Planet Topic Maps

May 26, 2016

Patrick Durusau

Reimplementation of an API is FAIR USE!

Google wins Oracle copyright fight over Android code by Russell Brandom.

Just one civil jury’s opinion but a major one considering there was $9 billion at stake.

Not a precedent for other cases but it may discourage this type of over-reaching.

Every now and again, even random dice roll a 7 for the good guys.

See Russell’s post for the details.

by Patrick Durusau at May 26, 2016 09:37 PM

Help Defend MuckRock And Your Right To Know!

A multinational demands to know who reads MuckRock and is suing to stop us from posting records about them by Michael Morisy.

Michael captures everything you need to know in his first paragraph:

A multinational owned by Toshiba is demanding MuckRock remove documents about them received under a public records act request, destroy any copies we have, and help identify MuckRock readers who saw them.

After skimming the petition and the two posted documents (Landis+Gyr Managed Services Report 2015 Final and Req 9_Security Overview), I feel like the man who remarked to George Bailey in It’s A Wonderful Life, “…you must mean two other trees,” taking George for being drunk. ;-)

As far as I can tell, the posted documents contain no pricing information, no contact details, etc.

Do you disagree?

There are judges who insist that pleadings have some relationship to facts. Let’s hope that MuckRock draws one of those.

Do you wonder what other local governments are involved with Landis+Gyr?

There is a simple starting point: Landis+Gyr.

by Patrick Durusau at May 26, 2016 02:14 AM

Hidden Inspector General Report on Clinton’s Emails?

If you haven’t heard about the controversy surrounding Hillary Clinton’s handling of emails during her term as Secretary of State, you are one of the lucky ones.

The rest of us have been treated to a literal circus of pettifogging over her “private” email server for years now. Truly a tempest in a teapot.

But, along comes a much awaited report by the Inspector General for the State Department on those same emails, and where can you find it?

Not on the Inspector General for the State Department homepage (as of 25 May 2016, 9:00 PM EST)!

No, you will have to find that report, the one everyone has been waiting for, Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements to be posted by Politico.

I have no objection to Politico having the “scoop” on this report and/or distributing a document of great public interest. All fine and good.

But why does the Inspector General choose to hide this report from the general public?

Is the Inspector General ashamed of the report?

A report that encompasses other secretaries of state, as though to argue bad and/or criminal behavior can be excused because it is customary?

I’m not familiar with the “customary therefore not criminal” defense.

Perhaps that only obtains at Cabinet level positions.

In any event, please help Steve Linick, the current Inspector General for the State Department, own this report now and forever.

by Patrick Durusau at May 26, 2016 01:13 AM

May 25, 2016

Patrick Durusau

Cops Driving Cabs – Not Just Moonlighting (Awk)

NYPD has at least five undercover ‘Cop Cabs’ by Matthew Guariglia.

Matthew walks you through the process of inferring the New York Police department has at least five (5) vehicles that look like taxi cabs.

Or at least they have taxi cab emblems.

A patrol car with a taxi cab emblem would look out of place.

A good lesson in persistence, asking more than one source and collating information.

Just for grins, I downloaded the Medallion Vehicles – Authorized file as a CSV file, said to contain 14265362 lines and as of today, runs a little over 2 GB.

I was curious about was under what name did the TLC issue cop medallions? Unlikely to have added them to a third-party account because of property tax issues. Would they have made up different owners for each of the five medallions? Or would they use a common owner for all five medallions?

Possible that they created the five medallions “off the books,” but that seems unlikely as well. They would want to tie them to license plates.

First observation on the data: The “name” field appears variously with enclosing quotes and no quotes at all.

For example:

License Number,Name,Expiration Date,Current Status,DMV License Plate Number,
Vehicle VIN Number,Vehicle Type,Model Year,Medallion Type,Agent Number,
Agent Name,Agent Telephone Number,Agent Website Address,Agent Address,
Last Date Updated,Last Time Updated


MUST DRIVE,000,,,,,03/12/2014,13:20
NAMED DRIVER,000,,,,,03/03/2014,13:20
MUST DRIVE,000,,,,,05/24/2014,13:20
WOODSIDE NY 11377,01/21/2014,13:20
MUST DRIVE,0,,,,,07/19/2013,13:20

This data snippet has no significance other than the variation in the name field and the fields of the CSV file.

I used awk to extract the name field to a separate file:

awk 'BEGIN { FS = "," }; { print $2 }' < Medallion__Vehicles_-_Authorized.csv > taxi-names

Then I sorted that file and used uniq plus -c (for count), to create a sorted list of the names with the number of times they occur.

sort < tax-names | uniq -c > taxi-unique-names

You will pickup a lot of data entry errors in this view, extra space in a name, etc.

Then because I am interested in names that occur only five (5) times, I re-sort the file to list names by the number of time they occur (this loses the view that reviews data entry errors):

sort -bn < taxi-unique-names > taxi-by-number

The -bn switches tell sort to ignore leading spaces and to sort in numeric order.

I appreciate New York making this available as “open data” but the interface has a number of limitations.

Another way to approach Matthew’s question is to sort on the addresses, assuming TLC is billing a cop address and not 1060 West Addison. ;-)

I haven’t tried this but checking the property tax rolls against the TLC records might be way to ferret out the cop driven taxis. Unless the city has someone paying the taxes for them. Along with the usual graft, who would know?

Other ideas or suggestions to help Matthew flush out these cop driven taxis?

by Patrick Durusau at May 25, 2016 09:57 PM

SWIFT Network – “that’s where the money is” (Slick Willie Sutton)

Recent headlines tout breaches in the SWIFT transfer network: Now It’s Three: Ecuador Bank Hacked via Swift (19 May 2016)

The best technical commentary I have found on SWIFT attacks is TWO BYTES TO $951M by Sergei Shevchenko (25 April 2016). (Bangladesh Bank’s (BB) SWIFT payment system attack.)

Sergei reports on malware used in the February 2016 attack on Bangladesh Bank’s (BB) SWIFT payment system. Malware thought to be part of a larger attack toolkit is identified, analyzed along with how the fraud was concealed.

I have gone through approximately thirty (30) reports that cite one or more of the malware file names and I have found no information beyond Sergei’s report. Avoid the duplication and repetition, start and end with Sergei’s report. (At least for now, new technical reports may emerge.)

For a public glimpse inside the world of SWIFT transfers, see Cyber thieves exploit banks’ faith in SWIFT transfer network by Tom Bergin and Nathan Layne. Bergin and Layne cover an earlier SWIFT breach, this one involving the Banco del Austro (BDA) in Ecuador, Wells Fargo and the transfer of approximately $12 million in 2015.

In an amusing twist, SWIFT found out about the breach from a Reuters query about the breach. Apparently banks are no better at sharing information among themselves than they are with the public.

Banco del Austro (BDA) filed suit in New York State Court and Wells Fargo removed that case to the Federal District Court for the Southern District of New York. The original complaint appears as Exhibit A of the removal notice. (full text) The docket number in Federal District Court is: 1:2016-cv-00628.

You may not be experienced in reading legal pleading but you should take a look at Exhibit A. Wells Fargo is said to have “boosted,” “assured,” etc. In addition to being a fun read, you will gain some insight into the operation of SWIFT.

While writing this up, I discovered other resources you may find useful:

ARNE Solutions has reportedly posted Bangladesh Bank’s #‎Malware‬ SWIFT decrypted config file. I say “reportedly” because I have not verified the file.

SWIFT homepage

SWIFT Security Notices

The Swift Codes has a complete listing of SWIFT codes.

The Bangladesh heist was in part the result of $10 network switches and no firewall. There are 11,000 banks and other institutions that use SWIFT.

What do you think the odds are that other vulnerable banks exist with access to the SWIFT network?

You can find all sorts of things related to SWIFT on the internet. Remittance Instructions Transportation Security Administration (TSA) Security Fees, which helpfully recites:


for example.

One step towards evaluating the security of SWIFT, is to collect and collate all the public information about SWIFT. Not a freebie, anyone interested purchasing/sponsoring such a collection?

by Patrick Durusau at May 25, 2016 07:44 PM

Defense Department “Off-The-Clock” Cyber-Nannies

When you are caught twixt poorly written legislation and imaginative reporting, its hard to decide which one to point to first.

Consider this report by Jack Moore in Lawmakers Want Off-The-Clock ‘Cyber Protection’ For Some Pentagon Personnel.

From the post:

Lawmakers crafting a massive annual Pentagon policy want the Defense Department to be able to provide off-the-clock cybersecurity protection to DOD personnel deemed “to be of highest risk of vulnerability to cyberattacks on their personal devices, networks and persons,”

That provision is included in the Senate’s version of the National Defense Authorization Act, which is headed for a vote in the Senate this week. Along with personal “cyber protection support,” the Senate bill would overhaul the role of the Pentagon chief information officer.

The phrase “off-the-clock” struck me as odd, even with lengthy experience at reading poorly written laws.

If you bother to check the text you will find:

Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters


(a) Authority To Provide Support.—The Secretary of Defense may provide cyber protection support to personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons.

(b) Nature Of Support.—Subject to the availability of resources, in providing cyber protection support pursuant to subsection (a), the Secretary may provide personnel described in that subsection training, advisement, and assistance regarding cyber attacks described in that subsection.

(c) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the provision of cyber protection support pursuant to subsection (a). The report shall include a description of the methodology used by the Secretary to determine the positions in the Department that are of highest vulnerability to cyber attacks for purposes of subsection (a).

No mention of “off-the-clock,” “round-the-clock,” “24×7,” etc.

Granting that Jack goes onto say:

Under the Senate bill, the Defense secretary would be authorized to identify high-risk positions and provide “training, advisements and assistance regarding cyberattacks,” according to the bill.

Last year, self-described “stoner high school student” hackers claimed to have breached personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.

Neither man is a DOD employee, but the incidents raised concerns about the cybersecurity vulnerabilities posed by top government officials’ private email accounts.

The proposed move also comes amid increasing concerns about targeted malicious emails — phishing and “social engineering” attacks — aimed at tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails.

I think the critical text reads:

…tricking personnel into divulging login credentials or clicking on malicious links in otherwise legitimate-seeming emails….

Let’s amend the Senate version to make it more effective than the proposed cyber-nannies:

Subtitle C—Cyber Warfare, Cybersecurity, And Related Matters


(a) Preparation To Detect Phishing Susceptibility.—The Secretary of Defense shall designate personnel of the Department of Defense while such personnel occupy positions in the Department determined by the Secretary to be of highest risk of vulnerability to cyber attacks on their personal devices, networks, and persons, and publish a list of those personnel with their email addresses to Facebook.

(b) Detection Of Phishing Susceptibility.—The Secretary of Defense shall publish on Facebook an invitation for any citizen of any country to create and cause to be delivered, a phishing email to any of the personnel designated in (a), exempt from any statutes of the United States or its several states, prohibiting such emails. Upon receipt of proof of designated personnel being deceived by a phishing email, the Secretary of Defense will cause to be transmitted to the sender of such email, the sum of $5,000.00.

(c) Consequences Of Phishing Susceptibility.—The Secretary of Defense, upon receipt of proof of deception by phishing email, shall immediately cause to be suspended, all electronic or physical access to any and all DoD services and/or locations. This suspension will remain in effect until the person in question has been separated from their service.

(d) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary shall submit to the Committees on Armed Services of the Senate and the House of Representatives a report on the ongoing progress towards reducing phishing susceptibility at the Department of Defense.

Want to improve cybersecurity at the Department of Defense?

Test and separate personnel based on their susceptibility to phishing attacks.

Far saner and more effective than “off-the-clock” cyber-nannies.

by Patrick Durusau at May 25, 2016 03:31 AM

May 24, 2016

Patrick Durusau

Dear “Skeptics,”… [Attn: All Data Scientists]

Dear “Skeptics,” Bash Homeopathy and Bigfoot Less, Mammograms and War More by John Horgan.


Strings and multiverses can’t be experimentally detected. The theories aren’t falsifiable, which makes them pseudo-scientific, like astrology and Freudian psychoanalysis. Credit: parameter_bond/Flickr

The caption is from Horgan’s post. In case anyone asks, I retrieved and re-sized my own copy of the image.

From the post:

I hate preaching to the converted. If you were Buddhists, I’d bash Buddhism. But you’re skeptics, so I have to bash skepticism.

I’m a science journalist. I don’t celebrate science, I criticize it, because science needs critics more than cheerleaders. I point out gaps between scientific hype and reality. That keeps me busy, because, as you know, most peer-reviewed scientific claims are wrong.

So I’m a skeptic, but with a small S, not capital S. I don’t belong to skeptical societies. I don’t hang out with people who self-identify as capital-S Skeptics. Or Atheists. Or Rationalists.

When people like this get together, they become tribal. They pat each other on the back and tell each other how smart they are compared to those outside the tribe. But belonging to a tribe often makes you dumber.

