Planet Russell

,

Planet DebianChris Lamb: Free software activities in August 2019

Here is my monthly update covering most of what I have been doing in the free software world during August 2019 (previous month):

  • Opened pull requests to make the build reproducible for Mozilla's Bleach [...] and the re2c regular expression library [...].

Tails

For the Tails privacy-oriented operating system, I was made a number of updates as part of the pkg-privacy-tools team in Debian:

  • onionshare:

    • Package new upstream version 2.1. [...]
    • Correct spelling, format and syntax errors in manpage.
    • Update debian/copyright; socks.py no longer in upstream.
    • Misc updates:
      • Drop "ancient" X-Python3-Version specifier (satisfied in oldoldstable).
      • Move to debhelper compatibility level 12 and use the debhelper-compat virtual package, dropping debian/compat.
    • debian/watch: Ignore dev releases and move to version 4 format.
  • monkeysphere:

    • Prevent a FTBFS by updating the tests to accommodate an updated GnuPG in stretch now producing a different output. (#934034).

    • I also filed a "proposed update" to actually update the package in the stretch distribution. (#934775)

  • onioncircuits: Update continuous integration tests to the Python 3.x version of Dogtail. (#935174)

  • seahorse-nautilus: (Almost) no-change upload to unstable to ensure migration to the testing distribution as binaries were uploaded with previous 3.11.92-3 release. [...]

  • obfs4proxy: Move to using the debian-compat virtual package, level 12. [...]


Reproducible builds

Whilst anyone can inspect the source code of free software for malicious flaws almost all software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised.

The initiative is proud to be a member project of the Software Freedom Conservancy, a not-for-profit 501(c)(3) charity focused on ethical technology and user freedom.

Conservancy acts as a corporate umbrella, allowing projects to operate as non-profit initiatives without managing their own corporate structure. If you like the work of the Conservancy or the Reproducible Builds project, please consider becoming an official supporter.

This month:


I also made the following changes to our tooling:

diffoscope

diffoscope is our in-depth and content-aware diff utility that can locate and diagnose reproducibility issues.

Improvements:

  • Don't fallback to an unhelpful raw hexdump when, for example, readelf(1) reports an minor issue in a section in an ELF binary. For example, when the .frames section is of the NOBITS type its contents are apparently "unreliable" and thus readelf(1) returns 1. (#58, #931962)
  • Include either standard error or standard output (not just the latter) when an external command fails. [...]

Bug fixes:

  • Skip calls to unsquashfs when we are neither root nor running under fakeroot. (#63)
  • Ensure that all of our artificially-created subprocess.CalledProcessError instances have output instances that are bytes objects, not str. [...]
  • Correct a reference to parser.diff; diff in this context is a Python function in the module. [...]
  • Avoid a possible traceback caused by a str/bytes type confusion when handling the output of failing external commands. [...]

Testsuite improvements:

  • Test for 4.4 in the output of squashfs -version, even though the Debian package version is 1:4.3+git190823-1. [...]
  • Apply a patch from László Böszörményi to update the squashfs test output and additionally bump the required version for the test itself. (#62 & #935684)
  • Add the wabt Debian package to the test-dependencies so that we run the WebAssembly tests on our continuous integration platform, etc. [...]

Improve debugging:

  • Add the containing module name to the (eg.) Using StaticLibFile for ... debugging messages. [...]
  • Strip off trailing "original size modulo 2^32 671" (etc.) from gzip compressed data as this is just a symptom of the contents itself changing that will be reflected elsewhere. (#61)
  • Avoid a lack of space between "... with return code 1" and "Standard output". [...]
  • Improve debugging output when instantantiating our Comparator object types. [...]
  • Add a literal "eg." to the comment on stripping "original size modulo..." text to emphasise that the actual numbers are not fixed. [...]

Internal code improvements:

  • No need to parse the section group from the class name; we can pass it via type built-in kwargs argument. [...]
  • Add support to Difference.from_command_exc and friends to ignore specific returncodes from the called program and treat them as "no" difference. [...]
  • Simplify parsing of optional command_args argument to Difference.from_command_exc. [...]
  • Set long_description_content_type to text/x-rst to appease the PyPI.org linter. [...]
  • Reposition a comment regarding an exception within the indented block to match Python code convention. [...]


strip-nondeterminism

strip-nondeterminism is our tool to remove specific non-deterministic results from a completed build.

  • Add support for enabling and disabling specific normalizers via the command line. (#10)
  • Drop accidentally-committed warning emitted on every fixture-based test. [...]
  • Reintroduce the .ar normalizer [...] but disable it by default so that it can be enabled with --normalizers=+ar or similar. (#3)
  • In verbose mode, print the normalizers that strip-nondeterminism will apply. [...]

Debian

Lintian

More hacking on the Lintian static analysis tool for Debian packages, including uploading versions 2.17.0, 2.18.0 and 2.19.0:

New features:

Bug fixes:

Other:


Debian LTS

This month I have worked 18 hours on Debian Long Term Support (LTS) and 12 hours on its sister Extended LTS project.

  • Frontdesk duties, responding to user/developer questions, reviewing others' packages, participating in mailing list discussions, etc.

  • Investigated and triaged cent, clamav, enigmail, freeradius, ghostscript, libcrypto++, musl, open-cobol, pango1.0, php5, python-django, python-werkzeug, radare2, salt, subversion, suricata, u-boot, xtrlock & yara.

  • Updated our lts-cve-triage.py script to correct undefined reference to colored when standard output is not a terminal [...] and address a number of flake8 issues [...].

  • Worked on a number of interations towards a comprehensive patch to xtrlock to address an issue whereby multitouch events (such as on a tablet or many modern laptops) are not correct locked. Whilst originally filed by a user as #830726 whilst triaging issues for this package I was able to reproduce it. I thus requested and was granted my first CVE number (CVE-2016-10894) and hope to upload a patched version early next month.

  • Issued DLA 1896-1 for to fix a remote arbitrary code vulnerability in commons-beanutils, a set of tools and utilities for manipulating JavaBeans.

  • Issued DLA 1872-1 for the Django web development framework correcting two denial of service vulnerabilities and requiring a backport of upstream's patch series. I also fixed these issues in the buster distribution as well as an SQL injection possibility and potential memory exhaustion issues.

You can find out more about the project in the following video:


Debian uploads


FTP Team

As a Debian FTP assistant I ACCEPTed 28 packages: bitshuffle, golang-github-abdullin-seq, golang-github-centurylinkcloud-clc-sdk, golang-github-cnf-structhash, golang-github-deanthompson-ginpprof, golang-github-ensighten-udnssdk, golang-github-gin-contrib-cors, golang-github-gin-contrib-gzip, golang-github-gin-contrib-static, golang-github-hansrodtang-randomcolor, golang-github-jarcoal-httpmock, golang-github-mcuadros-go-gin-prometheus, golang-github-mitchellh-go-linereader, golang-github-nesv-go-dynect, golang-github-sethvargo-go-fastly, golang-github-terra-farm-udnssdk, golang-github-yourbasic-graph, golang-github-ziutek-mymysql, golang-gopkg-go-playground-colors.v1, gulkan, kdeplasma-applets-xrdesktop, libcds, libinputsynth, openvr, parfive, transip, znc & znc-push.

,

CryptogramFriday Squid Blogging: Why Mexican Jumbo Squid Populations Have Declined

A group of scientists conclude that it's shifting weather patterns and ocean conditions.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

TEDWhat does it mean to become a TED Fellow?

TED Fellows celebrate the 10-year anniversary of the program at TEDSummit: A Community Beyond Borders, July 22, 2019 in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Every year, TED begins a new search looking for the brightest thinkers and innovators to be part of the TED Fellows program. With nearly 500 visionaries representing 300 different disciplines, these extraordinary individuals are making waves, disrupting the status quo and creating real impact.

Through a rigorous application process, we narrow down our candidate pool of thousands to just 20 exceptional people. (Trust us, this is not easy to do.) You may be wondering what makes for a good application (read more about that here), but just as importantly: What exactly does it mean to be a TED Fellow? Yes, you’ll work hand-in-hand with the Fellows team to give a TED Talk on stage, but being a Fellow is so much more than that. Here’s what happens once you get that call.

1. You instantly have a built-in support system.

Once selected, Fellows become part of our active global community. They are connected to a diverse network of other Fellows who they can lean on for support, resources and more. To get a better sense of who these people are (fishing cat conservationists! space environmentalists! police captains!), take a closer look at our class of 2019 Fellows, who represent 12 countries across four continents. Their common denominator? They are looking to address today’s most complex challenges and collaborate with others — which could include you.

2. You can participate in TED’s coaching and mentorship program.

To help Fellows achieve an even greater impact with their work, they are given the opportunity to participate in a one-of-a-kind coaching and mentoring initiative. Collaboration with a world-class coach or mentor helps Fellows maximize effectiveness in their professional and personal lives and make the most of the fellowship.

The coaches and mentors who support the program are some of the world’s most effective and intuitive individuals, each inspired by the TED mission. Fellows have reported breakthroughs in financial planning, organizational effectiveness, confidence and interpersonal relationships thanks to coaches and mentors. Head here to learn more about this initiative. 

3. You’ll receive public relations guidance and professional development opportunities, curated through workshops and webinars. 

Have you published exciting new research or launched a groundbreaking project? We partner with a dedicated PR agency to provide PR training and valuable media opportunities with top tier publications to help spread your ideas beyond the TED stage. The TED Fellows program has been recognized by PR News for our “PR for Fellows” program.

In addition, there are vast opportunities for Fellows to hone their skills and build new ones through invigorating workshops and webinars that we arrange throughout the year. We also maintain a Fellows Blog, where we continue to spotlight Fellows long after they give their talks.

***

Over the last decade, our program has helped Fellows impact the lives of more than 180 million people. Success and innovation like this doesn’t happen in a vacuum — it’s sparked by bringing Fellows together and giving them this kind of support. If this sounds like a community you want to join, apply to become a TED Fellow by August 27, 2019 11:59pm UTC.

Sociological ImagesSurviving Student Debt

Recent estimates indicate that roughly 45 million students in the United States have incurred student loans during college. Democratic candidates like Senators Elizabeth Warren and Bernie Sanders have proposed legislation to relieve or cancel  this debt burden. Sociologist Tressie McMillan Cottom’s congressional testimony on behalf of Warren’s student loan relief plan last April reveals the importance of sociological perspectives on the debt crisis. Sociologists have recently documented the conditions driving student loan debt and its impacts across race and gender. 

College debt is the new black.
Photo Credit: Mike Rastiello, Flickr CC

In recent decades, students have enrolled in universities at increasing rates due to the “education gospel,” where college credentials are touted as public goods and career necessities, encouraging students to seek credit. At the same time, student loan debt has rapidly increased, urging students to ask whether the risks of loan debt during early adulthood outweigh the reward of a college degree. Student loan risks include economic hardship, mental health problems, and delayed adult transitions such as starting a family.Individual debt has also led to disparate impacts among students of color, who are more likely to hail from low-income families. Recent evidence suggests that Black students are more likely to drop out of college due to debt and return home after incurring more debt than their white peers. Racial disparities in student loan debt continue into their mid-thirties and impact the white-Black racial wealth gap.

365.75
Photo Credit: Kirstie Warner, Flickr CC

Other work reveals gendered disparities in student debt. One survey found that while women were more likely to incur debt than their male peers, men with higher levels of student debt were more likely to drop out of college than women with similar amounts of debt. The authors suggest that women’s labor market opportunities — often more likely to require college degrees than men’s — may account for these differences. McMillan Cottom’s interviews with 109 students from for-profit colleges uncovers how Black, low-income women in particular bear the burden of student loans. For many of these women, the rewards of college credentials outweigh the risks of high student loan debt.

Amber Joy is a PhD candidate in the Department of Sociology at the University of Minnesota. Her current research interests include punishment, policing, victimization, youth, and the intersections of race, gender, and sexuality. Her dissertation explores youth responses to sexual violence within youth correctional facilities.

(View original at https://thesocietypages.org/socimages)

Krebs on SecurityPhishers are Angling for Your Cloud Providers

Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals.

Stamford, Ct.-based United Rentals [NYSE:URI] is the world’s largest equipment rental company, with some 18,000 employees and earnings of approximately $4 billion in 2018. On August 21, multiple United Rental customers reported receiving invoice emails with booby-trapped links that led to a malware download for anyone who clicked.

While phony invoices are a common malware lure, this particular campaign sent users to a page on United Rentals’ own Web site (unitedrentals.com).

A screen shot of the malicious email that spoofed United Rentals.

In a notice to customers, the company said the unauthorized messages were not sent by United Rentals. One source who had at least two employees fall for the scheme forwarded KrebsOnSecurity a response from UR’s privacy division, which blamed the incident on a third-party advertising partner.

“Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns,” the response read.

“The unauthorized party was able to send a phishing email that appears to be from United Rentals through this platform,” the reply continued. “The phishing email contained links to a purported invoice that, if clicked on, could deliver malware to the recipient’s system. While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems.”

United Rentals told KrebsOnSecurity that its investigation so far reveals no compromise of its internal systems.

“At this point, we believe this to be an email phishing incident in which an unauthorized third party used a third-party system to generate an email campaign to deliver what we believe to be a banking trojan,” said Dan Higgins, UR’s chief information officer.

United Rentals would not name the third party marketing firm thought to be involved, but passive DNS lookups on the UR subdomain referenced in the phishing email (used by UL for marketing since 2014 and visible in the screenshot above as “wVw.unitedrentals.com”) points to Pardot, an email marketing division of cloud CRM giant Salesforce.

Companies that use cloud-based CRMs sometimes will dedicate a domain or subdomain they own specifically for use by their CRM provider, allowing the CRM to send emails that appear to come directly from the client’s own domains. However, in such setups the content that gets promoted through the client’s domain is actually hosted on the cloud CRM provider’s systems.

Salesforce told KrebsOnSecurity that this was not a compromise of Pardot, but of a Pardot customer account that was not using multi-factor authentication.

“UR uses a third party marketing agency that utilizes the Pardot platform,” said Salesforce spokesman Bradford Burns. “The third party marketing agency is who was compromised, not a Pardot employee.”

This attack comes on the heels of another targeted phishing campaign leveraging Pardot that was documented earlier this month by Netskope, a cloud security firm. Netskope’s Ashwin Vamshi said users of cloud CRM platforms have a high level of trust in the software because they view the data and associated links as internal, even though they are hosted in the cloud.

“A large number of enterprises provide their vendors and partners access to their CRM for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows),” Vamshi wrote. “The enterprise has no control over the vendor or partner device and, more importantly, over the files being uploaded from them. In many cases, vendor- or partner-uploaded files carry with them a high level of implicit trust.”

Cybercriminals increasingly are targeting cloud CRM providers because compromised accounts on these systems can be leveraged to conduct extremely targeted and convincing phishing attacks. According to the most recent stats (PDF) from the Anti-Phishing Working Group, software-as-a-service providers (including CRM and Webmail providers) were the most-targeted industry sector in the first quarter of 2019, accounting for 36 percent of all phishing attacks.

Image: APWG

Update, 2:55 p.m. ET: Added comments and responses from Salesforce.

Planet DebianDimitri John Ledkov: How to disable TLS 1.0 and TLS 1.1 on Ubuntu

Example of website that only supports TLS v1.0, which is rejected by the client

Overivew

TLS v1.3 is the latest standard for secure communication over the internet. It is widely supported by desktops, servers and mobile phones. Recently Ubuntu 18.04 LTS received OpenSSL 1.1.1 update bringing the ability to potentially establish TLS v1.3 connections on the latest Ubuntu LTS release. Qualys SSL Labs Pulse report shows more than 15% adoption of TLS v1.3. It really is time to migrate from TLS v1.0 and TLS v1.1.

As announced on the 15th of October 2018 Apple, Google, and Microsoft will disable TLS v1.0 and TLS v1.1 support by default and thus require TLS v1.2 to be supported by all clients and servers. Similarly, Ubuntu 20.04 LTS will also require TLS v1.2 as the minimum TLS version as well.

To prepare for the move to TLS v1.2, it is a good idea to disable TLS v1.0 and TLS v1.1 on your local systems and start observing and reporting any websites, systems and applications that do not support TLS v1.2.

How to disable TLS v1.0 and TLS v1.1 in Google Chrome on Ubuntu

  1. Create policy directory
    sudo mkdir -p /etc/opt/chrome/policies/managed
  2. Create /etc/opt/chrome/policies/managed/mintlsver.json with
    {
        "SSLVersionMin" : "tls1.2"

How to disable TLS v1.0 and TLS v1.1 in Firefox on Ubuntu

  1. Navigate to about:config in the URL bar
  2. Search for security.tls.version.min setting
  3. Set it to 3, which stand for minimum TLS v1.2

How to disable TLS v1.0 and TLS v1.1 in OpenSSL

  1. Edit /etc/ssl/openssl.cnf
  2. After oid_section stanza add
    # System default
    openssl_conf = default_conf
  3. After oid_section stanza add
    [default_conf]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2
  4.  Save the file

How to disable TLS v1.0 and TLS v1.1 in GnuTLS

  1. Create config directory
    sudo mkdir -p /etc/gnutls/
  2. Create /etc/gnutls/default-priorities with
    SYSTEM=SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2 
After performing above tasks most common applications will use TLS v1.2+

I have set these defaults on my systems, and I occasionally hit websites that only support TLS v1.0 and I report them. Have you found any websites and systems you use that do not support TLS v1.2 yet?

Planet DebianJonathan Dowland: PhD Stage 1 Progression Report

As promised, here's the report I wrote for my PhD Stage 1 progression in the hope that it is useful or interesting to someone. I've made some very small modifications to the submitted copy in order to remove some personal information.

I'll reiterate something from when I published my proposal:

A document produced for one institution's expectations might not be directly applicable to another. … You don't have any idea whether it has been judged to be particularly good or bad one by those who received it (you can make your own judgements).

CryptogramAttacking the Intel Secure Enclave

Interesting paper by Michael Schwarz, Samuel Weiser, Daniel Gruss. The upshot is that both Intel and AMD have assumed that trusted enclaves will run only trustworthy code. Of course, that's not true. And there are no security mechanisms that can deal with malicious enclaves, because the designers couldn't imagine that they would be necessary. The results are predictable.

The paper: "Practical Enclave Malware with Intel SGX."

Abstract: Modern CPU architectures offer strong isolation guarantees towards user applications in the form of enclaves. For instance, Intel's threat model for SGX assumes fully trusted enclaves, yet there is an ongoing debate on whether this threat model is realistic. In particular, it is unclear to what extent enclave malware could harm a system. In this work, we practically demonstrate the first enclave malware which fully and stealthily impersonates its host application. Together with poorly-deployed application isolation on personal computers, such malware can not only steal or encrypt documents for extortion, but also act on the user's behalf, e.g., sending phishing emails or mounting denial-of-service attacks. Our SGX-ROP attack uses new TSX-based memory-disclosure primitive and a write-anything-anywhere primitive to construct a code-reuse attack from within an enclave which is then inadvertently executed by the host application. With SGX-ROP, we bypass ASLR, stack canaries, and address sanitizer. We demonstrate that instead of protecting users from harm, SGX currently poses a security threat, facilitating so-called super-malware with ready-to-hit exploits. With our results, we seek to demystify the enclave malware threat and lay solid ground for future research on and defense against enclave malware.

,

Krebs on SecurityRansomware Bites Dental Data Backup Firm

PerCSoft, a Wisconsin-based company that manages a remote data backup service relied upon by hundreds of dental offices across the country, is struggling to restore access to client systems after falling victim to a ransomware attack.

West Allis, Wis.-based PerCSoft is a cloud management provider for Digital Dental Record (DDR), which operates an online data backup service called DDS Safe that archives medical records, charts, insurance documents and other personal information for various dental offices across the United States.

The ransomware attack hit PerCSoft on the morning of Monday, Aug. 26, and encrypted dental records for some — but not all — of the practices that rely on DDS Safe.

PercSoft did not respond to requests for comment. But Brenna Sadler, director of  communications for the Wisconsin Dental Association, said the ransomware encrypted files for approximate 400 dental practices, and that somewhere between 80-100 of those clients have now had their files restored.

Sadler said she did not know whether PerCSoft and/or DDR had paid the ransom demand, what ransomware strain was involved, or how much the attackers had demanded.

But updates to PerCSoft’s Facebook page and statements published by both PerCSoft and DDR suggest someone may have paid up: The statements note that both companies worked with a third party software company and were able to obtain a decryptor to help clients regain access to files that were locked by the ransomware.

Update: Several sources are now reporting that PerCSoft did pay the ransom, although it is not clear how much was paid. One member of a private Facebook group dedicated to IT professionals serving the dental industry shared the following screenshot, which is purportedly from a conversation between PerCSoft and an affected dental office, indicating the cloud provider was planning to pay the ransom:

Another image shared by members of that Facebook group indicates the ransomware that attacked PerCSoft is an extremely advanced and fairly recent strain known variously as REvil and Sodinokibi.

Original story:

However, some affected dental offices have reported that the decryptor did not work to unlock at least some of the files encrypted by the ransomware. Meanwhile, several affected dentistry practices said they feared they might be unable to process payroll payments this week as a result of the attack.

Cloud data and backup services are a prime target of cybercriminals who deploy ransomware. In July, attackers hit QuickBooks cloud hosting firm iNSYNQ, holding data hostage for many of the company’s clients. In February, cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files. In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual.

It remains unclear whether PerCSoft or DDR — or perhaps their insurance provider — paid the ransom demand in this attack. But new reporting from independent news outlet ProPublica this week sheds light on another possible explanation why so many victims are simply coughing up the money: Their insurance providers will cover the cost — minus a deductible that is usually far less than the total ransom demanded by the attackers.

More to the point, ProPublica found, such attacks may be great for business if you’re in the insurance industry.

“More often than not, paying the ransom is a lot cheaper for insurers than the loss of revenue they have to cover otherwise,” said Minhee Cho, public relations director of ProPublica, in an email to KrebsOnSecurity. “But, by rewarding hackers, these companies have created a perverted cycle that encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.”

“In fact, it seems hackers are specifically extorting American companies that they know have cyber insurance,” Cho continued. “After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware.”

Read the full ProPublica piece here. And if you haven’t already done so, check out this outstanding related reporting by ProPublica from earlier this year on how security firms that help companies respond to ransomware attacks also may be enabling and emboldening attackers.

Planet DebianDirk Eddelbuettel: anytime 0.3.6

A fresh and very exciting release of the anytime package is arriving on CRAN right now. This is the seventeenth release, and it comes pretty much exactly one month after the preceding 0.3.5 release.

anytime is a very focused package aiming to do just one thing really well: to convert anything in integer, numeric, character, factor, ordered, … format to either POSIXct or Date objects – and to do so without requiring a format string. See the anytime page, or the GitHub README.md for a few examples.

This release updates a number of things (see below for details). For users, maybe the most important change is that we now also convert single-digit months, i.e. a not-quite ISO input like “2019-7-5” passes. This required adding %e as a month format; I had overlooked this detail in the (copious) Boost date_time documentation. Another nice change is that we now use standard S3 dispatching rather a manual approach as we probably should have for a long time :-) but better late than never. The code change was actually rather minimal and done in a few minutes. Another change is a further extended use of unit testing via the excellent tinytest package which remains a joy to use. We also expanded the introductory pdf vignette; the benchmark comparisons we included look pretty decent for anytime which still combines ease of use and versability with performance.

Lastly, a somewhat sad “lowlight”. We submitted the package to the Journal of Open Source Software who then told us within days of the unworthyness of anytime for lack of research focus. Needless to see, we disagree. So here is plea: If you use anytime in a research setting, would you mind adding to the this very issue ticket and saying so? This may permit us a somewhat more emphatic data-driven riposte to the editors. Many thanks in advance for considering this.

The full list of changes follows.

Changes in anytime version 0.3.6 (2019-08-29)

  • Added, and then removed, required file for JOSS; added 'unworthy' badge as we earned a desk reject (cf #1605 there).

  • Renamed internal helper function format() to fmt() to avoid clashes with base::format() (Dirk in #104).

  • Use S3 dispatch and generics for key functions (Dirk in #106).

  • Continued to tweak tests as we find some of the rhub platform to behave strangely (Dirk via commits as well as #107).

  • Added %e format for single-digit day parsing by Boost (Dirk addressing at least #24, #70 and #99).

  • Expansed and updated vignette with benchmark comparisons.

  • Updated unit tests using tinytest which remains a pleasure to use; versioned Suggests: is now '>= 1.0.0'.

Courtesy of CRANberries, there is a comparison to the previous release. More information is on the anytime page. The issue tracker tracker off the GitHub repo can be use for questions and comments.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

CryptogramAI Emotion-Detection Arms Race

Voice systems are increasingly using AI techniques to determine emotion. A new paper describes an AI-based countermeasure to mask emotion in spoken words.

Their method for masking emotion involves collecting speech, analyzing it, and extracting emotional features from the raw signal. Next, an AI program trains on this signal and replaces the emotional indicators in speech, flattening them. Finally, a voice synthesizer re-generates the normalized speech using the AIs outputs, which gets sent to the cloud. The researchers say that this method reduced emotional identification by 96 percent in an experiment, although speech recognition accuracy decreased, with a word error rate of 35 percent.

Academic paper.

Worse Than FailureCodeSOD: Bassackwards Compatibility

A long time ago, you built a web service. It was long enough ago that you chose XML as your serialization format. It worked fine, but before long, customers started saying that they’d really like to use JSON, so now you need to expose a slightly different, JSON-powered version of your API. To make it easy, you release a JSON client developers can drop into their front-ends.

Conor is one of those developers, and while examining the requests the client sent, he discovered a unique way of making your XML web-service JSON-friendly.

{"fetch":"<fetch version='1.0'><entity><entityDescriptor id='10'/>…<loadsMoreXML/></entity></fetch>"}

Simplicity itself!

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

,

Planet DebianSteve McIntyre: If you can't stand the heat, get out of the kitchen...

Wow, we had a hot weekend in Cambridge. About 40 people turned up to our place in Cambridge for this year's OMGWTFBBQ. Last year we were huddling under the gazebos for shelter from torrential rain; this year we again had all the gazebos up, but this time to hide from the sun instead. We saw temperatures well into the 30s, which is silly for Cambridge at the end of August.

I think it's fair to say that everybody enjoyed themselves despite the ludicrous heat levels. We had folks from all over the UK, and Lars and Soile travelled all the way from Helsinki in Finland to help him celebrate his birthday!

cake!

We had a selection of beers again from the nice folks at Milton Brewery:
is 3 firkins enough?

Lars made pancakes, Paul made bread, and people brought lots of nice food and drink with them too.

Many thanks to a number of awesome friendly companies for again sponsoring the important refreshments for the weekend. It's hungry/thirsty work celebrating like this!

Planet DebianJulien Danjou: The Art of PostgreSQL is out!

The Art of PostgreSQL is out!

If you remember well, a couple of years ago, I wrote about Mastering PostgreSQL, a fantastic book written by my friend Dimitri Fontaine.

Dimitri is a long-time PostgreSQL core developer — for example, he wrote the extension support in PostgreSQL — no less. He is featured in my book Serious Python, where he advises on using databases and ORM in Python.

Today, Dimitri comes back with the new version of this book, named The Art of PostgreSQL.

The Art of PostgreSQL is out!As a bonus, here's a picture of me and Dimitri having fun in a PostgreSQL meetup!

I love the motto of this book: Turn Thousands of Lines of Code into Simple Queries. I have spent all my career working with code that talks to databases, and I can't count the number of times where I've seen people write lengthy, slow code in their pet language rather than a single well-thought SQL query which would do a better job.

The Art of PostgreSQL is out!

This is exactly what this book is about.

That's why it's my favorite SQL book. I learned so many things from it. In many cases, I've been able to divide by 10 the size of the code I had to write in Python to implement a feature. All I had to do is to browse the book to discover the right PostgreSQL feature and write a single SQL query. The right query that does the job for me.

Less code, fewer bugs, more happiness!

The book also features interviews with great PostgreSQL users and developers — hey, no wonder where Dimitri got this idea, right? ;-)

The Art of PostgreSQL is out!

I loved those interviews. What's better than reading Kris Jenkins explaining how Clojure and PostgreSQL play nice together, or Markus Winand (from the famous use-the-index-luke.com) talking about the relationship developers have with their database. :-)

No need to say that you should get your hands on this right now. Dimitri just made a launch offer where he offers a 15% discount on the book until the end of this month! You can also read the free chapter to get an idea of what you'll get.

Last thing: it's DRM-free and money-back guaranteed. You can get this book with your eyes closed.

The Art of PostgreSQL is out!

Google AdsenseSimplifying our content policies for publishers

One of our top priorities is to sustain a healthy digital advertising ecosystem, one that works for everyone: users, advertisers and publishers. On a daily basis, teams of Google engineers, policy experts, and product managers combat and stop bad actors. Just last year, we removed 734,000 publishers and app developers from our ad network and ads from nearly 28 million pages that violated our publisher policies.

But we’re not just stopping bad actors. Just as critical to our mission is the work we do every day to help good publishers in our network succeed. One consistent piece of feedback we’ve heard from our publishers is that they want us to further simplify our policies, across products, so they are easier to understand and follow. That’s why we'll be simplifying the way our content policies are presented to publishers, and standardizing content policies across our publisher products.

A simplified publisher experience
In September, we’ll update the way our publisher content policies are presented with a clear outline of the types of content where advertising is not allowed or will be restricted.

Our Google Publisher Policies will outline the types of content that are not allowed to show ads through any of our publisher products. This includes policies against illegal content, dangerous or derogatory content, and sexually explicit content, among others.

Our Google Publisher Restrictions will detail the types of content, such as alcohol or tobacco, that don’t violate policy, but that may not be appealing for all advertisers. Publishers will not receive a policy violation for trying to monetize this content, but only some advertisers and advertising products—the ones that choose this kind of content—will bid on it. As a result, Google Ads will not appear on this content and this content will receive less advertising than non-restricted content will. 

The Google Publisher Policies and Google Publisher Restrictions will apply to all publishers, regardless of the products they use—AdSense, AdMob or Ad Manager.

These changes are the next step in our ongoing efforts to make it easier for publishers to navigate our policies so their businesses can continue to thrive with the help of our publisher products.


Posted by:
Scott Spencer, Director of Sustainable Ads


Planet DebianArturo Borrero González: Wikimania 2019 Stockholm summary

Wikimania 2019 logo

A couple of weeks ago I attended the Wikimania 2019 conference in Stockholm, Sweden. This is the general and global conference for the Wikimedia movement, in which people interested in free knowledge gather together for a few days. The event happens annually, and this was my first time attending such conference. Wikimania 2019 main program ran for 3 days, but we had 2 pre-conference days in which a hackathon was held.

The venue was an amazing building in the Stockholm University, Aula Magna.

The hackathon reunited technical contributors, such as developers, which are interested in a variety of technical challenges in the wiki movement. You can find in the hackathon people interested in wiki edits automation, research, anti harassment tools and also infrastructure engineering and architecture, among other things.

My full time job is at the Wikimedia Cloud Services team. We provide platforms and services for wikimedia movement collaborators who want to perform technical tasks and contributions. Some examples of what we provide:

  • a public cloud service based on Openstack, AKA IaaS. We call this CloudVPS.
  • a PaaS product, based on Kubernetes and GridEngine. We call this Toolforge.
  • direct access to wiki databases in both SQL and XML format.
  • several other software products, like Quarry, PAWS, etc.

These services are widely used in the wiki community. About 40% of total edits to wiki projects come from software running in our platform. Some coworkers and myself attended the hackathon to provide support related to these tools and services, and to introduce them to new contributors.

Talk

We had session/talk called Introduction to Wikimedia Cloud Services the first day of the hackathon, and folks showed genuine interests in the things we offer. Some stuff I did during the hackathon included creating lots of Toolforge accounts, fixing issues in Cloud VPS projects, talks with many people about related technical topics, etc.

Once the hackathon ended, the main program conference started. I was amazed to see how vibrant the wiki movement is. Seeing people from all over the world sharing such a great mission and goals was really inspiring and I truly felt grateful for being part of it. The conference is joined by many wiki enthusiasts, editors and other volunteers from many organizations and local wiki chapters. For the record, the amount of paid staff from the Wikimedia Foundation is limited.

Honestly, until I attended this conference I was not aware of the scope and size of the movement and the variety of topics and approaches that involve free knowledge, the ultimate goal, which is not a far-fetched mission: we are in good track despite the many challenges :-)

After the conference, we had another week in Stockholm for a Tehcnical Engagement team offsite.

CryptogramThe Myth of Consumer-Grade Security

The Department of Justice wants access to encrypted consumer devices but promises not to infiltrate business products or affect critical infrastructure. Yet that's not possible, because there is no longer any difference between those categories of devices. Consumer devices are critical infrastructure. They affect national security. And it would be foolish to weaken them, even at the request of law enforcement.

In his keynote address at the International Conference on Cybersecurity, Attorney General William Barr argued that companies should weaken encryption systems to gain access to consumer devices for criminal investigations. Barr repeated a common fallacy about a difference between military-grade encryption and consumer encryption: "After all, we are not talking about protecting the nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications."

The thing is, that distinction between military and consumer products largely doesn't exist. All of those "consumer products" Barr wants access to are used by government officials -- heads of state, legislators, judges, military commanders and everyone else -- worldwide. They're used by election officials, police at all levels, nuclear power plant operators, CEOs and human rights activists. They're critical to national security as well as personal security.

This wasn't true during much of the Cold War. Before the Internet revolution, military-grade electronics were different from consumer-grade. Military contracts drove innovation in many areas, and those sectors got the cool new stuff first. That started to change in the 1980s, when consumer electronics started to become the place where innovation happened. The military responded by creating a category of military hardware called COTS: commercial off-the-shelf technology. More consumer products became approved for military applications. Today, pretty much everything that doesn't have to be hardened for battle is COTS and is the exact same product purchased by consumers. And a lot of battle-hardened technologies are the same computer hardware and software products as the commercial items, but in sturdier packaging.

Through the mid-1990s, there was a difference between military-grade encryption and consumer-grade encryption. Laws regulated encryption as a munition and limited what could legally be exported only to key lengths that were easily breakable. That changed with the rise of Internet commerce, because the needs of commercial applications more closely mirrored the needs of the military. Today, the predominant encryption algorithm for commercial applications -- Advanced Encryption Standard (AES) -- is approved by the National Security Agency (NSA) to secure information up to the level of Top Secret. The Department of Defense's classified analogs of the Internet­ -- Secret Internet Protocol Router Network (SIPRNet), Joint Worldwide Intelligence Communications System (JWICS) and probably others whose names aren't yet public -- use the same Internet protocols, software, and hardware that the rest of the world does, albeit with additional physical controls. And the NSA routinely assists in securing business and consumer systems, including helping Google defend itself from Chinese hackers in 2010.

Yes, there are some military applications that are different. The US nuclear system Barr mentions is one such example -- and it uses ancient computers and 8-inch floppy drives. But for pretty much everything that doesn't see active combat, it's modern laptops, iPhones, the same Internet everyone else uses, and the same cloud services.

This is also true for corporate applications. Corporations rarely use customized encryption to protect their operations. They also use the same types of computers, networks, and cloud services that the government and consumers use. Customized security is both more expensive because it is unique, and less secure because it's nonstandard and untested.

During the Cold War, the NSA had the dual mission of attacking Soviet computers and communications systems and defending domestic counterparts. It was possible to do both simultaneously only because the two systems were different at every level. Today, the entire world uses Internet protocols; iPhones and Android phones; and iMessage, WhatsApp and Signal to secure their chats. Consumer-grade encryption is the same as military-grade encryption, and consumer security is the same as national security.

Barr can't weaken consumer systems without also weakening commercial, government, and military systems. There's one world, one network, and one answer. As a matter of policy, the nation has to decide which takes precedence: offense or defense. If security is deliberately weakened, it will be weakened for everybody. And if security is strengthened, it is strengthened for everybody. It's time to accept the fact that these systems are too critical to society to weaken. Everyone will be more secure with stronger encryption, even if it means the bad guys get to use that encryption as well.

This essay previously appeared on Lawfare.com.

LongNowThe Vineyard Gazette on Revive & Restore’s Heath Hen De-extinction Efforts

 The world’s last heath hen went extinct in Martha’s Vineyard in 01932. The Revive & Restore team recently paid a visit there to discuss their efforts to bring the species back.

Members of the Revive & Restore team next to a statue of Booming Ben, the last heath hen.

From the Vineyard Gazette:

Buried deep within the woods of the Manuel Correllus State Forest is a statue of Booming Ben, the world’s final heath hen. Once common all along the eastern seaboard, the species was hunted to near-extinction in the 1870s. Although a small number of the birds found refuge on Martha’s Vineyard, they officially disappeared in 1932 — with Booming Ben, the last of their kind, calling for female mates who were no longer there to hear him.

“There is no survivor, there is no future, there is no life to be recreated in this form again,” Gazette editor Henry Beetle Hough wrote. “We are looking upon the uttermost finality which can be written, glimpsing the darkness which will not know another ray of light. We are in touch with the reality of extinction.”

The statue memorializes that reality.

Since 2013, however, a group of cutting-edge researchers with the group Revive and Restore have been hard at work to bring back the heath hen as part of an ambitious avian de-extinction project. The project got started when Ryan Phelan, who co-founded Revive and Restore with her husband, scientist and publisher of the Whole Earth Catalogue, Stewart Brand, began to think broadly about the goals for their organization.

“We started by saying what’s the most wild idea possible?” Ms. Phelan said. “What’s the most audacious? That would be bringing back an extinct species.”

Read the piece in full here.

Planet DebianDaniel Silverstone: RFH: Naming things is hard

As with all things in computing, one of two problems always seem to raise their ugly heads… We either have an off-by-one error, or we have a caching error, or we have a naming problem.

Lars and I have been working on an acceptance testing tool recently. You may have seen the soft launch announcement on Lars' blog. Sadly since that time we've discovered that Fable is an overloaded name in the domain of software quality assurance and we do not want to try and compete with Fable since (a) they were there first, and (b) accessibility is super-important and we don't want to detract from the work they're doing.

As such, this is a request for help. We need to name our tool usefully, since how can we make a git repository until we have a name? Previous incarnations of the tool were called Yarn and we chose Fable to carry on the sense of telling a story (the fundamental unit of testing in these systems is a scenario), but we are not wedded to the idea of continuing in the same vein.

If you have an idea for a name for our tool, please consider reading about it on the Fable website, and then either comment here, or send me an email, prod me on IRC, or indeed any of the various ways you have to find me.

Worse Than FailureTeleported Release

Matt works at an accounting firm, as a data engineer. He makes reports for people who don’t read said reports. Accounting firms specialize in different areas of accountancy, and Matt’s firm is a general firm with mid-size clients.

The CEO of the firm is a legacy from the last century. The most advanced technology on his desk is a business calculator and a pencil sharpener. He still doesn’t use a cellphone. But he does have a son, who is “tech savvy”, which gives the CEO a horrible idea of how things work.

Usually, this is pretty light, in that it’s sorting Excel files or sorting the output of an existing report. Sometimes the requests are bizarre or utter nonsense. And, because the boss doesn’t know what the technical folks are doing, some of the IT staff may be a bit lazy about following best practices.

This means that most of Matt’s morning is spent doing what is essentially Tier 1 support before he gets into doing his real job. Recently, there was a worse crunch, as actual support person Lucinda was out for materinity leave, and Jackie, the one other developer, was off on vacation on a foreign island with no Internet. Matt was in the middle of eating a delicious lunch of take-out lo mein when his phone rang. He sighed when he saw the number.

“Matt!” the CEO exclaimed. “Matt! We need to do a build of the flagship app! And a deploy!”

The app was rather large, and a build could take upwards of 45 minutes, depending on the day and how the IT gods were feeling. But the process was automated, the latest changes all got built and deployed each night. Anything approved was released within 24 hours. With everyone out of the office, there hadn’t been any approved changes for a few weeks.

Matt checked the Github to see if something went wrong with the automated build. Everything was fine.

“Okay, so I’m seeing that everything built on GitHub and everything is available in production,” Matt said.

“I want you to do a manual build, like you used to.”

“If I were to compile right now, it could take quite awhile, and redeploying runs the risk of taking our clients offline, and nothing would be any different.”

“Yes, but I want a build that has the changes which Jackie was working on before she left for vacation.”

Matt checked the commit history, and sure enough, Jackie hadn’t committed any changes since two weeks before leaving on vacation. “It doesn’t looked like she pushed those changes to Github.”

“Githoob? I thought everything was automated. You told me the process was automated,” the CEO said.

“It’s kind of like…” Matt paused to think of an analogy that could explain this to a golden retriever. “Your dishwasher, you could put a timer on it to run it every night, but if you don’t load the dishwasher first, nothing gets cleaned.”

