, its homepage lists the following features:

  • Extract Text
  • Print
  • Split & Merge
  • Save as Image
  • Fill Forms
  • Create PDFs
  • Preflight
  • Signing

Warning: If you are using Apache PDFBox, update to the most recent version.

CVE-2016-2175 XML External Entity vulnerability (2016-05-27)

Due to an XML External Entity vulnerability we strongly recommend updating to the most recent version of Apache PDFBox.

Versions Affected: Apache PDFBox 1.8.0 to 1.8.11 and 2.0.0. Earlier, unsupported versions may be affected as well.

Mitigation: Upgrade to Apache PDFBox 1.8.12 or 2.0.1 respectively
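A practical follow-up to that advisory, added here as an example and not part of the original post or of the PDFBox project: a short Python script that reads a Maven pom.xml, resolves `${...}` version properties, and flags any org.apache.pdfbox artifact whose version falls inside the affected ranges quoted above. The ranges are taken from the advisory text; two assumptions are mine and marked in the code: every artifact in the org.apache.pdfbox group is taken to share the project version, and because the advisory says earlier unsupported versions “may be affected,” anything below 1.8.0 is treated as affected. The pom.xml is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Ranges copied from the advisory: 1.8.0 - 1.8.11 and 2.0.0 are affected.
# Assumption: versions below 1.8.0 ("earlier, unsupported versions may be
# affected as well") are treated as affected, to stay on the safe side.
AFFECTED_RANGES = [((1, 8, 0), (1, 8, 11)), ((2, 0, 0), (2, 0, 0))]
FIRST_FIXED = {1: "1.8.12", 2: "2.0.1"}


def parse_version(version: str):
    """(major, minor, patch) for '2.0.1' or '1.8.12-SNAPSHOT'; None when the
    string is not numeric (e.g. an unresolved Maven property)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: str):
    """True inside an affected range, False at or above the fix, None if the
    version cannot be parsed and must be checked by hand."""
    v = parse_version(version)
    if v is None:
        return None
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return True
    return v < (1, 8, 0)


def pdfbox_dependencies(pom_xml: str):
    """List (artifactId, version, affected) for every org.apache.pdfbox
    dependency. Assumption: all artifacts in that group ship the project
    version, so all of them are checked, not only 'pdfbox'."""
    root = ET.fromstring(pom_xml)
    # <properties> so that <version>${pdfbox.version}</version> can be resolved
    props = {}
    for p in root.iterfind("{*}properties/*"):
        props[p.tag.split("}")[-1]] = (p.text or "").strip()
    results = []
    for dep in root.iterfind(".//{*}dependency"):
        group = (dep.findtext("{*}groupId") or "").strip()
        artifact = (dep.findtext("{*}artifactId") or "").strip()
        version = (dep.findtext("{*}version") or "").strip()
        if group != "org.apache.pdfbox":
            continue
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        results.append((artifact, version, is_affected(version)))
    return results


# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <pdfbox.version>2.0.0</pdfbox.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.pdfbox</groupId>
      <artifactId>pdfbox</artifactId>
      <version>${pdfbox.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.pdfbox</groupId>
      <artifactId>fontbox</artifactId>
      <version>1.8.12</version>
    </dependency>
    <dependency>
      <groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId>
      <version>1.2</version>
    </dependency>
  </dependencies>
</project>
"""


def report(pom_xml: str = SAMPLE_POM) -> list:
    """One human-readable line per org.apache.pdfbox dependency."""
    lines = []
    for artifact, version, affected in pdfbox_dependencies(pom_xml):
        if affected is None:
            lines.append(f"{artifact} {version}: version not resolvable, check manually")
        elif affected:
            fixed = FIRST_FIXED.get(parse_version(version)[0], "latest release")
            lines.append(f"{artifact} {version}: AFFECTED by CVE-2016-2175, upgrade to {fixed}")
        else:
            lines.append(f"{artifact} {version}: not in an affected range")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Versions inherited from a parent POM or a dependencyManagement section come back as unresolvable; those still need a manual look (or `mvn dependency:tree`), which is why the script reports them rather than silently passing them.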

SEO Tools: The Complete List (153 Free and Paid Tools) [No IEO Tools?]

July 5th, 2016

SEO Tools: The Complete List (153 Free and Paid Tools) by Brian Dean.

Updated as of May 20, 2016.

There is a PDF version but that requires sacrifice of your email address, indeterminate waiting for the confirmation email, etc.

The advantage of the PDF version isn’t clear, other than you can print it on marketing’s color printer. Something to cement that close bond between marketing and IT.

With the abundance of search engine optimization tools, have you noticed the lack of index engine optimization (IEO) tools?

When an indexing engine is “optimized,” the settings of the indexing engine are altered to produce a “better” result. So far as I know, the data being indexed isn’t normally changed to alter the behavior of the indexing engine.

In contrast, data destined for a search engine is expected to change/optimize itself to alter the behavior of the search engine.

What if data were index engine optimized, say to distinguish terms with multiple meanings, at the time of indexing? Say articles in the New York Times were paired with vocabulary lists of the names, terms, etc. that appear within them.

Bi-directional links so that an index of the vocabulary lists would at the same time be an index of the articles themselves.

Thoughts?

Securing A Travel iPhone

July 5th, 2016

Securing A Travel iPhone by Filippo Valsorda.

From the post:

These are dry notes I took in the process of setting up a burner iPhone SE as a secure travel device. They are roughly in setup order.

I believe iOS to be the most secure platform one can use at this time, but there are a lot of switches and knobs. This list optimizes for security versus convenience.

Don’t use anything older than an iPhone 5S, it wouldn’t have the TPM.

Needless to say, use long unique passwords everywhere.

There are more than forty (40) tasks/sub-tasks to securing a travel iPhone so you best start well ahead of time.

No security is perfect but if you follow this guide, you will be more secure than the vast majority of travelers.

Were You Paying Attention In June 2016?

July 4th, 2016

June’s fake news quiz: Football fans, kissing politicians and Arnie on safari by Alastair Reid, First Draft.

Alastair’s fake news quiz is a good way to find out.

Prior fake news quizzes are listed in case you want to test your long term memory.

Cybersecurity By Design?

July 4th, 2016

Shaun Nichols reports in Mozilla emits nightly builds of heir-to-Firefox browser engine Servo:

Mozilla has started publishing nightly in-development builds of its experimental Servo browser engine so anyone can track the project’s progress.

Executables for macOS and GNU/Linux are available right here to download and test drive even if you’re not a developer. If you are, the open-source engine’s code is here if you want to build it from scratch, fix bugs, or contribute to the effort.

Right now, the software is very much in a work-in-progress state, with a very simple user interface built out of HTML. It’s more of a technology demonstration than a viable web browser, although Mozilla has pitched Servo as a potential successor to Firefox’s Gecko engine.

Crucially, Servo is written using Rust – Mozilla’s more-secure C-like systems programming language. If Google has the language of Go, Moz has the language of No: Rust. It works hard to stop coders making common mistakes that lead to exploitable security bugs, and we literally mean stop: the compiler won’t build the application if it thinks dangerous code is present.

Rust focuses on safety and speed: its security measures do not impact it at run-time as the safety mechanisms are in the language by design. For example, variables in Rust have an owner and a lifetime; they can be borrowed by another owner. When a variable is being used by one owner, it cannot be used by another. This is supposed to help enforce memory safety and stop data races between threads.

It also forces the programmer to stop and think about their software’s design – Rust is not something for novices to pick up and quickly bash out code on.

Even though pre-release and rough, I was fairly excited until I read:


One little problem is that Servo relies on Mozilla’s SpiderMonkey JavaScript engine, which is written in C/C++. So while the HTML-rendering engine will run secured Rust code, fingers crossed nothing terrible happens within the JS engine.

Really?

But then I checked Mozilla JavaScript-C Engine – SpiderMonkey at BlackDuck | Security, which shows zero (0) vulnerabilities over the last 10 versions.

Other than SpiderMonkey vulnerabilities known to the NSA, any others you care to mention?

Support, participate, submit bug reports on the new rendering engine but don’t forget about the JavaScript engine.

Breaking Honeypots For Fun And Profit – Detecting Deception

July 4th, 2016

by Dean Sysman & Gadi Evron & Itamar Sher

The description:

We will detect, bypass, and abuse honeypot technologies and solutions, turning them against the defender. We will also release a global map of honeypot deployments, honeypot detection vulnerabilities, and supporting code.

The concept of a honeypot is strong, but the way honeypots are implemented is inherently weak, enabling an attacker to easily detect and bypass them, as well as make use of them for his own purposes. Our methods are analyzing the network protocol completeness and operating system software implementation completeness, and vulnerable code.

As a case study, we will concentrate on platforms deployed in real organizational networks, mapping them globally, and demonstrating how it is possible to both bypass and use these honeypots to the attacker’s advantage.

The slides for the presentation.

This presentation addresses the question of detecting (identifying) a deception.

Detection of the following honeypots discussed:

Artillery: https://github.com/BinaryDefense/artillery (Updated URL)

BearTrap: https://github.com/chrisbdaemon/BearTrap

honeyd: http://www.honeyd.org

Dionaea: http://dionaea.carnivore.it/ (timed out on July 4, 2016)

Glastopf: http://glastopf.org/

Kippo: https://github.com/desaster/kippo

KFSensor: http://www.keyfocus.net/kfsensor/

Nova: https://github.com/DataSoft/Nova
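As an added illustration of the “protocol completeness” idea (this is my example, not the presenters’ code or their detection method): one of the cheapest checks is whether a server’s SSH version exchange line obeys RFC 4253 §4.2, i.e. at most 255 bytes, terminated by CR LF, protoversion 2.0 (or 1.99 for servers that also speak 1.x), and no whitespace or minus sign inside softwareversion. The banners below are constructed samples, not captures from any of the honeypots listed above.

```python
import re

# RFC 4253 s4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# at most 255 bytes including the CR LF.
MAX_ID_LEN = 255
ID_LINE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<sw>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r\n$"
)


def check_ssh_identification(line: bytes) -> list:
    """Return the conformance problems found in one server identification line.
    An empty list means the line is RFC-conformant, which a real server must be
    but which does not by itself rule out a honeypot."""
    findings = []
    if len(line) > MAX_ID_LEN:
        findings.append(f"length {len(line)} exceeds RFC limit of {MAX_ID_LEN}")
    if not line.endswith(b"\r\n"):
        findings.append("not terminated by CR LF")
    m = ID_LINE.match(line)
    if m is None:
        findings.append("does not match SSH-protoversion-softwareversion [SP comments] CR LF")
        return findings
    if m.group("proto") not in (b"2.0", b"1.99"):
        findings.append(f"protoversion {m.group('proto').decode()} is neither 2.0 nor 1.99")
    sw = m.group("sw")
    # softwareversion must be printable US-ASCII without whitespace or '-'
    if any(c < 0x21 or c > 0x7E or c == 0x2D for c in sw):
        findings.append(f"softwareversion {sw!r} contains whitespace, a minus sign or a non-printable byte")
    return findings


# Constructed sample banners (not captures from any listed honeypot).
SAMPLE_BANNERS = {
    "conformant": b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\r\n",
    "bare-lf": b"SSH-2.0-OpenSSH_5.1p1 Debian-5\n",
    "old-proto": b"SSH-1.5-SomeServer\r\n",
    "minus-in-sw": b"SSH-2.0-Some-Server\r\n",
    "too-long": b"SSH-2.0-" + b"x" * 250 + b"\r\n",
}


def score_banners(banners=SAMPLE_BANNERS) -> dict:
    """Map each banner name to its list of findings; empty means conformant."""
    return {name: check_ssh_identification(line) for name, line in banners.items()}


if __name__ == "__main__":
    for name, findings in score_banners().items():
        print(name, "->", findings or "conformant")
```

A conformant banner proves nothing on its own; the talk’s point is that honeypots fall down on the deeper parts of the protocol and of the operating system they imitate, and a probe set has to go there too. Treat an empty findings list as a pass on one check, not as a verdict.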

The presentation argued that identifying an attack can, at best, get that attack blocked by defensive code, whereas identifying the attacker can have consequences for the attack as an operation.

Combining an IP address along with other dimensions of identification, say with a topic map, could prove to be a means of sharpening the consequences for attackers.

Of course, I am assuming that at least within an agency, agents share data/insights towards a common objective. That may not be the case in your agency.

While looking for other resources on honeypots, I did find Collection of Awesome Honeypots, dating from December of 2015.

Thomas Jefferson (Too Early For Tor – TEFT)

July 4th, 2016

Official Presidential portrait of Thomas Jefferson (by Rembrandt Peale, 1800)

Thomas Jefferson lived centuries before the internet and the rise of Tor but he is easy to see as a Tor user.

He was the author of the Declaration of Independence, which if you read the details, is a highly offensive document:


He has affected to render the Military independent of and superior to the Civil Power.

He has combined with others to subject us to a jurisdiction foreign to our constitution, and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For quartering large bodies of armed troops among us:

For protecting them, by a mock Trial from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us in many cases, of the benefit of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation, and tyranny, already begun with circumstances of Cruelty & Perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

Update the language of “For transporting us beyond Seas to be tried for pretended offences” to “Transporting people to Guantanamo Bay prison for unlawful detention” and you have a good example of what FBI wants discussed in clear text.

Make no mistake, the FBI of today, working for George III, would have arrested Thomas Jefferson if it caught wind of the Declaration of Independence. At that time, Jefferson was not the towering figure of liberty that he is today. Then he was the opponent of a nation-state.

Jefferson was too early for Tor but he is the type of person that Tor protects.

Do you want to be on the side of George III or Jefferson in history?

Support Tor!

Outing Dark Web Spies (Donate to Tor)

July 3rd, 2016

Two security experts have conducted a study that allowed them to spot over 100 snooping Tor Nodes spying on Dark Web Sites by Pierluigi Paganini.

From the post:

…Joseph Cox from Motherboard reported a study conducted by Guevara Noubir, a professor from the College of Computer and Information Science at Northeastern University, and Amirali Sanatinia, a PhD candidate also from Northeastern, who revealed the existence of a number of Tor hidden service directories that are spying on Tor websites. Such attacks could allow law enforcement to discover IP addresses of black markets and child pornography sites.

A similar technique could also be very useful for security firms that offer dark web intelligence services.

Threat actors using this technique could reveal the IP address of Tor hidden services. Noubir will present the results of the research at the Def Con hacking conference in August.

“We create what we call ‘honey onions’ or ‘honions.’ These are onion addresses that we don’t share with anyone,” Noubir said.

The security researchers ran 4,500 honey onions over 72 days; they identified at least 110 HSDirs that have been configured to spy on hidden services.

The experts highlighted that some of the threat actors operating the bogus HSDirs were active observers involved in many activities, including penetration testing.
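The attribution logic behind honey onions, written out as an added example (this is not the researchers’ code): because a honion address is never published, a visit can only be explained by one of the HSDirs that held its descriptor, and since each descriptor sits on several HSDirs the analysis becomes a set-cover problem over the visited honions. The placement map, the visit log and the HSDir names below are all constructed for the example.

```python
# Constructed placement map (hypothetical HSDir names): the HSDirs each honion
# descriptor was uploaded to. On the live network a descriptor goes to several
# HSDirs, which is why one visit rarely pins down a single culprit.
PLACEMENTS = {
    "h1": frozenset({"hsdir-A", "hsdir-B"}),
    "h2": frozenset({"hsdir-A", "hsdir-C"}),
    "h3": frozenset({"hsdir-D"}),
    "h4": frozenset({"hsdir-B", "hsdir-E"}),
    "h5": frozenset({"hsdir-C", "hsdir-F"}),
    "h6": frozenset({"hsdir-E", "hsdir-F"}),
}

# Constructed visit log. Honion addresses are never shared, so any visit means
# an HSDir that held the descriptor looked the address up or passed it on.
VISITED = {"h1", "h2", "h3"}


def holders(placements, visited):
    """Every HSDir that held at least one visited honion: the full suspect list."""
    return {d for h in visited for d in placements[h]}


def definite_snoopers(placements, visited):
    """HSDirs that were the sole holder of some visited honion; nobody else
    could have learned that address."""
    return {next(iter(placements[h])) for h in visited if len(placements[h]) == 1}


def suspicion_scores(placements, visited):
    """How many visited honions each suspect held, for ranking follow-up."""
    scores = {}
    for h in visited:
        for d in placements[h]:
            scores[d] = scores.get(d, 0) + 1
    return scores


def minimal_explanation(placements, visited):
    """Smallest set of HSDirs that explains every visit, by greedy set cover
    (an approximation; ties are broken by name so the result is deterministic)."""
    unexplained = set(visited)
    chosen = []
    while unexplained:
        candidates = sorted(holders(placements, unexplained))
        best = max(candidates,
                   key=lambda d: sum(1 for h in unexplained if d in placements[h]))
        chosen.append(best)
        unexplained = {h for h in unexplained if best not in placements[h]}
    return chosen


if __name__ == "__main__":
    print("suspects:", sorted(holders(PLACEMENTS, VISITED)))
    print("definite:", sorted(definite_snoopers(PLACEMENTS, VISITED)))
    print("scores:", suspicion_scores(PLACEMENTS, VISITED))
    print("minimal explanation:", minimal_explanation(PLACEMENTS, VISITED))
```

Note what the data does not say: hsdir-E and hsdir-F held only unvisited honions, but that does not clear them, since a snooping HSDir need not probe every descriptor it sees. The “at least 110” figure quoted above is best read the same way, as a lower bound derived from the visits that were actually observed.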

While Next Generation Onion Services (issue 224; Montreal 2016 update) are under development, outing dark web spies may be your next best defense.

Your best defense is supporting the Tor project. Your support will help it gain and keep the advantage over dark web spies.

By helping Tor, you will be helping all of us, yourself included.

PS: Def Con 24 is August 4-7, 2016, at Paris + Bally’s in Las Vegas. No pre-registration, $240 USD cash at the door.

Developing Expert p-Hacking Skills

July 2nd, 2016

Introducing the p-hacker app: Train your expert p-hacking skills by Ned Bicare.

Ned’s p-hacker app will be welcomed by everyone who publishes where p-values are accepted.

Publishers should mandate authors and reviewers to submit six p-hacker app results along with any draft that contains, or is a review of, p-values.

The p-hacker app results won’t improve a draft and/or review, but when compared to the draft, will improve the publication in which it might have appeared.

From the post:

My dear fellow scientists!

“If you torture the data long enough, it will confess.”

This aphorism, attributed to Ronald Coase, sometimes has been used in a disrespectful manner, as if it was wrong to do creative data analysis.

In fact, the art of creative data analysis has experienced despicable attacks over the last years. A small but annoyingly persistent group of second-stringers tries to denigrate our scientific achievements. They drag psychological science through the mire.

These people propagate stupid method repetitions; and what was once one of the supreme disciplines of scientific investigation – a creative data analysis of a data set – has been crippled to conducting an empty-headed step-by-step pre-registered analysis plan. (Come on: If I lay out the full analysis plan in a pre-registration, even an undergrad student can do the final analysis, right? Is that really the high-level scientific work we were trained for so hard?).

They broadcast at an annoying frequency that p-hacking leads to more significant results, and that researchers who use p-hacking have higher chances of getting things published.

What are the consequence of these findings? The answer is clear. Everybody should be equipped with these powerful tools of research enhancement!

The art of creative data analysis

Some researchers describe a performance-oriented data analysis as “data-dependent analysis”. We go one step further, and call this technique data-optimal analysis (DOA), as our goal is to produce the optimal, most significant outcome from a data set.

I developed an online app that allows you to practice creative data analysis and how to polish your p-values. It’s primarily aimed at young researchers who do not have our level of expertise yet, but I guess even old hands might learn one or two new tricks! It’s called “The p-hacker” (please note that ‘hacker’ is meant in a very positive way here. You should think of the cool hackers who fight for world peace). You can use the app in teaching, or to practice p-hacking yourself.

Please test the app, and give me feedback! You can also send it to colleagues: http://shinyapps.org/apps/p-hacker.

Enjoy!
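Why the “research enhancement” above works, as an added simulation that is not Ned’s app: a one-sample z-test on pure noise (true mean zero, so every significant result is a false positive) run honestly once at the end, against the optional-stopping trick of peeking every few observations and writing up at the first p below 0.05. All data is generated inside the script with a fixed seed.

```python
import math
import random


def two_sided_p(mean: float, n: int, sigma: float = 1.0) -> float:
    """p-value of a one-sample z-test of H0: mu = 0 with known sigma."""
    z = mean * math.sqrt(n) / sigma
    return math.erfc(abs(z) / math.sqrt(2.0))


def run_study(rng: random.Random, n_max: int, peek_every: int, alpha: float):
    """Draw up to n_max observations from N(0, 1), so H0 is true.
    Returns (honest_hit, hacked_hit): the honest analyst tests once at n_max;
    the p-hacker peeks every `peek_every` observations and declares victory at
    the first p < alpha (optional stopping)."""
    total = 0.0
    hacked_hit = False
    for i in range(1, n_max + 1):
        total += rng.gauss(0.0, 1.0)
        if not hacked_hit and i % peek_every == 0 and two_sided_p(total / i, i) < alpha:
            hacked_hit = True  # the p-hacker would stop and write up here
    honest_hit = two_sided_p(total / n_max, n_max) < alpha
    return honest_hit, hacked_hit


def false_positive_rates(n_sims: int = 2000, n_max: int = 100, peek_every: int = 10,
                         alpha: float = 0.05, seed: int = 1):
    """Fraction of null studies reported as significant: (honest, hacked)."""
    rng = random.Random(seed)
    honest = hacked = 0
    for _ in range(n_sims):
        h, k = run_study(rng, n_max, peek_every, alpha)
        honest += h
        hacked += k
    return honest / n_sims, hacked / n_sims


if __name__ == "__main__":
    h, k = false_positive_rates()
    print(f"honest: {h:.3f}  optional stopping: {k:.3f}  (nominal alpha 0.05)")
```

With ten looks at the data the false-positive rate lands around three to four times the nominal 5%; with a single look it stays at 5%. Optional stopping is only one of the knobs the app lets you turn, but it is the one whose effect is easiest to reproduce from scratch.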

Five Essential Research Tips for Journalists Using Google

July 2nd, 2016

Five Essential Research Tips for Journalists Using Google by Temi Adeoye.

This graphic:

[image: google-search-460]

does not appear in Temi’s post but rather in a tweet by the International Center For Journalism (ICFJ) about his post.

See Temi’s post for the details but this graphic is a great reminder.

This will make a nice addition to my local page of search links.