Here’s an example involving two idols of Capital-S Skepticism: biologist Richard Dawkins and physicist Lawrence Krauss. Krauss recently wrote a book, A Universe from Nothing. He claims that physics is answering the old question, Why is there something rather than nothing?

Krauss’s book doesn’t come close to fulfilling the promise of its title, but Dawkins loved it. He writes in the book’s afterword: "If On the Origin of Species was biology’s deadliest blow to supernaturalism, we may come to see A Universe From Nothing as the equivalent from cosmology."

Just to be clear: Dawkins is comparing Lawrence Krauss to Charles Darwin. Why would Dawkins say something so foolish? Because he hates religion so much that it impairs his scientific judgment. He succumbs to what you might call “The Science Delusion.”

“The Science Delusion” is common among Capital-S Skeptics. You don’t apply your skepticism equally. You are extremely critical of belief in God, ghosts, heaven, ESP, astrology, homeopathy and Bigfoot. You also attack disbelief in global warming, vaccines and genetically modified food.

These beliefs and disbeliefs deserve criticism, but they are what I call “soft targets.” That’s because, for the most part, you’re bashing people outside your tribe, who ignore you. You end up preaching to the converted.

Meanwhile, you neglect what I call hard targets. These are dubious and even harmful claims promoted by major scientists and institutions. In the rest of this talk, I’ll give you examples of hard targets from physics, medicine and biology. I’ll wrap up with a rant about war, the hardest target of all.

To get the full flavor of what it means to be a skeptic, read this post and John’s accounts of the reactions to both his presentation and this post.

The “tell” of a target

Whether you are being skeptical of a popular (read “soft”) target like Bigfoot or skeptical of a “hard” target like psychiatric drugs, the reaction from believers is nearly universal: anger, denial and fairly rapidly, denunciation of yourself as unreasonable, etc.

Try being skeptical of a soft/hard target in your work.

Ask if there is racial bias in the algorithms you use day to day? Gender bias? If the answer is no, ask how do they know? Ask them to confirm it for you using data. What their hands closely during the demonstration.

After all, you are a data scientist and questions should be settled based on data and understanding the algorithms applied to them.


Being a skeptic with a small “s” is a hard job. But your project, department, enterprise will be better for you being that skeptic.

Imagine one effective White House skeptic prior to the second war on Iraq. No $trillions spent, no countless lives lost, no instability in the region, etc. Skeptics with a small “s” can make all the difference in the world.

by Patrick Durusau at May 24, 2016 09:15 PM

Apache Spark as a Compiler:… [This is wicked cool!]

Apache Spark as a Compiler: Joining a Billion Rows per Second on a Laptop by Sameer Agarwal, Davies Liu and Reynold Xin.

From the post:

When our team at Databricks planned our contributions to the upcoming Apache Spark 2.0 release, we set out with an ambitious goal by asking ourselves: Apache Spark is already pretty fast, but can we make it 10x faster?

This question led us to fundamentally rethink the way we built Spark’s physical execution layer. When you look into a modern data engine (e.g. Spark or other MPP databases), a majority of the CPU cycles are spent in useless work, such as making virtual function calls or reading or writing intermediate data to CPU cache or memory. Optimizing performance by reducing the amount of CPU cycles wasted in this useless work has been a long-time focus of modern compilers.

Apache Spark 2.0 will ship with the second generation Tungsten engine. Built upon ideas from modern compilers and MPP databases and applied to data processing queries, Tungsten emits (SPARK-12795) optimized bytecode at runtime that collapses the entire query into a single function, eliminating virtual function calls and leveraging CPU registers for intermediate data. As a result of this streamlined strategy, called “whole-stage code generation,” we significantly improve CPU efficiency and gain performance.

(emphasis in original)

How much better you ask?

cost per row (in nanoseconds, single thread)

primitive Spark 1.6 Spark 2.0
filter 15 ns 1.1 ns
sum w/o group 14 ns 0.9 ns
sum w/ group 79 ns 10.7 ns
hash join 115 ns 4.0 ns
sort (8-bit entropy) 620 ns 5.3 ns
sort (64-bit entropy) 620 ns 40 ns
sort-merge join 750 ns 700 ns
Parquet decoding (single int column) 120 ns 13 ns

Don’t just stare at the numbers:

Try the whole-stage code generation notebook in Databricks Community Edition

What’s the matter?

Haven’t you ever seen a 1 billion record join in 0.8 seconds? (Down from 61.7 seconds.)

If all that weren’t impressive enough, the post walks you through the dominate (currently) query evaluation strategy as a setup to Spark 2.0 and then into why “whole-stage code generation is so powerful.”

A must read!

by Patrick Durusau at May 24, 2016 08:35 PM

FOIA – For Algorithms

We need to know the algorithms the government uses to make important decisions about us by Nicholas Diakopoulos.

From the post:

In criminal justice systems, credit markets, employment arenas, higher education admissions processes and even social media networks, data-driven algorithms now drive decision-making in ways that touch our economic, social and civic lives. These software systems rank, classify, associate or filter information, using human-crafted or data-induced rules that allow for consistent treatment across large populations.

But while there may be efficiency gains from these techniques, they can also harbor biases against disadvantaged groups or reinforce structural discrimination. In terms of criminal justice, for example, is it fair to make judgments on an individual’s parole based on statistical tendencies measured across a wide group of people? Could discrimination arise from applying a statistical model developed for one state’s population to another, demographically different population?

The public needs to understand the bias and power of algorithms used in the public sphere, including by government agencies. An effort I am involved with, called algorithmic accountability, seeks to make the influences of those sorts of systems clearer and more widely understood.

Existing transparency techniques, when applied to algorithms, could enable people to monitor, audit and criticize how those systems are functioning – or not, as the case may be. Unfortunately, government agencies seem unprepared for inquiries about algorithms and their uses in decisions that significantly affect both individuals and the public at large.

Nicholas makes a great case for Freedom of Information Act (FOIA) legislation being improved to explicitly include algorithms used by government or on its behalf.

I include “on its behalf” because as Nicholas documents, some states have learned the trick of having algorithms held by vendors, thus making them “proprietary.”

If you can’t see the algorithms behind data results, there is no meaningful transparency.

Demand meaningful transparency!

by Patrick Durusau at May 24, 2016 08:06 PM

Unintended Consequences Of Slowly Strangling Flash To Death

The long road to the final death knell for Flash has gotten slightly shorter.

Intent to implement: HTML5 by Default

From the post:

Later this year we plan to change how Chromium hints to websites about the presence of Flash Player, by changing the default response of Navigator.plugins and Navigator.mimeTypes. If a site offers an HTML5 experience, this change will make that the primary experience. We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site (see the proposal for the mock-ups).

To reduce the initial user impact, and avoid over-prompting, Chrome will introduce this feature with a temporary whitelist of the current top Flash sites(1). This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.

Chrome will also be adding policy controls so that enterprises will be able to select the appropriate experience for their users, which will include the ability to completely disable the feature.

Any move away from Flash is good news but the unintended consequences of this news tempers my joy.

First, the Flash whitelist signals that delivery of Flash malware should concentrate on the top ten sites:


Second, offering users the option to run Flash, in spite of warnings, guarantees Flash will remain an expressway into your computer for years to come.

Third, as Flash usage drops, what is the likely curve of funding for fixing new bugs found in Flash? (That’s what I think as well.)

I don’t have a better alternative to offer, except to suggest that enterprises that care about security should offer cash bonuses to departments that abandon Flash altogether.

PS: Adobe should notify the community when the last copy of the source code for Flash is erased. To avoid some future computer archaeologist digging it up and becoming infected.

by Patrick Durusau at May 24, 2016 01:54 PM

Inspiring Next-Gen Citizens – Phineas Fisher

A Notorious Hacker Is Trying to Start a ‘Hack Back’ Political Movement by Lorenzo Franceschi-Bicchierai.

From the post:

In August of 2014, a hacker shook the cybersecurity world by exposing the secrets of the infamous government surveillance vendor Gamma Group, the makers of the spyware FinFisher.

The hacker jokingly called himself Phineas Fisher, publicizing the hack and taunting the company on Twitter. He also wrote a detailed guide on how he breached Gamma—not to brag, the hacker wrote, but to demystify hacking and “to hopefully inform and inspire you to go out and hack shit.”

Then, Phineas Fisher went dark. For almost a year, his public profiles remained silent. Given that he had just upset a company that sold tools to dozens of spy and police all over the world, it seemed like a wise move.

“For politically minded hackers, Phineas is a legend already.”

See Lorenzo’s post for a short history of Phineas Fisher.

I prefer my title because “notorious” and “hacker” imply that Phineas has transgressed in some way.

In the view of some legal systems, Phineas has transgressed but even within those systems, transgression is a matter of whim and caprice.

Consider the interference with the legitimate development of nuclear power by Iran. The U.S. and others have taken it upon themselves to create software to interfere with that program. Software and actions illegal under the same laws with which Phieas would be prosecuted, but no one has been brought before the bar.

Phineas has acted, no more or less than the Koch brothers, to influence public opinion. Every citizen has the right to influence government action, theirs and others.

Phineas is using information instead of cash to influence government but that distinction matters only to cash hungry politicians and cash flush favor seekers who want to feed them.

“Western democracies” don’t engage in, for the most part, in qui pro quo style corruption. Donors routinely contribute money, year in and year out and not surprisingly, when government decisions are to be made, they have a place at the decision making table. And when the decision making is done, a larger share of government benefits than others.

Information activities, such as those by Phineas, have the potential to create a publicly traded information economy. Imagine if rather than slow leak of the Panama Papers, they appeared on an Information Exchange, where you could bid on some or all of the data for particular countries.

Ownership could be, but not necessarily be, exclusive. Your ownership of the data for China, for example, would in no way interfere with my ownership of the same information.

What I am describing rather poorly is already set forth in Neil Stephenson‘s classic: Snow Crash.

Make no mistake, Snow Crash, like the mistaken for reality tale Atlas Shrugged, is a work of fiction. Despite the potential for the dawning of a new future, the present power system will put you in jail today.

Phineas Fisher is an inspiration for a cyber-aware citizenry gathering and distributing information. Hopefully he will also inspire better operational security in those efforts as well.

by Patrick Durusau at May 24, 2016 01:28 PM

Bias? What Bias? We’re Scientific!

This ProPublica story by Julia Angwin, Jeff Larson, Surya Mattu and Lauren Kirchner, isn’t short but it is worth your time to not only read, but to download the data and test their analysis for yourself.

Especially if you have the mis-impression that algorithms can avoid bias. Or that clients will apply your analysis with the caution that it deserves.

Finding a bias in software, like finding a bug, is a good thing. But that’s just one, there is no estimate of how many others may exist.

And as you will find, clients may not remember your careful explanation of the limits to your work. Or apply it in ways you don’t anticipate.

Machine Bias – There’s software used across the country to predict future criminals. And it’s biased against blacks.

Here’s the first story to try to lure you deeper into this study:

ON A SPRING AFTERNOON IN 2014, Brisha Borden was running late to pick up her god-sister from school when she spotted an unlocked kid’s blue Huffy bicycle and a silver Razor scooter. Borden and a friend grabbed the bike and scooter and tried to ride them down the street in the Fort Lauderdale suburb of Coral Springs.

Just as the 18-year-old girls were realizing they were too big for the tiny conveyances — which belonged to a 6-year-old boy — a woman came running after them saying, “That’s my kid’s stuff.” Borden and her friend immediately dropped the bike and scooter and walked away.

But it was too late — a neighbor who witnessed the heist had already called the police. Borden and her friend were arrested and charged with burglary and petty theft for the items, which were valued at a total of $80.

Compare their crime with a similar one: The previous summer, 41-year-old Vernon Prater was picked up for shoplifting $86.35 worth of tools from a nearby Home Depot store.

Prater was the more seasoned criminal. He had already been convicted of armed robbery and attempted armed robbery, for which he served five years in prison, in addition to another armed robbery charge. Borden had a record, too, but it was for misdemeanors committed when she was a juvenile.

Yet something odd happened when Borden and Prater were booked into jail: A computer program spat out a score predicting the likelihood of each committing a future crime. Borden — who is black — was rated a high risk. Prater — who is white — was rated a low risk.

Two years later, we know the computer algorithm got it exactly backward. Borden has not been charged with any new crimes. Prater is serving an eight-year prison term for subsequently breaking into a warehouse and stealing thousands of dollars’ worth of electronics.

This analysis demonstrates that malice isn’t required for bias to damage lives. Whether the biases are in software, in its application, in the interpretation of its results, the end result is the same, damaged lives.

I don’t think bias in software is avoidable but here, here no one was even looking.

What role do you think budget justification/profit making played in that blindness to bias?

by Patrick Durusau at May 24, 2016 01:37 AM

Balisage 2016 Program Posted! (Newcomers Welcome!)