There was a long pause as the CEO failed to understand this. “I want Jackie’s front-page changes to be in the demo I’m about to do. This is for Initech, and there’s millions of dollars riding on their account.”

“Well,” Matt said, “Jackie hasn’t pushed- hasn’t loaded her metaphorical dishes into the dishwasher, so I can’t really build them.”

“I don’t understand, it’s on her computer. I thought these computers were on the cloud. Why am I spending all this money on clouds?”

“If Jackie doesn’t put it on the cloud, it’s not there. It’s uh… like a fax machine, and she hasn’t sent us the fax.”

“Can’t you get it off her laptop?”

“I think she took it home with her,” Matt said.

“So?”

“Have you ever seen Star Trek? Unless Scotty can teleport us to Jackie’s laptop, we can’t get at her files.”

The CEO locked up on that metaphor. “Can’t you just hack into it? I thought the NSA could do that.”

“No-” Matt paused. Maybe Matt could try and recreate the changes quickly? “How long before this meeting?” he asked.

“Twenty minutes.”

“Just to be clear, you want me to do a local build with files I don’t have by hacking them from a computer which may or may not be on and connected to the Internet, and then complete a build process which usually takes 45 minutes- at least- deploy to production, so you can do a demo in twenty minutes?”

“Why is that so difficult?” the CEO demanded.

“I can call Jackie, and if she answers, maybe we can figure something out.”

The CEO sighed. “Fine.”

Matt called Jackie. She didn’t answer. Matt left a voicemail and then went back to eating his now-cold lo mein.

[Advertisement] Forget logs. Next time you're struggling to replicate error, crash and performance issues in your apps - Think Raygun! Installs in minutes. Learn more.

,

Planet DebianMike Gabriel: Release of nx-libs 3.5.99.22 (Call for Testing: Keyboard auto-grab Support)

Long time not blogged about, however, there is a new release of nx-libs: nx-libs 3.5.99.22.

What is nx-libs?

The nx-libs team maintains a software originally developed by NoMachine under the name nx-X11 (version 3) or shorter: NXv3. For years now, a small team of volunteers is continually improving, fixing and maintaining the code base (after some major and radical cleanups) of NXv3. NXv3 aka x2goagent has been the only graphical backend in X2Go [0], a remote desktop framework for Linux terminal servers, over the past years.

(Spoiler: in the near future, there will be two graphical backends for X2Go sessions, if you got curious... stay tuned...).

Credits

You may have noticed, that I skipped announcing several releases of nx-libs. All interim releases should have had their own announcements, indeed, as each of them deserved it. So I am sorry and I dearly apologize for not mentioning all the details of each individual release. I am sorry for not giving credits to the team of developers around me who do pretty hard work on keeping this beast intact.

The more, let me here here and now especially give credits to Ulrich Sibiller, Mihai Moldovan and Mario Trangoni for keeping the torch burning and for actually having achieved awesome results in each of the recent nx-libs releases over the past year or so. Thanks, folks!!!

Luckily, Mihai Moldovan (X2Go Release Manager) wrote regular release announcements for every version of nx-libs that he pulled over to the X2Go Git site and the X2Go upstream-DEBs archive site [1]. Also a big thanks for this!

Changes for nx-libs 3.5.99.21 and 3.5.99.22

3.5.99.21

  • Ulrich Sibiller did a major memory leak, double-free, etc. hunt all over the code and fixed several of such issues. Most of them will be in nx-libs shipped with Debian 10.1. (The one that is not yet in there has only recently been discovered).
  • There was also work done on the reparenting code when switching between fullscreen and windowed desktop session mode.
  • Ulrich Sibiller also reworked the NX-specific part of the XKB integration and cleaned up Font path handling.

For a complete list of changes, see the 3.5.99.21 upstream release commit [2].

3.5.99.22

  • The nxagent DDX code now uses the SAFE_Xfree and SAFE_free macros recently introduced everywhere.
  • The NX splash screen code had been tidied up entirely, plus: with nxagent option "-wr" you can now create a root window with white background.
  • Keyboard Auto-Grab support (see below)
  • Fix a double-free situation in the RandR implementation that occurred on NX session resumption

For a complete list of changes, see the 3.5.99.22 upstream release commit [3].

The new Feature: Keyboard auto-grab Support ( call for testing )

There is a new feature in nx-libs (aka nxagent, aka x2goagent) that people may find interesting. Ulrich Sibiller and I have been working on and off on a keyboard auto-grab feature for NX. See various discussions on nx-libs's issue tracker [4, 5, 6].

With keyboard auto-grab enabled (toggle switch is CTRL+ALT+G, configurable via /etc/{nxagent,x2goagent}/keystrokes.cfg), you can now run e.g. an "i3" [7] (or "awesome" [8]) window manager nested inside X2Go sessions with the local desktop environment also being an "i3" (or "awesome") window manager. I hear some of you cheering up now, in fact. Yes, it has become possible, finally.

Before we had this keyboard auto-grab feature in NX, it was not possible to connect to an X2Go session running i3 desktop from within an i3 window manager running on the local $DISPLAY. Keyboard input would never really end up in the X2Go session.

With keyboard auto-grab enabled, you can now nest "i3" (or "awesome") based desktops (local + remote via X2Go). If keyboard auto-grab is enabled, nearly all keyboard events (except the NX keystrokes) end up in the X2Go session window. With auto-grab disabled, all keyboard events end up in the local $DISPLAY's i3 (or "awesome") desktop.

Here is a little command line LOVE, to play with:

Log into a local desktop session, running the i3 window manager (if you have never touch i3, use awesome). If you don't know what tiling window managers are and how to use them... Try them out first.

If you are in a local i3wm session, do this from one terminal:

sudo apt-get install nxagent
nxagent -ac :1

And from another terminal:

export DISPLAY=:1
STARTUP=i3 dbus-run-session /etc/X11/Xsession

(You could do this more than once... You can use STARTUP=awesome instead of STARTUP=i3, too. ).

Have fun with nested tiling desktop environments tiled all over your screen. Use CTRL-ALT-G to toggle keyboard auto-grabbing for each NX session window individually. By default, auto-grab is disabled on startup of nxagent, so the local i3wm gets all the keyboard attention. Move the mouse over an nxagent + i3 window / tile and hit CTRL-ALT-G. Now the NX session window has all keyboard attention as long as the mouse pointer hovers above it.

And: please report any special and unexpected effects to the nx-libs issue tracker [9]. Thanks!

Have fun!!! Mike Gabriel (aka sunweaver)

References

Planet DebianMark Brown: Linux Audio Miniconference 2019

As in previous years we’re going to have an audio miniconference so we can get together and talk through issues, especially design decisions, face to face. This year’s event will be held on Sunday October 31st in Lyon, France, the day after ELC-E. This will be held at the Lyon Convention Center (the ELC-E venue), generously sponsored by Intel.

As with previous years let’s pull together an agenda through a mailing list discussion – this announcement has been posted to alsa-devel as well, the most convenient thing would be to follow up to it. Of course if we can sort things out more quickly via the mailing list that’s even better!

If you’re planning to attend please fill out the form here.

This event will be covered by the same code of conduct as ELC-E.

Thanks again to Intel for supporting this event.

Krebs on SecurityCybersecurity Firm Imperva Discloses Breach

Imperva, a leading provider of Internet firewall services that help Web sites block malicious cyberattacks, alerted customers on Tuesday that a recent data breach exposed email addresses, scrambled passwords, API keys and SSL certificates for a subset of its firewall users.

Redwood Shores, Calif.-based Imperva sells technology and services designed to detect and block various types of malicious Web traffic, from denial-of-service attacks to digital probes aimed at undermining the security of Web-based software applications.

Image: Imperva

Earlier today, Imperva told customers that it learned on Aug. 20 about a security incident that exposed sensitive information for some users of Incapsula, the company’s cloud-based Web Application Firewall (WAF) product.

“On August 20, 2019, we learned from a third party of a data exposure that impacts a subset of customers of our Cloud WAF product who had accounts through September 15, 2017,” wrote Heli Erickson, director of analyst relations at Imperva.

“We want to be very clear that this data exposure is limited to our Cloud WAF product,” Erickson’s message continued. “While the situation remains under investigation, what we know today is that elements of our Incapsula customer database from 2017, including email addresses and hashed and salted passwords, and, for a subset of the Incapsula customers from 2017, API keys and customer-provided SSL certificates, were exposed.”

Companies that use the Incapsula WAF route all of their Web site traffic through the service, which scrubs the communications for any suspicious activity or attacks and then forwards the benign traffic on to its intended destination.

Rich Mogull, founder and vice president of product at Kansas City-based cloud security firm DisruptOps, said Imperva is among the top three Web-based firewall providers in business today.

According to Mogull, an attacker in possession of a customer’s API keys and SSL certificates could use that access to significantly undermine the security of traffic flowing to and from a customer’s various Web sites.

At a minimum, he said, an attacker in possession of these key assets could reduce the security of the WAF settings and exempt or “whitelist” from the WAF’s scrubbing technology any traffic coming from the attacker. A worst-case scenario could allow an attacker to intercept, view or modify traffic destined for an Incapsula client Web site, and even to divert all traffic for that site to or through a site owned by the attacker.

“Attackers could whitelist themselves and begin attacking the site without the WAF’s protection,” Mogull told KrebsOnSecurity. “They could modify any of the security Incapsula security settings, and if they got [the target’s SSL] certificate, that can potentially expose traffic. For a security-as-a-service provider like Imperva, this is the kind of mistake that’s up there with their worst nightmare.”

Imperva urged all of its customers to take several steps that might mitigate the threat from the data exposure, such as changing passwords for user accounts at Incapsula, enabling multi-factor authentication, resetting API keys, and generating/uploading new SSL certificates.

Alissa Knight, a senior analyst at Aite Group, said the exposure of Incapsula users’ scrambled passwords and email addresses was almost incidental given that the intruders also made off with customer API keys and SSL certificates.

Knight said although we don’t yet know the cause of this incident, such breaches at cloud-based firms often come down to small but ultimately significant security failures on the part of the provider.

“The moral of the story here is that people need to be asking tough questions of software-as-a-service firms they rely upon, because those vendors are being trusted with the keys to the kingdom,” Knight said. “Even if the vendor in question is a cybersecurity company, it doesn’t necessarily mean they’re eating their own dog food.”

Planet DebianHolger Levsen: 20190827-cccamp

On my way home from CCCamp 2019

During the last week I've been swimming many times in 4 different lakes, enjoyed a great variety of talks, music, food, drinks and lots of nerdstuff. The small forest I put my tent in was illuminated through a disco ball. And almost best of it all, until an hour ago, I spent the last 72h offline with friends.

I <3 cccamp.

Planet DebianMike Gabriel: Debian goes libjpeg-turbo 2.0.x [RFH]

I recently uploaded libjpeg-turbo 2.0.2-1~exp1 to Debian experimental. This has been the first upload of the 2.0.x release series of libjpeg-turbo.

After 3 further upload iterations (~exp4 that is), the package now builds on nearly all (except 3) architectures supported by Debian.

@all: Please Test

For those architectures that libjpeg-turbo 2.0.2-1~exp* is already available in Debian experimental, please start testing your applications on Debian testing/unstable systems with libjpeg-turbo 2.0.2-1~exp* installed from experimental. If you observe any peculiarities, please file bugs against src:libjpeg-turbo on Debian BTS. Thanks!

Please note: the major 2.x release series does not introduce an SOVERSION bump, so applications don't have to be rebuilt against the newer libjpeg-turbo. Simply drop-in-replace installed libjpeg62-turbo bin:pkg by the version from Debian experimental.

[RFH] FTBFS during Unit Tests

On the alphas, powerpc and sparc64 architectures, the builds [1] fail during unit tests:

301/302 Test #155: tjunittest-static-yuv-alloc .......................   Passed   60.08 sec
302/302 Test #156: tjunittest-static-yuv-nopad .......................   Passed   60.01 sec

99% tests passed, 2 tests failed out of 302

Total Test time (real) = 121.40 sec

The following tests FAILED:
     83 - djpeg-shared-3x2-float-prog-cmp (Failed)
    234 - djpeg-static-3x2-float-prog-cmp (Failed)
Errors while running CTest
make[1]: *** [Makefile:133: test] Error 8
make[1]: Leaving directory '/<<PKGBUILDDIR>>/obj-sparc64-linux-gnu'
dh_auto_test: cd obj-sparc64-linux-gnu && make -j8 test ARGS\+=-j8 returned exit code 2
make: *** [debian/rules:40: build-arch] Error 255

As I am not so much a porter, nor a JPEG adept, I'll appreciate some help from people with more porting and/or JPEG experience. If you feel called to work on this, please ping me on IRC (OFTC) so we can coordinate our research. The packaging Git of libjpeg-turbo has recently been migrated to Salsa [2].

References

Thanks in advance to anyone who chimes in,
Mike (aka sunweaver)

Planet DebianJonathan Dowland: Debian hiatus

Back In July I decided to take a (minimum) six months hiatus from involvement in the Debian project. This is for a number of reasons, but I completely forgot to write about it publically. So here we are.

I'm going to look at things again no sooner than January 2020 and decide whether or not (or how much) to pick it back up.

CryptogramThe Threat of Fake Academic Research

Interesting analysis of the possibility, feasibility, and efficacy of deliberately fake scientific research, something I had previously speculated about.

Planet DebianColin Watson: man-db 2.8.7

I’ve released man-db 2.8.7 (announcement, NEWS), and uploaded it to Debian unstable.

There are a few things of note that I wanted to talk about here. Firstly, I made some further improvements to the seccomp sandbox originally introduced in 2.8.0. I do still think it’s correct to try to confine subprocesses this way as a defence against malicious documents, but it’s also been a pretty rough ride for some users, especially those who use various kinds of VPNs or antivirus programs that install themselves using /etc/ld.so.preload and cause other programs to perform additional system calls. As well as a few specific tweaks, a recent discussion on LWN reminded me that it would be better to make seccomp return EPERM rather than raising SIGSYS, since that’s easier to handle gracefully: in particular, it fixes an odd corner case related to glibc’s nscd handling.

Secondly, there was a build failure on macOS that took a while to figure out, not least because I don’t have a macOS test system myself. In 2.8.6 I tried to make life easier for people on this platform with a CFLAGS tweak, but I made it a bit too general and accidentally took away configure’s ability to detect undefined symbols properly, which caused very confusing failures. More importantly, I hadn’t really thought through why this change was necessary and whether it was a good idea. man-db uses private shared libraries to keep its executable size down, and it passes -no-undefined to libtool to declare that those shared libraries have no undefined symbols after linking, which is necessary to build shared libraries on some platforms. But the CFLAGS tweak above directly contradicts this! So, instead of playing core wars with my own build system, I did some refactoring so that the assertion that man-db’s shared libraries have no undefined symbols after linking is actually true: this involved moving decompression code out of libman, and arranging for the code in libmandb to take the database path as a parameter rather than as a global variable (something I’ve meant to fix for ages anyway; 252d7cbc23, 036aa910ea, a97d977b0b). Lesson: don’t make build system changes you don’t quite understand.

Planet DebianRuss Allbery: Review: Space Opera

Review: Space Opera, by Catherynne M. Valente

Publisher: Saga
Copyright: 2018
ISBN: 1-4814-9751-0
Format: Kindle
Pages: 304

Life is not, as humans had come to think, rare. The universe is packed with it, bursting at the seams. The answer to the Fermi paradox is not that life on Earth is a flukish chance. It's that, until recently, everyone else was distracted by total galactic war.

Thankfully by the time the other intelligent inhabitants of the galaxy stumble across Earth the Sentience Wars are over. They have found a workable solution to the everlasting problem of who counts as people and who counts as meat, who is sufficiently sentient and self-aware to be allowed to join the galactic community and who needs to be quietly annihilated and never spoken of again. That solution is the Metagalactic Grand Prix, a musical extravaganza that is also the highest-rated entertainment in the galaxy. All the newly-discovered species has to do is not finish dead last.

An overwhelmingly adorable giant space flamingo appears simultaneously to every person on Earth to explain this, and also to reassure everyone that they don't need to agonize over which musical act to send to save their species. As their sponsors and the last new species to survive the Grand Prix, the Esca have made a list of Earth bands they think would be suitable. Sadly though, due to some misunderstandings about the tragically short lifespans of humans, every entry on the list is dead but one: Decibel Jones and the Absolute Zeroes. Or their surviving two members, at least.

Space Opera is unapologetically and explicitly The Hitchhiker's Guide to the Galaxy meets Eurovision. Decibel Jones and his bandmate Oort are the Arthur Dent of this story, whisked away in an impossible spaceship to an alien music festival where they're expected to sing for the survival of their planet, minus one band member and well past their prime. When they were at the height of their career, they were the sort of sequin-covered glam rock act that would fit right in to a Eurovision contest. Decibel Jones still wants to be that person; Oort, on the other hand, has a wife and kids and has cashed in the glitterpunk life for stability. Neither of them have any idea what to sing, assuming they even survive to the final round; sabotage is allowed in the rules (it's great for ratings).

I love the idea of Eurovision, one that it shares with the Olympics but delivers with less seriousness and therefore possibly more effectiveness. One way to avoid war is to build shared cultural ties through friendly competition, to laugh with each other and applaud each other, and to make a glorious show out of it. It's a great hook for a book. But this book has serious problems.

The first is that emulating The Hitchhiker's Guide to the Galaxy rarely ends well. Many people have tried, and I don't know of anyone who has succeeded. It sits near the top of many people's lists of the best humorous SF not because it's a foundational model for other people's work, but because Douglas Adams had a singular voice that is almost impossible to reproduce.

To be fair, Valente doesn't try that hard. She goes a different direction: she tries to stuff into the text of the book the written equivalent of the over-the-top, glitter-covered, hilariously excessive stage shows of unapologetic pop rock spectacle. The result... well, it's like an overstuffed couch upholstered in fuchsia and spangles, onto which have plopped the four members of a vaguely-remembered boy band attired in the most eye-wrenching shade of violet satin and sulking petulantly because you have failed to provide usable cans of silly string due to the unfortunate antics of your pet cat, Eunice (it's a long story involving an ex and a book collection), in an ocean-reef aquarium that was a birthday gift from your sister, thus provoking a frustrated glare across an Escher knot of brilliant yellow and now-empty hollow-sounding cans of propellant, when Joe, the cute blonde one who was always your favorite, asks you why your couch and its impossibly green rug is sitting in the middle of Grand Central Station, and you have to admit that you do not remember because the beginning of the sentence slipped into a simile singularity so long ago.

Valente always loves her descriptions and metaphors, but in Space Opera she takes this to a new level, one covered in garish, cheap plastic. Also, if you can get through the Esca's explanation of what's going on without wanting to strangle their entire civilization, you have a higher tolerance for weaponized cutesy condescension than I do.

That leads me back to Hitchhiker's Guide and the difficulties of humor based on bizarre aliens and ludicrous technology: it's not funny or effective unless someone is taking it seriously.

Valente includes, in an early chapter, the rules of the Metagalactic Grand Prix. Here's the first one:

The Grand Prix shall occur once per Standard Alumizar Year, which is hereby defined by how long it takes Aluno Secundus to drag its business around its morbidly obese star, get tired, have a nap, wake up cranky, yell at everyone for existing, turn around, go back around the other way, get lost, start crying, feel sorry for itself and give up on the whole business, and finally try to finish the rest of its orbit all in one go the night before it's due, which is to say, far longer than a year by almost anyone else's annoyed wristwatch.

This is, in isolation, perhaps moderately amusing, but it's the formal text of the rules of the foundational event of galactic politics. Eurovision does not take itself that seriously, but it does have rules, which you can read, and they don't sound like that, because this isn't how bureaucracies work. Even bureaucracies that put on ridiculous stage shows. This shouldn't have been the actual rules. It should have been the Hitchhiker's Guide entry for the rules, but this book doesn't seem to know the difference.

One of the things that makes Hitchhiker's Guide work is that much of what happens is impossible for Arthur Dent or the reader to take seriously, but to everyone else in the book it's just normal. The humor lies in the contrast.

In Space Opera, no one takes anything seriously, even when they should. The rules are a joke, the Esca think the whole thing is a lark, the representatives of galactic powers are annoying contestants on a cut-rate reality show, and the relentless drumbeat of more outrageous descriptions never stops. Even the angst is covered in glitter. Without that contrast, without the pause for Arthur to suddenly realize what it means for the planet to be destroyed, without Ford Prefect dryly explaining things in a way that almost makes sense, the attempted humor just piles on itself until it collapses under its own confusing weight. Valente has no characters capable of creating enough emotional space to breathe. Decibel Jones only does introspection by moping, Oort is single-note grumbling, and each alien species is more wildly fantastic than the last.

This book works best when Valente puts the plot aside and tells the stories of the previous Grands Prix. By that point in the book, I was somewhat acclimated to the over-enthusiastic descriptions and was able to read past them to appreciate some entertainingly creative alien designs. Those sections of the book felt like a group of friends read a dozen books on designing alien species, dropped acid, and then tried to write a Traveler supplement. A book with those sections and some better characters and less strained writing could have been a lot of fun.

Unfortunately, there is a plot, if a paper-thin one, and it involves tedious and unlikable characters. There were three people I truly liked in this book: Decibel's Nani (I'm going to remember Mr. Elmer of the Fudd) who appears only in quotes, Oort's cat, and Mira. Valente, beneath the overblown writing, does some lovely characterization of the band as a trio, but Mira is the anchor and the only character of the three who is interesting in her own right. If this book had been about her... well, there are still a lot of problems, but I would have enjoyed it more. Sadly, she appears mostly around the edges of other people's manic despair.

That brings me to a final complaint. The core of this book is musical performance, which means that Valente has set herself the challenging task of describing music and performance sufficiently well to give the reader some vague hint of what's good, what isn't, and why. This does not work even a little bit. Most of the alien music is described in terms of hyperspecific genres that the characters are assumed to have heard of and haven't, which was a nice bit of parody of musical writing but which doesn't do much to create a mental soundtrack. The rest is nonspecific superlatives. Even when a performance is successful, I had no idea why, or what would make the audience like one performance and not another. This would have been the one useful purpose of all that overwrought description.

Clearly some people liked this book well enough to nominate it for awards. Humor is unpredictable; I'm sure there are readers who thought Space Opera was hilarious. But I wanted to salvage about 10% of this book, three of the supporting characters, and a couple of the alien ideas, and transport them into a better book far away from the tedious deluge of words.

I am now inspired to re-read The Hitchhiker's Guide to the Galaxy, though, so there is that.

Rating: 3 out of 10

,

Planet DebianAlberto García: The status of WebKitGTK in Debian

Like all other major browser engines, WebKit is a project that evolves very fast with releases every few weeks containing new features and security fixes.

WebKitGTK is available in Debian under the webkit2gtk name, and we are doing our best to provide the most up-to-date packages for as many users as possible.

I would like to give a quick summary of the status of WebKitGTK in Debian: what you can expect and where you can find the packages.

  • Debian unstable (sid): The most recent stable version of WebKitGTK (2.24.3 at the time of writing) is always available in Debian unstable, typically on the same day of the upstream release.
  • Debian testing (bullseye): If no new bugs are found, that same version will be available in Debian testing a few days later.
  • Debian stable (buster): WebKitGTK is covered by security support for the first time in Debian buster, so stable releases that contain security fixes will be made available through debian-security. The upstream dependencies policy guarantees that this will be possible during the buster lifetime. Apart from security updates, users of Debian buster will get newer packages during point releases.
  • Debian experimental: The most recent development version of WebKitGTK (2.25.4 at the time of writing) is always available in Debian experimental.

In addition to that, the most recent stable versions are also available as backports.

  • Debian stable (buster): Users can get the most recent stable releases of WebKitGTK from buster-backports, usually a couple of days after they are available in Debian testing.
  • Debian oldstable (stretch): While possible we are also providing backports for stretch using stretch-backports-sloppy. Due to older or missing dependencies some features may be disabled when compared to the packages in buster or testing.

You can also find a table with an overview of all available packages here.

One last thing: as explained on the release notes, users of i386 CPUs without SSE2 support will have problems with the packages available in Debian buster (webkit2gtk 2.24.2-1). This problem has already been corrected in the packages available in buster-backports or in the upcoming point release.

CryptogramDetecting Credit Card Skimmers

Modern credit card skimmers hidden in self-service gas pumps communicate via Bluetooth. There's now an app that can detect them:

The team from the University of California San Diego, who worked with other computer scientists from the University of Illinois, developed an app called Bluetana which not only scans and detects Bluetooth signals, but can actually differentiate those coming from legitimate devices -- like sensors, smartphones, or vehicle tracking hardware -- from card skimmers that are using the wireless protocol as a way to harvest stolen data. The full details of what criteria Bluetana uses to differentiate the two isn't being made public, but its algorithm takes into account metrics like signal strength and other telltale markers that were pulled from data based on scans made at 1,185 gas stations across six different states.

LongNowDavid Byrne Launches New Online Magazine, Reasons to Be Cheerful

In his Long Now talk earlier this summer, David Byrne announced that he would soon launch a new website called Reasons to Be Cheerful. The premise, Byrne said, was to document stories and projects that give cause for optimism in troubles times. He was after solutions-oriented efforts that provided tangible lessons that could be broadly utilized in different parts of the world.

“I didn’t want something that would only be applied to one culture,” Byrne said.

Reasons to Be Cheerful has now officially launched. Here is Byrne on the project from the press release:

It often seems as if the world is going straight to Hell. I wake up in the morning, I look at the paper, and I say to myself, “Oh no!” Often I’m depressed for half the day. I imagine some of you feel the same.

Recently, I realized this isn’t helping. Nothing changes when you’re numb. So, as a kind of remedy, and possibly as a kind of therapy, I started collecting good news. Not schmaltzy, feel-good news, but stuff that reminded me, “Hey, there’s positive stuff going on! People are solving problems and it’s making a difference!”

I began telling others about what I’d found.

Their responses were encouraging, so I created a website called Reasons to be Cheerful and started writing. Later on, I realized I wanted to make the endeavor a bit more formal. So we got a team together and began commissioning stories from other writers and redesigned the website. Today, we’re relaunching Reasons to be Cheerful as an ongoing editorial project.

We’re telling stories that reveal that there are, in fact, a surprising number of reasons to feel cheerful — that provide a more optimistic and, we believe, more accurate depiction of the world. We hope to balance out some of the amplified negativity and show that things might not be as bad as we think. Stop by whenever you need a reminder.

Learn More

  • Byrne also released a trailer for the website, which you can watch below:
  • Watch David Byrne’s Long Now talk here.

Worse Than FailureCodeSOD: Checksum Yourself Before you Wrecksum Yourself

Mistakes happen. Errors crop up. Since we know this, we need to defend against it. When it comes to things like account numbers, we can make a rule about which numbers are valid by using a checksum. A simple checksum might be, "Add the digits together, and repeat until you get a single digit, which, after modulus with a constant, must be zero." This means that most simple data-entry errors will result in an invalid account number, but there's still a nice large pool of valid numbers to draw from.

James works for a company that deals with tax certificates, and thus needs to generate numbers which meet a similar checksum rule. Unfortunately for James, this is how his predecessor chose to implement it:

while (true) { digits = ""; for (int i = 0; i < certificateNumber.ToString().Length; i++) { int doubleDigit = Convert.ToInt32(certificateNumber.ToString().Substring(i, 1)) * 2; digits += (doubleDigit.ToString().Length > 1 ? Convert.ToInt32(doubleDigit.ToString().Substring(0, 1)) + Convert.ToInt32(doubleDigit.ToString().Substring(1, 1)) : Convert.ToInt32(doubleDigit.ToString().Substring(0, 1))); } int result = digits.ToString().Sum(c => c - '0'); if ((result % 10) == 0) break; else certificateNumber++; }

Whitespace added to make the ternary vaguely more readable.

We start by treating the number as a string, which allows us to access each digit individually, and as we loop, we'll grab a digit and double it. That, unfortunately, gives us a number, which is a big problem. There's absolutely no way to tell if a number is two digits long without turning it back into a string. Absolutely no way! So that's what we do. If the number is two digits, we'll split it back up and add those digits together.

Which again, gives us one of those pesky numbers. So once we've checked every digit, we'll convert that number back to a useful string, then Sum the characters in the string to produce a result. A result which, we hope, is divisible by 10. If not, we check the next number. Repeat and repeat until we get a valid result.

The worst part is, though, is that you can see from the while loop that this is just dropped into a larger method. This isn't a single function which generates valid certificate numbers. This is a block that gets dropped in line. Similar, but slightly different blocks are dropped in when numbers need to be validated. There's no single isValidCertificate method.

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Planet DebianUtkarsh Gupta: Farewell, GSoC o/

Hello, there.

In open source, we feel strongly that to really do something well, you have to get a lot of people involved.

Guess Linus Torvalds got that right from the start.
While GSoC 2019 comes to end, this project hasn’t. With GSoC, I started this project from scratch and I guess, this won’t “die” an early age.

Here’s a quick recap:

My GSoC project is to package a software called Loomio.
A little about it, Loomio is a decision-making software, designed to assist groups with the collaborative decision-making process.
It is a free software web-application, where users can initiate discussions and put up proposals.

In the span of last 3 months, I worked on creating a package of Loomio for the Debian repositories. Loomio is a big, complex software to package.
With over 484 directories and 4607 files as a part of it’s code base, it has a huge number of Ruby and Node dependencies, along with a couple of fonts that it uses.
Out of which, around 72 ruby gems, 58 node modules, 3 fonts, and other 27 packages which were the reverse dependencies needed work. Both, including packaged and unpackaged libraries.

Also, little did I know about the need of having loomio-installer.
Thus a good amount of time went there as well (which I also talked about in my first and second report).


Work done so far!

At the time of writing this report, the following work has been done:

NEW packages

Packages that have been uploaded to the archive:

» ruby-ahoy-matey
» ruby-aws-partitions
» ruby-aws-sdk-core
» ruby-aws-sdk-kms
» ruby-aws-sdk-s3
» ruby-aws-sigv4
» ruby-cancancan
» ruby-data-uri
» ruby-geocoder
» ruby-google-cloud-core
» ruby-google-cloud-env
» ruby-inherited-resources
» ruby-maxitest
» ruby-safely-block
» ruby-terrapin
» ruby-memory-profiler
» ruby-devise-i18n
» ruby-discourse-diff
» ruby-discriminator
» ruby-doorkeeper-i18n
» ruby-friendly-id
» ruby-google-cloud-core
» ruby-google-cloud-env
» ruby-has-scope
» ruby-has-secure-token
» ruby-heroku-deflater
» ruby-i18n-spec
» ruby-iso
» ruby-omniauth-openid-connect
» ruby-paper-trail
» ruby-referer-parser
» ruby-safely-block
» ruby-user-agent-parser
» ruby-google-cloud-translate
» ruby-maxminddb
» ruby-omniauth-ultraauth

Packages that are yet to be uploaded:

» ruby-arbre
» ruby-paperclip
» ruby-ahoy-email
» ruby-ransack
» ruby-benchmark-memory
» ruby-ammeter
» ruby-rspec-tag-matchers
» ruby-formtastic
» ruby-formtastic-i18n
» ruby-rails-serve-static-assets
» ruby-activeadmin
» ruby-rails-12factor
» ruby-rails-stdout-logging
» loomio-installer

Updated packages

» rails
» ruby-devise
» ruby-globalid
» ruby-pg
» ruby-activerecord-import
» ruby-rack-oauth2
» ruby-rugged
» ruby-task-list
» gem2deb
» node-find-up
» node-matcher
» node-supports-color
» node-array-union
» node-dot-prop
» node-flush-write-stream
» node-irregular-plurals
» node-loud-rejection
» node-make-dir
» node-tmp
» node-strip-ansi


Work left!

Whilst it is clear how big and complex Loomio is, it was not humanly possible to complete the entire package of Loomio.
At the moment, the following tasks are remaining for this project to get close to completion:

» Debug loomio-installer.
» Check what all node dependencies are not really needed.
» Package and update the needed dependencies for loomio.
» Package loomio.
» Fix autopkgtests (if humanly possible).
» Maintain it for life :D


Other Debian activites!

Debian is more than just my GSoC organisation to me.
As my NM profile says and I quote,

Debian has really been an amazing journey, an amazing place, and an amazing family!

With such lovely people and teams and with my DM hat on, I have been involved with a lot more than just GSoC. In the last 3 months, my activity within Debian (other than GSoC) can be summarized as follows.

Cloud Team

Since I’ve been interested in the work they do, I joined the team recently and currently helping in packaging image finder.

NEW packages

» python-flask-marshmallow
» python-marshmallow-sqlalchemy


Perl Team

With Gregor, Intrigeri, Yadd, Nodens, and Bremner being there, I learned Perl packaging and helped in maintaining the Perl modules.

NEW packages

» libdata-dumper-compact-perl
» libminion-backend-sqlite-perl
» libmoox-shorthas-perl
» libmu-perl

Updated packages

» libasync-interrupt-perl
» libbareword-filehandles-perl
» libcatalyst-manual-perl
» libdancer2-perl
» libdist-zilla-plugin-git-perl
» libdist-zilla-plugin-makemaker-awesome-perl
» libdist-zilla-plugin-ourpkgversion-perl
» libdomain-publicsuffix-perl
» libfile-find-object-rule-perl
» libfile-flock-retry-perl
» libgeoip2-perl
» libgraphics-colornames-www-perl
» libio-aio-perl
» libio-async-perl
» libmail-box-perl
» libmail-chimp3-perl
» libmath-clipper-perl
» libminion-perl
» libmojo-pg-perl
» libnet-amazon-s3-perl
» libnet-appliance-session-perl
» libnet-cli-interact-perl
» libnet-frame-perl
» libnetpacket-perl
» librinci-perl
» libperl-critic-policy-variables-prohibitlooponhash-perl
» libsah-schemas-rinci-perl
» libstrictures-perl
» libsisimai-perl
» libstring-tagged-perl
» libsystem-info-perl
» libtex-encode-perl
» libxxx-perl


Python Team

Since I lately learned Python packaging, there are a couple of packages that I worked on which I haven’t pushed yet, but by later this month.

» python3-dotenv
» python3-phonenumbers
» django-phonenumber-field
» django-phone-verify
» Helping newbies (thanks to DC19 talk).


JavaScript Team

Super thanks to Xavier (yadd) and Praveen for being right there. Worked on the following things.

» Helping in webpack transition (bit).
» Helping in nodejs transition.
» Helping in complying pkg-js-tools in all packages.
» Packaging dependencies of ava.
» node-d3-request
» node-find-up
» node-matcher
» node-supports-color
» node-array-union
» node-dot-prop
» node-flush-write-stream
» node-irregular-plurals
» node-loud-rejection
» node-make-dir
» node-tmp
» node-strip-ansi


Golang Team

I joined the Golang team to mostly help in doing the GitLab stuff. Thus did the following things.

» gitlab-workhorse
» gitaly
» Upstream contribution to gitaly.


Ruby Team

This is where I started from. All thanks to Praveen, Abhijith, and Raju.
In the last 3 months, except for maintaining packages for Loomio, I did the following things.

» Helping in maintaining GitLab (one of the maintainers).
» Setting the fasttrack repo; announcements soon!
» Fixing gem2deb for adding d/upstream/metadata.
» Enabling Salsa CI for 1392 packages (yes, I broke salsa :/).
» Reviewing and sponsoring packages.
» Co-chairing the Ruby Team BoF.
» And others.


Others

» Part of DC19 Content Team (thanks to Antonio).
» Part of DC19 Bursary Team (thanks to Jonathan).
» Perl sprint (DebCamp).
» Newbie’s Perspective Towards Debian talk (Open day).
» Chairing Ruby Team BoF.
» Presenting my GSoC project.
» Part of DC19 Video Team.
» Talking about Debian elsewhere (cf: mail archive).
» DC21 Indian bid ;)
» Organising MiniDebConf Goa :D


Acknowledgement :)

Never forget your roots.

And I haven’t. The last 8 months with Debian have been super amazing. Nothing I’d like to change, even if I could. Every person here is a mentor to me.
But above all, there are a couple of people who helped me immensely.
Starting with Pirate Praveen, Rajudev, Abhijith, Sruthi, Gregor, Xavier, Intrigeri, Nodens, Holger, Antonio Terceiro, Kanashiro, Boutil, Georg, Sanyam, Sakshi, Jatin, and Samyak. And of course, my little brother, Aryan.
Sorry if I’m forgetting anyone. Thank y’all :)

NOTE: Sorry for making this extremely long; someone told me to put in all the crap I did in last 90 days :P
Also, sorry if it gets too long on planet.d.o. :)

Until next time.
:wq for today.

,

Planet DebianRuss Allbery: Review: A Memory Called Empire

Review: A Memory Called Empire, by Arkady Martine

Series: Teixcalaan #1
Publisher: Tor
Copyright: March 2019
ISBN: 1-250-18645-5
Format: Kindle
Pages: 462

Mahit Dzmare grew up dreaming of Teixcalaan. She learned its language, read its stories, and even ventured some of her own poetry, in love with the partial and censored glimpses of its culture that were visible outside of the empire. From her home in Lsel Station, an independent mining station, Teixcalaan was a vast, lurking weight of history, drama, and military force. She dreamed of going there in person. She did not expect to be rushed to Teixcalaan as the new ambassador from Lsel Station, bearing a woefully out-of-date imago that she's barely begun to integrate, with no word from the previous ambassador and no indication of why Teixcalaan has suddenly demanded a replacement.

Lsel is small, precarious, and tightly managed, a station without a planet and with only the resources that it can maintain and mine for itself, but it does have a valuable secret. It cannot afford to lose vital skills to accident or age, and therefore has mastered the technology of recording people's personalities, memories, and skills using a device called an imago. The imago can then be implanted in the brain of another, giving them at first a companion in the back of their mind and, with time, a unification that grants them inherited skills and memory. Valuable expertise in piloting, mining, and every other field of importance need not be lost to death, but can be preserved through carefully tended imago lines and passed on to others who test as compatible.

Mahit has the imago of the previous ambassador to Teixcalaan, but it's a copy from five years after his appointment, and he was the first of his line. Yskandr Aghavn served another fifteen years before the loss of contact and Teixcalaan's emergency summons, never returning home to deposit another copy. Worse, the implantation had to be rushed due to Teixcalaan's demand. Rather than the normal six months of careful integration under active psychiatric supervision, Mahit has had only a month with her new imago, spent on a Teixcalaan ship without any Lsel support.

With only that assistance from home, Mahit's job is to navigate the complex bureaucracy and rich culture of an all-consuming interstellar empire to prevent the ruthlessly expansionist Teixcalaanli from deciding to absorb Lsel Station like they have so many other stations, planets, and cultures before them. Oh, and determine what happened to her predecessor, while keeping the imagos secret.

I love when my on-line circles light up with delight about a new novel, and it turns out to be just as good as everyone said it was.

A Memory Called Empire is a fascinating, twisty, complex political drama set primarily in the City at the heart of an empire, a city filled with people, computer-controlled services, factions, manuevering, frighteningly unified city guards, automated defense mechanisms, unexpected allies, and untrustworthy offers. Martine weaves a culture that feels down to its bones like an empire at the height of its powers and confidence: glorious, sophisticated, deeply aware of its history, rich in poetry and convention, inward-looking, and alternately bemused by and contemptuous of anyone from outside what Teixcalaan defines as civilization, when Teixcalaan thinks of them at all.

But as good as the setting is (and it's superb, with a deep, lived-in feel), the strength of this book is its characters. Mahit was expecting to be the relatively insignificant ambassador of a small station, tasked with trade negotiations and routine approvals and given time to get her feet under her. But when it quickly becomes clear that Yskandr was involved in some complex machinations at the heart of the Teixcalaan government, she shows admirable skill for thinking on her feet, making fast decisions, and mixing thoughtful reserve and daring leaps of judgment.

Mahit is here alone from Lsel, but she's not without assistance. Teixcalaan has assigned her an asekreta, a cultural liaison who works for the Information Ministry. Her name is Three Seagrass, and she is the best part of this book. Mahit starts wisely suspicious of her, and Three Seagrass starts carefully and thoroughly professional. But as the complexities of Mahit's situation mount, she and Three Seagrass develop a complex and delightful friendship, one that slowly builds on cautious trust and crosses cultural boundaries without ignoring them. Three Seagrass's nearly-unflappable curiosity and guidance is a perfect complement to Mahit's reserve and calculated gambits, and then inverts beautifully later in the book when the politics Mahit uncovers start to shake Three Seagrass's sense of stability. Their friendship is the emotional heart of this story, full of delicate grace notes and never falling into stock patterns.

