Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

December 26, 2018

Practical Gremlin – An Apache TinkerPop Tutorial

Filed under: Gremlin,TinkerGraph,TinkerPop — Patrick Durusau @ 4:06 pm

Practical Gremlin – An Apache TinkerPop Tutorial by Kelvin R. Lawrence.

From the webpage:

This book is a work in progress. Feedback (ideally via issue) is very much encouraged and welcomed!

The title of this book could equally well be “A getting started guide for users of graph databases and the Gremlin query language featuring hints, tips and sample queries”. It turns out that is a bit too long to fit on one line for a heading but in a single sentence that describes the focus of this book pretty well.

The book introduces the Apache TinkerPop 3 Gremlin graph query and traversal language via real examples against a real world graph. They are given as a set of working examples against a graph that is also provided in the sample-data folder. The graph, air-routes.graphml, is a model of the world airline route network between 3,367 airports including 43,160 routes. The examples we present will work unmodified with the air-routes.graphml file loaded into the Gremlin console running with a TinkerGraph.

What do you think? Is “A getting started guide for users of graph databases and the Gremlin query language featuring hints, tips and sample queries” too long for a title? Perhaps not for a German dissertation (too short) but for a web title? I suspect Lawrence is right.

Still, at 400 pages with more content to be added, it won’t be a quick read. Enjoyable one, but not a quick one! Be sure to give feedback as issues if your New Year starts off with this book.

December 24, 2018

Intel Neural Compute Stick 2

Filed under: Neural Information Processing,Neural Networks — Patrick Durusau @ 3:20 pm

Intel Neural Compute Stick 2 (Mouser Electronics)

From the webpage:

Intel® Neural Compute Stick 2 is powered by the Intel™ Movidius™ X VPU to deliver industry leading performance, wattage, and power. The NEURAL COMPUTE supports OpenVINO™, a toolkit that accelerates solution development and streamlines deployment. The Neural Compute Stick 2 offers plug-and-play simplicity, support for common frameworks and out-of-the-box sample applications. Use any platform with a USB port to prototype and operate without cloud compute dependence. The Intel NCS 2 delivers 4 trillion operations per second with 8X performance boost over previous generations.

At $99 (US) with a USB stick form factor, the Intel® Neural Compute Stick 2 makes a great gift any time of the year. Not to mention offering the opportunity to test your hacking skills on “out-of-the-box sample applications.” The most likely ones you will see in the wild.

Enjoy!

December 6, 2018

Teaching Cybersecurity Law and Policy (Chesney) [Cui Bono?]

Filed under: Cybersecurity,Law — Patrick Durusau @ 11:43 am

Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer by Robert Chesney.

From the post:

Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use.

With support from the Hewlett Foundation, I’ve spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive “syllabus” document. Now, I’m back with version 2.0.

Here’s the document.

At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone—practitioner, lawyer, engineer, student, etc.—who wants to think deeply about the various substrands of this emergent field and how they relate to one another.

Feel free to make use of this any way you wish. Share it with others who might enjoy it (or at least benefit from it), and definitely send me feedback if you are so inclined (rchesney@law.utexas.edu or @bobbychesney on Twitter).

The technical side of the law is deeply fascinating and perhaps even more so in cybersecurity. It’s worth noting that Chesney does a great job laying out normative law as a given.

You are not going to find an analysis of the statutes cited to identify who benefits or is penalized by those statutes. You know the adage about laws that prohibit the rich and the poor equally from sleeping under bridges? The same applies to cybersecurity statutes. They are always presented as fair and accomplished public policies. Nothing could be further from the truth.

That’s not a criticism of Chesney’s syllabus; the technical side of existing laws is quite lucrative for anyone who masters its complexities, and it is certainly a worthy subject for study. I mention looking behind laws, as it were, to promote an awareness that the shaping of winners and losers encoded in laws also merits your attention.

Cybersecurity laws have adversely impacted security researchers, as steps suggested to reduce the odds of your liability for disclosure of a vulnerability show:

  • Don’t ask for money in exchange for keeping vulnerability information quiet. Researchers have been accused of extortion after saying they would reveal the vulnerability unless the company wants to pay a finder’s fee or enter into a contract to fix the problem. See, e.g. GameSpy warns security researcher
  • If you are under a non-disclosure agreement, you may not be allowed to publish. Courts are likely to hold researchers to their promises to maintain confidentiality.
  • You may publish information to the general public, but do not publish directly to people you know intend to break the law.
  • Consider disclosing to the vendor or system administrator first and waiting a reasonable and fair amount of time for a patch before publishing to a wider audience.
  • Consider having a lawyer negotiate an agreement with the company under which you will provide details about the vulnerability—thus helping to make the product better—in exchange for the company’s agreement not to sue you for the way you discovered the problem.
  • Consider the risks and benefits of describing the flaw with proof-of-concept code, and whether that code could describe the problem without unnecessarily empowering an attacker.
  • Consider whether your proof of concept code is written or distributed in a manner that suggests it is “primarily” for the purpose of gaining unauthorized access or unlawful data interception, or marketed for that purpose. Courts look both to the attributes of the tool itself as well as the circumstances surrounding the distribution of that tool to determine whether it would violate such a ban.
  • Consider whether to seek advance permission to publish, even if getting it is unlikely.
  • Consider how to publish your advisory in a forum and manner that advances the state of knowledge in the field.
  • Do not publish in a manner that enables or a forum that encourages copyright infringement, privacy invasions, computer trespass or other offenses.

The oppression of independent security researchers in cybersecurity law is fairly heavy-handed but there are subtleties and nuances that lie deeper in the interests that drove drafting of such legislation.

Fairly obvious, but have you noticed there is no liability for faulty software? The existence of EULAs, waivers of liability, is a momentary diversion. It is a rare case when a court finds such agreements enforceable, outside the context of software.

The discovery and publication of vulnerabilities, should vendors not fix them in a timely fashion, would raise serious questions about their “gross negligence” in failing to fix such vulnerabilities. And from there to a greater ability to attack EULAs.

Not only are major software vendors bastards, but they are clever bastards as well.

That’s only one example of an unlimited number once you ask cui bono? (whose good) for any law.

In a world where governments treat the wholesale slaughter of millions of people of color and condemning of millions to lives of deprivation and want as “business as usual,” you may ask, what obligation is there to obey any cybersecurity or other law?

Your obligation to obey any law is a risk assessment of the likelihood of a sovereign attributing a particular act to you. The better your personal security, the greater the range of behavior choices you have.

Basic Text [Leaked Email] Processing in R

Filed under: R,Text Mining — Patrick Durusau @ 10:08 am

Basic Text Processing in R by Taylor Arnold and Lauren Tilton.

From Learning Goals:

A substantial amount of historical data is now available in the form of raw, digitized text. Common examples include letters, newspaper articles, personal notes, diary entries, legal documents and transcribed speeches. While some stand-alone software applications provide tools for analyzing text data, a programming language offers increased flexibility to analyze a corpus of text documents. In this tutorial we guide users through the basics of text analysis within the R programming language. The approach we take involves only using a tokenizer that parses text into elements such as words, phrases and sentences. By the end of the lesson users will be able to:

  • employ exploratory analyses to check for errors and detect high-level patterns;
  • apply basic stylometric methods over time and across authors;
  • approach document summarization to provide a high-level description of the elements in a corpus.

The tutorial uses United States Presidential State of the Union Addresses, yawn, as its dataset.

Great tutorial but aren’t there more interesting datasets to use as examples?

Modulo that I haven’t prepared such a dataset or matched it to a tutorial such as this one.

Question: What would make a more interesting dataset than United States Presidential State of the Union Addresses?

Anything is not a helpful answer.

Suggestions?

December 5, 2018

Open Letter to NRCC Hackers

Filed under: Cybersecurity,Government,Hacking,Politics,Wikileaks — Patrick Durusau @ 11:04 am

We have never met or communicated but I wanted to congratulate you on the hack of top NRCC officials in 2018. Good show!

I’m sure you remember the drip-drip-drip release technique used by Wikileaks with the Clinton emails. I had to check the dates but the first batch was in early October 2016, before the presidential election in November 2016.

The weekly release cycle, with the prior publicity concerning the leak, kept both alternative and mainstream media on the edge of climaxing every week. Even though the emails themselves were mostly office gossip and pettiness found in any office email system.

The most obvious target event for weekly drops of the NRCC emails is the 2020 election but that is subject to change.

Please consider the Wikileaks partial release tactic, which transformed office gossip into front-page news, when you select a target event for releasing the NRCC emails.

Your public service in damaging the NRCC will go unrewarded but not unappreciated. Once again, good show!

December 4, 2018

Bulk US Congress Bills, Laws in XML

Filed under: Government,Government Data,Law,Legal Informatics,XML — Patrick Durusau @ 8:47 am

GPO Makes Documents Easy To Download and Repurpose in New XML Format

From the news release:

The U.S. Government Publishing Office (GPO) makes available a subset of enrolled bills, public and private laws, and the Statutes at Large in Beta United States Legislative Markup (USLM) XML, a format that makes documents easier to download and repurpose. The documents available in the Beta USLM XML format include enrolled bills and public laws beginning with the 113th Congress (2013) and the Statutes at Large beginning with the 108th Congress (2003). They are available on govinfo, GPO’s one-stop site to authentic, published Government information. https://www.govinfo.gov/bulkdata.

The conversion of legacy formats into Beta USLM XML will provide a uniform set of laws for the public to download. This new format maximizes the number of ways the information can be used or repurposed for mobile apps or other digital or print projects. The public will now be able to download large sets of data in one click rather than downloading each file individually, saving significant time for developers and others who seek to repurpose the data.

GPO is collaborating with various legislative and executive branch organizations on this project, including the Office of the Clerk of the House, the Office of the Secretary of the Senate, and the Office of the Federal Register. The project is being done in support of the Legislative Branch Bulk Data Task Force which was established to examine the increased dissemination of Congressional information via bulk data download by non-Governmental groups for the purpose of supporting openness and transparency in the legislative process.

“Making these documents available in Beta USLM XML is another example of how GPO is meeting the technological needs of Congress and the public,” said GPO Acting Deputy Director Herbert H. Jackson, Jr. “GPO is committed to working with Congress on new formats that provide the American people easy access to legislative information.”

GPO is the Federal Government’s official, digital, secure resource for producing, procuring, cataloging, indexing, authenticating, disseminating, and preserving the official information products of the U.S. Government. The GPO is responsible for the production and distribution of information products and services for all three branches of the Federal Government, including U.S. passports for the Department of State as well as the official publications of Congress, the White House, and other Federal agencies in digital and print formats. GPO provides for permanent public access to Federal Government information at no charge through www.govinfo.gov and partnerships with approximately 1,140 libraries nationwide participating in the Federal Depository Library Program. For more information, please visit www.gpo.gov.

Not that I have lost any of my disdain and distrust for government, but when any government does something good, they should be praised.

Making “enrolled bills, public and private laws, and the Statutes at Large in Beta United States Legislative Markup (USLM) XML” available is a step towards tracing and integrating legislation with those it benefits.

I’m not convinced that if you could trace specific legislation to a set of donations that the outcomes on legislation would be any different. It’s like tracing payments made to a sex worker. That’s their trade, why should they be ashamed of it?

The same holds true for most members of Congress, save that the latest election has swept non-sex worker types into office. It remains to be seen how many will resist the temptation to sell their offices and which will not.

In either case, kudos to the GPO and Lauren Wood, who I understand has been a major driver in this project!

December 3, 2018

Remotely Hijacking Zoom Clients

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:45 pm

Remotely Hijacking Zoom Clients by David Wells.

From the post:

I would like to walk through a severe logic flaw vulnerability found in Zoom’s Desktop Conferencing Application. This logic flaw (CVE-2018–15715) affects Zoom clients for MacOS, Linux, and Windows and allows an attacker (doesn’t even have to be a meeting attendee) to hijack various components of a live meeting such as forcefully enabling desktop control permissions and sending keystrokes to meeting attendees sharing their screen. Zoom has released an update for MacOS and Windows and users of Zoom should make sure they are running the most up-to-date version.

Great description of a vulnerability, even if Wells reports that Zoom servers now appear to be patched.

Telecommuting Trend Data from GlobalWorkplaceAnalytics.com leaves no doubt that remote work by employees is increasing, meaning so are avenues into corporate computer infrastructures.

To say nothing of moves towards telecommuting by the United States government, led by of all agencies, the IRS. Telecommuting Options in Government Jobs

Vulnerabilities in telecommuting and/or video conferencing software may result in a bountiful harvest of data. But you won’t know if you don’t look for them.

Distributed Denial of Secrets (#DDoSecrets) – There’s a New Censor in Town

Filed under: Censorship,CIA,Leaks,NSA — Patrick Durusau @ 6:59 pm

Distributed Denial of Secrets (#DDoSecrets) (ddosecretspzwfy7.onion/)

From a tweet by @NatSecGeek:

Distributed Denial of Secrets (#DDoSecrets), a collective/distribution system for leaked and hacked data, launches today with over 1 TB of data from our back catalogue (more TK).

Great right? Well, maybe not so great:

Our goal is to preserve info and ensure it’s available to those who need it. When possible, we will distribute complete datasets to everyone. In some instances, we will offer limited distribution due to PII or other sensitive info. #DDoSecrets currently has ~15 LIMDIS releases.

As we’re able, #DDoSecrets will produce sanitized versions of these datasets for public distribution. People who can demonstrate good cause for a copy of the complete dataset will be provided with it.

Raphael Satter in Leak site’s launch shows dilemma of radical transparency documents the sad act of self-mutilation (self-censorship) by #DDoSecrets.

Hosting the Ashley Madison hack drew criticism from Joseph Cox (think Motherboard) and Gabriella Coleman (McGill University anthropologist). The Ashley Madison data is available for searching (by email for example https://ashley.cynic.al/), so the harm of a bulk release isn’t clear.

What is clear is the reasoning of Coleman:

Best said the data would now be made available to researchers privately on a case-by-case basis, a decision that mollified some critics.

“Much better,” said Coleman after reviewing the newly pared-back site. “Exactly the model we might want.”

I am not surprised this is the model Coleman wants; academics are legendary for treating access as a privilege, thus empowering themselves to sit in judgment on others.

Let me explicitly say that I have no doubts that Emma Best will be as fair handed with such judgments as anyone.

But once we concede any basis for censorship, the withholding of information of any type, then we are cast into a darkness from which there is no escape. A censor claims to have withheld only X, but how are we to judge? We have no access to the original data. Only its mutilated, bastard child.

Emma Best is likely the least intrusive censor you can find but what is your response when the CIA or the NSA makes the same claim?

Censorship is a danger when practiced by anyone for any reason.

Support and leak to the project but always condition deposits on raw leaking by #DDoSecrets.

December 2, 2018

Programming Language Foundations in Agda [Hackers Fear Not!]

Filed under: Agda,Computer Science,Cybersecurity,Hacking,Programming,Proof Theory — Patrick Durusau @ 11:47 am

Programming Language Foundations in Agda by Philip Wadler and Wen Kokke.

From the preface:

The most profound connection between logic and computation is a pun. The doctrine of Propositions as Types asserts that a certain kind of formal structure may be read in two ways: either as a proposition in logic or as a type in computing. Further, a related structure may be read as either the proof of the proposition or as a programme of the corresponding type. Further still, simplification of proofs corresponds to evaluation of programs.

Accordingly, the title of this book also has two readings. It may be parsed as “(Programming Language) Foundations in Agda” or “Programming (Language Foundations) in Agda” — the specifications we will write in the proof assistant Agda both describe programming languages and are themselves programmes.

The book is aimed at students in the last year of an undergraduate honours programme or the first year of a master or doctorate degree. It aims to teach the fundamentals of operational semantics of programming languages, with simply-typed lambda calculus as the central example. The textbook is written as a literate script in Agda. The hope is that using a proof assistant will make the development more concrete and accessible to students, and give them rapid feedback to find and correct misapprehensions.

The book is broken into two parts. The first part, Logical Foundations, develops the needed formalisms. The second part, Programming Language Foundations, introduces basic methods of operational semantics.

Hackers should attend closely to Wadler and Kokke’s text to improve their own tools. The advantages of type-dependent programming are recited by Andrew Hynes in Why you should care about dependently typed programming and I won’t repeat them here.

Hynes also reassures hackers (perhaps not his intent) that a wave of type-dependent programming is not on the near horizon saying:

So we’ve got these types that act as self-documenting proofs that functionality works, add clarity, add confidence our code works as well as runs. And, more than that, they make sense. Why didn’t we have these before? The short answer is, they’re a new concept, they’re not in every language, a large amount of people don’t know they exist or that this is even possible. Also, there are those I mentioned earlier, who hear about its use in research and dismiss it as purely for that purpose (let’s not forget that people write papers about languages like C and [Idealized] Algol, too). The fact I felt the need to write this article extolling their virtues should be proof enough of that.

Like object orientation and other ideas before it, it may take a while before this idea seeps down into being taught at universities and seen as standard. Functional programming has only just entered this space. The main stop-gap right now is this knowledge, and it’s the same reason you can’t snap your fingers together and have a bunch of Java devs who have never seen Haskell before writing perfect Haskell day one. Dependently typed programming is still a new concept, but that doesn’t mean you need to wait. Things we take for granted were new once, too.

I’m not arguing in favour of everybody in the world switching to a dependently typed language and doing everything possible dependently typed, that would be silly, and it encourages misuse. I am arguing in favour of, whenever possible (e.g. if you’re already using Haskell or similar) perhaps thinking whether dependent types suit what you’re writing. Chances are, there’s probably something they do suit very well indeed. They’re a truly fantastic tool and I’d argue that they will get better as time goes on due to way architecture will evolve. I think we’ll be seeing a lot more of them in the future. (emphasis in original)

Vulnerabilities have been, are and will continue to be etched into silicon. Vulnerabilities exist in decades of code and in the code written to secure it. Silicon and code that will still be running as type-dependent programming slowly seeps into the mainstream.

Hackers should benefit from and not fear type-dependent programming!

November 26, 2018

Big Brother’s Machine Learning Courses (free) [Fire Prediction As Weapon]

Filed under: Machine Learning — Patrick Durusau @ 11:49 am

Amazon’s own ‘Machine Learning University’ now available to all developers by Dr. Matt Wood.

From the post:

Today, I’m excited to share that, for the first time, the same machine learning courses used to train engineers at Amazon are now available to all developers through AWS.

We’ve been using machine learning across Amazon for more than 20 years. With thousands of engineers focused on machine learning across the company, there are very few Amazon retail pages, products, fulfillment technologies, stores which haven’t been improved through the use of machine learning in one way or another. Many AWS customers share this enthusiasm, and our mission has been to take machine learning from something which had previously been only available to the largest, most well-funded technology companies, and put it in the hands of every developer. Thanks to services such as Amazon SageMaker, Amazon Rekognition, Amazon Comprehend, Amazon Transcribe, Amazon Polly, Amazon Translate, and Amazon Lex, tens of thousands of developers are already on their way to building more intelligent applications through machine learning.

Regardless of where they are in their machine learning journey, one question I hear frequently from customers is: “how can we accelerate the growth of machine learning skills in our teams?” These courses, available as part of a new AWS Training and Certification Machine Learning offering, are now part of my answer.

There are more than 30 self-service, self-paced digital courses with more than 45 hours of courses, videos, and labs for four key groups: developers, data scientists, data platform engineers, and business professionals. Each course starts with the fundamentals, and builds on those through real-world examples and labs, allowing developers to explore machine learning through some fun problems we have had to solve at Amazon. These include predicting gift wrapping eligibility, optimizing delivery routes, or predicting entertainment award nominations using data from IMDb (an Amazon subsidiary). Coursework helps consolidate best practices, and demonstrates how to get started on a range of AWS machine learning services, including Amazon SageMaker, AWS DeepLens, Amazon Rekognition, Amazon Lex, Amazon Polly, and Amazon Comprehend.

Machine learning from one of our digital big brothers at any rate.

The classes are tuned to the capabilities and features of AWS machine learning services but that’s a feature and not a bug.

AWS machine learning services are essential to anyone who doesn’t have the on-call capabilities of the CIA or NSA. Even with AWS, you won’t match the sheer capacity of government computing environments, but you have one thing they don’t have: your insight into a problem set.

Let’s say that with enough insight and funds to pay for AWS services, you will be competitive against government agencies.

Wood continues:

To help developers demonstrate their knowledge (and to help employers hire more efficiently), we are also announcing the new “AWS Certified Machine Learning – Specialty” certification. Customers can take the exam now (and at half price for a limited time). Customers at re:Invent can sit for the exam this week at our Training and Certification exam sessions.

The digital courses are now available at no charge at aws.training/machinelearning and you only pay for the services you use in labs and exams during your training.

Fire is a weapon rarely exploited well by counter-government forces. Consider the use of AWS machine learning services to resolve the trade-off between the areas most likely to burn and those where a burn would be the most damaging (by some criteria). Climate change presents opportunities for unconventional insurgent techniques. Will you be ready to recognize and/or seize them?

November 22, 2018

(90+) Best Hacking eBooks [Suggest benchmarks for “best?”]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 11:25 am

Hacking eBooks Free Download 2018 – (90+) Best Hacking eBooks by Mukesh Bhardwaj.

From the post:

Here are a top and a long list of Best Hacking eBooks released in 2018. I pick these PDF best hacking eBooks from top sources with latest hacking articles inside these eBooks. These download links are spam free and ads free. However, you will also get all hacking guides as well. We Give You Best Ads Free Download Links. (emphasis in original)

This listing dates from January 4, 2018, so as of November 22, 2018, it’s due for an update.

The items I have examined look useful but it’s not clear what criteria were used for “best.”

Do you have a suggestion for general or more specific hacking resources to use as benchmarks for best?

Top 20 Hacker Holiday Gifts of 2018

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 10:55 am

Top 20 Hacker Holiday Gifts of 2018

From the post:

For the uninitiated, it can be difficult to buy that special hacker in your life a perfect holiday gift. That’s why we’ve taken out the guesswork and curated a list of the top 20 most popular items our readers are buying. Whether you’re buying a gift for a friend or have been dying to share this list with someone shopping for you, we’ve got you covered with our 2018 selection of hacker holiday gifts.

For more ideas, make sure to check out our holiday hacker gift guide from last year, as well as Distortion’s excellent post for gear every hacker should try out. As for this year’s recommendations, they’re split up into different price points, so you can jump to each using the following links.

Great list of potential gifts for someone you know is hacking or who you want to encourage to hack.

Imagine the degree of transparency if hacking was taught as widely as keyboarding.

One Hacker One Computer – #OHOC

Enjoy!

November 21, 2018

Raspberry-Pi In Your Stocking?

Filed under: Raspberry-Pi — Patrick Durusau @ 8:17 pm

Just in case you find, obtain or are given a Raspberry Pi over the holidays, check out awesome-raspberry-pi.

From the webpage:

A curated list of awesome Raspberry Pi tools, projects, images and resources.

I’m counting forty-eight (48) OS images, twenty (20) tools, fifty-six (56) projects, ten (10) useful apps, five (5) articles, sixteen (16) tutorials, and, thirteen (13) community links. (as of 21 November 2018)

I tried to find another category instead of adding Raspberry-Pi. Now I have to find all my posts that mention Raspberry-Pi and update their links!

Worth the time though when you consider a Raspberry-Pi is small enough to drop off in a target location or even plug into a target network. That alone makes it worth more attention.

Going Old School to Solve A Google Search Problem

Filed under: Bookmarking,Bookmarks,Javascript,Searching — Patrick Durusau @ 5:27 pm

Going Old School to Solve A Google Search Problem

I was completely gulled by the headline. I thought the “old school” solution was going to be:

Go ask a librarian.

My bad. Turns out the answer was:

Recently I got an email from my friend John Simpson. He was having a search problem and thought I might be able to help him out. I was, and wanted to share with you what I did, because a) you might be able to use it too and b) it’s not often in my Internet experience that you end up solving a problem using a method that was popular over ten years ago.

Here’s John’s problem: he does regular Google searches of a particular kind, but finds that with most of these searches he gets an overwhelming number of results from just a couple of sites. He wants to consistently exclude those sites from his search results, but he doesn’t want to have to type in the exclusions every time.

The rock-simple solution to this problem would be: do the Google search excluding all the sites you don’t want to see, bookmark the result, and then revisit that bookmark whenever you’re ready to search. But a more elegant solution would be to use a bookmark enhanced with JavaScript: a bookmarklet.

The rest of the post walks you through the creation of a simple bookmarklet. Easier than the name promises.
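As an added example (not code from the post or its author), here is the kind of bookmarklet the post describes, written as testable functions: one builds the Google search URL with a fixed list of sites appended as -site: exclusions, and one produces the javascript: URL you would save as the bookmark. The domain names in EXCLUDED_SITES are constructed placeholders.

```javascript
// Added example, not the original post's code: the "exclude these sites"
// bookmarklet described above, built as testable functions. The domains in
// EXCLUDED_SITES are constructed placeholders; substitute the ones that
// swamp your own results.

const EXCLUDED_SITES = ["noise.example.com", "clutter.example.net"];

// Join the user's search terms with one "-site:" operator per excluded
// domain. Empty or whitespace-only terms simply yield the exclusions alone.
function buildQuery(terms, excluded) {
  const exclusions = excluded.map((domain) => `-site:${domain}`);
  return [terms.trim(), ...exclusions].filter(Boolean).join(" ");
}

// Produce the full Google search URL. encodeURIComponent escapes spaces,
// colons and anything else typed into the prompt, so user input can only
// ever change the value of the q parameter, never the structure of the URL.
function buildSearchUrl(terms, excluded = EXCLUDED_SITES) {
  return "https://www.google.com/search?q=" + encodeURIComponent(buildQuery(terms, excluded));
}

// Generate the "javascript:" URL to paste into a bookmark's location field.
// When clicked, it asks for search terms and navigates the current tab to the
// filtered search. The exclusion list is baked in at generation time, so the
// bookmarklet itself contains no code that reads the page it runs on.
function bookmarkletSource(excluded = EXCLUDED_SITES) {
  const list = JSON.stringify(excluded);
  return (
    "javascript:(function(){" +
    "var t=prompt('Search terms:');" +
    "if(!t)return;" +
    "var ex=" + list + ".map(function(d){return '-site:'+d;}).join(' ');" +
    "location.href='https://www.google.com/search?q='+encodeURIComponent(t+' '+ex);" +
    "})();"
  );
}
```

Paste the string returned by bookmarkletSource() into a new bookmark's URL field; clicking it prompts for terms and opens the filtered search.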

When (not if) Google fails you, remember you can either visit (or call in many cases) the reference desk at your local library.

Under the title: Why You Should Fall To Your Knees And Worship A Librarian, I encountered this item:

I’ve always had a weakness for the line:

People become librarians because they know too much.

Google can quickly point you down any number of blind alleys. Librarians quickly provide you with productive avenues to pursue. Your call.

pugixml 1.9 quick start guide

Filed under: Parsers,XML,XPath — Patrick Durusau @ 4:20 pm

pugixml 1.9 quick start guide

From the webpage:

pugixml is a light-weight C++ XML processing library. It consists of a DOM-like interface with rich traversal/modification capabilities, an extremely fast XML parser which constructs the DOM tree from an XML file/buffer, and an XPath 1.0 implementation for complex data-driven tree queries. Full Unicode support is also available, with two Unicode interface variants and conversions between different Unicode encodings (which happen automatically during parsing/saving). The library is extremely portable and easy to integrate and use. pugixml is developed and maintained since 2006 and has many users. All code is distributed under the MIT license, making it completely free to use in both open-source and proprietary applications.

pugixml enables very fast, convenient and memory-efficient XML document processing. However, since pugixml has a DOM parser, it can’t process XML documents that do not fit in memory; also the parser is a non-validating one, so if you need DTD/Schema validation, the library is not for you.

This is the quick start guide for pugixml, whose purpose is to enable you to start using the library quickly. Many important library features are either not described at all or only mentioned briefly; for more complete information you should read the complete manual.

Despite the disappointing lack of document/email leaks during the 2018 mid-terms, I am hopeful the same will not be true in 2020. The 2020 elections will include a presidential race.

I encountered pugixml today in another context and thought I should mention it as a possible addition to your toolkit.

The repository: http://github.com/zeux/pugixml.

Enjoy!

Stanford AI Lab (SAIL) Blog (Attn: All Hats)

Filed under: Artificial Intelligence,Hacking,Machine Learning — Patrick Durusau @ 3:45 pm

Stanford AI Lab (SAIL) Blog

From the Hello World post:

We are excited to launch the Stanford AI Lab (SAIL) Blog, where we hope to share our research, high-level discussions on AI and machine learning, and updates with the general public. SAIL has 18 faculty and 16 affiliated faculty, with hundreds of students working in diverse fields that span natural language processing, robotics, computer vision, bioinformatics, and more. Our vision is to make that work accessible to an audience beyond the academic and technical community.

Whether you are a White, Black, Grey or Customer hat, start watching the Stanford AI Lab (SAIL) Blog.

Like a Customer hat, AI (artificial intelligence) knows no preset side, only its purpose as set by others.

If that sounds harsh, remember that it has been preset sides that force otherwise decent people (in some cases) to support the starvation of millions in Yemen or the murder of children in Palestine.

Or to say it differently, laws are only advisory opinions on the morality of any given act.

November 20, 2018

Is It Looking Like IoT This Year?

Filed under: Hacking,IoT - Internet of Things — Patrick Durusau @ 8:10 pm

IoT-Pentesting-Methodology

From the webpage:

Resources to help get started with IoT Pentesting

The only resource is a mindmap of things to consider. Useful in and of itself but I had to kick the magnification up to 350% to make it readable.

Looking forward to other resources being added, perhaps as part of the mindmap?

While you are investigating IoT goodies this holiday season, take a break from pwning your brother-in-law’s car and add a couple of resources here.

😉

IoT creates an opportunity for gifts that keep on giving after you take control of them.

Not to mention sending, anonymously, IoT devices to neighbors, fellow staff members and elected representatives.

Do Your Clients Know You’re Running Adobe Flash?

Filed under: Cybersecurity,Hacking,Security — Patrick Durusau @ 5:28 pm

Critical Adobe Flash Bug Impacts Windows, macOS, Linux and Chrome OS by Tom Spring.

From the post:

Adobe released a patch for a critical flaw on Tuesday that leaves its Flash Player vulnerable to arbitrary code execution by an adversary. Affected are versions of the Flash Player running on Windows, macOS, Linux and Chrome OS.

Unless you need the technical details to prepare an exploit, that’s about all that needs to be said about the latest Adobe Flash fail.

You aren’t running Flash? Yes?

Assuming you are not running Flash, download and save a known-safe Flash file. Attach it to an email to your current contractor(s).

Call your contractor(s) and ask if they can open the attached Flash file. Should they say yes, start looking for new contractor(s).

What are you going to say when you get a “can you open the Flash attachment” call?

PS: I wonder if any of the techno-mages at the White House are running Flash? Thoughts?
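The test above works in one direction: it tells you whether the other side can open Flash. The defensive counterpart is to recognise a Flash file arriving at your own mail gateway by its content rather than its name, since an .swf renamed to .pdf still opens in a Flash-enabled client. Here is an added example of that check (not from the post or from Adobe); the three header signatures are the published SWF values, and the attachments are constructed.

```javascript
// Added example, not from the post or from Adobe: identify a Flash (SWF) file
// by its content rather than by its file name. The three SWF signatures
// ("FWS" uncompressed, "CWS" zlib-compressed, "ZWS" LZMA-compressed) are the
// published SWF header values; the attachments below are constructed.

const SWF_SIGNATURES = { FWS: "none", CWS: "zlib", ZWS: "lzma" };

// Returns header details when the bytes start a SWF file, otherwise null.
function inspectSwf(bytes) {
  if (bytes.length < 8) return null;
  const signature = String.fromCharCode(bytes[0], bytes[1], bytes[2]);
  const compression = SWF_SIGNATURES[signature];
  if (compression === undefined) return null;
  // Byte 3 is the SWF version; bytes 4..7 are the uncompressed length, little-endian.
  const declaredLength =
    (bytes[4] | (bytes[5] << 8) | (bytes[6] << 16) | (bytes[7] << 24)) >>> 0;
  return { signature, compression, version: bytes[3], declaredLength };
}

// Scan a list of attachments and report those that are SWF, whatever they are called.
function findFlashAttachments(attachments) {
  const hits = [];
  for (const a of attachments) {
    const info = inspectSwf(a.bytes);
    if (info) hits.push({ name: a.name, ...info });
  }
  return hits;
}

// Constructed sample attachments: one honest .swf, one SWF renamed to .pdf,
// and a real PDF header ("%PDF-1.4") that must not match.
const SAMPLE_ATTACHMENTS = [
  { name: "demo.swf", bytes: Uint8Array.from([0x46, 0x57, 0x53, 0x0a, 0x10, 0x00, 0x00, 0x00]) },
  { name: "invoice.pdf", bytes: Uint8Array.from([0x43, 0x57, 0x53, 0x0d, 0x00, 0x10, 0x00, 0x00]) },
  { name: "report.pdf", bytes: Uint8Array.from([0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x34]) },
];
```

Run `findFlashAttachments(SAMPLE_ATTACHMENTS)` and both `demo.swf` and the renamed `invoice.pdf` are reported, while the genuine PDF is not. A mail filter keyed on the extension alone would have passed the second one.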

Hackers: White, Black, Grey [, and Customer?] Hat

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:17 pm

Types of Hackers and What They Do: White, Black, and Grey:

Hackers are lumped into three (3) categories:

A black-hat hacker is an individual who attempts to gain unauthorized entry into a system or network to exploit them for malicious reasons. The black-hat hacker does not have any permission or authority to compromise their targets.

White-hat hackers, on the other hand, are deemed to be the good guys, working with organizations to strengthen the security of a system. A white hat has permission to engage the targets and to compromise them within the prescribed rules of engagement.

Grey hats exploit networks and computer systems in the way that black hats do, but do so without any malicious intent, disclosing all loopholes and vulnerabilities to law enforcement agencies or intelligence agencies.

I suppose, but where is the Customer-hat category?

Customer-hat hackers carry out actions contracted for by a customer.

The customer-hat hacker designation avoids the attempts to pre-define moral or ethical dimensions to the work of hackers, generally summarized under the rubrics of black, white and grey hats.

Picking a recent post at random: Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign, you quickly get the impression that APT29 is a black-hat, i.e., is non-American.

As a contractor or customer, I’m more comfortable wearing a customer-hat. Are you?

PS: I’m aware that the black/grey/white hat designations are attempts to shame people into joining to protect institutions and systems unworthy of respect and/or protection. I decline the invitation.

November 17, 2018

IMSI-Catcher in 30 Minutes

Filed under: Government,Privacy,STINGER — Patrick Durusau @ 9:51 pm

With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes by Joseph Cox.

From the post:

With some dirt cheap tech I bought from Amazon and 30-minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to confirm whether someone is in a particular area. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.

But a DIY IMSI catcher is relatively trivial to setup, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and, the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—malware used by abusive partners—surveillance takes on different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

Once you get up and running (see the project’s GitHub page), other extensions and uses will occur to you.

I deeply disagree with the assessment:

The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.

The greater danger comes when secret agencies and even police agencies, operate with no effective oversight. Either because their operations are too secret to be known to others or a toady, such as the FISA court, is called upon to pass judgment.

As the “threat” from IMSI-catchers increases, manufacturers will engineer phones that resist attacks from the government and the public. A net win for the public, if not the government.

IMSI-catchers and more need to be regulars around government offices and courthouses. Governments like surveillance so much, let’s provide them with a rich and ongoing experience of the same.

Query Expansion Techniques for Information Retrieval: a Survey

Filed under: Query Expansion,Subject Identity,Subject Recognition,Topic Maps — Patrick Durusau @ 9:12 pm

Query Expansion Techniques for Information Retrieval: a Survey by Hiteshwar Kumar Azad, Akshay Deepak.

With the ever increasing size of the web, relevant information extraction on the Internet with a query formed by a few keywords has become a big challenge. To overcome this, query expansion (QE) plays a crucial role in improving the Internet searches, where the user’s initial query is reformulated to a new query by adding new meaningful terms with similar significance. QE — as part of information retrieval (IR) — has long attracted researchers’ attention. It has also become very influential in the field of personalized social document, Question Answering over Linked Data (QALD), and Text Retrieval Conference (TREC) and REAL sets. This paper surveys QE techniques in IR from 1960 to 2017 with respect to core techniques, data sources used, weighting and ranking methodologies, user participation and applications (of QE techniques) — bringing out similarities and differences.

Another goodie for the upcoming holiday season. At forty-three (43) pages, published in 2017 and already in need of updating, it is a real joy for anyone interested in query expansion.

Writing this post I realized that something is missing in discussions of query expansion. It is assumed that end-users are querying the data set and they are called upon to evaluate the results.

What if we change that assumption to an expert user querying the data set and authoring filtered results for end users?

Instead of presenting an end user with a topic map, no matter how clever its merging rules, they are presented with a curated information resource.

Granting that an expert may have been using a topic map to produce the curated information resource but of what concern is that for the end user?

Got 20 Minutes? Black Friday ATM Hunting

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 11:06 am

One definition of Black Friday reads:

The Day After Thanksgiving (Friday) is known as Black Friday. This used to be unofficially or officially the start of holiday shopping season. Almost all stores come out with Doorbuster Sales with the early bird special to attract consumers to their shop. People stand in line hours before the stores are opened, to grab the bargains of the year. In the last few years, we have witnessed a trend towards bringing those Black Friday Sales online before Friday.

Suffice it to say it is an orgy of consumerism and consumption, which originated in the United States but has spread to other countries.

One constant at shopping locations, Black Friday or no, is the presence of ATMs (Automated Teller Machines). ATM finder services are offered by Visa and Mastercard. A search using “atm location” reveals many others.

I mention all that because I encountered Most ATMs can be hacked in under 20 minutes by Catalin Cimpanu.

From the post:

“More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case,” the PT team said. “Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale.” (emphasis added)

Cimpanu includes a list of the ATMs tested. Nothing is more innocent than using an ATM on Black Friday and noting its type and model number. Privacy is required for the attacks described but usually for less than 20 minutes.

Armed with a list of ATMs with model numbers and locations, plus the attacks as described in the original report, you may have a reason to celebrate early this holiday season. (BTW, strictly for research purposes, did you know they sell ATMs on eBay?)

November 15, 2018

Fake ‘Master’ Fingerprints

Filed under: Artificial Intelligence,Security — Patrick Durusau @ 3:20 pm

DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution by Philip Bontrager et al.

Abstract:

Recent research has demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks based on MasterPrints. MasterPrints are real or synthetic fingerprints that can fortuitously match with a large number of fingerprints thereby undermining the security afforded by fingerprint systems. Previous work by Roy et al. generated synthetic MasterPrints at the feature-level. In this work we generate complete image-level MasterPrints known as DeepMasterPrints, whose attack accuracy is found to be much superior to that of previous methods. The proposed method, referred to as Latent Variable Evolution, is based on training a Generative Adversarial Network on a set of real fingerprint images. Stochastic search in the form of the Covariance Matrix Adaptation Evolution Strategy is then used to search for latent input variables to the generator network that can maximize the number of impostor matches as assessed by a fingerprint recognizer. Experiments convey the efficacy of the proposed method in generating DeepMasterPrints. The underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis.

One review of this paper concludes:


At the highest level of security, the researchers note that the master print is “not very good” at spoofing the sensor—the master prints only fooled the sensor less than 1.2 percent of the time.

While this research doesn’t spell the end of fingerprint ID systems, the researchers said it will require the designers of these systems to rethink the tradeoff between convenience and security in the future.

But fingerprint ID systems are only one use case for DeepMasterPrints.

The generated fingerprints, for all intents and purposes, appear to be human fingerprints. If used to intentionally “leave” fingerprints for investigators to discover, there is no immediate “tell” these are artificial fingerprints.

If your goal is to delay or divert authorities for a few hours or even days with “fake” fingerprints, then DeepMasterPrints may be quite useful.

The test for any security or counter-security measure isn’t working forever or without fail but only for as long as needful. (For example, encryption that defeats decryption until after an attack has served its purpose. It need not do more than that.)

*exploitation not included

Filed under: Privacy — Patrick Durusau @ 2:24 pm

The title is a riff on Mozilla’s *privacy not included list of privacy-insecure gifts for the holiday season.

While intended as a warning to consumers, I can’t think of a better shopping list for members of government, their staffs, corporate officers, lobbyists, or even your co-workers.

Unlike some, I don’t consider privacy to be a universal good, especially if a breach of privacy takes down someone like Senator Mitch McConnell or some similar ilk.

Use your imagination or ping me (not free) for development of a list of likely recipients of your holiday largess.

But as the title suggests: *exploitation not included.

PS: And no, I don’t want to know the intended purpose of your list. Enjoy the holidays!

The Unlearned Lesson Of Amazon’s automated hiring tool

Filed under: Artificial Intelligence,Diversity,Machine Learning — Patrick Durusau @ 1:57 pm

Gender, Race and Power: Outlining a New AI Research Agenda.

From the post:


AI systems — which Google and others are rapidly developing and deploying in sensitive social and political domains — can mirror, amplify, and obscure the very issues of inequality and discrimination that Google workers are protesting against. Over the past year, researchers and journalists have highlighted numerous examples where AI systems exhibited biases, including on the basis of race, class, gender, and sexuality.

We saw a dramatic example of these problems in recent news of Amazon’s automated hiring tool. In order to “learn” to differentiate between “good” and “bad” job candidates, it was trained on a massive corpus of of (sic) data documenting the company’s past hiring decisions. The result was, perhaps unsurprisingly, a hiring tool that discriminated against women, even demoting CVs that contained the word ‘women’ or ‘women’s’. Amazon engineers tried to fix the problem, adjusting the algorithm in the attempt to mitigate its biased preferences, but ultimately scrapped the project, concluding that it was unsalvageable.

From the Amazon automated hiring tool and other examples, the AI Now Institute draws this conclusion:


It’s time for research on gender and race in AI to move beyond considering whether AI systems meet narrow technical definitions of ‘fairness.’ We need to ask deeper, more complex questions: Who is in the room when these technologies are created, and which assumptions and worldviews are embedded in this process? How does our identity shape our experiences of AI systems? In what ways do these systems formalize, classify, and amplify rigid and problematic definitions of gender and race? We share some examples of important studies that tackle these questions below — and we have new research publications coming out to contribute to this literature.

AI Now misses the most obvious lesson from the Amazon automated hiring tool experience:

In the face of an AI algorithm that discriminates, we don’t know how to cure its discrimination.

Predicting or curing discrimination from an algorithm alone lies beyond our ken.

The creation of reference datasets for testing AI algorithms, however, enables testing and comparison of algorithms, with concrete results that could be used to reduce discrimination in fact.

Actual hiring and other databases are private for good reasons but wholly artificial reference databases would have no such concerns.

Since we don’t understand discrimination in humans, I caution against a quixotic search for its causes in algorithms. Keep or discard algorithms based on their discrimination in practice, something we have shown ourselves capable of spotting.

PS: Not all discrimination is unethical or immoral. If a position requires a law degree, it is “discrimination” to eliminate all applicants without one, but that’s allowable discrimination.
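The proposal above, an artificial reference dataset on which a scorer is kept or discarded by its discrimination in practice, can be made concrete. The following is an added example, not from the post or from the AI Now report: it builds a paired synthetic candidate set in which both groups have identical skill distributions, scores it with two hypothetical scorers, and compares selection rates between groups. The dataset, the scorers, the cut-off score and the hiring scenario are constructed for illustration; the 0.8 threshold follows the US “four-fifths rule” for adverse impact. Because skills are paired by construction, a legitimate qualification requirement alone cannot open a gap; only a proxy for group membership can, which is the distinction the PS draws.

```javascript
// Added example (not from the post or the AI Now report): an outcome test for a
// hiring scorer run over a constructed synthetic reference dataset. The dataset,
// the two scorers and the cut-offs are assumptions; 0.8 is the US four-fifths rule.

// Build a paired reference set: for every skill level one candidate in each group,
// so any selection-rate gap must come from the scorer, not from the data.
function buildReferenceSet(levels) {
  const candidates = [];
  for (let skill = 1; skill <= levels; skill++) {
    candidates.push({ group: "A", skill, cv: `skill ${skill}; chess club captain` });
    // Half the group-B CVs carry the token the post says Amazon's model penalised.
    const token = skill % 2 === 0 ? "women's chess club captain" : "chess club captain";
    candidates.push({ group: "B", skill, cv: `skill ${skill}; ${token}` });
  }
  return candidates;
}

// Two hypothetical scorers. The neutral one scores skill only; the leaky one has
// learned a CV token that is, in this dataset, a proxy for group membership.
function neutralScorer(c) { return c.skill; }
function leakyScorer(c) { return c.cv.includes("women's") ? c.skill - 6 : c.skill; }

// Fraction of each group scoring at or above the cut-off.
function selectionRates(candidates, scorer, cutoff) {
  const seen = {}, picked = {};
  for (const c of candidates) {
    seen[c.group] = (seen[c.group] || 0) + 1;
    if (scorer(c) >= cutoff) picked[c.group] = (picked[c.group] || 0) + 1;
  }
  const rates = {};
  for (const g of Object.keys(seen)) rates[g] = (picked[g] || 0) / seen[g];
  return rates;
}

// Adverse-impact ratio: lowest group rate over highest. Below the threshold fails.
function adverseImpactRatio(rates) {
  const values = Object.values(rates);
  return Math.min(...values) / Math.max(...values);
}

// Run the reference set through a scorer and decide whether to keep it.
function audit(scorer, levels = 20, cutoff = 11, threshold = 0.8) {
  const rates = selectionRates(buildReferenceSet(levels), scorer, cutoff);
  const ratio = adverseImpactRatio(rates);
  return { rates, ratio, keep: ratio >= threshold };
}
```

With the defaults, `audit(neutralScorer)` selects half of each group (ratio 1.0, keep) while `audit(leakyScorer)` selects 50% of group A but only 35% of group B (ratio 0.7, discard). The audit never inspects the scorer’s internals; it judges the outcome on a dataset whose only difference between groups is the proxy token, which is the point the post makes about spotting discrimination in practice without first explaining it.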

Before You Make a Thing [Technology and Society]

Filed under: Computer Science,Ethics,Politics — Patrick Durusau @ 10:55 am

Before You Make a Thing: some tips for approaching technology and society by Jentery Sayers.

From the webpage:

This is a guide for Technology and Society 200 (Fall 2018; 60 undergraduate students) at the University of Victoria. It consists of three point-form lists. The first is a series of theories and concepts drawn from assigned readings, the second is a rundown of practices corresponding with projects we studied, and the third itemizes prototyping techniques conducted in the course. All are intended to distill material from the term and communicate its relevance to project design and development. Some contradiction is inevitable. Thank you for your patience.

An extraordinary summary of the Prototyping Pasts + Futures class, whose description reads:

An offering in the Technology and Society minor at UVic, this course is about the entanglement of Western technologies with society and culture. We’ll examine some histories of these entanglements, discuss their effects today, and also speculate about their trajectories. One important question will persist throughout the term: How can and should we intervene in technologies as practices? Rather than treating technologies as tools we use or objects we examine from the outside, we’ll prototype with and through them as modes of inquiry. You’ll turn patents into 3-D forms, compose and implement use scenarios, “datify” old tech, and imagine a device you want to see in the world. You’ll document your research and development process along the way, reflect on what you learned, present your prototypes and findings, and also build a vocabulary of keywords for technology and society. I will not assume that you’re familiar with fields such as science and technology studies, media studies, critical design, or experimental art, and the prototyping exercises will rely on low-tech approaches. Technical competency required: know how to send an email.

Deeply impressive summary of the “Theories and Concepts,” “Practices,” and “Prototyping Techniques” from Prototyping Pasts + Futures.

Whether you want your technology to have a benign impact or are looking to put a fine edge on it, this is the resource for you!

Not to mention learning a great deal that will help you better communicate to clients the probable outcomes of their requests.

Looking forward to spending some serious time with these materials.

Enjoy!

November 14, 2018

ScalaQuest! (Video Game Approach to Language Learning)

Filed under: Programming,Scala — Patrick Durusau @ 8:45 pm

ScalaQuest!

From the announcement on Reddit:

Learn to program in Scala while stepping into a world called DataLand – where chaos and complexity threaten the universe itself!

ScalaQuest is a web-based video game that takes you on the first few steps of learning the Scala programming language. Play through the 4 levels available and discover some of what makes Scala unique, while trying to survive and to help the people of DataLand survive the danger that could garbage-collect everything!

The scope of the game is modest, as any real beginnings must be. Fully learning Scala is the adventure we want to make if this first release is successful.

Scala – the powerful and exotic programming language loved by many but challenging to learn, is a realm that we want to open up to motivated learners. With some unique gameplay mechanics, we believe we are changing how people can be introduced to languages and make it into an adventure where fun, risk and failure come together into a stimulating challenge.

Can you save DataLand?

Sign up now! http://scalaquest.com.

I only watched the video; it’s too late for me to spring the $8 for the first module. I would not remember any of it tomorrow. Maybe this coming weekend.

I started to make a rude suggestion about games involving Sen. Mitch McConnell as an inducement to learn how to program. Use your imagination and see what turns up.

Systematic vs. Ad Hoc Attacks and Defenses

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 8:16 pm

A Systematic Evaluation of Transient Execution Attacks and Defenses by Claudio Canella, et al.

Abstract:

Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU’s microarchitectural state. This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches). Unfortunately, both the industry and academia are now focusing on finding efficient defenses that mostly address only one specific variant or exploitation methodology. This is highly problematic, as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses.

In this paper, we present a sound and extensible systematization of transient execution attacks. Our systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far. This includes 2 new Meltdown variants: Meltdown-PK on Intel, and Meltdown-BR on Intel and AMD. It also includes 5 new Spectre mistraining strategies. We evaluate all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM). Our systematization does not only yield a complete picture of the attack surface, but also allows a systematic evaluation of defenses. Through this systematic evaluation, we discover that we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.

If you guessed from the title (or experience) that being systematic wins the prize, you’re right!

Between users’ failure to patch and the “good enough” responses of vendors to vulnerabilities, it’s surprising cybersecurity is in the dictionary at all. Other than as a marketing term like “salvation,” etc.

November 12, 2018

Holiday Avoidance Videos! Black Hat USA 2018

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:25 pm

Just in time for the 2018 holiday season, Black Hat USA 2018 videos have been posted on YouTube! Abstracts and presentation materials are also available.

I count one-hundred and twenty-five (125) videos!

I’m not suggesting you would pwn the TV remote, video game controller or surf the local mall’s wifi if forced to go shopping, but with the Black Hat videos, visions of the same can dance in your head!

Enjoy!

PS: Be sure to give a big shout out to Black Hat and presenters for all videos that stand out to you.

November 11, 2018

Why You Should Study Adobe Patch Releases

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 9:02 pm

Adobe ColdFusion servers under attack from APT group by Catalin Cimpanu.

A cyber-espionage group appears to have reverse engineered an Adobe security patch and is currently going after unpatched ColdFusion servers.

If you review the Adobe Security Bulletin, I don’t think “reverse engineer” is the term I would use in this case:

Nor would I use “Advanced Persistent Threat (APT)” for this vulnerability.

The Adobe fail here is the equivalent to leaving a liquor store unattended with the door propped open and the lights on. Theft there doesn’t require a criminal mastermind.

Given patch rates, reading patches could be the easiest way to add exploits to your toolkit.
