Unintended Consequences Of Slowly Strangling Flash To Death

May 24th, 2016

The long road to the final death knell for Flash has gotten slightly shorter.

Intent to implement: HTML5 by Default

From the post:

Later this year we plan to change how Chromium hints to websites about the presence of Flash Player, by changing the default response of Navigator.plugins and Navigator.mimeTypes. If a site offers an HTML5 experience, this change will make that the primary experience. We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site (see the proposal for the mock-ups).

To reduce the initial user impact, and avoid over-prompting, Chrome will introduce this feature with a temporary whitelist of the current top Flash sites(1). This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.

Chrome will also be adding policy controls so that enterprises will be able to select the appropriate experience for their users, which will include the ability to completely disable the feature.

Any move away from Flash is good news but the unintended consequences of this news tempers my joy.

First, the Flash whitelist signals that delivery of Flash malware should concentrate on the top ten sites:

  1. YouTube.com
  2. Facebook.com
  3. Yahoo.com
  4. VK.com
  5. Live.com
  6. Yandex.ru
  7. OK.ru
  8. Twitch.tv
  9. Amazon.com
  10. Mail.ru

Second, offering users the option to run Flash, in spite of warnings, guarantees Flash will remain an expressway into your computer for years to come.

Third, as Flash usage drops, what is the likely curve of funding for fixing new bugs found in Flash? (That’s what I think as well.)

I don’t have a better alternative to offer, except to suggest that enterprises that care about security should offer cash bonuses to departments that abandon Flash altogether.

PS: Adobe should notify the community when the last copy of the source code for Flash is erased. To avoid some future computer archaeologist digging it up and becoming infected.

Inspiring Next-Gen Citizens – Phineas Fisher

May 24th, 2016

A Notorious Hacker Is Trying to Start a ‘Hack Back’ Political Movement by Lorenzo Franceschi-Bicchierai.

From the post:

In August of 2014, a hacker shook the cybersecurity world by exposing the secrets of the infamous government surveillance vendor Gamma Group, the makers of the spyware FinFisher.

The hacker jokingly called himself Phineas Fisher, publicizing the hack and taunting the company on Twitter. He also wrote a detailed guide on how he breached Gamma—not to brag, the hacker wrote, but to demystify hacking and “to hopefully inform and inspire you to go out and hack shit.”

Then, Phineas Fisher went dark. For almost a year, his public profiles remained silent. Given that he had just upset a company that sold tools to dozens of spy and police all over the world, it seemed like a wise move.

“For politically minded hackers, Phineas is a legend already.”

See Lorenzo’s post for a short history of Phineas Fisher.

I prefer my title because “notorious” and “hacker” imply that Phineas has transgressed in some way.

In the view of some legal systems, Phineas has transgressed but even within those systems, transgression is a matter of whim and caprice.

Consider the interference with the legitimate development of nuclear power by Iran. The U.S. and others have taken it upon themselves to create software to interfere with that program. Software and actions illegal under the same laws with which Phieas would be prosecuted, but no one has been brought before the bar.

Phineas has acted, no more or less than the Koch brothers, to influence public opinion. Every citizen has the right to influence government action, theirs and others.

Phineas is using information instead of cash to influence government but that distinction matters only to cash hungry politicians and cash flush favor seekers who want to feed them.

“Western democracies” don’t engage in, for the most part, in qui pro quo style corruption. Donors routinely contribute money, year in and year out and not surprisingly, when government decisions are to be made, they have a place at the decision making table. And when the decision making is done, a larger share of government benefits than others.

Information activities, such as those by Phineas, have the potential to create a publicly traded information economy. Imagine if rather than slow leak of the Panama Papers, they appeared on an Information Exchange, where you could bid on some or all of the data for particular countries.

Ownership could be, but not necessarily be, exclusive. Your ownership of the data for China, for example, would in no way interfere with my ownership of the same information.

What I am describing rather poorly is already set forth in Neil Stephenson‘s classic: Snow Crash.

Make no mistake, Snow Crash, like the mistaken for reality tale Atlas Shrugged, is a work of fiction. Despite the potential for the dawning of a new future, the present power system will put you in jail today.

Phineas Fisher is an inspiration for a cyber-aware citizenry gathering and distributing information. Hopefully he will also inspire better operational security in those efforts as well.

Bias? What Bias? We’re Scientific!

May 23rd, 2016

This ProPublica story by Julia Angwin, Jeff Larson, Surya Mattu and Lauren Kirchner, isn’t short but it is worth your time to not only read, but to download the data and test their analysis for yourself.

Especially if you have the mis-impression that algorithms can avoid bias. Or that clients will apply your analysis with the caution that it deserves.

Finding a bias in software, like finding a bug, is a good thing. But that’s just one, there is no estimate of how many others may exist.

And as you will find, clients may not remember your careful explanation of the limits to your work. Or apply it in ways you don’t anticipate.

Machine Bias – There’s software used across the country to predict future criminals. And it’s biased against blacks.

Here’s the first story to try to lure you deeper into this study:

ON A SPRING AFTERNOON IN 2014, Brisha Borden was running late to pick up her god-sister from school when she spotted an unlocked kid’s blue Huffy bicycle and a silver Razor scooter. Borden and a friend grabbed the bike and scooter and tried to ride them down the street in the Fort Lauderdale suburb of Coral Springs.

Just as the 18-year-old girls were realizing they were too big for the tiny conveyances — which belonged to a 6-year-old boy — a woman came running after them saying, “That’s my kid’s stuff.” Borden and her friend immediately dropped the bike and scooter and walked away.

But it was too late — a neighbor who witnessed the heist had already called the police. Borden and her friend were arrested and charged with burglary and petty theft for the items, which were valued at a total of $80.