Martine also does some things with gender and sexuality that are remarkable in how smoothly they lie below the surface. Neither culture in this novel cares much about the gender configurations of sexual partnerships, which means A Memory Called Empire shares with Nicola Griffith novels an unmarked acceptance of same-sex relationships. It's also not eager to pair up characters or put romance at the center of the story, which I greatly appreciated. And I was delighted that the character who navigates hierarchy via emotional connection and tumbling into the beds of the politically influential is, for once, the man.

I am stunned that this is a first novel. Martine has masterful control over both the characters and plot, keeping me engrossed and fully engaged from the first chapter. Mahit's caution towards her possible allies and her discovery of the lay of the political land parallel the reader's discovery of the shape of the plot in a way that lets one absorb Teixcalaanli politics alongside her. Lsel is at the center of the story, but only as part of Teixcalaanli internal maneuvering. It is important to the empire but is not treated as significant or worthy of its own voice, which is a knife-sharp thrust of cultural characterization. And the shadow of Yskandr's prior actions is beautifully handled, leaving both the reader and Mahit wondering whether he was a brilliant strategic genius or in way over his head. Or perhaps both.

This is also a book about empire, colonization, and absorption, about what it's like to delight in the vastness of its culture and history while simultaneously fearful of drowning in it. I've never before read a book that captures the tension of being an ambassador to a larger and more powerful nation: the complex feelings of admiration and fear, and the need to both understand and respect and in some ways crave the culture while still holding oneself apart. Mahit is by turns isolated and accepted, and by turns craves acceptance and inclusion and is wary of it. It's a set of emotions that I rarely see in space opera.

This is one of the best science fiction novels I've read, one that I'll mention in the same breath as Ancillary Justice or Cyteen. It is a thoroughly satisfying story, one that lasted just as long as it should and left me feeling satiated, happy, and eager for the sequel. You will not regret reading this, and I expect to see it on a lot of award lists next year.

Followed by A Desolation Called Peace, which I've already pre-ordered.

Rating: 10 out of 10

Planet DebianAndrew Cater: Cambridge BBQ 2019 - 2

Another day with a garden full of people. A house full of coders, talkers, coffee drinkers and unexpected bread makers - including a huge fresh loaf. Playing "the DebConf card game" for the first time was confusing as anything and a lot of fun. The youngest person there turned out to be one of the toughest players.

Hotter than yesterday - 32 degrees as I've just driven back across country and the sun in my eyes.. Sorry to leave everyone there for tomorrow's end of BBQ but there'll be another opportunity.

Thanks even more to Steve, Jo and everyone there - it's been a fantastic weekend.

Planet DebianAndrew Cater: Cambridge BBQ 2019

Usual friendly Debian family chaos: a garden full of people last night: lots of chat, lots  of catching up and conviviality including a birthday cake. The house was also full: games of cards ensued last thing at night :) Highlights: home made cookies, chilli and cheese bread [and the company as always]. One of the hotter days of the year at 30 degrees.

Now folk are filtering in: coffee machine is getting a workout and breakfast is happening. Lots more folk expected gradually as the morning progresses: it's 0955 UTC as I'm typing. Today is due to be hotter, apparently. Thanks to Steve and Jo for hosting, as always.

Planet DebianMolly de Blanc: Free software activities (July 2019)

Again, much belated with apologies.

Personal

  • Debian AH rebranded to the Debian Community Team (CT) after our sprint back in June. We had meetings, both following up on things that happened at the meeting and covering typical business. We created a draft of a new team mission statement, which was premiered, so to speak, at DebConf19.
  • While I did not attend, I participated remotely in the CT and Outreach BoFs at DC19 remotely. Special thanks to the video team for making this possible.
  • The Outreach team also had a meeting.
  • The OSI had its monthly meeting, and the Standing Committee also had a meeting.
  • The OSI Staffing Committee, of which I am a member, had a meeting.
  • I had a meeting with someone interested in working with the OSI.
  • I had weekly meetings with the General Manager of the OSI.
  • Another instance of someone being mean to me on the internet. I am almost losing count.

Professional

  • I learned a lot about the GNOME ecosystem, and the toolkit that is a necessary part of it, and parts of the project that organizations use even if they’re not using the GNOME desktop environment.
  • I had several fun meetings with people about the work we’re doing at GNOME.
  • I worked on fulfilling sponsorship benefits for GUADEC. This mostly means writing social media posts, blog posts, and working with an awesome volunteer to keep the web site updated.
  • I wrote a Friends of GNOME newsletter.
  • I wrote and published a Meet the GNOMEies interview.
  • I met with the Linux App Summit organizing team concerning sponsorships and fundraising for the event. The CFP is open and you should submit!

Planet DebianRuss Allbery: Review: The Calculating Stars

Review: The Calculating Stars, by Mary Robinette Kowal

Series: Lady Astronaut #1
Publisher: Tor
Copyright: July 2018
ISBN: 1-4668-6124-X
Format: Kindle
Pages: 429

Elma York is a (human) computer, working for the early space program in the National Advisory Committee for Aeronautics in 1952. She and her husband Nathaniel, one of the lead engineers, are on vacation in the Poconos when a massive meteorite hits the Atlantic Ocean just off the coast of Maryland, wiping out Washington D.C. and much of the eastern seaboard.

Elma and Nathaniel make it out of the mountains via their private plane (Elma served as a Women Airforce Service Pilot in World War II) to Wright-Patterson Air Force Base in Ohio, where the government is regrouping. The next few weeks are a chaos of refugees, arguments, and meetings, as Nathaniel attempts to convince the military that there's no way the meteorite could have been a Russian attack. It's in doing calculations to support his argument that Elma and her older brother, a meteorologist, realize that far more could be at stake. The meteorite may have kicked enough water vapor into the air to start runaway global warming, potentially leaving Earth with the climate of Venus. If this is true, humans need to get off the planet and somehow find a way to colonize Mars.

I was not a sympathetic audience for this plot. I'm all in favor of space exploration but highly dubious of colonization justifications. It's hard to imagine an event that would leave Earth less habitable than Mars already is, and Mars appears to be the best case in the solar system. We also know who would make it into such a colony (rich white people) and who would be left behind on Earth to die (everyone else), which gives these lifeboat scenarios a distinctly unappealing odor. To give her credit, Kowal postulates one of the few scenarios that might make living on Mars an attractive alternative, but I'm fairly sure the result would be the end of humanity. On this topic, I'm a pessimistic grinch.

I loved this book.

Some of that is because this book is not about the colonization. It's about the race to reach the Moon in an alternate history in which catastrophe has given that effort an international mandate and an urgency grounded in something other than great-power competition. It's also less about the engineering and the male pilots and more about the computers: Elma's world of brilliant women, many of them experienced WW2 transport pilots, stuffed into the restrictive constraints of 1950s gender roles. It's a fictionalization of Hidden Figures and Rise of the Rocket Girls, told from the perspective of a well-meaning Jewish woman who is both a victim of sexist and religious discrimination and is dealing (unevenly) with her own racism.

But that's not the main reason why I loved this book. The surface plot is about gender roles, the space program, racism, and Elma's determination to be an astronaut. The secondary plot is about anxiety, about what it does to one's life and one's thought processes, and how to manage it and overcome it, and it's taut, suspenseful, tightly observed, and vividly empathetic. This is one of the best treatments of living with a mental illness that I've read.

Elma has clinical anxiety, although she isn't willing to admit it until well into the book. But once I knew to look for it, I saw it everywhere. The institutional sexism she faces makes the reader want to fight and rage, but Elma turns defensively inward and tries to avoid creating conflict. Her main anxiety trigger is being the center of the attention of strangers, fearing their judgment and their reactions. She masks it with southern politeness and deflection and the skill of smoothing over tense situations, until someone makes her angry. And until she finds something that she wants more than she wants to avoid her panic attacks: to be an astronaut, to see space, and to tell others that they can as well.

One of the strengths of this book is Kowal's ability to write a marriage, to hint at what Elma sees in Nathaniel around the extended work hours and quietness. They play silly bedroom games, they rely on each other without a second thought, and Nathaniel knows how anxious she is and is afraid for her and doesn't know what to do. He can't do much, since Elma has to find her own treatment and her own coping mechanisms and her own way of reframing her goals, but he's quietly and carefully supportive in ways that I thought were beautifully portrayed. His side of this story is told in glimmers and moments, and the reader has to do a lot of work to piece together what he's thinking, but he quietly became one of my favorite characters in this book.

I should warn that I read a lot into this book. I hit on the centrality of anxiety to Elma's experience about halfway through and read it backwards and forwards through the book, and I admit I may be doing a lot of heavy lifting for the author. The anxiety thread is subtle, which means there's a risk that I'm manufacturing some pieces of it. Other friends who have read the book didn't notice it the way that I did, so your mileage may vary. But as someone who has some tendencies towards anxiety myself, this spoke to me in ways that made it hard to read at times but glorious in the ending. Everywhere in the book Elma got angry enough to push through her natural tendency to not make a fuss is wonderfully satisfying.

This book is set very much in its time, which means that it is full of casual, assumed institutional sexism. Elma fights it in places, but she more frequently endures it and works around it, which may not be the book that one is in the mood to read. This is a book about feminism, but it's a conditional and careful feminism that tactically cedes a lot of the cultural and conversational space.

There is also quite a lot of racism, to which Elma reacts like a well-intentioned (and somewhat anachronistic) white woman. There's a very fine line between the protagonist using some of their privilege to help others and a white savior narrative, and I'm not sure Kowal walks it successfully throughout the book. Like the sexism, the racism of the setting is deep and structural, Elma is not immune even when she thinks she's adjusting for it, and this book only pushes back against it around the edges. I appreciated the intent to show some of the complexity of intersectional oppression, but I think it lands a bit awkwardly.

But, those warnings aside, this is both a satisfying story of the early space program shifted even earlier to force less reliance on mechanical computers, and a tense and compelling story of navigating anxiety. It tackles the complex and difficult problems of conserving and carefully using one's own energy and fortitude, and of deciding what is worth getting angry about and fighting for. The first-person narrative voice was very effective for me, particularly once I started treating Elma as an unreliable narrator in denial about how much anxiety has shaped her life and started reading between the lines and looking for her coping strategies. I have nowhere near the anxiety issues that Elma has, but I felt seen by this book despite a protagonist who is apparently totally unlike me.

Although I would have ranked Record of a Spaceborn Few higher, The Calculating Stars fully deserves its Hugo, Nebula, and Locus Award wins. Highly recommended, and I will definitely read the sequel.

Followed by The Fated Sky.

Rating: 9 out of 10

,

Planet DebianDirk Eddelbuettel: RcppExamples 0.1.9

A new version of the RcppExamples package is now on CRAN.

The RcppExamples package provides a handful of short examples detailing by concrete working examples how to set up basic R data structures in C++. It also provides a simple example for packaging with Rcpp.

This releases brings a number of small fixes, including two from contributed pull requests (extra thanks for those!), and updates the package in a few spots. The NEWS extract follows:

Changes in RcppExamples version 0.1.9 (2019-08-24)

  • Extended DateExample to use more new Rcpp features

  • Do not print DataFrame result twice (Xikun Han in #3)

  • Missing parenthesis added in man page (Chris Muir in #5)

  • Rewrote StringVectorExample slightly to not run afould the -Wnoexcept-type warning for C++17-related name mangling changes

  • Updated NAMESPACE and RcppExports.cpp to add registration

  • Removed the no-longer-needed #define for new Datetime vectors

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianSteinar H. Gunderson: Chess article

Last November (!), I was interviewed for a magazine article about computer chess and how it affects human play. Only a few short fragments remain of the hour-long discussion, but the article turned out to be very good nevertheless, and now it's freely available at last. Recommended Sunday read.

Planet DebianThomas Lange: New FAI.me feature

FAI.me, the build service for installation and cloud images has a new feature. When building an installation images, you can enable automatic reboot or shutdown at the end of the installation in the advanced options. This was implemented due to request by users, that are using the service for their VM instances or computers without any keyboard connected.

The FAI.me homepage.

FAI.me

Planet DebianDidier Raboud: miniDebConf19 Vaumarcus – Oct 25-27 2019 – Registration is open

The Vaumarcus miniDebConf19 is happening! Come see the fantastic view from the shores of Lake Neuchâtel, in Switzerland! We’re going to have two-and-a-half days of presentations and hacking in this marvelous venue and anybody interested in Debian development is welcome.

Registration is open

Registration is open now, and free, so go add your name and details on the Debian wiki: Vaumarcus/Registration

We’ll accept registrations until late, but don’t wait too much before making your travel plans! We have you covered with a lot of attendee information already: Vaumarcus.

Sponsors wanted

We’re looking for sponsors willing to help making this event possible; to help making it easier for anyone interested to attend. We have not yet decided upon sponsor categories and benefits, but come talk to us already if you can help!

More hands wanted

Things are on a good track, but we need more help. Specifically, Content, Bar, Sponsoring and Attendee support would benefit from more hands.

Get in touch

We gather on the #debian.ch channel on irc.debian.org and on the debian-switzerland@lists.debian.org list. For more private matters, talk to board@debian.ch!

Looking forward to seeing a lot of you in Vaumarcus!

(This was also sent to debian-devel-announce@l.d.o and debian-events-eu@l.d.o.)

Planet DebianJoachim Breitner: ICFP 2019

ICFP 2019 in Berlin ended yesterday, and it was – as always – a great pleasure. This year was particularly noteworthy for the quite affordable conference hotel and the absolutely amazing food during the coffee breaks.

Since I am no longer a proper academic, I unsurprisingly did not have real research to present. Luckily I found ways to not just be a passive participant this year:

  • At FARM, I presented Kaleidogen, a small game (or toy, some would say) of mine. The room was packed with people, so thanks for all your interest! If you missed it, you can soon see the recording or read the demo abstract.

  • At PLMW, the mentoring workshop for young researchers, I ran the “Social event” together with Niki Vazou. Like last year, we randomly grouped the students and held a little competition where they had to match program listings to languages and algorithms. This was great fun, and we even managed to solve the sudden problem of two ties in a ad-hoc extra quiz.

  • During his “State of GHC” speech, Simon Peyton Jones asked me to speak about the GHC Proposal Process for a few slides.

  • And since that is not enough stage time, I secured two spots in local stand-up comedy open mics on Monday and Friday, and even dragged sizable crowds of ICFP participants to these venues. One was a boat, and the other one a pretty dodgy bar in Neukölln, so that alone was a memorable experience. And the host was visibly surprised when his joke “I couldn’t be a software developers – I can’t commit” was met by such a roaring response…

Anyways, ICFP is over, back to disappear in the churn of every day work, and I hope to see you all next year.

Planet DebianRuss Allbery: Review: Thinking, Fast and Slow

Review: Thinking, Fast and Slow, by Daniel Kahneman

Publisher: Farrar, Straus and Giroux
Copyright: 2011
ISBN: 1-4299-6935-0
Format: Kindle
Pages: 448

Daniel Kahneman is an academic psychologist and the co-winner of the 2002 Nobel Memorial Prize in Economic Sciences for his foundational work on behavioral economics. With his long-time collaborator Amos Tversky, he developed prospect theory, a theory that describes how people chose between probabilistic alternatives involving risk. That collaboration is the subject of Michael Lewis's book The Undoing Project, which I have not yet read but almost certainly will.

This book is not only about Kahneman's own work, although there's a lot of that here. It's a general overview of cognitive biases and errors as explained through an inaccurate but useful simplification: modeling human thought processes as two competing systems with different priorities, advantages, and weaknesses. The book mostly focuses on the contrast between the fast, intuitive System One and the slower, systematic System Two, hence the title, but the last section of the book gets into hedonic psychology (the study of what makes experiences pleasant or unpleasant). That section introduces a separate, if similar, split between the experiencing self and the remembering self.

I read this book for the work book club, although I only got through about a third of it before we met to discuss it. For academic psychology, it's quite readable and jargon-free, but it's still not the sort of book that's easy to read quickly. Kahneman's standard pattern is to describe an oddity in thinking that he noticed, a theory about the possible cause, and the outcome of a set of small experiments he and others developed to test that theory. There are a lot of those small experiments, and all the betting games with various odds and different amounts of money blurred together unless I read slowly and carefully.

Those experiments also raise the elephant in the room, at least for me: how valid are they? Psychology is one of the fields facing a replication crisis. Researchers who try to reproduce famous experiments are able to do so only about half the time. On top of that, many of the experiments Kahneman references here felt artificial. In daily life, people spend very little time making bets of small amounts of money on outcomes with known odds. The bets are more likely to be for more complicated things such as well-being or happiness, and the odds of most real-world situations are endlessly murky. How much does that undermine Kahneman's conclusions? Kahneman himself takes the validity of this type of experiment for granted and seems uninterested in this question, at least in this book. He has a Nobel Prize and I don't, so I'm inclined to trust him, but it does give me some pause.

It didn't help that Kahneman cites the infamous marshmallow experiment approvingly and without caveats, which is a pet peeve of mine and means he fails my normal test for whether a popular psychology writer has taken a sufficiently thoughtful approach to analyzing the validity of experiments.

That caveat aside, this book is fascinating. One of the things that Kahneman does throughout, which is both entertaining and convincing, is show the reader one's brain making mistakes in real time. It's a similar experience to looking at optical illusions (indeed, Kahneman makes that comparison explicitly). Once told what's going on, you can see the right answer, but your brain is still determined to make an error.

Here's an example:

A bat and ball cost $1.10.
The bat costs one dollar more than the ball.
How much does the ball cost?

I've prepped you by talking about cognitive errors, so you will probably figure out that the answer is not 10 cents, but notice how much your brain wants the answer to be 10 cents, and how easy it is to be satisfied with that answer if you don't care that much about the problem, even though it's wrong. The book is full of small examples like this.

Kahneman's explanation for the cognitive mistake in this example is the subject of the first part of the book: two-system thinking. System one is fast, intuitive, pattern-matching, and effortless. It's our default, the system we use to navigate most of our lives. System two is deliberate, slow, methodical, and more accurate, but it's effortful, to a degree that the effort can be detected in a laboratory by looking for telltale signs of concentration. System two applies systematic rules, such as the process for multiplying two-digit numbers together or solving math problems like the above example correctly, but it takes energy to do this, and humans have a limited amount of that energy. System two is therefore lazy; if system one comes up with a plausible answer, system two tends to accept it as good enough.

This in turn provides an explanation for a wealth of cognitive biases that Kahneman discusses in part two, including anchoring, availability, and framing. System one is bad at probability calculations and relies heavily on availability. For example, when asked how common something is, system one will attempt to recall an example of that thing. If an example comes readily to mind, system one will decide that it's common; if it takes a lot of effort to think of an example, system one will decide it's rare. This leads to endless mistakes, such as worrying about memorable "movie plot" threats such as terrorism while downplaying the risks of far more common events such as car accidents and influenza.

The third part of the book is about overconfidence, specifically the prevalent belief that our judgments about the world are more accurate than they are and that the role of chance is less than it actually is. This includes a wonderful personal anecdote from Kahneman's time in the Israeli military evaluating new recruits to determine what roles they would be suited for. Even after receiving clear evidence that their judgments were no better than random chance, everyone involved kept treating the interview process as if it had some validity. (I was pleased by the confirmation of my personal bias that interviewing is often a vast waste of everyone's time.)

One fascinating takeaway from this section is that experts are good at making specific observations of fact that an untrained person would miss, but are bad at weighing those facts intuitively to reach a conclusion. Keeping expert judgment of decision factors but replacing the final decision-making process with a simple algorithm can provide a significant improvement in the quality of judgments. One example Kahneman uses is the Apgar score, now widely used to determine whether a newborn is at risk of a medical problem.

The fourth part of the book discusses prospect theory, and this is where I got a bit lost in the endless small artificial gambles. However, the core idea is simple and quite fascinating: humans tend to make decisions based on the potential value of losses and gains, not the final outcome, and the way losses and gains are evaluated is not symmetric and not mathematical. Humans are loss-avoiding, willing to give up expected value to avoid something framed as a loss, and are willing to pay a premium for certainty. Intuition also breaks down at the extremes; people are very bad at correctly understanding odds like 1%, instead treating it like 0% or more than 5% depending on the framing.

I was impressed that Kahneman describes the decision-making model that preceded prospect theory, explains why it was more desirable because it was simpler and was only abandoned for prospect theory because prospect theory made meaningfully more accurate predictions, and then pivots to pointing out the places where prospect theory is clearly wrong and an even more complicated model would be needed. It's a lovely bit of intellectual rigor and honesty that too often is missing from both popularizations and from people talking about their own work.

Finally, the fifth section of the book is about the difference between life as experienced and life as it is remembered. This includes a fascinating ethical dilemma: the remembering self is highly sensitive to how unpleasant an experience was at its conclusion, but remarkably insensitive to the duration of pain. Experiments will indicate that someone will have a less negative memory of a painful event where the pain gradually decreased at the end, compared to an event where the pain was at its worst at the end. This is true even if the worst moment of pain was the same in both cases and the second event was shorter overall. How should we react to that in choosing medical interventions? The intuitive choice for pain reduction is to minimize the total length of time someone is in pain or reduce the worst moment of pain, both of which are correctly reported as less painful in the moment. But this is not the approach that will be remembered as less painful later. Which of those experiences is more "real"?

There's a lot of stuff in this book, and if you are someone who (unlike me) is capable of reading more than one book at a time, it may be a good book to read slowly in between other things. Reading it straight through, I got tired of the endless descriptions of experimental setup. But the two-system description resonated with me strongly; I recognized a lot of elements of my quick intuition (and my errors in judgment based on how easy it is to recall an example) in the system one description, and Kahneman's description of the laziness of system two was almost too on point. The later chapters were useful primarily as a source of interesting trivia (and perhaps a trick to improve my memory of unpleasant events), but I think being exposed to the two-system model would benefit everyone. It's a quick and convincing way to remember to be wary of whole classes of cognitive errors.

Overall, this was readable, only occasionally dense, and definitely thought-provoking, if quite long. Recommended if any of the topics I've mentioned sound interesting.

Rating: 7 out of 10

,

CryptogramFriday Squid Blogging: Vulnerabilities in Squid Server

It's always nice when I can combine squid and security:

Multiple versions of the Squid web proxy cache server built with Basic Authentication features are currently vulnerable to code execution and denial-of-service (DoS) attacks triggered by the exploitation of a heap buffer overflow security flaw.

The vulnerability present in Squid 4.0.23 through 4.7 is caused by incorrect buffer management which renders vulnerable installations to "a heap overflow and possible remote code execution attack when processing HTTP Authentication credentials."

"When checking Basic Authentication with HttpHeader::getAuth, Squid uses a global buffer to store the decoded data," says MITRE's description of the vulnerability. "Squid does not check that the decoded length isn't greater than the buffer, leading to a heap-based buffer overflow with user controlled data."

The flaw was patched by the web proxy's development team with the release of Squid 4.8 on July 9.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Planet DebianBastian Venthur: Introducing Noir

tl;dr

Noir is a drop-in replacement for Black (the uncompromising code formatter), with the default line length set to PEP-8's preferred 79 characters. If you want to use it, just replace black with noir in your requirements.txt and/or setup.py and you're good to go.

Black is a Python code formatter that reformats your code to make it more PEP-8 compliant. It implements a subset of PEP-8, most notably it deliberately ignores PEP-8's suggestion for a line length of 79 characters and defaults to a length of 88. I find the decision and the reasoning behind that somewhat arbitrary. PEP-8 is a good standard and there's a lot of value in having a style guide that is generally accepted and has a lot of tooling to support it.

When people ask to change Black's default line length to 79, the issue is usually closed with a reference to the reasoning in the README. But Black's developers are at least aware of this controversial decision, as Black's only option that allows to configure the (otherwise uncompromising) code formatter, is in fact the line length.

Apart from that, Black is a good formatter that's gaining more and more popularity. And, of course, the developers have every right to follow their own taste. However, since Black is licensed under the terms of the MIT license, I tried to see what needs to be done in order to fix the line length issue.

Step 1: Changing the Default

This is the easiest part. You only have to change the DEFAULT_LINE_LENGTH value in black.py from 88 to 79, and black works as expected. Bonus points for doing the same in black.vim and pyproject.toml, but not strictly necessary.

Step 2a: Fixing the Tests

Now comes the fun part. Black has an extensive test suite and suddenly a lot of tests are failing because the fixtures that compare the unformatted input with the expected, formatted output were written with a line length of 88 characters in mind. To make it more interesting the expected output comes in two forms: (1) as normal reformatted Python code (which is rather easy to fix) and (2) as a diff between the input and the expected output. The latter was really painful to fix -- although I'm very much used to reading diffs, I don't usually write them.

Step 2b: Fixing the Tests

After all fixtures were updated, some tests were still failing. And it turned out that Black is running itself on its own source code as part of its test suite, making the tests fail if Black's code does not conform to Black's coding standards. While this is a genius idea, it meant that I had to reformat Black's code to match the new 79 characters line length, generating a giant diff, that is functionally unrelated to the fix I wanted to make but now part of the fix anyway. This of course makes the whole patch horrible to maintain if you plan to follow along upstream's master branch.

Step 3: Publish

Since we already got this far, why not publish the fixed version of Black? To my surprise the name noir was still available on PyPi, so I renamed my version of Black to Noir and uploaded it to PyPi.

You can install it via:

$ pip install noir

Since I didn't change anything else, this is literally a drop-in replacement for Black. All you have to do is replace black with noir in your requirements.txt and/or setup.py and you're good to go. The script that executes Black is still called black and the server is still called blackd.

Outlook

While this was a fun exercise, the question remains what to do with it. I'll try to follow upstream and update my patch whenever a new version will come out. As new versions of Black are released only a handful of times a year, this might be feasible.

Depending on how painful it is to maintain the patch for the tests, I might either drop the tests altogether, relying on upstream's tests passing on their side and just maintaining the trivial patch from Step 1: Changing the DEFAULT_LINE_LENGTH. The latter can probably be automated somehow using github actions -- and I'll probably look into that at some point.

Best case scenario, of course, would be if Python changes its recommended line length to 88 and I wouldn't have to maintain noir in the first place :)

Planet DebianIustin Pop: Aftershokz Aeropex first impressions

I couldn’t sleep one evening so I was randomly1 browsing the internet. One thing led to another and I landed on a review of “bone-conducting” headphones, designed for safe listening to music or talking on the phone during sports.

I was intrigued. I’ve written before that proper music really motivates me when doing high-intensity efforts, so this seemed quite interesting. After reading more about it, and after finding that one can buy such things from local shops, I ordered a pair of Aftershokz Aeropex headphones.

To my surprise, they actually work as advertised. I’d say, they work despite the fancy company name :) There is a slight change to the tone of the sound (music) as compared to normal headphones, and the quality is not like one would expect from high-quality over-ear ones, but that’s beside the point - the kind of music that I’d like to listen to while pedalling up a hill doesn’t require very high fidelity2.

And with regards to environment awareness, there is for sure some decrease, but I’d say minimal (especially if you don’t listen on high volume). There is no “closed bubble” effect at all as you get with normal (even open) headphones, and definitely not the one with in-ear ones. So I’d say this kind of headphone is reasonably safe, if you are careful.

So, first test, commute to work and back. On the way to work it was very windy so that’s why I was hearing mostly (especially during cross-winds), but it was still OK. Enjoyed the ride, nothing special.

On the return though… it was quite glorious. Normally (in Garmin speak) I get a small training effect: 0.8-1.0 aerobic, and much less anaerobic, around 0.5. It’s a very short commute, but I try to push as I can. Today however, I got 1.3 aerobic, and 1.6 anaerobic, because I went quite a bit standing on the uphills. Higher anaerobic than aerobic on my commute is very rare… Also the “intensity minutes” that I got for today were ~50% increased compared to usual commute days. Max HR was not really changed, but the average HR was ~10bpm higher, which confirms I was able to motivate myself better. No Strava segments achievements though, since I was on a slow bike, but still, it felt much better than same bike on other days.

I don’t know how the headphones feel when wearing them for a few hours at a time; they might be somewhat unpleasant, especially under the bike helmet, but on my short commute they were OK. But a 2-3-5 hour race is something entirely different.

Anyway, it seems from my first quick test this is an interesting technology. I guess I’ll have to see in a real effort how it helps? And if it doesn’t work well, I can blame the choice of music :)


  1. I was looking for updated Fenix 6 rumours. Either Garmin is having a prank or it (the F6) will be quite cool itself; bigger screen, solar, more battery options, etc. etc.

  2. Rhythm/beat is very important, not so much good voice or high dynamic range. And when tired, most anything that is not soothing.

Valerie AuroraHow to avoid supporting sexual predators

[TW: child sex abuse]

Recently, I received an email from a computer security company asking for more information on why I refuse to work with them. My reason? The company was founded by a registered child sex offender who still serves as its CTO, which I found out during my standard client research process.

My first reaction was, “Do I really need to explain why I won’t work with you???” but as I write this, we’re at the part of the Jeffrey Epstein news cycle where we are learning about the people in computer science who supported Epstein—after Epstein pleaded guilty to two counts of “procuring prostitution with a child under 18,” registered as a sex offender, and paid restitution to dozens of victims. As someone who outed her own father as a serial child molester, I can tell you that it is quite common for people to support and help known sexual predators in this way.

I would like to share how I actively avoid supporting sexual predators, as someone who provides diversity and inclusion training, mostly to software companies:

  1. When a new client approaches me, I find the names of the CEO, CTO, COO, board members, and founders—usually on the “About Us” or “Who We Are” or “Founders” page of the company’s web site. Crunchbase and LinkedIn are also useful for this step.
  2. For each of the CEO, CTO, COO, board members, and/or founders, I search their name plus “allegations,” “sexism,” “sexual assault,” “sexual harassment,” and “women.” I do this for the company name too.
  3. If I find out any executives, board members, or founders have been credibly accused of sexual harassment or assault, I refuse to work with that company.
  4. I look up the funders of the company on Crunchbase. If any of their funders are listed on Sexism and Racism in Venture Capital, I give the company extra scrutiny.
  5. If the company agreed to take funding from a firm (or person) after knowing the lead partner(s) were sexual harassers or predators, I refuse to work with that company.

If you don’t have time to do this personally, I recommend hiring or contracting with someone to do it for you.

That’s just part of my research process (I search for other terms, such as “racism”). This has saved me from agreeing to help make money for a sexual predator or harasser many times. Specifically, I’ve turned down 13 out of 303 potential clients for this reason, or about 4% of clients who approached me. To be sure, it has also cost me money—I’d estimate at least $50,000—but I’d like to believe that my reputation and conscience are worth more than that. If you’re not in a position where you can say no to supporting a sexual predator, you have my sympathy and respect, and I hope you can find a way out sooner or later.

Your research process will look different depending on your situation, but the key elements will be:

  1. Assume that sexual predators exist in your field and you don’t know who all of them are.
  2. When you are asked to work with or support someone new, do research to find out if they are a sexual predator.
  3. When you find out someone is probably a sexual predator, refuse to support them.

What do I do if, say, the CEO has been credibly accused of sexual harassment or assault but the company has taken appropriate steps to make amends and heal the harm done to the victims? I don’t know, because I can’t remember a potential client who did that. I’ve had plenty that published a non-apology, forced victims to sign NDAs for trivial sums of money, or (very rarely) fired the CEO but allowed them to keep all or most of their equity, board seat, voting rights, etc. That’s not enough, because the CEO hasn’t shown remorse, made amends, or removed themselves from positions of power.

I don’t think all sexual predators should be ostracized completely, but I do think everyone has a moral responsibility not to help known sexual predators back into positions of power and influence without strong evidence of reform. Power and influence are privileges which should only be granted to people who are unlikely to abuse them, not rights which certain people “deserve” as long as they claim to have reformed. Someone with a history of sexually predatory behavior should be assumed to be dangerous unless exhaustively proven otherwise. One sign of complete reform is that the former sexual predator will themselves avoid and reject situations in which power and access would make sexual abuse easy to resume.

In this specific case, the CTO of this company maintains a public web site which briefly and vaguely mentions the harm done to victims of sex abuse—and then devotes the majority of the text to passionately advocating for the repeal of sex offender registry laws because of the incredible harm they do to the health and happiness of convicted sex offenders. So, no, I don’t think he has changed meaningfully, he is not a safe person to be around, he should not be the CTO of a computer security company, and I should not help him gain more wealth.

Don’t be the person helping the sexual predator insinuate themself back into a position with easy access to victims. If your first instinct is to feel sorry for the powerful and predatory, you need to do some serious work on your sense of empathy. Plenty of people have shared what it’s like to be the victim of sexual harassment and assault; go read their stories and try to imagine the suffering they’ve been through. Then compare that to the suffering of people who occasionally experience moderate consequences for sexually abusing people with less power than themselves. I hope you will adjust your empathy accordingly.

Sociological ImagesFamily Matters

The ‘power elite’ as we conceive it, also rests upon the similarity of its personnel, and their personal and official relations with one another, upon their social and psychological affinities. In order to grasp the personal and social basis of the power elite’s unity, we have first to remind ourselves of the facts of origin, career, and style of life of each of the types of circle whose members compose the power elite.

— C. Wright Mills. 1956. The Power Elite. Oxford University Press

President John F. Kennedy addresses the Prayer Breakfast in 1961. Wikimedia Commons.

A big question in political sociology is “what keeps leaders working together?” The drive to stay in public office and common business interests can encourage elites to cooperate, but politics is still messy. Different constituent groups and social movements demand that representatives support their interests, and the U.S. political system was originally designed to use this big, diverse set of factions to keep any single person or party from becoming too powerful.

Sociologists know that shared culture, or what Mills calls a “style of life,” is really important among elites. One of my favorite profiles of a style of life is Jeff Sharlet’s The Family, a look at how one religious fellowship has a big influence on the networks behind political power in the modern world. The book is a gripping case of embedded reporting that shows how this elite culture works. It also has a new documentary series:

When we talk about the religious right in politics, it is easy to jump to images of loud, pro-life protests and controversial speakers. What interests me about the Family is how the group has worked so hard to avoid this contentious approach. Instead, everything is geared toward simply getting newcomers to think of themselves as elites, bringing leaders together, and keeping them connected. A major theme in the first episode of the series is just how simple the theology is (“Jesus plus nothing”) and how quiet the group is, even drawing comparisons to the mafia.

Vipassana Meditation in Chiang Mai, Thailand. Source: Matteo, Flickr CC.

Sociologists see similar trends in other elite networks. In research on how mindfulness and meditation caught on in the corporate world, Jaime Kucinskas calls this “unobtrusive organizing.” Both the Family and the mindfulness movement show how leaders draw on core theological ideas in Christianity and Buddhism, but also modify those ideas to support their relationships in business and government. Rather than challenging those institutions, adapting and modifying these traditions creates new opportunities for elites to meet, mingle, and coordinate their work.

When we study politics and culture, it is easy to assume that core beliefs make people do things by giving them an agenda to follow. These cases are important because they show how that’s not always the point; sometimes core beliefs just shape how people do things in the halls of power.

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

CryptogramLicense Plate "NULL"

There was a DefCon talk by someone with the vanity plate "NULL." The California system assigned him every ticket with no license plate: $12,000.

Although the initial $12,000-worth of fines were removed, the private company that administers the database didn't fix the issue and new NULL tickets are still showing up.

The unanswered question is: now that he has a way to get parking fines removed, can he park anywhere for free?

And this isn't the first time this sort of thing has happened. Wired has a roundup of people whose license places read things like "NOPLATE," "NO TAG," and "XXXXXXX."

Planet DebianKai-Chung Yan: My Open-Source Activities from January to August 2019

Welcome, reader! This is a infrequently updated post series that logs my activities within open-source communities. I do not work on open-source full-time, although I sincerely would love to. Therefore the posts may cover a ridiculously long period (even a whole year).

Debian & Google Summer of Code

Debian is a general-purpose Linux distribution that is widely used on the planet. I am a Debian Developer who works on packages related to Android SDK and the Java ecosystem.

I started a new package in an attempt to build the Android framework android.jar using the upstream build systems involving Ninja, Soong and others. Since the beginning we have been writing our own (very simple) makefiles to build the binaries in AOSP because their build logic tends to be simple and straightforward, until we worked on android.jar. Building it requires digging in so much code that it became incredibly hard to maintain, which is why we still haven’t brought in any newer version since android-framework-23. This is problematic as developers can’t build any apps that target Android 7+.

After a month of work, this package is finally done. After all its dependencies are packaged in the future, it will be good to upload. This is where the students of Google Summer of Code (GSoC) come in!

This year’s GSoC projects related to Android SDK are:

Thanks to their hard work, we managed to upload these packages to Debian:

Voidbuilder

Voidbuilder is a simple program that mimics pbuilder but uses Docker and requires zero configuration. I have been using it privately and am quite satisfied.

I made some bugfixes and adopted Node.js 12 so that it can make use the latest experimental ES Modules support. Version 1.0.0 and 1.0.1 have been released.

Planet DebianKai-Chung Yan: My Open-Source Activities from April 2017 to March 2018

Because of all the nonsense coming from my current school, I hadn’t been able to spend too much time on open source projects. As a result, this post sums up an entire year of activities after the previous one… Surprised me a bit too. 😰

Personal Projects

Created a repository in GitLab to store some useful scripts and config files that makes up my development environment. It mostly focuses on Debian development, but will add more stuff in other area when the time has come.

The repository contains files that sets up cowbuilder for all officially supported architectures in Debian, and some scripts to update the images, to build a package in all those architectures, and to build a long list of packages, all in parallel using a process pool. Very useful when you are testing reverse-build-dependencies.

Introducing maven-repo-helper-extras

I spent several weeks writing some additional tools for the existing maven-repo-helper. The package now contains 2 tools:

  • mh_shlibdeps: Like dh_shlibdeps but for Maven artifacts, successor to mh_resolve_dependencies
  • mh_genlauncher: Generate simple launcher scripts for Java programs distributed as Maven artifacts.

The package name is likely to be changed, and mh_genlauncher is likely to be replaced by something neater. Still waiting for other core devs in pkg-java team to review it.

Other Activities

Google Summer of Code 2018

I am now a mentor under Debian organization in GSoC 2018, guiding students to contribute to our Android SDK packages.

Worse Than FailureError'd: One Size Fits All

"Multi-platform AND multi-gender! Who knew SSDs could be so accomodating?" Felipe C. wrote.

 

"This is a progress indicator from a certain Australian "Enterprise" ERP vendor. I suspect their sales guys use it to claim that their software updates over 1000% faster than their competitors," Erin D. writes.

 

Bruce W. writes, "I guess LinkedIn wants me to know that I'm not as popular as I think."

 

"According to Icinga's Round Trip Average calculation, one of our servers must have been teleported about a quarter of the way to the center of the Milky Way. The good news is that I have negative packet loss on that route. Guess the packets got bored on the way," Mike T. writes.

 

"From undefined to invalid, this bankruptcy site has it all...or is it nothing?" Pascal writes.

 

 

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

Planet DebianKai-Chung Yan: Attending FOSDEM 2016: First Touch in Open Source Community

alt

FOSDEM 2016 happened at the end of January, but I have been too busy to write my first trip to an open source event.

FOSDEM takes place in Belgium, which is almost ten thousand kilometers from my home. Luckily, Google kindly offered sponsorship for traveling to Belgium and lodging places for former GSoC mentors and students in Debian, which made my travel possible without giving my dad headaches. Thank you Google!

Open source meetings are really fun. Imagine you have been working hard on an exciting project with several colleagues around the world who have never met you, and now you have a chance to meet them and make friends with them, cool! However I am not involved with any project too deeply, so I don’t have too much expectations on this. But I’m still excited when I first saw my mentor Hans-Christoph Steiner! Pity that we forgot to take a picture, as I’m not those kind of people who like to take selfies every day.

One of the most interesting projects I saw during FOSDEM is Ring. Ring is a distributed communication software without central servers. All Ring clients in the world are connected to several others and find a particular user using a distributed hashtable. A Ring client is a key pair, whose public key serves as the ID. Thus, Ring is anti-censorshiping, anti-eavesdropping, which is great for China citizens and feared by the China government. After I got home I knew another similar but older project Tox, which seems to more feature-rich than Ring but still not sufficient for promoting it. There’s a huge disadvantage of both project, which is high battery drainage on Android. Hope someday they will improve it.

At the end of FOSDEM I joined the volunteers to do the clean up. We cleaned all the buildings, restored the rooms and finally shared the dinner at the hall of K Building. I’m not a European so I didn’t talk too much to them, but this is really an unforgettable experience. Hope I can join the next FOSDEM soon.

alt

Planet DebianKai-Chung Yan: Introducing Gradle 1.12 in Debian

alt

After 5 weeks of work, my colleague Komal Sukhani and I succeeded in bringing Gradle 1.12 with other packages into Debian. Here is a brief note of what we’ve done:

Note that both Gradle and Groovy are in experimental distribution because Groovy build-depends on Gradle, and Gradle build-depends on bnd 2.1.0, which is in experimental as well.