Tommie Usdin wrote today to say:

Balisage: The Markup Conference
2016 Program Now Available

Balisage: where serious markup practitioners and theoreticians meet every August.

The 2016 program includes papers discussing reducing ambiguity in linked-open-data annotations, the visualization of XSLT execution patterns, automatic recognition of grant- and funding-related information in scientific papers, construction of an interactive interface to assist cybersecurity analysts, rules for graceful extension and customization of standard vocabularies, case studies of agile schema development, a report on XML encoding of subtitles for video, an extension of XPath to file systems, handling soft hyphens in historical texts, an automated validity checker for formatted pages, one no-angle-brackets editing interface for scholars of German family names and another for scholars of Roman legal history, and a survey of non-XML markup such as Markdown.

XML In, Web Out: A one-day Symposium on the sub rosa XML that powers an increasing number of websites will be held on Monday, August 1.

If you are interested in open information, reusable documents, and vendor and application independence, then you need descriptive markup, and Balisage is the conference you should attend. Balisage brings together document architects, librarians, archivists, computer
scientists, XML practitioners, XSLT and XQuery programmers, implementers of XSLT and XQuery engines and other markup-related software, Topic-Map enthusiasts, semantic-Web evangelists, standards developers, academics, industrial researchers, government and NGO staff, industrial developers, practitioners, consultants, and the world’s greatest concentration of markup theorists. Some participants are busy designing replacements for XML while other still use SGML (and know why they do).

Discussion is open, candid, and unashamedly technical.

Balisage 2016 Program:

Symposium Program:

Even if you don’t eat RELAX grammars at snack time, put Balisage on your conference schedule. Even if a bit scruffy looking, the long time participants like new document/information problems or new ways of looking at old ones. Not to mention they, on occasion, learn something from newcomers as well.

It is a unique opportunity to meet the people who engineered the tools and specs that you use day to day.

Be forewarned that most of them have difficulty agreeing what controversial terms mean, like “document,” but that to one side, they are a good a crew as you are likely to meet.


by Patrick Durusau at May 24, 2016 01:03 AM

May 23, 2016

Patrick Durusau

Alda (Music Programming Language) Update

Alda: A Music Programming Language, Built in Clojure by David Yarwood.

Presentation by David at Clojure Remote.

From the description:

Inspired by other music/audio programming languages such as PPMCK, LilyPond and ChucK, Alda aims to be a powerful and flexible programming language for the musician who wants to easily compose and generate music on the fly, using only a text editor.

Clojure proved to be an ideal language for building a language like Alda, not only because of its wealth of excellent libraries like Instaparse and Overtone, but also because of its Lispy transparency and facility for crafting DSLs.

From the Github page:

Slack: Sign up to the universe of Clojure chat @, then join us on #alda

Reddit: Come join us in /r/alda, where you can discuss all things Alda and share your Alda scores!

Alda is looking for contributors! Step up!

by Patrick Durusau at May 23, 2016 09:33 PM

Incubate No Longer! Tinkerpop™!

The Apache Software Foundation Announces Apache® TinkerPop™ as a Top-Level Project

From the post:

The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 Open Source projects and initiatives, announced today that Apache® TinkerPop™ has graduated from the Apache Incubator to become a Top-Level Project (TLP), signifying that the project’s community and products have been well-governed under the ASF’s meritocratic process and principles.

Apache TinkerPop is a graph computing framework that provides developers the tools required to build modern graph applications in any application domain and at any scale.

“Graph databases and mainstream interest in graph applications have seen tremendous growth in recent years,” said Stephen Mallette, Vice President of Apache TinkerPop. “Since its inception in 2009, TinkerPop has been helping to promote that growth with its Open Source graph technology stack. We are excited to now do this same work as a top-level project within the Apache Software Foundation.”

As a graph computing framework for both real-time, transactional graph databases (OLTP) and and batch analytic graph processors (OLAP), TinkerPop is useful for working with small graphs that fit within the confines of a single machine, as well as massive graphs that can only exist partitioned and distributed across a multi-machine compute cluster.

TinkerPop unifies these highly varied graph system models, giving developers less to learn, faster time to development, and less risk associated with both scaling their system and avoiding vendor lock-in.

In addition to that good news, the announcement also answers the inevitable question about scaling:

Apache TinkerPop is in use at organizations such as DataStax and IBM, among many others. is currently using TinkerPop and Gremlin to process its order fullfillment graph which contains approximately one trillion edges. (emphasis added)

A trillion edges, unless you are a stealth Amazon, Tinkerpop™ will scale for you.

Congratulations to the Tinkerpop™ community!

by Patrick Durusau at May 23, 2016 08:38 PM

Breaking News: Europe != World

Google’s appeal, described in GNI welcomes appeal to the global reach of “the right to be forgotten” by Ryan McChrystal, puts all of Europe on notice, despite centuries of Euro-centric education, publication, history writing and institutions:

Europe != World

From the post:

The Global Network Initiative welcomes the announcement that Google is appealing a French data protection authority ruling requiring the global take down of links to search information banned in France under Europe’s “right to be forgotten”.

We are concerned that the ruling, made by Commission Nationale de L’Informatique et des Libertes (CNIL) in March, sets a disturbing precedent for the cause of an open and free Internet, and sends the message to other countries that they can force the banning of search results not just inside their own jurisdictions, but assert that jurisdiction across the globe.

Google began delisting search content in response to the Costeja ruling in July of 2014. Search links that are delisted in response to French citizens’ requests are removed from the local French domain ( as well as all of Europe. In early 2016 the company announced that it would further restrict access to links delisted in Europe by using geolocation technology to restrict access to the content on any Google Search domain when an individual searches from France. Despite this, the French authorities continue to demand global removal of these links from all Google search domains – regardless of from where in the world they are accessed.

“We are concerned about the impact of the CNIL order, which effectively allows the government of one country to dictate what the rest of the world is allowed to access online,” said GNI Board Chair Mark Stephens, CBE. “Enshrined in international law is the principle that one country cannot infringe upon the rights of citizens of another country,” he said.

Make no mistake, I am utterly a child of the West/Europe but all the more reason to resist its cultural and legal imperialism.

Differences in cultures, languages, legal systems, whether current or historical, enrich the human experience.

Censoring expression and in the “right to be forgotten” case, censoring history, or rather attempts to discover history, impoverishes it.

The “right to be forgotten” is ample evidence that Europeans need productive leisure pursuits.

Non-Europeans should suggest hobbies, sports, or activities to distract Europeans from search engine results and towards more creative activities.

by Patrick Durusau at May 23, 2016 08:10 PM

Terrorism and Internet Censorship

Bold stance: Microsoft says terrorism is bad by Shaun Nichols.

From the post:

Microsoft is enacting a new policy to remove terrorist content from its consumer services.

The Redmond software giant said that the new terms and conditions for its hosted services will bar any content containing graphic violence or supporting material for any group considered a terrorist organization by the United Nations Sanctions List.

Additionally, Microsoft says that it will remove terrorist-related content from its Bing search engine whenever requested by government agencies and will try to display links promoting anti-terror non-government organizations when returning queries for terrorism-related search results.

Censorship on the Internet and sadly support for the same grows every week.

From the Microsoft announcement:

We believe it’s important that we ground our approach to this critical issue in central principles and values. We have a responsibility to run our various Internet services so that they are a tool to empower people, not to contribute, however indirectly, to terrible acts. We also have a responsibility to run our services in a way that respects timeless values such as privacy, freedom of expression and the right to access information. We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear. Although Microsoft does not run any of the leading social networks or video-sharing sites, from time to time, terrorist content may be posted to or shared on our Microsoft-hosted consumer services. In light of this, we want to be transparent about our approach to combatting terrorist content.

I have doubts about the statement:

We’ve therefore carefully considered how to address terrorist content that may appear on our services without sacrificing the fundamental rights we all hold dear.

If they had, “…carefully considered…,” the question they would not engage in censorship at all.

If you disagree, consider the United Nations Sanctions List, circa 1939:

CNi.001 Name: 1: Mao Zedong 2: Mao 3: na 4: na Name (original script) 毛泽东 Nationality: Chinese Passport no: na National Identification: na Address: China Listed on: January 1, 1927 Other information: Created the Southwest Jiangxi Provincial Soviet Government. Skilled in-fighter with many internal rivals.

CNe.001 Name: Southwest Jiangxi Provincial Soviet Government
Address: na Listed on: June 1, 1930 Other Information: na

Or the United Nations Sanctions List, circa 1800:

UKe.001 Name: Continental Congress 2: na 3: na 4: na
Address: British colonies, America Listed on: January 1, 1776 Other Information: Criminal association of traitors, former British military officers and opportunists.

UKi.001 Name: George Washington 2: na 3: na 4: na DOB: February 22, 1732 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Former colonel in British Army, skilled tactician, co-conspirator with other known traitors.

UKi.002 Name: Thomas Jefferson 2: “Tom” Jefferson 3: na 4: na DOB: April 13, 1743 Nationality: UK Address: Virginia Listed on: January 1, 1775 Other information: Propagandist of first order.

UKi.003 Name: Thomas Paine 2: “Tom” Paine 3: Thomas Pain 4: na DOB: January 29, 1737 Nationality: UK Address: various Listed on: January, 1774 Other information: Known associate of revolutionaries in American colonies of the UK, collaborator with French revolutionaries (1790’s), author of “Common Sense” and wanted for conviction on seditious libel (1792).

The question for Microsoft today is which of the publications and news reports from the revolution in China and/or the American Revolutionary War would they censor as supporting terrorists and/or terrorism?

With even a modicum of honesty, all will concede that acts of terrorism were committed both in China and in what is today known as the United States.

Unless you would censor Mao Zedong, George Washington, Thomas Jefferson, Thomas Paine, then “terrorist” and “terrorism” offer no basis for censoring content.

In truth, “terrorist,” and “terrorism,” are labels for atrocities committed by others, nothing more.

Strive for a free and non-censored Internet.

Let history judge who was or wasn’t a terrorist and even then that changes over time.

by Patrick Durusau at May 23, 2016 03:24 PM

Does social media have a censorship problem? (Only if “arbitrary and knee-jerk?”)

Does social media have a censorship problem? by Ryan McChrystal.

From the post:

It is for this reason that we should be concerned by content moderators. Worryingly, they often find themselves dealing with issues they have no expertise in. A lot of content takedown reported to Online Censorship is anti-terrorist content mistaken for terrorist content. “It potentially discourages those very people who are going to be speaking out against terrorism,” says York.

Facebook has 1.5 billion users, so small teams of poorly paid content moderators simply cannot give appropriate consideration to all flagged content against the secretive terms and conditions laid out by social media companies. The result is arbitrary and knee-jerk censorship.

Yes, social media has a censorship problem. But not only when they lack “expertise” but when they attempt censorship at all.

Ryan’s post (whether Ryan thinks this or not I don’t know) presumes two kinds of censorship:

Bad Censorship: arbitrary and knee-jerk

Good Censorship: guided by expertise in a subject area

Bad is the only category for censorship. (period, full stop)

Although social media companies are not government agencies and not bound by laws concerning free speech, Ryan’s recitals about Facebook censorship should give you pause.

Do you really want social media companies, whatever their intentions, not only censoring present content but obliterating comments history on a whim?

Being mindful that today you may agree with their decision but tomorrow may tell another tale.

Social media has a very serious censorship problem, mostly borne of the notion that social media companies should be the arbiters of social discourse.

I prefer the hazards and dangers of unfettered free speech over discussions bounded by the Joseph Goebbels imitators of a new age.

Suggestions for non-censoring or the least censoring social media platforms?

by Patrick Durusau at May 23, 2016 02:28 AM

Modeling data with functional programming – State based systems

Modeling data with functional programming – State based systems by Brian Lee Yung Rowe.

Brian has just released chapter 8 of his Modeling data with functional programming in R, State based systems.

BTW, Brian mentions that his editor is looking for more proof reviewers.


by Patrick Durusau at May 23, 2016 02:06 AM

May 22, 2016

Patrick Durusau

TSA Cybersecurity Failures – The Good News

The TSA is failing spectacularly at cybersecurity by Violet Blue.

From the post:

Five years of Department of Homeland Security audits have revealed, to the surprise of few and the dismay of all, that the TSA is as great at cybersecurity as it is at customer service.

The final report from the DHS Office of Inspector General details serious persistent problems with TSA staff’s handling of IT security protocols. These issues include servers running software with known vulnerabilities, no incident report process in place, and zero physical security protecting critical IT systems from unauthorized access.

What we’re talking about here are the very basics of IT security, and the TSA has been failing at these quite spectacularly for some time.