Compare their crime with a similar one: The previous summer, 41-year-old Vernon Prater was picked up for shoplifting $86.35 worth of tools from a nearby Home Depot store.

Prater was the more seasoned criminal. He had already been convicted of armed robbery and attempted armed robbery, for which he served five years in prison, in addition to another armed robbery charge. Borden had a record, too, but it was for misdemeanors committed when she was a juvenile.

Yet something odd happened when Borden and Prater were booked into jail: A computer program spat out a score predicting the likelihood of each committing a future crime. Borden — who is black — was rated a high risk. Prater — who is white — was rated a low risk.

Two years later, we know the computer algorithm got it exactly backward. Borden has not been charged with any new crimes. Prater is serving an eight-year prison term for subsequently breaking into a warehouse and stealing thousands of dollars’ worth of electronics.

This analysis demonstrates that malice isn’t required for bias to damage lives. Whether the biases are in software, in its application, in the interpretation of its results, the end result is the same, damaged lives.

I don’t think bias in software is avoidable but here, here no one was even looking.

What role do you think budget justification/profit making played in that blindness to bias?

Balisage 2016 Program Posted! (Newcomers Welcome!)

May 23rd, 2016

Tommie Usdin wrote today to say:

Balisage: The Markup Conference
2016 Program Now Available

Balisage: where serious markup practitioners and theoreticians meet every August.

The 2016 program includes papers discussing reducing ambiguity in linked-open-data annotations, the visualization of XSLT execution patterns, automatic recognition of grant- and funding-related information in scientific papers, construction of an interactive interface to assist cybersecurity analysts, rules for graceful extension and customization of standard vocabularies, case studies of agile schema development, a report on XML encoding of subtitles for video, an extension of XPath to file systems, handling soft hyphens in historical texts, an automated validity checker for formatted pages, one no-angle-brackets editing interface for scholars of German family names and another for scholars of Roman legal history, and a survey of non-XML markup such as Markdown.

XML In, Web Out: A one-day Symposium on the sub rosa XML that powers an increasing number of websites will be held on Monday, August 1. http://balisage.net/XML-In-Web-Out/

If you are interested in open information, reusable documents, and vendor and application independence, then you need descriptive markup, and Balisage is the conference you should attend. Balisage brings together document architects, librarians, archivists, computer
scientists, XML practitioners, XSLT and XQuery programmers, implementers of XSLT and XQuery engines and other markup-related software, Topic-Map enthusiasts, semantic-Web evangelists, standards developers, academics, industrial researchers, government and NGO staff, industrial developers, practitioners, consultants, and the world’s greatest concentration of markup theorists. Some participants are busy designing replacements for XML while other still use SGML (and know why they do).

Discussion is open, candid, and unashamedly technical.

Balisage 2016 Program: http://www.balisage.net/2016/Program.html

Symposium Program: http://balisage.net/XML-In-Web-Out/symposiumProgram.html

Even if you don’t eat RELAX grammars at snack time, put Balisage on your conference schedule. Even if a bit scruffy looking, the long time participants like new document/information problems or new ways of looking at old ones. Not to mention they, on occasion, learn something from newcomers as well.

It is a unique opportunity to meet the people who engineered the tools and specs that you use day to day.

Be forewarned that most of them have difficulty agreeing what controversial terms mean, like “document,” but that to one side, they are a good a crew as you are likely to meet.


Alda (Music Programming Language) Update

May 23rd, 2016

Alda: A Music Programming Language, Built in Clojure by David Yarwood.

Presentation by David at Clojure Remote.

From the description:

Inspired by other music/audio programming languages such as PPMCK, LilyPond and ChucK, Alda aims to be a powerful and flexible programming language for the musician who wants to easily compose and generate music on the fly, using only a text editor.

Clojure proved to be an ideal language for building a language like Alda, not only because of its wealth of excellent libraries like Instaparse and Overtone, but also because of its Lispy transparency and facility for crafting DSLs.

From the Github page:

Slack: Sign up to the universe of Clojure chat @ http://clojurians.net/, then join us on #alda

Reddit: Come join us in /r/alda, where you can discuss all things Alda and share your Alda scores!

Alda is looking for contributors! Step up!

Incubate No Longer! Tinkerpop™!

May 23rd, 2016

The Apache Software Foundation Announces Apache® TinkerPop™ as a Top-Level Project

From the post:

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® TinkerPop™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project’s community and products have been well-governed under the ASF’s meritocratic process and principles.

Apache TinkerPop is a graph computing framework that provides developers the tools required to build modern graph applications in any application domain and at any scale.

“Graph databases and mainstream interest in graph applications have seen tremendous growth in recent years,” said Stephen Mallette, Vice President of Apache TinkerPop. “Since its inception in 2009, TinkerPop has been helping to promote that growth with its Open Source graph technology stack. We are excited to now do this same work as a top-level project within the Apache Software Foundation.”

As a graph computing framework for both real-time, transactional graph databases (OLTP) and and batch analytic graph processors (OLAP), TinkerPop is useful for working with small graphs that fit within the confines of a single machine, as well as massive graphs that can only exist partitioned and distributed across a multi-machine compute cluster.

TinkerPop unifies these highly varied graph system models, giving developers less to learn, faster time to development, and less risk associated with both scaling their system and avoiding vendor lock-in.

In addition to that good news, the announcement also answers the inevitable question about scaling:

Apache TinkerPop is in use at organizations such as DataStax and IBM, among many others. Amazon.com is currently using TinkerPop and Gremlin to process its order fullfillment graph which contains approximately one trillion edges. (emphasis added)

A trillion edges, unless you are a stealth Amazon, Tinkerpop™ will scale for you.

Congratulations to the Tinkerpop™ community!