Updating these packages takes us an entire month because my summer vacation had not come yet until the day we uploaded Gradle and Groovy, which means we were doing the job in our spare time (Sukhani finished her semester at the beginning though).

Next step is to update Gradle to 2.4 as soon as possible because Sukhani has started her work on the Java part of Android SDK, which requires Gradle 2.2 or above. Before updating Gradle I need to package the Java SDK for AWS, which enables Gradle to access S3 resources. I also need to make gradle-1.12 as a separate package and use it to build gradle_2.4-1.

After that, I will start my work on the C/C++ part of Android SDK, which is far more complicated and messy than I had expected. Yet I enjoy the summer coding. Happy coding, all open source developers!

Finally, feel free to check out my weekly report in Debian’s mailing list:

Planet DebianKai-Chung Yan: Google Summer of Code Started: Packaging Android SDK for Debian

alt

And here it is: I am accepted as a GSoC 2015 student! Actually this has been a while since the result was out in the end of April. When I was applying for this GSoC, I never expected I could be accepted.

So what is Google Summer of Code, in case someone hasn’t heard about it at all? Google Summer of Code is an annual activity hosted by Google which gathers college students around the world to contribute to open source softwares. Every year hundreds of open source organizations join GSoC to provide project ideas and mentors, and thousands of students apply to and choose a project and work on it during the summer, and get well paid by Google if they manage to finish the task. This year we have 1051 students accepted with 49 from China and 2 from Taiwan. You can read more details from this post.

Although it says so from Geography textbooks and my Geography teacher, I had been not believing that India is a software giant, until I saw that India has the most students accepted and my partner on this project is a girl from India!

Project Details

The project we will work on this summer is to package Android SDK into Debian. In addition to that, we wil also update the existing packages that is essential to Android development, e.g. Gradle. Although some may say this project is not quite complicated, it still has lots of work to do, which makes it a rather large project that has two students working on it and a co-mentor. My primary mentor is Hans-Christoph Steiner from The Guardian Project and he also wrote a post about the project.

Why do we need to do this? There are reasons on security, convenience and ideal, but the biggest one for me is that if you use Linux and you write Android apps, or perhaps you are just ready to flash your device a CyanogenMod, there will be no better way than to just type sudo aptitude install adb. More infomation on this project can be found on Debian’s Android Tools Team page.

Problems We Are Facing

Currently (mid May) the offical beginning of coding phase has not yet arrived, but we have made a meeting on IRC and confirmed the largest problems we have so far.

The first problem is the packaging of Gradle. Gradle is a rather new and innovating build automation system, with which most Android apps and the Android SDK tools written in Java are built. It is a building system, so unsurprisingly it is built with itself. In this case, updating Gradle is much harder. Currently Gradle is version 2.4 but the one in Debian is 1.5. In the worst cases, we have to build all versions of Gradle from 1.6 to 2.4 one by one due to its self-dependency.

In reality, building a project with Gradle is way more easier and happier than any other build system because it handles the dependency in a brilliant way by downloading everything it needs, including Gradle itself. Thus it does not matter if you have installed Gradle or even if you are using Linux or Windows. However when building the Debian package, it seems that we have to abandoned the convenience and make it totally offline and rely only on the things in Debian. This is for security and reproducibility but the packaging will be much more complicated since we have to modify lots of code in the build scripts from upstream source. Also in such case, since the building is restricted to rely on the existing things in a Debian system, quite a few plugins that uses softwares that isn’t in Debian yet will be excluded from the Debian version of Gradle, which makes it less usable than simply launching the Gradle wrapper. In that case, I suppose there will be very few people really using the Gradle in Debian repository.

The second problem is how to determine which Git commit we should checkout from the Android SDK repository to build a particular version of the tools. Android SDK does not release its source code in tarball form, so we have to deal with the Git repository. What’s worse, the tools in Android SDK come from different repositories, and they have almost no infomation on the tools’ version number at all. We can’t confirm which commit or tag or branch in the repository corresponds to a particular version. And what’s way worse, Android SDK has 3 parts being SDK-tools, Build-tools and Platform-tools, each of which has defferent version numbers! And what’s way way worse, I have posted the question to various places and no one had answered me.

After our IRC discussion, we have been focusing on Gradle. I am still reading documentations about Debian packaging and using Gradle. All I hope now is that we can finish the project nice and fast and no pity will be left in this summer. Also I hope my GSoC T-shirt will be delivered to my home as soon as possible, it’s really cool!

Do You Want to Join GSoC as Well?

Surprisingly, most students in my school haven’t heard about Google Summer of Code at all, that is why there are only 2 accepted students from Taiwan. But if you know it and you study computer science (or in other ridiculous department related to computer science just like mine), do not hesitate and join the next year’s! Contribute to open source, and get highly paid (5500 USD this year), is it not really cool? Here I am offering you several tips.

Before I applied my proposal, I saw a guy from KDE wrote some tips with a shocking title. Reading that is enough I guess, but I still need to list some points:

  • Contact your potantial mentors even before you are writing your proposal, that really helps.
  • Remember to include a rough schedule in your proposal, it is very important.
  • Be interative to your mentor, ask good questions often.

Have fun in the summer!

Planet DebianHolger Levsen: 20190823-cccamp

Dialing 8874 on the local GSM and DECT networks

Dialing 8874 on the local GSM and DECT networks currently (it's 2:30 in the morning) let's you hear this automatic announcement: "The current temperature of the pool is 36.2 degrees" and said pool is like 15m away, temporarily built beneath a forest illuminated with disco balls...

I <3 cccamp.

,

Krebs on SecurityBreach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.

Hy-Vee, based in Des Moines, announced on Aug. 14 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.

The restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations that the company owns and operates. Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.

But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.

Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware.

“These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,” Hy-Vee said. “This encryption technology protects card data by making it unreadable. Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name “Solar Energy,” at the infamous Joker’s Stash carding bazaar.

An ad at the Joker’s Stash carding site for “Solar Energy,” a batch of more than 5 million credit and debit cards sources say was stolen from customers of supermarket chain Hy-Vee.

Hy-Vee said the company’s investigation is continuing.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” Hy-Vee spokesperson Tina Pothoff said.

The card account records sold by Joker’s Stash, known as “dumps,” apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece. Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth spending time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

Rondam RamblingsFedex: three months and counting

It has now been three months since we shipped a package via Fedex that turned out to be undeliverable (we sent it signature-required, and the recipient, unbeknownst to us, had moved).  We expected that in a situation like that, the package would simply be returned to us, but it wasn't because we paid cash for the original shipment and (again, unbeknownst to us) the shipping cost doesn't include

CryptogramModifying a Tesla to Become a Surveillance Platform

From DefCon:

At the Defcon hacker conference today, security researcher Truman Kain debuted what he calls the Surveillance Detection Scout. The DIY computer fits into the middle console of a Tesla Model S or Model 3, plugs into its dashboard USB port, and turns the car's built-in cameras­ -- the same dash and rearview cameras providing a 360-degree view used for Tesla's Autopilot and Sentry features­ -- into a system that spots, tracks, and stores license plates and faces over time. The tool uses open source image recognition software to automatically put an alert on the Tesla's display and the user's phone if it repeatedly sees the same license plate. When the car is parked, it can track nearby faces to see which ones repeatedly appear. Kain says the intent is to offer a warning that someone might be preparing to steal the car, tamper with it, or break into the driver's nearby home.

Worse Than FailureKeeping Busy

Djungarian Hamster Pearl White run wheel

In 1979, Argle was 18, happy to be working at a large firm specializing in aerospace equipment. There was plenty of opportunity to work with interesting technology and learn from dozens of more senior programs—well, usually. But then came the day when Argle's boss summoned him to his cube for something rather different.

"This is a listing of the code we had prior to the last review," the boss said, pointing to a stack of printed Fortran code that was at least 6 inches thick. "This is what we have now." He gestured to a second printout that was slightly thicker. "I need you to read through this code and, in the old code, mark lines with 'WAS' where there was a change and 'IS' in the new listing to indicate what it was changed to."

Argle frowned at the daunting paper mountains. "I'm sorry, but, why do you need this exactly?"

"It's for FAA compliance," the boss said, waving his hand toward his cubicle's threshold. "Thanks!"

Weighed down with piles of code, Argle returned to his cube with a similarly sinking heart. At this place and time, he'd never even heard of UNIX, and his coworkers weren't likely to know anything about it, either. Their development computer had a TMS9900 CPU, the same one in the TI-99 home computer, and it ran its own proprietary OS from Texas Instruments. There was no diff command or anything like it. The closest analog was a file comparison program, but it only reported whether two files were identical or not.

Back at his cube, Argle stared at the printouts for a while, dreading the weeks of manual, mind-numbing dullness that loomed ahead of him. There was no way he'd avoid errors, no matter how careful he was. There was no way he'd complete this to every stakeholder's satisfaction. He was staring imminent failure in the face.

Was there a better way? If there weren't already a program for this kind of thing, could he write his own?

Argle had never heard of the Hunt–McIlroy algorithm, but he thought he might be able to do line comparisons between files, then hunt ahead in one file or the other until he re-synched again. He asked one of the senior programmers for the files' source code. Within one afternoon of tinkering, he'd written his very own diff program.

The next morning, Argle handed his boss 2 newly printed stacks of code, with "WAS -->" and "IS -->" printed neatly on all the relevant lines. As the boss began flipping through the pages, Argle smiled proudly, anticipating the pleasant surprise and glowing praise to come.

Quite to Argle's surprise, his boss fixed him with a red-faced, accusing glare. "Who said you could write a program?!"

Argle was speechless at first. "I was hired to program!" he finally blurted. "Besides, that's totally error-free! I know I couldn't have gotten everything correct by hand!"

The boss sighed. "I suppose not."

It wasn't until Argle was much older that his boss' reaction made any sense to him. The boss' goal hadn't been "compliance." He simply hadn't had anything constructive for Argle to do, and had thought he'd come up with a brilliant way to keep the new young hire busy and out of his hair for a few weeks.

Writer's note: Through the ages and across time, absolutely nothing has changed. In 2001, I worked at a (paid, thankfully) corporate internship where I was asked to manually browse through a huge network share and write down what every folder contained, all the way through thousands of files and sub-folders. Fortunately, I had heard of the dir command in DOS. Within 30 minutes, I proudly handed my boss the printout of the output—to his bemusement and dismay. —Ellis

[Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

Planet DebianDirk Eddelbuettel: Rcpp now used by 1750 CRAN packages

1751 Rcpp packages

Since this morning, Rcpp stands at just over 1750 reverse-dependencies on CRAN. The graph on the left depicts the growth of Rcpp usage (as measured by Depends, Imports and LinkingTo, but excluding Suggests) over time.

Rcpp was first released in November 2008. It probably cleared 50 packages around three years later in December 2011, 100 packages in January 2013, 200 packages in April 2014, and 300 packages in November 2014. It passed 400 packages in June 2015 (when I tweeted about it), 500 packages in late October 2015, 600 packages in March 2016, 700 packages last July 2016, 800 packages last October 2016, 900 packages early January 2017,
1000 packages in April 2017, 1250 packages in November 2017, and 1500 packages in November 2018. The chart extends to the very beginning via manually compiled data from CRANberries and checked with crandb. The next part uses manually saved entries. The core (and by far largest) part of the data set was generated semi-automatically via a short script appending updates to a small file-based backend. A list of packages using Rcpp is availble too.

Also displayed in the graph is the relative proportion of CRAN packages using Rcpp. The four per-cent hurdle was cleared just before useR! 2014 where I showed a similar graph (as two distinct graphs) in my invited talk. We passed five percent in December of 2014, six percent July of 2015, seven percent just before Christmas 2015, eight percent last summer, nine percent mid-December 2016, cracked ten percent in the summer of 2017 and eleven percent in 2018. We are currently at 11.83 percent: a little over one in nine packages. There is more detail in the chart: how CRAN seems to be pushing back more and removing more aggressively (which my CRANberries tracks but not in as much detail as it could), how the growth of Rcpp seems to be slowing somewhat outright and even more so as a proportion of CRAN – just like one would expect a growth curve to.

1753 Rcpp packages

1750+ user packages is pretty mind-boggling. We can use the progression of CRAN itself compiled by Henrik in a series of posts and emails to the main development mailing list. Not that long ago CRAN itself did not have 1500 packages, and here we are at almost 14810 with Rcpp at 11.84% and still growing (though maybe more slowly). Amazeballs.

The Rcpp team continues to aim for keeping Rcpp as performant and reliable as it has been. A really big shoutout and Thank You! to all users and contributors of Rcpp for help, suggestions, bug reports, documentation or, of course, code.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

,

Cory DoctorowMy MMT Podcast appearance, part 2: monopoly, money, and the power of narrative


Last week, the Modern Monetary Theory Podcast ran part 1 of my interview with co-host Christian Reilly; they’ve just published the second and final half of our chat (MP3), where we talk about the link between corruption and monopoly, how to pitch monetary theory to people who want to abolish money altogether, and how stories shape the future.

If you’re new to MMT, here’s my brief summary of its underlying premises: “Governments spend money into existence and tax it out of existence, and government deficit spending is only inflationary if it’s bidding against the private sector for goods or services, which means that the government could guarantee every unemployed person a job (say, working on the Green New Deal), and which also means that every unemployed person and every unfilled social services role is a political choice, not an economic necessity.”

Planet DebianJoey Hess: releasing two haskell libraries in one day: libmodbus and git-lfs

The first library is a libmodbus binding in haskell.

There are a couple of other haskell modbus libraries, but none that support serial communication out of the box. I've been using a python library to talk to my solar charge controller, but it is not great at dealing with the slightly flakey interface. The libmodbus C library has features that make it more robust, and it also supports fast batched reads.

So a haskell interface to it seemed worth starting while I was doing laundry, and then for some reason it seemed worth writing a whole bunch more FFIs that I may never use, so it covers libmodbus fairly extensively. 660 lines of code all told.

Writing a good binding to a C library has art to it. I've seen ones that are so close you feel you're writing C and not haskell. On the other hand, some are so far removed from the underlying library that its documentation does not carry over at all.

I tried to strike a balance. Same function names so the extensive libmodbus documentation is easy to refer to while using it, but plenty of haskell data types so you won't mix up the parity with the stop bits.

And while it uses a mutable vector under the hood as the buffer for the FFI interface, so it can be just as fast as the C library, I also made functions for reading stuff like registers and coils be polymorphic so easier data types can be used at the expense of a bit of extra allocation.

The big win in this haskell binding is that you can leverage all the nice haskell libraries for dealing with binary data to parse the modbus data, rather than the ad-hoc integer and float conversion stuff from the C library.

For example, the Epever solar charge controller has its own slightly nonstandard way to represent 16 bit and 32 bit floats. Using the binary library to parse its registers in applicative style came out quite nice:

data Epever = Epever
    { pv_array_voltage :: Float
    , pv_array_current :: Float
    , pv_array_power :: Float
    , battery_voltage :: Float
    } deriving (Show)

getEpever :: Get Epever
getEpever = Epever
    <$> epeverfloat  -- register 0x3100
    <*> epeverfloat  -- register 0x3101
    <*> epeverfloat2 -- register 0x3102 (low) and 0x3103 (high)
    <*> epeverfloat  -- register 0x3104
 where
    epeverfloat = decimals 2 <$> getWord16host
    epeverfloat2 = do
        l <- getWord16host
        h <- getWord16host
        return (decimals 2 (l + h*2^16))
    decimals n v = fromIntegral v / (10^n)

The second library is a git-lfs implementation in pure Haskell.

Emphasis on the pure -- there is not a scrap of IO code in this library, just 400+ lines of data types, parsing, and serialization.

I wrote it a couple weeks ago so git-annex can store files in a git-lfs remote. I've also used it as a git-lfs server, mostly while exploring interesting edge cases of git-lfs.


This work was sponsored by Jake Vosloo on Patreon.

Cory DoctorowWhere to catch me at Burning Man!

This is my last day at my desk until Labor Day: tomorrow, we’re driving to Burning Man to get our annual dirtrave fix! If you’re heading to the playa, here’s three places and times you can find me:

Seating is always limited at these things (our living room is big, but it’s not that big!) so come by early!

I hope you have an amazing burn — we always do! This year I’m taking a break from working in the cafe pulling shots in favor of my first-ever Greeter shift, which I’m really looking forward to.

While we’re on the subject, there’s still time to sign up for the Liminal Labs Assassination Game!

Google AdsenseAdditional safeguards to protect the quality of our ad network

Supporting a healthy ads ecosystem that works for publishers, advertisers, and users continues to be a top priority in our effort to sustain a free and open web. As the ecosystem evolves, our ad systems and defenses must adapt as well. Today, we’d like to highlight some of our efforts to protect the quality of our ad network, and the benefits to our publishers and the advertising ecosystem. 


Last year, we introduced a site verification process in AdSense to provide additional safeguards before a publisher can serve ads. This feature allows us to provide more direct feedback to our publishers on the eligibility of their site, while allowing us to communicate issues sooner and lessen the likelihood of future violations. As an added benefit, confirming which websites a publisher intends to monetize allows us to reduce potential misuse of a publisher's ad code, such as when a bad actor tries to claim a website as their own, or when they use a legitimate publisher's ad code to serve ads on bad content in an attempt to demonetize the good website — each day, we now block more than 120 million ad requests with this feature. 


This year, we’re enhancing our defenses even more by improving the systems that identify potentially invalid traffic or high risk activities before ads are served. These defenses allow us to limit ad serving as needed to further protect our advertisers and users, while maximizing revenue opportunities for legitimate publishers. While most publishers will not notice any changes to their ad traffic, we are working on improving the experience for those that may be impacted, by providing more transparency around these actions. Publishers on AdSense and AdMob that are affected will soon be notified of these ad traffic restrictions directly in their Policy Center. This will allow them to understand why they may be experiencing reduced ad serving, and what steps they can take to resolve any issues and continue partnering with us.


We’re excited for what’s to come, and will continue to roll out improvements to these systems with all of our users in mind. Look out for future updates on our ongoing efforts to promote and sustain a healthy ads ecosystem.


Posted by: 
Andres Ferrate - Chief Advocate for Ad Traffic Quality

Krebs on SecurityForced Password Reset? Check Your Assumptions

Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked.

But ironically, many companies taking these proactive steps soon discover that their explanation as to why they’re doing it can get misinterpreted as more evidence of lax security. This post attempts to unravel what’s going on here.

Over the weekend, a follower on Twitter included me in a tweet sent to California-based job search site Glassdoor, which had just sent him the following notice:

The Twitter follower expressed concern about this message, because it suggested to him that in order for Glassdoor to have done what it described, the company would have had to be storing its users’ passwords in plain text. I replied that this was in fact not an indication of storing passwords in plain text, and that many companies are now testing their users’ credentials against lists of hacked credentials that have been leaked and made available online.

The reality is Facebook, Netflix and a number of big-name companies are regularly combing through huge data leak troves for credentials that match those of their customers, and then forcing a password reset for those users. Some are even checking for password re-use on all new account signups.

The idea here is to stymie a massively pervasive problem facing all companies that do business online today: Namely, “credential-stuffing attacks,” in which attackers take millions or even billions of email addresses and corresponding cracked passwords from compromised databases and see how many of them work at other online properties.

So how does the defense against this daily deluge of credential stuffing work? A company employing this strategy will first extract from these leaked credential lists any email addresses that correspond to their current user base.

From there, the corresponding cracked (plain text) passwords are fed into the same process that the company relies upon when users log in: That is, the company feeds those plain text passwords through its own password “hashing” or scrambling routine.

Password hashing is designed to be a one-way function which scrambles a plain text password so that it produces a long string of numbers and letters. Not all hashing methods are created equal, and some of the most commonly used methods — MD5 and SHA-1, for example — can be far less secure than others, depending on how they’re implemented (more on that in a moment). Whatever the hashing method used, it’s the hashed output that gets stored, not the password itself.

Back to the process: If a user’s plain text password from a hacked database matches the output of what a company would expect to see after running it through their own internal hashing process, that user is then prompted to change their password to something truly unique.

Now, password hashing methods can be made more secure by amending the password with what’s known as a “salt” — or random data added to the input of a hash function to guarantee a unique output. And many readers of the Twitter thread on Glassdoor’s approach reasoned that the company couldn’t have been doing what it described without also forgoing this additional layer of security.

My tweeted explanatory reply as to why Glassdoor was doing this was (in hindsight) incomplete and in any case not as clear as it should have been. Fortunately, Glassdoor’s chief information officer Anthony Moisant chimed in to the Twitter thread to explain that the salt is in fact added as part of the password testing procedure.

“In our [user] database, we’ve got three columns — username, salt value and scrypt hash,” Moisant explained in an interview with KrebsOnSecurity. “We apply the salt that’s stored in the database and the hash [function] to the plain text password, and that resulting value is then checked against the hash in the database we store. For whatever reason, some people have gotten it into their heads that there’s no possible way to do these checks if you salt, but that’s not true.”

CHECK YOUR ASSUMPTIONS

You — the user — can’t be expected to know or control what password hashing methods a given site uses, if indeed they use them at all. But you can control the quality of the passwords you pick.

I can’t stress this enough: Do not re-use passwords. And don’t recycle them either. Recycling involves rather lame attempts to make a reused password unique by simply adding a digit or changing the capitalization of certain characters. Crooks who specialize in password attacks are wise to this approach as well.

If you have trouble remembering complex passwords (and this describes most people), consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember.

According to a recent blog entry by Microsoft group program manager Alex Weinert, none of the above advice about password complexity amounts to a hill of beans from the attacker’s standpoint.

Weinert’s post makes a compelling argument that as long as we’re stuck with passwords, taking full advantage of the most robust form of multi-factor authentication (MFA) offered by a site you frequent is the best way to deter attackers. Twofactorauth.org has a handy list of your options here, broken down by industry.

“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Glassdoor’s Moisant said the company doesn’t currently offer MFA for its users, but that it is planning to roll that out later this year to both consumer and business users.

Password managers also can be useful for those who feel encumbered by having to come up with passphrases or complex passwords. If you’re uncomfortable with entrusting a third-party service or application to handle this process for you, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop or screen or whatever, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.

Although many readers will no doubt take me to task on that last bit of advice, as in all things security related it’s important not to let the perfect become the enemy of the good. Many people (think moms/dads/grandparents) can’t be bothered to use password managers  — even when you go through the trouble of setting them up on their behalf. Instead, without an easier, non-technical method they will simply revert to reusing or recycling passwords.

CryptogramGoogle Finds 20-Year-Old Microsoft Windows Vulnerability

There's no indication that this vulnerability was ever used in the wild, but the code it was discovered in -- Microsoft's Text Services Framework -- has been around since Windows XP.

Planet DebianRuss Allbery: Review: Trail of Lightning

Review: Trail of Lightning, by Rebecca Roanhorse

Series: The Sixth World #1
Publisher: Saga
Copyright: 2018
ISBN: 1-5344-1351-0
Format: Kindle
Pages: 286

Maggie Hoskie is a monster hunter. Trained and then inexplicably abandoned by Neizghání, an immortal monster-slayer of her people, the Diné (Navajo), she's convinced that she's half-monster herself. Given that she's the sort of monster hunter who also kills victims that she thinks may be turned into monsters themselves, she may have a point. Apart from contracts to kill things, she stays away from nearly everyone except Tah, a medicine man and nearly her only friend.

The monster that she kills at the start of the book is a sign of a larger problem. Tah says that it was created by someone else using witchcraft. Maggie isn't thrilled at the idea of going after the creator alone, given that witchcraft is what Neizghání rescued her from in an event that takes Maggie most of the book to be willing to describe. Tah's solution is a partner: Tah's grandson Kai, a handsome man with a gift for persuasion who has never hunted a monster before.

If you've read any urban fantasy, you have a pretty good idea of where the story goes from there, and that's a problem. The hair-trigger, haunted kick-ass woman with a dark past, the rising threat of monsters, the protagonist's fear that she's a monster herself, and the growing romance with someone who will accept her is old, old territory. I've read versions of this from Laurell K. Hamilton twenty-five years ago to S.L. Huang's ongoing Cas Russell series. To stand out in this very crowded field, a series needs some new twist. Roanhorse's is the deep grounding in Native American culture and mythology. It worked well enough for many people to make it a Hugo, Nebula, and World Fantasy nominee. It didn't work for me.

I partly blame a throw-away line in Mike Kozlowski's review of this book for getting my hopes up. He said in a parenthetical note that "the book is set in Dinétah, a Navajo nation post-apocalyptically resurgent." That sounded great to me; I'd love to read about what sort of society the Diné might build if given the opportunity following an environmental collapse. Unfortunately, there's nothing resurgent about Maggie's community or people in this book. They seem just as poor and nearly as screwed as they are in our world; everyone else has just been knocked down even farther (or killed) and is kept at bay by magical walls. There's no rebuilding of civilization here, just isolated settlements desperate for water, plagued by local warlords and gangs, and facing the added misery of supernatural threats. It's bleak, cruel, and unremittingly hot, which does not make for enjoyable reading.

What Roanhorse does do is make extensive use of Native American mythology to shape the magic system, creatures, and supernatural world view of the book. This is great. We need a wider variety of magic systems in fantasy, and drawing on mythological systems other than Celtic, Greek, Roman, and Norse is a good start. (Roanhorse herself is Ohkay Owingeh Pueblo, not Navajo, but I assume without any personal knowledge that her research here is reasonably good.) But, that said, the way the mythology plays out in this book didn't work for me. It felt scattered and disconnected, and therefore arbitrary.

Some of the difficulty here is inherent in the combination of my unfamiliarity and the challenge of adopting real-world mythological systems for stories. As an SFF reader, one of the things I like from the world-building is structure. I like seeing how the pieces of the magical system fit together to build a coherent set of rules, and how the protagonists manipulate those rules in the story. Real-world traditions are rarely that neat and tidy. If the reader is already familiar with the tradition, they can fill in a lot of the untold back story that makes the mythology feel more coherent. If the author cannot assume that knowledge, they can get stuck between simplifying and restructuring the mythology for easy understanding or showing only scattered and apparently incoherent pieces of a vast system. I think the complaints about the distorted and simplified version of Celtic mythology in a lot of fantasy novels from those familiar with the real thing is the flip-side to this problem; it's worse mythology, but it may be more approachable storytelling.

I'm sure it didn't help that one of the most important mythological figures of this book is Coyote, a trickster god. I have great intellectual appreciation for the role of trickster gods in mythological systems, but this is yet more evidence that I rarely get along with them in stories. Coyote in this story is less of an unreliable friend and more of a straight-up asshole who was not fun to read about.

That brings me to my largest complaint about this novel: I liked exactly one person in the entire story. Grace, the fortified bar owner, is great and I would have happily read a book about her. Everyone else, including Maggie, ranged from irritating to unbearably obnoxious. I was saying the eight deadly words ("I don't care what happens to these people") by page 100.

Here, tastes will differ. Maggie acts the way that she does because she's sitting on a powder keg of unprocessed emotional injury from abuse, made far worse by Neizghání's supposed "friendship." It's realistic that she shuts down, refuses to have meaningful conversations, and lashes out at everyone on a hair trigger. I felt sympathy, but I didn't like her, and liking her is important when the book is written in very immediate present-tense first person. Kai is better, but he's a bit too much of a stereotype, and I have an aversion to supposedly-charming men. I think some of the other characters could have been good if given enough space (Tah, for instance), but Maggie's endless loop of self-hatred doesn't give them any room to breathe.

Add on what I thought were structural and mechanical flaws (the first-person narration is weirdly specific and detail-oriented in a way that felt like first-novel mechanical problems, and the ending is one of the least satisfying and most frustrating endings I have ever read in a book of this sort) and I just didn't like this. Clearly there are a lot of people nominating and voting for awards who think I'm wrong, so your mileage may vary. But I thought it was unoriginal except for the mythology, unsatisfying in the mythology, and full of unlikable characters and unpleasant plot developments. I'm unlikely to read more in this series.

Followed by Storm of Locusts.

Rating: 4 out of 10

,

Planet DebianPhilipp Kern: Alpha: Self-service buildd givebacks

Builds on Debian's build farm sometimes fail transiently. Sometimes those failures are legitimate flakes, for instance when an in-progress build happens to exhaust its resources because of other builds on the same machine. Until now, you always needed to mail the buildd, wanna-build admins or the Release Team directly in order to get the builds re-queued.

As an alpha trial I implemented self-service givebacks as a web script. As SSO for Debian developers is now a thing, it is trivial to add authentication in a way that a role account can use to act on your behalf. While at work this would all be an RPC service, I figured that a little CGI script would do the job just as well. So lo and behold, accessing
https://buildd.debian.org/auth/giveback.cgi?pkg=<package>&suite=<suite>&arch=<arch> with the right parameters set:

You are authenticated as pkern. ✓
Working on package fife, suite sid and architecture mipsel. ✓
Package version 0.4.2-1 in state Build-Attempted, can be given back. ✓
Successfully given back the package. ✓

Note that you need to be a Debian developer with a valid SSO client certificate to access this service.

So why do I say alpha? We still expect Debian developers to act responsibly when looking at build failures. A lot of times there is a legitimate bug in the package and the last thing we would like to see as a project is someone addressing flakiness by continuously retrying a build. Access to this service is logged. Most people coming to us today did their due diligence and tried reproducing the issue on a porterbox. We still expect these things to happen but this aims to cut on the round-trip time until an admin gets around to process your request, which have been longer than necessary recently. We will audit the logs and see if particular packages stand out.

There can also still be bugs. Please file them against buildd.debian.org when you see them. Please include a copy of the output, which includes validation and important debugging information when requests are rejected. Also this all only works for packages in Build-Attempted. If the build has been marked as Failed (which is a manual process), you still need to mail us. And lastly the API can still change. Luckily the state change can only happen once, so it's not much of a problem for the GET request to be retried. But it should likely move to POST anyhow. In that case I will update this post to reflect the new behavior.

Thanks to DSA for making sure that I run the service sensibly using a dedicated role account as well as WSGI and doing the work to set up the necessary bits.

CryptogramSurveillance as a Condition for Humanitarian Aid

Excellent op-ed on the growing trend to tie humanitarian aid to surveillance.

Despite the best intentions, the decision to deploy technology like biometrics is built on a number of unproven assumptions, such as, technology solutions can fix deeply embedded political problems. And that auditing for fraud requires entire populations to be tracked using their personal data. And that experimental technologies will work as planned in a chaotic conflict setting. And last, that the ethics of consent don't apply for people who are starving.

Planet DebianBits from Debian: salsa.debian.org: Postmortem of failed Docker registry move

The Salsa admin team provides the following report about the failed migration of the Docker container registry. The Docker container registry stores Docker images, which are for example used in the Salsa CI toolset. This migration would have moved all data off to Google Cloud Storage (GCS) and would have lowered the used file system space on Debian systems significantly.

The Docker container registry is part of the Docker distribution toolset. This system supports multiple backends for file storage: local, Amazon Simple Storage Service (Amazon S3) and Google Cloud Storage (GCS). As Salsa already uses GCS for data storage, the Salsa admin team decided to move all the Docker registry data off to GCS too.

Migration and rollback

On 2019-08-06 the migration process was started. The migration itself went fine, although it took a bit longer than anticipated. However, as not all parts of the migration had been properly tested, a test of the garbage collection triggered a bug in the software.

On 2019-08-10 the Salsa admins started to see problems with garbage collection. The job running it timed out after one hour. Within this timeframe it not even managed to collect information about all used layers to see what it can cleanup. A source code analysis showed that this design flaw can't be fixed.

On 2019-08-13 the change was rolled back to storing data on the file system.

Docker registry data storage

The Docker registry stores all of the data sans indexing or reverse references in a file system-like structure comprised of 4 separate types of information: Manifests of images and contents, tags for the manifests, deduplicaed layers (or blobs) which store the actual data, and lastly links which show which deduplicated blogs belong to their respective images, all of this does not allow for easy searching within the data.

The file system structure is built as append-only which allows for adding blobs and manifests, addition, modification, or deletion of tags. However cleanup of items other than tags is not achievable within the maintenance tools.

There is a garbage collection process which can be used to clean up unreferenced blobs, however according to the documentation the process can only be used while the registry is set to read-only and unfortunately it cannot be used to clean up unused links.

Docker registry garbage collection on external storage

For the garbage collection the registry tool needs to read a lot of information as there is no indexing of the data. The tool connects to the storage medium and proceeds to download … everything, every single manifest and information about the referenced blobs, which now takes up over 1 second to process a single manifest. This process will take up a significant amount of time, which in the current configuration of external storage would make the clean up nearly impossible.

Leasons learned

The Docker registry is a data storage tool that can only properly be used in append-only mode. If you never cleanup, it works well.

As soon as you want to actually remove data, it goes bad. For Salsa clean up of old data is actually a necessity, as the registry currently grows about 20GB per day.

Next steps

Sadly there is not much that can be done using the existing Docker container registry. Maybe GitLab or someone else would like to contribute a new implementation of a Docker registry, either integrated into GitLab itself or stand-alone?

Planet DebianRaphaël Hertzog: Promoting Debian LTS with stickers, flyers and a video

With the agreement of the Debian LTS contributors funded by Freexian, earlier this year I decided to spend some Freexian money on marketing: we sponsored DebConf 19 as a bronze sponsor and we prepared some stickers and flyers to give out during the event.

The stickers only promote the Debian LTS project with the semi-official logo we have been using and a link to the wiki page. You can see them on the back of a laptop in the picture below. As you can see, we have made two variants with different background colors:

The flyers and the video are meant to introduce the Debian LTS project and to convince companies to sponsor the Debian LTS project through the Freexian offer. Those are short documents and they can’t explain the precise relationship between Debian LTS and Freexian. We try to show that Freexian is just an intermediary between contributors and companies, but some persons will still have the feeling that a commercial entity is organizing Debian LTS.

Check out the video on YouTube:

The inside of the flyer looks like this:

Click on the picture to see it full size

Note that due to some delivery issues, we have left-over flyers and stickers. If you want some to give out during a free software event, feel free to reach out to me.

No comment | Liked this article? Click here. | My blog is Flattr-enabled.

Planet DebianRaphaël Hertzog: Freexian’s report about Debian Long Term Support, July 2019

A Debian LTS logoLike each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In July, 199 work hours have been dispatched among 13 paid contributors. Their reports are available:

  • Adrian Bunk got 8h assigned but did nothing (plus 10 extra hours from June), thus he is carrying over 18h to August.
  • Ben Hutchings did 18.5 hours (out of 18.5 hours allocated).
  • Brian May did 10 hours (out of 10 hours allocated).
  • Chris Lamb did 18 hours (out of 18 hours allocated).
  • Emilio Pozuelo Monfort did 21 hours (out of 18.5h allocated + 17h remaining, thus keeping 14.5 extra hours for August).
  • Hugo Lefeuvre did 9.75 hours (out of 18.5 hours, thus carrying over 8.75h to Augustq).
  • Jonas Meurer did 19 hours (out of 17 hours allocated plus 2h extra hours June).
  • Markus Koschany did 18.5 hours (out of 18.5 hours allocated).
  • Mike Gabriel did 15.75 hours (out of 18.5 hours allocated plus 7.25 extra hours from June, thus carrying over 10h to August.).
  • Ola Lundqvist did 0.5 hours (out of 8 hours allocated plus 8 extra hours from June, then he gave 7.5h back to the pool, thus he is carrying over 8 extra hours to August).
  • Roberto C. Sanchez did 8 hours (out of 8 hours allocated).
  • Sylvain Beucler did 18.5 hours (out of 18.5 hours allocated).
  • Thorsten Alteholz did 18.5 hours (out of 18.5 hours allocated).

Evolution of the situation

July was different than other months. First, some people have been on actual vacations, while 4 of the above 14 contributors met in Curitiba, Brazil, for DebConf19. There, a talk about LTS (slides, video) was given, followed by a Q&ligA session. Also a new promotional video about Debian LTS, aimed at potential sponsors was shown there for the first time.

DebConf19 was also a success in respect to on-boarding of new contributors, we’ve found three potential new contributors, one of them is already in training.

The security tracker (now for oldoldstable as Buster has been released and thus Jessie became oldoldstable) currently lists 51 packages with a known CVE and the dla-needed.txt file has 35 packages needing an update.

Thanks to our sponsors

New sponsors are in bold.

No comment | Liked this article? Click here. | My blog is Flattr-enabled.

Worse Than FailureCodeSOD: I'm Sooooooo Random, LOL

There are some blocks of code that require a preamble, and an explanation of the code and its flow. Often you need to provide some broader context.

Sometimes, you get some code like Wolf found, which needs no explanation:

export function generateRandomId(): string { counter++; return 'id' + counter; }

I mean, I guess that's a slightly better than this solution. Wolf found this because some code downstream was expecting random, unique IDs, and wasn't getting them.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

Planet DebianDirk Eddelbuettel: RcppQuantuccia 0.0.3

A maintenance release of RcppQuantuccia arrived on CRAN earlier today.

RcppQuantuccia brings the Quantuccia header-only subset / variant of QuantLib to R. At the current stage, it mostly offers date and calendaring functions.

This release was triggered by some work CRAN is doing on updating C++ standards for code in the repository. Notably, under C++11 some constructs such ptr_fun, bind1st, bind2nd, … are now deprecated, and CRAN prefers the code base to not issue such warnings (as e.g. now seen under clang++-9). So we updated the corresponding code in a good dozen or so places to the (more current and compliant) code from QuantLib itself.

We also took this opportunity to significantly reduce the footprint of the sources and the installed shared library of RcppQuantuccia. One (unexported) feature was pricing models via Brownian Bridges based on quasi-random Sobol sequences. But the main source file for these sequences comes in at several megabytes in sizes, and allocates a large number of constants. So in this version the file is excluded, making the current build of RcppQuantuccia lighter in size and more suitable for the (simpler, popular and trusted) calendar functions. We also added a new holiday to the US calendar.

The complete list changes follows.

Changes in version 0.0.3 (2019-08-19)

  • Updated Travis CI test file (#8)).

  • Updated US holiday calendar data with G H Bush funeral date (#9).

  • Updated C++ use to not trigger warnings [CRAN request] (#9).

  • Comment-out pragmas to suppress warnings [CRAN Policy] (#9).

  • Change build to exclude Sobol sequence reducing file size for source and shared library, at the cost of excluding market models (#10).

Courtesy of CRANberries, there is also a diffstat report relative to the previous release. More information is on the RcppQuantuccia page. Issues and bugreports should go to the GitHub issue tracker.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.

Planet DebianJaskaran Singh: GSoC Final Report

Introduction:

The Debian Patch Porting System aims to systematize and partially automate the security patch porting process.

In this Google Summer of Code (2019), I wrote a webcrawler to extract security patches for a given security vulnerability identifier. This webcrawler or patch-finder serves as the first step of the Debian Patch Porting System.

The Patch-finder should recognize numerous vulnerability identifiers. These identifiers can be security advisories (DSA, GLSA, RHSA), vulnerability identifiers (OVAL, CVE), etc. So far, it can identify CVE, DSA (Debian Security Advisory), GLSA (Gentoo Linux Security Advisory) and RHSA (Red Hat Security Advisory).

Each vulnerability identifier has a list of entrypoint URLs associated with it. These URLs are used to initiate the patch finding.

Vulnerabilities that are not CVEs are generic vulnerabilities. If a generic vulnerability is given, its “aliases” (i.e. CVEs that are related to the generic vulnerability) are determined. This method was chosen because CVEs are quite possibly the most widely used security vulnerability and thus would have the most number of patches associated to them. Once the aliases are determined, the entrypoint URLs of the aliases are crawled for the patch-finding.

The Patch-finder is based on the web crawling and scraping framework Scrapy.

What was done:

During these three months, I have:

  • Used Scrapy to implement a spider to collect patch links.
  • Implemented a recursive patch-finding process. Any links that the patch-finder finds on a page (in a certain area of interest, of course) that are not patch links are followed.
  • Implemented a crawler to extract patches from Debian Packages.
  • Implemented a crawler to extract patches from a given GitHub repository.

Here’s a link to the patch-finder’s Github Repository which I have used for GSoC.

TODO:

There is a lot more stuff to be done, from solving small bugs to implementing major features. Some of these issues are on the project’s GitHub issue tracker here. Following is a summary of these issues and a few more ideas:

  • A way to uniquely identify patches. This is so that the same patches are not scraped and collected.
  • A Database, and a corresponding database API.
  • Store patches in the database, along with any other information.
  • Collect not only patches but other information relevant to the vulnerability.
  • Integrate the Github crawler/parser in the crawling process.
  • A way to check the relevancy of the patch to the vulnerability. A naive solution is, of course, to simply check for mention of the vulnerability ID in the patch description.
  • Efficient page filters. Certain links should not be crawled because it is obvious they will not yield any patches, for example homepages.
  • A better way to scrape links, rather than using a URL’s corresponding xpath.
  • A more efficient testing framework.
  • More crawlers/parsers.