Violet reports on a cornucopia of cybersecurity issues with the TSA and its information systems. Including:

As part of this year’s final report, auditors watched TSA staff as they scanned STIP servers located at two DHS data centers and the Orlando International Airport. The scans “detected a total of 12,282 high vulnerabilities on 71 of the 74 servers tested.”

The redacted final report omits the names of the servers and due to space concerns (its only 47 pages long), omits the particulars of the 12,282 high vulnerabilities found. (That’s my assumption, the report doesn’t say that.)

What the report fails to mention is the good news about TSA cybersecurity failures:

Despite its woeful performance on cybersecurity and its utter failure to ever stop a terrorist, there have been no terrorist incidents on US airlines at points guarded by the TSA.

The TSA and its faulty cybersecurity equipment could be retired, en masse, and its impact on the incidence of terrorism on U.S. based air travel would be exactly zero.

Unless you need hacking practice on poorly maintained systems, avoid the TSA and its broken IT systems. Who wants to brag about stealing a candy bar from a vending machine? Do you?

Any cyberoffense against the TSA and its systems will expose you to long prison sentences for breaching systems that make no difference. That’s the definition of a bad deal. Just don’t go there.

by Patrick Durusau at May 22, 2016 01:48 AM

May 21, 2016

Patrick Durusau

Must Stingrays Be Mobile?

While listening to ICYMI #17: Mike Katz-Lacabe – The Center for Human Rights & Privacy courtesy of North Star Post (NSP), the host commented on a possible detection of a stingray device because it was mobile.

The ACLU describes such devices as:

…devices that mimic cell phone towers and send out signals to trick cell phones in the area into transmitting their locations and identifying information. When used to track a suspect’s cell phone, they also gather information about the phones of countless bystanders who happen to be nearby.

Do you see anything about “mobile” in that description?

Granting that there are use cases for mobile surveillance devices, where else are you likely to encounter stingrays?

Airports, public transportation: Calls and messages to and from passengers.

Courthouses: Where lawyers, defendants and witnesses may be sending/receiving calls and text messages they would prefer to keep private.

Jails: Calls and text messages by inmates and visitors.

Schools: Calls and texts between students and others.

Other places?

Working on a data set that may help with avoiding mobile or stationary stingrays. More on that next week.

by Patrick Durusau at May 21, 2016 01:16 AM

May 20, 2016

Patrick Durusau

Ethereum Contracts – Future Hacker Candy

Ethereum Contracts Are Going To Be Candy For Hackers by Peter Vessenes.

From the post:

Smart Contracts and Programming Defects

Ethereum promises that contracts will ‘live forever’ in the default case. And, in fact, unless the contract contains a suicide clause, they are not destroyable.

This is a double-edged sword. On the one hand, the default suicide mode for a contract is to return all funds embedded in the contract to the owner; it’s clearly unworkable to have a “zero trust” system in which the owner of a contract can at will claim all money.

So, it’s good to let people reason about the contract longevity. On the other hand, I have been reviewing some Ethereum contracts recently, and the code quality is somewhere between “optimistic as to required quality” and “terrible” for code that is supposed to run forever.

Dan Mayer cites research showing industry average bugs per 1000 lines of code at 15-50 and Microsoft released code at 0.5 per 1000, and 0(!) defects in 500,000 lines of code for NASA, with a very expensive and time consuming process.

Ethereum Smart Contract Bugs per Line of Code exceeds 100 per 1000

My review of Ethereum Smart Contracts available for inspection at shows a likely error rate of something like 100 per 1000, maybe higher.

If you haven’t seen Ethereum, now is the time to visit.

From the homepage:

Ethereum is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference.

These apps run on a custom built blockchain, an enormously powerful shared global infrastructure that can move value around and represent the ownership of property. This enables developers to create markets, store registries of debts or promises, move funds in accordance with instructions given long in the past (like a will or a futures contract) and many other things that have not been invented yet, all without a middle man or counterparty risk.

The project was crowdfunded during August 2014 by fans all around the world. It is developed by the Ethereum Foundation, a Swiss nonprofit, with contributions from great minds across the globe.

Early in the life cycle and some contracts will be better written than others.

Vulnerabilities will be Authors x Contracts so the future looks bright for hackers.

by Patrick Durusau at May 20, 2016 06:56 PM

The Islamic State’s suspected inroads into America – Data Set!

The Islamic State’s suspected inroads into America by Adam Goldman , Jia Lynn Yang, and John Muyskens.

From the post:

Federal prosecutors have charged 84 men and women around the country in connection with the Islamic State. So far, 32 have been convicted. Men outnumber women in those cases by about 7 to 1. The average age of the individuals is 27. One is a minor. The FBI says that, in a handful of cases, it has disrupted plots targeting U.S. military or law enforcement personnel.

The post breaks down proceedings by state and lists each person separately, along with the source of the information.

If you are looking for a small but significant data set on terrorism, I think this is the place.

If you develop further information on these cases, repay the original authors by sharing your discoveries.

by Patrick Durusau at May 20, 2016 12:18 AM

May 19, 2016

Patrick Durusau

Thoughts On How-To Help Drown A Copyright Troll?

Copyright Trolls Rightscorp Are Teetering On The Verge Of Bankruptcy riff on (


Think of it as a service to the entire community, including legitimate claimants to intellectual property.

I tried to think of any methods I would exclude and came up empty.


by Patrick Durusau at May 19, 2016 11:33 PM

FindFace – Party Like It’s 2001

What a difference fifteen years make!

Is Google or Facebook evil? Forget it!

Russian nerds have developed a new Face Recognition technology based app called FindFace, which is a nightmare for privacy lovers and human right advocates.

FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by connecting them to their social media accounts with 70% success rate, putting public anonymity at risk.

(From This App Lets You Find Anyone’s Social Profile Just By Taking Their Photo by Mohit Kumar)

Compare that breathless, “…nightmare for privacy lovers…public anonymity at risk…” prose to:

Super Bowl, or Snooper Bowl?

As 100,000 fans stepped through the turnstiles at Super Bowl XXXV, a camera snapped their image and matched it against a computerized police lineup of known criminals, from pickpockets to international terrorists.

It’s not a new kind of surveillance. But its use at the Super Bowl — dubbed “Snooper Bowl” by critics — has highlighted a debate about the balance between individual privacy and public safety.

Law enforcement officials say what was done at the Super Bowl is no more intrusive than routine video surveillance that most people encounter each day as they’re filmed in stores, banks, office buildings or apartment buildings.

But to critics, the addition of the face-recognition system can essentially put everyone in a police lineup.

“I think it presents a whole different picture of America,” said Howard Simon, executive director of the American Civil Liberties Union in Florida.

(From Biometrics Used to Detect Criminals at Super Bowl by Vickie Chachere)

If you don’t keep up with American football, Super Bowl XXXV was held in January of 2001.

Facial recognition being common in 2001, why the sudden hand wringing over privacy and FindFace?

Oh, I get it. It is the democratization of the loss of privacy.

Those whose privacy would be protected by privilege or position are suddenly fair game to anyone with a smartphone.

A judge coming out of a kinky bar can be erased or not noticed on police surveillance video, but in a smartphone image, not so much.

The “privacy” of the average U.S. citizen depends on the inattention of state actors.

I’m all for sharing our life-in-the-goldfish-bowl condition with the powerful and privileged.

Get FindFace and use it.

Create similar apps and use topic maps to bind the images to social media profiles.

When the State stops surveillance, perhaps, just perhaps, citizens can stop surveillance of the State. Maybe.

If “privacy” advocates object, ask them what surveillance by the State they support? If the answer isn’t “none,” they have chosen the side of power and privilege. What more is there to say? (BTW, take their photo with FindFace or a similar app.)

by Patrick Durusau at May 19, 2016 11:27 PM

Allo, Allo, Google and the Government Can Both Hear You

Google’s Allo fails to use end-to-end encryption by default by Graham Cluley.

The lack of end-to-end encryption by default in Google’s Allo might look like a concession to law enforcement.

Graham points out given the choice of no government or Google spying versus government and Google spying, Google chose the latter.

Anyone working on wrappers for apps to encrypt their output and/or to go dark in terms of reporting to the mother ship?

PS: Yes, Allo offers encryption you can “turn on” but will you trust encryption from someone who obviously wants to spy on you? Your call.

by Patrick Durusau at May 19, 2016 03:35 PM

Before There Was Big Data … There Was XLDB!

9th Extremely Large Databases Conference

Online registration closes 19 May 2016!

May 24-26, 2016


Rumor has it that some sponsorships are still available.

Hard to imagine but check with if you want to be associated with the premier extreme scale event of the year.

by Patrick Durusau at May 19, 2016 02:17 AM

May 18, 2016

Patrick Durusau

Best Served From The Ukraine [Aside on Jury Instruction Re FBI Evidence]

Experts Warn of Super-Stealthy Furtim Malware by Phil Muncaster.

From the post:

Security experts are warning of newly discovered credential-stealing malware which prioritizes stealth, scoring a 0% detection rate in VirusTotal.

Furtim, a Latin word meaning “by stealth,” was first spotted by researcher @hFireF0X and consists of a driver, a downloader and three payloads, according to enSilo researcher Yotam Gottesman.

The payloads are: a power-saving configuration tool which ensures a victim’s machine is always on and communicating with Furtim’s C&C server; Pony Stealer – a powerful commercial credential stealer; and a third file that communicates back to the server but has yet to be fully analyzed.

Interestingly, Furtim goes to great lengths to stay hidden, going well beyond most malware in checking for the presence of over 400 security tools on the targeted PC, Gottesman claimed.

Phil’s post summarizes some of the better ideas used in this particular bit of malware.

The post by enSilo researcher Yotam Gottesman includes this description:

Upon initial communication, Furtim collects unique information from the device it is running on, such as the computer name and installation date and sends that information to a specific server. The server stores the received details about the infected machine to ensure that the payload is sent only once.

That reminds me of the search warrant Ben Cox posted in Here Is the Warrant the FBI Used to Hack Over a Thousand Computers, which reads in part:

From any “activating” computer described in Attachment A:

1. The “activating” computer’s actual IP address, and the date and time that the NIT determines what that IP address is;

2. a unique identifier generated by the NIT (e.g., a series of numbers, letters, and/or special characters) to distinguish data from that of other “activating” comptuers, that will be sent with and collected by the NIT;

3. the type of operating system running on the computer, including type (e.g., Windows), version (e.g., Windows 7), and architecture (e.g., x 86);

4. information about whether the NIT has already been delivered to the “activating” computer;

5. the “activating” computer’s Host name;

6. the “activating” computer’s active operating system username; and

7. the “activating” computer’s media access control (“MAC”) address;


I mention that because if the FBI can’t prove its NIT’s capabilities against the users computer, who knows where they got the information they now claim to have originated from a child porn website?

Considering the FBI knowingly gave flawed testimony for twenty years, including in death penalty cases, when prosecutors were aware of those flaws, absence both source code and a demonstration of its use against the defendant’s computer as it existed then, the NIT evidence should be excluded at trial.

Or at the very least, a jury instruction that recites the FBI’s history of flawed technical testimony in detail and cautioning the jury that they should view all FBI “evidence” as originating from habitual liars.

Could be telling the truth, but that hasn’t been their habit. (Judicial notice of the FBI practice of providing flawed evidence.)

by Patrick Durusau at May 18, 2016 09:21 PM

Colleges Shouldn’t Have to Deal With Copyright Monitoring [Broods of Copyright Vipers]

Colleges Shouldn’t Have to Deal With Copyright Monitoring by Pamela Samuelson.

From the post:

Colleges have a big stake in the outcome of the lawsuit that three publishers, Cambridge University Press, Oxford University Press, and Sage Publications, brought against Georgia State University officials for copyright infringement. The lawsuit, now in its eighth year, challenged GSU’s policy that allowed faculty members to upload excerpts (mainly chapters) of in-copyright books for students to read and download from online course repositories.

Four years ago, a trial court held that 70 of the 75 challenged uses were fair uses. Two years ago, an appellate court sent the case back for a reassessment under a revised fair-use standard. The trial court has just recently ruled that of the 48 claims remaining in the case, only four uses, each involving multiple chapters, infringed. The question now is, What should be the remedy for those four infringements?

Sage was the only publisher that prevailed at all, and it lost more infringement claims than it won. Cambridge and Oxford came away empty-handed. Despite the narrowness of Sage’s win, all three publishers have asked the court for a permanent injunction that would impose many new duties on GSU and require close monitoring of all faculty uploads to online course repositories.

I expected better out of Cambridge and Oxford, especially Cambridge, which has in recent years allowed free electronic access to some printed textbooks.

Sage and the losing publishers, Cambridge and Oxford, seek to chill the exercise of fair use by not only Georgia State University but universities everywhere.

Pamela details the outrageous nature of the demands made by the publishers and concludes that she is rooting for GSU on appeal.

We should all root for GSU on appeal but that seems so unsatisfying.