Breaking News: Europe != World

May 23rd, 2016

Google’s appeal, described in GNI welcomes appeal to the global reach of “the right to be forgotten” by Ryan McChrystal, puts all of Europe on notice, despite centuries of Euro-centric education, publication, history writing and institutions:

Europe != World

From the post:

The Global Network Initiative welcomes the announcement that Google is appealing a French data protection authority ruling requiring the global take down of links to search information banned in France under Europe’s “right to be forgotten”.

We are concerned that the ruling, made by Commission Nationale de L’Informatique et des Libertes (CNIL) in March, sets a disturbing precedent for the cause of an open and free Internet, and sends the message to other countries that they can force the banning of search results not just inside their own jurisdictions, but assert that jurisdiction across the globe.

Google began delisting search content in response to the Costeja ruling in July of 2014. Search links that are delisted in response to French citizens’ requests are removed from the local French domain (google.fr) as well as all of Europe. In early 2016 the company announced that it would further restrict access to links delisted in Europe by using geolocation technology to restrict access to the content on any Google Search domain when an individual searches from France. Despite this, the French authorities continue to demand global removal of these links from all Google search domains – regardless of from where in the world they are accessed.

“We are concerned about the impact of the CNIL order, which effectively allows the government of one country to dictate what the rest of the world is allowed to access online,” said GNI Board Chair Mark Stephens, CBE. “Enshrined in international law is the principle that one country cannot infringe upon the rights of citizens of another country,” he said.

Make no mistake, I am utterly a child of the West/Europe but all the more reason to resist its cultural and legal imperialism.

Differences in cultures, languages, legal systems, whether current or historical, enrich the human experience.

Censoring expression and in the “right to be forgotten” case, censoring history, or rather attempts to discover history, impoverishes it.

The “right to be forgotten” is ample evidence that Europeans need productive leisure pursuits.

Non-Europeans should suggest hobbies, sports, or activities to distract Europeans from search engine results and towards more creative activities.

Terrorism and Internet Censorship

May 23rd, 2016

Bold stance: Microsoft says terrorism is bad by Shaun Nichols.

From the post:

Microsoft is enacting a new policy to remove terrorist content from its consumer services.

The Redmond software giant said that the new terms and conditions for its hosted services will bar any content containing graphic violence or supporting material for any group considered a terrorist organization by the United Nations Sanctions List.

Additionally, Microsoft says that it will remove terrorist-related content from its Bing search engine whenever requested by government agencies and will try to display links promoting anti-terror non-government organizations when returning queries for terrorism-related search results.

Censorship on the Internet and sadly support for the same grows every week.

From the Microsoft announcement:

We believe it’s important that we ground our approach to this critical issue in central principles and values. We have a responsibility to run our various Internet services so that they are a tool to empower people, not to contribute, however indirectly, to terrible acts. We also have a responsibility to run our services in a way that respects timeless values such as privacy, freedom of expression and the right to access information. We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear. Although Microsoft does not run any of the leading social networks or video-sharing sites, from time to time, terrorist content may be posted to or shared on our Microsoft-hosted consumer services. In light of this, we want to be transparent about our approach to combatting terrorist content.

I have doubts about the statement:

We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear.

If they had, “…carefully considered…,” the question they would not engage in censorship at all.

If you disagree, consider the United Nations Sanctions List, circa 1939:

CNi.001 Name: 1: Mao Zedong 2: Mao 3: na 4: na Name (original script) 毛泽东 Nationality: Chinese Passport no: na National Identification: na Address: China Listed on: January 1, 1927 Other information: Created the Southwest Jiangxi Provincial Soviet Government. Skilled in-fighter with many internal rivals.

CNe.001 Name: Southwest Jiangxi Provincial Soviet Government
Address: na Listed on: June 1, 1930 Other Information: na

Or the United Nations Sanctions List, circa 1800:

UKe.001 Name: Continental Congress 2: na 3: na 4: na
Address: British colonies, America Listed on: January 1, 1776 Other Information: Criminal association of traitors, former British military officers and opportunists.

UKi.001 Name: George Washington 2: na 3: na 4: na DOB: February 22, 1732 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Former colonel in British Army, skilled tactician, co-conspirator with other known traitors.

UKi.002 Name: Thomas Jefferson 2: “Tom” Jefferson 3: na 4: na DOB: April 13, 1743 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Propagandist of first order.

UKi.003 Name: Thomas Paine 2: “Tom” Paine 3: Thomas Pain 4: na DOB: January 29, 1737 Nationality: UK Address: various Listed on: January, 1774 Other information: Known associate of revolutionaries in American colonies of the UK, collaborator with French revolutionaries (1790’s), author of “Common Sense” and wanted for conviction on seditious libel (1792).

The question for Microsoft today is which of the publications and news reports from the revolution in China and/or the American Revolutionary War would they censor as supporting terrorists and/or terrorism?

With even a modicum of honesty, all will concede that acts of terrorism were committed both in China and in what is today known as the United States.

Unless you would censor Mao Zedong, George Washington, Thomas Jefferson, Thomas Paine, then “terrorist” and “terrorism” offer no basis for censoring content.

In truth, “terrorist,” and “terrorism,” are labels for atrocities committed by others, nothing more.

Strive for a free and non-censored Internet.

Let history judge who was or wasn’t a terrorist and even then that changes over time.

Does social media have a censorship problem? (Only if “arbitrary and knee-jerk?”)

May 22nd, 2016

Does social media have a censorship problem? by Ryan McChrystal.

From the post:

It is for this reason that we should be concerned by content moderators. Worryingly, they often find themselves dealing with issues they have no expertise in. A lot of content takedown reported to Online Censorship is anti-terrorist content mistaken for terrorist content. “It potentially discourages those very people who are going to be speaking out against terrorism,” says York.