Weekly Reports:

Following is a list of weekly reports I sent to the Debian Outreach mailing list during GSoC:

Personal Notes:

Google Summer of Code has been a super comfortable and fun experience for me. I’ve learnt tonnes about Python, Open Source and Software Development. My mentors Luciano Bello and László Böszörményi have been immensely helpful and have guided me through these three months.

I plan to continue working on this project and hopefully develop it to a state where Debian and everyone who needs it can use it conveniently.

,

Cory DoctorowPodcast: A cycle of renewal, broken: How Big Tech and Big Media abuse copyright law to slay competition

In my latest podcast (MP3), I read my essay “A Cycle of Renewal, Broken: How Big Tech and Big Media Abuse Copyright Law to Slay Competition”, published today on EFF’s Deeplinks; it’s the latest in my ongoing series of case-studies of “adversarial interoperability,” where new services unseated the dominant companies by finding ways to plug into existing products against those products’ manufacturers. This week’s installment recounts the history of cable TV, and explains how the legal system in place when cable was born was subsequently extinguished (with the help of the cable companies who benefitted from it!) meaning that no one can do to cable what cable once did to broadcasters.

In 1950, a television salesman named Robert Tarlton put together a consortium of TV merchants in the town of Lansford, Pennsylvania to erect an antenna tall enough to pull down signals from Philadelphia, about 90 miles to the southeast. The antenna connected to a web of cables that the consortium strung up and down the streets of Lansford, bringing big-city TV to their customers — and making TV ownership for Lansfordites far more attractive. Though hobbyists had been jury-rigging their own “community antenna television” networks since 1948, no one had ever tried to go into business with such an operation. The first commercial cable TV company was born.

The rise of cable over the following years kicked off decades of political controversy over whether the cable operators should be allowed to stay in business, seeing as they were retransmitting broadcast signals without payment or permission and collecting money for the service. Broadcasters took a dim view of people using their signals without permission, which is a little rich, given that the broadcasting industry itself owed its existence to the ability to play sound recordings over the air without permission or payment.

The FCC brokered a series of compromises in the years that followed, coming up with complex rules governing which signals a cable operator could retransmit, which ones they must retransmit, and how much all this would cost. The end result was a second way to get TV, one that made peace with—and grew alongside—broadcasters, eventually coming to dominate how we get cable TV in our homes.

By 1976, cable and broadcasters joined forces to fight a new technology: home video recorders, starting with Sony’s Betamax recorders. In the eyes of the cable operators, broadcasters, and movie studios, these were as illegitimate as the playing of records over the air had been, or as retransmitting those broadcasts over cable had been. Lawsuits over the VCR continued for the next eight years. In 1984, the Supreme Court finally weighed in, legalizing the VCR, and finding that new technologies were not illegal under copyright law if they were “capable of substantial noninfringing uses.”

MP3

Planet DebianJonathan Dowland: Shared notes and TODO lists

When it comes to organising myself, I've long been anachronistic. I've relied upon paper notebooks for most of my life. In the last 15 years I've stuck to a particular type of diary/notebook hybrid, with a week-to-view on the left-hand side of pages and lined notebook pages on the right.

This worked well for me for my own personal stuff but obviously didn't work well for family things that need to be shared. Trying to find systems that work for both my wife and I has proven really challenging. The best we've come up with so far is a shared (IMAP) account and Apple's notes apps.

On iOS, Apple's low-frills note-taking app lets you synchronise your notes with a mail account (over IMAP). It stores them individually in HTML format, one email per note page, in a mailbox called "Notes". You can set up note syncing to the same account from multiple devices, and so we have a "family" mailbox set up on both my phone and my wife's. I can also get at the notes using any other mail client if I need to.

This works surprisingly well, but not perfectly. In particular synchronising changes to notes can go wrong if we both have the same note page open at the same time. The failure mode is not the worst: it duplicates the note into two; but it's still a problem.

Can anyone recommend a simple, more robust system for sharing notes — and task lists — between people? For task lists, it would be lovely (but not essential) if we could tick things off. At the moment we manage that just as free-form text.

Planet DebianHolger Levsen: 20190818-cccamp

Home again

Two days ago I finally arrived home again and was greeted with this very nice view when entering the area:

(These images were taken yesterday from inside the venue.)

To give an idea of scale, the Pesthörnchen flag on top is 2m wide :)

Since today, there's also a rainbow flag next to the Pesthörnchen one. I'm very much looking forward to the next days, though buildup is big fun already.

Planet DebianAntoine Beaupré: KNOB attack: Is my Bluetooth device insecure?

A recent attack against Bluetooth, called KNOB, has been making waves last week. In essence, it allows an attacker to downgrade the security of a Bluetooth so much that it's possible for the attacker to break the encryption key and spy on all the traffic. The attack is so devastating that some have described it as the "stop using bluetooth" flaw.

This is my attempt at answering my own lingering questions about "can I still use Bluetooth now?" Disclaimer: I'm not an expert in Bluetooth at all, and just base this analysis on my own (limited) knowledge of the protocol, and some articles (including the paper) I read on the topic.

Is Bluetooth still safe?

It really depends what "safe" means, and what your threat model is. I liked how the Ars Technica article put it:

It's also important to note the hurdles—namely the cost of equipment and a surgical-precision MitM—that kept the researchers from actually carrying out their over-the-air attack in their own laboratory. Had the over-the-air technique been easy, they almost certainly would have done it.

In other words, the active attack is really hard to do, and the researchers didn't actually do one at all! It's a theoretical flaw, at this point, and while it's definitely possible, it's not what the researchers did:

The researchers didn't carry out the man-in-the-middle attack over the air. They did, however, root a Nexus 5 device to perform a firmware attack. Based on the response from the other device—a Motorola G3—the researchers said they believe that both attacks would work.

This led some researchers to (boldy) say they would still use a Bluetooth keyboard:

Dan Guido, a mobile security expert and the CEO of security firm Trail of Bits, said: "This is a bad bug, although it is hard to exploit in practice. It requires local proximity, perfect timing, and a clear signal. You need to fully MitM both peers to change the key size and exploit this bug. I'm going to apply the available patches and continue using my bluetooth keyboard."

So, what's safe and what's not, in my much humbler opinion?

Keyboards: bad

The attack is a real killer for Bluetooth keyboards. If an active attack is leveraged, it's game over: everything you type is visible to the attacker, and that includes, critically, passwords. In theory, one could even input keyboard events into the channel, which allows basically arbitrary code execution on the host.

Some, however, made the argument that it's probably easier to implant a keylogger in the device than actually do that attack, but I disagree: this requires physical access, while the KNOB attack can be done remotely.

How far this can be done, by the way, is still open to debate. The Telegraph claimed "a mile" in a click-bait title, but I think such an attacker would need to be much closer for this to work, more in the range of "meters" than "kilometers". But it still means "a black van sitting outside your house" instead of "a dude breaking into your house", which is a significant difference.

Other input devices: hum

I'm not sure mice and other input devices are such a big deal, however. Extracting useful information from those mice moving around the screen is difficult without seeing what's behind that screen.

So unless you use an on-screen keyboard or have special input devices, I don't think those are such a big deal when spied upon.

They could be leveraged with other attacks to make you "click through" some things an attacker would otherwise not be able to do.

Speakers: okay

I think I'll still keep using my Bluetooth speakers. But that's because I don't have much confidential audio I listen to. I listen to music, movies, and silly cat videos; not confidential interviews with victims of repression that should absolutely have their identities protected. And if I ever come across such material, I now know that I should not trust that speaker..

Otherwise, what's an attacker going to do here: listen to my (ever decreasing) voicemail (which is transmitted in cleartext by email anyways)? Listen to that latest hit? Meh.

Do keep in mind that some speakers have microphones in them as well, so that's not the entire story...

Headsets and microphones: hum

Headsets and microphones are another beast, as they can listen to other things in your environment. I do feel much less comfortable using those devices now. What makes the entire thing really iffy is some speakers do have microphones in them and all of a sudden everything around you can listen on your entire life.

(It seems like a given, with "smart home assistants" these days, but I still like to think my private conversations at home are private, in general. And I generally don't want to be near any of those "smart" devices, to be honest.)

One mitigating circumstance here is that the attack needs to happen during the connection (or pairing? still unclear) negociation, which doesn't happen that often if everything works correctly. Unfortunately, this happens more than often exactly with speakers and headsets. That's because many of those devices stupidly have low limits on the number of devices they can pair with. For example, the Bose Soundlink II can only pair with 8 other devices. If you count three device by person (laptop, workstation, phone), you quickly hit the limit when you move the device around. So I end up repairing that device quite often.

And that would be if the attack takes place during the pairing phase. As it turns out, the attack window is much wider: the attack happens during the connexion stage (see Figure 1, page 1049 in the paper), after devices have paired. This actually happens way more often than just during pairing. Any time your speaker or laptop will go to sleep, it will disconnect. Then to start using the device again, the BT layer will renegociate that keysize, and the attack can happen again.

(I have written the authors of the paper to clarify at which stage the attack happens and will update this post when/if they reply. Update: Daniele Antonioli has confirmed the attack takes place at connect phase.)

Fortunarely, the Bose Soundlink II has no microphone, which I'm thankful of. But my Bluetooth headset does have a microphone, which makes me less comfortable.

File and contact transfers: bad

Bluetooth, finally, is also used to transfer stuff other than audio of course. It's clunky, weird and barely working, but it's possible to send files over Bluetooth, and some headsets and car controllers will ask you permission to list your contacts so that "smart" features like "OK Google, call dad please" will work.

This attack makes it possible for an attacker to steal your contacts, when connecting devices. It can also intercept file transfers and so on.

That's pretty bad, to say the least.

Unfortunately, the "connection phase" mitigation described above is less relevant here. It's less likely you'll be continuously connecting two phones (or your phone and laptop) together for the purpose of file transfers. What's more likely is you'll connect the devices for explicit purpose of the file transfer, and therefore an attacker has a window for attack at every transfer.

I don't really use the "contacts" feature anyways (because it creeps me the hell out in the first place), so that's not a problem for me. But the file transfer problem will certainly give me pause the next time I ever need to feel the pain of transfering files over Bluetooth again, which I hope is "never".

It's interesting to note the parallel between this flaw, which will mostly affect Android file transfers, and the recent disclosure of flaws with Apple's Airdrop protocol which was similarly believed to be secure, even though it was opaque and proprietary. Now, think a bit about how Airdrop uses Bluetooth to negociate part of the protocol, and you can feel like I feel that everything in security just somewhat keeps crashes down and we don't seem to be able to make any progress at all.

Overall: meh

I've always been uncomfortable with Bluetooth devices: the pairing process has no sort of authentication whatsoever. The best you get is to enter a pin, and it's often "all zeros" or some trivially easy thing to bruteforce. So Bluetooth security has always felt like a scam, and I especially never trusted keyboards with passwords, in particular.

Like many branded attacks, I think this one might be somewhat overstated. Yes, it's a powerful attack, but Bluetooth implementations are already mostly proprietary junk that is undecipherable from the opensource world. There are no or very few open hardware implementations, so it's somewhat of expected we find things like this.

I have also found the response from the Bluetooth SIG is particularly alarming:

To remedy the vulnerability, the Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections.

7 octets is 56 bits. That's the equivalent of DES, which was broken in 56 hours back, over 20 years ago. That's far from enough. But what's more disturbing is that this key size negociation protocol might be there "because 'some' governments didn't want other governments to have stronger encryption", ie. it would be a backdoor.

The 7-byte lower bound might also be there because of Apple lobbying. Their AirPods were implemented as not-standards-compliant and already have that lower 7-byte bound, so by fixing the standard to match one Apple implementation, they would reduce the cost of their recall/replacements/upgrades.

Overally, this behavior of the standards body is what should make us suspicious of any Bluetooth device going forward, and question the motivations of the entire Bluetooth standardization process. We can't use 56 bits keys anymore, and I can't believe I need to explicitely say so, but it seems it's where we're at with Bluetooth these days.

Planet DebianJonathan Dowland: NAS upgrade

After 5 years of continuous service, the mainboard in my NAS recently failed (at the worst possible moment). I opted to replace the mainboard with a more modern version of the same idea: ASRock J4105-ITX featuring the Intel J4105, an integrated J-series Celeron CPU, designed to be passively cooled, and I've left the rest of the machine as it was.

In the process of researching which CPU/mainboard to buy, I was pointed at the Odroid-H2: a single-board computer (SBC) designed/marketed at a similar sector to things like the Raspberry PI (but featuring the exact same CPU as the mainboard I eventually settled on). I've always felt that the case I'm using for my NAS is too large, but didn't want to spend much money on a smaller one. The ODroid-H2 has a number of cheap, custom-made cases for different use-cases, including one for NAS-style work, which is in a very small footprint: the "Case 1". Unfortunately this case positions two disk drives flat, one vertically above the other, and both above the SBC. I was too concerned that one drive would be heating the other, and cumulatively both heating the SBC at that orientation. The case is designed with a fan but I want to avoid requiring one. I had too many bad memories of trying to control the heat in my first NAS, the Thecus n2100, which (by default) oriented the drives in the same way (and for some reason it never occurred to me to rotate that device into the "toaster" orientation).

I've mildly revised my NAS page to reflect the change. Interestingly most of the niggles I was experiencing were all about the old mainboard, so I've moved them on a separate page (J1900N-D3V) in case they are useful to someone.

At some point in the future I hope to spend a little bit of time on the software side of things, as some of the features of my set up are no longer working as they should: I can't remote-decrypt the main disk via SSH on boot, and the first run of any backup fails due to some kind of race condition in the systemd unit dependencies. (The first attempt does not correctly mount the backup partition; the second attempt always succeeds).

Krebs on SecurityThe Rise of “Bulletproof” Residential Networks

Cybercrooks increasingly are anonymizing their malicious traffic by routing it through residential broadband and wireless data connections. Traditionally, those connections have been mainly hacked computers, mobile phones, or home routers. But this story is about so-called “bulletproof residential VPN services” that appear to be built by purchasing or otherwise acquiring discrete chunks of Internet addresses from some of the world’s largest ISPs and mobile data providers.

In late April 2019, KrebsOnSecurity received a tip from an online retailer who’d seen an unusual number of suspicious transactions originating from a series of Internet addresses assigned to a relatively new Internet provider based in Maryland called Residential Networking Solutions LLC.

Now, this in itself isn’t unusual; virtually every provider has the occasional customers who abuse their access for fraudulent purposes. But upon closer inspection, several factors caused me to look more carefully at this company, also known as “Resnet.”

An examination of the IP address ranges assigned to Resnet shows that it maintains an impressive stable of IP blocks — totaling almost 70,000 IPv4 addresses — many of which had until quite recently been assigned to someone else.

Most interestingly, about ten percent of those IPs — more than 7,000 of them — had until late 2018 been under the control of AT&T Mobility. Additionally, the WHOIS registration records for each of these mobile data blocks suggest Resnet has been somehow reselling data services for major mobile and broadband providers, including AT&T, Verizon, and Comcast Cable.

The WHOIS records for one of several networks associated with Residential Networking Solutions LLC.

Drilling down into the tracts of IPs assigned to Resnet’s core network indicates those 7,000+ mobile IP addresses under Resnet’s control were given the label  “Service Provider Corporation” — mostly those beginning with IPs in the range 198.228.x.x.

An Internet search reveals this IP range is administered by the Wireless Data Service Provider Corporation (WDSPC), a non-profit formed in the 1990s to manage IP address ranges that could be handed out to various licensed mobile carriers in the United States.

Back when the WDSPC was first created, there were quite a few mobile wireless data companies. But today the vast majority of the IP space managed by the WDSPC is leased by AT&T Mobility and Verizon Wireless — which have gradually acquired most of their competing providers over the years.

A call to the WDSPC revealed the nonprofit hadn’t leased any new wireless data IP space in more than 10 years. That is, until the organization received a communication at the beginning of this year that it believed was from AT&T, which recommended Resnet as a customer who could occupy some of the company’s mobile data IP address blocks.

“I’m afraid we got duped,” said the person answering the phone at the WDSPC, while declining to elaborate on the precise nature of the alleged duping or the medium that was used to convey the recommendation.

AT&T declined to discuss its exact relationship with Resnet  — or if indeed it ever had one to begin with. It responded to multiple questions about Resnet with a short statement that said, “We have taken steps to terminate this company’s services and have referred the matter to law enforcement.”

Why exactly AT&T would forward the matter to law enforcement remains unclear. But it’s not unheard of for hosting providers to forge certain documents in their quest for additional IP space, and anyone caught doing so via email, phone or fax could be charged with wire fraud, which is a federal offense that carries punishments of up to $500,000 in fines and as much as 20 years in prison.

WHAT IS RESNET?

The WHOIS registration records for Resnet’s main Web site, resnetworking[.]com, are hidden behind domain privacy protection. However, a cursory Internet search on that domain turned up plenty of references to it on Hackforums[.]net, a sprawling community that hosts a seemingly never-ending supply of up-and-coming hackers seeking affordable and anonymous ways to monetize various online moneymaking schemes.

One user in particular — a Hackforums member who goes by the nickname “Profitvolt” — has spent several years advertising resnetworking[.]com and a number of related sites and services, including “unlimited” AT&T 4G/LTE data services, and the immediate availability of more than 1 million residential IPs that he suggested were “perfect for botting, shoe buying.”

The Hackforums user “Profitvolt” advertising residential proxies.

Profitvolt advertises his mobile and residential data services as ideal for anyone who wishes to run “various bots,” or “advertising campaigns.” Those services are meant to provide anonymity when customers are doing things such as automating ad clicks on platforms like Google Adsense and Facebook; generating new PayPal accounts; sneaker bot activity; credential stuffing attacks; and different types of social media spam.

For readers unfamiliar with this term, “shoe botting” or “sneaker bots” refers to the use of automated bot programs and services that aid in the rapid acquisition of limited-release, highly sought-after designer shoes that can then be resold at a profit on secondary markets. All too often, it seems, the people who profit the most in this scheme are using multiple sets of compromised credentials from consumer accounts at online retailers, and/or stolen payment card data.

To say shoe botting has become a thorn in the side of online retailers and regular consumers alike would be a major understatement: A recent State of The Internet Security Report (PDF) from Akamai (an advertiser on this site) noted that such automated bot activity now accounts for almost half of the Internet bandwidth directed at online retailers. The prevalance of shoe botting also might help explain Footlocker‘s recent $100 million investment in goat.com, the largest secondary shoe resale market on the Web.

In other discussion threads, Profitvolt advertises he can rent out an “unlimited number” of so-called “residential proxies,” a term that describes home or mobile Internet connections that can be used to anonymously relay Internet traffic for a variety of dodgy deals.

From a ne’er-do-well’s perspective, the beauty of routing one’s traffic through residential IPs is that few online businesses will bother to block malicious or suspicious activity emanating from them.

That’s because in general the pool of IP addresses assigned to residential or mobile wireless connections cycles intermittently from one user to the next, meaning that blacklisting one residential IP for abuse or malicious activity may only serve to then block legitimate traffic (and e-commerce) from the next user who gets assigned that same IP.

A BULLETPROOF PLAN?

In one early post on Hackforums, Profitvolt laments the untimely demise of various “bulletproof” hosting providers over the years, from the Russian Business Network and Atrivo/Intercage, to McColo, 3FN and Troyak, among others.

All of these Internet providers had one thing in common: They specialized in cultivating customers who used their networks for nefarious purposes — from operating botnets and spamming to hosting malware. They were known as “bulletproof” because they generally ignored abuse complaints, or else blamed any reported abuse on a reseller of their services.

In that Hackforums post, Profitvolt bemoans that “mediums which we use to distribute [are] locking us out and making life unnecessarily hard.”

“It’s still sketchy, so I am not going all out to reveal my plans, but currently I am starting off with a 32 GB RAM server with a 1 GB unmetered up-link in a Caribbean country,” Profitvolt told forum members, while asking in different Hackforums posts whether there are any other users from the dual-island Caribbean nation of Trinidad and Tobago on the forum.

“To be quite honest, the purpose of this is to test how far we can stretch the leniency before someone starts asking questions, or we start receiving emails,” Profitvolt continued.

Hackforums user Profitvolt says he plans to build his own “bulletproof” hosting network catering to fellow forum users who might want to rent his services for a variety of dodgy activities.

KrebsOnSecurity started asking questions of Resnet after stumbling upon several indications that this company was enabling different types of online abuse in bite-sized monthly packages. The site resnetworking[.]com appears normal enough on the surface, but a review of the customer packages advertised on it suggests the company has courted a very specific type of client.

“No bullshit, just proxies,” reads one (now hidden or removed) area of the site’s shopping cart. Other promotions advertise the use of residential proxies to promote “growth services” on multiple social media platforms including CraigslistFacebook, Google, Instagram, Spotify, Soundcloud and Twitter.

Resnet also peers with or partners with several other interesting organizations, including:

residential-network[.]com, also known as “IAPS Security Services” (formerly intl-alliance[.]com), which advertises the sale of residential VPNs and mobile 4G/IPv6 proxies aimed at helping customers avoid being blocked while automating different types of activity, from mass-creating social media and email accounts to bulk message sending on platforms like WhatsApp and Facebook.

Laksh Cybersecurity and Defense LLC, which maintains Hexproxy[.]com, another residential proxy service that largely courts customers involved in shoe botting.

-Several chunks of IP space from a Russian provider variously known by the names “SERVERSGET” and “Men Danil Valentinovich,” which has been associated with numerous instances of hijacking vast swaths of IP addresses from other organizations quite recently.

Some of Profitvolt’s discussion threads on Hackforums.

WHO IS RESNET?

Resnetworking[.]com lists on its home page the contact phone number 202-643-8533. That number is tied to the registration records for several domains, including resnetworking[.]com, residentialvpn[.]info, and residentialvpn[.]org. All of those domains also have in their historic WHOIS records the name Joshua Powder and Residential Networking Solutions LLC.

Running a reverse WHOIS lookup via Domaintools.com on “Joshua Powder” turns up almost 60 domain names — most of them tied to the email address joshua.powder@gmail.com. Among those are resnetworking[.]info, resvpn[.]com/net/org/info, tobagospeaks[.]com, tthack[.]com and profitvolt[.]com. Recall that “Profitvolt” is the nickname of the Hackforums user advertising resnetworking[.]com.

The email address josh@tthack.com was used to register an account on the scammer-friendly site blackhatworld[.]com under the nickname “BulletProofWebHost.” Here’s a list of domains registered to this email address.

A search on the Joshua Powder and tthack email addresses at Hyas, a startup that specializes in combining data from a number of sources to provide attribution of cybercrime activity, further associates those to mafiacloud@gmail.com and to the phone number 868-360-9983, which is a mobile number assigned by Digicel Trinidad and Tobago Ltd. A full list of domains tied to that 868- number is here.

Hyas’s service also pointed to this post on the Facebook page of the Prince George’s County Economic Development Corporation in Maryland, which appears to include a 2017 photo of Mr. Powder posing with county officials.

‘A GLORIFIED SOLUTIONS PROVIDER’

Roughly three weeks ago, KrebsOnSecurity called the 202 number listed at the top of resnetworking[.]com. To my surprise, a man speaking in a lovely Caribbean-sounding accent answered the call and identified himself as Josh Powder. When I casually asked from where he’d acquired that accent, Powder said he was a native of New Jersey but allowed that he has family members who now live in Trinidad and Tobago.

Powder said Residential Networking Solutions LLC is “a normal co-location Internet provider” that has been in operation for about three years and employs some 65 people.

“You’re not the first person to call us about residential VPNs,” Powder said. “In the past, we did have clients that did host VPNs, but it’s something that’s been discontinued since 2017. All we are is a glorified solutions provider, and we broker and lease Internet lines from different companies.”

When asked about the various “botting” packages for sale on Resnetworking[.]com, Powder replied that the site hadn’t been updated in a while and that these were inactive offers that resulted from a now-discarded business model.

“When we started back in 2016, we were really inexperienced, and hired some SEO [search engine optimization] firms to do marketing,” he explained. “Eventually we realized that this was creating a shitstorm, because it started to make us look a specific way to certain people. So we had to really go through a process of remodeling. That process isn’t complete, and the entire web site is going to retire in about a week’s time.”

Powder maintains that his company does have a contract with AT&T to resell LTE and 4G data services, and that he has a similar arrangement with Sprint. He also suggested that one of the aforementioned companies which partnered with Resnet — IAPS Security Services — was responsible for much of the dodgy activity that previously brought his company abuse complaints and strange phone calls about VPN services.

“That guy reached out to us and he leased service from us and nearly got us into a lot of trouble,” Powder said. “He was doing a lot of illegal stuff, and I think there is an ongoing matter with him legally. That’s what has caused us to be more vigilant and really look at what we do and change it. It attracted too much nonsense.”

Interestingly, when one visits IAPS Security Services’ old domain — intl-alliance[.]com — it now forwards to resvpn[.]com, which is one of the domains registered to Joshua Powder.

Shortly after our conversation, the monthly packages I asked Powder about that were for sale on resnetworking[.]com disappeared from the site, or were hidden behind a login. Also, Resnet’s IPv6 prefixes (a la IAPS Security Services) were removed from the company’s list of addresses. At the same time, a large number of Profitvolt’s posts prior to 2018 were deleted from Hackforums.

EPILOGUE

It appears that the future of low-level abuse targeting some of the most popular Internet destinations is tied to the increasing willingness of the world’s biggest ISPs to resell discrete chunks of their address space to whomever is able to pay for them.

Earlier this week, I had a Skype conversation with an individual who responded to my requests for more information from residential-network[.]com, and this person told me that plenty of mobile and land-line ISPs are more than happy to sell huge amounts of IP addresses to just about anybody.

“Mobile providers also sell mass services,” the person who responded to my Skype request offered. “Rogers in Canada just opened a new package for unlimited 4G data lines and we’re currently in negotiations with them for that service as well. The UK also has 4G providers that have unlimited data lines as well.”

The person responding to my Skype messages said they bought most of their proxies from a reseller at customproxysolutions[.]com, which advertises “the world’s largest network of 4G LTE modems in the United States.”

He added that “Rogers in Canada has a special offer that if you buy more than 50 lines you get a reduced price lower than the $75 Canadian Dollar price tag that they would charge for fewer than 50 lines. So most mobile ISPs want to sell mass lines instead of single lines.”

It remains unclear how much of the Internet address space claimed by these various residential proxy and VPN networks has been acquired legally or through other means. But it seems that Resnet and its business associates are in fact on the cutting edge of what it means to be a bulletproof Internet provider today.

CryptogramInfluence Operations Kill Chain

Influence operations are elusive to define. The Rand Corp.'s definition is as good as any: "the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent." Basically, we know it when we see it, from bots controlled by the Russian Internet Research Agency to Saudi attempts to plant fake stories and manipulate political debate. These operations have been run by Iran against the United States, Russia against Ukraine, China against Taiwan, and probably lots more besides.

Since the 2016 US presidential election, there have been an endless series of ideas about how countries can defend themselves. It's time to pull those together into a comprehensive approach to defending the public sphere and the institutions of democracy.

Influence operations don't come out of nowhere. They exploit a series of predictable weaknesses -- and fixing those holes should be the first step in fighting them. In cybersecurity, this is known as a "kill chain." That can work in fighting influence operations, too­ -- laying out the steps of an attack and building the taxonomy of countermeasures.

In an exploratory blog post, I first laid out a straw man information operations kill chain. I started with the seven commandments, or steps, laid out in a 2018 New York Times opinion video series on "Operation Infektion," a 1980s Russian disinformation campaign. The information landscape has changed since the 1980s, and these operations have changed as well. Based on my own research and feedback from that initial attempt, I have modified those steps to bring them into the present day. I have also changed the name from "information operations" to "influence operations," because the former is traditionally defined by the US Department of Defense in ways that don't really suit these sorts of attacks.

Step 1: Find the cracks in the fabric of society­ -- the social, demographic, economic, and ethnic divisions. For campaigns that just try to weaken collective trust in government's institutions, lots of cracks will do. But for influence operations that are more directly focused on a particular policy outcome, only those related to that issue will be effective.

Countermeasures: There will always be open disagreements in a democratic society, but one defense is to shore up the institutions that make that society possible. Elsewhere I have written about the "common political knowledge" necessary for democracies to function. That shared knowledge has to be strengthened, thereby making it harder to exploit the inevitable cracks. It needs to be made unacceptable -- or at least costly -- for domestic actors to use these same disinformation techniques in their own rhetoric and political maneuvering, and to highlight and encourage cooperation when politicians honestly work across party lines. The public must learn to become reflexively suspicious of information that makes them angry at fellow citizens. These cracks can't be entirely sealed, as they emerge from the diversity that makes democracies strong, but they can be made harder to exploit. Much of the work in "norms" falls here, although this is essentially an unfixable problem. This makes the countermeasures in the later steps even more important.

Step 2: Build audiences, either by directly controlling a platform (like RT) or by cultivating relationships with people who will be receptive to those narratives. In 2016, this consisted of creating social media accounts run either by human operatives or automatically by bots, making them seem legitimate, gathering followers. In the years following, this has gotten subtler. As social media companies have gotten better at deleting these accounts, two separate tactics have emerged. The first is microtargeting, where influence accounts join existing social circles and only engage with a few different people. The other is influencer influencing, where these accounts only try to affect a few proxies (see step 6) -- either journalists or other influencers -- who can carry their message for them.

Countermeasures: This is where social media companies have made all the difference. By allowing groups of like-minded people to find and talk to each other, these companies have given propagandists the ability to find audiences who are receptive to their messages. Social media companies need to detect and delete accounts belonging to propagandists as well as bots and groups run by those propagandists. Troll farms exhibit particular behaviors that the platforms need to be able to recognize. It would be best to delete accounts early, before those accounts have the time to establish themselves.

This might involve normally competitive companies working together, since operations and account names often cross platforms, and cross-platform visibility is an important tool for identifying them. Taking down accounts as early as possible is important, because it takes time to establish the legitimacy and reach of any one account. The NSA and US Cyber Command worked with the FBI and social media companies to take down Russian propaganda accounts during the 2018 midterm elections. It may be necessary to pass laws requiring Internet companies to do this. While many social networking companies have reversed their "we don't care" attitudes since the 2016 election, there's no guarantee that they will continue to remove these accounts -- especially since their profits depend on engagement and not accuracy.

Step 3: Seed distortion by creating alternative narratives. In the 1980s, this was a single "big lie," but today it is more about many contradictory alternative truths -- a "firehose of falsehood" -- that distort the political debate. These can be fake or heavily slanted news stories, extremist blog posts, fake stories on real-looking websites, deepfake videos, and so on.

Countermeasures: Fake news and propaganda are viruses; they spread through otherwise healthy populations. Fake news has to be identified and labeled as such by social media companies and others, including recognizing and identifying manipulated videos known as deepfakes. Facebook is already making moves in this direction. Educators need to teach better digital literacy, as Finland is doing. All of this will help people recognize propaganda campaigns when they occur, so they can inoculate themselves against their effects. This alone cannot solve the problem, as much sharing of fake news is about social signaling, and those who share it care more about how it demonstrates their core beliefs than whether or not it is true. Still, it is part of the solution.

Step 4: Wrap those narratives in kernels of truth. A core of fact makes falsehoods more believable and helps them spread. Releasing stolen emails from Hillary Clinton's campaign chairman John Podesta and the Democratic National Committee, or documents from Emmanuel Macron's campaign in France, were both an example of that kernel of truth. Releasing stolen emails with a few deliberate falsehoods embedded among them is an even more effective tactic.

Countermeasures: Defenses involve exposing the untruths and distortions, but this is also complicated to put into practice. Fake news sows confusion just by being there. Psychologists have demonstrated that an inadvertent effect of debunking a piece of fake news is to amplify the message of that debunked story. Hence, it is essential to replace the fake news with accurate narratives that counter the propaganda. That kernel of truth is part of a larger true narrative. The media needs to learn skepticism about the chain of information and to exercise caution in how they approach debunked stories.

Step 5: Conceal your hand. Make it seem as if the stories came from somewhere else.

Countermeasures: Here the answer is attribution, attribution, attribution. The quicker an influence operation can be pinned on an attacker, the easier it is to defend against it. This will require efforts by both the social media platforms and the intelligence community, not just to detect influence operations and expose them but also to be able to attribute attacks. Social media companies need to be more transparent about how their algorithms work and make source publications more obvious for online articles. Even small measures like the Honest Ads Act, requiring transparency in online political ads, will help. Where companies lack business incentives to do this, regulation will be the only answer.

Step 6: Cultivate proxies who believe and amplify the narratives. Traditionally, these people have been called "useful idiots." Encourage them to take action outside of the Internet, like holding political rallies, and to adopt positions even more extreme than they would otherwise.

Countermeasures: We can mitigate the influence of people who disseminate harmful information, even if they are unaware they are amplifying deliberate propaganda. This does not mean that the government needs to regulate speech; corporate platforms already employ a variety of systems to amplify and diminish particular speakers and messages. Additionally, the antidote to the ignorant people who repeat and amplify propaganda messages is other influencers who respond with the truth -- in the words of one report, we must "make the truth louder." Of course, there will always be true believers for whom no amount of fact-checking or counter-speech will suffice; this is not intended for them. Focus instead on persuading the persuadable.

Step 7: Deny involvement in the propaganda campaign, even if the truth is obvious. Although since one major goal is to convince people that nothing can be trusted, rumors of involvement can be beneficial. The first was Russia's tactic during the 2016 US presidential election; it employed the second during the 2018 midterm elections.

Countermeasures: When attack attribution relies on secret evidence, it is easy for the attacker to deny involvement. Public attribution of information attacks must be accompanied by convincing evidence. This will be difficult when attribution involves classified intelligence information, but there is no alternative. Trusting the government without evidence, as the NSA's Rob Joyce recommended in a 2016 talk, is not enough. Governments will have to disclose.

Step 8: Play the long game. Strive for long-term impact over immediate effects. Engage in multiple operations; most won't be successful, but some will.

Countermeasures: Counterattacks can disrupt the attacker's ability to maintain influence operations, as US Cyber Command did during the 2018 midterm elections. The NSA's new policy of "persistent engagement" (see the article by, and interview with, US Cyber Command Commander Paul Nakasone here) is a strategy to achieve this. So are targeted sanctions and indicting individuals involved in these operations. While there is little hope of bringing them to the United States to stand trial, the possibility of not being able to travel internationally for fear of being arrested will lead some people to refuse to do this kind of work. More generally, we need to better encourage both politicians and social media companies to think beyond the next election cycle or quarterly earnings report.

Permeating all of this is the importance of deterrence. Deterring them will require a different theory. It will require, as the political scientist Henry Farrell and I have postulated, thinking of democracy itself as an information system and understanding "Democracy's Dilemma": how the very tools of a free and open society can be subverted to attack that society. We need to adjust our theories of deterrence to the realities of the information age and the democratization of attackers. If we can mitigate the effectiveness of influence operations, if we can publicly attribute, if we can respond either diplomatically or otherwise -- we can deter these attacks from nation-states.

None of these defensive actions is sufficient on its own. Steps overlap and in some cases can be skipped. Steps can be conducted simultaneously or out of order. A single operation can span multiple targets or be an amalgamation of multiple attacks by multiple actors. Unlike a cyberattack, disrupting will require more than disrupting any particular step. It will require a coordinated effort between government, Internet platforms, the media, and others.

Also, this model is not static, of course. Influence operations have already evolved since the 2016 election and will continue to evolve over time -- especially as countermeasures are deployed and attackers figure out how to evade them. We need to be prepared for wholly different kinds of influencer operations during the 2020 US presidential election. The goal of this kill chain is to be general enough to encompass a panoply of tactics but specific enough to illuminate countermeasures. But even if this particular model doesn't fit every influence operation, it's important to start somewhere.

Others have worked on similar ideas. Anthony Soules, a former NSA employee who now leads cybersecurity strategy for Amgen, presented this concept at a private event. Clint Watts of the Alliance for Securing Democracy is thinking along these lines as well. The Credibility Coalition's Misinfosec Working Group proposed a "misinformation pyramid." The US Justice Department developed a "Malign Foreign Influence Campaign Cycle," with associated countermeasures.

The threat from influence operations is real and important, and it deserves more study. At the same time, there's no reason to panic. Just as overly optimistic technologists were wrong that the Internet was the single technology that was going to overthrow dictators and liberate the planet, so pessimists are also probably wrong that it is going to empower dictators and destroy democracy. If we deploy countermeasures across the entire kill chain, we can defend ourselves from these attacks.

But Russian interference in the 2016 presidential election shows not just that such actions are possible but also that they're surprisingly inexpensive to run. As these tactics continue to be democratized, more people will attempt them. And as more people, and multiple parties, conduct influence operations, they will increasingly be seen as how the game of politics is played in the information age. This means that the line will increasingly blur between influence operations and politics as usual, and that domestic influencers will be using them as part of campaigning. Defending democracy against foreign influence also necessitates making our own political debate healthier.

This essay previously appeared in Foreign Policy.

Worse Than FailureLowest Bidder Squared

Stack of coins 0214

Initech was in dire straits. The website was dog slow, and the budget had been exceeded by a factor of five already trying to fix it. Korbin, today's submitter, was brought in to help in exchange for decent pay and an office in their facility.

He showed up only to find a boxed-up computer and a brand new flat-packed desk, also still in the box. The majority of the space was a video-recording studio that saw maybe 4-6 hours of use a week. After setting up his office, Korbin spent the next day and a half finding his way around the completely undocumented C# code. The third day, there was a carpenter in the studio area. Inexplicably, said carpenter decided he needed to contact-glue carpet to a set of huge risers ... indoors. At least a gallon of contact cement was involved. In minutes, Korbin got a raging headache, and he was essentially gassed out of the building for the rest of the day. Things were not off to a good start.

Upon asking around, Korbin quickly determined that the contractors originally responsible for coding the website had underbid the project by half, then subcontracted the whole thing out to a team in India to do the work on the cheap. The India team had then done the very same thing, subcontracting it out to the most cut-rate individuals they could find. Everything had been written in triplicate for some reason, making it impossible to determine what was actually powering the website and what was dead code. Furthermore, while this was a database-oriented site, there were no stored procedures, and none of the (sub)subcontractors seemed to understand how to use a JOIN command.

In an effort to tease apart what code was actually needed, Korbin turned on profiling. Only ... it was already on in the test version of the site. With a sudden ominous hunch, he checked the live site—and sure enough, profiling was running in production as well. He shut it off, and instantly, the whole site became more responsive.

The next fix was also pretty simple. The site had a bad habit of asking for information it already had, over and over, without any JOINs. Reducing the frequency of database hits improved performance again, bringing it to within an order of magnitude of what one might expect from a website.

While all this was going on, the leaderboard page had begun timing out. Sure enough, it was an N-squared solution: open database, fetch record, close database, repeat, then compare the two records, putting them in order and beginning again. With 500 members, it was doing 250,000 passes each time someone hit the page. Korbin scrapped the whole thing in favor of the site's first stored procedure, then cached it to call only once a day.

The weeks went on, and the site began to take shape, finally getting something like back on track. Thanks to the botched rollout, however, many of the company's endorsements had vanished, and backers were pulling out. The president got on the phone with some VIP about Facebook—because as we all know, the solution to any company's problem is the solution to every company's problems.

"Facebook was written in PHP. He told me it was the best thing out there. So we're going to completely redo the website in PHP," the president confidently announced at the next all-hands meeting. "I want to hear how long everyone thinks this will take to get done."

The only developers left at that point were Korbin and a junior kid just out of college, with one contractor with some experience on the project.

"Two weeks. Maybe three," the kid replied.

They went around the table, and all the non-programmers chimed in with the 2-3 week assessment. Next to last came the experienced contractor. Korbin's jaw nearly dropped when he weighed in at 3-4 weeks.

"None of that is realistic!" Korbin proclaimed. "Even with the existing code as a road map, it's going to take 4-6 months to rewrite. And with the inevitable feature-creep and fixes for things found in testing, it is likely to take even longer."

Korbin was told the next day he could pick up his final check. Seven months later, he ran into the junior kid again, and asked how the rewrite went.

"It's still ongoing," he admitted.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

,

CryptogramFriday Squid Blogging: Robot Squid Propulsion

Interesting research:

The squid robot is powered primarily by compressed air, which it stores in a cylinder in its nose (do squids have noses?). The fins and arms are controlled by pneumatic actuators. When the robot wants to move through the water, it opens a value to release a modest amount of compressed air; releasing the air all at once generates enough thrust to fire the robot squid completely out of the water.

