Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 18, 2015

Summer DIY: Combination Lock Cracker

Filed under: Deep Learning,Security — Patrick Durusau @ 12:34 pm

Former virus writer open-sources his DIY combination lock-picking robot by Paul Ducklin.

Amusing account of Samy Kamkar and his hacking history up to and including:

…an open-source 3D-printed robot that can crack a combination lock in just 30 seconds by twiddling the dial all by itself.

Paul includes some insights into opening combination locks.

Good opportunity to learn about 3D printing and fundamentals of combination locks.

Advanced: Safe Cracker

If that seems too simple, try safe locks with the 3D-printed robot (adjusted for the size and torque required to turn the dial). The robot will turn the dial more consistently than any human hand. Use very sensitive vibration detectors to pick up the mechanical movement of the lock and capture that vibration as a digital file; from knowledge of the lock, you know the turns, directions, etc.

Then use deep learning over several passes on the lock to discover the opening sequence. You will need a stand for the robot to isolate its vibrations from the safe housing and to let it reach the combination dial.

Or you can call a locksmith and pay big bucks to open a safe.

The DIY way has you learning some mechanics, a little physics and deep learning.


If you are up for a real challenge, consider the X-09™ Locks (NSN #5340-01-498-2758), which are certified to meet FF-L-2740A, “the US Government’s highest security standard for container locks and doors.”

The factory default combination is 50-25-50, so try that first. 😉

Pump Up The Noise! Real Time Video

Filed under: News,Video — Patrick Durusau @ 10:46 am

Why Meerkat and Periscope Are the Biggest Things Since, Well, Twitter by Ryan Holmes.

From the post:


Finally, there are the global and political implications. If every single person on earth with a phone is able to broadcast anything in real time, we’re going to see a democratization of sharing information in ways we’ve never seen before. Take for example the crucial role that Twitter played in the Egyptian revolution of 2011. In many cases, social media became a new type of lifeline for people on the ground to share accounts of what was happening with the world. Now, imagine a similar world event in which live updates from citizens are in real-time video. These types of updates will transport viewers to events and places in ways we have never seen before.

Live video streaming is valuable for some use cases but the thought of “…every single person on earth is able to broadcast anything in real time…” fills me with despair.

Seriously. Think about the bandwidth you lose from your real time circumstances to watch a partial view of someone else’s real time circumstance.

Every displaced person in every conflict around the world could broadcast a live feed of their plight, but how many of those can you fit into a day? (Assume you aren’t being tube fed and have some real time interaction in your own environment.)

Live video is an image lifted out of a social context, a context that can’t be displayed as part of a real time video. Every real time video feed has such a context, which requires even more effort to acquire separately from the video feed.

As an example, take the “…the crucial role that Twitter played…” claim from the quote. Really? According to some accounts (The myth of the ‘social media revolution’; It’s Time to Debunk the Many Myths of the Egyptian Revolution), work on the issues and organization that resulted in the Arab Spring had been building for a decade, something the Twitter-centric accounts pass over in silence.

Moreover, as of September 2011, Egypt had only 129,711 Twitter users, so as of the Arab Spring, it was even lower. Not to mention that the poor who provided the backbone of the revolution did not have Western style phones with Twitter accounts.

A tweeted revolution is one viewed through a 140 character lens with no social context.

Now imagine real time imagery of “riots by hooligans” or “revolts by the oppressed” or “historical reenactments.” Despite its high bandwidth, real time video can’t reliably provide you with the context necessary to distinguish any of those cases from the others. No doubt real time video can advocate for one case or the other, but that isn’t the same as giving you the facts necessary to reach your own conclusions.

Real time video is a market opportunity for editorial/summary services that mine live video and provide a synopsis of its content. Five thousand live video accounts about displaced persons suffering from cold temperatures and lack of food isn’t actionable. Knowing what is required and where to deliver it is.

May 17, 2015

Hijacking Planes and the Forgotten Network on ≤ 5,577 Planes

Filed under: Cybersecurity,Security — Patrick Durusau @ 1:49 pm

The recent flare of discussion about hijacking airliners armed only with a laptop was due in part to: AIR TRAFFIC CONTROL: FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen GAO-15-370: Published: Apr 14, 2015. Publicly Released: Apr 14, 2015.

The executive summary reads in part:

Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.

Security expert Bruce Schneier comments on this report, saying in part:


The report doesn’t explain how someone could do this, and there are currently no known vulnerabilities that a hacker could exploit. But all systems are vulnerable–we simply don’t have the engineering expertise to design and build perfectly secure computers and networks–so of course we believe this kind of attack is theoretically possible. (emphasis added)

Bruce may be right about wireless networks, but what about someone plugging directly into an existing network on a:

(In service statistics from: Airfleets.net.)

An FBI search warrant obtained on April 17, 2015 reads in part:

18. A Special Agent with the FBI interviewed Chris Roberts on February 13, 2015 and March 5, 2015 to obtain information about vulnerabilities with In Flight Entertainment (IFE) systems on airplanes. Chris Roberts advised that he had identified vulnerabilities with IFE systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft. Chris Roberts furnished the information because he would like the vulnerabilities to be fixed.

19. During these conversations, Mr. Roberts stated the following:

A. That he had exploited vulnerabilities with IFE systems on aircraft while in flight. He compromised the IFE systems approximately 15 to 20 times during the time period 2011 through 2014. He last exploited an IFE system during the middle of 2014. Each of the compromises occurred on airplanes equipped with IFE systems with monitors installed in the passenger seatbacks.

B. That the IFE systems he compromised were Thales and Panasonic systems. The IFE systems had video monitors installed in the passenger seatbacks.

C. That he was able to exploit/gain access to, or “hack” the IFE system after he would get physical access to the IFE system through the Seat Electronic Box (SEB) installed under the passenger seat on airplanes. He said he was able to remove the cover for the SEB under the seat in front of him by wiggling and squeezing the box.

D. After removing the cover to the SEB that was installed under the passenger seat in front of his seat, he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight.

E. He then connected to other systems on the airplane network after he exploited/gained access to, or “hacked” the IFE system. He stated that he then overwrote code on the airplane’s Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he accessed to issue the “CLB” or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or “hacking” the airplane’s network. He used the software to monitor traffic from the cockpit system.

F. Roberts said he used Kali Linux to perform penetration testing of the IFE system. He used the default IDs and passwords to compromise the IFE systems. He said that he used VBox which is a virtualized environment to build his own version of the airplane network. The virtual environment would replicate the airplane network, and he used virtual machines on his laptop while compromising the airplane network.
… (emphasis added)

The FBI search warrant wasn’t based on hacking wireless networks, but on an old-fashioned hardwired connection to the network.

Assuming Roberts wasn’t trying to impress the FBI agents (never a good idea), there are approximately 5,577 planes that may be susceptible to hardwire hacking into the avionics system. (Models change over production and maintenance so the susceptibility of any particular airplane is a question of physical examination.)

If I were still flying, I would be voting with my feet on airline safety from hardwire hacking.

PS: I first saw the search warrant in: Feds Say That Banned Researcher Commandeered a Plane. by Kim Zetter.

May 16, 2015

The tensor renaissance in data science

Filed under: Data Science,Mathematics,Tensors — Patrick Durusau @ 8:02 pm

The tensor renaissance in data science by Ben Lorica.

From the post:

After sitting in on UC Irvine Professor Anima Anandkumar’s Strata + Hadoop World 2015 in San Jose presentation, I wrote a post urging the data community to build tensor decomposition libraries for data science. The feedback I’ve gotten from readers has been extremely positive. During the latest episode of the O’Reilly Data Show Podcast, I sat down with Anandkumar to talk about tensor decomposition, machine learning, and the data science program at UC Irvine.

Modeling higher-order relationships

The natural question is: why use tensors when (large) matrices can already be challenging to work with? Proponents are quick to point out that tensors can model more complex relationships. Anandkumar explains:

Tensors are higher order generalizations of matrices. While matrices are two-dimensional arrays consisting of rows and columns, tensors are now multi-dimensional arrays. … For instance, you can picture tensors as a three-dimensional cube. In fact, I have here on my desk a Rubik’s Cube, and sometimes I use it to get a better understanding when I think about tensors. … One of the biggest use of tensors is for representing higher order relationships. … If you want to only represent pair-wise relationships, say co-occurrence of every pair of words in a set of documents, then a matrix suffices. On the other hand, if you want to learn the probability of a range of triplets of words, then we need a tensor to record such relationships. These kinds of higher order relationships are not only important for text, but also, say, for social network analysis. You want to learn not only about who is immediate friends with whom, but, say, who is friends of friends of friends of someone, and so on. Tensors, as a whole, can represent much richer data structures than matrices.

The passage:

…who is friends of friends of friends of someone, and so on. Tensors, as a whole, can represent much richer data structures than matrices.

caught my attention.

The same could be said about other data structures, such as graphs.

I mention graphs because data representations carry assumptions and limitations that aren’t labeled for casual users, such as directed acyclic graphs not supporting the representation of husband-wife relationships.
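As an added illustration of the pair-versus-triplet point in the quote (example code, not from the podcast or the original post), two constructed toy corpora that have identical pairwise word co-occurrence matrices but different third-order co-occurrence tensors, so the triplet statistics cannot be recovered from the matrix alone:

```python
from itertools import combinations, permutations

# Two constructed toy corpora (example data, not from the page or the podcast).
# Every pair of words co-occurs in exactly one document in each corpus, but only
# CORPUS_A ever puts all three words in the same document.
CORPUS_A = ["alice bob carol"]
CORPUS_B = ["alice bob", "alice carol", "bob carol"]


def vocabulary(*corpora):
    """Sorted list of distinct words; positions index every mode of the matrix/tensor."""
    return sorted({w for docs in corpora for d in docs for w in d.split()})


def cooccurrence_matrix(docs, vocab):
    """2nd-order array: M[i][j] = number of documents in which words i and j both occur."""
    idx = {w: k for k, w in enumerate(vocab)}
    n = len(vocab)
    m = [[0] * n for _ in range(n)]
    for doc in docs:
        for a, b in combinations(sorted(set(doc.split())), 2):
            i, j = idx[a], idx[b]
            m[i][j] += 1  # symmetric: the order of the pair does not matter
            m[j][i] += 1
    return m


def cooccurrence_tensor(docs, vocab):
    """3rd-order array: T[i][j][k] = number of documents containing all of words i, j, k."""
    idx = {w: k for k, w in enumerate(vocab)}
    n = len(vocab)
    t = [[[0] * n for _ in range(n)] for _ in range(n)]
    for doc in docs:
        for a, b, c in combinations(sorted(set(doc.split())), 3):
            for i, j, k in permutations((idx[a], idx[b], idx[c])):
                t[i][j][k] += 1  # symmetric in all three modes
    return t


def entry(arr, vocab, *words):
    """Look up a matrix or tensor entry by word instead of by index."""
    idx = {w: k for k, w in enumerate(vocab)}
    for w in words:
        arr = arr[idx[w]]
    return arr


def pairs_agree_triplets_differ():
    """Return (matrices equal?, tensors equal?) for the two corpora: expected (True, False)."""
    vocab = vocabulary(CORPUS_A, CORPUS_B)
    m_a = cooccurrence_matrix(CORPUS_A, vocab)
    m_b = cooccurrence_matrix(CORPUS_B, vocab)
    t_a = cooccurrence_tensor(CORPUS_A, vocab)
    t_b = cooccurrence_tensor(CORPUS_B, vocab)
    return m_a == m_b, t_a == t_b


if __name__ == "__main__":
    vocab = vocabulary(CORPUS_A, CORPUS_B)
    same_pairs, same_triplets = pairs_agree_triplets_differ()
    print("pair matrices equal:", same_pairs)
    print("triplet tensors equal:", same_triplets)
    print("(alice, bob, carol) in A:", entry(cooccurrence_tensor(CORPUS_A, vocab), vocab, "alice", "bob", "carol"))
    print("(alice, bob, carol) in B:", entry(cooccurrence_tensor(CORPUS_B, vocab), vocab, "alice", "bob", "carol"))
```

The matrix records only which pairs appear together; only the tensor distinguishes a corpus where the three words ever appear jointly from one where they appear only in pairs.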

BTW, the Wikipedia entry on tensors has this introduction to defining tensor:

There are several approaches to defining tensors. Although seemingly different, the approaches just describe the same geometric concept using different languages and at different levels of abstraction.

Wonder if there is a mapping between the components of the different approaches?

Suggestions of other tensor resources appreciated!

May 15, 2015

Microsoft Security Intelligence Report (Volume 18: July 2014 – December 2014)

Filed under: Cybersecurity — Patrick Durusau @ 6:55 pm

Microsoft Security Intelligence Report (Volume 18: July 2014 – December 2014)

Pay particular attention to the featured report: “The life and times of an exploit.” An exploit that was successfully used despite a patch being available.

A good illustration that once buggy software is “in the wild,” patching those bugs only protects users bright enough to apply the patches.

For example, 77% of PCs are running unpatched Java JREs.

The lesson here is that patch maintenance is a necessary evil but to avoid evil altogether, less buggy software should be the goal.

May 14, 2015

Dynamical Systems on Networks: A Tutorial

Filed under: Dynamic Graphs,Dynamic Updating,Networks,Topic Maps — Patrick Durusau @ 2:55 pm

Dynamical Systems on Networks: A Tutorial by Mason A. Porter and James P. Gleeson.

Abstract:

We give a tutorial for the study of dynamical systems on networks. We focus especially on “simple” situations that are tractable analytically, because they can be very insightful and provide useful springboards for the study of more complicated scenarios. We briefly motivate why examining dynamical systems on networks is interesting and important, and we then give several fascinating examples and discuss some theoretical results. We also briefly discuss dynamical systems on dynamical (i.e., time-dependent) networks, overview software implementations, and give an outlook on the field.

At thirty-nine (39) pages and two hundred and sixty-three references, the authors leave the reader with an overview of the field and the tools to go further.

I am intrigued by the authors’ closing remarks:


Finally, many networks are multiplex (i.e., include multiple types of edges) or have other multilayer features [16, 136]. The existence of multiple layers over which dynamics can occur and the possibility of both structural and dynamical correlations between layers offers another rich set of opportunities to study dynamical systems on networks. The investigation of dynamical systems on multilayer networks is only in its infancy, and this area is also loaded with a rich set of problems [16, 136, 144, 205].

Topic maps can have multiple types of edges and multiple layers.

For further reading on those topics see:

The structure and dynamics of multilayer networks by S. Boccaletti, G. Bianconi, R. Criado, C.I. del Genio, J. Gómez-Gardeñes, M. Romance, I. Sendiña-Nadal, Z. Wang, M. Zanin.

Abstract:

In the past years, network theory has successfully characterized the interaction among the constituents of a variety of complex systems, ranging from biological to technological, and social systems. However, up until recently, attention was almost exclusively given to networks in which all components were treated on equivalent footing, while neglecting all the extra information about the temporal- or context-related properties of the interactions under study. Only in the last years, taking advantage of the enhanced resolution in real data sets, network scientists have directed their interest to the multiplex character of real-world systems, and explicitly considered the time-varying and multilayer nature of networks. We offer here a comprehensive review on both structural and dynamical organization of graphs made of diverse relationships (layers) between its constituents, and cover several relevant issues, from a full redefinition of the basic structural measures, to understanding how the multilayer nature of the network affects processes and dynamics.

Multilayer Networks by Mikko Kivelä, Alexandre Arenas, Marc Barthelemy, James P. Gleeson, Yamir Moreno, Mason A. Porter.

Abstract:

In most natural and engineered systems, a set of entities interact with each other in complicated patterns that can encompass multiple types of relationships, change in time, and include other types of complications. Such systems include multiple subsystems and layers of connectivity, and it is important to take such “multilayer” features into account to try to improve our understanding of complex systems. Consequently, it is necessary to generalize “traditional” network theory by developing (and validating) a framework and associated tools to study multilayer systems in a comprehensive fashion. The origins of such efforts date back several decades and arose in multiple disciplines, and now the study of multilayer networks has become one of the most important directions in network science. In this paper, we discuss the history of multilayer networks (and related concepts) and review the exploding body of work on such networks. To unify the disparate terminology in the large body of recent work, we discuss a general framework for multilayer networks, construct a dictionary of terminology to relate the numerous existing concepts to each other, and provide a thorough discussion that compares, contrasts, and translates between related notions such as multilayer networks, multiplex networks, interdependent networks, networks of networks, and many others. We also survey and discuss existing data sets that can be represented as multilayer networks. We review attempts to generalize single-layer-network diagnostics to multilayer networks. We also discuss the rapidly expanding research on multilayer-network models and notions like community structure, connected components, tensor decompositions, and various types of dynamical processes on multilayer networks. We conclude with a summary and an outlook.

This may have been where we collectively went wrong in marketing topic maps. Yes, yes it is true that topic maps could do multilayer networks but network theory has made $billions with an overly simplistic model that bears little resemblance to reality.

As computational resources improve and models that are closer to reality, at least somewhat closer, become popular, something between simplistic networks and the full generality of topic maps could be successful.

Where Big Data Projects Fail

Filed under: BigData,Project Management — Patrick Durusau @ 10:00 am

Where Big Data Projects Fail by Bernard Marr.

From the post:

Over the past 6 months I have seen the number of big data projects go up significantly and most of the companies I work with are planning to increase their Big Data activities even further over the next 12 months. Many of these initiatives come with high expectations but big data projects are far from fool-proof. In fact, I predict that half of all big data projects will fail to deliver against their expectations.

Failure can happen for many reasons, however there are a few glaring dangers that will cause any big data project to crash and burn. Based on my experience working with companies and organizations of all shapes and sizes, I know these errors are all too frequent. One thing they have in common is they are all caused by a lack of adequate planning.

(emphasis added)

To whet your appetite for the examples Marr uses, here are the main problems he identifies:

  • Not starting with clear business objectives
  • Not making a good business case
  • Management Failure
  • Poor communication
  • Not having the right skills for the job

Marr’s post should be mandatory reading at the start of every proposed big data project. And after reading it, the project team should prepare a detailed statement of the business objectives and the business case, along with how achievement of the business objectives will be measured.

Or to put it differently, no big data project should start without the ability to judge its success or failure.

RfCat – Summer Vacation Amusement

Filed under: Cybersecurity,Security — Patrick Durusau @ 8:46 am

RfCat

RfCat will keep you amused as you encounter new “home automation systems, smart meters, SCADA systems, “IOT” devices, mobile devices, and so many more” during summer travel.


From the catalog:

The RfCat USB Radio Dongle is custom hardware designed for use with the custom RFCat firmware written by At1as.

The RFCat USB Radio Dongle is capable of transmitting, receiving, snooping, SpectrumAnalysis on frequencies between 300-928MHz giving the user the ability sniff or attack any wireless data protocols that transmit in those frequency ranges. These include: home automation systems, smart meters, SCADA systems, “IOT” devices, mobile devices, and so many more.

The RFCat hardware is based on Chipcon “eleven eleven” (CC1111) and will (like all other INT3.CC products) be sold fully assembled and ready to use with simple instructions for setup and deployment.

At $75 plus shipping, RfCat costs less than a one day ticket to Disney World ($105) and can provide years of education and entertainment.

So far as I know, there are no commercial maps of weak hot spots, interesting network spots, known “IOT” devices, etc. Updated, downloadable maps of vulnerabilities at or near popular tourist destinations could become the ubiquitous gas station road maps of yesteryear.

May 13, 2015

The Traffic Factories…

Filed under: Journalism,News — Patrick Durusau @ 7:27 pm

The Traffic Factories: Metrics at Chartbeat, Gawker Media, and The New York Times by Caitlan Petre.

From the executive summary:

In a 2010 New Yorker profile, founder and CEO of Gawker Media Nick Denton argued, “probably the biggest change in Internet media isn’t the immediacy of it, or the low costs, but the measurability.” Digital media scholars and commentators could debate this claim exhaustively (and have), but there is little doubt that the ability to extensively track news readers’ behavior online is indeed a profound shift from the pre-Internet era. Newsrooms can now access real-time data on how readers arrive at a particular site or article, how often they visit, and what they do once they get there (e.g., how long they spend on a page, how far they scroll, and whether they are moving their mouse or pressing any keys).

What does all this data mean for the production of news? In the earlier days of web analytics, editorial metrics had both enthusiastic proponents and impassioned detractors. Nowadays the prevailing view is that metrics aren’t, by definition, good or bad for journalism. Rather, the thinking goes, it all depends what is measured: Some metrics, like page views, incentivize the production of celebrity slide shows and other vapid content, while others, like time on a page, reward high-quality journalism. Still, there are some who doubt that even so-called “engagement metrics” can peacefully coexist with (let alone bolster) journalistic values.

This report’s premise is that it will be impossible to settle these debates until we understand how people and organizations are producing, interpreting, and using metrics. I conducted an ethnographic study of the role of metrics in contemporary news by examining three case studies: Chartbeat, Gawker Media, and The New York Times. Through a combination of observation and interviews with product managers, data scientists, reporters, bloggers, editors, and others, my intention was to unearth the assumptions and values that underlie audience measures, the effect of metrics on journalists’ daily work, and the ways in which metrics interact with organizational culture. Among the central discoveries:

No, you need to go read the discoveries for yourself! 😉

Suffice it to say that it isn’t just the presence of metrics that is addressed but the influence of the presentation of metrics as well.

Petre asks of news readers:


Are they aware that their behavior on news sites is being tracked to the extent that it is? If so, how (if at all) does this affect their behavior?

On observation impacting behavior, see the Hawthorne effect. Subject to varying interpretations, the original study found that showing increased attention to workers boosted their productivity, which fell when the increased observation ceased. Research continues on this topic until the present day.

A harder to answer question would be how to measure the impact of observation, which in and of itself, has to impact the people being observed. The observational impact is in interaction with a large number of other variables, which are as difficult to measure as the impact of observation.

This is a great read for journalists or anyone who is interested in effective communication and the potential of metrics to measure the same.

Is Coding Necessary to be a Hacker?

Filed under: Cybersecurity,Security — Patrick Durusau @ 3:51 pm

You may get the impression from reports like Floppy Disk Hole in VMs (seriously) that serious coding skills are required to be a hacker.

Nothing could be further from the truth!

Sure, if you want to take over entire data centers, millions of VMs, take on the NSA in denial of service exchanges, ok, you are going to need some coding skills, not to mention some serious bandwidth and hardware.

If you lack those skills or resources, take heart from a recent Intel report on phishing that tested over 19,000 users from around the world.

Don’t be misled by headlines like: Intel Security’s Phishing Quiz Reveals 97 Per Cent of People Worldwide Cannot Identify Destructive Phishing Emails: “Make it a Rule to Never Click on Links or Attachments in Emails / Texts”. That is NOT what Intel reports.

The Intel post says:

Let’s take a look at the numbers:

  • Of the 19,000 plus visitors from more than 140 countries, only 3% of test-takers identified every email correctly.
  • Perhaps more importantly, 80% of those who took the quiz incorrectly identified at least one phishing email. And unfortunately, one email is all it takes to fall victim to an attack.
  • The worldwide average score was 65.4%, which means test takers missed one in four phishing emails on average.

The test had phishing and non-phishing emails. To be in the 3%, you needed to identify both the phishing and the non-phishing emails correctly. There is no danger from thinking a non-phishing email is phishing. The reverse is not true.

Take heart, 80% or 8 out of every 10 employees where you work will fall for phishing emails. Deep coding skills not required.

BTW, from the quiz post:

On average, industry insiders were only able to pick out two-thirds of the fakes. A slim six percent of quiz-takers got all the questions right, and 17 percent got half or more wrong. Remember, this is their job.

There may be a career for you in hacking via phishing. Remember, it’s an 80% shot for very little effort.

PS: Journalists/bloggers: It took five or six jumps to find the original Intel posts. Please include links to the original source of information in your posts.

Floppy Disk Hole in VMs (seriously)

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:48 pm

Security Researcher Claims ‘VENOM’ Leaves Millions of Virtual Machines Vulnerable by David Bisson.

From the post:

A security researcher has discovered a new vulnerability that he claims could allow a hacker to infiltrate potentially every machine on a datacenter’s network, leaving millions of virtual machines vulnerable to attack.

According to CrowdStrike Senior Security Researcher Jason Geffner, ‘VENOM’ (CVE-2015-3456), which is an acronym for “Virtual Environment Neglected Operations Manipulation,” is a vulnerability that exists in the floppy disk controller driver for QEMU, an open-source computer emulator known as a hypervisor that is used for managing virtual machines.

The vulnerable section of QEMU’s code has been integrated into other virtualization platforms, including Xen, Kernel-based Virtual Machine (KVM), and Oracle VM, potentially leaving hundreds of thousands if not millions of virtual machines susceptible to attacks that exploit the VENOM bug.

Other hypervisors, including VMware, Microsoft Hyper-V, and Bochs, are not affected.

A patch is due out tomorrow (March 14th) but example exploit code won’t be posted.

Should not be that hard to work out. You know it is in the floppy code of QEMU. It is an overflow situation, so you identify the data structure in question, create the overflow and decide where you go from there.

If you are dreaming of taking over millions of VMs in data centers, you will need some computer programming skills. If you don’t have those skills, you aren’t doomed as a “hacker,” more news on that is on its way.


PoC for VENOM: https://marc.info/?l=oss-security&m=143155206320935&w=2 Untested, use at your own risk.


Rackspace issues with VENOM: power cycle required for VMs. See the thread for details.


Jason Geffner has posted a full workup of the FDC vulnerability in: VENOM Vulnerability Details.

New: Library of Congress Demographic Group Terms (LCDGT)

Filed under: Demographics,Library,Vocabularies — Patrick Durusau @ 1:51 pm

From an email:

As part of its ongoing effort to provide effective access to library materials, the Library of Congress is developing a new vocabulary, entitled Library of Congress Demographic Group Terms (LCDGT). This vocabulary will be used to describe the creators of, and contributors to, resources, and also the intended audience of resources. It will be created and maintained by the Policy and Standards Division, and be distinct from the other vocabularies that are maintained by that division: Library of Congress Subject Headings (LCSH), Library of Congress Genre/Form Terms for Library and Archival Materials (LCGFT), and the Library of Congress Medium of Performance Thesaurus for Music (LCMPT).

A general rationale for the development of LCDGT, information about the pilot vocabulary, and a link to the Tentative List of terms in the pilot may be found on LC’s Acquisitions and Bibliographic Access website at http://www.loc.gov/catdir/cpso/lcdgt-announcement.html.

The Policy and Standards Division is accepting comments on the pilot vocabulary and the principles guiding its development through June 5, 2015. Comments may be sent to Janis L. Young at jayo@loc.gov.

A follow-up question to this post asked:

Is there a list of the codes used in field 072 in these lists? Some I can figure out, but it would be nice to see a list of the categories you’re using.

The list in question is: DEMOGRAPHIC GROUP TERMS.

To which Adam Schiff replied:

The list of codes is in http://www.loc.gov/catdir/cpso/lcdgt-principles.pdf and online at http://www.loc.gov/standards/valuelist/lcdgt.html (although the latter is still lacking a few of the codes found in the former).

Enjoy!

When Citizens Differ From Their Governments

Filed under: Government,Politics — Patrick Durusau @ 1:07 pm

Treatment of Foreign Fighters in Selected Jurisdictions from the Library of Congress.

Summary:

This report contains information on provisions in place or under consideration by the United Nations (UN), the European Union, and 73 countries on the treatment of individuals who join and fight for terrorist organizations in foreign countries. A number of countries are currently considering action following the September 2014 adoption of a UN Security Council resolution expressing concern about the threat of foreign terrorist fighters. Many nations, as illustrated below, already have punishments applicable to such fighters, including imprisonment and/or loss of citizenship. In a number of jurisdictions, penalties for joining terrorist organizations increase when the individual recruits others or undergoes military training with those organizations. A unique approach is being taken in one city in Denmark, where instead of facing punishment, returning fighters are being given study or employment opportunities. In addition to the report on these jurisdictions, two maps have been included to illustrate the findings.

The city government of Aarhus, Denmark, has chosen not to criminalize disagreement with its national government. Some of its citizens disagree with the characterization of the IS as a terrorist organization, have fought on its side in Syria and returned to Aarhus. There they have not been jailed but offered dialogue and treated as members of the community.

“Terrorist organization” is a label of convenience for any group disliked by a national government, which are themselves amoral organizations. The prison sentences and other punishments detailed in this document are governmental thought and action control. The ringing of freedom stops when you disagree with a national government.

The report summarizes the efforts in Aarhus (footnotes included) as follows:


Among twenty-five countries that have given official estimates, Denmark reportedly has one of the largest numbers of inhabitants fighting in Syria measured as a percentage of the total Muslim population, 98 but the suggested treatment of and measures against returning IS fighters have Danes divided. The Danish government has promised a review of the current terror laws to determine whether they are consistent with human rights. 99 The opposition party Danske Folkepartiet has made clear that they would prefer to see that IS fighters, regardless of their citizenship status, never set foot on Danish soil. 100 Following problems with several jihadists, reportedly twenty-three in number, being sent to Syria from a mosque in Aarhus (Denmark’s second largest city), the political right has asked that the mosque be closed. 101 The Danish government has opposed such measures. 102 Instead Aarhus has chosen to welcome home IS warriors with a soft approach tailored at finding them jobs and providing university studies, according to news reports. 103

[Footnotes]

98 See, e.g., Bharati Naik, Atika Shubert & Nick Thompson, Denmark Offers Some Foreign Fighters Rehab Without Jail Time – But Will It Work?, CNN.COM (Oct. 28, 2014), http://www.cnn.com/2014/10/28/world/europe/denmark-syria-deradicalization-program/.

99 Denmark to Reconsider Its Terror Laws, THE LOCAL (Aug. 12, 2014), http://www.thelocal.dk/20140812/denmark-to-reconsider-its-terror-laws.

100 Martin Henriksen, Op-ed., Sharia politi? Aldrig i Danmark, BERLINGSKE (Sept. 11, 2014), http://www.b.dk/kommentarer/sharia-politi-aldrig-i-danmark.

101 Michael Ørtz Christiansen, Borgerlige partier kræver Aarhus-moské lukket, BERLINGSKE (Sept. 3, 2014), http://www.politiko.dk/nyheder/borgerlige-partier-kraever-aarhus-moske-lukket.

102 Id.

103 Denmark Tries a Soft Handed Approach to Returned Islamist Fighters, WASHINGTON POST (Oct. 19, 2014), http://www.washingtonpost.com/world/europe/denmark-tries-a-soft-handed-approach-to-returned-islamist-fighters/2014/10/19/3516e8f3-515e-4adc-a2cb-c0261dd7dd4a_story.html; CNN.COM, supra note 98.

Anti-terrorism laws are blatant efforts by national governments to suppress support by their own citizens for groups with which the government disagrees. Suppression of the moral right of their citizens to choose who is or is not worthy of their support. Suppression of the moral right of their citizens to act on their beliefs.

Reform of “terrorist” laws in Denmark should conclude that citizens should not be penalized for moral choices that disagree with self-serving amoral choices made by governments.

By the same token, opposition to some groups by the United States, driven by funding bases of political parties and bizarre religious ideology, should not prohibit me from making different choices. Or else let’s amend the last line from the United States National Anthem:

O’er the land of the unfree and the home of the graves?

If a citizen cannot make moral choices different from their government’s and act on those beliefs, in what sense are they free? In what sense are they brave if draconian punishments deter them from acting on their moral choices?

May 12, 2015

IoDT – Internet of Dangerous Things

Filed under: Cybersecurity,Security — Patrick Durusau @ 6:57 pm

CHIP — The World’s First $9 Computer by Swati Khandelwal.

From the post:

A Californian startup led by Dave Rauchwerk is currently seeking crowdfunding on Kickstarter to create a computer that will cost as little as $9 (or £6).

The new microcomputer, dubbed CHIP, is a tiny, Linux-based, super-cheap computer that’s described as being “built for work, play, and everything in between!”

CHIP packs a 1GHz R8 ARM processor, 4GB of internal flash storage, 512MB of DDR3 RAM, Bluetooth, and Wi-Fi — something you do not find in even the modern microcomputer, Raspberry Pi.

If you look at the output front of the CHIP, it features a single full-sized USB port, headphones output, microphone input, a composite video output (with options for VGA and HDMI via an adapter) that even supports older televisions, and a micro USB that supports OTG.

Only 24 days left to sign up at: https://www.kickstarter.com/projects/1598272670/chip-the-worlds-first-9-computer/video_share.

Not the first but certainly a player on the Internet of Dangerous Things (IoDT).

Imagine induction powering this puppy in removable outlets or light switches in a hotel room. Or giving it more sophisticated detection, timing or other duties. DHCP isn’t going anywhere and I only need physical access once. Do you trust everyone who has ever been in your building? Just asking.

Software’s 150 Year Old Disclosure Policy

Filed under: Cybersecurity,Security — Patrick Durusau @ 6:15 pm

Katie Moussouris writes:


The year 1853 called. They want their disclosure debate back.

A locksmith living over 150 years ago named Alfred Charles Hobbs said it beautifully when discussing whether revealing lock-picking techniques publicly was acceptable: “Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.”

The irony that the modern lock manufacturers have not learned the lessons of their industrial-age forebears indicates that we haven’t sufficiently shifted the norms of vendor behavior in over a century and a half or more.

As Katie details in her post, the attitude that vulnerabilities should be kept secret persists even to this day.

She points out that incentives can help with the discovery of bugs, see: HackerOne Now Offers Bounties For New Bug Discovery Tools And Techniques.

Are you ready to update your 150-year-old vulnerability disclosure policy?

If not, then you have chosen for hackers to win the cybersecurity war.

Creative computing with Clojure

Filed under: Art,Clojure,Music — Patrick Durusau @ 3:56 pm

Creative computing with Clojure by Carin Meier.

From the post:

Clojure is gaining traction and popularity as a programming language. Both enterprises and startups are adopting this functional language because of the simplicity, elegance, and power that it brings to their business. The language originated on the JVM, but has since spread to run on the CLR and Node.js, including web browsers and mobile devices. With this spread of practical innovation, there has been another delightful development: a groundswell of people making art with Clojure.

Carin covers music, visual arts, dance, and animation, with pointers to videos and projects.

If you are looking for a challenging but enjoyable escape from the daily news, this is a good place to start!

Fast Track, Obama and Silencing Democracy

Filed under: Government,Politics — Patrick Durusau @ 3:32 pm

TheCapitalNet produced a great chart of the legislative process in Congress:

legislation-flowchart

Wikipedia reports the fast track process (non-tariff) as follows:

If the President transmits a fast track trade agreement to Congress, then the majority leaders of the House and Senate or their designees must introduce the implementing bill submitted by the President on the first day on which their House is in session. (19 U.S.C. § 2191(c)(1).) Senators and Representatives may not amend the President’s bill, either in committee or in the Senate or House. (19 U.S.C. § 2191(d).) The committees to which the bill has been referred have 45 days after its introduction to report the bill, or be automatically discharged, and each House must vote within 15 days after the bill is reported or discharged. (19 U.S.C. § 2191(e)(1).)

Perhaps a flowchart would be better:

fast-track

Admittedly, mine is the poorer quality of the two but you can see the full procedure is far more democratic.

President Obama supports democratic processes, at least until he is in charge.

As a second term president, Obama has no further need for the voices of the people or their representatives, and it shows.

Senator Elizabeth Warren is right, this needs to be defeated now and every time it is proposed. No more non-democratic law making in secret.

PS: As I post this, news came out that the Senate has voted to not take up the fast track authority bill. Let’s hope that effort dies as non-democratic.

Lone Wolf Cyber-Porno-Terrorist Strikes!

Filed under: Government,Politics,Security — Patrick Durusau @ 8:22 am

Just a day after the headlines read: Lone-wolf terrorists could attack U.S. ‘at any moment,’ Homeland Security chief admits (by Adam Edelman), a digital billboard was hacked in Buckhead (Atlanta) and a male nude image was inserted in the photo rotation. According to local news reports:

The case is now in the hands of the APD’s Homeland Security unit.

Why treat this as a terrorist strike?

1. The male nude image is the first tip-off. Had it been a female nude image, it could have been a Victoria’s Secret ad, a new Sports Illustrated cover, or even a bath oil ad:

chael-ad

Female nudes are advertising. Male nudes, well, that is a psychic attack on everyone who sees it.

2. Disruption of a legitimate commercial activity (advertising). Another sign of terrorism is the disruption of legitimate commerce, in this case, advertising various products. Disrupting advertising is the moral equivalent of urinating in the corners of a cathedral.

3. Hacking into computers is a classic “lone wolf” activity. Keep an eye out for anyone working at a computer display/keyboard by themselves. One of the early signs of a computer hacker/lone wolf. Look around on your commute. See all the single passenger vehicles? Another sign of lone wolves.

4. When they capture this lone wolf cyber-porno-terrorist, no doubt they never discussed their hatred of the United States, loyalty to whatever they are loyal to, and their plans to rain death and destruction, as well as psychic distress, on innocent civilians. People of certain groups, wink, wink, who don’t discuss their plans for terrorism, are obviously concealing those plans. Non-discussion is another tip-off that you are dealing with a terrorist, possibly a lone wolf one.

BTW, fear lackey Sen. Barbara Feinstein is quoted in the Edelman post:


Democratic Sen. Barbara Feinstein said there appears to be a new model for terrorist attacks, in which ISIS encourages people across the world to launch attacks, and then the group takes credit.

“(ISIS) is putting that lone wolf in a position that they have never been in before: ‘You do it, we’ll take credit for it,’” she said on NBC’s “Meet the Press.”

There has been no word so far if ISIS has taken credit for the Buckhead digital billboard hack.

Security Budgets as a Percent of Revenue

Filed under: Cybersecurity,Security — Patrick Durusau @ 7:39 am

All the passionate speeches about cybersecurity, strike teams, etc. to one side, security budgets tell a different tale.

security-budgets

Remember? No incentives to have better software or security.

Expect this budget “trend” to continue so long as incentives are lacking.

I found this at Cyber-Security Stat of the Day. Great site!

May 11, 2015

Sovereignty For International Investors (Trans-Pacific Partnership (TPP))

Filed under: Government,Politics — Patrick Durusau @ 7:36 pm

Elizabeth Warren makes a compelling case against the Trans-Pacific Partnership in The Trans-Pacific Partnership clause everyone should oppose, where she says:


ISDS [Investor-State Dispute Settlement] would allow foreign companies to challenge U.S. laws — and potentially to pick up huge payouts from taxpayers — without ever stepping foot in a U.S. court. Here’s how it would work. Imagine that the United States bans a toxic chemical that is often added to gasoline because of its health and environmental consequences. If a foreign company that makes the toxic chemical opposes the law, it would normally have to challenge it in a U.S. court. But with ISDS, the company could skip the U.S. courts and go before an international panel of arbitrators. If the company won, the ruling couldn’t be challenged in U.S. courts, and the arbitration panel could require American taxpayers to cough up millions — and even billions — of dollars in damages.

If that seems shocking, buckle your seat belt. ISDS could lead to gigantic fines, but it wouldn’t employ independent judges. Instead, highly paid corporate lawyers would go back and forth between representing corporations one day and sitting in judgment the next. Maybe that makes sense in an arbitration between two corporations, but not in cases between corporations and governments. If you’re a lawyer looking to maintain or attract high-paying corporate clients, how likely are you to rule against those corporations when it’s your turn in the judge’s seat?


The use of ISDS is on the rise around the globe. From 1959 to 2002, there were fewer than 100 ISDS claims worldwide. But in 2012 alone, there were 58 cases. Recent cases include a French company that sued Egypt because Egypt raised its minimum wage, a Swedish company that sued Germany because Germany decided to phase out nuclear power after Japan’s Fukushima disaster, and a Dutch company that sued the Czech Republic because the Czechs didn’t bail out a bank that the company partially owned. U.S. corporations have also gotten in on the action: Philip Morris is trying to use ISDS to stop Uruguay from implementing new tobacco regulations intended to cut smoking rates.

I understand Senator Warren’s focus on the United States, but it diverts her from a darker issue raised by the TPP.

The TPP gives international investors sovereignty equivalent to national governments.

Without the TPP and similar agreements, an international investor with a dispute with Australia, Brunei Darussalam, Canada, Chile, Malaysia, Mexico, Peru, Singapore, United States, Vietnam, or New Zealand, has to sue in the courts of that country.

With the TPP, international investors, being equal sovereigns with those countries, can use Investor-State Dispute Settlement (ISDS) to bring a national government before privately selected arbiters, in possibly secret proceedings, because of laws or regulations they find objectionable.

Is that scare mongering?

Why don’t you ask:

Australia. Philip Morris is suing Australia over legislation to regulate tobacco packaging. The Australian government has assembled all the public documents from that process at: Tobacco plain packaging—investor-state arbitration. The proceedings are based on: (Hong Kong – Australia treaty) (I have read predatory agreements before but nothing on this scale. There are no limits on the rights of investors. None at all.)

Or,

Uruguay. Philip Morris is suing Uruguay because of laws that have been reducing smoking by 4.3% a year (Philip Morris Sues Uruguay Over Graphic Cigarette Packaging). Not in court, but in an Investor-State Dispute Settlement (ISDS) proceeding. This proceeding is based on: (The Swiss Confederation – Uruguay Bilateral Trade Agreement)

The Uruguay agreement provides in part:


Article 2 Promotion, admission

(1) Each Contracting Party shall in its territory promote as far as possible investments by investors of the other Contracting Party and admit such investments in accordance with its law. The Contracting Parties recognize each other’s right not to allow economic activities for reasons of public security and order, public health or morality, as well as activities which are by law reserved to their own investors.

That sounds like a public health exception to me.

If the United States and the other countries are daft enough to confer sovereignty on international investors, are there any limits to their rights?

From the TPP:


3 (b) Non-discriminatory regulatory actions by a Party that are designed and applied to protect legitimate public welfare objectives, such as public health, safety, and the environment, do not constitute indirect expropriations, except in rare circumstances. [TPP Annex II-B]

I don’t know what “rare circumstances” might mean in this context so I wrote to the Office of the United States Trade Representative at: correspondence@ustr.eop.gov, on March 28, 2015, saying:

I am trying to follow the discussion of the Trans-Pacific Partnership agreement 
and have a question about Annex 11-B paragraph 3, sub-point (b), which reads:

*****
Non-discriminatory regulatory actions by a Party that are designed and applied
to protect legitimate public welfare objectives, such as public health, safety, 
and the environment, do not constitute indirect expropriations, except in rare
circumstances.
*****

My question is: Have there been any cases of "rare circumstances?"

I assume from the wording not many but that it is mentioned at all 
implies it isn't unknown.

Is there a source for decisions that would include those "rare
circumstances" that is available online?

Or other sources though those would be difficult for me to consult 
since I don't travel. Perhaps I could request copies of such decisions.

Thanks! 

I can quote the response of the Office of the United States Trade Representative in full:

 
 
 
 
 

That’s right, no response at all.

The Philip Morris cases are concrete evidence of how investment treaties are in fact used to overturn public health laws passed by a sovereign government.

Why should the United States, or any other country, need to confer sovereignty on international investors, so they can have a very private court between themselves and nation states?

The United States has fine courts open for litigation. The Second Circuit Court of Appeals recently ruled the NSA bulk collection of domestic calling records to be unconstitutional. I don’t think anyone can truthfully say that the U.S. government has an unfair advantage in U.S. courts.

As a matter of fact, there is a free trade agreement with Australia, Section 11 Investment, that has no Investor-State Dispute Settlement (ISDS) language at all.

The most it says is found in Article 11.5 Minimum Standard of Treatment, 2. (a):

“fair and equitable treatment” includes the obligation not to deny justice in criminal, civil, or administrative adjudicatory proceedings in accordance with the principle of due process embodied in the principal legal systems of the world; and

If investors from either country have a problem, they can sue in the courts of the other country. That was at the instigation of Australia, as I understand the back story on that agreement.

Adoption of the TPP will mean that six hundred and forty five million (645 million) people (estimates for 2015), who produce forty percent (40%) of the world GDP, will be ruled over by their governments and an unknown number of unelected international investors.


Other resources to consult:

United Nations Conference on Trade and Agreement

Investor-state dispute settlement: A sequel (UNCTAD Series on Issues in International Investment Agreements II)

At page 52 it comments on non-discriminatory regulations (public health for example), saying:


IIAs’ substantive obligations can be delineated by general exceptions. The latter allow States to derogate from the IIA obligations when such derogation pursues a policy objective included in the general-exceptions clause. Such policy may include public health and safety, national security, environmental protection and some others. A number of treaties now contain general exceptions, but how they will work in practice is yet to be tested.

Claims by TPP supporters that the TPP will not impact national laws is at best disingenuous and at worse an outright lie. No one really knows how far sovereignty granted to international investors will go under the TPP language.

Issues in International Investment Agreements (First series), UNCTAD

Thirty five (35) documents that cover investment agreements in great detail. This is part of the second series referenced in Investor-state dispute settlement: A sequel (UNCTAD Series on Issues in International Investment Agreements II).

One volume of particular interest: Expropriation, at pages 57-109.


II. Establishing An Indirect Expropriation and Distinguishing It From Noncompensable Regulation.

The matter of establishing an indirect expropriation without impeding the right of States to regulate in the public interest has been one of the more challenging problems in recent years. This section aims to review the relevant treaty and arbitral practice and contribute to the development of an appropriate analytical framework.

Section A examines the factors used to evaluate whether an indirect expropriation has occurred. These include assessing the impact on the investment, interference with investor’s legitimate expectations and the characteristics of the measure at stake.

Section B discusses how IIAs have singled out noncompensable regulatory measures and distinguishes them from cases of indirect expropriation. Such measures do not require compensation even where they produce a significant negative effect on an investment.

Section C concludes the preceding discussion by providing a framework for analysis of whether a certain governmental measure constitutes an indirect expropriation.

I lack the author’s confidence that the police powers of the state will be respected, particularly in light of the “practice” of international investors as shown by Philip Morris.

International Investment Agreements Navigator A very useful resource for finding international investment agreements.

May 10, 2015

Open Terrorist Leadership Positions

Filed under: Government,Politics — Patrick Durusau @ 3:43 pm

With all the discussions about a shortage of IT talent in the near future, I wanted to draw your attention to employment/promotion opportunities inside terrorist organizations.

Just searching today I discovered:

senior al qaeda killed: 9,460,000 “hits”

senior isis killed: 5,130,000 “hits”

senior hamas killed: 922,000 “hits”

senior taliban killed: 760,000 “hits”

Of course, “hits” included duplicate stories of the same event, so don’t take those figures as representing the number of open leadership positions.

I haven’t seen any reports that take credit for killing foot soldiers and/or innocent civilians.

To any United States government employee reading this post, this is not an attempt to recruit anyone for any group or organization.

It is an attempt to highlight the absurdity of repeating the Vietnam “body count” propaganda in the guise of killing “senior officials.”

The United States has been successful at terrorizing entire populations who never know when a cruise missile, drone or other explosive will be inflicted on them. That does not equate to “killing senior officials” and as the CIA has discovered, makes the United States less secure, not more secure.

Novel suggestion: Why not fight terrorism by not engaging in terrorism?

Simple Math Defeats NSA

Filed under: Cybersecurity,NSA,Security — Patrick Durusau @ 3:13 pm

The simple math problem that blows apart the NSA’s surveillance justifications by Ryan Cooper.

From the post:

Here’s a question about death and probability, done first by Cory Doctorow. Suppose one out of every million people is a terrorist (if anything, an overestimate), and you’ve got a machine that can determine whether someone is a terrorist with 99.9 percent accuracy. You’ve used the machine on your buddy Jeff Smith, and it gives a positive result. What are the odds Jeff is a terrorist?

Try to figure it out, or at least guess, before you read on.
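The arithmetic behind the puzzle, as an added worked example (not code from Cooper’s or Doctorow’s post): Bayes’ rule applied to a detector with a one-in-a-million base rate. It assumes the quoted “99.9 percent accuracy” means both the true-positive rate (sensitivity) and the true-negative rate (specificity), and it also computes two things the puzzle only hints at: how many innocent people such a detector flags across a whole (constructed, round-number) population, and how common terrorists would have to be before a positive result is even a coin flip.

```python
"""Base-rate arithmetic for a hypothetical 'terrorist detector'.

Added example for the Doctorow/Cooper puzzle; not code from either post.
Assumption: "99.9 percent accuracy" is read as sensitivity == specificity == 0.999.
The population figure used below is a constructed round number, not a statistic.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Detector:
    prevalence: float    # P(terrorist): fraction of the population that is one
    sensitivity: float   # P(flag | terrorist)
    specificity: float   # P(no flag | not terrorist)

    def posterior_given_positive(self) -> float:
        """P(terrorist | flag), by Bayes' rule.

        P(T|+) = P(+|T) P(T) / (P(+|T) P(T) + P(+|not T) P(not T))
        """
        true_pos = self.sensitivity * self.prevalence
        false_pos = (1.0 - self.specificity) * (1.0 - self.prevalence)
        return true_pos / (true_pos + false_pos)

    def expected_flags(self, population: int) -> Tuple[float, float]:
        """Expected (true positives, false positives) if everyone is screened."""
        terrorists = population * self.prevalence
        innocents = population - terrorists
        return terrorists * self.sensitivity, innocents * (1.0 - self.specificity)

    def breakeven_prevalence(self) -> float:
        """Prevalence at which a flag is a coin flip, i.e. P(T|+) == 0.5.

        Solve sens * p == fpr * (1 - p) for p, where fpr = 1 - specificity.
        """
        fpr = 1.0 - self.specificity
        return fpr / (self.sensitivity + fpr)


# The puzzle's numbers: 1 in 1,000,000 base rate, 99.9 % "accuracy".
PUZZLE = Detector(prevalence=1e-6, sensitivity=0.999, specificity=0.999)

# Constructed population for the screening illustration (hypothetical value).
POPULATION = 320_000_000


def odds_jeff_is_a_terrorist() -> float:
    """P(terrorist | positive) for Jeff Smith under the puzzle's assumptions."""
    return PUZZLE.posterior_given_positive()


def screening_counts() -> Tuple[float, float]:
    """(true positives, false positives) when the whole population is screened."""
    return PUZZLE.expected_flags(POPULATION)


if __name__ == "__main__":
    p = odds_jeff_is_a_terrorist()
    tp, fp = screening_counts()
    print(f"P(terrorist | positive) = {p:.6f}  (about 1 in {round(1 / p):,})")
    print(f"Screening {POPULATION:,} people: ~{tp:,.0f} real hits, ~{fp:,.0f} innocents flagged")
    print(f"A positive becomes a coin flip only at prevalence {PUZZLE.breakeven_prevalence():.4f}")
```

Under these assumptions a positive result makes Jeff about 0.1% likely to be a terrorist, and the false positives outnumber the true positives roughly a thousand to one; the detector would need terrorists to be one in a thousand, not one in a million, before a flag was even 50/50.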

Similar conclusion to Begging National Security Questions #1 where out of 10,295,642,951 airline passengers screened from 2002 – 2015, the TSA has yet to catch a single terrorist. Not one.

Perhaps critics (I’m one) of the NSA are asking the wrong questions.

Surely NSA staff mathematicians know the problems both formal and practical with the surveillance activities at the NSA. Even the political appointees at DHS have noticed a drought of ten years without a single terrorist. Their competitors at the FBI coerce the mentally ill into terrorist suspects.

What if the debate over the justifications for surveillance is a distraction? While we sally back and forth over statistics, methodologies, legal issues, etc., the real drivers for the activity are elsewhere?

Since the NSA budget is top-secret, let’s look at the Department of Homeland Security budget, from 2002 to 2015. I used the budget-in-brief documents from DHS Budget. (I didn’t see any machine readable files. Let me know if there are other sources with machine readable files. Thanks!)

Total DHS Budgets by Year:

2002 $20 billion
2003 $38 billion
2004 $36 billion
2005 $40 billion
2006 $41 billion
2007 $43 billion
2008 $46 billion
2009 $51 billion
2010 $55 billion
2011 $56 billion
2012 $57 billion
2013 $59 billion
2014 $60 billion
2015 $61 billion
2016 $65 billion
Total $628 billion

The self-professed justification of the DHS can be found in the first paragraph of its Budget-in-Brief for 2016:

The Department of Homeland Security’s (DHS) ultimate mission is to secure the Nation from the many threats we face. This requires the dedication of nearly a quarter million employees with responsibilities that range from facilitating the efficient flow of commerce; preventing terrorism; protecting our national leaders; securing and managing the border; enforcing and administering immigration laws; and preparing for and responding to disasters. Our duties are wide-ranging, but our goal is quite clear—keep America safe.

It is an article of faith, dogma, inerrant truth, at least for the DHS that America faces many threats. No amount of evidence can shake their faith in that proposition.

Why not take a non-refutation approach? Just bypass the bass intoning of “America faces many threats,” and jump to what is being done to respond to those threats?

I hate conceding factual falsehoods but more effective engagement on budget waste may (no guarantees) lead to less surveillance and more useful spending of federal funds.

First, we need an image that captures the essence of the DHS budget. Here is my suggestion:

cookie-jar

Second, focus on the cookie part of the imagery. What cookies did your locality get last year from the DHS? Those cookies have more to do with the distribution of money than any attempt to “…keep America safe.” And no doubt some of those 250,000 DHS staff work in your community, shop in your stores, buy homes, etc. If you aren’t getting your share of the cookies, time to complain.

Third, mine the DHS budget for the many ineffectual programs (like the TSA) which have yet to produce a single terrorist. Go ahead and concede the fantasy of terrorists and even encourage it. Then you can ask: “OK, so if terrorists are lurking nearly everywhere, why haven’t you caught even one?”

I think there are a variety of factors driving DHS:

  • The government wants to be seen as doing something to prevent terrorism, even if their efforts are totally ineffectual. Such as feeling up little children at airports.
  • The DHS distributes jobs and purchases across the economy and that is viewed as a benefit (cookie) by many members of Congress.
  • Preservation of the DHS as a department, which is its main rationale for continuing to exist. Going on fourteen (14) years without a single terrorist arrest by the TSA should be proof enough that the United States is a terrorist desert (except for the mentally ill entrapped by the FBI).

Let’s concede the terrorist fantasy and then cut the legs out from under DHS.

May 9, 2015

David Smith Slays Big Data Straw Person

Filed under: BigData,Business Intelligence — Patrick Durusau @ 4:36 pm

The Business Economics And Opportunity Of Open-Source Data Science by David Smith.

David sets out to slay the big data myth that: “It’s largely hype, with little practical business value.”

Saying:

The second myth, that big data is hype with no clear economic benefits, is also easy to disprove. The fastest-growing sectors of the global economy are enabled by big data technologies. Mobile and social services would be impossible today without big data fueled by open-source software. (Google’s search and advertising businesses were built on top of data science applications running on open-source software.)

You may have read on my blog earlier today, Slicing and Dicing Users – Google Style, which details how Google has built that search and advertising business. If rights to privacy don’t trouble you, Google’s business model beckons.

David is right that the straw person myth he erected, that big data is “…largely hype, with little practical business value,” is certainly a myth.

In his haste to slay that straw person, what David overlooks is the repeated hype that “there is value in big data.” That is incorrect.

You can create value, lots of it, from big data, but that isn’t the same thing. Creating value from big data requires appropriate big data, technical expertise, a clear business plan for a product or service, marketing, all the things that any business requires.

The current hype about “…there is value in big data” reminds me of the header for a lottery by the Virginia Company:

virginia-header

True enough, Virginia is quite valuable now and has been for some time. However, there was no gold on the ground to be gathered by the sack full and big data isn’t any different.

Value can and will be extracted from big data, but only by hard work and sound business plans.

Ask yourself, would you invest in a big data project proposed by this person?

john-smith

[Images are from: The Project Gutenberg EBook of The Virginia Company Of London, 1606-1624, by Wesley Frank Craven.]

PS: The vast majority of the time I deeply enjoy David Smith‘s posts but I do tire of seeing “there is value in big data” as a religious mantra at every turn. A number of investors are only going to hear “there is value in big data” and not stop to ask why or how? We all suffer when technology bubbles burst. Best not to build them at all.

Exposure to Diverse Information on Facebook [Skepticism]

Filed under: Facebook,News,Opinions,Social Media,Social Networks,Social Sciences — Patrick Durusau @ 3:06 pm

Exposure to Diverse Information on Facebook by Eytan Bakshy, Solomon Messing, Lada Adamic.

From the post:

As people increasingly turn to social networks for news and civic information, questions have been raised about whether this practice leads to the creation of “echo chambers,” in which people are exposed only to information from like-minded individuals [2]. Other speculation has focused on whether algorithms used to rank search results and social media posts could create “filter bubbles,” in which only ideologically appealing content is surfaced [3].

Research we have conducted to date, however, runs counter to this picture. A previous 2012 research paper concluded that much of the information we are exposed to and share comes from weak ties: those friends we interact with less often and are more likely to be dissimilar to us than our close friends [4]. Separate research suggests that individuals are more likely to engage with content contrary to their own views when it is presented along with social information [5].

Our latest research, released today in Science, quantifies, for the first time, exactly how much individuals could be and are exposed to ideologically diverse news and information in social media [1].

We found that people have friends who claim an opposing political ideology, and that the content in peoples’ News Feeds reflect those diverse views. While News Feed surfaces content that is slightly more aligned with an individual’s own ideology (based on that person’s actions on Facebook), who they friend and what content they click on are more consequential than the News Feed ranking in terms of how much diverse content they encounter.

The Science paper: Exposure to Ideologically Diverse News and Opinion

The definition of an “echo chamber” is implied in the authors’ conclusion:

By showing that people are exposed to a substantial amount of content from friends with opposing viewpoints, our findings contrast concerns that people might “list and speak only to the like-minded” while online [2].

The racism of the Deep South existed in spite of interaction between whites and blacks. So “echo chamber” should not be defined as association of like with like, at least not entirely. The Deep South was an echo chamber of racism, but not for lack of diversity in its social networks.

Besides lacking a useful definition of “echo chamber,” the authors ignore the role of confirmation bias (aka the “backfire effect”) when people are confronted with contrary thoughts or evidence. For some readers, seeing a New York Times editorial disagreeing with their position can make them feel better about being on the “right side.”

That people are exposed to diverse information on Facebook is interesting, but until there is a meaningful definition of “echo chambers,” the role Facebook plays in the maintenance of “echo chambers” remains unknown.

Slicing and Dicing Users – Google Style

Filed under: Cybersecurity,Privacy,Security — Patrick Durusau @ 1:54 pm

Courts docs show how Google slices users into “millions of buckets” by Jeff Gould.

From the post:

The first law of selling is to know your customer. This simple maxim has made Google into the world’s largest purveyor of advertisements, bringing in more ad revenue this year than all the world’s newspapers combined. What makes Google so valuable to advertisers is that it knows more about their customers — that is to say, about you — than anyone else.

Where does Google get this knowledge? Simple. It watches most everything you do and say online — reads your email (paying special attention to purchase confirmations), peers over your shoulder while you browse, knows what you watch on YouTube, and — by tracking your devices — even knows where you are at this very moment. Then it assembles all these bits of information into a constantly updated profile that tells advertisers when, where and what you may hanker to buy.

Your Google profile contains far more than basic facts such as age, gender and product categories you might be interested in. It also makes statistically plausible guesses about things you didn’t voluntarily disclose. It estimates how much you earn by looking up IRS income data for your zip code. It knows if you have children at home — a trick it performs by surveying hundreds of thousands of parents, observing their online behavior, then extrapolating to millions of other users. Google also offers advertisers over 1,000 “interest-based advertising” categories to target users by their web browsing habits. When advertisers are ready to buy ads they can review all these attributes in a convenient browser interface and select exactly the users they want to target.

But these explicit attributes only scratch the surface. The online ad giant knows much more about you than it can put into a form easily understandable by humans. Just how much it knows came to light last year, when a Federal judge ordered the publication of some remarkable internal Google emails discussing how Gmail data mining works. Google’s lawyers fought the disclosure tooth and nail, but they were ultimately overruled. The emails reveal that Gmail can sort users not just into a few thousand demographic and interest categories, but into literally millions of distinct “buckets”. A “bucket” is just a cluster of users, however small, who share some feature in common that might interest advertisers.

The document shown in this post can be found at: https://musictechpolicy.files.wordpress.com/2010/09/183-6-google-employee-emails.pdf

If you want more documents from the case, see: Dunbar v. Google, Inc. (Justia)

Jeff’s post is a great illustration of how massive data collection can discover more about you than you would choose to share.

Efforts to legislate the collection/preservation of data leave your safety in the hands of those with few motivations to follow the law.

A better solution leaves few, if any fingerprints at all. What isn’t visible, can’t be collected.

GPU Linux Rootkit/Keylogger

Filed under: Cybersecurity,GPU,Security — Patrick Durusau @ 11:40 am

New GPU-based Linux Rootkit and Keylogger with Excellent Stealth and Computing Power by Swati Khandelwal.

From the post:

The world of hacking has become more organized and reliable over recent years, and so have the techniques of hackers.

Nowadays, attackers use highly sophisticated tactics and often go to extraordinary lengths in order to mount an attack.

And there is something new to the list:

A team of developers has created not one, but two pieces of malware that run on an infected computer’s graphics processor unit (GPU) instead of its central processor unit (CPU), in order to enhance their stealthiness and computational efficiency.

The two pieces of malware:

The source code of both the Jellyfish Rootkit and the Demon keylogger, which are described as proof-of-concept malware, has been published on Github.

Until now, security researchers have discovered nasty malware running on the CPU and exploiting the GPU capabilities in an attempt to mine cryptocurrencies such as Bitcoins.

However, these two malware could operate without exploiting or modifying the processes in the operating system kernel, and this is why they do not trigger any suspicion that a system is infected and remain hidden.

As Swati says, proof-of-concept, but the distance between proof-of-concept and in the wild isn’t predictable.

After an overview of the rootkit and keylogger, Swati asks:

However, if exploited in future, what could be the area of attack vectors? Hit the comments below.

No comments as of 12:28 EST on Saturday, 9 May 2015.

One resource that may spur comments on your part:

Vulnerability analysis of GPU computing by Michael James Patterson.

Comments for Swati?

Breaking the Similarity Bottleneck

Ultra-Fast Data-Mining Hardware Architecture Based on Stochastic Computing by Antoni Morro, et al.

Abstract:

Minimal hardware implementations able to cope with the processing of large amounts of data in reasonable times are highly desired in our information-driven society. In this work we review the application of stochastic computing to probabilistic-based pattern-recognition analysis of huge database sets. The proposed technique consists in the hardware implementation of a parallel architecture implementing a similarity search of data with respect to different pre-stored categories. We design pulse-based stochastic-logic blocks to obtain an efficient pattern recognition system. The proposed architecture speeds up the screening process of huge databases by a factor of 7 when compared to a conventional digital implementation using the same hardware area.

I haven’t included the hyperlinks, but:

In this work we present a highly efficient methodology for data mining based on probabilistic processing. High dimensional data is inherently complex in clustering, classification and similarity search [15]. The proposed approach is evaluated showing its application to a similarity search over a huge database. Most data mining algorithms use similarity search as a subroutine core [16–18], and thus the time taken for this task is the bottleneck of virtually all data mining algorithms [19]. Similarity search plays a fundamental role in many data mining and machine learning problems, e.g. text categorization [20], collaborative filtering [21], time-series analysis [22,23], protein sequencing [24] or any application-specific task as petroglyphs comparison [25]. At the same time, the mining of huge datasets implies the use of large computer clusters [26,27]. The proposed approach based on the use of probabilistic processing shows large improvements in terms of hardware resources when compared with conventional solutions.

Sorry they omitted topic maps, but what is a merging criterion if it isn’t a type of “similarity?”

From the conclusion:

This implementation uses less hardware resources than conventional digital methodologies (based on binary and not probabilistic logic) and is able to process the order of 13GBytes of information per second (in contrast to the estimated 2GBytes/s of speed that could be achieved by the conventional implementation using the same hardware area). With the 12-dimensional space used to allocate each vector in the example shown in this paper we obtain the order of 1 billion of comparisons per second. A patent application has been done for this new mining methodology [32].

The patent was filed in Spanish but English and French auto-translations are available.

Hopefully the patent will be used in such a way as to promote widespread implementation of this technique.

I could stand 1 billion comparisons a second, quite easily. Interactive development of merging algorithms anyone?
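The pulse-based logic the abstract refers to rests on one idea, shown here as an added Python simulation that is not the authors’ architecture (the excerpts do not describe their circuit): a value in [0, 1] becomes a stream of pulses whose density is that value, so an AND gate multiplies two independent streams and a counter turns the result back into a number. That is enough to run a 12-dimensional similarity search of a query against constructed category vectors; the vectors, the stream length and the normalised dot product used as the similarity measure are all assumptions made for this illustration.

```python
import random
from typing import List, Sequence

# Constructed 12-dimensional vectors (values in [0, 1]) standing in for a
# query and two pre-stored categories; not data from the paper.
QUERY = [0.8, 0.9, 0.7, 0.2, 0.1, 0.1, 0.2, 0.1, 0.8, 0.9, 0.1, 0.2]
CATEGORIES = [
    [0.9, 0.8, 0.9, 0.1, 0.1, 0.2, 0.1, 0.1, 0.9, 0.8, 0.2, 0.1],  # category A
    [0.1, 0.2, 0.1, 0.9, 0.8, 0.9, 0.2, 0.1, 0.1, 0.2, 0.9, 0.8],  # category B
]


def encode(p: float, n: int, rng: random.Random) -> List[int]:
    """Unipolar stochastic encoding: n pulses, each 1 with probability p."""
    return [1 if rng.random() < p else 0 for _ in range(n)]


def and_gate(a: Sequence[int], b: Sequence[int]) -> List[int]:
    """One AND gate per clock tick; for independent streams P(1) = p_a * p_b."""
    return [x & y for x, y in zip(a, b)]


def exact_similarity(query: Sequence[float], category: Sequence[float]) -> float:
    """Reference value: mean of componentwise products (normalised dot product)."""
    return sum(q * c for q, c in zip(query, category)) / len(query)


def stochastic_similarity(query, category, n: int, rng: random.Random) -> float:
    """Same quantity estimated with one AND gate per dimension and a pulse counter."""
    ones = 0
    for q, c in zip(query, category):
        # Fresh, independent streams per operand: reusing a stream would
        # correlate the inputs and the AND gate would no longer multiply.
        ones += sum(and_gate(encode(q, n, rng), encode(c, n, rng)))
    return ones / (n * len(query))


def nearest_category(query, categories, n: int = 4096, seed: int = 0):
    """Return (index of the best-matching category, list of stochastic scores)."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    scores = [stochastic_similarity(query, c, n, rng) for c in categories]
    return max(range(len(categories)), key=scores.__getitem__), scores


if __name__ == "__main__":
    best, scores = nearest_category(QUERY, CATEGORIES)
    for i, c in enumerate(CATEGORIES):
        print(f"category {i}: stochastic={scores[i]:.4f} "
              f"exact={exact_similarity(QUERY, c):.4f}")
    print("best match:", best)
```

The stochastic estimate lands within a few hundredths of the exact value at 4096 pulses per stream, and the precision trades off directly against stream length, which is the hardware-area-for-time bargain the paper’s speed-up figures describe.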

I first saw this in a tweet by Stefano Bertolo.

A History of the Revolutionary Working Class

Filed under: Government,History,Politics — Patrick Durusau @ 10:18 am

A History of the Revolutionary Working Class

From the webpage:

Since capitalism arose in the world, workers have been banding together; at first locally in small groups, but increasingly workers realized that the greater the strength of workers’ organisation, the better able workers are to challenge capitalism. This section provides in-depth history of these efforts of organising workers regardless of race, ethnicity, gender – or border, the effort to organise and create collaboration and co-operation between workers the world over in order to win the world for those who make it run.

A great source for balancing the standard narratives about socialism/communism in the 19th and 20th centuries.

Their lack of success reminds me of (paraphrase):

…if you’re unwilling to talk about violence, you aren’t ready to talk about revolution….

I don’t remember if the source was a newspaper (LA Free Press for example), a book, etc. Does that ring a bell for you?

I first saw this link in a Facebook post by Steve Pepper.

Hacking Team Software Manuals (RCS)

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:35 am

Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide by Cora Currier and Morgan Marquis-Boire.

From the post:

When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn’t be able to unlock evidence on criminals’ digital devices. What they didn’t say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

We’re publishing in full, for the first time, manuals explaining the prominent commercial implant software “Remote Control System,” manufactured by the Italian company Hacking Team. Despite FBI director James Comey’s dire warnings about the impact of widespread data scrambling — “criminals and terrorists would like nothing more,” he declared — Hacking Team explicitly promises on its website that its software can “defeat encryption.”

The manuals describe Hacking Team’s software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team’s manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.

The flagship package, “Remote Control System (RCS),” runs between 200,000 and 1 million euros, which creates a market opportunity for anyone who wants to reverse engineer options for less well-heeled users from the manuals.

As far as the claims of being able to defeat encryption, assuming you paid 1 million euros for software to illegally spy on your own citizens, who are you going to complain to if it fails in some way? Post an angry note on the customer support wiki? It’s the same reason drug dealers rarely have product liability issues.

Becoming aware of cybersecurity issues can improve your security. Appeals to and discussions of abusive stepparents (governments) continue the cycle of abuse.

Police Story: Hacking Team’s Government Surveillance Malware by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, does a deep technical dive on one use of RCS. Excellent reading.

Enjoy!

May 8, 2015

Education on Anonymity…

Filed under: Cybersecurity,Security — Patrick Durusau @ 9:00 pm

Education on Anonymity – Sharif University Courses on How to Hide Tor.

From the post:


Well planned efforts by Iran to educate their students start before University levels. Regardless, Iranian universities with funding from the government (IRGC), oversight by Basij, capture the flag exercises, internships through Ashiyane and AmnPardaz, and unauthorized testing on adversary websites provide a structured program. Much like the West, Iran is institutionalizing cyber in their young. The below is a lecture given at Sharif University using Western technologies and materials. The use of TOR is well explained.

Treadstone 71

You can guess why Treadstone 71 has chosen a lecture from Iran on Tor to post. 😉

Of course, the same course here would pass without comment.