Facebook has 1.5 billion users, so small teams of poorly paid content moderators simply cannot give appropriate consideration to all flagged content against the secretive terms and conditions laid out by social media companies. The result is arbitrary and knee-jerk censorship.

Yes, social media has a censorship problem. But not only when they lack “expertise” but when they attempt censorship at all.

Ryan’s post (whether Ryan thinks this or not I don’t know) presumes two kinds of censorship:

Bad Censorship: arbitrary and knee-jerk

Good Censorship: guided by expertise in a subject area

Bad is the only category for censorship. (period, full stop)

Although social media companies are not government agencies and not bound by laws concerning free speech, Ryan’s recitals about Facebook censorship should give you pause.

Do you really want social media companies, whatever their intentions, not only censoring present content but obliterating comments history on a whim?

Being mindful that today you may agree with their decision but tomorrow may tell another tale.

Social media has a very serious censorship problem, mostly borne of the notion that social media companies should be the arbiters of social discourse.

I prefer the hazards and dangers of unfettered free speech over discussions bounded by the Joseph Goebbels imitators of a new age.

Suggestions for non-censoring or the least censoring social media platforms?

Modeling data with functional programming – State based systems

May 22nd, 2016

Modeling data with functional programming – State based systems by Brian Lee Yung Rowe.

Brian has just released chapter 8 of his Modeling data with functional programming in R, State based systems.

BTW, Brian mentions that his editor is looking for more proof reviewers.


TSA Cybersecurity Failures – The Good News

May 21st, 2016

The TSA is failing spectacularly at cybersecurity by Violet Blue.

From the post:

Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service.

The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff’s handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.

What we’re talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.

Violet reports on a cornucopia of cybersecurity issues with the TSA and its information systems. Including:

As part of this year’s final report, auditors watched TSA staff as they scanned STIP servers located at two DHS data centers and the Orlando International Airport. The scans “detected a total of 12,282 high vulnerabilities on 71 of the 74 servers tested.”

The redacted final report omits the names of the servers and due to space concerns (its only 47 pages long), omits the particulars of the 12,282 high vulnerabilities found. (That’s my assumption, the report doesn’t say that.)

What the report fails to mention is the good news about TSA cybersecurity failures:

Despite its woeful performance on cybersecurity and its utter failure to ever stop a terrorist, there have been no terrorist incidents on US airlines at points guarded by the TSA.

The TSA and its faulty cybersecurity equipment could be retired, en masse, and its impact on the incidence of terrorism on U.S. based air travel would be exactly zero.

Unless you need hacking practice on poorly maintained systems, avoid the TSA and its broken IT systems. Who wants to brag about stealing a candy bar from a vending machine? Do you?

Any cyberoffense against the TSA and its systems will expose you to long prison sentences for breaching systems that make no difference. That’s the definition of a bad deal. Just don’t go there.

Must Stingrays Be Mobile?

May 20th, 2016

While listening to ICYMI #17: Mike Katz-Lacabe – The Center for Human Rights & Privacy courtesy of North Star Post (NSP), the host commented on a possible detection of a stingray device because it was mobile.

The ACLU describes such devices as:

…devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect’s cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.

Do you see anything about “mobile” in that description?

Granting that there are use cases for mobile surveillance devices, where else are you likely to encounter stingrays?

Airports, public transportation: Calls and messages to and from passengers.

Courthouses: Where lawyers, defendants and witnesses may be sending/receiving calls and text messages they would prefer to keep private.

Jails: Calls and text messages by inmates and visitors.

Schools: Calls and texts between students and others.

Other places?

Working on a data set that may help with avoiding mobile or stationary stingrays. More on that next week.

Ethereum Contracts – Future Hacker Candy

May 20th, 2016

Ethereum Contracts Are Going To Be Candy For Hackers by Peter Vessenes.

From the post:

Smart Contracts and Programming Defects

Ethereum promises that contracts will ‘live forever’ in the default case. And, in fact, unless the contract contains a suicide clause, they are not destroyable.

This is a double-edged sword. On the one hand, the default suicide mode for a contract is to return all funds embedded in the contract to the owner; it’s clearly unworkable to have a “zero trust” system in which the owner of a contract can at will claim all money.

So, it’s good to let people reason about the contract longevity. On the other hand, I have been reviewing some Ethereum contracts recently, and the code quality is somewhere between “optimistic as to required quality” and “terrible” for code that is supposed to run forever.

Dan Mayer cites research showing industry average bugs per 1000 lines of code at 15-50 and Microsoft released code at 0.5 per 1000, and 0(!) defects in 500,000 lines of code for NASA, with a very expensive and time consuming process.

Ethereum Smart Contract Bugs per Line of Code exceeds 100 per 1000

My review of Ethereum Smart Contracts available for inspection at dapps.ethercasts.com shows a likely error rate of something like 100 per 1000, maybe higher.

If you haven’t seen Ethereum, now is the time to visit.

From the homepage:

Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property. This enables developers to create markets, store registries of debts or promises, move funds in accordance with instructions given long in the past (like a will or a futures contract) and many other things that have not been invented yet, all without a middle man or counterparty risk.

The project was crowdfunded during August 2014 by fans all around the world. It is developed by the Ethereum Foundation, a Swiss nonprofit, with contributions from great minds across the globe.

Early in the life cycle and some contracts will be better written than others.

Vulnerabilities will be Authors x Contracts so the future looks bright for hackers.

The Islamic State’s suspected inroads into America – Data Set!

May 19th, 2016

The Islamic State’s suspected inroads into America by Adam Goldman , Jia Lynn Yang, and John Muyskens.

From the post:

Federal prosecutors have charged 84 men and women around the country in connection with the Islamic State. So far, 32 have been convicted. Men outnumber women in those cases by about 7 to 1. The average age of the individuals is 27. One is a minor. The FBI says that, in a handful of cases, it has disrupted plots targeting U.S. military or law enforcement personnel.