The jumping that you see at the end of the video is preliminary work; we're told that the robot squid can travel between 10 and 20 meters by jumping, whereas using its jet underwater will take it just 10 meters. At the moment, the squid can only fire its jet once, but the researchers plan to replace the compressed air with something a bit denser, like liquid CO2, which will allow for extended operation and multiple jumps. There's also plenty of work to do with using the fins for dynamic control, which the researchers say will "reveal the superiority of the natural flying squid movement."

I can't find the paper online.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramSoftware Vulnerabilities in the Boeing 787

Boeing left its software unprotected, and researchers have analyzed it for vulnerabilities:

At the Black Hat security conference today in Las Vegas, Santamarta, a researcher for security firm IOActive, plans to present his findings, including the details of multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System. The CIS/MS is responsible for applications like maintenance systems and the so-called electronic flight bag, a collection of navigation documents and manuals used by pilots. Santamarta says he found a slew of memory corruption vulnerabilities in that CIS/MS, and he claims that a hacker could use those flaws as a foothold inside a restricted part of a plane's network. An attacker could potentially pivot, Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane's safety-critical systems, including its engine, brakes, and sensors. Boeing maintains that other security barriers in the 787's network architecture would make that progression impossible.

Santamarta admits that he doesn't have enough visibility into the 787's internals to know if those security barriers are circumventable. But he says his research nonetheless represents a significant step toward showing the possibility of an actual plane-hacking technique. "We don't have a 787 to test, so we can't assess the impact," Santamarta says. "We're not saying it's doomsday, or that we can take a plane down. But we can say: This shouldn't happen."

Boeing denies that there's any problem:

In a statement, Boeing said it had investigated IOActive's claims and concluded that they don't represent any real threat of a cyberattack. "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the company's statement reads. "IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we're disappointed in IOActive's irresponsible presentation."

This being Black Hat and Las Vegas, I'll say it this way: I would bet money that Boeing is wrong. I don't have an opinion about whether or not it's lying.

Worse Than FailureError'd: What About the Fish?

"On the one hand, I don't want to know what the fish has to do with Boris Johnson's love life...but on the other hand I have to know!" Mark R. writes.

 

"Not sure if that's a new GDPR rule or the Slack Mailbot's weekend was just that much better then mine," Adam G. writes.

 

Connor W. wrote, "You know what, I think I'll just stay inside."

 

"It's great to see that an attempt at personalization was made, but whatever happened to 'trust but verify'?" writes Rob H.

 

"For a while, I thought that, maybe, I didn't actually know how to use my iPhone's alarm. Instead, I found that it just wasn't working right. So, I contacted Apple Support, and while they were initially skeptical that it was an iOS issue, this morning, I actually have proof!" Markus G. wrote.

 

Tim G. writes, "I guess that's better than an angry error message."

 

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

,

CryptogramBypassing Apple FaceID's Liveness Detection Feature

Apple's FaceID has a liveness detection feature, which prevents someone from unlocking a victim's phone by putting it in front of his face while he's sleeping. That feature has been hacked:

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim's FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim's face the researchers demonstrated how they could bypass Apple's FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

LongNowAI analyzed 3.3 million scientific abstracts and discovered possible new materials

A new paper shows how AI can accelerate scientific discovery through analyzing millions of scientific abstracts. From the MIT Technology Review:

Natural-language processing has seen major advancements in recent years, thanks to the development of unsupervised machine-learning techniques that are really good at capturing the relationships between words. They count how often and how closely words are used in relation to one another, and map those relationships in a three-dimensional vector space. The patterns can then be used to predict basic analogies like “man is to king as woman is to queen,” or to construct sentences and power things like autocomplete and other predictive text systems.

A group of researchers have now used this technique to munch through 3.3 million scientific abstracts published between 1922 and 2018 in journals that would likely contain materials science research. The resulting word relationships captured fundamental knowledge within the field, including the structure of the periodic table and the way chemicals’ structures relate to their properties. The paper was published in Nature last week.

MIT Technology Review


Worse Than FailureCodeSOD: A Devil With a Date

Jim was adding a feature to the backend. This feature updated a few fields on an object, and then handed the object off as JSON to the front-end.

Adding the feature seemed pretty simple, but when Jim went to check out its behavior in the front-end, he got validation errors. Something in the data getting passed back by his web service was fighting with the front end.

On its surface, that seemed like a reasonable problem, but when looking into it, Jim discovered that it was the record_update_date field which was causing validation issues. The front-end displayed this as a read only field, so there was no reason to do any client-side validation in the first place, and that field was never sent to the backend, so there was even less than no reason to do validation.

Worse, the field had, at least to the eye, a valid date: 2019-07-29T00:00:00.000Z. Even weirder, if Jim changed the backend to just return 2019-07-29, everything worked. He dug into the validation code to see what might be wrong about it:

/**
 * Custom validation
 *
 * This is a callback function for ajv custom keywords
 *
 * @param  {object} wsFormat aiFormat property content
 * @param  {object} data Data (of element type) from document where validation is required
 * @param  {object} itemSchema Schema part from wsValidation keyword
 * @param  {string} dataPath Path to document element
 * @param  {object} parentData Data of parent object
 * @param  {string} key Property name
 * @param  {object} rootData Document data
 */
function wsFormatFunction(wsFormat, data, itemSchema, dataPath, parentData, key, rootData) {

    let valid;
    switch (aiFormat) {
        case 'date': {
            let regex = /^\d\d\d\d-[0-1]\d-[0-3](T00:00:00.000Z)?\d$/;
            valid = regex.test(data);
            break;
        }
        case 'date-time': {
            let regex = /^\d\d\d\d-[0-1]\d-[0-3]\d[t\s](?:[0-2]\d:[0-5]\d:[0-5]\d|23:59:60)(?:\.\d+)?(?:z|[+-]\d\d:\d\d)$/i;
            valid = regex.test(data);
            break;
        }
        case 'time': {
            let regex = /^(0[0-9]|1[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]$/;
            valid = regex.test(data);
            break;
        }
        default: throw 'Unknown wsFormat: ' + wsFormat;
    }

    if (!valid) {
        wsFormatFunction['errors'] = wsFormatFunction['errors'] || [];

        wsFormatFunction['errors'].push({
            keyword: 'wsFormat',
            dataPath: dataPath,
            message: 'should match format "' + wsFormat + '"',
            schema: itemSchema,
            data: data
        });
    }

    return valid;
}

When it starts with “Custom validation” and it involves dates, you know you’re in for a bad time. Worse, it’s custom validation, dates, and regular expressions written by someone who clearly didn’t understand regular expressions.

Let’s take a peek at the branch which was causing Jim’s error, and examine the regex:

/^\d\d\d\d-[0-1]\d-[0-3](T00:00:00.000Z)?\d$/

It should start with four digits, followed by a dash, followed by a value between 0 and 1. Then another digit, then a dash, then a number between 0 and 3, then the time (optionally), then a final digit.

It’s obvious why Jim’s perfectly reasonable date wasn’t working: it needed to be 2019-07-2T00:00:00.000Z9. Or, if Jim just didn’t include the timestamp, not only would 2019-07-29 be a valid date, but so would 2019-19-39, which just so happens to be my birthday. Mark your calendars for the 39th of Undevigintiber.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

,

CryptogramSide-Channel Attack against Electronic Locks

Several high-security electronic locks are vulnerable to side-channel attacks involving power monitoring.

Cory DoctorowMy appearance on the MMT podcast

I’ve been following the Modern Monetary Theory debate for about 18 months, and I’m largely a convert: governments spend money into existence and tax it out of existence, and government deficit spending is only inflationary if it’s bidding against the private sector for goods or services, which means that the government could guarantee every unemployed person a job (say, working on the Green New Deal), and which also means that every unemployed person and every unfilled social services role is a political choice, not an economic necessity.

I was delighted to be invited onto the MMT Podcast to discuss the ways that MMT dovetails with the fight against monopoly and inequality, and how science-fiction storytelling can bring complicated technical subjects (like adversarial interoperability) to life.

We talked so long that they’ve split it into two episodes, the first of which is now live (MP3).

Krebs on SecurityMeet Bluetana, the Scourge of Pump Skimmers

Bluetana,” a new mobile app that looks for Bluetooth-based payment card skimmers hidden inside gas pumps, is helping police and state employees more rapidly and accurately locate compromised fuel stations across the nation, a study released this week suggests. Data collected in the course of the investigation also reveals some fascinating details that may help explain why these pump skimmers are so lucrative and ubiquitous.

The new app, now being used by agencies in several states, is the brainchild of computer scientists from the University of California San Diego and the University of Illinois Urbana-Champaign, who say they developed the software in tandem with technical input from the U.S. Secret Service (the federal agency most commonly called in to investigate pump skimming rings).

The Bluetooth pump skimmer scanner app ‘Bluetana’ in action.

Gas pumps are a perennial target of skimmer thieves for several reasons. They are usually unattended, and in too many cases a handful of master keys will open a great many pumps at a variety of filling stations.

The skimming devices can then be attached to electronics inside the pumps in a matter of seconds, and because they’re also wired to the pump’s internal power supply the skimmers can operate indefinitely without the need of short-lived batteries.

And increasingly, these pump skimmers are fashioned to relay stolen card data and PINs via Bluetooth wireless technology, meaning the thieves who install them can periodically download stolen card data just by pulling up to a compromised pump and remotely connecting to it from a Bluetooth-enabled mobile device or laptop.

According to the study, some 44 volunteers  — mostly law enforcement officials and state employees — were equipped with Bluetana over a year-long experiment to test the effectiveness of the scanning app.

The researchers said their volunteers collected Bluetooth scans at 1,185 gas stations across six states, and that Bluetana detected a total of 64 skimmers across four of those states. All of the skimmers were later collected by law enforcement, including two that were reportedly missed in manual safety inspections of the pumps six months earlier.

While several other Android-based apps designed to find pump skimmers are already available, the researchers said Bluetana was developed with an eye toward eliminating false-positives that some of these other apps can fail to distinguish.

“Bluetooth technology used in these skimmers are also used for legitimate products commonly seen at and near gas stations such as speed-limit signs, weather sensors and fleet tracking systems,” said Nishant Bhaskar, UC San Diego Ph.D. student and principal author of the study. “These products can be mistaken for skimmers by existing detection apps.”

BLACK MARKET VALUE

The fuel skimmer study also helps explain how quickly these hidden devices can generate huge profits for the organized gangs that typically deploy them. The researchers found the skimmers their app found collected data from roughly 20 -25 payment cards each day — evenly distributed between debit and credit cards (although they note estimates from payment fraud prevention companies and the Secret Service that put the average figure closer to 50-100 cards daily per compromised machine).

The academics also studied court documents which revealed that skimmer scammers often are only able to “cashout” stolen cards — either through selling them on the black market or using them for fraudulent purchases — a little less than half of the time. This can result from the skimmers sometimes incorrectly reading card data, daily withdrawal limits, or fraud alerts at the issuing bank.

“Based on the prior figures, we estimate the range of per-day revenue from a skimmer is $4,253 (25 cards per day, cashout of $362 per card, and 47% cashout success rate), and our high end estimate is $63,638 (100 cards per day per day, $1,354 cashout per card, and cashout success rate of 47%),” the study notes.

Not a bad haul either way, considering these skimmers typically cost about $25 to produce.

Those earnings estimates assume an even distribution of credit and debit card use among customers of a compromised pump: The more customers pay with a debit card, the more profitable the whole criminal scheme may become. Armed with your PIN and debit card data, skimmer thieves or those who purchase stolen cards can clone your card and pull money out of your account at an ATM.

“Availability of a PIN code with a stolen debit card in particular, can increase its value five-fold on the black market,” the researchers wrote.

This highlights a warning that KrebsOnSecurity has relayed to readers in many previous stories on pump skimming attacks: Using a debit card at the pump can be way riskier than paying with cash or a credit card.

The black market value, impact to consumers and banks, and liability associated with different types of card fraud.

And as the above graphic from the report illustrates, there are different legal protections for fraudulent transactions on debit vs. credit cards. With a credit card, your maximum loss on any transactions you report as fraud is $50; with a debit card, that protection only extends for within two days of the unauthorized transaction. After that, the maximum consumer liability can increase to $500 within 60 days, and to an unlimited amount after 60 days.

In practice, your bank or debit card issuer may still waive additional liabilities, and many do. But even then, having your checking account emptied of cash while your bank sorts out the situation can still be a huge hassle and create secondary problems (bounced checks, for instance).

Interestingly, this advice against using debit cards at the pump often runs counter to the messaging pushed by fuel station owners themselves, many of whom offer lower prices for cash or debit card transactions. That’s because credit card transactions typically are more expensive to process.

For all its skimmer-skewering prowess, Bluetana will not be released to the public. The researchers said the primary reason for this is highlighted in the core findings of the study.

“There are many legitimate devices near gas stations that look exactly like skimmers do in Bluetooth scans,” said UCSD Assistant Professor Aaron Schulman, in an email to KrebsOnSecurity. “Flagging suspicious devices in Bluetana is a only a way of notifying inspectors that they need to gather more data around the gas station to determine if the Bluetooth transmissions appear to be emanating from a device inside of of the pumps. If it does, they can then open the pump door and confirm that the signal strength rises, and begin their visual inspection for the skimmer.”

One of the best tips for avoiding fuel card skimmers is to favor filling stations that have updated security features, such as custom keys for each pump, better compartmentalization of individual components within the machine, and tamper protections that physically shut down a pump if the machine is improperly accessed.

How can you spot a gas station with these updated features, you ask? As noted in last summer’s story, How to Avoid Card Skimmers at the Pumps, these newer-model machines typically feature a horizontal card acceptance slot along with a raised metallic keypad. In contrast, older, less secure pumps usually have a vertical card reader a flat, membrane-based keypad.

Newer, more tamper-resistant fuel pumps include pump-specific key locks, raised metallic keypads, and horizontal card readers.

The researchers will present their work on Bluetana later today at the USENIX Security 2019 conference in Santa Clara, Calif. A copy of their paper is available here (PDF).

If you enjoyed this story, check out my series on all things skimmer-related: All About Skimmers. Looking for more information on fuel pump skimming? Have a look at some of these stories.

CryptogramExploiting GDPR to Get Private Information

A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

  • a UK hotel chain that shared a complete record of his partner's overnight stays

  • two UK rail companies that provided records of all the journeys she had taken with them over several years

  • a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.

CryptogramAttorney General Barr and Encryption

Last month, Attorney General William Barr gave a major speech on encryption policy足what is commonly known as "going dark." Speaking at Fordham University in New York, he admitted that adding backdoors decreases security but that it is worth it.

Some hold this view dogmatically, claiming that it is technologically impossible to provide lawful access without weakening security against unlawful access. But, in the world of cybersecurity, we do not deal in absolute guarantees but in relative risks. All systems fall short of optimality and have some residual risk of vulnerability -- a point which the tech community acknowledges when they propose that law enforcement can satisfy its requirements by exploiting vulnerabilities in their products. The real question is whether the residual risk of vulnerability resulting from incorporating a lawful access mechanism is materially greater than those already in the unmodified product. The Department does not believe this can be demonstrated.

Moreover, even if there was, in theory, a slight risk differential, its significance should not be judged solely by the extent to which it falls short of theoretical optimality. Particularly with respect to encryption marketed to consumers, the significance of the risk should be assessed based on its practical effect on consumer cybersecurity, as well as its relation to the net risks that offering the product poses for society. After all, we are not talking about protecting the Nation's nuclear launch codes. Nor are we necessarily talking about the customized encryption used by large business enterprises to protect their operations. We are talking about consumer products and services such as messaging, smart phones, e-mail, and voice and data applications. If one already has an effective level of security say, by way of illustration, one that protects against 99 percent of foreseeable threats -- is it reasonable to incur massive further costs to move slightly closer to optimality and attain a 99.5 percent level of protection? A company would not make that expenditure; nor should society. Here, some argue that, to achieve at best a slight incremental improvement in security, it is worth imposing a massive cost on society in the form of degraded safety. This is untenable. If the choice is between a world where we can achieve a 99 percent assurance against cyber threats to consumers, while still providing law enforcement 80 percent of the access it might seek; or a world, on the other hand, where we have boosted our cybersecurity to 99.5 percent but at a cost reducing law enforcements [sic] access to zero percent the choice for society is clear.

I think this is a major change in government position. Previously, the FBI, the Justice Department and so on had claimed that backdoors for law enforcement could be added without any loss of security. They maintained that technologists just need to figure out how足 -- an approach we have derisively named "nerd harder."

With this change, we can finally have a sensible policy conversation. Yes, adding a backdoor increases our collective security because it allows law enforcement to eavesdrop on the bad guys. But adding that backdoor also decreases our collective security because the bad guys can eavesdrop on everyone. This is exactly the policy debate we should be having -- not the fake one about whether or not we can have both security and surveillance.

Barr makes the point that this is about "consumer cybersecurity" and not "nuclear launch codes." This is true, but it ignores the huge amount of national security-related communications between those two poles. The same consumer communications and computing devices are used by our lawmakers, CEOs, legislators, law enforcement officers, nuclear power plant operators, election officials and so on. There's no longer a difference between consumer tech and government tech -- it's all the same tech.

Barr also says:

Further, the burden is not as onerous as some make it out to be. I served for many years as the general counsel of a large telecommunications concern. During my tenure, we dealt with these issues and lived through the passage and implementation of CALEA the Communications Assistance for Law Enforcement Act. CALEA imposes a statutory duty on telecommunications carriers to maintain the capability to provide lawful access to communications over their facilities. Companies bear the cost of compliance but have some flexibility in how they achieve it, and the system has by and large worked. I therefore reserve a heavy dose of skepticism for those who claim that maintaining a mechanism for lawful access would impose an unreasonable burden on tech firms especially the big ones. It is absurd to think that we would preserve lawful access by mandating that physical telecommunications facilities be accessible to law enforcement for the purpose of obtaining content, while allowing tech providers to block law enforcement from obtaining that very content.

That telecommunications company was GTE -- which became Verizon. Barr conveniently ignores that CALEA-enabled phone switches were used to spy on government officials in Greece in 2003 -- which seems to have been a National Security Agency operation -- and on a variety of people in Italy in 2006. Moreover, in 2012 every CALEA-enabled switch sold to the Defense Department had security vulnerabilities. (I wrote about all this, and more, in 2013.)

The final thing I noticed about the speech is that it is not about iPhones and data at rest. It is about communications足 -- data in transit. The "going dark" debate has bounced back and forth between those two aspects for decades. It seems to be bouncing once again.

I hope that Barr's latest speech signals that we can finally move on from the fake security vs. privacy debate, and to the real security vs. security debate. I know where I stand on that: As computers continue to permeate every aspect of our lives, society, and critical infrastructure, it is much more important to ensure that they are secure from everybody -- even at the cost of law enforcement access足 -- than it is to allow access at the cost of security. Barr is wrong, it kind of is like these systems are protecting nuclear launch codes.

This essay previously appeared on Lawfare.com.

Worse Than FailureCodeSOD: A Loop in the String

Robert was browsing through a little JavaScript used at his organization, and found this gem of type conversion.

//use only for small numbers
function StringToInteger (str) {
    var int = -1;
    for (var i=0; i<=100; i++) {
        if (i+"" == str) {
            int = i;
            break;
        }
    }
    return int;
}

So, this takes our input str, which is presumably a string, and it starts counting from 0 to 100. i+"" coerces the integer value to a string, which we compare against our string. If it’s a match, we’ll store that value and break out of the loop.

Obviously, this has a glaring flaw: the 100 is hardcoded. So what we really need to do is add a search_low and search_high parameter, so we can write the for loop as i = search_low; i <= search_high; i++ instead. Because that’s the only glaring flaw in this code. I can’t think of any possible better way of converting strings to integers. Not a one.

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

,

CryptogramPhone Pharming for Ad Fraud

Interesting article on people using banks of smartphones to commit ad fraud for profit.

No one knows how prevalent ad fraud is on the Internet. I believe it is surprisingly high -- here's an article that places losses between $6.5 and $19 billion annually -- and something companies like Google and Facebook would prefer remain unresearched.

Krebs on SecurityPatch Tuesday, August 2019 Edition

Most Microsoft Windows (ab)users probably welcome the monthly ritual of applying security updates about as much as they look forward to going to the dentist: It always seems like you were there just yesterday, and you never quite know how it’s all going to turn out. Fortunately, this month’s patch batch from Redmond is mercifully light, at least compared to last month.

Okay, maybe a trip to the dentist’s office is still preferable. In any case, today is the second Tuesday of the month, which means it’s once again Patch Tuesday (or — depending on your setup and when you’re reading this post — Reboot Wednesday). Microsoft today released patches to fix some 93 vulnerabilities in Windows and related software, 35 of which affect various Server versions of Windows, and another 70 that apply to the Windows 10 operating system.

Although there don’t appear to be any zero-day vulnerabilities fixed this month — i.e. those that get exploited by cybercriminals before an official patch is available — there are several issues that merit attention.

Chief among those are patches to address four moderately terrifying flaws in Microsoft’s Remote Desktop Service, a feature which allows users to remotely access and administer a Windows computer as if they were actually seated in front of the remote computer. Security vendor Qualys says two of these weaknesses can be exploited remotely without any authentication or user interaction.

“According to Microsoft, at least two of these vulnerabilities (CVE-2019-1181 and CVE-2019-1182) can be considered ‘wormable’ and [can be equated] to BlueKeep,” referring to a dangerous bug patched earlier this year that Microsoft warned could be used to spread another WannaCry-like ransomware outbreak. “It is highly likely that at least one of these vulnerabilities will be quickly weaponized, and patching should be prioritized for all Windows systems.”

Fortunately, Remote Desktop is disabled by default in Windows 10, and as such these flaws are more likely to be a threat for enterprises that have enabled the application for various purposes. For those keeping score, this is the fourth time in 2019 Microsoft has had to fix critical security issues with its Remote Desktop service.

For all you Microsoft Edge and Internet Exploiter Explorer users, Microsoft has issued the usual panoply of updates for flaws that could be exploited to install malware after a user merely visits a hacked or booby-trapped Web site. Other equally serious flaws patched in Windows this month could be used to compromise the operating system just by convincing the user to open a malicious file (regardless of which browser the user is running).

As crazy as it may seem, this is the second month in a row that Adobe hasn’t issued a security update for its Flash Player browser plugin, which is bundled in IE/Edge and Chrome (although now hobbled by default in Chrome). However, Adobe did release important updates for its Acrobat and free PDF reader products.

If the tone of this post sounds a wee bit cantankerous, it might be because at least one of the updates I installed last month totally hosed my Windows 10 machine. I consider myself an equal OS abuser, and maintain multiple computers powered by a variety of operating systems, including Windows, Linux and MacOS.

Nevertheless, it is frustrating when being diligent about applying patches introduces so many unfixable problems that you’re forced to completely reinstall the OS and all of the programs that ride on top of it. On the bright side, my newly-refreshed Windows computer is a bit more responsive than it was before crash hell.

So, three words of advice. First off, don’t let Microsoft decide when to apply patches and reboot your computer. On the one hand, it’s nice Microsoft gives us a predictable schedule when it’s going to release patches. On the other, Windows 10 will by default download and install patches whenever it pleases, and then reboot the computer.

Unless you change that setting. Here’s a tutorial on how to do that. For all other Windows OS users, if you’d rather be alerted to new updates when they’re available so you can choose when to install them, there’s a setting for that in Windows Update.

Secondly, it doesn’t hurt to wait a few days to apply updates.  Very often fixes released on Patch Tuesday have glitches that cause problems for an indeterminate number of Windows systems. When this happens, Microsoft then patches their patches to minimize the same problems for users who haven’t yet applied the updates, but it sometimes takes a few days for Redmond to iron out the kinks.

Finally, please have some kind of system for backing up your files before applying any updates. You can use third-party software for this, or just the options built into Windows 10. At some level, it doesn’t matter. Just make sure you’re backing up your files, preferably following the 3-2-1 backup rule. Thankfully, I’m vigilant about backing up my files.

And, as ever, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there’s a good chance other readers have experienced the same and may even chime in here with some helpful tips.

Cory DoctorowPodcast: Interoperability and Privacy: Squaring the Circle

In my latest podcast (MP3), I read my essay “Interoperability and Privacy: Squaring the Circle, published today on EFF’s Deeplinks; it’s another in the series of “adversarial interoperability” explainers, this one focused on how privacy and adversarial interoperability relate to each other.

Even if we do manage to impose interoperability on Facebook in ways that allow for meaningful competition, in the absence of robust anti-monopoly rules, the ecosystem that grows up around that new standard is likely to view everything that’s not a standard interoperable component as a competitive advantage, something that no competitor should be allowed to make incursions upon, on pain of a lawsuit for violating terms of service or infringing a patent or reverse-engineering a copyright lock or even more nebulous claims like “tortious interference with contract.”

In other words, the risk of trusting competition to an interoperability mandate is that it will create a new ecosystem where everything that’s not forbidden is mandatory, freezing in place the current situation, in which Facebook and the other giants dominate and new entrants are faced with onerous compliance burdens that make it more difficult to start a new service, and limit those new services to interoperating in ways that are carefully designed to prevent any kind of competitive challenge.

Standards should be the floor on interoperability, but adversarial interoperability should be the ceiling. Adversarial interoperability takes place when a new company designs a product or service that works with another company’s existing products or services, without seeking permission to do so.

MP3

Worse Than FailureCodeSOD: Nullable Knowledge

You’ve got a decimal value- maybe. It could be nothing at all, and you need to handle that null gracefully. Fortunately for you, C# has “nullable types”, which make this task easy.

Ian P’s co-worker made this straightforward application of nullable types.

public static decimal ValidateDecimal(decimal? value)
{
if (value == null) return 0;
decimal returnValue = 0;
Decimal.TryParse(value.ToString(), out returnValue);
return returnValue;
}

The lack of indentation was in the original.

The obvious facepalm is the Decimal.TryParse call. If our decimal has a value, we could just return it, but no, instead, we convert it to a string then convert that string back into a Decimal.

But the real problem here is someone who doesn’t understand what .NET’s nullable types offer. For starters, one could make the argument that value.HasValue() is more readable than value == null, though that’s clearly debatable. That’s not really the problem though.

The purpose of ValidateDecimal is to return the input value, unless the input value was null, in which case we want to return 0. Nullable types have a lovely GetValueOrDefault() method, which returns the value, or a reasonable default. What is the default for any built in numeric type?

0.

This method doesn’t need to exist, it’s already built in to the decimal? type. Of course, the built-in method almost certainly doesn’t do a string conversion to get its value, so the one with a string is better, is it knot?

[Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

,

Krebs on SecuritySEC Investigating Data Leak at First American Financial Corp.

The U.S. Securities and Exchange Commission (SEC) is investigating a security failure on the Web site of real estate title insurance giant First American Financial Corp. that exposed more than 885 million personal and financial records tied to mortgage deals going back to 2003, KrebsOnSecurity has learned.

First American Financial Corp.

In May, KrebsOnSecurity broke the news that the Web site for Santa Ana, Calif.-based First American [NYSE:FAFexposed some 885 million documents related to real estate closings over the past 16 years, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and drivers license images. No authentication was required to view the documents.

The initial tip on that story came from Ben Shoval, a real estate developer based in Seattle. Shoval said he recently received a letter from the SEC’s enforcement division which stated the agency was investigating the data exposure to determine if First American had violated federal securities laws.

In its letter, the SEC asked Shoval to preserve and share any documents or evidence he had related to the data exposure.

“This investigation is a non-public, fact-finding inquiry,” the letter explained. “The investigation does not mean that we have concluded that anyone has violated the law.”

The SEC declined to comment for this story.

Word of the SEC investigation comes weeks after regulators in New York said they were investigating the company in what could turn out to be the first test of the state’s strict new cybersecurity regulation, which requires financial companies to periodically audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful. First American also is now the target of a class action lawsuit that alleges it “failed to implement even rudimentary security measures.”

First American has issued a series of statements over the past few months that seem to downplay the severity of the data exposure, which the company said was the result of a “design defect” in its Web site.

On June 18, First American said a review of system logs by an outside forensic firm, “based on guidance from the company, identified 484 files that likely were accessed by individuals without authorization. The company has reviewed 211 of these files to date and determined that only 14 (or 6.6%) of those files contain non-public personal information. The company is in the process of notifying the affected consumers and will offer them complimentary credit monitoring services.”

In a statement on July 16, First American said its now-completed investigation identified just 32 consumers whose non-public personal information likely was accessed without authorization.

“These 32 consumers have been notified and offered complimentary credit monitoring services,” the company said.

First American has not responded to questions about how long this “design defect” persisted on its site, how far back it maintained access logs, or how far back in those access logs the company’s review extended.

Updated, Aug, 13, 8:40 a.m.: Added “no comment” from the SEC.

CryptogramEvaluating the NSA's Telephony Metadata Program

Interesting analysis: "Examining the Anomalies, Explaining the Value: Should the USA FREEDOM Act's Metadata Program be Extended?" by Susan Landau and Asaf Lubin.

Abstract: The telephony metadata program which was authorized under Section 215 of the PATRIOT Act, remains one of the most controversial programs launched by the U.S. Intelligence Community (IC) in the wake of the 9/11 attacks. Under the program major U.S. carriers were ordered to provide NSA with daily Call Detail Records (CDRs) for all communications to, from, or within the United States. The Snowden disclosures and the public controversy that followed led Congress in 2015 to end bulk collection and amend the CDR authorities with the adoption of the USA FREEDOM Act (UFA).

For a time, the new program seemed to be functioning well. Nonetheless, three issues emerged around the program. The first concern was over high numbers: in both 2016 and 2017, the Foreign Intelligence Surveillance Court issued 40 orders for collection, but the NSA collected hundreds of millions of CDRs, and the agency provided little clarification for the high numbers. The second emerged in June 2018 when the NSA announced the purging of three years' worth of CDR records for "technical irregularities." Finally, in March 2019 it was reported that the NSA had decided to completely abandon the program and not seek its renewal as it is due to sunset in late 2019.

This paper sheds significant light on all three of these concerns. First, we carefully analyze the numbers, showing how forty orders might lead to the collection of several million CDRs, thus offering a model to assist in understanding Intelligence Community transparency reporting across its surveillance programs. Second, we show how the architecture of modern telephone communications might cause collection errors that fit the reported reasons for the 2018 purge. Finally, we show how changes in the terrorist threat environment as well as in the technology and communication methods they employ ­ in particular the deployment of asynchronous encrypted IP-based communications ­ has made the telephony metadata program far less beneficial over time. We further provide policy recommendations for Congress to increase effective intelligence oversight.

Worse Than FailureInternship of Things

Mindy was pretty excited to start her internship with Initech's Internet-of-Things division. She'd been hearing at every job fair how IoT was still going to be blowing up in a few years, and how important it would be for her career to have some background in it.

It was a pretty standard internship. Mindy went to meetings, shadowed developers, did some light-but-heavily-supervised changes to the website for controlling your thermostat/camera/refrigerator all in one device.

As part of testing, Mindy created a customer account on the QA environment for the site. She chucked a junk password at it, only to get a message: "Your password must be at least 8 characters long, contain at least three digits, not in sequence, four symbols, at least one space, and end with a letter, and not be more than 10 characters."

"Um, that's quite the password rule," Mindy said to her mentor, Bob.

"Well, you know how it is, most people use one password for every site, and we don't want them to do that here. That way, when our database leaks again, it minimizes the harm."

"Right, but it's not like you're storing the passwords anyway, right?" Mindy said. She knew that even leaked hashes could be dangerous, but good salting/hashing would go a long way.

"Of course we are," Bob said. "We're selling web connected thermostats to what can be charitably called 'twelve-o-clock flashers'. You know what those are, right? Every clock in their house is flashing twelve?" Bob sneered. "They can't figure out the site, so we often have to log into their account to fix the things they break."

A few days later, Initech was ready to push a firmware update to all of the Model Q baby monitor cameras. Mindy was invited to watch the process so she could understand their workflow. It started off pretty reasonable: their CI/CD system had a verified build, signed off, ready to deploy.

"So, we've got a deployment farm running in the cloud," Bob explained. "There are thousands of these devices, right? So we start by putting the binary up in an S3 bucket." Bob typed a few commands to upload the binary. "What's really important for our process is that it follows this naming convention. Because the next thing we're going to do is spin up a half dozen EC2 instances- virtual servers in the cloud."

A few more commands later, and then Bob had six sessions open to cloud servers in tmux. "Now, these servers are 'clean instances', so the very first thing I have to do is upload our SSH keys." Bob ran an ssh-copy-id command to copy the SSH key from his computer up to the six cloud VMs.

"Wait, you're using your personal SSH keys?"

"No, that'd be crazy!" Bob said. "There's one global key for every one of our Model Q cameras. We've all got a copy of it on our laptops."

"All… the developers?"

"Everybody on the team," Bob said. "Developers to management."

"On their laptops?"

"Well, we were worried about storing something so sensitive on the network."

Bob continued the process, which involved launching a script that would query a webservice to see which Model Q cameras were online, then sshing into them, having them curl down the latest firmware, and then self-update. "For the first few days, we leave all six VMs running, but once most of them have gotten the update, we'll just leave one cloud service running," Bob explained. "Helps us manage costs."

It's safe to say Mindy learned a lot during her internship. Mostly, she learned, "don't buy anything from Initech."

[Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!

,

CryptogramFriday Squid Blogging: Sinuous Asperoteuthis Mangoldae Squid

Great video of the Sinuous Asperoteuthis Mangoldae Squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Krebs on SecurityiNSYNQ Ransom Attack Began With Phishing Email

A ransomware outbreak that hit QuickBooks cloud hosting firm iNSYNQ in mid-July appears to have started with an email phishing attack that snared an employee working in sales for the company, KrebsOnSecurity has learned. It also looks like the intruders spent roughly ten days rooting around iNSYNQ’s internal network to properly stage things before unleashing the ransomware. iNSYNQ ultimately declined to pay the ransom demand, and it is still working to completely restore customer access to files.

Some of this detail came in a virtual “town hall” meeting held August 8, in which iNSYNQ chief executive Elliot Luchansky briefed customers on how it all went down, and what the company is doing to prevent such outages in the future.

A great many iNSYNQ’s customers are accountants, and when the company took its network offline on July 16 in response to the ransomware outbreak, some of those customers took to social media to complain that iNSYNQ was stonewalling them.

“We could definitely have been better prepared, and it’s totally unacceptable,” Luchansky told customers. “I take full responsibility for this. People waiting ridiculous amounts of time for a response is unacceptable.”

By way of explaining iNSYNQ’s initial reluctance to share information about the particulars of the attack early on, Luchansky told customers the company had to assume the intruders were watching and listening to everything iNSYNQ was doing to recover operations and data in the wake of the ransomware outbreak.

“That was done strategically for a good reason,” he said. “There were human beings involved with [carrying out] this attack in real time, and we had to assume they were monitoring everything we could say. And that posed risks based on what we did say publicly while the ransom negotiations were going on. It could have been used in a way that would have exposed customers even more. That put us in a really tough bind, because transparency is something we take very seriously. But we decided it was in our customers’ best interests to not do that.”

A paid ad that comes up prominently when one searches for “insynq” in Google.

Luchansky did not say how much the intruders were demanding, but he mentioned two key factors that informed the company’s decision not to pay up.

“It was a very substantial amount, but we had the money wired and were ready to pay it in cryptocurrency in the case that it made sense to do so,” he told customers. “But we also understood [that paying] would put a target on our heads in the future, and even if we actually received the decryption key, that wasn’t really the main issue here. Because of the quick reaction we had, we were able to contain the encryption part” to roughly 50 percent of customer systems, he said.

Luchansky said the intruders seeded its internal network with MegaCortex, a potent new ransomware strain first spotted just a couple of months ago that is being used in targeted attacks on enterprises. He said the attack appears to have been carefully planned out in advance and executed “with human intervention all the way through.”

“They decided they were coming after us,” he said. “It’s one thing to prepare for these sorts of events but it’s an entirely different experience to deal with first hand.”

According to an analysis of MegaCortex published this week by Accenture iDefense, the crooks behind this ransomware strain are targeting businesses — not home users — and demanding ransom payments in the range of two to 600 bitcoins, which is roughly $20,000 to $5.8 million.

“We are working for profit,” reads the ransom note left behind by the latest version of MegaCortex. “The core of this criminal business is to give back your valuable data in the original form (for ransom of course).”

A portion of the ransom note left behind by the latest version of MegaCortex. Image: Accenture iDefense.

Luchansky did not mention in the town hall meeting exactly when the initial phishing attack was thought to have occurred, noting that iNSYNQ is still working with California-based CrowdStrike to gain a more complete picture of the attack.

But Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security, showed KrebsOnSecurity information obtained from monitoring dark web communications which suggested the problem started on July 6, after an employee in iNSYNQ’s sales division fell for a targeted phishing email.

“This shows that even after the initial infection, if companies act promptly they can still detect and stop the ransomware,” Holden said. “For these infections hackers take sometimes days, weeks, or even months to encrypt your data.”

iNSYNQ did not respond to requests for comment on Hold Security’s findings.

Asked whether the company had backups of customer data and — if so — why iNSYNQ decided not to restore from those, Luchansky said there were backups but that some of those were also infected.

“The backup system is backing up the primary system, and that by definition entails some level of integration,” Luchansky explained. “The way our system was architected, the malware had spread into the backups as well, at least a little bit. So [by] just turning the backups back on, there was a good chance the the virus would then start to spread through the backup system more. So we had to treat the backups similarly to how we were treating the primary systems.”

Luchansky said their backup system has since been overhauled, and that if a similar attack happened in the future it would take days instead of weeks to recover. However, he declined to get into specifics about exactly what had changed, which is too bad because in every ransomware attack story I’ve written this seems to be the detail most readers are interested in and arguing about.

The CEO added that iNSYNQ also will be partnering with a company that helps firms detect and block targeted phishing attacks, and that it envisioned being able to offer this to its customers at a discounted rate. It wasn’t clear from Luchansky’s responses to questions whether the cloud hosting firm was also considering any kind of employee anti-phishing education and/or testing service.

Luchansky said iNSYNQ was able to restore access to more than 90 percent of customer files by Aug. 2 — roughly two weeks after the ransomware outbreak — and that the company would be offering customers a two month credit as a result of the outage.

Sociological ImagesData Science Needs Social Science

What do college graduates do with a sociology major? We just got an updated look from Phil Cohen this week:

These are all great career fields for our students, but as I was reading the list I realized there is a huge industry missing: data science and analytics. From Netflix to national policy, many interesting and lucrative jobs today are focused on properly observing, understanding, and trying to predict human behavior. With more sociology graduate programs training their students in computational social science, there is a big opportunity to bring those skills to teaching undergraduates as well.

Of course, data science has its challenges. Social scientists have observed that the booming field has some big problems with bias and inequality, but this is sociology’s bread and butter! When we talk about these issues, we usually go straight to very important conversations about equity, inclusion, and justice, and rightfully so; it is easy to design algorithms that seem like they make better decisions, but really just develop their own biases from watching us.

We can also tackle these questions by talking about research methods–another place where sociologists shine! We spend a lot of time thinking about whether our methods for observing people are valid and reliable. Are we just watching talk, or action? Do people change when researchers watch them? Once we get good measures and a strong analytic approach, can we do a better job explaining how and why bias happens to prevent it in the future?

Sociologists are well-positioned to help make sense of big questions in data science, and the field needs them. According to a recent industry report, only 5% of data scientists come out of the social sciences! While other areas of study may provide more of the technical skills to work in analytics, there is only so much that the technology can do before companies and research centers need to start making sense of social behavior. 

Source: Burtch Works Executive Recruiting. 2018. “Salaries of Data Scientists.” Emphasis Mine

So, if students or parents start up the refrain of “what can you do with a sociology major” this fall, consider showing them the social side of data science!

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

Worse Than FailureError'd: Intentionally Obtuse

"Normally I do pretty well on the Super Quiz, but then they decided to do it in Latin," writes Mike S.

 

"Uh oh, this month's AWS costs are going to be so much higher than last month's!" Ben H. writes.

 

Amanda C. wrote, "Oh, neat, Azure has some recommendations...wait...no...'just kidding' I guess?"

 

"Here I never thought that SQL Server log space could go negative, and yet, here we are," Michael writes.

 

"I love the form factor on this motherboard, but I'm not sure what case to buy with it," Todd C. writes, "Perhaps, if it isn't working, I can just give it a little kick?"

 

Maarten C. writes, "Next time, I'll name my spreadsheets with dog puns...maybe that'll make things less ruff."

 

[Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today!

,

CryptogramSupply-Chain Attack against the Electron Development Platform

Electron is a cross-platform development system for many popular communications apps, including Skype, Slack, and WhatsApp. Security vulnerabilities in the update system allows someone to silently inject malicious code into applications. From a news article:

At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework -- ­and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response -- ­and the vulnerability remains.