It does nothing to darken the day for the broods of copyright vipers at Cambridge, Oxford or Sage.

In addition to creating this money pit for their publishers, the copyright vipers want to pad their nests by:

As if that were not enough, the publishers want the court to require GSU to provide them with access to the university’s online course system and to relevant records so the publishers could confirm that the university had complied with the record-keeping and monitoring obligations. The publishers have asked the court to retain jurisdiction so that they could later ask it to reopen and modify the court order concerning GSU compliance measures.

I don’t know how familiar you are with academic publishing but every academic publisher has a copyright department that shares physical space with acquisitions and publishing.

Whereas acquisitions and publishing are concerned with collection and dissemination of knowledge, while recovering enough profit to remain viable, the copyright department could just as well by employed by Screw.

Expanding the employment rolls of copyright departments to monitor fair use by publishers is another drain on their respective publishers.

If you need proof of copyright departments being a dead loss for their publishers, consider the most recent annual reports for Cambridge and Oxford.

Does either one highlight their copyright departments as centers of exciting development and income? Do they tout this eight year long battle against fair use?

No? I didn’t think so but wanted your confirmation to be sure.

I can point you to a history of Sage, but as a privately held publisher, it has no public annual report. Even that history, over changing economic times in publishing, finds no space to extol its copyright vipers and their role in the GSU case.

Beyond rooting for GSU, work with the acquisitions and publication departments at Cambridge, Oxford and Sage, to help improve their bottom line profit and drown their respective broods of copyright vipers.


Before you sign a publishing agreement, ask your publisher for a verified statement of the ROI contributed by their copyright office.

If enough of us ask, the question will resonant across the academic publishing community.

by Patrick Durusau at May 18, 2016 08:20 PM

Password Security – Not Blaming Victims


No, don’t waste your breath blaming victims.

Do use this list and similar lists as checks on allowable passwords.

One really good starting place would be: Today I Am Releasing Ten Million Passwords by Mark Burnett.

by Patrick Durusau at May 18, 2016 03:10 PM

iPad Security – Just Brick It! Just Brick It!


Apple has released a new method for securing your iPad, brick it!

Darren Pauli reports in Apple’s iOS updates brick iPads the brick your iPad upgrade process is 100% effective at securing iPads, at least until restored by users and/or Apple support is contacted.

Office of Personnel Management managers have expressed interest in iPad bricking in light of its most recent IT security fiasco. The cost of upgrading to iPads, suitable for bricking, is unknown.

by Patrick Durusau at May 18, 2016 02:31 PM

Mozilla/Tor Vulnerabilities – You Can Help!

You have probably heard the news that the FBI doesn’t have to reveal its Tor hack. Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack by Joseph Cox.

Which of course means that Mozilla isn’t going to get the hack fourteen days before the defense attorneys do.

While knowing the FBI hack would help fix that particular vulnerability, it would not help fix any other Mozilla/Tor vulnerabilities.

Rather than losing any sleep or keystrokes over the FBI’s one hack, clasped in its grubby little hands, contribute to the discovery and more importantly, fixing of vulnerabilities in Mozilla and Tor.

Let the FBI have its one-trick pony. From what I understand you had to have Flash installed for it to work.

Flash? Really?

Flash users need to mirror their SSN, address, hard drives, etc., to public FTP site. At least then you will have a record of when your data is stolen, I mean downloaded.

Whether vulnerabilities persist in Mozilla/Tor isn’t up to the FBI. It’s up to you.

Your call.

by Patrick Durusau at May 18, 2016 12:45 AM

May 17, 2016

Patrick Durusau

Unicode Code Chart Reviewers Needed – Now!

I saw an email from Rick McGowan of the Unicode Consortium that reads:

As we near the release of Unicode 9.0, we’re looking for volunteers to review the latest code charts for regressions from the 8.0 charts… If you have a block that you’re particularly fond of, please consider checking the glyphs and names against the 8.0 charts… To see the latest 9.0 charts, you can start here:

The “blocks” directory has all of the individual block charts, and the charts with specific additions/changes are here:

Not for everyone but if you can contribute, please do.

Just so you know, this is the 25th anniversary of the Unicode Consortium!

Even if you don’t proof the code charts, do remember to wish the Unicode Consortium a happy 25th anniversary!

by Patrick Durusau at May 17, 2016 11:59 PM

May 16, 2016

Patrick Durusau

Censored SIDtoday File Release

Snowden Archive — The SIDtoday Files

From the post:

The Intercept’s first SIDtoday release comprises 166 articles, including all articles published between March 31, 2003, when SIDtoday began, and June 30, 2003, plus installments of all article series begun during this period through the end of the year. Major topics include the National Security Agency’s role in interrogations, the Iraq War, the war on terror, new leadership in the Signals Intelligence Directorate, and new, popular uses of the internet and of mobile computing devices.

Along with this batch, we are publishing the stories featured below, which explain how and why we’re releasing these documents, provide an overview of SIDtoday as a publication, report on one especially newsworthy set of revelations, and round up other interesting tidbits from the files.

There are a series of related stories with this initial release:

The Intercept is Broadening Access to the Snowden Archive. Here’s Why by Glenn Greenwald.

NSA Closely Involved in Guantánamo Interrogations, Documents Show by Cora Currier.

The Most Intriguing Spy Stories From 166 Internal NSA Reports by Micah Lee, Margot Williams.

What It’s Like to Read the NSA’s Newspaper for Spies by Peter Maass.

How We Prepared the NSA’s Sensitive Internal Reports for Release by The Intercept.

A master zip file has all the SIDtoday files released thus far.

Comments on the censoring of these files will follow.

by Patrick Durusau at May 16, 2016 11:52 PM

Office of Personnel Management Upgrade Crashes and Burns

You may remember Flash Audit on OPM Infrastructure Update Plan which gave you a summary of the Inspector General for the Office of Personnel Management (OPM) report on OPM’s plans to upgrade its IT structure.

Unfortunately for U.S. taxpayers and people whose records are held by the OPM, the Inspector General doesn’t have veto power over the mis-laid plans of the OPM.

As a consequence, we read today:

Contractor Working on OPM’s Cyber Upgrades Suddenly Quits, Citing ‘Financial Distress” by Jack Moore.

From the post:

The contractor responsible for the hacked Office of Personnel Management’s major IT overhaul is now in financial disarray and no longer working on the project.

OPM awarded the Arlington, Virginia-based Imperatis Corporation a sole-source contract in June 2014 as part of an initial $20 million effort to harden OPM’s cyber defenses, after agency officials discovered an intrusion into the agency’s network.

In the past week, however, Imperatis ceased operations on the contract, citing “financial distress,” an OPM spokesman confirmed to Nextgov.

After Imperatis employees failed to show up for work May 9, OPM terminated Imperatis’ contract for nonperformance and defaulting on its contract.

“DHS and OPM are currently assessing the operational effect of the situation and expect there to be very little impact on current OPM operations,” OPM spokesman Sam Schumach said in a statement to Nextgov. Schumach said OPM had been planning for performance on the contract to end in June 2016.

Show of hands: Who is surprised by this news?

The Board of Directors/Advisors page for Imperatis is now blank.

To help you avoid becoming entangled with these individuals in future contacts, the Wayback Machine has a copy of their Board of Directors/Advisors as of March 31, 2016.

So you can identify the right people:

Board of Directors


Retired Major General Charles (Chuck) Henry became Chairman of the Board of Directors in early 2013. Henry retired after 32 years in the U.S. Army, during which he held various important Quartermaster, mission-related, command, and staff positions. He was the Army’s first Competition Advocate General and reported directly to the Secretary of the Army. His overseas assignments included tours of duty in Vietnam, Europe, and Saudi Arabia. Henry is a member of the Army Quartermaster and Defense Logistics Agency Halls of Fame. In his last position with the federal government, he was the founder and first commander of the Defense Contract Management Command (DCMC).

Henry spent 20 years as a senior executive working in industry, serving as the CEO of five companies. He currently sits on two public boards, Molycorp (NYSE) and Gaming Partners International Corp (NASDAQ), and also sits on the Army Science Board, an advisory committee that makes recommendations on scientific and technological concerns to the U.S. Army.


Sally Donnelly is founder and CEO of SBD Advisors, an international consulting and communications firm. Donnelly is also a senior advisor and North American representative to C5, a UK-based investment fund in safety and security markets.

Prior to founding SBD Advisors, Donnelly served as head of Washington’s office for U.S. Central Command. Donnelly was a key advisor to General Jim Mattis on policy issues, Congressional relations, communications, and engagements with foreign governments. Before joining U.S. Central Command, Donnelly was a Special Assistant to the Chairman of the Joint Chiefs of Staff, Admiral Mike Mullen.

Before joining the Chairman’s staff, Donnelly worked at Time Magazine for 21 years. Donnelly currently sits on the Board of the American Friends of Black Stork, a British-based military veterans’ charity and is a consultant to the Pentagon’s Defense Business Board.


Retired Admiral Eric T. Olson joined the Imperatis Board in April 2013. Olson retired from the U.S. Navy in 2011 after more than 38 years of military service. He was the first Navy SEAL officer to be promoted to the three-star and four-star ranks. He served as head of the US Special Operations Command, where he was responsible for the mission readiness of all U.S. Army, Navy, Air Force, and Marine Corps Special Operations Forces.

Olson is now an independent national security consultant for private and public sector organizations as the president of the ETO Group. He is an adjunct professor in the School of International and Public Affairs at Columbia University and serves as director of Iridium Communications, Under Armour, the non-profit Special Operations Warrior Foundation, and the National Navy UDT-SEAL Museum.


Retired Major General Mastin Robeson joined Imperatis as President and Chief Executive Officer in March 2013. Robeson retired in February 2010 after 34 years of active service in the U.S. Marine Corps, during which time he served in more than 60 countries. He commanded a Combined/Joint Task Force in the Horn of Africa, two Marine Brigades, two Marine Divisions, and Marine Corps Special Operations Command. He also served as Secretary of Defense William Cohen’s Military Assistant and General David Petraeus’ Director of Strategy, Plans, and Assessments. He has extensive strategic planning, decision-making, and crisis management experience.

Since retiring in 2010, Robeson has operated his own consulting company, assisting more than 20 companies in business development, marketing strategy, strategic planning, executive leadership, and crisis management. He has also served on three Boards of Directors, two Boards of Advisors, a college Board of Trustees, and a major hospital’s Operations Council.



James (Jim) Cluck joined the Imperatis Board of Advisors in 2013. Cluck formerly served as acquisition executive, U.S. Special Operations Command. He was responsible for all special operations forces research, development, acquisition, procurement, and logistics.

Cluck held a variety of positions at USSOCOM, including program manager for both intelligence systems and C4I automation systems; Deputy Program Executive Officer for Intelligence and Information Systems; Director of Management for the Special Operations Acquisition and Logistics Center; and Chief Information Officer and Director for the Center for Networks and Communications. During these assignments, he consolidated diverse intelligence, command and control, and information programs through common migration and technical management techniques to minimize Major Force Program-11 resourcing and enhance interoperability.


Retired Rear Admiral Ed Winters joined the Imperatis Board of Advisors in September 2014. Winters retired from the U.S. Navy after more than 33 years of military service. As a Navy SEAL, he commanded at every level in the Naval Special Warfare community as well as serving two tours in Iraq under the Multi-National Security Transition Command (MNSTC-I). During his first tour with MNSTC-I he led the successful efforts to establish the Iraqi National Counter-Terrorism Task Force. During his second tour with MNSTC-I he served as Deputy Commander, overseeing the daily training and mentoring of the Iraqi Security Architecture and Government institutions. Since retiring, Winters has consulted to multiple corporations.

Should any of these individuals appear in any relationship with any contractor on a present or future contract, run the other way. Dig in your heels and refuse to sign any checks, contracts, etc.

Imperatis Corporation was once known as Jorge Scientific, which also crashed and burned. You can find their “leadership team” at the Wayback Machine as well.

You have to wonder how many Imperatis and Jorge Scientific “leaders” are involved in other government contracts.

Suggestions for a good starting place to root them out?

by Patrick Durusau at May 16, 2016 09:32 PM

Shame! Shame! John McAfee Tricks Illiterates

My day started with reading WhatsApp Message Hacked By John McAfee And Crew by Steve Morgan.

I thought it made the important point that while the WhatsApp message is secured by bank vault quality encryption:


By LoKiLeCh (Own work) [GFDL, CC-BY-SA-3.0, CC BY-SA 2.5-2.0-1.0, GFDL, CC-BY-SA-3.0 or CC BY-SA 2.5-2.0-1.0], via Wikimedia Commons

When you enlarge the little yellow note on the front (think Android) you find:


While your message encryption may be Shannon secure end-to-end, the security of your OS, to say nothing of your personal, organizational, etc., security counts whether the message is indeed “secure.”