The post breaks down proceedings by state and lists each person separately, along with the source of the information.

If you are looking for a small but significant data set on terrorism, I think this is the place.

If you develop further information on these cases, repay the original authors by sharing your discoveries.

Thoughts On How-To Help Drown A Copyright Troll?

May 19th, 2016

Copyright Trolls Rightscorp Are Teetering On The Verge Of Bankruptcy riff on (arstechnica.com).


Think of it as a service to the entire community, including legitimate claimants to intellectual property.

I tried to think of any methods I would exclude and came up empty.


FindFace – Party Like It’s 2001

May 19th, 2016

What a difference fifteen years make!

Is Google or Facebook evil? Forget it!

Russian nerds have developed a new Face Recognition technology based app called FindFace, which is a nightmare for privacy lovers and human right advocates.

FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by connecting them to their social media accounts with 70% success rate, putting public anonymity at risk.

(From This App Lets You Find Anyone’s Social Profile Just By Taking Their Photo by Mohit Kumar)

Compare that breathless, “…nightmare for privacy lovers…public anonymity at risk…” prose to:

Super Bowl, or Snooper Bowl?

As 100,000 fans stepped through the turnstiles at Super Bowl XXXV, a camera snapped their image and matched it against a computerized police lineup of known criminals, from pickpockets to international terrorists.

It’s not a new kind of surveillance. But its use at the Super Bowl — dubbed “Snooper Bowl” by critics — has highlighted a debate about the balance between individual privacy and public safety.

Law enforcement officials say what was done at the Super Bowl is no more intrusive than routine video surveillance that most people encounter each day as they’re filmed in stores, banks, office buildings or apartment buildings.

But to critics, the addition of the face-recognition system can essentially put everyone in a police lineup.

“I think it presents a whole different picture of America,” said Howard Simon, executive director of the American Civil Liberties Union in Florida.

(From Biometrics Used to Detect Criminals at Super Bowl by Vickie Chachere)

If you don’t keep up with American football, Super Bowl XXXV was held in January of 2001.

Facial recognition being common in 2001, why the sudden hand wringing over privacy and FindFace?

Oh, I get it. It is the democratization of the loss of privacy.

Those whose privacy would be protected by privilege or position are suddenly fair game to anyone with a smartphone.

A judge coming out of a kinky bar can be erased or not noticed on police surveillance video, but in a smartphone image, not so much.

The “privacy” of the average U.S. citizen depends on the inattention of state actors.

I’m all for sharing our life-in-the-goldfish-bowl condition with the powerful and privileged.

Get FindFace and use it.

Create similar apps and use topic maps to bind the images to social media profiles.

When the State stops surveillance, perhaps, just perhaps, citizens can stop surveillance of the State. Maybe.

If “privacy” advocates object, ask them what surveillance by the State they support? If the answer isn’t “none,” they have chosen the side of power and privilege. What more is there to say? (BTW, take their photo with FindFace or a similar app.)

Allo, Allo, Google and the Government Can Both Hear You

May 19th, 2016

Google’s Allo fails to use end-to-end encryption by default by Graham Cluley.

The lack of end-to-end encryption by default in Google’s Allo might look like a concession to law enforcement.

Graham points out given the choice of no government or Google spying versus government and Google spying, Google chose the latter.

Anyone working on wrappers for apps to encrypt their output and/or to go dark in terms of reporting to the mother ship?

PS: Yes, Allo offers encryption you can “turn on” but will you trust encryption from someone who obviously wants to spy on you? Your call.

Before There Was Big Data … There Was XLDB!

May 18th, 2016

9th Extremely Large Databases Conference

Online registration closes 19 May 2016!

May 24-26, 2016


Rumor has it that some sponsorships are still available.

Hard to imagine but check with xldb-admin@slac.stanford.edu if you want to be associated with the premier extreme scale event of the year.

Best Served From The Ukraine [Aside on Jury Instruction Re FBI Evidence]

May 18th, 2016

Experts Warn of Super-Stealthy Furtim Malware by Phil Muncaster.

From the post:

Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

Phil’s post summarizes some of the better ideas used in this particular bit of malware.

The post by enSilo researcher Yotam Gottesman includes this description:

Upon initial communication, Furtim collects unique information from the device it is running on, such as the computer name and installation date and sends that information to a specific server. The server stores the received details about the infected machine to ensure that the payload is sent only once.

That reminds me of the search warrant Ben Cox posted in Here Is the Warrant the FBI Used to Hack Over a Thousand Computers, which reads in part:

From any “activating” computer described in Attachment A:

1. The “activating” computer’s actual IP address, and the date and time that the NIT determines what that IP address is;

2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other “activating” comptuers, that will be sent with and collected by the NIT;

3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x 86);

4. information about whether the NIT has already been delivered to the “activating” computer;

5. the “activating” computer’s Host name;

6. the “activating” computer’s active operating system username; and

7. the “activating” computer’s media access control (“MAC”) address;


I mention that because if the FBI can’t prove its NIT’s capabilities against the users computer, who knows where they got the information they now claim to have originated from a child porn website?

Considering the FBI knowingly gave flawed testimony for twenty years, including in death penalty cases, when prosecutors were aware of those flaws, absence both source code and a demonstration of its use against the defendant’s computer as it existed then, the NIT evidence should be excluded at trial.

Or at the very least, a jury instruction that recites the FBI’s history of flawed technical testimony in detail and cautioning the jury that they should view all FBI “evidence” as originating from habitual liars.

Could be telling the truth, but that hasn’t been their habit. (Judicial notice of the FBI practice of providing flawed evidence.)