While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications­ -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website.

Basically, the Electron ASAR files aren't signed or encrypted, so modifying them is easy.

Note that this attack requires local access to the computer, which means that an attacker that could do this could do much more damaging things as well. But once an app has been modified, it can be distributed to other users. It's not a big deal attack, but it's a vulnerability that should be closed.

CryptogramAT&T Employees Took Bribes to Unlock Smartphones

This wasn't a small operation:

A Pakistani man bribed AT&T call-center employees to install malware and unauthorized hardware as part of a scheme to fraudulently unlock cell phones, according to the US Department of Justice. Muhammad Fahd, 34, was extradited from Hong Kong to the US on Friday and is being detained pending trial.

An indictment alleges that "Fahd recruited and paid AT&T insiders to use their computer credentials and access to disable AT&T's proprietary locking software that prevented ineligible phones from being removed from AT&T's network," a DOJ announcement yesterday said. "The scheme resulted in millions of phones being removed from AT&T service and/or payment plans, costing the company millions of dollars. Fahd allegedly paid the insiders hundreds of thousands of dollars­ -- paying one co-conspirator $428,500 over the five-year scheme."

In all, AT&T insiders received more than $1 million in bribes from Fahd and his co-conspirators, who fraudulently unlocked more than 2 million cell phones, the government alleged. Three former AT&T customer service reps from a call center in Bothell, Washington, already pleaded guilty and agreed to pay the money back to AT&T.

Worse Than FailureCodeSOD: Swimming Downstream

When Java added their streams API, they brought the power and richness of functional programming styles to the JVM, if we ignore all the other non-Java JVM languages that already did this. Snark aside, streams were a great addition to the language, especially if we want to use them absolutely wrong.

Like this code Miles found.

See, every object in the application needs to have a unique identifier. So, for every object, there’s a method much like this one:

/**
     * Get next priceId
     *
     * @return next priceId
     */
    public String createPriceId() {
        List<String> ids = this.prices.stream().map(m -> m.getOfferPriceId()).collect(Collectors.toList());
        for (Integer i = 0; i < ids.size(); i++) {
            ids.set(i, ids.get(i).split("PR")[1]);
        }
        try {
            List<Integer> intIds = ids.stream().map(id -> Integer.parseInt(id)).collect(Collectors.toList());
            Integer max = intIds.stream().mapToInt(id -> id).max().orElse(0);
            return "PR" + (max + 1);
        } catch (Exception e) {
            return "PR" + 1;
        }
    }

The point of a stream is that you can build a processing pipeline: starting with a list, you can perform a series of operations but only touch each item in the stream once. That, of course, isn’t what we do here.

First, we map the prices to extract the offerPriceId and convert it into a list. Now, this list is a set of strings, so we iterate across that list of IDs, to break the "PR" prefix off. Then, we’ll map that list of IDs again, to parse the strings into integers. Then, we’ll cycle across that new list one more time, to find the max value. Then we can return a new ID.

And if anything goes wrong in this process, we won’t complain. We just return an ID that’s likely incorrect- "PR1". That’ll probably cause an error later, right? They can deal with it then.

Everything here is just wrong. This is the wrong way to use streams- the whole point is this could have been a single chain of function calls that only needed to iterate across the input data once. It’s also the wrong way to handle exceptions. And it’s also the wrong way to generate IDs.

Worse, a largely copy/pasted version of this code, with the names and prefixes changed, exists in nearly every model class. And these are database model classes, according to Miles, so one has to wonder if there might be a better way to generate IDs…

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

Valerie AuroraGoth fashion tips for Ehlers-Danlos Syndrome

A woman wearing a dramatic black hooded jacket typing on a laptop
Skingraft hoodie, INC shirt, Fisherman’s Wharf fingerless gloves

My ideal style could perhaps be best described as “goth chic”—a lot of structured black somewhere on the border between couture and business casual—but because I have Ehlers-Danlos Syndrome, I more often end up wearing “sport goth”: a lot of stretchy black layers in washable fabrics with flat shoes. With great effort, I’ve nudged my style back towards “goth chic,” at least on good days. Enough people have asked me about my gear that I figured I’d share what I’ve learned with other EDS goths (or people who just like being comfortable and also wearing a lot of black).

Here are the constraints I’m operating under:

  • Flat shoes with thin soles to prevent ankle sprains and foot and back pain
  • Stretchy/soft shoes without pressure points to prevent blisters on soft skin
  • Can’t show sweat because POTS causes excessive sweating, also I walk a lot
  • Layers because POTS, walking, and San Francisco weather means I need to adjust my temperature a lot
  • Little or no weight on shoulders due to hypermobile shoulders
  • No tight clothes on abdomen due to pain (many EDS folks don’t have this problem but I do)
  • Soft fabric only touching skin due to sensitive easily irritated skin
  • Warm wrists to prevent hands from losing circulation due to Reynaud’s or POTS

On the other hand, I have a few things that make fashion easier for me. For starters, I can afford a four-figure annual clothing budget. I still shop a lot at thrift stores, discount stores like Ross, or discount versions of more expensive stores like Nordstrom Rack but I can afford a few expensive pieces at full price. Many of the items on this page can be found used on Poshmark, eBay, and other online used clothing marketplaces. I also recommend doing the math for “cost per wear” to figure out if you would save money if you wore a more expensive but more durable piece for a longer period of time. I usually keep clothing and shoes for several years and repair as necessary.

I currently fit within the “standard” size ranges of most clothing and shoe brands, but many of the brands I recommend here have a wider range of sizes. I’ve included the size range where relevant.

Finally, as a cis woman with an extremely femme body type, I can wear a wide range of masculine and feminine styles without being hassled in public for being gender-nonconforming (I still get hassled in public for being a woman, yay). Most of the links here are to women’s styles, but many brands also have men’s styles. (None of these brands have unisex styles that I know of.)

Shoes and socks

Shoes are my favorite part of fashion! I spend much more money on shoes than I used to because more expensive shoes are less likely to give me blisters. If I resole/reheel/polish them regularly, they can last for several years instead of a few months, so they cost the same per wear. Functional shoes are notoriously hard for EDS people to find, so the less often I have to search for new shoes, the better. I nearly always wear my shoes until they can no longer be repaired. If this post does nothing other than convince you that it is economical and wise to spend more money on shoes, I have succeeded.

Woman wearing two coats and holding two rolling bags
Via Spiga trench, Mossimo hoodie, VANELi flats, Aimee Kestenberg rolling laptop bag, Travelpro rolling bag

Smartwool black socks – My poor tender feet need cushiony socks that don’t sag or rub. Smartwool socks are expensive but last forever, and you can get them in 100% black so that you can wash them with your black clothes without covering them in little white balls. I wear mostly the men’s Walk Light Crew and City Slicker, with occasional women’s Hide and Seek No Show.

Skechers Cleo flats – These are a line of flats in a stretchy sweater-like material. The heel can be a little scratchy, but I sewed ribbon over the seam and it was fine. The BOBS line of Skechers is also extremely comfortable. Sizes 5 – 11.

VANELi flats – The sportier versions of these shoes are obscenely comfortable and also on the higher end of fashion. I wore my first pair until they had holes in the soles, and then I kept wearing them another year. I’m currently wearing out this pair. You can get them majorly discounted at DSW and similar places. Sizes 5 – 12.

Stuart Weitzman 5050 boots – These over-the-knee boots are the crown jewel of any EDS goth wardrobe. First, they are almost totally flat and roomy in the toe. Second, the elastic in the boot shaft acts like compression socks, helping with POTS. Third, they look amazing. Charlize Theron wore them in “Atomic Blonde” while performing martial arts. Angelina Jolie wears these in real life. The downside is the price, but there is absolutely no reason to pay full price. I regularly find them in Saks Off 5th for 30% off. Also, they last forever: with reheeling, my first pair lasted around three years of heavy use. Stuart Weitzman makes several other flat boots with elastic shafts which are also worth checking out, but they have been making the 5050 for around 25 years so this style should always be available. Sizes 4 – 12, runs about a half size large.

Pants/leggings/skirts

A woman wearing black leggings and a black sweater
Patty Boutik sweater, Demobaza leggings, VANELi flats

Satina high-waisted leggings – I wear these extremely cheap leggings probably five days a week under skirts or dresses. Available in two sizes, S – L and XL – XXXL. If you can wear tight clothing, you might want to check out the Spanx line of leggings (e.g. the Moto Legging) which I would totally wear if I could.

Toad & Co. Women’s Chaka skirt – I wear this skirt probably three days a week. Ridiculously comfortable and only middling expensive. Sizes XS – L.

NYDJ jeans/leggings – These are pushing it for me in terms of tightness, but I can wear them if I’m standing or walking most of the day. Expensive, but they look professional and last forever. Sizes 00 – 28, including petites, and  they run at least a size large.

Demobaza leggings – The leggings made mostly of stretch material are amazingly comfortable, but also obscenely expensive. They also last forever. Sizes XS – L.

Tops

Patty Boutik – This strange little label makes comfortable tops with long long sleeves and long long bodies, and it keeps making the same styles for years. Unfortunately, they tend to sell out of the solid black versions of my favorite tops on a regular basis. I order two or three of my favorite styles whenever they are in stock as they are reasonably cheap. I’ve been wearing the 3/4 sleeve boat neck shirt at least once a week for about 5 years now. Sizes XS – XL, tend to run a size small.

14th and Union – This label makes very simple pieces out of the most comfortable fabrics I’ve ever worn for not very much money. I wear this turtleneck long sleeve tee about once a week. I also like their skirts. Sizes XS to XL, standard and petite.

Macy’s INC – This label is a reliable source of stretchy black clothing at Macy’s prices. It often edges towards club wear but keeps the simplicity I prefer.

Coats

Mossimo hoodie – Ugh, I love this thing. It’s the perfect cheap fashion staple. I often wear it underneath other coats. Not sure about sizes since it is only available on resale sites.

Skingraft Royal Hoodie – A vastly more expensive version of the black hoodie, but still comfortable, stretchy, and washable. And oh so dramatic. Sizes XS – L.

3/4 length hooded black trench coat – Really any brand will do, but I’ve mostly recently worn out a Calvin Klein and am currently wearing a Via Spiga.

Accessories

A woman wearing all black with a fanny pack
Mossimo hoodie, Toad & Co. skirt, T Tahari fanny pack, Satina leggings, VANELi flats

Fingerless gloves – The cheaper, the better! I buy these from the tourist shops at Fisherman’s Wharf in San Francisco for under $10. I am considering these gloves from Demobaza.

Medline folding cane – Another cheap fashion staple for the EDS goth! Sturdy, adjustable, folding black cane with clean sleek lines.

T Tahari Logo Fanny Pack – I stopped being able to carry a purse right about the time fanny packs came back into style! Ross currently has an entire fanny pack section, most of which are under $13. If I’m using a backpack or the rolling laptop bag, I usually keep my wallet, phone, keys, and lipstick in the fanny pack for easy access.

Duluth Child’s Pack, Envelope style – A bit expensive, but another simple fashion staple. I used to carry the larger roll-top canvas backpack until I realized I was packing it full of stuff and aggravating my shoulders. The child’s pack barely fits a small laptop and a few accessories.

Aimee Kestenberg rolling laptop bag – For the days when I need more than I can fit in my tiny backpack and fanny pack. It has a strap to fit on to the handle of a rolling luggage bag, which is great for air travel.

Apple Watch – The easiest way to diagnose POTS! (Look up “poor man’s tilt table test.”) A great way to track your heart rate and your exercise, two things I am very focused on as someone with EDS. When your first watch band wears out, go ahead and buy a random cheap one off the Internet.

That’s my EDS goth fashion tips! If you have more, please share them in the comments.

,

Krebs on SecurityWho Owns Your Wireless Service? Crooks Do.

Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptick in SIM-swapping attacks that lead to multi-million dollar cyberheists.

If you are somehow under the impression that you — the customer — are in control over the security, privacy and integrity of your mobile phone service, think again. And you’d be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel.

No, a series of recent court cases and unfortunate developments highlight the sad reality that the wireless industry today has all but ceded control over this vital national resource to cybercriminals, scammers, corrupt employees and plain old corporate greed.

On Tuesday, Google announced that an unceasing deluge of automated robocalls had doomed a feature of its Google Voice service that sends transcripts of voicemails via text message.

Google said “certain carriers” are blocking the delivery of these messages because all too often the transcripts resulted from unsolicited robocalls, and that as a result the feature would be discontinued by Aug. 9. This is especially rich given that one big reason people use Google Voice in the first place is to screen unwanted communications from robocalls, mainly because the major wireless carriers have shown themselves incapable or else unwilling to do much to stem the tide of robocalls targeting their customers.

AT&T in particular has had a rough month. In July, the Electronic Frontier Foundation (EFF) filed a class action lawsuit on behalf of AT&T customers in California to stop the telecom giant and two data location aggregators from allowing numerous entities — including bounty hunters, car dealerships, landlords and stalkers — to access wireless customers’ real-time locations without authorization.

And on Monday, the U.S. Justice Department revealed that a Pakistani man was arrested and extradited to the United States to face charges of bribing numerous AT&T call-center employees to install malicious software and unauthorized hardware as part of a scheme to fraudulently unlock cell phones.

Ars Technica reports the scam resulted in millions of phones being removed from AT&T service and/or payment plans, and that the accused allegedly paid insiders hundreds of thousands of dollars to assist in the process.

We should all probably be thankful that the defendant in this case wasn’t using his considerable access to aid criminals who specialize in conducting unauthorized SIM swaps, an extraordinarily invasive form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Late last month, a federal judge in New York rejected a request by AT&T to dismiss a $224 million lawsuit over a SIM-swapping incident that led to $24 million in stolen cryptocurrency.

The defendant in that case, 21-year-old Manhattan resident Nicholas Truglia, is alleged to have stolen more than $80 million from victims of SIM swapping, but he is only one of many individuals involved in this incredibly easy, increasingly common and lucrative scheme. The plaintiff in that case alleges that he was SIM-swapped on two different occasions, both allegedly involving crooked or else clueless employees at AT&T wireless stores.

And let’s not forget about all the times various hackers figured out ways to remotely use a carrier’s own internal systems for looking up personal and account information on wireless subscribers.

So what the fresh hell is going on here? And is there any hope that lawmakers or regulators will do anything about these persistent problems? Gigi Sohn, a distinguished fellow at the Georgetown Institute for Technology Law and Policy, said the answer — at least in this administration — is probably a big “no.”

“The takeaway here is the complete and total abdication of any oversight of the mobile wireless industry,” Sohn told KrebsOnSecurity. “Our enforcement agencies aren’t doing anything on these topics right now, and we have a complete and total breakdown of oversight of these incredibly powerful and important companies.”

Aaron Mackey, a staff attorney at the EFF, said that on the location data-sharing issue, federal law already bars the wireless carriers from sharing this with third parties without the expressed consent of consumers.

“What we’ve seen is the Federal Communications Commission (FCC) is well aware of this ongoing behavior about location data sales,” Mackey said. “The FCC has said it’s under investigation, but there has been no public action taken yet and this has been going on for more than a year. The major wireless carriers are not only violating federal law, but they’re also putting people in harm’s way. There are countless stories of folks being able to pretend to be law enforcement and gaining access to information they can use to assault and harass people based on the carriers making location data available to a host of third parties.”

On the issue of illegal SIM swaps, Wired recently ran a column pointing to a solution that many carriers in Africa have implemented which makes it much more difficult for SIM swap thieves to ply their craft.

“The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer,” wrote Wired’s Andy Greenberg in April. “If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.”

For its part, AT&T says it is now offering a solution to help diminish the fallout from unauthorized SIM swaps, and that the company is planning on publishing a consumer blog on this soon. Here are some excerpts from what they sent on that front:

“Our AT&T Authentication and Verification Service, or AAVS. AAVS offers a new method to help businesses determine that you are, in fact, you,” AT&T said in a statement. “This is how it works. If a business or company builds the AAVS capability into its website or mobile app, it can automatically connect with us when you attempt to log-in. Through that connection, the number and the phone are matched to confirm the log-in. If it detects something fishy, like the SIM card not in the right device, the transaction won’t go through without further authorization.”

“It’s like an automatic background check on your phone’s history, but with no personal information changing hands, and it all happens in a flash without you knowing. Think about how you do business with companies on your mobile device now. You typically log into an online account or a mobile app using a password or fingerprint. Some tasks might require you to receive a PIN from your institution for additional security, but once you have access, you complete your transactions. With AAVS, the process is more secure, and nothing changes for you. By creating an additional layer of security without adding any steps for the consumer, we can take larger strides in helping businesses and their customers better protect their data and prevent fraud. Even if it is designed to go unnoticed, we want you to know that extra layer of protection exists.   In fact, we’re offering it to dozens of financial institutions.”

“We are working with several leading banks to roll out this service to protect their customers accessing online accounts and mobile apps in the coming months, with more to follow. By directly working with those banks, we can help to better protect your information.”

In terms of combating the deluge of robocalls, Sohn says we already have a workable approach to arresting these nuisance calls: It’s an authentication procedure known as “SHAKEN/STIR,” and it is premised on the idea that every phone has a certificate of authenticity attached to it that can be used to validate if the call is indeed originating from the number it appears to be calling from.

Under a SHAKEN/STIR regime, anyone who is spoofing their number (and most of these robocalls are spoofed to appear as though they come from a number that is in the same prefix as yours) gets automatically blocked.

“The FCC could make the carriers provide robocall apps for free to customers, but they’re not,” Sohn said. “The carriers instead are turning around and charging customers extra for this service. There was a fairly strong anti-robocalls bill that passed the House, but it’s now stuck in the legislative graveyard that is the Senate.”

AT&T said it and the other major carriers in the US are adopting SHAKEN/STIR and do not plan to charge for it. The company said it is working on building this feature into its Call Protect app, which is free and is meant to help customers block unwanted calls.

What about the prospects of any kind of major overhaul to the privacy laws in this country that might give consumers more say over who can access their private data and what recourse they may have when companies entrusted with that information screw up?

Sohn said there are few signs that anyone in Congress is seriously championing consumer privacy as a major legislative issue. Most of the nascent efforts to bring privacy laws in the United States into the 21st Century she said are interminably bogged down on two sticky issues: Federal preemption of stronger state laws, and the ability of consumers to bring a private right of civil action in the courts against companies that violate those provisions.

“It’s way past time we had a federal privacy bill,” Sohn said. “Companies like Facebook and others are practically begging for some type of regulatory framework on consumer privacy, yet this congress can’t manage to put something together. To me it’s incredible we don’t even have a discussion draft yet. There’s not even a bill that’s being discussed and debated. That is really pitiful, and the closer we get to elections, the less likely it becomes because nobody wants to do anything that upsets their corporate contributions. And, frankly, that’s shameful.”

Update, Aug. 8, 2:05 p.m. ET: Added statements and responses from AT&T.

CryptogramBrazilian Cell Phone Hack

I know there's a lot of politics associated with this story, but concentrate on the cybersecurity aspect for a moment. The cell phones of a thousand Brazilians, including senior government officials, were hacked -- seemingly by actors much less sophisticated than rival governments.

Brazil's federal police arrested four people for allegedly hacking 1,000 cellphones belonging to various government officials, including that of President Jair Bolsonaro.

Police detective João Vianey Xavier Filho said the group hacked into the messaging apps of around 1,000 different cellphone numbers, but provided little additional information at a news conference in Brasilia on Wednesday. Cellphones used by Bolsonaro were among those attacked by the group, the justice ministry said in a statement on Thursday, adding that the president was informed of the security breach.

[...]

In the court order determining the arrest of the four suspects, Judge Vallisney de Souza Oliveira wrote that the hackers had accessed Moro's Telegram messaging app, along with those of two judges and two federal police officers.

When I say that smartphone security equals national security, this is the kind of thing I am talking about.

Worse Than FailureCodeSOD: Seven First Dates

Your programming language is PHP, which represents datetimes as milliseconds since the epoch. Your database, on the other hand, represents datetimes as seconds past the epoch. Now, your database driver certainly has methods to handle this, but can you really trust that?

Nancy found some code which simply needs to check: for the past week, how many customers arrived each day?

$customerCount = array();
$result2 = array();
$result3 = array();
$result4 = array();

$min = 20;
$max = 80;

for ( $i = $date; $i < $date + $days7 + $day; $i += $day ) {

	$first_datetime = date('Y-m-d H:i',substr($i - $day,0,-3));
	$second_datetime = date('Y-m-d H:i',substr($i,0,-3));

	$sql = $mydb ->prepare("SELECT 
								COUNT(DISTINCT Customer.ID) 'Customer'
				            FROM Customer
				                WHERE Timestamp BETWEEN %s AND %s",$first_datetime,$second_datetime);
	$output = $mydb->get_row($sql);
	array_push( $customerCount, $output->Customer == null ? 0 : $output->Customer);
}

array_push( $result4, $customerCount );
array_push( $result4, $result2 );
array_push( $result4, $result3 );

return $result4;

If you have a number of milliseconds and you wish to convert it to seconds, you might do something silly and divide by 1,000, but here we have a more obvious solution: substr the last three digits off to create our $first_datetime and $second_datetime.

Using that, we can prepare a separate query for each day, looping across them to populate $customerCount.

Once we’ve collected all the counts in $customerCount, we then push that into $result4. And then we push the empty $result2 into $result4, followed by the equally empty $result3, at which point we can finally return $result4.

There’s no $result1, but it looks like $customerCount was a renamed version of that, just by the sequence of declarations. And then $min and $max are initialized but never used, and from that, it’s very easy to understand what happened here.

The original developer copied some sample code from a tutorial, but they didn’t understand it. They knew they had a goal, and they knew that their goal was similar to the tutorial, so they just blundered about changing things until they got the results they expected.

Nancy threw all this out and replaced it with a GROUP BY query.

[Advertisement] Forget logs. Next time you're struggling to replicate error, crash and performance issues in your apps - Think Raygun! Installs in minutes. Learn more.

,

Worse Than FailureCodeSOD: Bunny Bunny

When you deploy any sort of complicated architecture, like microservices, you also end up needing to deploy some way to route messages between all the various bits and bobs in your application. You could build this yourself, but you’ll usually use an off-the-shelf product, like Kafka or RabbitMQ.

This is the world Tina lives in. They have a microservice-based architecture, glued together with a RabbitMQ server. The various microservices need to connect to the RabbitMQ, and thus, they need to be able to check if that connection were successful.

Now, as you can imagine, that would be a built-in library method for pretty much any MQ client library, but if people used the built-in methods for common tasks, we’d have far fewer articles to write.

Tina’s co-worker solved the “am I connected?” problem thus:

def are_we_connected_to_rabbitmq():
    our_node_ip = get_server_ip_address()
    consumer_connected = False
    response = requests.get("http://{0}:{1}@{2}:15672/api/queues/{3}/{4}".format(
        self.username,
        self.password,
        self.rabbitmq_host,
        self.vhost,
        self.queue))

    if response and response.status_code == 200:
        js_response = json.loads(response.content)
        consumer_details = js_response.get('consumer_details', [])
        for consumer in consumer_details:
            peer_host = consumer.get('channel_details', {}).get(
                'peer_host')
            if peer_host == our_node_ip:
                consumer_connected = True
                break

    return consumer_connected

To check if our queue consumer has successfully connected to the queue, we send an HTTP request to one of RabbitMQ’s restful endpoints to find a list of all of the connected consumers. Then we check to see if any of those consumers has our IP address. If one does, that must be us, so we must be connected!

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

,

Cory DoctorowPodcast: “IBM PC Compatible”: how adversarial interoperability saved PCs from monopolization

In my latest podcast (MP3), I read my essay “IBM PC Compatible”: how adversarial interoperability saved PCs from monopolization, published today on EFF’s Deeplinks; it’s another installment in my series about “adversarial interoperability,” and the role it has historically played in keeping tech open and competitive. This time, I relate the origin story of the “PC compatible” computer, with help from Tom Jennings (inventor of FidoNet!) who played a key role in the story.

All that changed in 1981, when IBM entered the PC market with its first personal computer, which quickly became the de facto standard for PC hardware. There are many reasons that IBM came to dominate the fragmented PC market: they had the name recognition (“No one ever got fired for buying IBM,” as the saying went) and the manufacturing experience to produce reliable products.

Equally important was IBM’s departure from its usual business practice of pursuing advantage by manufacturing entire systems, down to the subcomponents. Instead, IBM decided to go with an “open” design that incorporated the same commodity parts that the existing PC vendors were using, including MS-DOS and Intel’s 8086 chip. To accompany this open hardware, IBM published exhaustive technical documentation that covered every pin on every chip, every way that programmers could interact with IBM’s firmware (analogous to today’s “APIs”), as well as all the non-standard specifications for its proprietary ROM chip, which included things like the addresses where IBM had stored the fonts it bundled with the system.

Once IBM’s PC became the standard, rival hardware manufacturers realized that they had to create systems that were compatible with IBM’s systems. The software vendors were tired of supporting a lot of idiosyncratic hardware configurations, and IT managers didn’t want to have to juggle multiple versions of the software they relied on. Unless non-IBM PCs could run software optimized for IBM’s systems, the market for those systems would dwindle and wither.

MP3

CryptogramRegulating International Trade in Commercial Spyware

Siena Anstis, Ronald J. Deibert, and John Scott-Railton of Citizen Lab published an editorial calling for regulating the international trade in commercial surveillance systems until we can figure out how to curb human rights abuses.

Any regime of rigorous human rights safeguards that would make a meaningful change to this marketplace would require many elements, for instance, compliance with the U.N. Guiding Principles on Business and Human Rights. Corporate tokenism in this space is unacceptable; companies will have to affirmatively choose human rights concerns over growing profits and hiding behind the veneer of national security. Considering the lies that have emerged from within the surveillance industry, self-reported compliance is insufficient; compliance will have to be independently audited and verified and accept robust measures of outside scrutiny.

The purchase of surveillance technology by law enforcement in any state must be transparent and subject to public debate. Further, its use must comply with frameworks setting out the lawful scope of interference with fundamental rights under international human rights law and applicable national laws, such as the "Necessary and Proportionate" principles on the application of human rights to surveillance. Spyware companies like NSO Group have relied on rubber stamp approvals by government agencies whose permission is required to export their technologies abroad. To prevent abuse, export control systems must instead prioritize a reform agenda that focuses on minimizing the negative human rights impacts of surveillance technology and that ensures -- with clear and immediate consequences for those who fail -- that companies operate in an accountable and transparent environment.

Finally, and critically, states must fulfill their duty to protect individuals against third-party interference with their fundamental rights. With the growth of digital authoritarianism and the alarming consequences that it may hold for the protection of civil liberties around the world, rights-respecting countries need to establish legal regimes that hold companies and states accountable for the deployment of surveillance technology within their borders. Law enforcement and other organizations that seek to protect refugees or other vulnerable persons coming from abroad will also need to take digital threats seriously.

Krebs on SecurityThe Risk of Weak Online Banking Passwords

If you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial aggregation services like Mint, PlaidYodlee, YNAB and others to surveil and drain consumer accounts online.

Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.

A screenshot of a password-checking tool being used to target Chase Bank customers who re-use passwords from other sites. Image: Hold Security.

From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (API)s from one of several personal financial data aggregators which help users track their balances, budgets and spending across multiple banks.

A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor. That’s according to Brian Costello, vice president of data strategy at Yodlee, one of the largest financial aggregator platforms.

Costello said while some banks have implemented processes which pass through multi-factor authentication (MFA) prompts when consumers wish to link aggregation services, many have not.

“Because we have become something of a known quantity with the banks, we’ve set up turning off MFA with many of them,” Costello said.  “Many of them are substituting coming from a Yodlee IP or agent as a factor because banks have historically been relying on our security posture to help them out.”

Such reconnaissance helps lay the groundwork for further attacks: If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.

This targeting can occur in at least one of two ways. The first involves spear phishing attacks to gain access to that second authentication factor, which can be made much more convincing once the attackers have access to specific details about the customer’s account — such as recent transactions or account numbers (even partial account numbers).

The second is through an unauthorized SIM swap, a form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.

That’s because PayPal, Zelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits  — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.

Alex Holden is founder and chief technology officer of Hold Security, a Milwaukee-based security consultancy. Holden and his team closely monitor the cybercrime forums, and he said the company has seen a number of cybercriminals discussing how the financial aggregators are useful for targeting potential victims.

Holden said it’s not uncommon for thieves in these communities to resell access to bank account balance and transaction information to other crooks who specialize in cashing out such information.

“The price for these details is often very cheap, just a fraction of the monetary value in the account, because they’re not selling ‘final’ access to the account,” Holden said. “If the account is active, hackers then can go to the next stage for 2FA phishing or social engineering, or linking the accounts with another.”

Currently, the major aggregators and/or applications that use those platforms store bank logins and interactively log in to consumer accounts to periodically sync transaction data. But most of the financial aggregator platforms are slowly shifting toward using the OAuth standard for logins, which can give banks a greater ability to enforce their own fraud detection and transaction scoring systems when aggregator systems and apps are initially linked to a bank account.

That’s according to Don Cardinal, managing director of the Financial Data Exchange (FDX), which is seeking to unite the financial industry around a common, interoperable, and royalty-free standard for secure consumer and business access to their financial data.

“This is where we’re going,” Cardinal said. “The way it works today, you the aggregator or app stores the credentials encrypted and presents them to the bank. What we’re moving to is [an account linking process] that interactively loads the bank’s Web site, you login there, and the site gives the aggregator an OAuth token. In that token granting process, all the bank’s fraud controls are then direct to the consumer.”

Alissa Knight, a senior analyst with the Aite Group, a financial and technology analyst firm, said such attacks highlight the need to get rid of passwords altogether. But until such time, she said, more consumers should take full advantage of the strongest multi-factor authentication option offered by their bank(s), and consider using a password manager, which helps users pick and remember strong and unique passwords for each Web site.

“This is just more empirical data around the fact that passwords just need to go away,” Knight said. “For now, all the standard precautions we’ve been giving consumers for years still stand: Pick strong passwords, avoid re-using passwords, and get a password manager.”

Some of the most popular password managers include 1Password, Dashlane, LastPass and Keepass. Wired.com recently published a worthwhile writeup which breaks down each of these based on price, features and usability.

CryptogramWanted: Cybersecurity Imagery

Eli Sugarman of the Hewlettt Foundation laments about the sorry state of cybersecurity imagery:

The state of cybersecurity imagery is, in a word, abysmal. A simple Google Image search for the term proves the point: It's all white men in hoodies hovering menacingly over keyboards, green "Matrix"-style 1s and 0s, glowing locks and server racks, or some random combination of those elements -- sometimes the hoodie-clad men even wear burglar masks. Each of these images fails to convey anything about either the importance or the complexity of the topic­ -- or the huge stakes for governments, industry and ordinary people alike inherent in topics like encryption, surveillance and cyber conflict.

I agree that this is a problem. It's not something I noticed until recently. I work in words. I think in words. I don't use PowerPoint (or anything similar) when I give presentations. I don't need visuals.

But recently, I started teaching at the Harvard Kennedy School, and I constantly use visuals in my class. I made those same image searches, and I came up with similarly unacceptable results.

But unlike me, Hewlett is doing something about it. You can help: participate in the Cybersecurity Visuals Challenge.

EDITED TO ADD (8/5): News article. Slashdot thread.

Worse Than FailureCodeSOD: A Truly Painful Exchange

Java has a boolean type, and of course it also has a parseBoolean method, which works about how you'd expect. It's worth noting that a string "true" (ignoring capitalization) is the only thing which is considered true, and all other inputs are false. This does mean that you might not always get the results you want, depending on your inputs, so you might need to make your own boolean parser.

Adam H has received the gift of legacy code. In this case, the code was written circa 2002, and the process has been largely untouched since. An outside vendor uploads an Excel spreadsheet to an FTP site. And yes, it must be FTP, as the vendor's tool won't do anything more modern, and it must be Excel because how else do you ship tables of data between two businesses?

The Excel sheet has some columns which are filled with "TRUE" and "FALSE". This means their process needs to parse those values in as booleans. Or does it…

public class BooleanParseUtil { private static final String TRUE = "TRUE"; private static final String FALSE = "FALSE"; private BooleanParseUtil() { //private because class should not be instantiated } public static String parseBoolean(String paramString) { String result = null; if (paramString != null) { String s = paramString.toUpperCase().trim(); if (ParseUtilHelper.isPositive(s)) { result = TRUE; } else if (ParseUtilHelper.isNegative(s)) { result = FALSE; } } else { result = FALSE; } return result; } //snip }

Note the signature of parseBoolean: it takes a string and it returns a string. If we trace through the logic: a null input is false, a not-null input that isPositive is "TRUE", one that isNegative is "FALSE", and anything else returns null. I'm actually pretty sure that's a mistake, and is exactly the kind of thing that happens when you follow the "single return rule"- where each method has only one return statement. This likely is a source of heisenbugs and failed processing runs.

But wait a second, isPositive sure sounds like it means "greater than or equal to zero". But that can't be what it means, right? What are isPositive and isNegative actually doing?

public class ParseUtilHelper { private static final String TRUE = "TRUE"; private static final String FALSE = "FALSE"; private static final Set<String> positiveValues = new HashSet<>( Arrays.asList(TRUE, "YES", "ON", "OK", "ENABLED", "ACTIVE", "CHECKED", "REPORTING", "ON ALL", "ALLOW") ); private static final Set<String> negativeValues = new HashSet<>( Arrays.asList(FALSE, "NO", "OFF", "DISABLED", "INACTIVE", "UNCHECKED", "DO NOT DISPLAY", "NOT REPORTING", "N/A", "NONE", "SCHIMELPFENIG") ); private ParseUtilHelper() { //private constructor because class should not be instantiated } public static boolean isPositive(String v) { return positiveValues.contains(v); } public static boolean isNegative(String v) { return negativeValues.contains(v) || v.contains("DEFERRED"); } //snip }

For starters, we redefine constants that exist over in our BooleanParseUtil, which, I mean, maybe we could use different strings for TRUE and FALSE in this object, because that wouldn't be confusing at all.

But the real takeaway is that we have absolutely ALL of the boolean values. TRUE, YES, OK, DO NOT DISPLAY, and even SCHIMELPFENIG, the falsest of false values. That said, I can't help but think there's one missing.

In truth, this is exactly the sort of code that happens when you have a cross-organization data integration task with no schema. And while I'm sure the end users are quite happy to continue doing this in Excel, the only tool they care about using, there are many, many other possible ways to send that data around. I suppose we should just be happy that the process wasn't built using XML? I'm kidding, of course, even XML would be an improvement.

[Advertisement] ProGet can centralize your organization's software applications and components to provide uniform access to developers and servers. Check it out!

,

CryptogramMore on Backdooring (or Not) WhatsApp

Yesterday, I blogged about a Facebook plan to backdoor WhatsApp by adding client-side scanning and filtering. It seems that I was wrong, and there are no such plans.

The only source for that post was a Forbes essay by Kalev Leetaru, which links to a previous Forbes essay by him, which links to a video presentation from a Facebook developers conference.

Leetaru extrapolated a lot out of very little. I watched the video (the relevant section is at the 23:00 mark), and it doesn't talk about client-side scanning of messages. It doesn't talk about messaging apps at all. It discusses using AI techniques to find bad content on Facebook, and the difficulties that arise from dynamic content:

So far, we have been keeping this fight [against bad actors and harmful content] on familiar grounds. And that is, we have been training our AI models on the server and making inferences on the server when all the data are flooding into our data centers.

While this works for most scenarios, it is not the ideal setup for some unique integrity challenges. URL masking is one such problem which is very hard to do. We have the traditional way of server-side inference. What is URL masking? Let us imagine that a user sees a link on the app and decides to click on it. When they click on it, Facebook actually logs the URL to crawl it at a later date. But...the publisher can dynamically change the content of the webpage to make it look more legitimate [to Facebook]. But then our users click on the same link, they see something completely different -- oftentimes it is disturbing; oftentimes it violates our policy standards. Of course, this creates a bad experience for our community that we would like to avoid. This and similar integrity problems are best solved with AI on the device.

That might be true, but it also would hand whatever secret-AI sauce Facebook has to every one of its users to reverse engineer -- which means it's probably not going to happen. And it is a dumb idea, for reasons Steve Bellovin has pointed out.

Facebook's first published response was a comment on the Hacker News website from a user named "wcathcart," which Cardozo assures me is Will Cathcart, the vice president of WhatsApp. (I have no reason to doubt his identity, but surely there is a more official news channel that Facebook could have chosen to use if they wanted to.) Cathcart wrote:

We haven't added a backdoor to WhatsApp. The Forbes contributor referred to a technical talk about client side AI in general to conclude that we might do client side scanning of content on WhatsApp for anti-abuse purposes.

To be crystal clear, we have not done this, have zero plans to do so, and if we ever did it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise which is why we are opposed to it.

Facebook's second published response was a comment on my original blog post, which has been confirmed to me by the WhatsApp people as authentic. It's more of the same.

So, this was a false alarm. And, to be fair, Alec Muffet called foul on the first Forbes piece:

So, here's my pre-emptive finger wag: Civil Society's pack mentality can make us our own worst enemies. If we go around repeating one man's Germanic conspiracy theory, we may doom ourselves to precisely what we fear. Instead, we should ­ we must ­ take steps to constructively demand what we actually want: End to End Encryption which is worthy of the name.

Blame accepted. But in general, this is the sort of thing we need to watch for. End-to-end encryption only secures data in transit. The data has to be in the clear on the device where it is created, and it has to be in the clear on the device where it is consumed. Those are the obvious places for an eavesdropper to get a copy.

This has been a long process. Facebook desperately wanted to convince me to correct the record, while at the same time not wanting to write something on their own letterhead (just a couple of comments, so far). I spoke at length with Privacy Policy Manager Nate Cardozo, whom Facebook hired last December from EFF. (Back then, I remember thinking of him -- and the two other new privacy hires -- as basically human warrant canaries. If they ever leave Facebook under non-obvious circumstances, we know that things are bad.) He basically leveraged his historical reputation to assure me that WhatsApp, and Facebook in general, would never do something like this. I am trusting him, while also reminding everyone that Facebook has broken so many privacy promises that they really can't be trusted.

Final note: If they want to be trusted, Adam Shostack and I gave them a road map.

Hacker News thread.

EDITED TO ADD (8/4): SlashDot covered my retraction.

,

Krebs on SecurityWhat We Can Learn from the Capital One Hack

On Monday, a former Amazon employee was arrested and charged with stealing more than 100 million consumer applications for credit from Capital One. Since then, many have speculated the breach was perhaps the result of a previously unknown “zero-day” flaw, or an “insider” attack in which the accused took advantage of access surreptitiously obtained from her former employer. But new information indicates the methods she deployed have been well understood for years.

What follows is based on interviews with almost a dozen security experts, including one who is privy to details about the ongoing breach investigation. Because this incident deals with somewhat jargon-laced and esoteric concepts, much of what is described below has been dramatically simplified. Anyone seeking a more technical explanation of the basic concepts referenced here should explore some of the many links included in this story.

According to a source with direct knowledge of the breach investigation, the problem stemmed in part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services (AWS).

Known as “ModSecurity,” this WAF is deployed along with the open-source Apache Web server to provide protections against several classes of vulnerabilities that attackers most commonly use to compromise the security of Web-based applications.

The misconfiguration of the WAF allowed the intruder to trick the firewall into relaying requests to a key back-end resource on the AWS platform. This resource, known as the “metadata” service, is responsible for handing out temporary information to a cloud server, including current credentials sent from a security service to access any resource in the cloud to which that server has access.

In AWS, exactly what those credentials can be used for hinges on the permissions assigned to the resource that is requesting them. In Capital One’s case, the misconfigured WAF for whatever reason was assigned too many permissions, i.e. it was allowed to list all of the files in any buckets of data, and to read the contents of each of those files.

The type of vulnerability exploited by the intruder in the Capital One hack is a well-known method called a “Server Side Request Forgery” (SSRF) attack, in which a server (in this case, CapOne’s WAF) can be tricked into running commands that it should never have been permitted to run, including those that allow it to talk to the metadata service.

Evan Johnson, manager of the product security team at Cloudflare, recently penned an easily digestible column on the Capital One hack and the challenges of detecting and blocking SSRF attacks targeting cloud services. Johnson said it’s worth noting that SSRF attacks are not among the dozen or so attack methods for which detection rules are shipped by default in the WAF exploited as part of the Capital One intrusion.

“SSRF has become the most serious vulnerability facing organizations that use public clouds,” Johnson wrote. “The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform.”

Johnson said AWS could address this shortcoming by including extra identifying information in any request sent to the metadata service, as Google has already done with its cloud hosting platform. He also acknowledged that doing so could break a lot of backwards compatibility within AWS.

