Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

May 11, 2016

Hunting Bugs In Porn Site (or How to Explain Your Browsing History)

Filed under: Cybersecurity,Porn,Security — Patrick Durusau @ 10:19 am

Pornhub Launches Bug Bounty Program; Offering Reward up to $25,000 by Swati Khandelwal.

From the post:


The world’s most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website.

Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find. (emphasis in the original)

As always, there are some exclusions:


Vulnerabilities such as cross-site request forgery (CSRF), information disclosure, cross domain leakage, XSS attacks via Post requests, HTTPS related (such as HSTS), HttpOnly and Secure cookie flags, missing SPF records and session timeout will not be considered for the bounty program.

I take “information disclosure” to mean that if your hack involves NSA credentials it doesn’t count. Well, you can’t make it too easy.

The program is in beta so see Swati’s post for further details.

This PornHub program benefits people asked awkward questions about their browsing history.

Yes, you were looking at PornHub or related sites. You were doing “security research.”

Being in HR or accounting may make that claim less credible. 😉

May 10, 2016

False Rumors Spread Faster Than Truth

Filed under: Journalism,News,Reporting — Patrick Durusau @ 9:34 pm

Recent research reveals false rumours really do travel faster and further than the truth by Craig Silverman.

From the post:

A lie can travel halfway around the world before the truth has got its boots on, or so the saying goes, and new research has sought to prove just how long it takes fact checking to catch up.

On average, it takes more than 12 hours for a false claim to be debunked online, according to two recent projects that compared how falsehoods and truths spread.

One study analyzed rumors on Twitter and found that a rumor that turns out to be true is often resolved within two hours of first emerging. But a rumor that proves false takes closer to 14 hours to be debunked.

Another study looked at how long it took for a fact check or debunking article to be published as a counter measure to a fake story. It found “a characteristic lag of approximately 13 hours between the production of misinformation and that of fact checking”.

The studies used different methodologies and look at different elements of the online rumor and misinformation ecosystem. But they both provide evidence that falsehoods spread for hours and take hold online before being debunked.

Both research groups say their findings highlight the need for better — and especially faster — approaches to countering online misinformation.

A counter-example to these reports would be false U.S. social media propaganda failing against truthful Islamic State reports. Why It’s So Hard to Stop ISIS Propaganda.

Or is it that U.S. government lies are so clumsy that they lack the punch of other falsehoods?

Or perhaps the U.S. government tells so many lies that it’s hard to judge the impact of only one?

Unless and until better/faster approaches “…to countering online misinformation” appear, consider how you can use the gap between rumor and correction to your advantage.

Is that arbitrage in truth?

Panama Papers and “radical sharing” (Greed By Another Name)

Filed under: Journalism,News,Reporting — Patrick Durusau @ 4:03 pm

Alicia Shepard in A few weeks after the Panama Papers’ release, The New York Times and Washington Post start digging in caught me off guard with:

Many newspapers aren’t comfortable with ICIJ’s “radical sharing” concept.

Suspecting Alicia was using “sharing” to mean something beyond my experience, I had to read her post!

Alicia explains the absence of the New York Times and the Washington Post from the initial reporting on the Panama Papers saying:

Why weren’t the Times or the Post included originally? Walker said that, in general, many newspapers are not comfortable with ICIJ’s “radical sharing” concept, in which all journalists who agree to collaborate must promise to share their reporting, protect confidentiality, not share the data, and publish when ICIJ gives the go-ahead.

I see. “Radical sharing,” means collaborating on research, a good thing, protecting confidentiality, another good thing, then being bound to not share the data (restricting the data to ICIJ approved participants), a bad thing, and publishing when allowed by the ICIJ, another bad thing.

Not what I would consider “radical” sharing but I can see why newspapers, like many traditional publishers, fear the sharing of research. Even though sharing of research in other areas has been proven to float all boats higher.

The lizard brain reflex against sharing still dominates in many areas of human endeavor. News reporting in particular.

Alicia also quotes Marina Walker saying:

“We are excited to be working with The New York Times and The Washington Post, two of the world’s best newspapers,” said Marina Walker, deputy director of the Washington, D.C.–based ICIJ. “Both of them signed up at more or less the same time, two or three weeks ago. Both teams were recently trained by ICIJ researchers and reporters on how to use the data and we continue to assist them as needed, like we do with other partners. So far, so good.”

That is the “smoking gun” for my suggestion in Panama Papers – Shake That Money Maker that the ICIJ are hoarding the Panama Papers for their own power and profit.

The ICIJ wants control over the data, realizing that training and assistance are never free, to dictate who sees the data and when they can publish using the data.

Combine that with the largest data leak to date and the self-serving nature of the claim that the data might reveal the leaker becomes self-evident.

Hoarding data for profit is, as I have said, understandable and to some degree even reasonable.

But let’s have that conversation and not one based on specious claims about a leaker’s or public’s interest.

PS: Getting to dictate to the Washington Post and the New York Times must be heady stuff.

PPS: Any Panama Paper secondary leakers yet?

Panama Papers Import Scripts for Neo4j and Docker

Filed under: Graphs,Neo4j,Panama Papers — Patrick Durusau @ 3:35 pm

Panama Papers Import Scripts for Neo4j and Docker by Michael Hunger.

Michael’s import scripts enable you, too, to explore and visualize a sub-set of the Panama Papers data.

Thanks Michael!

Panama Papers Database Warning: You Will Be Tracked

Filed under: Neo4j,Panama Papers — Patrick Durusau @ 9:49 am

As promised, a teaser database of 214,000 offshore entities created in 21 jurisdictions has been released by the International Consortium of Investigative Journalists (ICIJ).

I say “teaser” because of the information you won’t find in the database:


The new data that ICIJ is now making public represents a fraction of the Panama Papers, a trove of more than 11.5 million leaked files from the Panama-based law firm Mossack Fonseca, one of the world’s top creators of hard-to-trace companies, trusts and foundations.

ICIJ is not publishing the totality of the leak, and it is not disclosing raw documents or personal information en masse. The database contains a great deal of information about company owners, proxies and intermediaries in secrecy jurisdictions, but it doesn’t disclose bank accounts, email exchanges and financial transactions contained in the documents.

In all, the interactive application reveals more than 360,000 names of people and companies behind secret offshore structures. As the data are from leaked sources and not a standardized registry, there may be some duplication of names.

Warning: Even visits to the database are being logged, as shown by this initial greeting:

[Image: the warning notice shown on entry to the ICIJ database]

How deep the tracking is post-entry to the site isn’t readily evident.

I would assume all searches are logged along with the IP address of origin.

Use Tor if you plan to visit this resource.

A couple of positive comments about the database:

First, you can download the database as CSV files, a file for each type of node and another for edges (think relationships). A release of the Neo4j data files is forthcoming.

Second, the ICIJ gets the licensing right:

The ICIJ Offshore Leaks Database is licensed under the Open Database License and its contents under Creative Commons Attribution-ShareAlike license. Always cite the International Consortium of Investigative Journalists when using this data.

Be forewarned that a lot of loose headlines will be appearing about this release, such as: The Panama Papers can now be searched online. Hardly, see the ICIJ’s own statement of exclusions above. It’s always better to read a post before commenting on it.

I don’t now nor have I ever disagreed with the statement “the > 370 reporters and the ICIJ have done a great job of reporting on the Panama Papers.”

I do disagree with the refusal of the ICIJ to release the leak contents to law enforcement under the guise of protecting the leaker and its plans to never release the full leak to the public.

As I have said before, some period of exclusive access is understandable given the investment of ICIJ in the leak but only for a reasonable period of time.

May 9, 2016

Dark Matter: Driven by Data

Filed under: Dark Data,Data,LangSec — Patrick Durusau @ 8:47 pm

A delightful keynote by Dan Geer, presented at the 2015 LangSec Workshop at the IEEE Symposium on Security & Privacy Workshops, May 21, 2015, San Jose, CA.

Prepared text for the presentation.

A quote to interest you in watching the video:

Workshop organizer Meredith Patterson gave me a quotation from Taylor Hornby that I hadn’t seen. In it, Hornby succinctly states the kind of confusion we are in and which LANGSEC is all about:

The illusion that your program is manipulating its data is powerful. But it is an illusion: The data is controlling your program.

It almost appears that we are building weird machines on purpose, almost the weirder the better. Take big data and deep learning. Where data science spreads, a massive increase in tailorability to conditions follows. But even if Moore’s Law remains forever valid, there will never be enough computing hence data driven algorithms must favor efficiency above all else, yet the more efficient the algorithm, the less interrogatable it is,[MO] that is to say that the more optimized the algorithm is, the harder it is to know what the algorithm is really doing.[SFI]

And there is a feedback loop here: The more desirable some particular automation is judged to be, the more data it is given. The more data it is given, the more its data utilization efficiency matters. The more its data utilization efficiency matters, the more its algorithms will evolve to opaque operation. Above some threshold of dependence on such an algorithm in practice, there can be no going back. As such, if science wishes to be useful, preserving algorithm interrogatability despite efficiency-seeking, self-driven evolution is the research grade problem now on the table. If science does not pick this up, then Lessig’s characterization of code as law[LL] is fulfilled. But if code is law, what is a weird machine?

If you can’t interrogate an algorithm, could you interrogate a topic map that is an “inefficient” implementation of the algorithm?

Or put differently, could there be two representations of the same algorithm, one that is “efficient,” and one that can be “interrogated?”

Read the paper version but be aware the video has a very rich Q&A session that follows the presentation.

White Hat Hacker Jailed – Screen Capturing Your Crime

Filed under: Cybersecurity,Government,Security — Patrick Durusau @ 3:32 pm

White Hat Researcher Jailed for Exposing SQLi Flaws by Phil Muncaster.

The headline is misleading and the lead paragraph makes the same mistake:

A cybersecurity researcher who exposed vulnerabilities in a Florida elections website was last week arrested and charged on three third-degree felony counts.

It isn’t until later that you read:


“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data,” he explained in a blog post. “That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private).”

Watch the video that includes a screen capture not only of the attack, but of Dave Levin downloading files from the breached server.

All most people will read is “White Hat Hacker Jailed,” which is a severe disservice to the security community generally.

A more accurate headline would read:

White Hat Hacker Jailed For Screen Capturing His Crime

When you find a vulnerability you can:

  1. Report it, or
  2. Exploit it.

What is ill-advised is to screen capture yourself exploiting a vulnerability and then publishing it.

It’s true that corrupt politics are at play here but what other kind did you think existed?

No one, especially incompetent leadership, enjoys being embarrassed. Incompetent political leadership is often in a position to retaliate against those who embarrass it. Just a word to the wise.

PS: If you are going to commit a cyber-crime, best thinking is to NOT record it.

Who Is Special Agent Mark W. Burnett? (FBI)

Filed under: FBI,Government,Privacy,Tor — Patrick Durusau @ 10:38 am

In FBI Harassment, Tor developer isis agora lovecruft describes a tale of FBI harassment that begins with this business card:

[Image: FBI business card of Special Agent Mark W. Burnett]

The card was left while no one was at home. At best the business card is a weak indicator of a visitor’s identity. It was later confirmed Mark W. Burnett had visited, in various conversations between counsel and the FBI. See the original post for the harassment story.

What can we find out about Special Agent Mark W. Burnett? Reasoning: if the FBI is watching us, we damned sure better be watching them.

The easiest thing to find is that Mark W. Burnett isn’t a “special agent in charge,” as per the FBI webpage for the Los Angeles office. A “special agent in charge” is a higher “rank” than a “special agent.”

Turning to Google, here’s a screenshot of my results:

[Image: screenshot of Google search results for “Mark W. Burnett”]

The first two “hits” are the same Special Agent Mark W. Burnett (the second one requires a password) but the first one says in relevant part:

Special Luncheon Speaker – Mr. Mark W. Burnett, FBI Cyber Special Agent, who will discuss the Bureau’s efforts regarding cyber security measures

The event was:

3rd Annual West Coast Cyber Security Summit
Special Report on Cyber Technology and Its Impact on the Banking Community
The California Club
538 South Flower Street, Los Angeles, CA 90071
Tuesday, May 13, 2014

If you don’t know the California Club, as the song says “…you aren’t supposed to be here.”

So we know that Mark W. Burnett was working for the FBI in May of 2014.

The third “hit” is someone who says they know a Mark W. Burnett but it doesn’t go any further than that.

The last two “hits” are interesting because they both point to the Congressional Record on February 1, 2010, wherein the Senate confirms the promotion of a “Mark. W. Burnett” to the rank of colonel in the United States Army.

I searched U.S. District Court decisions at Justia but could not find any cases where Mark W. Burnett appeared.

The handwritten “desk phone” detracts from the professionalism of the business card. It also indicates that Mark hasn’t been in the Los Angeles office long enough to get better cards.

What do you know about Special Agent Mark W. Burnett?

PS: There are hundreds of FBI agents from Los Angeles on LinkedIn but Mark W. Burnett isn’t one of them. At least not by that name.

May 8, 2016

Canary Watch [Tracking Warrant Service?]

Filed under: FBI,Free Speech,Government — Patrick Durusau @ 10:29 pm

Canary Watch

From the webpage:

“Warrant canary” is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received, such as a national security letter. Canarywatch tracks and documents these statements. This site lists warrant canaries we know about, tracks changes or disappearances of canaries, and allows submissions of canaries not listed on the site.

Follow us on Twitter for updates and notifications about canaries on this site.

All of the “warrant canaries” I saw listed were from service providers and other organizations.

I recently saw a “warrant canary” posted by an individual (more on that this week).

The thought did occur to me that if enough individuals had “warrant canaries” on fairly short (monthly?) renewal cycles, it would be possible to track the service of warrants through particular communities.

Comments/suggestions?
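As an added example (not code from Canary Watch or from the original post), the following monitor does what the page describes Canarywatch doing, tracking changes and disappearances of canaries, and adds the community-level count the post speculates about. The publishers, statements, dates and group labels are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from hashlib import sha256


@dataclass(frozen=True)
class Canary:
    publisher: str      # who publishes the canary (constructed names below)
    statement: str      # the "we have not received ..." text as published
    published: date     # date the statement was last (re)issued
    renewal_days: int   # the renewal cycle the publisher committed to


def fingerprint(statement: str) -> str:
    """Hash the statement with whitespace normalised, so a reflowed page is
    not mistaken for a changed canary but any wording change is caught."""
    return sha256(" ".join(statement.split()).encode("utf-8")).hexdigest()


def canary_status(baseline: dict, current: dict, today: date) -> dict:
    """Compare a fresh snapshot of canaries against the recorded baseline.

    Returns {publisher: status} with status one of:
      'ok'      - present, unchanged, re-issued within its renewal cycle
      'changed' - wording differs from the baseline (read it carefully)
      'stale'   - unchanged but not re-issued within the renewal cycle
      'missing' - the canary has disappeared from the snapshot
      'new'     - a canary not in the baseline (record it going forward)
    A canary's warning is in its absence, not its presence, so 'missing'
    and 'stale' are the conditions worth alerting on.
    """
    report = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report[name] = "missing"
        elif fingerprint(new.statement) != fingerprint(old.statement):
            report[name] = "changed"
        elif today - new.published > timedelta(days=new.renewal_days):
            report[name] = "stale"
        else:
            report[name] = "ok"
    for name in current.keys() - baseline.keys():
        report[name] = "new"
    return report


def flagged_by_group(report: dict, groups: dict) -> dict:
    """Count non-'ok' canaries per group: the community-level view the post
    speculates about ('groups' maps publisher -> group label)."""
    counts = {}
    for name, status in report.items():
        if status in ("missing", "stale", "changed"):
            group = groups.get(name, "unknown")
            counts[group] = counts.get(group, 0) + 1
    return counts


# Constructed sample data: fictional publishers and statements.
BASELINE = {
    "example-mail": Canary("example-mail",
        "Example Mail has not received any national security letters "
        "or gag orders.", date(2016, 4, 1), 30),
    "example-vpn": Canary("example-vpn",
        "Example VPN has not received any secret legal process.",
        date(2016, 4, 15), 30),
    "example-host": Canary("example-host",
        "Example Host has not received any national security letters.",
        date(2016, 4, 20), 30),
    "example-chat": Canary("example-chat",
        "Example Chat has not received any warrants it cannot disclose.",
        date(2016, 4, 1), 30),
}

SNAPSHOT = {
    # re-issued on time; only whitespace differs -> 'ok'
    "example-mail": Canary("example-mail",
        "Example Mail  has not received any national security letters\n"
        "or gag orders.", date(2016, 5, 1), 30),
    # example-vpn is absent from the snapshot -> 'missing'
    # wording quietly qualified -> 'changed'
    "example-host": Canary("example-host",
        "Example Host has not received any national security letters, "
        "as far as we are permitted to say.", date(2016, 5, 5), 30),
    # unchanged but 37 days old on a 30-day cycle -> 'stale'
    "example-chat": Canary("example-chat",
        "Example Chat has not received any warrants it cannot disclose.",
        date(2016, 4, 1), 30),
    # not previously tracked -> 'new'
    "example-forum": Canary("example-forum",
        "Example Forum has not received any secret legal process.",
        date(2016, 5, 7), 30),
}

GROUPS = {"example-mail": "privacy-tools", "example-vpn": "privacy-tools",
          "example-host": "hosting", "example-chat": "privacy-tools",
          "example-forum": "hosting"}


def demo_report(today: date = date(2016, 5, 8)) -> dict:
    """Run the comparison on the constructed data as of a fixed date."""
    return canary_status(BASELINE, SNAPSHOT, today)


if __name__ == "__main__":
    report = demo_report()
    for name in sorted(report):
        print(f"{name:14} {report[name]}")
    print(flagged_by_group(report, GROUPS))
```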

May 7, 2016

DIY – Chilling Free Speech

Filed under: Censorship,Free Speech — Patrick Durusau @ 8:21 am

Homeland Security Wants To Subpoena Us Over A Clearly Hyperbolic Techdirt Comment by Mike Masnick.

The Department of Homeland Security (DHS) has contacted Techdirt by phone and email asking where to send a subpoena and saying a subpoena was on the way for the identity of a commenter on Techdirt.

From Mike’s post:

Now, it’s entirely possible that there are more details here involving a legitimate investigation, but it’s difficult to believe that’s the case given the information we have to date. Also, we have not yet received the subpoena, just the phone calls and emails suggesting that it’s on its way. Normally, we’d wait for the details before publishing, but given a very similar situation involving commenters on the site Reason last year, which included a highly questionable and almost certainly unconstitutional gag order preventing Reason from speaking about it, we figured it would be worth posting about it before we’ve received any such thing.

While I appreciate Mike and Techdirt sounding the alarm about a possible subpoena, it is also distinctly possible that was the intended result of the contacts by DHS.

Not that Mike or Techdirt give a toss about the opinions held by DHS, but you can bet there are commenters and potential commenters who aren’t quite so brave.

DHS and its unsavory companions in the government don’t have to seize newspapers, burn presses, or any of the overt things we usually associate with censorship.

They are much more insidious, not to mention cowardly.

The DHS avoids taking a chance a court might refuse its request for a subpoena but still creates a climate of fear for commenters at Techdirt.

Courts can’t rule on what is not presented to them and the DHS is well aware of that fact.

Which raises the interesting question: How often does DHS call or email about subpoenas and no subpoenas arrive? Is this, as I suspect, a systematic practice at DHS?

Question: Is anyone tracking DHS phone calls and emails about subpoenas? Where no subpoena arrives?

PS: I disagree that calling for violence, even in hyperbole, is in poor taste. People are condemned to death and worse every day in the polite language of privilege and power. It’s time we stopped having a double standard for privileged versus non-privileged violence.

May 6, 2016

Computer Programming for Lawyers:… [Educating a Future Generation of Judges]

Filed under: Law,Programming,Python — Patrick Durusau @ 8:46 pm

Computer Programming for Lawyers: An Introduction by Paul Ohm and Jonathan Frankle.

From the syllabus:

This class provides an introduction to computer programming for law students. The programming language taught may vary from year-to-year, but it will likely be a language designed to be both easy to learn and powerful, such as Python or JavaScript. There are no prerequisites, and even students without training in computer science or engineering should be able successfully to complete the class.

The course is based on the premise that computer programming has become a vital skill for non-technical professionals generally and for future lawyers and policymakers specifically. Lawyers, irrespective of specialty or type of practice, organize, evaluate, and manipulate large sets of text-based data (e.g. cases, statutes, regulations, contracts, etc.) Increasingly, lawyers are asked to deal with quantitative data and complex databases. Very simple programming techniques can expedite and simplify these tasks, yet these programming techniques tend to be poorly understood in legal practice and nearly absent in legal education. In this class, students will gain proficiency in various programming-related skills.

A secondary goal for the class is to introduce students to computer programming and computer scientific concepts they might encounter in the substantive practice of law. Students might discuss, for example, how programming concepts illuminate and influence current debates in privacy, intellectual property, consumer protection, antidiscrimination, antitrust, and criminal procedure.

The language for this year is Python. The course website, http://paulohm.com/classes/cpl16/ does not have any problem sets posted, yet. Be sure to check back for those.

Recommend this to any and all lawyers you encounter. It isn’t possible to predict who will or will not be a judge someday. Judges with a basic understanding of computing could improve the overall quality of decisions on computer technology.

Like discounting DOJ spun D&D tales about juvenile behavior.

Sketch of strace and tcpdump

Filed under: Cybersecurity,Linux OS — Patrick Durusau @ 4:26 pm

A workshop on strace & tcpdump by Julia Evans.

From the post:

This week at work, I ran a workshop on tcpdump and strace. A couple of people on Twitter asked about it so here are some notes. This is mostly just so I can reuse them more easily next time, but maybe you will also find it interesting. The notes are a bit sparse.

I basically did a bunch of live demos of how to use tcpdump & strace, and then took questions & comments as people had them. I ran it in an hour, which I think was fine for people who already had some familiarity with the tools, but really aggressive if you’re learning from scratch. Will do that differently next time.

As Julia says, the notes are rather sparse but you could expand them to make the presentation your own.

Good reminder that reports from tools are just that, reports from tools.

If you aren’t close to the metal, you are taking a tool’s word for messages and system state.

Do you trust your tools that much?

Deep Learning: Image Similarity and Beyond (Webinar, May 10, 2016)

Filed under: Authoring Topic Maps,Deep Learning,Machine Learning,Similarity,Topic Maps — Patrick Durusau @ 4:15 pm

Deep Learning: Image Similarity and Beyond (Webinar, May 10, 2016)

From the registration page:

Deep Learning is a powerful machine learning method for image tagging, object recognition, speech recognition, and text analysis. In this demo, we’ll cover the basic concept of deep learning and walk you through the steps to build an application that finds similar images using an already-trained deep learning model.

Recommended for:

  • Data scientists and engineers
  • Developers and technical team managers
  • Technical product managers

What you’ll learn:

  • How to leverage existing deep learning models
  • How to extract deep features and use them using GraphLab Create
  • How to build and deploy an image similarity service using Dato Predictive Services

What we’ll cover:

  • Using an already-trained deep learning model
  • Extracting deep features
  • Building and deploying an image similarity service for pictures 

Deep learning has difficulty justifying its choices, just like human judges of similarity, but could it play a role in assisting topic map authors in constructing explicit decisions for merging?

Once trained, could deep learning suggest properties and/or values to consider for merging it has not yet experienced?

I haven’t seen any webinars recently so I am ready to gamble on this being an interesting one.

Enjoy!

Hoarding of Panama Papers Weakens – Prosecutors, Maybe …

Filed under: Journalism,News,Panama Papers,Reporting — Patrick Durusau @ 3:11 pm

Panama Papers Source Offers Documents To Governments, Hints At More To Come

From the post:

The anonymous whistleblower behind the Panama Papers has conditionally offered to make the documents available to government authorities.

In a statement issued to the German newspaper Süddeutsche Zeitung and the International Consortium of Investigative Journalists, the so-called “John Doe” behind the biggest information leak in history cites the need for better whistleblower protection and has hinted at even more revelations to come.

Titled “The Revolution Will Be Digitized”, the 1800-word statement gives justification for the leak, saying that “income inequality is one of the defining issues of our time” and says that government authorities need to do more to address it.

Süddeutsche Zeitung has authenticated that the statement came from the Panama Papers source. The statement in full:

As I pointed out in Panama Papers – Shake That Money Maker and $230 Billion Impact of Partial Use of Panama Papers, doing more than profiting Süddeutsche Zeitung and others requires releasing the Panama Papers to legal authorities.

My suggestion did not influence the relaxing of the hoarding of the Panama Papers but I welcome the move.

The full statement of “John Doe” throws Süddeutsche Zeitung a bone and says they have rightly refused to release the leak to authorities.

I’m sure you are as curious as I am about that statement.

BTW, if and when the Panama Papers are leaked to one or more governments, be on guard for fake Panama Papers which are infectious, etc. Possibly even those leaked by governments.

Leaks can always have malicious content but purported high visibility leaks perhaps more than others.

Elsevier – “…the law is a ass- a idiot.”

Filed under: Intellectual Property (IP),Law — Patrick Durusau @ 2:07 pm

Elsevier Complaint Shuts Down SCI-HUB Domain Name by Ernesto.

From the post:


However, as part of the injunction Elsevier is able to request domain name registrars to suspend Sci-Hub’s domain names. This happened to the original .org domain earlier, and a few days ago the Chinese registrar Now.cn appears to have done the same for Sci-hub.io.

The domain name has stopped resolving and is now listed as “reserved” according to the latest WHOIS info. TorrentFreak reached out to Sci-Hub founder Alexandra Elbakyan, who informed us that the registrar sent her a notice referring to a complaint from Elsevier.

In addition to the alternative domain names users can access the site directly through the IP-address 31.184.194.81, or its domain on the Tor-network, which is pretty much immune to any takedown efforts.

Meanwhile, academic pirates continue to flood to Sci-Hub, domain seizure or not.

The best response to Elsevier is found in Oliver Twist by Charles Dickens, Chapter 52

“If the law supposes that,” said Mr. Bumble, squeezing his hat emphatically in both hands, “the law is a ass- a idiot.”

I do disagree with Ernesto’s characterization of users of Sci-Hub as “academic pirates.”

Elsevier and others have fitted their business model to a system of laws that exploits the unpaid labor of academics, based on research funded by the public, profiting from sales to libraries and preventing wider access out of spite.

There is piracy going on in academic publishing but it isn’t on the part of those seeking to access published research.

Please share access points for Sci-Hub widely and often.

Electronic Frontier Foundation (EFF) 2015 Annual Report – (Highly Summarized)

Filed under: Electronic Frontier Foundation,Privacy — Patrick Durusau @ 1:14 pm

Electronic Frontier Foundation (EFF) 2015 Annual Report

If you have ever read an annual report, from any organization, you remember it as a stultifying experience. You could sense your life force ebbing away. 😉

To save you from a similar experience with the Electronic Frontier Foundation (EFF) 2015 Annual Report, I’ll hit high points in their own words:

Technology

Let’s Encrypt

A free, automated, and open certificate authority (CA), run for the public’s benefit, puts a secure Internet within reach.

Privacy Badger

Our browser extension, which automatically blocks hidden trackers that would otherwise spy on your web browsing habits, leaves beta.

Panopticlick

The latest version of our tracking and fingerprinting detection tool includes new tests, updating its ability to uniquely identify browsers with current techniques.

Activism

USA Freedom

After more than two years of work in the wake of the Snowden revelations, this bill’s passage marks the first significant reform on NSA surveillance in over 30 years.

Who Has Your Back?

Our yearly report—which documents the practices of major Internet companies and service providers, judges their publicly available policies, and highlights best practices—goes global.

Street Level Surveillance

Our new Web portal is loaded with comprehensive, easy-to-access information on police spying tools like license plate readers, biometric collection devices, and “Stingrays.”

Law

NSA Cases

EFF fights unconstitutional gag orders on behalf of clients forced to remain anonymous.

Save Podcasting

EFF successfully challenged the bogus podcasting patent owned by Personal Audio LLC.

ECPA

California is now the largest state to adopt digital privacy protections including both the content of messages and location data.

DMCA Exemptions

In the U.S. Copyright Office’s latest triennial rulemaking, EFF requested—and secured—6 anti-circumvention exemptions in 4 different categories.

Net Neutrality

Title II reclassification drew bright-line rules to protect the open Internet.

All of which is to say:

Join the EFF today!

Two hundred and ninety-eight words down to that last “!”

What more needs to be said?

May 5, 2016

Speak For Those Who Can’t Speak For Themselves

Filed under: Censorship,Government,Law — Patrick Durusau @ 3:48 pm

It’s no surprise the State of Texas has decided to violate the free speech rights of inmates in its prisons.

What’s violation of an inmate’s free speech rights when you are out of step with the civilized world on the death penalty?

Unlike the death penalty, which so far states are not practicing in secret, censorship of prisoner social media accounts is hidden from the public.

Make the public aware of prison censorship:


If you are managing a social media account on behalf of an inmate and suddenly find the account has been suspended or content otherwise removed, we urge you to submit a report to OnlineCensorship.org. The project, a collaboration between EFF and Visualizing Impact, draws on user-generated data to document how social media companies including Facebook, Twitter, Flickr, Google+, Instagram, and YouTube moderate content and the corresponding user experience when that occurs. (Report Inmate Social Media Takedowns to OnlineCensorship.org)

Who but the unjust fear cries for justice?

$230 Billion Impact of Partial Use of Panama Papers

Filed under: Journalism,News,Panama Papers,Reporting — Patrick Durusau @ 3:17 pm

The Value of Offshore Secrets – Evidence from the Panama Papers by James O’Donovan, Hannes F. Wagner, Stefan Zeume.

O’Donovan and colleagues find the keyhole view of the Panama Papers has erased $230 Billion in market capitalization among the firms exposed by those papers.

Imagine the impact if:

  • The Panama Papers were released to prosecutors charged with enforcing laws violated by the named firms and people.
  • Thousands of people, not < 400, were combining the Panama Papers with data on the named firms and individuals.

Until there is a full release, or a secondary leak, of the Panama Papers, we may never know.

Abstract:

We use the data leak of the Panama Papers on April 3, 2016 to study whether and how the use of offshore vehicles affects valuation around the world. The data leak made transparent the operations of more than 214,000 shell companies incorporated in tax havens by Panama-based law firm Mossack Fonseca. The Panama Papers implicate a wide range of firms, politicians, and other individuals around the globe to have used secret offshore vehicles. Allegations include tax evasion, financing corruption, money laundering, violation of sanctions, and hiding other activities. We find that, around the world, the data leak erased an unprecedented risk-adjusted US$230 billion in market capitalization among 1,105 firms with exposure to the revelations of the Panama Papers. Firms with subsidiaries in Panama, the British Virgin Islands, the Bahamas, or the Seychelles – representing 90% of the tax havens used by Mossack Fonseca – experienced an average drop in firm value of 0.5%-0.6% around the data leak. We also find that firms operating in perceivably corrupt countries – particularly in those where high-ranked government officials were implicated by name in the leaked data – suffered a similar decline in firm value. Further, firms operating both in Mossack Fonseca’s primary tax havens and in countries with implicated politicians experienced the largest negative abnormal returns. For instance, firms linked to Mossack Fonseca’s tax havens and operating in Iceland experienced negative abnormal returns of -1.4%; the data leak revealed that Iceland’s Prime Minister failed to disclose beneficial interest in a British Virgin Islands incorporated shell company. Overall, our estimates suggest that investors perceive the leak to destroy some of the value generated from offshore activity.

Want your leak hoarded for personal gain?

I think you know the lesson the Panama Papers teaches.

TEI XML -> HTML w/ XQuery [+ CSS -> XML]

Filed under: HTML,Text Encoding Initiative (TEI),XML,XQuery — Patrick Durusau @ 1:10 pm

Convert TEI XML to HTML with XQuery and BaseX by Adam Steffanick.

From the post:

We converted a document from the Text Encoding Initiative’s (TEI) Extensible Markup Language (XML) scheme to HTML with XQuery, an XML query language, and BaseX, an XML database engine and XQuery processor. This guide covers the basics of how to convert a document from TEI XML to HTML while retaining element attributes with XQuery and BaseX.

I’ve created a GitHub repository of sample TEI XML files to convert from TEI XML to HTML. This guide references a GitHub gist of XQuery code and HTML output to illustrate each step of the TEI XML to HTML conversion process.

The post only treats six (6) TEI elements but the methods presented could be extended to a larger set of TEI elements.

TEI 5 has 563 elements, which may appear in varying, valid, combinations. It also defines 256 attributes which are distributed among those 563 elements.

Consider using XQuery as a quality assurance (QA) tool to ensure that encoded texts conform to your project’s definition of expected text encoding.

While I was at Adam’s site I encountered: Convert CSV to XML with XQuery and BaseX, which you should bookmark for future reference.
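The conversion the post describes (TEI elements mapped to HTML while their attributes are carried over) and the QA use suggested above can both be done in a few dozen lines of Python. The block below is an added example, not Adam’s XQuery/BaseX code and not one of his repository files: the TEI sample, the element mapping and the allowed-attribute table are constructed stand-ins for a project’s own encoding guidelines, and the QA pass reports every element or attribute in the body that falls outside that definition.

```python
"""TEI XML -> HTML conversion plus a schema-lite QA pass, in Python.

Added example, not Adam Steffanick's XQuery/BaseX code. The sample document,
the element mapping and the allowed-attribute table are constructed and stand
in for a project's own encoding guidelines.
"""
import html
import xml.etree.ElementTree as ET

TEI_NS = "http://www.tei-c.org/ns/1.0"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample document (hypothetical text), not one of the repository files.
SAMPLE_TEI = """<TEI xmlns="http://www.tei-c.org/ns/1.0">
  <teiHeader><fileDesc><titleStmt><title>Sample</title></titleStmt></fileDesc></teiHeader>
  <text><body>
    <div xml:id="d1" type="chapter" n="1">
      <head>Chapter One</head>
      <p rend="indent">A <hi rend="italic">quiet</hi> start,<lb/>then a
      <name type="place">Dublin</name> morning &amp; tea.</p>
      <p><foreign xml:lang="la">cogito</foreign>, she said.</p>
    </div>
  </body></text>
</TEI>"""

# The project's encoding definition (constructed): which TEI elements are
# expected in a body, what they become in HTML, and which attributes they may carry.
ELEMENT_MAP = {"body": "div", "div": "section", "head": "h2", "p": "p",
               "hi": "span", "lb": "br", "name": "span", "foreign": "span"}
ALLOWED_ATTRS = {"body": set(), "div": {XML_ID, "type", "n"}, "head": set(),
                 "p": {"rend"}, "hi": {"rend"}, "lb": set(), "name": {"type"},
                 "foreign": {XML_LANG}}


def local(tag):
    """Strip the namespace from an ElementTree tag or attribute name."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def html_attrs(elem):
    """Carry attributes over: xml:id -> id, xml:lang -> lang,
    rend/type -> class, anything else -> data-*."""
    attrs, classes = {}, []
    for key, val in elem.attrib.items():
        if key == XML_ID:
            attrs["id"] = val
        elif key == XML_LANG:
            attrs["lang"] = val
        elif local(key) in ("rend", "type"):
            classes.append(val)
        else:
            attrs["data-" + local(key)] = val
    if classes:
        attrs["class"] = " ".join(classes)
    return "".join(f' {k}="{html.escape(v)}"' for k, v in sorted(attrs.items()))


def to_html(elem):
    """Recursively serialise a TEI element; unmapped elements are transparent
    (their children are kept), the teiHeader is dropped."""
    name = local(elem.tag)
    if name == "teiHeader":
        return ""
    tag = ELEMENT_MAP.get(name)
    parts = []
    if tag == "br":
        parts.append("<br/>")
    elif tag:
        parts.append(f"<{tag}{html_attrs(elem)}>")
    parts.append(html.escape(elem.text or ""))
    for child in elem:
        parts.append(to_html(child))
        parts.append(html.escape(child.tail or ""))
    if tag and tag != "br":
        parts.append(f"</{tag}>")
    return "".join(parts)


def body_of(tei_string):
    root = ET.fromstring(tei_string)
    return root.find(f"{{{TEI_NS}}}text/{{{TEI_NS}}}body")


def convert(tei_string):
    return to_html(body_of(tei_string))


def qa_report(tei_string):
    """QA pass: list every element or attribute in the body that falls outside
    the project's definition, in document order."""
    problems = []
    for elem in body_of(tei_string).iter():
        name = local(elem.tag)
        if name not in ELEMENT_MAP:
            problems.append(f"unexpected element <{name}>")
            continue
        for key in elem.attrib:
            if key not in ALLOWED_ATTRS[name]:
                problems.append(f"unexpected attribute @{local(key)} on <{name}>")
    return problems


# A deliberately non-conforming variant of the sample (constructed).
BAD_TEI = (SAMPLE_TEI
           .replace('<hi rend="italic">', '<hi rend="italic" style="x">')
           .replace('<foreign xml:lang="la">cogito</foreign>', '<quote>cogito</quote>'))

if __name__ == "__main__":
    print(convert(SAMPLE_TEI))
    print(qa_report(SAMPLE_TEI), qa_report(BAD_TEI))
```

The QA pass is a whitelist rather than a full schema: anything not explicitly permitted is reported, which is the cheap way to catch stray attributes and elements a TEI-conformant but project-nonconformant file can carry. A real project would replace the two tables with its own ODD-derived lists.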

World Password Day (May 5th)

Filed under: Cybersecurity,Security — Patrick Durusau @ 10:13 am

World Password Day

Yeah, there is a website for “World Password Day.”

What Brian Barrett over at Wired refers to as a “made-up holiday.” 7 Password Experts on How to Lock Down Your Online Security.

I won’t tell Brian that all holidays are “made-up” if you don’t. Promise.

Read Brian’s post anyway because he does report seven tips that will make your password stronger than the average password.

Notice I did not say your password will be secure, just more secure than passwords on average.

Use this as a reminder to check your passwords.

I first saw this in Excellent advice for generating and maintaining your passwords by Cory Doctorow.

Mentioning Nazis or Hitler

Filed under: Natural Language Processing,Reddit — Patrick Durusau @ 9:51 am

78% of Reddit Threads With 1,000+ Comments Mention Nazis

From the post:

Let me start this post by noting that I will not attempt to test Godwin’s Law, which states that:

As an online discussion grows longer, the probability of a comparison involving Nazis or Hitler approaches 1.

In this post, I’ll only try to find out how many Reddit comments mention Nazis or Hitler and ignore the context in which they are made. The data source for this analysis is the Reddit dataset which is publicly available on Google BigQuery. The following graph is based on 4.6 million comments and shows the share of comments mentioning Nazis or Hitler by subreddit.

Left for a later post:

The next step would be to implement sophisticated text mining techniques to identify comments which use Nazi analogies in a way as described by Godwin. Unfortunately due to time constraints and the complexity of this problem, I was not able to try for this blog post.

Since Godwin’s law applies to inappropriate invocations of Nazis or Hitler, that implies there are legitimate uses of those terms.

What captures my curiosity is what characteristics must a subject have to be a legitimate comparison to Nazis and/or Hitler?

Or more broadly, what characteristics must a subject have to be classified as a genocidal ideology or a person who advocates genocide?

Thinking it isn’t Nazism (historically speaking) that needs to be avoided but the more general impulse that leads to genocidal rhetoric and policies.

Efficient R programming

Filed under: Programming,R — Patrick Durusau @ 9:24 am

Efficient R programming by Colin Gillespie and Robin Lovelace.

From the present text of Chapter 2:

An efficient computer set-up is analogous to a well-tuned vehicle: its components work in harmony, it is well-serviced, and it is fast. This chapter describes the software decisions that will enable a productive workflow. Starting with the basics and moving to progressively more advanced topics, we explore how the operating system, R version, startup files and IDE can make your R work faster (though IDE could be seen as basic need for efficient programming). Ensuring correct configuration of these elements will have knock-on benefits in many aspects of your R workflow. That’s why we cover them at this early stage (hardware, the other fundamental consideration, is covered in the next chapter). By the end of this chapter you should understand how to set-up your computer and R installation (skip to section 2.3 if R is not already installed on your computer) for optimal computational and programmer efficiency. It covers the following topics:

  • R and the operating systems: system monitoring on Linux, Mac and Windows
  • R version: how to keep your base R installation and packages up-to-date
  • R start-up: how and why to adjust your .Rprofile and .Renviron files
  • RStudio: an integrated development environment (IDE) to boost your programming productivity
  • BLAS and alternative R interpreters: looks at ways to make R faster

For lazy readers, and to provide a taster of what’s to come, we begin with our ‘top 5’ tips for an efficient R set-up. It is important to understand that efficient programming is not simply the result of following a recipe of tips: understanding is vital for knowing when to use a memorised solution to a problem and when to go back to first principles. Thinking about and understanding R in depth, e.g. by reading this chapter carefully, will make efficiency second nature in your R workflow.

Nope, go see Chapter 2 if you want the top 5 tips for efficient R set-up.

The text and code are being developed at the website and the authors welcome “pull requests and general comments.”

Don’t be shy!

Countries Wanting UK to Stay in EU [Bad Graphics]

Filed under: Graphics,Visualization — Patrick Durusau @ 8:47 am

[image: eu-england-02]

Before you read The map showing which countries want the UK to stay in the EU or my comment below, a question for you:

Do countries shaded in lighter colors support the UK remaining in the EU?

Simple enough question.

Unfortunately you are looking at one of the worst representations of sentiment I have seen in a long time.

From the post:

The indy100 have created the following graphic based on the data. In the map, the darker the shade of blue, the more support there is in that country for the UK to remain in the EU. The scores are calculated by subtracting the percentage of people who want Britain to leave, from those who want Britain to remain.

That last line:

The scores are calculated by subtracting the percentage of people who want Britain to leave, from those who want Britain to remain.

is what results in the odd visualization.

A chart later in the post reports that support for UK leaving the EU is only 18% in France, which would be hard to guess from the “32” shown on the map.

The map shows the gap between two positions, one for the UK to stay and the other for it to leave, and the shading represents the distance between the stay and leave positions.

That is, if public opinion were 50% to stay in the EU and 50% to leave the EU, that country would be colored clear with a score of 0.

Reporting support and/or opposition percentages with coloration based on those percentages would be far clearer.

May 4, 2016

“Library of Babel” (Jorge Luis Borges)

Filed under: Literature,Mapping,Maps — Patrick Durusau @ 8:05 pm

[image: buzz-feed-tower-of-babel-drewpatroopa17-plotted]

Select the image for a larger view. Trust me, it’s worth it.

The illustration is from “Plotted: A Literary Atlas” by Andrew DeGraff and this particular image of the illustration is from the review: 9 Awesome Literary Maps Every Book Lover Needs To See by Krystie Lee Yandoli.

DeGraff has maps for portions of these works:

Adventures of Huckleberry Finn – Mark Twain

Around the World in Eighty Days – Jules Verne

A Christmas Carol – Charles Dickens

A Good Man Is Hard to Find – Flannery O’Connor

Hamlet, Prince of Denmark – William Shakespeare

Invisible Man – Ralph Ellison

The Library of Babel – Jorge Luis Borges

The Lottery – Shirley Jackson

Moby Dick, or, The Whale – Herman Melville

Narrative of the Life of Frederick Douglass, an American Slave – Frederick Douglass

A Narrow Fellow in the Grass – Emily Dickinson

The Odyssey – Homer

The Ones Who Walk Away from Omelas – Ursula K. Le Guin

Pride and Prejudice – Jane Austen

A Report to the Academy – Franz Kafka

Robinson Crusoe – Daniel Defoe

Waiting for Godot – Samuel Beckett

Watership Down – Richard Adams

Wrinkle in Time – Madeleine L’Engle

Keep a copy of Plotted: A Literary Atlas on hand as inspiration.

At the same time, try your hand at capturing your spatial understanding of a narrative. Your reading experience will be different.

Enjoy!

Network structure and resilience of Mafia syndicates

Filed under: Networks,Social Networks — Patrick Durusau @ 7:11 pm

Network structure and resilience of Mafia syndicates by Santa Agreste, Salvatore Catanese, Pasquale De Meo, Emilio Ferrara, Giacomo Fiumara.

Abstract:

In this paper we present the results of our study of Sicilian Mafia organizations using social network analysis. The study investigates the network structure of a Mafia syndicate, describing its evolution and highlighting its plasticity to membership-targeting interventions and its resilience to disruption caused by police operations. We analyze two different datasets dealing with Mafia gangs that were built by examining different digital trails and judicial documents that span a period of ten years. The first dataset includes the phone contacts among suspected individuals, and the second captures the relationships among individuals actively involved in various criminal offenses. Our report illustrates the limits of traditional investigative methods like wiretapping. Criminals high up in the organization hierarchy do not occupy the most central positions in the criminal network, and oftentimes do not appear in the reconstructed criminal network at all. However, we also suggest possible strategies of intervention. We show that, although criminal networks (i.e., the network encoding mobsters and crime relationships) are extremely resilient to different kinds of attacks, contact networks (i.e., the network reporting suspects and reciprocated phone calls) are much more vulnerable, and their analysis can yield extremely valuable insights.

Studying the vulnerabilities identified here may help you strengthen your own networks against similar analysis.
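The two measurements the abstract rests on, centrality of individuals in a contact network and the network’s resilience to removing nodes, are easy to reproduce on a toy graph. The following is an added example, not the authors’ code or data: the graph is constructed so that the most senior node talks only to two lieutenants, mirroring the abstract’s point that the top of the hierarchy need not be the most central node, and the adaptive removal test shows how much faster a network fragments when the most “between” node is removed at each step than when the highest-degree node is.

```python
"""Centrality and targeted-removal resilience on a constructed contact network.

Added example, not the authors' code or data. The graph is hypothetical and
built so that the most senior node ("boss") talks only to two lieutenants,
mirroring the abstract's observation that top figures are rarely the most
central nodes in a contact network.
"""
from collections import deque

# Constructed undirected "reciprocated phone call" edges (hypothetical).
EDGES = [
    ("boss", "lt1"), ("boss", "lt2"), ("lt1", "lt2"),
    ("lt1", "a1"), ("lt1", "a2"), ("lt1", "a3"), ("a1", "a2"), ("a2", "a3"),
    ("lt2", "b1"), ("lt2", "b2"), ("lt2", "b3"), ("b1", "b2"), ("b2", "b3"),
    ("a3", "c1"), ("c1", "c2"), ("c2", "c3"), ("c1", "c3"),
]


def build_graph(edges):
    """Adjacency sets; insertion order of first appearance is kept."""
    g = {}
    for u, v in edges:
        g.setdefault(u, set()).add(v)
        g.setdefault(v, set()).add(u)
    return g


def degree(g):
    return {n: float(len(nb)) for n, nb in g.items()}


def betweenness(g):
    """Brandes' algorithm for unweighted undirected graphs (unnormalised)."""
    bc = {n: 0.0 for n in g}
    for s in g:
        stack, pred = [], {n: [] for n in g}
        sigma, dist = {n: 0 for n in g}, {n: -1 for n in g}
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # BFS counting shortest paths
            v = queue.popleft()
            stack.append(v)
            for w in g[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    pred[w].append(v)
        delta = {n: 0.0 for n in g}
        while stack:                      # accumulate dependencies
            w = stack.pop()
            for v in pred[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {n: b / 2 for n, b in bc.items()}   # each pair was counted twice


def largest_component(g):
    seen, best = set(), 0
    for start in g:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        while queue:
            v = queue.popleft()
            for w in g[v]:
                if w not in comp:
                    comp.add(w)
                    queue.append(w)
        seen |= comp
        best = max(best, len(comp))
    return best


def remove_node(g, node):
    return {n: {m for m in nb if m != node} for n, nb in g.items() if n != node}


def attack(g, rank, steps):
    """Remove `steps` nodes one at a time, re-ranking after each removal, and
    return the fraction of the original nodes left in the largest component."""
    total, history = len(g), []
    for _ in range(steps):
        scores = rank(g)
        g = remove_node(g, max(scores, key=scores.get))
        history.append(largest_component(g) / total)
    return history


if __name__ == "__main__":
    g = build_graph(EDGES)
    bc = betweenness(g)
    for n in sorted(bc, key=bc.get, reverse=True)[:4]:
        print(f"{n:5s} degree={len(g[n])} betweenness={bc[n]:.1f}")
    print("by degree     :", attack(g, degree, 2))
    print("by betweenness:", attack(g, betweenness, 2))
```

On this graph the boss has a betweenness of zero (his two contacts also talk to each other, so no shortest path runs through him), while a lieutenant is both the highest-degree and the highest-betweenness node. Two removals by betweenness leave a largest component of 5 of 12 nodes; two removals by degree leave 6 of 12, because the second degree-ranked removal only detaches a leaf-heavy cluster.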

To give you the perspective of the authors:

Due to its normative structure as well as strong ties with finance, entrepreneurs and politicians, Mafia has now risen to prominence as a worldwide criminal organization by controlling many illegal activities like the trade of cocaine, money laundering or illegal military weapon trafficking [4].

They say that as though it is a bad thing. As Neal Stephenson says in Snow Crash, the Mafia is just another franchise. 😉

Understanding the model others expect enables you to expose a model that doesn’t match their expectations.

Think of it as hiding in plain sight.

No Label (read “name”) for Medical Error – Fear of Terror

Filed under: Names,Subject Identity,Topic Maps — Patrick Durusau @ 2:06 pm

Medical error is third biggest cause of death in the US, experts say by Amanda Holpuch.

From the post:

Medical error is the third leading cause of death in the US, accounting for 250,000 deaths every year, according to an analysis released on Tuesday.

There is no US system for coding these deaths, but Martin Makary and Michael Daniel, researchers at Johns Hopkins University’s school of medicine, used studies from 1999 onward to find that medical errors account for more than 9.5% of all fatalities in the US.

Only heart disease and cancer are more deadly, according to the Centers for Disease Control and Prevention (CDC).

The analysis, which was published in the British Medical Journal, said that the science behind medical errors would improve if data was shared internationally and nationally “in the same way as clinicians share research and innovation about coronary artery disease, melanoma, and influenza”.

But death by medical error is not captured by government reports because the US system for assigning a code to cause of death, the international classification of disease (ICD), does not have a label for medical error.

In contrast to topic maps, where you can talk about any subject you want, the international classification of disease (ICD) does not have a label for medical error.

Impact? Not having a label conceals approximately 250,000 deaths per year in the United States.

What if Fear of Terror press releases were broadcast but along with “deaths due to medical error to date this year” as contextual information?

Medical errors result in approximately 685 deaths per day.

If you heard the report of the shootings in San Bernardino, December 2, 2015 and that 14 people were killed and the report pointed out that to date, approximately 230,160 had died due to medical errors, which one would you judge to be the more serious problem?

Lacking a label for medical error as cause of death prevents public discussion of the third leading cause of death in the United States.

Contrast that with the public discussion over the largely non-existent problem of terrorism in the United States.

“Lite” Lists of Intelligence Agencies

Filed under: Government,Intelligence — Patrick Durusau @ 1:34 pm

I referenced World Wide Intelligence (and defense) Agencies as a list of intelligence agencies, but looking at it later, it appears to be a bit “lite.”

There are one hundred and forty-five (145) agencies by my count.

I think what captured my attention is that there are no intelligence agencies for Latin or South America. Come to think of it, there are no intelligence agencies for Africa either.

Whereas, the List of Intelligence Agencies (Wikipedia) gives a rough count of six hundred and sixty-four (664) intelligence/signal agencies.

The advantage of the World Wide Intelligence (and defense) Agencies list is that it has URLs for the agencies themselves.

The larger Wikipedia list has links to other Wikipedia pages. Useful I suppose for the social engineering required for hacking a security service but not useful as a quick list of URLs for intelligence agencies.

The Federation of American Scientists (FAS) maintains a set of webpages that start with World Intelligence and Security Agencies. They are organized by country, and the amount of detail below the country pages varies. Pages have been updated unevenly and should be checked before relying on the information you find.

The Crypto Museum also maintains a list of intelligence organizations.

None of the lists appear to be “complete.”

I didn’t see any listing for the fifty (50) state police organizations in the United States. Nor any for major cities, such as Chicago, which operates its own gulag.

I haven’t looked on the “Dark Web” but I assume useful lists there are fairly expensive.

Enjoy!

May 3, 2016

Command Line Profiles (What’s Yours?)

Filed under: Cybersecurity,Latent Semantic Analysis,Security — Patrick Durusau @ 4:57 pm

Employing Latent Semantic Analysis to Detect Malicious Command Line Behavior by Jonathan Woodbridge.

From the post:

Detecting anomalous behavior remains one of security’s most impactful data science challenges. Most approaches rely on signature-based techniques, which are reactionary in nature and fail to predict new patterns of malicious behavior and modern adversarial techniques. Instead, as a key component of research in Intrusion Detection, I’ll focus on command line anomaly detection using a machine-learning based approach. A model based on command line history can potentially detect a range of anomalous behavior, including intruders using stolen credentials and insider threats. Command lines contain a wealth of information and serve as a valid proxy for user intent. Users have their own discrete preferences for commands, which can be modeled using a combination of unsupervised machine learning and natural language processing. I demonstrate the ability to model discrete commands, highlighting normal behavior, while also detecting outliers that may be indicative of an intrusion. This approach can help inform at scale anomaly detection without requiring extensive resources or domain expertise.

This is very cool and a must read on all sides of cybersecurity.

Jonathan’s post asks, from the defender’s perspective, how you detect “malicious” command line behavior.

Equally useful for what profiles do you mimic in order to not be detected as engaging in “malicious” command line behavior?

For example, do you mimic the profile of the sysadmin who is in charge of backups, since their “normal” behavior will be copying files in bulk and/or running scripts that accomplish that task?

Or for that matter, how do you build up profiles and possibly modify profiles over time, by running commands in the user’s absence, to avoid detection?

Opportunity is knocking, are you going to answer the door?

I first saw this in a tweet by Kirk Borne.

Life for Car Hacking? (and the timids)

Filed under: Cybersecurity,Government — Patrick Durusau @ 4:23 pm

Car hackers could get a life sentence under proposed anti-hacking law by John Zorabedian.

From the post:

Hacking a car in Michigan could become a felony with a life sentence, if proposed legislation introduced last week becomes law in the home state of the US auto industry.

The proposed legislation, Senate Bill 927, would make it illegal for any person to access an electronic system of a motor vehicle to “willfully destroy, damage, impair, alter, or gain unauthorized control” of the vehicle:

John does his readers a big favor by linking directly to the legislation in question! Thanks John!

John summarizes policy issues on car hacking legislation and has quotes from the timids who worry that legitimate security researchers will be prosecuted under such laws.

To be sure, county prosecutors go off on wild tangents, engage in abuse of discretion, etc., but for the most part, they aren’t looking for more cases to prosecute. Especially dodgy ones.

Security researchers, real security researchers, not just hackers who claim to be security researchers, should not be like the timids who wanted legal coverage before they would torture people.

What’s with that? If you really thought that a briefcase nuke was about to go off in the Mall of the Americas, would you really worry about being prosecuted for torture, if you thought that would work?

You wouldn’t nor would any other sensible person. It’s what’s called prosecutorial discretion. Yes, what you did was a crime but you saved X lives, etc., etc. No one is going to be prosecuted in such a case.

If as a security researcher you come up with an easy hack that the state attorney general can get PR from by forcing a recall, what do you think the odds are of a strained reading that would subject you to prosecution?

Does that mean there is no risk of prosecution? Of course not. Prosecution is always possible, whether you are guilty of any offense or not.

We do need better legislation in general and on cybersecurity in particular. Having the timids wring their hands in anguish over imagined literalism on the part of prosecutors isn’t going to get us there.

PS: To illustrate how disconnected the anti-hacking legislation is from any commonly shared reality, consider this summary of laws on car hijacking. The only ones carrying a life penalty were for murder during a hijacking, repeat offenders, etc.

“Rule of Law” and Lauri Love

Filed under: Cybersecurity,FBI,Government,NSA — Patrick Durusau @ 9:45 am

My recent post, How-To Document Conspiracies and Other Crimes, raised concerns with some readers since I did not address the legal niceties of the indictment. Burden of proof, claims not facts, etc. All of which were irrelevant to my point of using “secure IRC” to document a conspiracy or other crimes.

True or false, the indictment serves to illustrate the impact of self-documenting the commission of crimes, if indeed any crimes were committed.

What prompted this post was the suggestion that I was ignoring the “rule of law” in cases such as the one involving Lauri Love.

Perhaps the hacker community is unaware that the “rule of law” is a fiction which the sovereign sets aside at its convenience.

That has always been the case but the disturbing development during the Fear of Terror era, is that abandonment of the “rule of law” has become overt policy.

Iran-Contra is an example of abandoning the “rule of law” but at least those involved were talked about as criminals.

Fast forward to post 9/11 and examples of abandoning the “rule of law” explode: FBI instructs agents to conceal information from triers of fact U.S. v. Michaud, FBI hacking (FBI uses zero day exploits), Director of National Intelligence lies to Congress (Lies, Damned Lies, and Clapper (2015)), are just a few examples. (Is anyone keeping a list of the admitted lies to triers of fact and/or Congress?)

The public and unashamed abandonment of the “rule of law” along with any notion of an independent judiciary, has a deeply corrosive effect on the legitimacy of government.

Judges, where alleged crimes against the state are prosecuted, should remember the state abandoned the “rule of law” first. It has no one but itself to blame for the consequences that follow.