A better illustration would be to show McAfee and crew taking the vault out of the wall (think OS) but my graphic skills aren’t up to that task. ;-)

That’s a useful lesson and to be honest, McAfee says as much, in the fifth paragraph of the story.

So I almost fell off my perch when later in the morning I read:

John McAfee Apparently Tried to Trick Reporters Into Thinking He Hacked WhatsApp by William Turton.

Here’s the lead paragraph:

John McAfee, noted liar and one-time creator of anti-virus software, apparently tried to convince reporters that he hacked the encryption used on WhatsApp. To do this, he attempted to send them phones with preinstalled malware and then convince them he was reading their encrypted conversations.

Just in case you don’t follow the “noted liar” link, that’s another post written by William Turton.

The “admitted lie” was one of simplification, compressing an iPhone hack into sound bite length.

Ever explain (attempt) computer technology to the c-suite? You are guilty of the same type of lies.

If someone divested themselves of their interest in WhatsApp because they didn’t read to the fifth paragraph of the original story, I’m sorry.

Read before you re-tweet/re-post and/or change your investments. Whether it’s a John McAfee story or not.

by Patrick Durusau at May 16, 2016 08:10 PM

Twitter Giveth and Taketh Away (NSA as Profit Center?)

Twitter Giveth: GCHQ intelligence agency joins Twitter. Just about anyone can get a Twitter account these days.

Do see the GCHQ GitHub site for shared software.

Taketh Away Twitter Bars Intelligence Agencies From Using Analytics Service.

Twitter has barred Dataminr from providing services to government intelligence services.

Dataminr monitors the entire Twitter pipe and provides analytics based on that stream.

Will this result in the NSA sharing its signal detection in the Twitter stream with other intelligence agencies?

Or for that matter, the NSA could start offering commercial signal detection services across all its feeds. Make it a profit center for the government rather than a money pit.

BTW, don’t be deceived by the illusion of space between government and Twitter, or any other entity that cooperates with a national government. Take “compromised” as a given. The real questions are by who and for what purpose?

by Patrick Durusau at May 16, 2016 02:39 PM

How to create interactive maps with MapHub

How to create interactive maps with MapHub by Mădălina Ciobanu.

From the post:

Maps may not be every graphics editor or reporter’s favourite way to illustrate information, particularly a more interesting dataset that can lend itself to a more creative format, but sometimes they are the best way to take your readers from point A to point B – literally.

We have written about mapping tools before, so make sure you check out the list (and stay tuned for an update!), but in the meantime this guide will show you how to create a quick interactive map using free platform MapHub, which is currently available in beta.

After you read about using MapHub, be sure to follow the link to resources on other mapping tools as well.

One quick use of maps for stories such as Congress, Maps and a Research Tale – Part 1, where public land is going to be mined in a noisy and toxic way, is to plot the physical residences of those who support the project versus those who oppose it.

I haven’t gathered that data, yet, but won’t be surprised if supporters DO NOT have the mine in their backyards.

Other examples of how distance increases political support for noxious activities?

by Patrick Durusau at May 16, 2016 01:26 PM

A Linguistic Divide: Cow Tipping vs. Fly-tipping

When I read Private landowners face increasing costs and fines as fly-tipping reaches one million cases a year, I immediately thought of the urban legend of cow tipping.

Stories about cow tipping usually involve intoxicated people who attempt to push over, “tip,” a sleeping cow onto its side.

Before you verify for yourself that such deeds are urban legends, be aware that cows are quite large, often accompanied by bulls and always owned by people who take exception to drunks molesting their cattle at night. You have been warned.

When the story mentioned England and Wales, the idea of “fly-tipping” made a little more sense but not the increased costs and fines.

Who cares if drunk English/Welshmen want to tip over flies or not?

It does sound very British doesn’t it?

In any event, reading further revealed the unfortunate usage of “fly-tipping,” to mean “illegal dumping.”

Why the British have departed from the mainstream usage of “illegal dumping” to use “fly-tipping” isn’t clear.

But, if you are making a list of ill-advised synonyms, be sure to add “fly-tipping” to your list.

by Patrick Durusau at May 16, 2016 01:07 PM

Congress, Maps, A Research Tale – Part 1


A close friend posted this to Facebook. I pressed them for further details because alone, all this does is raise my blood pressure, it offers no opportunity for meaningful action.

With their response I was able to locate the offending act: Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015, which given the date, fiscal year 2015, means it likely passed in 2014.

The timeless nature of most web posts increases the difficult of even minimal searching. If what you are complaining about has a date, please recite it. If it is legislation, provide the date and a pointer.

Having located the act, if you are reading along you want Section 3003.

In subsection (b), Definitions, you will find:

(1) APACHE LEAP.—The term ‘‘Apache Leap’’ means the approximately 807 acres of land depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Apache Leap’’ and dated March 2011.

(2) FEDERAL LAND.—The term ‘‘Federal land’’ means the approximately 2,422 acres of land located in Pinal County, Arizona, depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Federal Parcel–Oak Flat’’ and dated March 2011.

(5) OAK FLAT CAMPGROUND.—The term ‘‘Oak Flat Campground’’ means the approximately 50 acres of land comprising approximately 16 developed campsites depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Oak Flat Campground’’ and dated March 2011.

(6) OAK FLAT WITHDRAWAL AREA.—The term ‘‘Oak Flat Withdrawal Area’’ means the approximately 760 acres of land depicted on the map entitled ‘‘Southeast Arizona Land Exchange and Conservation Act of 2011–Oak Flat Withdrawal Area’’ and dated March 2011.

OK, I like maps and so went looking for these maps. Searched all of, fourteen hits for the names, but no maps.

I started to write to the law librarians at the Library of Congress and for due diligence, did a search on the term ” maps ” (note the leading and following spaces). There were twenty-eight (28) “hits” and the eight one reads:

(b) AVAILABILITY OF MAPS AND LEGAL DESCRIPTIONS.—Maps are entitled ‘‘Trinity County Land Exchange Act of 2014 – Parcel A’’ and ‘‘Trinity County Land Exchange Act of 2014 – Parcel B’’, both dated March 24, 2014. The maps shall be on file and available for public inspection in the Office of the Chief of the Forest Service and the appropriate office of the Bureau of Land Management.

Ah! So map titles in the bill don’t refer to maps attached to the bill (a sensible assumption), nor do they refer to maps already available elsewhere, of necessity. Maps referenced in legislation may not exist at the time of the reference.

I would not vote based on a to-be-produced-map but then many in Congress don’t vote as I would. ;-) (Not always a criticism, just an observation.)

So, the solution to finding the maps lies in

PUBLIC LAW 113–291, Section 3003, (i) (2) MAPS, Estimates, AND Descriptions (C) Availability:

(C) AVAILABILITY.—On the date of enactment of this, Act, the Secretary shall file and make available for public inspection in the Office of the Supervisor, Tonto National Forest, each map referred to in this section.

A quick search at the Tonto National Forest website does not turn up the maps in question.

Nor does a search for “Oak Flat Withdrawal Area” at the Secretary of Agriculture site:


At this point I have the following outstanding questions:

What is the source of these maps, alleged to be dated 2011?

Bearing in mind the advice in the Moon is a Harsh Mistress, “Always cut cards.”

I’m fine with maps, so long as it is my map.

Can these maps be accessed without traveling to the “…Office of the Supervisor, Tonto National Forest….?”

What maps were available to members of congress voting on this legislation?

I have feelers out for additional information and will be posting a follow-up later this week.

by Patrick Durusau at May 16, 2016 12:26 AM

May 15, 2016

Patrick Durusau

Consent/Anonymised Data Concerns For

Famous Hacking Forum Suffers Devastating Data Breach by Catalin Cimpanu.

From the post:

According to security firm Risk Based Security, the leaked data was offered as a 1.3 GB tar archive that decompressed to a 9.45 GB db.sql file, which was a database dump of the entire forum’s database.

Everything from user accounts to private messages, and from VIP forum posts to financial transactions were included. More precisely, the data contained 536,064 user accounts, 800,593 user personal messages, 5,582 purchase records, and 12,600 invoices.

For each user, leaked data included his forum username, email address, hashed password, join date, IP records, and other forum-related tidbits such as titles and post counts.

Crime investigation agencies are most likely to be interested in this leak since it also includes 907,162 authentication logs with geolocation data that will allow them to tie various criminal activity to IPs, forum usernames, and email addresses.

I am waiting to see Oliver Keyes, OKCupid data and Scientific Censorship, ride in to condemn this unknown hacker for breaching the privacy of the users of and for the data not being anonymised.

Or in Oliver’s words on another data breach:

…this is without a doubt one of the most grossly unprofessional, unethical and reprehensible data releases I have ever seen.

I wonder where this one ranks?

Considering that criminal charges are a distinct possibility from the data breach?

I haven’t looked at the data, yet, but if hackers failed to take steps to conceal their identities on a site devoted to hacking, user education on security may be a lost cause.

by Patrick Durusau at May 15, 2016 03:06 AM

May 14, 2016

Patrick Durusau

Receding Trust In Internet Privacy

You may have seen this post on Twitter:


So, what is this:

…single problem that we just can’t seem to solve[?]

The Washington Post headline was even more lurid: Why a staggering number of Americans have stopped using the Internet the way they used to.

The government post releasing the data was somewhat calmer: Lack of Trust in Internet Privacy and Security May Deter Economic and Other Online Activities by Rafi Goldberg.

Rafi writes:

Every day, billions of people around the world use the Internet to share ideas, conduct financial transactions, and keep in touch with family, friends, and colleagues. Users send and store personal medical data, business communications, and even intimate conversations over this global network. But for the Internet to grow and thrive, users must continue to trust that their personal information will be secure and their privacy protected.

NTIA’s analysis of recent data shows that Americans are increasingly concerned about online security and privacy at a time when data breaches, cybersecurity incidents, and controversies over the privacy of online services have become more prominent. These concerns are prompting some Americans to limit their online activity, according to data collected for NTIA in July 2015 by the U.S. Census Bureau. This survey included several privacy and security questions, which were asked of more than 41,000 households that reported having at least one Internet user.

Perhaps the most direct threat to maintaining consumer trust is negative personal experience. Nineteen percent of Internet-using households—representing nearly 19 million households—reported that they had been affected by an online security breach, identity theft, or similar malicious activity during the 12 months prior to the July 2015 survey. Security breaches appear to be more common among the most intensive Internet-using households. For example, while 9 percent of online households that used just one type of computing device (either a desktop, laptop, tablet, Internet-connected mobile phone, wearable device, or TV-connected device) reported security breaches, 31 percent of those using at least five different types of devices suffered this experience (see Figure 1).

No real surprises in the report until you reach:

NTIA’s initial analysis only scratches the surface of this important area, but it is clear that policymakers need to develop a better understanding of mistrust in the privacy and security of the Internet and the resulting chilling effects. In addition to being a problem of great concern to many Americans, privacy and security issues may reduce economic activity and hamper the free exchange of ideas online.

I’m sorry, given that almost 1 out of every 5 households surveyed had suffered from an online security breach, what is there to “…better understand…” about their mistrust?

The Internet, their computers and other online devices, etc., are all insecure.

What seems to be the problem with acknowledging that fact?

It’s mis-leading for the Washington Post to wave it hands and say this is a …single problem that we just can’t seem to solve.

Online services and computers can be made less insecure, but no computer system is completely secure. (Not even the ones used by the NSA. Remember Snowden.)

Nor can computer systems be less insecure without some effort from users.

I know, I know, I blaming all those users who get hacked. Teaching users to protect themselves has some chance of a positive outcome. Wringing your hands over poor hacked users that someone should be protecting has none.

Educate yourself about basic computer security and be careful out there. The number of assholes on the Internet seems to multiply geometrically. Even leaving state actors to one side.

by Patrick Durusau at May 14, 2016 01:49 AM

Flawed Input Validation = Flawed Subject Recognition

In Vulnerable 7-Zip As Poster Child For Open Source, I covered some of the details of two vulnerabilities in 7-Zip.

Both of those vulnerabilities were summarized by the discoverers:

Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security.

The first vulnerability is described as:


An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.

Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.

(code in original post omitted)

This vulnerability can be triggered by any entry that contains a malformed Long Allocation Descriptor. As you can see in lines 898-905 from the code above, the program searches for elements on a particular volume, and the file-set starts based on the RootDirICB Long Allocation Descriptor. That record can be purposely malformed for malicious purpose. The vulnerability appears in line 392, when the PartitionRef field exceeds the number of elements in PartitionMaps vector.

I would describe the lack of a check on the “PartitionRef” field in topic maps terms as allowing a subject, here a string, of indeterminate size. That is there is no constraint on the size of the subject, which is here a string.