Colleges Shouldn’t Have to Deal With Copyright Monitoring [Broods of Copyright Vipers]

May 18th, 2016

Colleges Shouldn’t Have to Deal With Copyright Monitoring by Pamela Samuelson.

From the post:

Colleges have a big stake in the outcome of the lawsuit that three publishers, Cambridge University Press, Oxford University Press, and Sage Publications, brought against Georgia State University officials for copyright infringement. The lawsuit, now in its eighth year, challenged GSU’s policy that allowed faculty members to upload excerpts (mainly chapters) of in-copyright books for students to read and download from online course repositories.

Four years ago, a trial court held that 70 of the 75 challenged uses were fair uses. Two years ago, an appellate court sent the case back for a reassessment under a revised fair-use standard. The trial court has just recently ruled that of the 48 claims remaining in the case, only four uses, each involving multiple chapters, infringed. The question now is, What should be the remedy for those four infringements?

Sage was the only publisher that prevailed at all, and it lost more infringement claims than it won. Cambridge and Oxford came away empty-handed. Despite the narrowness of Sage’s win, all three publishers have asked the court for a permanent injunction that would impose many new duties on GSU and require close monitoring of all faculty uploads to online course repositories.

I expected better out of Cambridge and Oxford, especially Cambridge, which has in recent years allowed free electronic access to some printed textbooks.

Sage and the losing publishers, Cambridge and Oxford, seek to chill the exercise of fair use by not only Georgia State University but universities everywhere.

Pamela details the outrageous nature of the demands made by the publishers and concludes that she is rooting for GSU on appeal.

We should all root for GSU on appeal but that seems so unsatisfying.

It does nothing to darken the day for the broods of copyright vipers at Cambridge, Oxford or Sage.

In addition to creating this money pit for their publishers, the copyright vipers want to pad their nests by:

As if that were not enough, the publishers want the court to require GSU to provide them with access to the university’s online course system and to relevant records so the publishers could confirm that the university had complied with the record-keeping and monitoring obligations. The publishers have asked the court to retain jurisdiction so that they could later ask it to reopen and modify the court order concerning GSU compliance measures.

I don’t know how familiar you are with academic publishing but every academic publisher has a copyright department that shares physical space with acquisitions and publishing.

Whereas acquisitions and publishing are concerned with collection and dissemination of knowledge, while recovering enough profit to remain viable, the copyright department could just as well by employed by Screw.

Expanding the employment rolls of copyright departments to monitor fair use by publishers is another drain on their respective publishers.

If you need proof of copyright departments being a dead loss for their publishers, consider the most recent annual reports for Cambridge and Oxford.

Does either one highlight their copyright departments as centers of exciting development and income? Do they tout this eight year long battle against fair use?

No? I didn’t think so but wanted your confirmation to be sure.

I can point you to a history of Sage, but as a privately held publisher, it has no public annual report. Even that history, over changing economic times in publishing, finds no space to extol its copyright vipers and their role in the GSU case.

Beyond rooting for GSU, work with the acquisitions and publication departments at Cambridge, Oxford and Sage, to help improve their bottom line profit and drown their respective broods of copyright vipers.


Before you sign a publishing agreement, ask your publisher for a verified statement of the ROI contributed by their copyright office.

If enough of us ask, the question will resonant across the academic publishing community.

Password Security – Not Blaming Victims

May 18th, 2016


No, don’t waste your breath blaming victims.

Do use this list and similar lists as checks on allowable passwords.

One really good starting place would be: Today I Am Releasing Ten Million Passwords by Mark Burnett.

iPad Security – Just Brick It! Just Brick It!

May 18th, 2016


Apple has released a new method for securing your iPad, brick it!

Darren Pauli reports in Apple’s iOS updates brick iPads the brick your iPad upgrade process is 100% effective at securing iPads, at least until restored by users and/or Apple support is contacted.

Office of Personnel Management managers have expressed interest in iPad bricking in light of its most recent IT security fiasco. The cost of upgrading to iPads, suitable for bricking, is unknown.

Mozilla/Tor Vulnerabilities – You Can Help!

May 17th, 2016

You have probably heard the news that the FBI doesn’t have to reveal its Tor hack. Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack by Joseph Cox.

Which of course means that Mozilla isn’t going to get the hack fourteen days before the defense attorneys do.

While knowing the FBI hack would help fix that particular vulnerability, it would not help fix any other Mozilla/Tor vulnerabilities.

Rather than losing any sleep or keystrokes over the FBI’s one hack, clasped in its grubby little hands, contribute to the discovery and more importantly, fixing of vulnerabilities in Mozilla and Tor.

Let the FBI have its one-trick pony. From what I understand you had to have Flash installed for it to work.

Flash? Really?

Flash users need to mirror their SSN, address, hard drives, etc., to public FTP site. At least then you will have a record of when your data is stolen, I mean downloaded.

Whether vulnerabilities persist in Mozilla/Tor isn’t up to the FBI. It’s up to you.

Your call.

Unicode Code Chart Reviewers Needed – Now!

May 17th, 2016

I saw an email from Rick McGowan of the Unicode Consortium that reads:

As we near the release of Unicode 9.0, we’re looking for volunteers to review the latest code charts for regressions from the 8.0 charts… If you have a block that you’re particularly fond of, please consider checking the glyphs and names against the 8.0 charts… To see the latest 9.0 charts, you can start here:


The “blocks” directory has all of the individual block charts, and the charts with specific additions/changes are here:


Not for everyone but if you can contribute, please do.

Just so you know, this is the 25th anniversary of the Unicode Consortium!

Even if you don’t proof the code charts, do remember to wish the Unicode Consortium a happy 25th anniversary!

