Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

August 31, 2018

Leonardo da Vinci’s Notebooks [IIIF + Topic Maps]

Victoria and Albert Museum brings Leonardo da Vinci’s notebooks to life online by Gareth Harris.

From the post:

Scholars and digital experts at the Victoria and Albert Museum (V&A) in London have posted online the contents of two notebooks by Leonardo da Vinci, enabling devotees of the Renaissance polymath to zoom in and examine his revolutionary ideas and concepts.

On the technical front, the use of IIIF (International Image Interoperability Framework) to present a digital version of the notebooks is an innovation. “It’s our use of the IIIF standard that has enabled us to present the codex in a new way. The V&A digital team has been doing a lot of work in the last 18 months using IIIF. We’ve used the deep-zoom functionality enabled through IIIF to present some of the most spectacular and detailed items in our collection,” says Kati Price, the V&A’s head of digital media and publishing.

Crucially, IIIF also lets scholars compare similar objects across several institutions’ collections. “Researchers can easily see the images together with Leonardo da Vinci items held by other institutions using IIIF, for side-by-side digital comparison,” Yvard says.

These two notebooks, not to mention those to be posted next year for the 500th anniversary of Leonardo’s death, are important in their own right.

However, I want to draw your attention to the use of International Image Interoperability Framework (IIIF) in this project.

From the IIIF FAQ:

What is IIIF?

The International Image Interoperability Framework (IIIF) is a set of shared application programming interface (API) specifications for interoperable functionality in digital image repositories. The IIIF is comprised of and driven by a community of libraries, museums, archives, software companies, and other organizations working together to create, test, refine, implement and promote the IIIF specifications. Using JSON-LD, linked data, and standard W3C web protocols such as Web Annotation, IIIF makes it easy to parse and share digital image data, migrate across technology systems, and provide enhanced image access for scholars and researchers. In short, IIIF enables better, faster and cheaper image delivery. It lets you leverage interoperability and the fabric of the Web to access new possibilities and new users for your image-based resources, while reducing long term maintenance and technological lock in. IIIF gives users a rich set of baseline functionality for viewing, zooming, and assembling the best mix of resources and tools to view, compare, manipulate and work with images on the Web, an experience made portable–shareable, citable, and embeddable.

What are the benefits of IIIF?

….

Advanced, interactive functionality for end users

  • Fast, rich, zoom and pan delivery of images
  • Manipulation of size, scale, region of interest, rotation, quality and format.
  • Annotation – IIIF has native compatibility with the W3C annotation working group’s Web Annotation Data Model, which supports annotating content on the Web. Users can comment on, transcribe, and draw on image-based resources using the Web’s inherent architecture.
  • Assemble and use image-based resources from across the Web, regardless of source. Compare pages, build an exhibit, or view a virtual collection of items served from different sites.
  • Cite and Share – IIIF APIs provide motivation for persistence, providing portable views of images and/or regions of images. Cite an image with confidence in stable image URIs, or share it for reference by others–or yourself in a different environment.
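
As an added worked example (my code, not from the V&A project or the IIIF FAQ): the size, region, rotation, quality and format manipulation listed above is expressed in the IIIF Image API as URI path segments, `{base}/{identifier}/{region}/{size}/{rotation}/{quality}.{format}`. The Python below builds and parses such requests against the Image API 2.1 grammar and applies the checks a server would want before touching an image: a pixel budget on the requested size (the `MAX_PIXELS` value is an assumed policy, not part of the spec) and a guard against `..` components in decoded identifiers for servers that map identifiers onto files. The base URL and identifiers are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote, unquote

# Image API 2.1 value sets (my reading of the spec, not taken from the post).
QUALITIES = {"color", "gray", "bitonal", "default"}
FORMATS = {"jpg", "tif", "png", "gif", "jp2", "pdf", "webp"}
MAX_PIXELS = 50_000_000   # assumed server policy, not part of the spec

_INT = re.compile(r"\d+")
_NUM = re.compile(r"\d+(\.\d+)?")

def _num(text, pattern, conv):
    """Parse a number only if it fits the grammar (no signs, NaN, inf, spaces)."""
    if not pattern.fullmatch(text):
        raise ValueError(f"bad number {text!r}")
    return conv(text)

def _check_identifier(ident):
    # Identifiers arrive URI-encoded (slashes as %2F). Once decoded, refuse absolute
    # paths and dot segments so a file-backed server cannot be walked with them.
    parts = ident.split("/")
    if not ident or ident.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise ValueError(f"bad identifier {ident!r}")

def _check_region(region):
    if region in ("full", "square"):
        return
    pct = region.startswith("pct:")
    parts = (region[4:] if pct else region).split(",")
    if len(parts) != 4:
        raise ValueError(f"bad region {region!r}")
    x, y, w, h = [_num(p, _NUM, float) if pct else _num(p, _INT, int) for p in parts]
    if w <= 0 or h <= 0 or (pct and max(x, y, w, h) > 100):
        raise ValueError(f"bad region {region!r}")

def _check_size(size, max_pixels):
    if size in ("full", "max"):
        return
    if size.startswith("pct:"):
        if not 0 < _num(size[4:], _NUM, float) <= 100:
            raise ValueError(f"bad size {size!r}")
        return
    best_fit = size.startswith("!")            # "!w,h": scale to fit inside w x h
    body = size[1:] if best_fit else size
    if body.count(",") != 1:
        raise ValueError(f"bad size {size!r}")
    w_txt, h_txt = body.split(",")
    if (best_fit and not (w_txt and h_txt)) or not (w_txt or h_txt):
        raise ValueError(f"bad size {size!r}")
    w = _num(w_txt, _INT, int) if w_txt else None
    h = _num(h_txt, _INT, int) if h_txt else None
    if (w is not None and w <= 0) or (h is not None and h <= 0):
        raise ValueError(f"bad size {size!r}")
    if w and h and w * h > max_pixels:
        raise ValueError(f"size {size!r} exceeds the pixel budget")

def _check_rotation(rotation):
    body = rotation[1:] if rotation.startswith("!") else rotation   # "!n": mirror, then rotate
    if not 0 <= _num(body, _NUM, float) <= 360:
        raise ValueError(f"bad rotation {rotation!r}")

@dataclass(frozen=True)
class ImageRequest:
    identifier: str
    region: str = "full"
    size: str = "full"
    rotation: str = "0"
    quality: str = "default"
    fmt: str = "jpg"

    def validate(self, max_pixels=MAX_PIXELS):
        _check_identifier(self.identifier)
        _check_region(self.region)
        _check_size(self.size, max_pixels)
        _check_rotation(self.rotation)
        if self.quality not in QUALITIES or self.fmt not in FORMATS:
            raise ValueError(f"bad quality/format {self.quality}.{self.fmt}")
        return self

    def uri(self, base):
        """Client side: assemble {base}/{identifier}/{region}/{size}/{rotation}/{quality}.{format}."""
        return "/".join([base.rstrip("/"), quote(self.identifier, safe=""), self.region,
                         self.size, self.rotation, f"{self.quality}.{self.fmt}"])

def parse_request(base, uri, max_pixels=MAX_PIXELS):
    """Server side: split a request into its five segments and validate each one."""
    prefix = base.rstrip("/") + "/"
    if not uri.startswith(prefix):
        raise ValueError("uri is outside the service base")
    segments = uri[len(prefix):].split("/")
    if len(segments) != 5:
        raise ValueError("expected identifier/region/size/rotation/quality.format")
    ident, region, size, rotation, last = segments
    quality, dot, fmt = last.rpartition(".")
    if not dot:
        raise ValueError(f"missing format in {last!r}")
    return ImageRequest(unquote(ident), region, size, rotation, quality, fmt).validate(max_pixels)

def is_valid(base, uri, max_pixels=MAX_PIXELS):
    try:
        parse_request(base, uri, max_pixels)
        return True
    except ValueError:
        return False
```

Because every parameter is validated before the image is opened, a request for a 10000x10000 render or for an identifier that decodes to `../../etc/passwd` is refused at the URI stage rather than inside the image library.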

If you are looking to enhance your topic map with images, this sounds like the right way to go. Ping me with examples of your uses of IIIF with topic maps.

BTW, the Draft IIIF v.3.0 Specifications have been released for review.

Latin Terms … Early Printed Books

Filed under: Books,Library — Patrick Durusau @ 11:46 am

Glossary of Common Latin Terms Found in Imprints of Early Printed Books Compiled by Robert L. Maxwell.

Despite my association with markup technologies, I have a long standing fascination with libraries and research into materials created long before the advent of digital texts.

One aspect of using such materials is decoding the meaning of Latin terms, known to scholars at the time of publication, but that have passed from scholarly practice over the centuries.

This glossary by Maxwell will be useful for Latin terms, but I’m also putting A Manual of European Languages for Librarians on my wish list. That link is to the 1976 edition, as the more recent (1999) edition lists for $128 and some change. With better pricing, the 1999 edition could be part of every scholar’s bookshelf. Given the publisher, that seems unlikely.

August 30, 2018

Censorship: Compensating for Poor Design, Assumed User Incompetence

Filed under: Censorship,Free Speech — Patrick Durusau @ 12:58 pm

Tumblr is explicitly banning hate speech, posts that celebrate school shootings, and revenge porn by Shannon Liao.

From the post:

Tumblr is changing its community guidelines to more explicitly ban hate speech, glorifying violence, and revenge porn. The new rules go into effect on September 10th.

“It’s on all of us to create a safe, constructive, and empowering environment,” Tumblr writes in its blog post. “Our community guidelines need to reflect the reality of the internet and social media today.” The previous version of the guidelines can still be viewed on GitHub for comparison.

Some people cheer censorship of undefined “hate speech, glorifying violence, and revenge porn.” At least until they realize that censorship is made necessary by poor design and assumptions about user incompetence.

Poor Design

The filtering options for a Tumblr account are especially sparse:

“Safe” mode is a shot-in-the-dark filter with no known settings.

You can only choose “tags” to filter on. As though “tags” are going to be assigned in good faith by bad actors.

A better design of filtering would include user (with wildcarding), terms (with wildcarding), tags, dates (with ranges), along with the ability to “follow” filters created by other Tumblr users. (That could be a commercial incentive for users to create and sell such filters.)
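
An added example of the filter design just described (my own code, not Tumblr’s, written against the sketch above): a shareable filter with wildcarded users and terms, tags, a date range, and a timeline that applies your own filters plus the ones you follow. Patterns are shell-style globs via fnmatch rather than user-supplied regular expressions, so a filter copied from a stranger cannot carry a pathological pattern, and because tags are assigned by the poster, term patterns are matched on the body instead of trusting tags alone. The posts and the import limits are constructed.

```python
import json
import re
from dataclasses import asdict, dataclass, field
from datetime import date
from fnmatch import fnmatchcase
from typing import List, Optional

MAX_PATTERNS = 200        # assumed limits for filters imported from other users
MAX_PATTERN_LEN = 64

@dataclass(frozen=True)
class Post:
    author: str
    body: str
    tags: tuple
    posted: date

@dataclass
class Filter:
    """One shareable block list. users/terms are globs (* ? [..]); tags are exact matches."""
    name: str
    owner: str
    users: List[str] = field(default_factory=list)
    terms: List[str] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)
    date_from: Optional[str] = None   # ISO dates; if set, the filter applies only inside the window
    date_to: Optional[str] = None

    def __post_init__(self):
        pats = self.users + self.terms + self.tags
        if len(pats) > MAX_PATTERNS or any(len(p) > MAX_PATTERN_LEN for p in pats):
            raise ValueError(f"filter {self.name!r} too large to import")
        self.users = [p.lower() for p in self.users]
        self.terms = [p.lower() for p in self.terms]
        self.tags = [t.lower() for t in self.tags]
        for d in (self.date_from, self.date_to):
            if d:
                date.fromisoformat(d)   # fail early on garbage dates in a shared filter

    def in_window(self, when):
        lo = date.fromisoformat(self.date_from) if self.date_from else date.min
        hi = date.fromisoformat(self.date_to) if self.date_to else date.max
        return lo <= when <= hi

    def matches(self, post):
        if not self.in_window(post.posted):
            return False
        if not (self.users or self.terms or self.tags):
            return True                 # date-only filter: mute everything in the window
        words = re.findall(r"[a-z0-9_]+", post.body.lower())
        tags = {t.lower() for t in post.tags}
        return (any(fnmatchcase(post.author.lower(), p) for p in self.users)
                or any(fnmatchcase(w, p) for p in self.terms for w in words)
                or any(t in tags for t in self.tags))

    def to_json(self):
        """The shareable form: what another user would import when they 'follow' this filter."""
        return json.dumps(asdict(self))

    @classmethod
    def from_json(cls, text):
        return cls(**json.loads(text))

def hidden_by(post, filters):
    """Name of the first filter (own or followed) that hides the post, else None."""
    for f in filters:
        if f.matches(post):
            return f.name
    return None

def visible(posts, filters):
    return [p for p in posts if hidden_by(p, filters) is None]

# Constructed sample timeline and filters.
POSTS = [
    Post("spam_king_99", "Cheap pills, click here", ("lifestyle",), date(2018, 8, 30)),
    Post("alice", "My garden this week", ("garden",), date(2018, 8, 30)),
    Post("bob", "Hot take on the midterm elections", ("politics",), date(2018, 8, 29)),
    Post("spam_queen", "Totally legit offer", ("garden",), date(2018, 7, 1)),
]
MINE = Filter("mine", "me", users=["spam_king_*"], terms=["pill*"])
FOLLOWED = Filter("no-politics-aug", "carol", tags=["politics"],
                  date_from="2018-08-01", date_to="2018-11-07")
```

Each filter is a plain JSON document, which is what makes it followable or sellable: the only server-side work is applying the same `matches` routine to a user’s own filters and to the ones they subscribe to.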

Centralized censorship at Tumblr is an attempt to correct for an engineering failure, a failure that denies users the ability to choose the content they wish to view.

Assuming User Incompetence

Closely allied with the lack of even minimal, shareable filters is the Tumblr assumption that users are incompetent to filter their own content. Hence, Tumblr has to step in to filter content for everyone.

I don’t recall Tumblr (or any other Internet censor) offering any evidence that users are incapable of choosing the content they wish to view or avoid.

Are you incapable of making that choice?

I ask because the Spanish Inquisition censors made similar fact-free assumptions about readers. Why should Tumblr repeat the mistakes of the Spanish Inquisition?

Censorship shouts at everyone they aren’t competent to choose their own reading materials.

Conclusion

Tumblr isn’t the only Internet forum that is covering up poor design and making false assumptions about users and their competence in choosing material. I mention it here only as a sign that censorship is spreading and should be resisted without quarter.

I think you are smart enough to choose the content you wish to view and I extend that assumption to all other users.

Do you disagree?

August 29, 2018

How-To Read Kathy Griffin’s Thread on Sexism in the Workplace (For Men Only)

Filed under: Feminism,sexism — Patrick Durusau @ 4:29 pm

While describing sexism in the context of comedy, Kathy Griffin also points out the same could be said for any job or workplace.

Titled “(For Men Only)” because I have suggestions for how men should read Kathy Griffin’s thread. (I have no idea how women will or should read it.)

First, men should read this thread (A – Z) aloud to other men. Silently skimming it and nodding along may provide some benefit, but not much.

Second, read slowly and offer comments and discussion after every tweet. Reflecting back on women in your workplaces, are there instances that resonate with Griffin’s comments? What if anything did you do then? What if anything would you do differently now?

Third, telecommuting is no excuse for not doing #1 and #2. Find yourself a discussion partner to work through this thread.

I make these suggestions because changing ourselves (men), and hence workplace environments, requires effort. Saying we are different, getting a certificate that says we have been trained, assuring each other we are different, or that we aren’t as bad as Louis CK, doesn’t count.

Effort requires that we think about ourselves, our history with women, what a better future for women requires of us and steps we can take towards putting our new awareness into action.

Only we, by listening to women (#1), can work with women to create a better world for our mothers, sisters, wives, daughters,… for us all.

August 28, 2018

Hackers – Government Partnership? A New Model

Filed under: Cybersecurity,Government — Patrick Durusau @ 7:09 pm

The trials and tribulations of hiring hackers, much less hiring them by governments, are but a quick search away. A few of the articles I have encountered: Hiring hackers: The good, the bad and the ugly, Top 10 Pros and Cons of Hiring Hackers to Enhance Security, and, Hiring a hacker: Why and how you should do it.

These posts and others suffer from a lack of imagination in harnessing hackers for bettering government security.

Governments want fewer cybersecurity risks. Hackers want less risk from their hacking activities. Here’s one way to lessen the risks on both sides:

  1. Government creates a PGP key for encryption of method and proof of hack on a government information system.
  2. The encrypted package is signed by the hacker in question for proof of ownership of that hack.
  3. Uploading the encrypted package to a public website, where the hacker can claim it under their handle, automatically grants the hacker immunity for the hack and for the use of its results. Additionally, the hack cannot be used in any other prosecution for any purpose.
  4. The government can solicit solutions for submitted hacks from the submitting hacker(s) or from hackers more generally.

Governments, any government, are already hemorrhaging data. Anyone who says differently is selling a mythical security solution. Be forewarned.

The proposed hack/immunity system gives governments notice of hacks and their specifics, in exchange for immunity in the unlikely event that anyone will be prosecuted for a hack.

Moreover, the privacy of hackers is preserved: only the hacker holds the key that verifies the signature on the encrypted package, and they need produce it only in the event of a prosecution based on or using that hack.

The cybersecurity community as a whole gains greater reliability of breach information compared to:

…This year’s report is based on a global survey conducted by 451 Research during October and November of 2017.

In contrast to last year’s report, we surveyed 1,200+ senior security executives from across the globe (up from 1,100), including respondents from key regional markets in the U.S., U.K., Germany, Japan, Sweden, the Netherlands, Korea and India. We also surveyed key segments within those countries including federal government, retail, finance and healthcare. While all 1,200 respondents have at least some degree of influence in data security decision-making, more than one-third (34%) have ‘major’ influences on these decisions and nearly half (46%) have sole decision-making authority.
2018 THALES DATA THREAT REPORT

Misgivings over the trustworthiness of hackers are highly selective. Thales relies on people with an interest in their failures looking similar to everyone else’s. A rather odd “research” technique.

PS: Should anyone (US prosecutors, FBI, etc.) protest the automatic granting of immunity, ask them for their prosecution statistics versus the number of known breaches in their districts.

You can waste money on by-chance prosecutions and cybersecurity myths, or you can correct your systems against the best hackers in the world. Your call.

Cybersecurity Fails Set To Spread Beyond Beltway Defense Contractors

Filed under: Cybersecurity,Government,Government Data — Patrick Durusau @ 3:01 pm

I’m sure you were as amused as I was to read: U.S. Department Of Defense Awards $37 Million Contract To Cybersecurity Startup Qadium. It’s only fair you know. Startups can fail at cybersecurity just as well as traditional contractors (names omitted to protect the guilty).

In a show of transparency unlike most media outlets, the post includes a disclaimer that the following was written by Qadium:

Cybersecurity startup Qadium has been awarded a $37.6 million contract by the U.S. Department of Defense, making it the latest venture-backed startup from Silicon Valley to win a major federal contract over traditional Beltway defense contractors.

Qadium is the first company to provide real-time monitoring of the entire global Internet for customers’ assets. In a new era of machine-speed attacks, Qadium helps the world’s most sophisticated organizations define and secure their dynamic network edge.

The contract was awarded by the U.S. Navy’s Space and Warfare Command after the Department of Defense validated Qadium’s commercial software. Qadium is now recognized among a small handful of cybersecurity providers, with DoD making its software accessible department-wide.

“The Defense Department used to love to build its own IT, often poorly and at high cost to taxpayers,” said Qadium CEO and CIA veteran Tim Junio. “The times are finally changing. In the face of the greatest cybersecurity challenges in our nation’s history, we’re seeing the government and private tech companies coming together, making both sides better off.”

I can name one side that will be better off, to the tune of $37 Million.

Hackers also benefit from this news, Qadium becoming a known target for social engineering and other attention.

More GMail Addresses? Increasing Malware or Spam Chances?

Filed under: Email — Patrick Durusau @ 2:20 pm

I’m not sure why you would want to increase your malware/spam chances by having multiple Gmail addresses, but, FYI, it is possible.

J. D. Biersdorfer details how to generate multiple gmail addresses from one gmail address in Make Several Gmail Addresses Out of One.

I like Biersdorfer’s suggestion of using multiple Gmail addresses for tracking which “registration” shared your address with spammers. On the other hand, so long as it all goes to /dev/null, why would I care?

I assume all registrations are for the benefit of those asking for the registration; they are not meant to benefit me. So /dev/null it is, without further examination.
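
As an added example (my code, not Biersdorfer’s): Gmail treats dots in the local part as insignificant and ignores anything after a plus sign, and googlemail.com delivers to the same mailbox as gmail.com. That gives both sides of the trick: the alias you hand to a registration, the tag on an inbound message that names which registration leaked, and the canonical form a defender uses to recognise that twenty “different” signups are one mailbox. The addresses are constructed, and the rules are applied only to Gmail domains, since for other providers dots and case in the local part may be significant.

```python
import re

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
_TAG = re.compile(r"[A-Za-z0-9._-]{1,64}")   # assumed allow-list for tags we generate

def split_address(address):
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    return local, domain.lower()

def alias(address, tag):
    """Sender side: one registration, one tag, e.g. jane.doe+shop2018@gmail.com."""
    local, domain = split_address(address)
    if domain not in GMAIL_DOMAINS:
        raise ValueError("plus-addressing is only assumed to work for Gmail here")
    if not _TAG.fullmatch(tag):
        raise ValueError(f"bad tag {tag!r}")
    base = local.split("+", 1)[0]          # replace any tag already present
    return f"{base}+{tag}@{domain}"

def leak_source(recipient):
    """Inbound side: which registration's tag was this message addressed to?"""
    local, domain = split_address(recipient)
    if domain not in GMAIL_DOMAINS or "+" not in local:
        return None
    return local.split("+", 1)[1] or None

def canonical(address):
    """Defender side: collapse every Gmail variant to one mailbox identity."""
    local, domain = split_address(address)
    if domain not in GMAIL_DOMAINS:
        return f"{local}@{domain}"          # other providers: local part left untouched
    base = local.split("+", 1)[0].replace(".", "").lower()
    return f"{base}@gmail.com"

def same_mailbox(a, b):
    return canonical(a) == canonical(b)

def distinct_mailboxes(signups):
    """How many real mailboxes sit behind a list of registration addresses."""
    return len({canonical(s) for s in signups})
```

Rate limits and “one account per e-mail” checks keyed on the raw string miss this entirely; keying them on `canonical()` is the usual fix, and the same function turns a leaked spam list back into the set of real mailboxes it exposes.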

August 24, 2018

Compositionality: Now Open For Submissions [One Burning Editorial Policy Question]

Filed under: Category Theory,Mathematics — Patrick Durusau @ 4:48 pm

Compositionality: Now Open For Submissions by John Baez.

Our new journal Compositionality is now open for submissions!

It’s an open-access journal for research using compositional ideas, most notably of a category-theoretic origin, in any discipline. Topics may concern foundational structures, an organizing principle, or a powerful tool. Example areas include but are not limited to: computation, logic, physics, chemistry, engineering, linguistics, and cognition.

Compositionality is free of cost for both readers and authors.

After looking at the editorial policies, there is one burning question:

Can authors be listed as anonymous?

I ask because a friend of a friend recently confessed to using category theory on a medical domain ontology and concealed that fact from his users. My friend was cautioned to never reveal the use of category theory to those users.

Publications in Compositionality could show up in casual search results, tipping off users on the use of category theory.

A useful and productive tool could suddenly turn opaque and obscure.

The new journal sounds great but needs to be tweaked to hide authors from casual searches on the Internet. (Is this akin to the EU right to be forgotten? A right to not be found?)

Enjoy!

Looking forward to the first issue!

August 22, 2018

Politics of Code [If a question is not about power…, you didn’t understand the question.]

Filed under: Ethics,Programming,sexism — Patrick Durusau @ 9:04 pm

Politics of Code by Prof. Jacob Gaboury.

From the syllabus:

This course begins with the twin propositions that all technology is inherently political, and that digital technologies have come to define our contemporary media landscape. Software, hardware, and code shape the practices and discourses of our digital culture, such that in order to understand the present we must take seriously the politics of the digital. Beginning with an overview of cybernetics, information theory, systems theory, and distributed communications networks, the course will primarily focus on the politics and theory of the past twenty years, from the utopian discourses of the early web to the rise of immaterial labor economies and the quantification and management of subjects and populations. The course will be structured around close readings of specific technologies such as distributed networks, programming languages, and digital software platforms in an effort to ground critical theory with digital practice. Our ultimate goal will be to identify a political theory of the present age – one that takes seriously the role of computation and digitization.

If you don’t already have a reading program for the Fall of 2018, give this syllabus and its reading list serious consideration!

If time and interest permit, consider my suggestion: “If a question is not about power…, you didn’t understand the question.”

Uncovering who benefits from answers won’t get you any closer to a neutral decision making process but you can be more honest about the side you have chosen and why.

Data and the Midterm Elections:… [Enigma contest, swag prizes, September 21 deadline]

Filed under: Data Science,Government,Python — Patrick Durusau @ 4:44 pm

Data and the Midterm Elections: Enigma Public Call for Submissions

Calling all public data enthusiasts! To celebrate the launch of Enigma Public’s Python SDK, Enigma is hosting a contest for projects – ranging from data science to data visualization, data journalism and more – featuring Enigma’s public data in exploration of the upcoming U.S. elections.

We are excited to incentivize the creation of data-driven projects, exploring the critical U.S. midterm elections this fall. In this turbulent and confusing period in U.S. politics, data can help us interpret and understand both the news we’re reading and changes we’re seeing.

One of the suggested ideas:

Census Bureau data on voter registration by demographic category.

shows that Lakoff’s point about Clinton losing educated women around Philadelphia, “her” demographic, has failed to register with political types.

Let me say it in bold type: Demographics are not a reliable indicator of voting behavior.

Twice? Demographics are not a reliable indicator of voting behavior.

Demographics are easy to gather. Demographics are easy to analyze. But easy to gather and analyze, does not equal useful in planning campaign strategy.

Here’s an idea: Don’t waste money on traditional demographics, voting patterns, etc., but enlist vendors who market to those voting populations to learn what they focus on for their products.

There’s no golden bullet but repeating the mistakes of the past is a step towards repeating the failures of the past. (How would you like to be known as the only candidate for president beaten by a WWF promoter? That’s got to sting.)

Journal of the Ancient Near Eastern Society (JANES)

Filed under: Ancient World,Bible — Patrick Durusau @ 4:08 pm

Journal of the Ancient Near Eastern Society (JANES)

JANES, the Journal of the Ancient Near Eastern Society, was founded in 1968 at Columbia University, and has been housed at the Jewish Theological Seminary since 1982. Over these approximately forty years 30 volumes have been published under the editorship of former JTS professor Ed Greenstein and JTS professor David Marcus. The volumes include approximately three hundred and fifty articles written by over two hundred scholars and students from all over the world. The impressive array of scholars that have contributed articles to these volumes includes well-known names such as G. R. Driver, H. L. Ginsberg, Jonas Greenfield, William Hallo, Thorkild Jacobsen, Jacob Milgrom, A. L. Oppenheim, to mention but a few. Over the years there have been five special issues celebrating JTS and Columbia scholars Elias Bickerman, Meir Bravmann, Theodor Gaster, Moshe Held, and Yochanan Muffs. Articles have been written on all aspects of the Bible and Ancient Near East covering areas such as art history, archaeology, anthropology, language, linguistics, philology, and religion. There are articles on Assyriology, Ugaritic, Phoenician, Hittite, and all areas of Hebrew and Aramaic and on almost every book of the Bible. Manuscripts should be composed according to the SBL style sheet and sent to the Editors, c/o Ed Greenstein (greenstein.ed@gmail.com)

Biblical and Ancient Near Eastern studies were my primary focus area when I was drawn into markup languages and standardization efforts.

If you are looking for challenging material to index, consider those listed in AWOL – The Ancient World On Line. The languages range from ancient to modern, materials from images to digital texts.

Enjoy!

Battle of Impressively Bad Military Graphics

Filed under: Communication,Graphics,Visualization — Patrick Durusau @ 3:32 pm

Cav The Knife started a thread on Twitter with this image:

The original can be found in Joint Intelligence Preparation of the Operational Environment, page I-3.

Rob Levinson counters with:

The original can be found in Dynamic Planning for COIN in Afghanistan at page 22. The slide deck includes numerous other offenses against the art of explanation and visualization.

The contest is somewhat unfair because the Joint Intelligence graphic was composed by military lifers, while COIN in Afghanistan was created by professionals at PA Consulting Group.

For my money, COIN in Afghanistan takes the prize in this comparison as the worst graphic, but Joint Intelligence should get a “best in amateur class” mention.

Other contestants?

August 21, 2018

EPIC APP CHALLENGE [Intelligence on Intelligence Community, Street Cred, Cash Prizes]

Filed under: Contest,Intelligence — Patrick Durusau @ 7:45 pm

EPIC APP CHALLENGE

From the post:

The EPIC App Challenge is an Intelligence-Community-focused challenge for developers directed at one or more hard problems the IC is facing today. Participating in the App Challenge is a great way to show off your school or company’s developers and technical talent to 3 esteemed judges and over 1,000 attendees at the 2018 Intelligence and National Security Summit. Similar to a hackathon, teams will be competing against each other in a 10-day sprint to create the best solution to the problem involved. Instead of running the challenge on-site, teams will work from their home, office, or school to create their solutions and then present them on the kickoff day of the Summit, September 4.

There will be cash prizes given to the first, second, and third place teams, which will be announced following the keynote luncheon on the opening day of the conference.

  • Grand Prize: $3,000
  • Second Place: $2,000
  • Third Place: $1,000

Phase 1: August 24 – September 4

  • We will host a virtual kick off at 11am on Friday, August 24 to provide all teams with the problem statement, as well as answer any questions you may have. We will also provide contact information if you have any questions along the way. You will have until 8:00am on Tuesday, September 4 to work on your project. Your solution can be presented in PowerPoint or Keynote slides, a Word document, a Prezi, video, etc.

Phase 2: September 4

  • You will arrive by 8:15am to present your solution to the judges. We will kick off the event with opening remarks, and then each team will present their solution. Judging will be done science fair style. Judges will give each team approximately 15 minutes to present their solution. Judging will conclude at 11:00am. Following the round of judging, the winners will be selected and recognized on stage following the opening keynote luncheon, which begins at 11:45am.
  • Teams are allowed to leave their solutions set up the rest of the day for the 1,000+ INSS attendees to come by and see your solution.

Problem Set

The App Challenge problem will focus on anticipating events based on open source data sets that may include data for natural disasters, social unrest, cyber attacks, or disease patterns. Participants will be judged on their ability to develop anticipatory intelligence solutions based on the final judging criteria. 

Utilize a publicly available open data set (i.e., CIA World Factbook, Data.gov, more) to provide indicators and warning (i.e., anticipatory intelligence, predictive analytics, pattern recognition) for an ongoing or upcoming global event that would be relevant to National Security Interests of the United States. Your solution will be judged on two prongs: First, on the problem set’s impact to national security; and, second, the technical solution and how well the proposed solution will meet that need. Further details to be provided during the kickoff on Aug. 24.

Examples of data sets and technology to support the development of your solution:

  • Data sets: CIA World Factbook, Data.gov, US Census, Github, Socrata, DIUx, more
  • Indicators and warning: pattern recognition, machine learning, anticipatory intelligence, predictive analytics, etc.
  • Potential events with national security implications that could be of focus (this is not inclusive):
    • Cyber attacks
    • Natural disasters (i.e., fires, earthquakes, Tsunami)
    • Biological events (i.e., disease outbreak patterns)

Team Entry

  • Minimum of 1 person with a maximum of 5 team members
  • Participants in the EPIC App Challenge will be provided complimentary registration to the conference, as well as a complimentary ticket to the opening keynote luncheon
  • Teams must be able to attend the morning of September 4 to present your solution.
  • Cost is $50 per team to participate.

Register here!

If you want to gather intelligence on the intelligence community, here’s a cheap ($50) way to start. Not only will you discover what the intelligence community (IC) considers to be hard problems, you may come to the attention (assuming that’s desired) of members of the IC. They are further sources of what interests the IC.

Anyone up for a team using merging based on subject identity? Ping me.

Hacking: The hope for corporate and governmental transparency

Filed under: FOIA,Government,Hacking,Transparency — Patrick Durusau @ 1:31 pm

DEF CON 26 (2018) was the source of many headlines, including Hacking the US Midterms? It’s Child’s play., Hacking Medical Protocols to Change Vital Signs, and, Tesla Plans to Open-source its Vehicle Security Software, to say nothing of zero-day bugs and new attacks on old ones.

The most encouraging news, at least for transparency of corporations and governments comes from Breaking Badge – The DEFCON Crazy 8s by NodyaH.

“DEF CON City” is the location of a text-based adventure that can be solved only with interactions between 8 card types (depends on type of attendee) as well as hacking the cards themselves. The goal is to turn all the letters DEFCON green. There are resources at the end of the post, if you already have a badge.

NodyaH does a great job describing the starts, stops and re-tracing steps of participants as they rushed to break the badges.

It’s a fast moving tale so take a few minutes to read it. After having read it, can you name a corporate or governmental agency that would be more difficult to hack than the DEFCON badges?

The solution to grudging transparency and documents that mislead more than they inform is not more FOIA. Transparency requires hackers who peel corporate and government agencies like navel oranges.

Are you one of them or aspire to be?

Keep up with DEFCON!

August 15, 2018

Against Laptops & Phones in Class [Note Taking and Conference Videos]

Filed under: Education — Patrick Durusau @ 5:06 pm

Against Laptops & Phones in Class by Andrew Mills.

A great collection of studies on the negative impact on memory and student performance from having laptops and/or phones in class.

I certainly have my phone and main computer screens available while I watch conference videos.

Without a controlled scientific study, I venture those distractions have a negative impact on my learning from video presentations.

Mills advocates manual note taking and lists resources on same (two of which are working today):

It’s certainly possible to create transcriptions of videos but I suspect notes give a better view of video content. (Well, except for where your pen scrawls off the page because you went to sleep. Been there, done that.)

No promises but thinking of applying the lessons Mills advocates for the classroom in a home learning environment.

If you try this, ping me with your experiences.

Enjoy!

The Talk-First Strategy of Poster Design

Filed under: Conferences,Presentation — Patrick Durusau @ 1:22 pm

The Talk-First Strategy of Poster Design by Xanda Schofield and Prof. David Mimno.

From the post:

Posters are a great way to learn how to communicate your work, but designing and writing a poster is hard. Our group has developed a simple technique that works well, and we thought it could be helpful to others.

Presenting at poster sessions at conferences can be exhausting. You stand by your poster for several hours and, when people ask you for a description of your work, must give a tight three-to-five-minute talk. If you’re successful in grabbing the attention of passersby (and that in itself is a skill), this cycle could easily happen 10-20 times, each with a unique set of follow-up questions about what struck the listener as interesting or confusing. By the end of the session, we often find ourselves with a much clearer mental model of our work: you learn how to get someone’s interest quickly, what terms you need to define, what parts are confusing, and what the best examples are to illustrate successes and failures.

The problem with this pattern, of course, is that the great mental model arrives at the *end* of the process, when you are pulling out the thumb tacks and rolling up the poster. Oftentimes, we have presented posters that were full of things that we didn’t actually want to discuss. The clearest sign we had made this mistake was when we would find ourselves repeatedly pointing to one or two specific spots on the poster, and not really using anything else. It’s not that that content was bad or wrong; it may have been the key material of a longer talk. But in three to five minutes, there may not be space to actually explain everything.

So rather than spending a lot of time creating a poster in PowerPoint or OmniGraffle or something similar, and then figuring out what works and doesn’t at the poster session, we started what you might call the “talk first” method. The goal is to move away from thinking about a poster as a static document or a paper summary. Instead, we try to think of them as visual aids for mini-presentations — a series of things you want to point to as you are talking about your work. It’s not a bad thing for a poster to work as a self-contained, unattended unit. But it’s more important that it be the visual complement to your in-person description. By starting with that goal in mind, we have been able to design much more effective posters for our work,
… (emphasis in original)

Top three (3) lessons from Schofield and Mimno:

  1. Effective communication is NOT a matter of chance.
  2. People don’t luck into being good presenters.
  3. You can improve your presentation/poster skills (with practice).

Schofield and Mimno provide a process for improving your poster presentation skills.

Caveat: You have to supply the practice on your own.

Good luck!

August 14, 2018

Process Doppelgänging meets…

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 4:29 pm

Process Doppelgänging meets Process Hollowing in Osiris dropper by hasherezade.

From the post:

One of the Holy Grails for malware authors is a perfect way to impersonate a legitimate process. That would allow them to run their malicious module under the cover, being unnoticed by antivirus products. Over the years, various techniques have emerged in helping them to get closer to this goal. This topic is also interesting for researchers and reverse engineers, as it shows creative ways of using Windows APIs.

Process Doppelgänging, a new technique of impersonating a process, was published last year at the Black Hat conference. After some time, a ransomware named SynAck was found adopting that technique for malicious purposes. Even though Process Doppelgänging still remains rare in the wild, we recently discovered some of its traits in the dropper for the Osiris banking Trojan (a new version of the infamous Kronos). After closer examination, we found out that the original technique was further customized.

Indeed, the malware authors have merged elements from both Process Doppelgänging and Process Hollowing, picking the best parts of both techniques to create a more powerful combo. In this post, we take a closer look at how Osiris is deployed on victim machines, thanks to this interesting loader.

Way beyond my current skill level but it may not be beyond yours.

It also serves as an inspiration/target for a skill level sufficient to read along with a fair degree of understanding.

Enjoy!
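Both techniques quoted above end with a process that reports a legitimate executable as its image while running bytes that file never contained. A standard hunting heuristic for that condition, added here as an example and not taken from the Malwarebytes post, is to compare the image mapped in the process against the file at its reported image path. The process table, the "disk" contents and the PE-header stand-ins below are constructed; a real collector would read the image path from the PEB and the module bytes from process memory.

```python
"""Flag processes whose mapped executable image differs from its file on disk.

Added example: this is not code from the quoted Malwarebytes post. Process
Hollowing and Process Doppelgänging both leave a process that reports a
legitimate executable as its image while executing bytes that file never
contained, so a common hunting heuristic (assumed here, not described in the
post) is to compare the image mapped at the process's image base with the
file at its reported image path. The process list and "disk" below are
constructed; a real collector would read the image path from the PEB and the
module bytes from process memory.
"""
import hashlib
from dataclasses import dataclass

HEADER_BYTES = 512  # compare the DOS/PE header region only (a simplification;
                    # real tools diff code sections after undoing relocations)


def _pe_header(marker: bytes) -> bytes:
    """Constructed stand-in for a PE header: 'MZ' plus a distinguishing marker."""
    return b"MZ" + marker.ljust(HEADER_BYTES - 2, b"\x00")


@dataclass
class ProcessRecord:
    pid: int
    image_path: str      # path the process reports for its main module
    memory_image: bytes  # bytes observed at the mapped image base


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(proc: ProcessRecord, disk: dict) -> list:
    """Return the findings for one process (an empty list means nothing suspicious)."""
    findings = []
    on_disk = disk.get(proc.image_path)
    if on_disk is None:
        # Nothing at the reported path: deleted, or a transaction that never committed.
        findings.append("image path has no backing file on disk")
    elif sha256(on_disk[:HEADER_BYTES]) != sha256(proc.memory_image[:HEADER_BYTES]):
        # Legitimate file on disk, but the process is running something else.
        findings.append("mapped image header differs from file on disk")
    return findings


def hunt(disk: dict, procs: list) -> dict:
    """Map pid -> findings for every process that trips a check."""
    results = {}
    for proc in procs:
        findings = assess(proc, disk)
        if findings:
            results[proc.pid] = findings
    return results


def constructed_environment():
    """A constructed filesystem view and process table for the example."""
    legit_svchost = _pe_header(b"svchost-legit")
    legit_explorer = _pe_header(b"explorer-legit")
    disk = {
        r"C:\Windows\System32\svchost.exe": legit_svchost,
        r"C:\Windows\explorer.exe": legit_explorer,
    }
    procs = [
        ProcessRecord(1200, r"C:\Windows\System32\svchost.exe", legit_svchost),   # benign
        ProcessRecord(1560, r"C:\Windows\explorer.exe", legit_explorer),          # benign
        ProcessRecord(4412, r"C:\Windows\explorer.exe", _pe_header(b"payload")),  # image replaced
        ProcessRecord(5120, r"C:\Users\Public\update.exe", _pe_header(b"payload")),  # no file
    ]
    return disk, procs


if __name__ == "__main__":
    disk, procs = constructed_environment()
    for pid, findings in hunt(disk, procs).items():
        print(pid, "; ".join(findings))
```

Comparing only the header keeps the example short; in practice the code section is compared after relocations are undone, and a mismatch is a lead to confirm with the PEB, VAD and parent-process context rather than a verdict on its own.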

Mouse > Sword – High Sierra Hack – 2 lines of code [Brett Kavanaugh documents?]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 3:30 pm

ex-NSA Hacker Discloses macOS High Sierra Zero-Day Vulnerability by Mohit Kumar.

The gist of the attack:

Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS operating system that could allow a malicious application installed in the targeted system to virtually “click” objects without any user interaction or consent.

To know how dangerous it can get, Wardle explains: “Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click …allowed.”

Wardle described his research into “synthetic” interactions with a user interface (UI) as “The Mouse is Mightier than the Sword,” showcasing an attack that’s capable of ‘synthetic clicks’—programmatic and invisible mouse clicks that are generated by a software program rather than a human.

Be sure to grab Wardle’s slides for: The Mouse is mightier than the sword.

It’s not a small file (194 MB) but it has goodies like the slides reproduced in the original post, not to mention numerous links and deep analysis of the Mac OS.

Enjoy!

PS: Do you think a current version of High Sierra has access to the files on Supreme Court nominee Brett Kavanaugh? The National Archives and Records Administration says it will take two months to review approximately 1 million records. If dumped, un-edited to the Internet, what? Two weeks? Tops?

To many eyes, all scandals (real or imagined) are transparent.

Man-in-the-Disk – Breaking and Entering Android Phones

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 1:14 pm

New Man-in-the-Disk attack leaves millions of Android phones vulnerable by Swati Khandelwal.

From the post:

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps utilize the ‘External Storage’ system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

Khandelwal cites Man-in-the-Disk: A New Attack Surface for Android Apps, which provides this quick summary of the attack:

As the details of this attack may seem complex, let us recap the general outline and ramifications of these shortcomings of Android:

  • An Android device’s External Storage is a public area which can be observed or modified by any other application on the same device.
  • Android does not provide built-in protections for the data held in the External Storage. It only offers developers guidelines on proper use of this resource.
  • Developers anywhere are not always versed in the need for security and the potential risks, nor do they always follow guidelines.
  • Some of the pre-installed and popularly used apps ignore the Android guidelines and hold sensitive data in the unprotected External Storage.
  • This can lead to a Man-in-the-Disk attack, resulting in the manipulation and/or abuse of unprotected sensitive data.
  • Modification to the data can lead to unwelcome results on the user’s device.

Vulnerability pattern: Privileged execution of non-validated data.

Does anyone have a chart of the privileges required by Android apps using External Storage? That would help triage which apps to investigate first.

(Leaving to one side the deliberate creation of an app with high privileges with a plan to later update from External Storage.)
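One crude but useful way to answer the triage question above, as an added example that is neither the original post’s nor Check Point’s code: read each app’s manifest, and rank apps that declare the shared External Storage permissions by how much other privilege they hold, since tampered files can only matter if they steer logic that runs with real privileges. The manifests are constructed, the package names are placeholders, and the permission weights are an assumption for this example.

```python
"""Triage Android apps for Man-in-the-Disk exposure from their manifests.

Added example, not code from the Check Point research or the original post.
An app that declares the shared External Storage permissions AND holds other
powerful permissions is examined first, because tampered files could steer
logic that runs with those privileges. The manifests below are constructed,
and the weights are an assumption for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions for the shared, world-accessible External Storage area.
# Caveat: since API level 19 an app can use its own app-specific directory on
# external storage without declaring these, so a missing permission lowers
# priority; it does not prove the app never touches external storage.
EXTERNAL_STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions whose abuse would matter if the app's behaviour could be steered
# by a tampered file. Weights are assumptions for this example.
SENSITIVE_WEIGHTS = {
    "android.permission.INSTALL_PACKAGES": 5,          # signature-level; pre-installed apps
    "android.permission.REQUEST_INSTALL_PACKAGES": 4,
    "android.permission.READ_SMS": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 2,
    "android.permission.INTERNET": 1,
}


def permissions_from_manifest(manifest_xml: str) -> set:
    """Collect the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def triage(manifests: dict) -> list:
    """Return (package, score, uses_external_storage, sensitive_perms) rows,
    highest score first. Apps that never declare External Storage score 0:
    the Man-in-the-Disk precondition is absent (subject to the caveat above)."""
    rows = []
    for package, xml in manifests.items():
        perms = permissions_from_manifest(xml)
        uses_ext = bool(perms & EXTERNAL_STORAGE)
        sensitive = sorted(p for p in perms if p in SENSITIVE_WEIGHTS)
        score = sum(SENSITIVE_WEIGHTS[p] for p in sensitive) if uses_ext else 0
        rows.append((package, score, uses_ext, sensitive))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def _manifest(package: str, *perms: str) -> str:
    """Build a constructed minimal AndroidManifest.xml string."""
    body = "".join('  <uses-permission android:name="%s"/>\n' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">\n%s</manifest>'
            % (ANDROID_NS, package, body))


def example_manifests() -> dict:
    """Constructed sample apps (package names are placeholders, not real apps)."""
    return {
        "com.example.browser": _manifest(
            "com.example.browser",
            "android.permission.INTERNET",
            "android.permission.WRITE_EXTERNAL_STORAGE",
            "android.permission.REQUEST_INSTALL_PACKAGES",
            "android.permission.ACCESS_FINE_LOCATION"),
        "com.example.translate": _manifest(
            "com.example.translate",
            "android.permission.INTERNET",
            "android.permission.WRITE_EXTERNAL_STORAGE"),
        "com.example.messenger": _manifest(
            "com.example.messenger",
            "android.permission.INTERNET",
            "android.permission.READ_SMS"),
        "com.example.calculator": _manifest("com.example.calculator"),
    }


if __name__ == "__main__":
    for package, score, uses_ext, sensitive in triage(example_manifests()):
        print("%-24s score=%d external_storage=%s %s" % (package, score, uses_ext, sensitive))
```

On a real device the manifests come out of the installed APKs (the binary AndroidManifest.xml needs decoding first), and the ranking is only a starting order: the confirming step is still to check whether the app reads anything from External Storage without validating it.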

August 13, 2018

Hunting God Modes? [Get Thee to the Patent Office]

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 7:53 pm

God Mode unlocked: Hardware backdoors in x86 CPUs by Christopher Domas.

Domas has discovered a god mode in the VIA C3 Nehemiah chip (2003) by tracing a series of patents.

An impressive bit of work, but its greater importance lies in partially populating search terms to use when looking for similar patents.

Not to mention that confirmation of the existence of a god mode, not rumored, not whispered about, but a corroborated god mode, will encourage other security researchers to seek other god modes in other versions of chips.

There is a non-technical treatment of Domas’ discovery at: Hacker Finds Hidden ‘God Mode’ on Old x86 CPUs by Paul Wagenseil.

It’s a good summary article but be forewarned of Wagenseil’s take on security:

The good news is that, as far as Domas knows, this backdoor exists only on VIA C3 Nehemiah chips made in 2003 and used in embedded systems and thin clients. The bad news is that it’s entirely possible that such hidden backdoors exist on many other chipsets.

Wagenseil has that backwards. Good news would be god modes on all chipsets. Bad news would be god mode is a one-off mistake on the VIA C3 Nehemiah chip (2003). God modes make information security more sporting.

What chip set patents are you going to be researching this week?

Update, 14 August 2018: See the Rosenbridge project at Github for code, etc.

August 5, 2018

Color and Size Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 8:46 pm

I mentioned in First Steps with Radare2 on Ubuntu 18.04 that I needed to reset the default colors in Radare2, along with making the font larger.

Itay Cohen, @megabeets_, quickly responded:

Hi Patrick! I read that you had a bit of a struggle with the font colors. Did you know you can change the color theme? Just use “eco “. Screenshots of the different themes are available here: https://r2wiki.readthedocs.io/en/latest/home/themes/#themes. You can also use the Visual Color editor “VE”. Try ‘ec?’

Great way to change displays!

Since I am running XFCE as a desktop, ctrl + and ctrl - don’t change the terminal font size. (Or at least I’m missing how to make that work in XFCE.)

For the time being, I’m starting r2 in an Emacs shell, which allows me to reset the font size quite easily. With the added advantage of being in Emacs!

Now to try out “eco “.

Several people mentioned that I should try Cutter, the new GUI for Radare2. Going to but I’m comfortable with command line interfaces. Not to mention that experience with the command line will enable me to notice groupings in the GUI.

Chaff Bugs: Deterring Attackers by Making Software Buggier

Filed under: Cybersecurity,Hacking — Patrick Durusau @ 2:20 pm

Chaff Bugs: Deterring Attackers by Making Software Buggier by Zhenghao Hu, Yu Hu, Brendan Dolan-Gavitt.

Abstract:

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).

A deeply interesting paper but testing the effectiveness of chaff bugs falls short. The researchers used standard tools to create their estimates of the effectiveness of the chaff bugs. But that isn’t the same as measuring their effectiveness against hackers.

By analogy, consider a team authoring a cracking puzzle and then estimating its difficulty, as opposed to relying on other teams to crack it. Different people, different perspectives, habits, tools, could all make a substantial difference.

Looking forward to seeing this technique appearing in hacking contests.

August 4, 2018

First Steps with Radare2 on Ubuntu 18.04

Filed under: Cybersecurity,Hacking,Radare2 — Patrick Durusau @ 3:19 pm

If you read Reverse Engineering With Radare2, Part 1 by Sam Symons, you will be hot to jump in and start using Radare2!

Of course, like me, you will ignore most of the introduction and quickly search for Radare2, only to encounter an array of installation options, most of which don’t concern you.

Avoid that mistake: follow this link, http://radare.org/r/down.html (yes, the same one that Symons has in his post), and follow these directions:

git clone https://github.com/radare/radare2
cd radare2
sys/install.sh # just run this script to update from r2 from git

OK, you need to:

sudo sys/install.sh if you aren’t in a root shell.

Symons points you to course materials for a Modern Binary Exploitation course and their website.

Starting with ./crackme0x00a, you are introduced to the r2 command to open the first challenge.

Presented in a different order, you will encounter:

  • ? – help (append to any command)
  • aa – analyze all
  • cd – change directories
  • pdf – Print disassemble function – pdf@main (simple example)
  • pwd – identify working directory
  • s – seek
  • x – print

I’m working on resetting the colors! Even in a much larger size, this is terribly difficult to read!

That reminds me, there is a book on radare2, imaginatively titled: R2 “Book.” (There is truth to the claim that naming is one of the hardest problems in computer science.)

I got to the end of the first exercise and have some confidence that the Radare2 installation is working properly.

Before going any further, I’m going to experiment with and fix the color display. It’s painful to look at. More on its way!

Enjoy!

August 3, 2018

Browser-based GDB frontend: gdbGUI [With cameo by Thomas Hobbes]

Filed under: .Net,Cybersecurity,gdb,Hacking,Programming,Reverse Engineering — Patrick Durusau @ 8:26 pm

Browser-based GDB frontend: gdbGUI

From the post:

A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust! Simply run gdbgui from the terminal and a new tab will open in your browser.

Features:

  • Debug a different program in each tab (new gdb instance is spawned for each tab)
  • Set/remove breakpoints
  • View stack, threads
  • Switch frame on stack, switch between threads
  • Intuitively explore local variables when paused
  • Hover over variables in source code to view contents
  • Evaluate arbitrary expressions and plot their values over time
  • Explore an interactive tree view of your data structures
  • Jump back into the program’s state to continue debugging unexpected faults (i.e. SEGFAULT)
  • Inspect memory in hex/character form
  • View all registers
  • Dropdown of files used to compile binary, with autocomplete functionality
  • Source code explorer with ability to jump to line
  • Show assembly next to source code, highlighting current instruction. Can also step through instructions.
  • Assembly is displayed if source code cannot be found
  • Notifications when new gdbgui updates are available

While cybersecurity is always relative, the more skills you have, the more secure you can be relative to other users. Or, as Thomas Hobbes observed in De Cive, revised edition, printed in 1760 at Amsterdam, bellum omnium contra omnes, “the war of all against all.” (The quote is found on pages 25-26 of this edition. The following image is from the revised edition, 1647.)

Look to your own security. It is always less valuable to others.

Hints for Computer System Design

Filed under: Computer Science,Design — Patrick Durusau @ 7:24 pm

Hints for Computer System Design by Butler W. Lampson (1983)

Abstract:

Studying the design and implementation of a number of computers has led to some general hints for system design. They are described here and illustrated by many examples, ranging from hardware such as the Alto and the Dorado to application programs such as Bravo and Star.

Figure 1 is the most common quote you will see:

Figure 1 is a great summary, but don’t cheat yourself by using it in place of reading the full article. All of those slogans have a context of origin and usage.

I saw this in a tweet by Joe Duffy, who says he reads it at least once a year. Not a bad plan.

Russian Bot Spotting, Magic Bullets, New York Times Tested

Filed under: Bots,Social Media,Twitter — Patrick Durusau @ 4:39 pm

How to Spot a Russian Bot by Daniel Costa-Roberts.

Spotting purported Russian bots on Twitter is a popular pastime for people unaware that the “magic bullet” theory of communication has been proven false. One summary of “magic bullet” thinking:

The media (magic gun) fired the message directly into the audience’s head without their own knowledge. The message causes an instant reaction from the audience’s mind without any hesitation; this is called the “Magic Bullet Theory”. The media (needle) injects the message into the audience’s mind and it causes changes in audience behavior and psyche towards the message. The audience is passive and can’t resist the media message; this is called the “Hypodermic Needle Theory”.

The “magic bullet” is an attractive theory for those selling advertising, but there is no scientific evidence to support it:

The magic bullet theory is based on assumptions about human nature and was not based on any empirical findings from research. Few media scholars accept this model because it’s based on assumption rather than any scientific evidence. In 1938, Lazarsfeld and Herta Herzog tested the hypodermic needle theory in a radio broadcast, “The War of the Worlds” (a famous comic program), by inserting a news bulletin which made a widespread reaction and panic among the American mass audience. Through this investigation he found that media messages may affect or may not affect the audience.

“People’s Choice,” a study conducted by Lazarsfeld in 1940 about the Franklin D. Roosevelt election campaign and the effects of media messages. Through this study Lazarsfeld disproved the Magic Bullet theory and added that audiences are more influenced by interpersonal contact than by media messages.

Nevertheless, Mother Jones and Costa-Roberts outline five steps to spot a Russian bot:

  1. Hyperactivity – more than 50 or 60 tweets per day
  2. Suspicious images – stock avatar
  3. URL shorteners – use indicates a bot
  4. Multiple languages – polyglot indicates a bot
  5. Unlikely popularity – for given # of followers

OK, so let’s test those steps against a known non-Russian bot that favors the US government, the New York Times.

  1. Hyperactivity – The New York Times joined Twitter on 2 March 2007, 4173 days ago; 328,555 tweets as of this afternoon, so 78.73 tweets per day on average. That’s hyperactive.
  2. Suspicious images – NYT symbol
  3. URL shorteners – Always – signals bot. (displays nytimes.com but if you check the links, URL shortener)
  4. Multiple languages – Nope.
  5. Unlikely popularity – In which direction? NYT has 41,665,676 followers and only 17,145 likes, or one like for every 2340 followers.

On balance I would say the New York Times isn’t a Russian bot, but given its like-to-follower ratio, it needs to work on its social media posts.

Maybe the New York Times needs to hire a Russian bot farm?

Podcasting from Scratch

Filed under: Podcasting,Topic Maps — Patrick Durusau @ 3:27 pm

Podcasting from Scratch by Alex Laughlin and Julia Furlan.

No promises but while thinking about a podcast on topic map authoring (something never covered in the standards) I encountered this eight (8) page guide.

It’s not everything you need to know but it’s enough to get you past the initial fear of starting a new activity or skill.

If and when I do post one or more podcasts, don’t judge Laughlin and Furlan by my efforts!

See how helpful they are in launching your podcasting career for yourself!

Red Team Tips

Filed under: .Net,Cybersecurity,Hacking,Security — Patrick Durusau @ 2:11 pm

Red Team Tips by Vincent Yiu.

Overview:

The following “red team tips” were posted by myself, Vincent Yiu (@vysecurity) over Twitter for about a year. This is still on-going but I took the opportunity to publish these in one solidified location on my blog. These will be updated occasionally, but will not be bleeding edge updates. To receive my “red team tips”, thoughts, and ideas behind Cyber attack simulations, follow my Twitter account @vysecurity.

For the full Tweet and thread context (a lot of my followers will comment and give their insights also), visit Twitter.

Collection of three hundred and twenty-nine (329) red team (is there another kind?) tips!

Great way to start the weekend!

Enjoy!

August 2, 2018

Visual Guide to Data Joins – Leigh Tami

Filed under: .Net,Data Aggregation,Data Integration,Data Science,Joins — Patrick Durusau @ 7:06 pm

Leigh Tami created a graphic involving a person and a coat to explain data set joins.

Scaling it down won’t do it justice here so see the original.

Preview any data science book with this image in mind. If it doesn’t match or exceed this explanation of joins, pass it by.

Leaking 4Julian – Non-Sysadmin Leaking

Filed under: .Net,Journalism,Leaks,News,Reporting — Patrick Durusau @ 6:15 pm

Non-sysadmins read username: 4julian password: $etJulianFree!2Day and wish they could open corporate or government archives up to mining.

Don’t despair! Even non-sysadmins can participate in the Assange Data Tsunami, worldwide leaking of data in the event of the arrest of Julian Assange.

Check out the Whistle Blower FAQ – International Consortium of Investigative Journalists (ICIJ) by Gerald Ryle.

FYI, by some unspecified criteria, the ICIJ decides which individuals and groups mentioned in a leak merit public exposure and which do not. This is a universal practice among journalists. Avoiding it requires non-journalist outlets.

The ICIJ does a great job with leaks but if I were going to deprive a government or corporation of power over information, why would I empower journalists to make the same tell/don’t tell decision? Let the public decide what to make of all the information. Assisted by the efforts of journalists but not with some information being known only to the journalists.

From the FAQ:

‘What information should I include?’ and other frequently asked questions about becoming a whistleblower

In my 30-year career as a journalist, I’ve spoken with thousands of potential sources, some of them with interesting tips or insider knowledge, others with massive datasets to share. Conversations often start with questions about the basics of whistleblowing. If you’re thinking about leaking information, here are some of the things you should keep in mind:

Q. What is a whistleblower?

A whistleblower is someone who has evidence of wrongdoing, abuse of power, fraud or misconduct and who shares it with a third party such as an investigative journalism organization like the International Consortium of Investigative Journalists.

By blowing the whistle you can help prevent the possible escalation of misconduct or corruption.

Edward Snowden is one of the world’s best-known Whistleblowers.

Q. Can a whistleblower remain anonymous?

Yes. We will always go out of our way to protect whistleblowers. You can remain anonymous for as long as you want, and, in fact, this is sometimes the best protection that journalists can offer whistleblowers.

Q. What information should I include?

To enable a thorough investigation, you should include a detailed description of the issue you are concerned about. Ideally, you should also include documents or data. The more information you provide, the better the work the journalists can do.

I need to write something up on “raw leaking,” that is not using a journalist. Look for that early next week!