That may seem like an obtuse way of putting it, but consider that for a subject, here a string that is longer than the “available amount of partition may objects,” can be in association with other subjects, such as the user (subject) who has invoked the application(association) containing the 7-Zip vulnerability (subject).

Err, you don’t allow users with shell access to suid root do you?

If you don’t, at least not running a vulnerable program as root may help dodge that bullet.

Or in topic maps terms, knowing the associations between applications and users may be a window on the severity of vulnerabilities.

Lest you think logging suid is an answer, remember they were logging Edward Snowden’s logins as well.

Suid logs may help for next time, but aren’t preventative in nature.

BTW, if you are interested in the details on buffer overflows, Smashing The Stack For Fun And Profit looks like a fun read.

by Patrick Durusau at May 14, 2016 12:47 AM

May 13, 2016

Patrick Durusau

Vulnerable 7-Zip As Poster Child For Open Source

Anti-virus products, security devices affected by 7-Zip flaws by David Bisson.

From the post:

But users be warned. Cisco Talos recently discovered multiple vulnerabilities in 7-Zip that are more serious than regular security flaws. As explained in a blog post by Marcin Noga and Jaeson Schultz, two members of the Cisco Talos Security Intelligence & Research Group:

“These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”

Cisco Talos has identified two flaws in particular. The first (CVE-2016-2335) is an out-of-bounds read vulnerability that exists in the way 7-Zip handles Universal Disk Format (UDF) files. An attacker could potentially exploit this vulnerability to achieve arbitrary code execution.

The “many products and appliances” link results in:


If you use the suggested search string:


Every instance of software running a vulnerable 7-Zip library is subject to this hack. A number likely larger than the total 2,490,000 shown by these two searches.

For open source software, you can check to see if it has been upgraded to 7-Zip, version 16.0.

If you have non-open source software, how are you going to check for the upgrade?

Given the lack of liability under the usual EULA, are you really going to take a vendor’s word for the upgrade?

The vulnerable 7-Zip library is a great poster child for open source software.

Not only for the discovery of flaws but to verify vendors have properly patched those flaws.

by Patrick Durusau at May 13, 2016 05:28 PM

For The Artistically Challenged (that includes me)


If you are looking for animated gifs for a blog post, presentation, etc., give GIPHY a try.

Now that I have found it, I’m likely to spend too much time looking for the perfect animated GIF.


by Patrick Durusau at May 13, 2016 01:29 AM

May 12, 2016

Patrick Durusau

OKCupid data and Scientific Censorship

Scientific consent, data, and doubling down on the internet by Oliver Keyes.

From the post:

There is an excellent Tim Minchin song called If You Open Your Mind Too Much, Your Brain Will Fall Out. I’m sad to report that the same is also true of your data and your science.

At this point in the story I’d like to introduce you to Emil Kirkegaard, a self-described “polymath” at the University of Aarhus who has neatly managed to tie every single way to be irresponsible and unethical in academic publishing into a single research project. This is going to be a bit long, so here’s a TL;DR: linguistics grad student with no identifiable background in sociology or social computing doxes 70,000 people so he can switch from publishing pseudoscientific racism to publishing pseudoscientific homophobia in the vanity journal that he runs.

Yeah, it’s just as bad as it sounds.

The Data

Yesterday morning I woke up to a Twitter friend pointing me to a release of OKCupid data, by Kirkegaard. Having now spent some time exploring the data, and reading both public statements on the work and the associated paper: this is without a doubt one of the most grossly unprofessional, unethical and reprehensible data releases I have ever seen.

There are two reasons for that. The first is very simple; Kirkegaard never asked anyone. He didn’t ask OKCupid, he didn’t ask the users covered by the dataset – he simply said ‘this is public so people should expect it’s going to be released’.

This is bunkum. A fundamental underpinning of ethical and principled research – which is not just an ideal but a requirement in many nations and in many fields – is informed consent. The people you are studying or using as a source should know that you are doing so and why you are doing so.

And the crucial element there is “informed”. They need to know precisely what is going on. It’s not enough to simply say ‘hey, I handed them a release buried in a pile of other paperwork and they signed it': they need to be explicitly and clearly informed.

Studying OKCupid data doesn’t allow me to go through that process. Sure: the users “put it on the internet” where everything tends to end up public (even when it shouldn’t). Sure: the users did so on a site where the terms of service explicitly note they can’t protect your information from browsing. But the fact of the matter is that I work in this field and I don’t read the ToS, and most people have a deeply naive view of how ‘safe’ online data is and how easy it is to backtrace seemingly-meaningless information to a real life identity.

In fact, gathering of the data began in 2014, meaning that a body of the population covered had no doubt withdrawn their information from the site – and thus had a pretty legitimate reason to believe that information was gone – when Kirkegaard published. Not only is there not informed consent, there’s good reason to believe there’s an implicit refusal of consent.

The actual data gathered is extensive. It covers gender identity, sexuality, race, geographic location; it covers BDSM interests, it covers drug usage and similar criminal activity, it covers religious beliefs and their intensity, social and political views. And it does this for seventy thousand different people. Hell, the only reason it doesn’t include profile photos, according to the paper, is that it’d take up too much hard-drive space.

Which nicely segues into the second reason this is a horrifying data dump: it is not anonymised in any way. There’s no aggregation, there’s no replacement-of-usernames-with-hashes, nothing: this is detailed demographic information in a context that we know can have dramatic repercussions for subjects.

This isn’t academic: it’s willful obtuseness from a place of privilege. Every day, marginalised groups are ostracised, excluded and persecuted. People made into the Other by their gender identity, sexuality, race, sexual interests, religion or politics. By individuals or by communities or even by nation states, vulnerable groups are just that: vulnerable.

This kind of data release pulls back the veil from those vulnerable people – it makes their outsider interests or traits clear and renders them easily identifiable to their friends and communities. It’s happened before. This sort of release is nothing more than a playbook and checklist for stalkers, harassers, rapists.

It’s the doxing of 70,000 people for a fucking paper.

I offer no defense for the Emil Kirkegaard’s paper, its methods or conclusions.

I have more sympathy for Oliver’s concerns over consent and anonymised data than say the International Consortium of Investigative Journalists (ICIJ) and their concealment of the details from the Panama Papers, but only just.

It is in the very nature of data “leaks” that no consent is asked of or given by those exposed by the “leak.”

Moreover, anonymised data sounds suspiciously like ICIJ saying they can protect the privacy of the “innocents” in the Panama Papers leak.

I don’t know, hiding from the tax man doesn’t raise a presumption of innocence to me. You?

Someone has to decide who are “innocents,” or who merits protection of anonymised data. To claim either one, means you have someone in mind to fill that august role.

In our gender-skewed academic systems, would that be your more than likely male department head?

My caveat to Oliver’s post is even with good intentions, the power to censor data releases is a very dangerous one. One that reinforces the power of those who possess it.

The less dangerous strategy is to teach users if information is recorded, it is leaked. Perhaps not today, maybe not tomorrow, but certainly by the day after that.

Choose what information you record carefully.

by Patrick Durusau at May 12, 2016 07:40 PM

107,000 Anal Fisting Aficionados But No Senate Torture Report

Huge embarrassment over fisting site data breach by John Leyden.

From the post:

A data breach at a forum for “anal fisting” has resulted in the exposure of 107,000 accounts.

Of course, ‘;–have i been pwned? plays the “I know something you don’t” game, loads the data but blocks searching.

I didn’t look hard for the data dump but for details sufficient to replicate this hack, see:

Another Day, Another Hack: Is Your Fisting Site Updating Its Forum Software? by Joseph Cox.

Quick search shows there are about 15K reports (including duplicates) on exposure of these 107,000 anal fisting aficionados.

It’s mildly amusing to think of the reactions of elected officials, military officers, etc., caught up in such data breach (sorry) but where is the full U.S. Senate Torture Report?

If you are going to risk jail time for hacking, shouldn’t it be for something more lasting than a list of anal fisters?

Is there a forum for nominating and voting on (anonymously) targets for hacking?

PS: Leaking data to ‘;–have i been pwned?, the International Consortium of Investigative Journalists or Wikileaks, etc., only empowers new exercises of privilege. Leak to them if you like but leak to the public as well.

by Patrick Durusau at May 12, 2016 03:01 PM

May 11, 2016

Patrick Durusau

MOOGI – The Film Discovery Engine

MOOGI – The Film Discovery Engine

Not the most recent movie I have seen but under genre I entered:

movies about B.C.

Thinking that it would return (rather quickly):

One Million Years B.C. (1966)

Possibly just load on this alpha site but after a couple of minutes, I just reloaded the homepage.

Using “keyword,” just typing “B.C.” brought up a pick list where One Million Years B.C. (1966) was eight in the list. Without any visible delay.

The keyword categories are interesting and many.

Learned a new word, canuxploitation! There is an entire site devoted to Canadian B-movies, i.e., Canuxploitation! – Your Complete Guide to Canadian B-Film.

You will recognize most of the other keywords.

If not, check the New York Times or the Washington Post and include the term plus “member of congress.” You will get several stories that will flesh out the meaning of “erotic,” “female nudity,” “drugs,” “prostitution,” “monster,” “hotel,” “adultery” and the like.

If search isn’t your strong point, try the “explore” option. You can search for movies “similar to” some named movie.

Just for grins, I typed in:

The Dirty Dozen. When I saw it during its first release, it had been given a “condemned” rating by Catholic movie rating service. Had no redeeming qualities at all. No one should see it.

I miss those lists because they were great guides to what movies to go see! ;-)

One of five (5) results was The Dirty Dozen: The Deadly Mission (1987).

When I chose that movie, the system failed so I closed out the window and tried again. Previous quick response is taking a good bit of time, suspect load/alpha quality. (I will revisit fairly soon and update this report.)

In terms of aesthetics, they really should lose the hand in the background moving around with a remote control. Adds nothing to the experience other than annoyance.

The site is powered by Mindmaps. Which means you are going to find Apache Tinkerpop under the hood.


by Patrick Durusau at May 11, 2016 08:14 PM

Moderate Rebels ™

By the U.S. Dept. of Fear.


FYI, why sailing from Australia to join ISIS is a bad idea:


I keep expecting either governments or terrorists to up their game but so far, no joy.

Is that intentional?

With an unknown number of terrorists about, governments can justify their terrorism budgets. Ineffectual and counter-productive government strategies to fight terrorism, writes terrorist recruitment literature for them.

Could it be that governments need terrorists and terrorists need governments?

by Patrick Durusau at May 11, 2016 07:27 PM

Hunting Bugs In Porn Site (or How to Explain Your Browsing History)

Pornhub Launches Bug Bounty Program; Offering Reward up to $25,000 by Swati Khandelwal.

From the post:

The world’s most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website.

Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find. (emphasis in the original)

As always, there are some exclusions:

Vulnerabilities such as cross-site request forgery (CSRF), information disclosure, cross domain leakage, XSS attacks via Post requests, HTTPS related (such as HSTS), HttpOnly and Secure cookie flags, missing SPF records and session timeout will not be considered for the bounty program.

I take “information disclosure” to mean that if your hack involves NSA credentials it doesn’t count. Well, you can’t make it too easy.

The program is in beta so see Swati’s post for further details.

This PornHub program benefits people asked awkward questions about their browsing history.

Yes, you were looking at PornHub or related sites. You were doing “security research.”

Being in HR or accounting may make that claim less credible. ;-)

by Patrick Durusau at May 11, 2016 03:19 PM

Panama Papers and “radical sharing” (Greed By Another Name)

Alicia Shepard in A few weeks after the Panama Papers’ release, The New York Times and Washington Post start digging in caught me off guard with:

Many newspapers aren’t comfortable with ICIJ’s “radical sharing” concept.

Suspecting Alicia was using “sharing” to mean something beyond my experience, I had to read her post!

Alicia explains the absence of the New York Times and the Washington Post from the initial reporting on the Panama Papers saying:

Why weren’t the Times or the Post included originally? Walker said that, in general, many newspapers are not comfortable with ICIJ’s “radical sharing” concept, in which all journalists who agree to collaborate must promise to share their reporting, protect confidentiality, not share the data, and publish when ICIJ gives the go-ahead.

I see. “Radical sharing,” means collaborating on research, a good thing, protecting confidentiality, another good thing, then being bound to not share the data (restricting the data to ICIJ approved participants), a bad thing, and publishing when allowed by the ICIJ, another bad thing.

Not what I would consider “radical” sharing but I can see why newspapers, like many traditional publishers, fear the sharing of research. Even though sharing of research in other areas has been proven to float all boats higher.

The lizard brain reflex against sharing still dominates in many areas of human endeavor. News reporting in particular.

Alicia also quotes Marina Walker saying:

“We are excited to be working with The New York Times and The Washington Post, two of the world’s best newspapers,” said Marina Walker, deputy director of the Washington, D.C.–based ICIJ. “Both of them signed up at more or less the same time, two or three weeks ago. Both teams were recently trained by ICIJ researchers and reporters on how to use the data and we continue to assist them as needed, like we do with other partners. So far, so good.”