Map for Long Term Investors in British Isles

May 16th, 2016

For any long range planners in the crowd:


Censored SIDtoday File Release

May 16th, 2016

Snowden Archive — The SIDtoday Files

From the post:

The Intercept’s first SIDtoday release comprises 166 articles, including all articles published between March 31, 2003, when SIDtoday began, and June 30, 2003, plus installments of all article series begun during this period through the end of the year. Major topics include the National Security Agency’s role in interrogations, the Iraq War, the war on terror, new leadership in the Signals Intelligence Directorate, and new, popular uses of the internet and of mobile computing devices.

Along with this batch, we are publishing the stories featured below, which explain how and why we’re releasing these documents, provide an overview of SIDtoday as a publication, report on one especially newsworthy set of revelations, and round up other interesting tidbits from the files.

There are a series of related stories with this initial release:

The Intercept is Broadening Access to the Snowden Archive. Here’s Why by Glenn Greenwald.

NSA Closely Involved in Guantánamo Interrogations, Documents Show by Cora Currier.

The Most Intriguing Spy Stories From 166 Internal NSA Reports by Micah Lee, Margot Williams.

What It’s Like to Read the NSA’s Newspaper for Spies by Peter Maass.

How We Prepared the NSA’s Sensitive Internal Reports for Release by The Intercept.

A master zip file has all the SIDtoday files released thus far.

Comments on the censoring of these files will follow.

Office of Personnel Management Upgrade Crashes and Burns

May 16th, 2016

You may remember Flash Audit on OPM Infrastructure Update Plan which gave you a summary of the Inspector General for the Office of Personnel Management (OPM) report on OPM’s plans to upgrade its IT structure.

Unfortunately for U.S. taxpayers and people whose records are held by the OPM, the Inspector General doesn’t have veto power over the mis-laid plans of the OPM.

As a consequence, we read today:

Contractor Working on OPM’s Cyber Upgrades Suddenly Quits, Citing ‘Financial Distress” by Jack Moore.

From the post:

The contractor responsible for the hacked Office of Personnel Management’s major IT overhaul is now in financial disarray and no longer working on the project.

OPM awarded the Arlington, Virginia-based Imperatis Corporation a sole-source contract in June 2014 as part of an initial $20 million effort to harden OPM’s cyber defenses, after agency officials discovered an intrusion into the agency’s network.

In the past week, however, Imperatis ceased operations on the contract, citing “financial distress,” an OPM spokesman confirmed to Nextgov.

After Imperatis employees failed to show up for work May 9, OPM terminated Imperatis’ contract for nonperformance and defaulting on its contract.

“DHS and OPM are currently assessing the operational effect of the situation and expect there to be very little impact on current OPM operations,” OPM spokesman Sam Schumach said in a statement to Nextgov. Schumach said OPM had been planning for performance on the contract to end in June 2016.

Show of hands: Who is surprised by this news?

The Board of Directors/Advisors page for Imperatis is now blank.

To help you avoid becoming entangled with these individuals in future contacts, the Wayback Machine has a copy of their Board of Directors/Advisors as of March 31, 2016.

So you can identify the right people:

Board of Directors


Retired Major General Charles (Chuck) Henry became Chairman of the Board of Directors in early 2013. Henry retired after 32 years in the U.S. Army, during which he held various important Quartermaster, mission-related, command, and staff positions. He was the Army’s first Competition Advocate General and reported directly to the Secretary of the Army. His overseas assignments included tours of duty in Vietnam, Europe, and Saudi Arabia. Henry is a member of the Army Quartermaster and Defense Logistics Agency Halls of Fame. In his last position with the federal government, he was the founder and first commander of the Defense Contract Management Command (DCMC).

Henry spent 20 years as a senior executive working in industry, serving as the CEO of five companies. He currently sits on two public boards, Molycorp (NYSE) and Gaming Partners International Corp (NASDAQ), and also sits on the Army Science Board, an advisory committee that makes recommendations on scientific and technological concerns to the U.S. Army.


Sally Donnelly is founder and CEO of SBD Advisors, an international consulting and communications firm. Donnelly is also a senior advisor and North American representative to C5, a UK-based investment fund in safety and security markets.

Prior to founding SBD Advisors, Donnelly served as head of Washington’s office for U.S. Central Command. Donnelly was a key advisor to General Jim Mattis on policy issues, Congressional relations, communications, and engagements with foreign governments. Before joining U.S. Central Command, Donnelly was a Special Assistant to the Chairman of the Joint Chiefs of Staff, Admiral Mike Mullen.

Before joining the Chairman’s staff, Donnelly worked at Time Magazine for 21 years. Donnelly currently sits on the Board of the American Friends of Black Stork, a British-based military veterans’ charity and is a consultant to the Pentagon’s Defense Business Board.


Retired Admiral Eric T. Olson joined the Imperatis Board in April 2013. Olson retired from the U.S. Navy in 2011 after more than 38 years of military service. He was the first Navy SEAL officer to be promoted to the three-star and four-star ranks. He served as head of the US Special Operations Command, where he was responsible for the mission readiness of all U.S. Army, Navy, Air Force, and Marine Corps Special Operations Forces.

Olson is now an independent national security consultant for private and public sector organizations as the president of the ETO Group. He is an adjunct professor in the School of International and Public Affairs at Columbia University and serves as director of Iridium Communications, Under Armour, the non-profit Special Operations Warrior Foundation, and the National Navy UDT-SEAL Museum.


Retired Major General Mastin Robeson joined Imperatis as President and Chief Executive Officer in March 2013. Robeson retired in February 2010 after 34 years of active service in the U.S. Marine Corps, during which time he served in more than 60 countries. He commanded a Combined/Joint Task Force in the Horn of Africa, two Marine Brigades, two Marine Divisions, and Marine Corps Special Operations Command. He also served as Secretary of Defense William Cohen’s Military Assistant and General David Petraeus’ Director of Strategy, Plans, and Assessments. He has extensive strategic planning, decision-making, and crisis management experience.