The “smoking gun” for my suggestion in Panama Papers – Shake That Money Maker that the ICIJ are hoarding the Panama Papers for their own power and profit.

The ICIJ wants control over the data, realizing that training and assistance are never free, to dictate who sees the data and when they can publish using the data.

Combine that with the largest data leak to date and the self-service nature of the claim the data might reveal the leaker becomes self-evident.

Hoarding data for profit is, as I have said, understandable and to some degree even reasonable.

But let’s have that conversation and not one based on specious claims about a leaker’s or public’s interest.

PS: Getting to dictate to the Washington Post and the New York Times must be heady stuff.

PPS: Any Panama Paper secondary leakers yet?

by Patrick Durusau at May 11, 2016 02:12 PM

False Rumors Spread Faster Than Truth

Recent research reveals false rumours really do travel faster and further than the truth by Craig Silverman.

From the post:

A lie can travel halfway around the world before the truth has got its boots on, or so the saying goes, and new research has sought to prove just how long it takes fact checking to catch up.

On average, it takes more than 12 hours for a false claim to be debunked online, according to two recent projects that compared how falsehoods and truths spread.

One study analyzed rumors on Twitter and found that a rumor that turns out to be true is often resolved within two hours of first emerging. But a rumor that proves false takes closer to 14 hours to be debunked.

Another study looked at how long it took for a fact check or debunking article to be published as a counter measure to a fake story. It found “a characteristic lag of approximately 13 hours between the production of misinformation and that of fact checking”.

The studies used different methodologies and look at different elements of the online rumor and misinformation ecosystem. But they both provide evidence that falsehoods spread for hours and take hold online before being debunked.

Both research groups say their findings highlight the need for better — and especially faster — approaches to countering online misinformation.

A counter-factual response to these reports would be the failure of false U.S. social media propaganda falling to truthful Islamic State reports. Why It’s So Hard to Stop ISIS Propaganda.

Or is it that U.S. government lies are so clumsy that they lack the punch of other falsehoods?

Or perhaps the U.S. government tells so many lies that it’s hard to judge the impact of only one?

Unless and until better/faster approaches “…to countering online misinformation” appear, consider how you can use the gap between rumor and correction to your advantage.

Is that arbitrage in truth?

by Patrick Durusau at May 11, 2016 02:34 AM

May 10, 2016

Patrick Durusau

Panama Papers Import Scripts for Neo4j and Docker

Panama Papers Import Scripts for Neo4j and Docker by Michael Hunger.

Michael’s import scripts enable you too to explore and visualize, a sub-set of the Panama Papers data.

Thanks Michael!

by Patrick Durusau at May 10, 2016 08:35 PM

Panama Papers Database Warning: You Will Be Tracked

As promised, a teaser database of 214,000 offshore entities created in 21 jurisdictions, has been released by International Consortium of Investigative Journalists (ICIJ).

I say “teaser” because of the information you won’t find in the database:

The new data that ICIJ is now making public represents a fraction of the Panama Papers, a trove of more than 11.5 million leaked files from the Panama-based law firm Mossack Fonseca, one of the world’s top creators of hard-to-trace companies, trusts and foundations.

ICIJ is not publishing the totality of the leak, and it is not disclosing raw documents or personal information en masse. The database contains a great deal of information about company owners, proxies and intermediaries in secrecy jurisdictions, but it doesn’t disclose bank accounts, email exchanges and financial transactions contained in the documents.

In all, the interactive application reveals more than 360,000 names of people and companies behind secret offshore structures. As the data are from leaked sources and not a standardized registry, there may be some duplication of names.

Warning: Even visits to the database are being logged, as shown by this initial greeting:


How deep the tracking is post-entry to the site isn’t readily evident.

I would assume all searches are logged along with the IP address of origin.

Use Tor if you plan to visit this resource.

A couple of positive comments about the database:

First, you can download the database as CSV files, a file for each type of node and the other for edges (think relationships). A release of the Neo4j data files is forthcoming.

Second, the ICIJ gets the licensing right:

The ICIJ Offshore Leaks Database is licensed under the Open Database License and its contents under Creative Commons Attribution-ShareAlike license. Always cite the International Consortium of Investigative Journalists when using this data.

Be forewarned that a lot of loose headlines will be appearing about this release, such as: The Panama Papers can now be searched online. Hardly, see the ICIJ’s own statement of exclusions above. It’s always better to read a post before commenting on it.

I don’t now nor have I ever disagreed with the statement “the > 370 reporters and the ICIJ have done a great job of reporting on the Panama Papers.”

I do disagree with the refusal of the ICIJ to release the leak contents to law enforcement under the guise of protecting the leaker and its plans to never release the full leak to the public.

As I have said before, some period of exclusive access is understandable given the investment of ICIJ in the leak but only for a reasonable period of time.

by Patrick Durusau at May 10, 2016 02:57 PM

Dark Matter: Driven by Data

A delightful keynote by Dan Geer, presented at the 2015 LangSec Workshop at the IEEE Symposium on Security & Privacy Workshops, May 21, 2015, San Jose, CA.

Prepared text for the presentation.

A quote to interest you in watching the video:

Workshop organizer Meredith Patterson gave me a quotation from Taylor Hornby that I hadn’t seen. In it, Hornby succinctly states the kind of confusion we are in and which LANGSEC is all about:

The illusion that your program is manipulating its data is powerful. But it is an illusion: The data is controlling your program.

It almost appears that we are building weird machines on purpose, almost the weirder the better. Take big data and deep learning. Where data science spreads, a massive increase in tailorability to conditions follows. But even if Moore’s Law remains forever valid, there will never be enough computing hence data driven algorithms must favor efficiency above all else, yet the more efficient the algorithm, the less interrogatable it is,[MO] that is to say that the more optimized the algorithm is, the harder it is to know what the algorithm is really doing.[SFI]

And there is a feedback loop here: The more desirable some particular automation is judged to be, the more data it is given. The more data it is given, the more its data utilization efficiency matters. The more its data utilization efficiency matters, the more its algorithms will evolve to opaque operation. Above some threshold of dependence on such an algorithm in practice, there can be no going back. As such, if science wishes to be useful, preserving algorithm interrogatability despite efficiency-seeking, self-driven evolution is the research grade problem now on the table. If science does not pick this up, then Lessig’s characterization of code as law[LL] is fulfilled. But if code is law, what is a weird machine?

If you can’t interrogate an algorithm, could you interrogate a topic map that is an “inefficient” implementation of the algorithm?

Or put differently, could there be two representations of the same algorithm, one that is “efficient,” and one that can be “interrogated?”

Read the paper version but be aware the video has a very rich Q&A session that follows the presentation.

by Patrick Durusau at May 10, 2016 01:47 AM

May 09, 2016

Patrick Durusau

White Hat Hacker Jailed – Screen Capturing Your Crime

White Hat Researcher Jailed for Exposing SQLi Flaws by Phil Muncaster.

The headline misleading and the lead paragraph makes the same mistake:

A cybersecurity researcher who exposed vulnerabilities in a Florida elections website was last week arrested and charged on three third-degree felony counts.

It isn’t until later that you read:

“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data,” he explained in a blog post. “That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private).”

Watch the video that includes a screen capture not only of the attack, but of Dave Levin downloading files from the breached server.

All most people will read is “White Hat Hacker Jailed,” which is a severe disservice to the security community generally.

A more accurate headline would read:

White Hat Hacker Jailed For Screen Capturing His Crime

When you find a vulnerability you can:

  1. Report it, or
  2. Exploit it.

What is ill-advised is to screen capture yourself exploiting a vulnerability and then publishing it.

It’s true that corrupt politics are at play here but what other kind did you think existed?

No one, especially incompetent leadership, enjoys being embarrassed. Incompetent political leadership is often in a position to retaliate against those who embarrass it. Just a word to the wise.

PS: If you are going to commit a cyber-crime, best thinking is to NOT record it.

by Patrick Durusau at May 09, 2016 08:32 PM

Who Is Special Agent Mark W. Burnett? (FBI)

In FBI Harassment, Tor developer isis agora lovecruft describes a tale of FBI harrassment, that begins with this business card:


The card was left while no one was at home. At best the business card is a weak indicator of a visitor’s identity. It was later confirmed Mark W. Burnett had visited, in various conversations between counsel and the FBI. See the original post for the harassment story.

What can we find out about Special Agent Mark W. Burnett? Reasoning if the FBI is watching us, we damned sure better be watching them.

The easiest thing to find is that Mark W. Burnett isn’t a “special agent in charge,” as per the FBI webpage for the Los Angeles office. A “special agent in charge” is a higher “rank” than a “special agent.”

Turning to Google, here’s a screenshot of my results:


The first two “hits” are the same Special Agent Mark W. Burnett (the second one requires a password) but the first one says in relevant part:

Special Luncheon Speaker – Mr. Mark W. Burnett, FBI Cyber Special Agent, who will discuss the Bureau’s efforts regarding cyber security measures

The event was:

3rd Annual West Coast Cyber Security Summit
Special Report on Cyber Technology and Its Impact on the Banking Community
The California Club
538 South Flower Street, Los Angeles, CA 90071
Tuesday, May 13, 2014

If you don’t know the California Club, as the song says “…you aren’t supposed to be here.”

So we know that Mark W. Burnett was working for the FBI in May of 2014.

The third “hit” is someone who says they know a Mark W. Burnett but it doesn’t go any further than that.

The last two “hits” are interesting because they both point to the Congressional Record on February 1, 2010, wherein the Senate confirms the promotion of a “Mark. W. Burnett” to the rank of colonel in the United States Army.

I searched U.S. District Court decisions at Justia but could not find any cases where Mark W. Burnett appeared.

The hand written “desk phone” detracts from the professionalism of the business card. It also indicates that Mark hasn’t been in the Los Angeles office long enough to get better cards.

What do you know about Special Agent Mark W. Burnett?

PS: There are hundreds of FBI agents from Los Angeles on LinkedIn but Mark W. Burnett isn’t one of them. At least not by that name.

by Patrick Durusau at May 09, 2016 03:38 PM

Canary Watch [Tracking Warrant Service?]

Canary Watch

From the webpage:

“Warrant canary” is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received, such as a national security letter. Canarywatch tracks and documents these statements. This site lists warrant canaries we know about, tracks changes or disappearances of canaries, and allows submissions of canaries not listed on the site.

Follow us on Twitter for updates and notifications about canaries on this site.

All of the “warrant canaries” I saw listed were from service providers and other organizations.

I recently saw a “warrant canary” posted by an individual (more on that this week).

The thought did occur to me that if enough individuals had “warrant canaries” on fairly short (monthly?) renewal cycles, it would be possible to track the service of warrants through particular communities.


by Patrick Durusau at May 09, 2016 03:29 AM

May 07, 2016

Patrick Durusau

DIY – Chilling Free Speech

Homeland Security Wants To Subpoena Us Over A Clearly Hyperbolic Techdirt Comment by Mike Masnick.

The Department of Homeland Security (DHS) has contacted Techdirt by phone and email asking where to send a subpoena and saying a subpoena was on the way for the identity of a commenter on Techdirt.

From Mike’s post:

Now, it’s entirely possible that there are more details here involving a legitimate investigation, but it’s difficult to believe that’s the case given the information we have to date. Also, we have not yet received the subpoena, just the phone calls and emails suggesting that it’s on its way. Normally, we’d wait for the details before publishing, but given a very similar situation involving commenters on the site Reason last year, which included a highly questionable and almost certainly unconstitutional gag order preventing Reason from speaking about it, we figured it would be worth posting about it before we’ve received any such thing.

While I appreciate Mike and Techdirt sounding the alarm about a possible subpoena, it is also distinctly possible that was the intended result of the contacts by DHS.

Not that Mike or Techdirt give a toss about the opinions held by DHS, but you can bet there are commenters and potential commenters who are quite so brave.

DHS and its unsavory companions in the government don’t have to seize newspapers, burn presses, or any of the overt things we usually associate with censorship.

They are much more insidious, not to mention cowardly.

The DHS avoids taking a chance a court might refuse its request for a subpoena but still creates a climate of fear for commenters at Techdirt.

Courts can’t rule on what is not presented to them and the DHS is well aware of that fact.

Which raises the interesting question: How often does DHS call or email about subpoenas and no subpoenas arrive? Is this, as I suspect, a systematic practice at DHS?

Question: Is anyone tracking DHS phone calls and emails about subpoenas? Where no subpoena arrives?

PS: I disagree that calling for violence, even in hyperbole, is in poor taste. People are condemned to death and worse every day in the polite language of privilege and power. It’s time we stopped having a double standard for privileged versus non-privileged violence.

by Patrick Durusau at May 07, 2016 01:21 PM