Since retiring in 2010, Robeson has operated his own consulting company, assisting more than 20 companies in business development, marketing strategy, strategic planning, executive leadership, and crisis management. He has also served on three Boards of Directors, two Boards of Advisors, a college Board of Trustees, and a major hospital’s Operations Council.



James (Jim) Cluck joined the Imperatis Board of Advisors in 2013. Cluck formerly served as acquisition executive, U.S. Special Operations Command. He was responsible for all special operations forces research, development, acquisition, procurement, and logistics.

Cluck held a variety of positions at USSOCOM, including program manager for both intelligence systems and C4I automation systems; Deputy Program Executive Officer for Intelligence and Information Systems; Director of Management for the Special Operations Acquisition and Logistics Center; and Chief Information Officer and Director for the Center for Networks and Communications. During these assignments, he consolidated diverse intelligence, command and control, and information programs through common migration and technical management techniques to minimize Major Force Program-11 resourcing and enhance interoperability.


Retired Rear Admiral Ed Winters joined the Imperatis Board of Advisors in September 2014. Winters retired from the U.S. Navy after more than 33 years of military service. As a Navy SEAL, he commanded at every level in the Naval Special Warfare community as well as serving two tours in Iraq under the Multi-National Security Transition Command (MNSTC-I). During his first tour with MNSTC-I he led the successful efforts to establish the Iraqi National Counter-Terrorism Task Force. During his second tour with MNSTC-I he served as Deputy Commander, overseeing the daily training and mentoring of the Iraqi Security Architecture and Government institutions. Since retiring, Winters has consulted to multiple corporations.

Should any of these individuals appear in any relationship with any contractor on a present or future contract, run the other way. Dig in your heels and refuse to sign any checks, contracts, etc.

Imperatis Corporation was once known as Jorge Scientific, which also crashed and burned. You can find their “leadership team” at the Wayback Machine as well.

You have to wonder how many Imperatis and Jorge Scientific “leaders” are involved in other government contracts.

Suggestions for a good starting place to root them out?

Shame! Shame! John McAfee Tricks Illiterates

May 16th, 2016

My day started with reading WhatsApp Message Hacked By John McAfee And Crew by Steve Morgan.

I thought it made the important point that while the WhatsApp message is secured by bank vault quality encryption:


By LoKiLeCh (Own work) [GFDL, CC-BY-SA-3.0, CC BY-SA 2.5-2.0-1.0, GFDL, CC-BY-SA-3.0 or CC BY-SA 2.5-2.0-1.0], via Wikimedia Commons

When you enlarge the little yellow note on the front (think Android) you find:


While your message encryption may be Shannon secure end-to-end, the security of your OS, to say nothing of your personal, organizational, etc., security counts whether the message is indeed “secure.”

A better illustration would be to show McAfee and crew taking the vault out of the wall (think OS) but my graphic skills aren’t up to that task. ;-)

That’s a useful lesson and to be honest, McAfee says as much, in the fifth paragraph of the story.

So I almost fell off my perch when later in the morning I read:

John McAfee Apparently Tried to Trick Reporters Into Thinking He Hacked WhatsApp by William Turton.

Here’s the lead paragraph:

John McAfee, noted liar and one-time creator of anti-virus software, apparently tried to convince reporters that he hacked the encryption used on WhatsApp. To do this, he attempted to send them phones with preinstalled malware and then convince them he was reading their encrypted conversations.

Just in case you don’t follow the “noted liar” link, that’s another post written by William Turton.

The “admitted lie” was one of simplification, compressing an iPhone hack into sound bite length.

Ever explain (attempt) computer technology to the c-suite? You are guilty of the same type of lies.

If someone divested themselves of their interest in WhatsApp because they didn’t read to the fifth paragraph of the original story, I’m sorry.

Read before you re-tweet/re-post and/or change your investments. Whether it’s a John McAfee story or not.

Twitter Giveth and Taketh Away (NSA as Profit Center?)

May 16th, 2016

Twitter Giveth: GCHQ intelligence agency joins Twitter. Just about anyone can get a Twitter account these days.

Do see the GCHQ GitHub site for shared software.

Taketh Away Twitter Bars Intelligence Agencies From Using Analytics Service.

Twitter has barred Dataminr from providing services to government intelligence services.

Dataminr monitors the entire Twitter pipe and provides analytics based on that stream.

Will this result in the NSA sharing its signal detection in the Twitter stream with other intelligence agencies?

Or for that matter, the NSA could start offering commercial signal detection services across all its feeds. Make it a profit center for the government rather than a money pit.

BTW, don’t be deceived by the illusion of space between government and Twitter, or any other entity that cooperates with a national government. Take “compromised” as a given. The real questions are by who and for what purpose?

How to create interactive maps with MapHub

May 16th, 2016

How to create interactive maps with MapHub by Mădălina Ciobanu.

From the post:

Maps may not be every graphics editor or reporter’s favourite way to illustrate information, particularly a more interesting dataset that can lend itself to a more creative format, but sometimes they are the best way to take your readers from point A to point B – literally.

We have written about mapping tools before, so make sure you check out the list (and stay tuned for an update!), but in the meantime this guide will show you how to create a quick interactive map using free platform MapHub, which is currently available in beta.

After you read about using MapHub, be sure to follow the link to resources on other mapping tools as well.

One quick use of maps for stories such as Congress, Maps and a Research Tale – Part 1, where public land is going to be mined in a noisy and toxic way, is to plot the physical residences of those who support the project versus those who oppose it.

I haven’t gathered that data, yet, but won’t be surprised if supporters DO NOT have the mine in their backyards.

Other examples of how distance increases political support for noxious activities?