“There’s a lot of specialized knowledge that comes with operating a service within AWS, and to someone without specialized knowledge of AWS, [SSRF attacks are] not something that would show up on any critical configuration guide,” Johnson said in an interview with KrebsOnSecurity.

“You have to learn how EC2 works, understand Amazon’s Identity and Access Management (IAM) system, and how to authenticate with other AWS services,” he continued. “A lot of people using AWS will interface with dozens of AWS services and write software that orchestrates and automates new services, but in the end people really lean into AWS a ton, and with that comes a lot of specialized knowledge that is hard to learn and hard to get right.”

In a statement provided to KrebsOnSecurity, Amazon said it is inaccurate to argue that the Capital One breach was caused by AWS IAM, the instance metadata service, or the AWS WAF in any way.

“The intrusion was caused by a misconfiguration of a web application firewall and not the underlying infrastructure or the location of the infrastructure,” the statement reads. “AWS is constantly delivering services and functionality to anticipate new threats at scale, offering more security capabilities and layers than customers can find anywhere else including within their own datacenters, and when broadly used, properly configured and monitored, offer unmatched security—and the track record for customers over 13+ years in securely using AWS provides unambiguous proof that these layers work.”

Amazon pointed to several (mostly a la carte) services it offers AWS customers to help mitigate many of the threats that were key factors in this breach, including:

Access Advisor, which helps identify and scope down AWS roles that may have more permissions than they need;
GuardDuty, designed to raise alarms when someone is scanning for potentially vulnerable systems or moving unusually large amounts of data to or from unexpected places;
The AWS WAF, which Amazon says can detect common exploitation techniques, including SSRF attacks;
Amazon Macie, designed to automatically discover, classify and protect sensitive data stored in AWS.

William Bengston, formerly a senior security engineer at Netflix, wrote a series of blog posts last year on how Netflix built its own systems for detecting and preventing credential compromises in AWS. Interestingly, Bengston was hired roughly two months ago to be director of cloud security for Capital One. My guess is Capital One now wishes they had somehow managed to lure him away sooner.

Rich Mogull is founder and chief technology officer with DisruptOPS, a firm that helps companies secure their cloud infrastructure. Mogull said one major challenge for companies moving their operations from sprawling, expensive physical data centers to the cloud is that very often the employees responsible for handling that transition are application and software developers who may not be as steeped as they should in security.

“There is a basic skills and knowledge gap that everyone in the industry is fighting to deal with right now,” Mogull said. “For these big companies making that move, they have to learn all this new stuff while maintaining their old stuff. I can get you more secure in the cloud more easily than on-premise at a physical data center, but there’s going to be a transition period as you’re acquiring that new knowledge.”

Image: Capital One

Since news of the Capital One breach broke on Monday, KrebsOnSecurity has received numerous emails and phone calls from security executives who are desperate for more information about how they can avoid falling prey to the missteps that led to this colossal breach (indeed, those requests were part of the impetus behind this story).

Some of those people included executives at big competing banks that haven’t yet taken the plunge into the cloud quite as deeply as Capital One has. But it’s probably not much of a stretch to say they’re all lining up in front of the diving board.

It’s been interesting to watch over the past couple of years how various cloud providers have responded to major outages on their platforms — very often soon after publishing detailed post-mortems on the underlying causes of the outage and what they are doing to prevent such occurrences in the future. In the same vein, it would be wonderful if this kind of public accounting extended to other big companies in the wake of a massive breach.

I’m not holding out much hope that we will get such detail officially from Capital One, which declined to comment on the record and referred me to their statement on the breach and to the Justice Department’s complaint against the hacker. That’s probably to be expected, seeing as the company is already facing a class action lawsuit over the breach and is likely to be targeted by more lawsuits going forward.

But as long as the public and private response to data breaches remains orchestrated primarily by attorneys (which is certainly the case now at most major corporations), everyone else will continue to lack the benefit of being able to learn from and avoid those same mistakes.

CryptogramFriday Squid Blogging: Piglet Squid Video

Really neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

CryptogramDisabling Security Cameras with Lasers

There's a really interesting video of protesters in Hong Kong using some sort of laser to disable security cameras. I know nothing more about the technologies involved.

CryptogramFacebook Plans on Backdooring WhatsApp

This article points out that Facebook's planned content moderation scheme will result in an encryption backdoor into WhatsApp:

In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as true wiretapping service.

Facebook's model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.

Once this is in place, it's easy for the government to demand that Facebook add another filter -- one that searches for communications that they care about -- and alert them when it gets triggered.

Of course alternatives like Signal will exist for those who don't want to be subject to Facebook's content moderation, but what happens when this filtering technology is built into operating systems?

The problem is that if Facebook's model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape. Embedding content scanning tools directly into phones would make it possible to scan all apps, including ones like Signal, effectively ending the era of encrypted communications.

I don't think this will happen -- why does AT&T care about content moderation -- but it is something to watch?

EDITED TO ADD (8/2): This story is wrong. Read my correction.

CryptogramHow Privacy Laws Hurt Defendants

Rebecca Wexler has an interesting op-ed about an inadvertent harm that privacy laws can cause: while law enforcement can often access third-party data to aid in prosecution, the accused don't have the same level of access to aid in their defense:

The proposed privacy laws would make this situation worse. Lawmakers may not have set out to make the criminal process even more unfair, but the unjust result is not surprising. When lawmakers propose privacy bills to protect sensitive information, law enforcement agencies lobby for exceptions so they can continue to access the information. Few lobby for the accused to have similar rights. Just as the privacy interests of poor, minority and heavily policed communities are often ignored in the lawmaking process, so too are the interests of criminal defendants, many from those same communities.

In criminal cases, both the prosecution and the accused have a right to subpoena evidence so that juries can hear both sides of the case. The new privacy bills need to ensure that law enforcement and defense investigators operate under the same rules when they subpoena digital data. If lawmakers believe otherwise, they should have to explain and justify that view.

For more detail, see her paper.

Worse Than FailureError'd: Choice is but an Illusion

"If you choose not to decide which button to press, you still have made a choice," Rob H. wrote.

 

"If you have a large breed cat, or small dog, the name doesn't matter, it just has to get the job done," writes Bryan.

 

Mike R. wrote, "Thanks Dropbox. Becuase your survey can't add, I missed out on my chance to win a gift card. Way to go guys..."

 

"There was a magnitude 7.1 earthquake near Ridgecrest, CA on 7/5/2019 at 8:25PM PDT. I visited the USGS earthquakes page, clicked on the earthquake link, and clickedd on the 'Did you feel it?' link, because we DID feel it here in Sacramento, CA, 290 miles away," Ken M. wrote, "Based on what I'm seeing though, I think they may call it a 'bat-quake' instead."

 

Benjamin writes, "Apparently Verizon is trying to cast a spell on me because I used too much data."

 

Daniel writes, "German telekom's customer center site is making iFrames sexy again."

 

[Advertisement] Forget logs. Next time you're struggling to replicate error, crash and performance issues in your apps - Think Raygun! Installs in minutes. Learn more.

,

Cory DoctorowPaul Di Filippo on Radicalized: “Upton-Sinclairish muckraking, and Dickensian-Hugonian ashcan realism”

I was incredibly gratified and excited to read Paul Di Filippo’s Locus review of my latest book, Radicalized; Di Filippo is a superb writer, one of the original, Mirrorshades cyberpunks, and he is a superb and insightful literary critic, so when I read his superlative-laden review of my book today, it was an absolute thrill (I haven’t been this excited about a review since Bruce Sterling reviewed Walkaway).


There’s so much to be delighted by in this review, not least a comparison to Rod Serling (!). Below, a couple paras of especial note.

His latest, a collection of four novellas, subtitled “Four Tales of Our Present Moment”, fits the template perfectly, and extends his vision further into a realm where impassioned advocacy, Upton-Sinclairish muckraking, and Dickensian-Hugonian ashcan realism drives a kind of partisan or Cassandran science fiction seen before mostly during the post-WWII atomic bomb panic (think On the Beach) and 1960s New Wave-Age of Aquarius agitation (think Bug Jack Barron). Those earlier troubled eras resonate with our current quandary, but the “present moment” under Doctorow’s microscope – or is that a sniper’s crosshairs? – has its own unique features that he seeks to elucidate. These stories walk a razor’s edge between literature and propaganda, aesthetics and bludgeoning, subtlety and stridency, rant and revelation. The only guaranteed outcome after reading is that no one can be indifferent to them…

…The Radicalized collection strikes me in some sense as an episode of a primo TV anthology series – Night Gallery in the classical mode, or maybe in a more modern version, Philip K. Dick’s Electric Dreams. It gives us polymath Cory Doctorow as talented Rod Serling – himself both a dreamer and a social crusader – telling us that he’s going to show us, as vividly as he can, several nightmares or future hells, but that somehow the human spirit and soul will emerge intact and even triumphant.


Paul Di Filippo Reviews Radicalized by Cory Doctorow [Paul Di Filippo/Locus]

Worse Than FailureCodeSOD: Close to the Point

Lena inherited some C++ code which had issues regarding a timeout. While skimming through the code, one block in particular leapt out. This was production code which had been running in this state for some time.

if((pFile) && (pFile != (FILE *)(0xcdcdcdcd))) {
    fclose(pFile);
    pFile = NULL;
}

The purpose of this code is, as you might gather from the call to fclose, to close a file handle represented by pFile, a pointer to the handle. This code mostly is fine, but with one, big, glaring “hunh?” and it’s this bit here: (pFile != (FILE *)(0xcdcdcdcd))

(FILE *)(0xcdcdcdcd) casts the number 0xcdcdcdcd to a file pointer- essentially it creates a pointer pointing at memory address 0xcdcdcdcd. If pFile points to that address, we won’t close pFile. Is there a reason for this? Not that Lena could determine from the code. Did the 0xcdcdcdcd come from anywhere specific? Probably a previous developer trying to track down a bug and dumping addresses from the debugger. How did it get into production code? How long had it been there? It was impossible to tell. It was also impossible to tell if it was secretly doing something important, so Lena made a note to dig into it later, but focused on solving the timeout bug which had started this endeavor.

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

,

CryptogramAnother Attack Against Driverless Cars

In this piece of research, attackers successfully attack a driverless car system -- Renault Captur's "Level 0" autopilot (Level 0 systems advise human drivers but do not directly operate cars) -- by following them with drones that project images of fake road signs in 100ms bursts. The time is too short for human perception, but long enough to fool the autopilot's sensors.

Boing Boing post.

Worse Than FailureCodeSOD: What a Happy Date

As is the case with pretty much any language these days, Python comes with robust date handling functionality. If you want to know something like what the day of the month is? datetime.now().day will tell you. Simple, easy, and of course, just an invitation for someone to invent their own.

Jan was witness to a little date-time related office politics. This particular political battle started during a code review. Klaus had written some date mangling code, relying heavily on strftime to parse dates out to strings and then parse them back in as integers. Richard, quite reasonably, pointed out that Klaus was taking the long way around, and maybe Klaus should possibly think about doing it in a simpler fashion.

“So, you don’t understand the code?” Klaus asked.

“No, I understand it,” Richard replied. “But it’s far too complicated. You’re doing a simple task- getting the day of the month! The code should be simple.”

“Ah, so it’s too complicated, so you can’t understand it.”

“Just… write it the simple way. Use the built-in accessor.”

So, Klaus made his revisions, and merged the revised code.

import datetime
# ...
now = datetime.datetime.now()  # Richard
date = now.strftime("%d")  # Richard, this is a string over here
date_int = int(date)  # day number, int("08") = 8, so no problem here
hour = now.hour  # Richard :)))))
hour_int = int(hour)  # int hour, e.g. if it's 22:36 then hour = 22

Richard did not have a big :))))) on his face when he saw that in the master branch.

[Advertisement] Ensure your software is built only once and then deployed consistently across environments, by packaging your applications and components. Learn how today!

TEDStages of Life: Notes from Session 5 of TEDSummit 2019

Yilian Cañizares rocks the TED stage with a jubilant performance of her signature blend of classic jazz and Cuban rhythms. She performs at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

The penultimate session of TEDSummit 2019 had a bit of everything — new thoughts on aging, loneliness and happiness as well as breakthrough science, music and even a bit of comedy.

The event: TEDSummit 2019, Session 5: Stages of Life, hosted by Kelly Stoetzel and Alex Moura

When and where: Wednesday, July 24, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Nicola Sturgeon, Sonia Livingstone, Howard Taylor, Sara-Jane Dunn, Fay Bound Alberti, Carl Honoré

Opening: Raconteur Mackenzie Dalrymple telling the story of the Goodman of Ballengeich

Music: Yilian Cañizares and her band, rocking the TED stage with a jubilant performance that blends classic jazz and Cuban rhythms

Comedy: Amidst a head-spinning program of big (and often heavy) ideas, a welcomed break from comedian Omid Djalili, who lightens the session with a little self-deprecation and a few barbed cultural observations

The talks in brief:

“In the world we live in today, with growing divides and inequalities, with disaffection and alienation, it is more important than ever that we … promote a vision of society that has well-being, not just wealth, at its very heart,” says Nicola Sturgeon, First Minister of Scotland. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Nicola Sturgeon, First Minister of Scotland

Big idea: It’s time to challenge the monolithic importance of GDP as a quality-of-life metric — and paint a broader picture that also encompasses well-being.

How? In 2018, Scotland, Iceland and New Zealand established the Wellbeing Economy Governments group to challenge the supremacy of GDP. The leaders of these countries — who are, incidentally, all women — believe policies that promote happiness (including equal pay, childcare and paternity rights) could help decrease alienation in its citizens and, in turn, build resolve to confront global challenges like inequality and climate change.

Quote of the talk: “Growth in GDP should not be pursued at any and all cost … The goal of economic policy should be collective well-being: how happy and healthy a population is, not just how wealthy a population is.”


Sonia Livingstone, social psychologist

Big idea: Parents often view technology as either a beacon of hope or a developmental poison, but the biggest influence on their children’s life choices is how they help them navigate this unavoidable digital landscape. Society as a whole can positively impact these efforts.

How? Sonia Livingstone’s own childhood was relatively analog, but her research has been focused on how families embrace new technology today. Changes abound in the past few decades — whether it’s intensified educational pressures, migration, or rising inequality — yet it’s the digital revolution that remains the focus of our collective apprehension. Livingstone’s research suggests that policing screen time isn’t the answer to raising a well-rounded child, especially at a time when parents are trying to live more democratically with their children by sharing decision-making around activities like gaming and exploring the internet. Leaders and institutions alike can support a positive digital future for children by partnering with parents to guide activities within and outside of the home. Instead of criticizing families for their digital activities, Livingstone thinks we should identify what real-world challenges they’re facing, what options are available to them and how we can support them better.

Quote of the talk: “Screen time advice is causing conflict in the family, and there’s no solid evidence that more screen time increases childhood problems — especially compared with socio-economic or psychological factors. Restricting children breeds resistance, while guiding them builds judgment.”


Howard Taylor, child safety advocate

Big idea: Violence against children is an endemic issue worldwide, with rates of reported incidence increasing in some countries. We are at a historical moment that presents us with a unique opportunity to end the epidemic, and some countries are already leading the way.

How? Howard Taylor draws attention to Sweden and Uganda, two very different countries that share an explicit commitment to ending violence against children. Through high-level political buy-in, data-driven strategy and tactical legislative initiatives, the two countries have already made progress on. These solutions and others are all part of INSPIRE, a set of strategies created by an alliance of global organizations as a roadmap to eliminating the problem. If we put in the work, Taylor says, a new normal will emerge: generations whose paths in life will be shaped by what they do — not what was done to them.

Quote of the talk: “What would it really mean if we actually end violence against children? Multiply the social, cultural and economic benefits of this change by every family, every community, village, town, city and country, and suddenly you have a new normal emerging. A generation would grow up without experiencing violence.”


“The first half of this century is going to be transformed by a new software revolution: the living software revolution. Its impact will be so enormous that it will make the first software revolution pale in comparison,” says computational biologist Sara-Jane Dunn. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Sara-Jane Dunn, computational biologist

Big idea: In the 20th century, computer scientists inscribed machine-readable instructions on tiny silicon chips, completely revolutionizing our lives and workplaces. Today, a “living software” revolution centered around organisms built from programmable cells is poised to transform medicine, agriculture and energy in ways we can scarcely predict.

How? By studying how embryonic stem cells “decide” to become neurons, lung cells, bone cells or anything else in the body, Sara-Jane Dunn seeks to uncover the biological code that dictates cellular behavior. Using mathematical models, Dunn and her team analyze the expected function of a cellular system to determine the “genetic program” that leads to that result. While they’re still a long way from compiling living software, they’ve taken a crucial early step.

Quote of the talk: “We are at the beginning of a technological revolution. Understanding this ancient type of biological computation is the critical first step. And if we can realize this, we would enter into the era of an operating system that runs living software.”


Fay Bound Alberti, cultural historian

Big idea: We need to recognize the complexity of loneliness and its ever-transforming history. It’s not just an individual and psychological problem — it’s a social and physical one.

Why? Loneliness is a modern-day epidemic, with a history that’s often recognized solely as a product of the mind. Fay Bound Alberti believes that interpretation is limiting. “We’ve neglected [loneliness’s] physical effects — and loneliness is physical,” she says. She points to how crucial touch, smell, sound, human interaction and even nostalgic memories of sensory experiences are to coping with loneliness, making people feel important, seen and helping to produce endorphins. By reframing our perspective on this feeling of isolation, we can better understand how to heal it.

Quote of talk: “I am suggesting we need to turn to the physical body, we need to understand the physical and emotional experiences of loneliness to be able to tackle a modern epidemic. After all, it’s through our bodies, our sensory bodies, that we engage with the world.”

Fun fact: “Before 1800 there was no word for loneliness in the English language. There was something called: ‘oneliness’ and there were ‘lonely places,’ but both simply meant the state of being alone. There was no corresponding emotional lack and no modern state of loneliness.”


“Whatever age you are: own it — and then go out there and show the world what you can do!” says Carl Honoré. He speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Carl Honoré, writer, thinker and activist

Big idea: Stop the lazy thinking around age and the “cult of youth” — it’s not all downhill from 40.

How? We need to debunk the myths and stereotypes surrounding age — beliefs like “older people can’t learn new things” and “creativity belongs to the young.” There are plenty of trailblazers and changemakers who came into their own later in life, from artists and musicians to physicists and business leaders. Studies show that people who fear and feel bad about aging are more likely to suffer physical effects as if age is an actual affliction rather than just a number. The first step to getting past that is by creating new, more positive societal narratives. Honoré offers a set of simple solutions — the two most important being: check your language and own your age. Embrace aging as an adventure, a process of opening rather than closing doors. We need to feel better about aging in order to age better.

Quote of the talk: “Whatever age you are: own it — and then go out there and show the world what you can do!”

TEDWhat Brexit means for Scotland: A Q&A with First Minister Nicola Sturgeon

First Minister of Scotland Nicola Sturgeon spoke at TEDSummit on Wednesday in Edinburgh about her vision for making collective well-being the main aim of public policy and the economy. (Watch her full talk on TED.com.) That same morning, Boris Johnson assumed office as Prime Minister of the United Kingdom, the latest episode of the Brexit drama that has engulfed UK politics. During the 2016 referendum, Scotland voted against Brexit.

After her talk, Chris Anderson, the Head of TED, joined Sturgeon, who’s been vocally critical of Johnson, to ask a few questions about the current political landscape. Watch their exchange below.

,

Cory DoctorowHoustonites! Come see Hank Green and me in conversation tomorrow night!

Hank Green and I are doing a double act tomorrow night, July 31, as part of the tour for the paperback of his debut novel, An Absolutely Remarkable Thing. It’s a ticketed event (admission includes a copy of Hank’s book), and we’re presenting at 7PM at Spring Forest Middle School in association with Blue Willow Bookshop. Hope to see you there!

Krebs on SecurityCapital One Data Theft Impacts 106M People

Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.

Paige “erratic” Thompson, in an undated photo posted to her Slack channel.

On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.

“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.

The tip that alerted Capital One to its data breach.

The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.

Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.

The Twitter user “erratic” posting about tools and processes used to access various Amazon cloud instances.

According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”

KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.

That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One.

Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.

None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.

Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.

“The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”

“The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.

In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.

Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.

A copy of the complaint against Thompson is available here.

Update, 3:38 p.m. ET: I’ve reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:

“Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker’s alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed.”

,

TEDIt’s not about privacy — it’s about power: Carole Cadwalladr speaks at TEDSummit 2019

Three months after her landmark talk, Carole Cadwalladr is back at TED. In conversation with curator Bruno Giussani, Cadwalladr discusses the latest on her reporting on the Facebook-Cambridge Analytica scandal and what we still don’t know about the transatlantic links between Brexit and the 2016 US presidential election.

“Who has the information, who has the data about you, that is where power now lies,” Cadwalladr says.

Cadwalladr appears in The Great Hack, a documentary by Karim Amer and TED Prize winner Jehane Noujaim that explores how Cambridge Analytica has come to symbolize the dark side of social media. The documentary was screened for TEDSummit participants today. Watch it in select theaters and on Netflix starting July 24.

Learn more about how you can support Cadwalladr’s investigation into data, disinformation and democracy.

TEDNot All Is Broken: Notes from Session 6 of TEDSummit 2019

Raconteur Mackenzie Dalrymple regales the TEDSummit audience with a classic Scottish story. He speaks at TEDSummit: A Community Beyond Borders, July 25, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

In the final session of TEDSummit 2019, the themes from the week — our search for belonging and community, our digital future, our inextricable connection to the environment — ring out with clarity and insight. From the mysterious ways our emotions impact our biological hearts, to a tour-de-force talk on the languages we all speak, it’s a fitting close to a week of revelation, laughter, tears and wonder.

The event: TEDSummit 2019, Session 6: Not All Is Broken, hosted by Chris Anderson and Bruno Giussani

When and where: Thursday, July 25, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Johann Hari, Sandeep Jauhar, Anna Piperal, Eli Pariser, Poet Ali

Interlude: Mackenzie Dalrymple sharing the tale of an uncle and nephew competing to become Lord of the Isles

Music: Djazia Satour, blending 1950s Chaabi (a genre of North African folk music) with modern grooves

The talks in brief:

Johann Hari, journalist

Big idea: The cultural narrative and definitions of depression and anxiety need to change.

Why? We need to talk less about chemical imbalances and more about imbalances in the way we live. Johann Hari met with experts around the world, boiling down his research into a surprisingly simple thesis: all humans have physical needs (food, shelter, water) as well as psychological needs (feeling that you belong, that your life has meaning and purpose). Though antidepressant drugs work for some, biology isn’t the whole picture, and any treatment must be paired with a social approach. Our best bet is to listen to the signals of our bodies, instead of dismissing them as signs of weakness madness. If we take time to investigate our red flags of depression and anxiety — and take the time to reevaluate how we build meaning and purpose, especially through social connections — we can start to heal in a society deemed the loneliest in human history.

Quote of the talk: “If you’re depressed, if you’re anxious — you’re not weak. You’re not crazy. You’re not a machine with broken parts. You’re a human being with unmet needs.”


“Even if emotions are not contained inside our hearts, the emotional heart overlaps its biological counterpart in surprising and mysterious ways,” says cardiologist Sandeep Jauhar. He speaks at TEDSummit: A Community Beyond Borders, July 21-25, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Sandeep Jauhar, cardiologist

Big Idea: Emotional stress can be a matter of life and death. Let’s factor that into how we care for our hearts.

How? “The heart may not originate our feelings, but it is highly responsive to them,” says Sandeep Jauhar. In his practice as a cardiologist, he has seen extensive evidence of this: grief and fear can cause profound cardiac injury. “Takotsubo cardiomyopathy,” or broken heart syndrome, has been found to occur when the heart weakens after the death of a loved one or the stress of a large-scale natural disaster. It comes with none of the other usual symptoms of heart disease, and it can resolve in just a few weeks. But it can also prove fatal. In response, Jauhar says that we need a new paradigm of care, one that considers the heart as more than “a machine that can be manipulated and controlled” — and recognizes that emotional stress is as important as cholesterol.

Quote of the talk: “Even if emotions are not contained inside our hearts, the emotional heart overlaps its biological counterpart in surprising and mysterious ways.”


“In most countries, people don’t trust their governments, and the governments don’t trust them back. All the complicated paper-based formal procedures are supposed to solve that problem. Except that they don’t. They just make life more complicated,” says e-governance expert Anna Piperal. She speaks at TEDSummit: A Community Beyond Borders, July 25, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Anna Piperal, e-governance expert 

Big idea: Bureaucracy can be eradicated by going digital — but we’ll need to build in commitment and trust.

How? Estonia is one of the most digital societies on earth. After gaining independence 30 years ago, and subsequently building itself up from scratch, the country decided not only to digitize existing bureaucracy but also to create an entirely new system. Now citizens can conduct everything online, from running a business to voting and managing their healthcare records, and only need to show up in person for literally three things: to claim their identity card, marry or divorce, or sell a property. Anna Piperal explains how, using a form of blockchain technology, e-Estonia builds trust through the “once-only” principle, through which the state cannot ask for information more than once nor store it in more than one place. The country is working to redefine bureaucracy by making it more efficient, granting citizens full ownership of their data — and serving as a model for the rest of the world to do the same.

Quote of the talk: “In most countries, people don’t trust their governments, and the governments don’t trust them back. All the complicated paper-based formal procedures are supposed to solve that problem. Except that they don’t. They just make life more complicated.”


Eli Pariser, CEO of Upworthy

Big idea: We can find ways to make our online spaces civil and safe, much like our best cities.

How? Social media is a chaotic and sometimes dangerous place. With its trolls, criminals and segregated spaces, it’s a lot like New York City in the 1970s. But like New York City, it’s also a vibrant space in which people can innovate and find new ideas. So Eli Pariser asks: What if we design social media like we design cities, taking cues from social scientists and urban planners like Jane Jacobs? Built around empowered communities, one-on-one interactions and public censure for those who act out, platforms could encourage trust and discourse, discourage antisocial behavior and diminish the sense of chaos that leads some to embrace authoritarianism.

Quote of the talk: “If online digital spaces are going to be our new home, let’s make them a comfortable, beautiful place to live — a place we all feel not just included, but actually some ownership of. A place we get to know each other. A place you’d actually want not just to visit, but to bring your kids.”


“Every language we learn is a portal by which we can access another language. The more you know, the more you can speak. … That’s why languages are so important, because they give us access to new worlds,” says Poet Ali. He speaks at at TEDSummit: A Community Beyond Borders, July 25, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Poet Ali, architect of human connection

Big idea: You speak far more languages than you realize, with each language representing a gateway to understanding different societies, cultures and experiences.

How? Whether it’s the recognized tongue of your country or profession, or the social norms of your community, every “language” you speak is more than a lexicon of words: it also encompasses feelings like laughter, solidarity, even a sense of being left out. These latter languages are universal, and the more we embrace their commonality — and acknowledge our fluency in them — the more we can empathize with our fellow humans, regardless of our differences.

Quote of the talk: “Every language we learn is a portal by which we can access another language. The more you know, the more you can speak. … That’s why languages are so important, because they give us access to new worlds.”

TEDBusiness Unusual: Notes from Session 4 of TEDSummit 2019

ELEW and Marcus Miller blend jazz improvisation with rock in a musical cocktail of “rock-jazz.” They perform at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

To keep pace with our ever-changing world, we need out-of-the-box ideas that are bigger and more imaginative than ever. The speakers and performers from this session explore these possibilities, challenging us to think harder about the notions we’ve come to accept.

The event: TEDSummit 2019, Session 4: Business Unusual, hosted by Whitney Pennington Rodgers and Cloe Shasha

When and where: Wednesday, July 24, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Margaret Heffernan, Bob Langert, Rose Mutiso, Mariana Mazzucato, Diego Prilusky

Music: A virtuosic violin performance by Min Kym, and a closing performance by ELEW featuring Marcus Miller, blending jazz improvisation with rock in a musical cocktail of “rock-jazz.”

The talks in brief:

“The more we let machines think for us, the less we can think for ourselves,” says Margaret Heffernan. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Margaret Heffernan, entrepreneur, former CEO and writer 

Big idea: The more we rely on technology to make us efficient, the fewer skills we have to confront the unexpected. That’s why we must start practicing “just-in-case” management — anticipating the events (climate catastrophes, epidemics, financial crises) that will almost certainly happen but are ambiguous in timing, scale and specifics. 

Why? In our complex, unpredictable world, changes can occur out of the blue and have outsize impacts. When governments, businesses and individuals prioritize efficiency above all else, it keeps them from responding quickly, effectively and creatively. That’s why we all need to focus on cultivating what Heffernan calls our “unpredictable, messy human skills.” These include exercising our social abilities to build strong relationships and coalitions; humility to admit we don’t have all the answers; imagination to dream up never-before-seen solutions; and bravery to keep experimenting.

Quote of the talk: “The harder, deeper truth is that the future is uncharted, that we can’t map it until we get there. But that’s OK because we have so much capacity for imagination — if we use it. We have deep talents for inventiveness and exploration — if we apply them. We are brave enough to invent things we’ve never seen before. Lose these skills and we are adrift. But hone and develop them, and we can make any future we choose.”


Bob Langert, sustainability expert and VP of sustainability at McDonald’s

Big idea: Adversaries can be your best allies.

How? Three simple steps: reach out, listen and learn. As a “corporate suit” (his words), Bob Langert collaborates with his company’s strongest critics to find business-friendly solutions for society. Instead of denying and pushing back, he tries to embrace their perspectives and suggestions. He encourages others in positions of power to do the same, driven by this mindset: assume the best intentions of your critics; focus on the truth, the science and facts; and be open and transparent in order to turn critics into allies. The worst-case scenario? You’ll become better, your organization will become better — and you might make some friends along the way.

Fun fact: After working with NGOs in the 1990s, McDonald’s reduced 300 million pounds of waste over 10 years.


“When we talk about providing energy for growth, it is not just about innovating the technology: it’s the slow and hard work of improving governance, institutions and a broader macro-environment,” says Rose Mutiso. She speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Rose Mutiso, energy scientist

Big Idea: In order to grow out of poverty, African countries need a steady supply of abundant and affordable electricity.

Why? Energy poverty, or the lack of access to electricity and other basic energy services, affects nearly two-thirds of Sub-Saharan Africa. As the region’s population continues to grow, we have the opportunity to build a new energy system — from scratch — to grow with it, says Rose Mutiso. It starts with naming the systemic holes that current solutions (solar, LED and battery technology) overlook: we don’t have a clear consensus on what energy poverty is; there’s too much reliance on quick fixes; and we’re misdirecting our climate change concerns. What we need, Mutiso says, is nuanced, large-scale solutions with a diverse range of energy sources. For instance, the region has significant hydroelectric potential, yet less than 10 percent of this potential is currently being utilized. If we work hard to find new solutions to our energy deficits now, everybody benefits.

Quote of talk:Countries cannot grow out of poverty without access to a steady supply of abundant, affordable and reliable energy to power these productive sectors — what I call energy for growth.”


Mariana Mazzucato, economist and policy influencer

Big idea: We’ve forgotten how to tell the difference between the value extractors in the C-suites and finance sectors and the value producers, the workers and taxpayers who actually fuel innovation and productivity. And recently we’ve neglected the importance of even questioning what the difference between the two.

How? Economists must redefine and recognize true value creators, envisioning a system that rewards them just as much as CEOs, investors and bankers. We need to rethink how we value education, childcare and other “free” services — which don’t have a price but clearly contribute to sustaining our economies. We need to make sure that our entire society not only shares risks but also rewards.

Quote of the talk: “[During the bank bailouts] we didn’t hear the taxpayers bragging that they were value creators. But, obviously, having bailed out the biggest ‘value-creating’ productive companies, perhaps they should have.”


Diego Prilusky demos his immersive storytelling technology, bringing Grease to the TED stage. He speaks at TEDSummit: A Community Beyond Borders, July 24, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Diego Prilusky, video pioneer

Big idea: Get ready for the next revolution in visual storytelling: volumetric video, which aims to do nothing less than recreate reality as a cinematic experience.

How? Movies have been around for more than 100 years, but we’re still making (and watching) them in basically the same way. Can movies exist beyond the flat screen? Yes, says Diego Prilusky, but we’ll first need to completely rethink how they’re made. With his team at Intel Studios, Prilusky is pioneering volumetric video, a data-intensive medium powered by hundreds of sensors that capture light and motion from every possible direction. The result is like being inside a movie, which you could explore from different perspectives (or even through a character’s own eyes). In a live tech demo, Prilusky takes us inside a reshoot of an iconic dance number from the 1978 hit Grease. As actors twirl and sing “You’re the One That I Want,” he positions and repositions his perspective on the scene — moving, around, in front of and in between the performers. Film buffs can rest easy, though: the aim isn’t to replace traditional movies, he says, but to empower creators to tell stories in new ways, across multiple vantage points.

Quote of the talk: “We’re opening the gates for new possibilities of immersive storytelling.”

TEDThe Big Rethink: Notes from Session 3 of TEDSummit 2019

Marco Tempest and his quadcopters perform a mind-bending display that feels equal parts science and magic at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

In an incredible session, speakers and performers laid out the biggest problems facing the world — from political and economic catastrophe to rising violence and deepfakes — and some new thinking on solutions.

The event: TEDSummit 2019, Session 3: The Big Rethink, hosted by Corey Hajim and Cyndi Stivers

When and where: Tuesday, July 23, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: George Monbiot, Nick Hanauer, Raghuram Rajan, Marco Tempest, Rachel Kleinfeld, Danielle Citron, Patrick Chappatte

Music: KT Tunstall sharing how she found her signature sound and playing her hits “Miniature Disasters,” “Black Horse and the Cherry Tree” and “Suddenly I See.”

The talks in brief:

“We are a society of altruists, but we are governed by psychopaths,” says George Monbiot. He speaks at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

George Monbiot, investigative journalist and self-described “professional troublemaker”

Big idea: To get out of the political mess we’re in, we need a new story that captures the minds of people across fault lines.

Why? “Welcome to neoliberalism, the zombie doctrine that never seems to die,” says George Monbiot. We have been induced by politicians and economists into accepting an ideology of extreme competition and individualism, weakening the social bonds that make our lives worth living. And despite the 2008 financial crisis, which exposed the blatant shortcomings of neoliberalism, it still dominates our lives. Why? We haven’t yet produced a new story to replace it — a new narrative to help us make sense of the present and guide the future. So, Monbiot proposes his own: the “politics of belonging,” founded on the belief that most people are fundamentally altruistic, empathetic and socially minded. If we can tap into our fundamental urge to cooperate — namely, by building generous, inclusive communities around the shared sphere of the commons — we can build a better world. With a new story to light the way, we just might make it there.

Quote of the talk: “We are a society of altruists, but we are governed by psychopaths.”


Nick Hanauer, entrepreneur and venture capitalist.

Big idea: Economics has ceased to be a rational science in the service of the “greater good” of society. It’s time to ditch neoliberal economics and create tools that address inequality and injustice.

How? Today, under the banner of unfettered growth through lower taxes, fewer regulations, and lower wages, economics has become a tool that enforces the growing gap between the rich and poor. Nick Hanauer thinks that we must recognize that our society functions not because it’s a ruthless competition between its economically fittest members but because cooperation between people and institutions produces innovation. Competition shouldn’t be between the powerful at the expense of everyone else but between ideas battling it out in a well-managed marketplace in which everyone can participate.

Quote of the talk: “Successful economies are not jungles, they’re gardens — which is to say that markets, like gardens, must be tended … Unconstrained by social norms or democratic regulation, markets inevitably create more problems than they solve.”


Raghuram Rajan shares his idea for “inclusive localism” — giving communities the tools to turn themselves around while establishing standards tp prevent discrimination and corruption — at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Raghuram Rajan, economist and former Governor of the Reserve Bank of India

Big idea: As markets grow and governments focus on solving economic problems from the top-down, small communities and neighborhoods are losing their voices — and their livelihoods. But if nations lack the tools to address local problems, it’s time to turn to grass-roots communities for solutions.

How? Raghuram Rajan believes that nations must exercise “inclusive localism”: giving communities the tools to turn themselves around while establishing standards tp prevent discrimination and corruption. As local leaders step forward, citizens become active, and communities receive needed resources from philanthropists and through economic incentives, neighborhoods will thrive and rebuild their social fabric.

Quote of the talk: “What we really need [are] bottom-up policies devised by the community itself to repair the links between the local community and the national — as well as thriving international — economies.”


Marco Tempest, cyber illusionist

Big idea: Illusions that set our imaginations soaring are created when magic and science come together.

Why? “Is it possible to create illusions in a world where technology makes anything possible?” asks techno-magician Marco Tempest, as he interacts with his group of small flying machines called quadcopters. The drones dance around him, reacting buoyantly to his gestures and making it easy to anthropomorphize or attribute personality traits. Tempest’s buzzing buddies swerve, hover and pause, moving in formation as he orchestrates them. His mind-bending display will have you asking yourself: Was that science or magic? Maybe it’s both.

Quote to remember: “Magicians are interesting, their illusions accomplish what technology cannot, but what happens when the technology of today seems almost magical?”


Rachel Kleinfeld, democracy advisor and author

Big idea: It’s possible to quell violence — in the wider world and in our own backyards — with democracy and a lot of political TLC.

How? Compassion-concentrated action. We need to dispel the idea that some people deserve violence because of where they live, the communities they’re a part of or their socio-economic background. Kleinfeld calls this particular, inequality-based vein of violence “privilege violence,” explaining how it evolves in stages and the ways we can eradicate it. By deprogramming how we view violence and its origins and victims, we can move forward and build safer, more secure societies.

Quote of the talk: “The most important thing we can do is abandon the notion that some lives are just worth less than others.”


“Not only do we believe fakes, we are starting to doubt the truth,” says Danielle Citron, revealing the threat deepfakes pose to the truth and democracy. She speaks at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Danielle Citron, professor of law and deepfake scholar

Big idea: Deepfakes — machine learning technology used to manipulate or fabricate audio and video content — can cause significant harm to individuals and society. We need a comprehensive legislative and educational approach to the problem.

How? The use of deepfake technology to manipulate video and audio for malicious purposes — whether it’s to stoke violence against minorities or to defame politicians and journalists — is becoming ubiquitous. With tools being made more accessible and their products more realistic, what becomes of that key ingredient for democratic processes: the truth? As Danielle Citron points out, “Not only do we believe fakes, we are starting to doubt the truth.” The fix, she suggests, cannot be merely technological. Legislation worldwide must be tailored to fighting digital impersonations that invade privacy and ruin lives. Educational initiatives are needed to teach the media how to identify fakes, persuade law enforcement that the perpetrators are worth prosecuting and convince the public at large that the future of democracy really is at stake.

Quote of the talk: “Technologists expect that advances in AI will soon make it impossible to distinguish a fake video and a real one. How can truths emerge in a deepfake ridden ‘marketplace of ideas?’ Will we take the path of least resistance and just believe what we want to believe, truth be damned?”


“Freedom of expression is not incompatible with dialogue and listening to each other, but it is incompatible with intolerance,” says editorial cartoonist Patrick Chappatte. He speaks at TEDSummit: A Community Beyond Borders, July 23, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Patrick Chappatte, editorial cartoonist and graphic journalist

Big idea: We need humor like we need the air we breathe. We shouldn’t risk compromising our freedom of speech by censoring ourselves in the name of political correctness.

How? Our social media-saturated world is both a blessing and a curse for political cartoonists like Patrick Chappatte, whose satirical work can go viral while also making them, and the publications they work for, a target. Be it a prison sentence, firing or the outright dissolution of cartoon features in newspapers, editorial cartoonists worldwide are increasingly penalized for their art. Chappatte emphasizes the importance of the art form in political discourse by guiding us through 20 years of editorial cartoons that are equal parts humorous and caustic. In an age where social media platforms often provide places for fury instead of debate, he suggests that traditional media shouldn’t shy away from these online kingdoms, and neither should we. Now is the time to resist preventative self-censorship; if we don’t, we risk waking up in a sanitized world without freedom of expression.

Quote of the talk: “Freedom of expression is not incompatible with dialogue and listening to each other, but it is incompatible with intolerance.”

TEDAnthropo Impact: Notes from Session 2 of TEDSummit 2019

Radio Science Orchestra performs the musical odyssey “Prelude, Landing, Legacy” in celebration of the 50th anniversary of the Apollo 11 moon landing at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Session 2 of TEDSummit 2019 is all about impact: the actions we can take to solve humanity’s toughest challenges. Speakers and performers explore the perils — from melting glaciers to air pollution — along with some potential fixes — like ocean-going seaweed farms and radical proposals for how we can build the future.

The event: TEDSummit 2019, Session 2: Anthropo Impact, hosted by David Biello and Chee Pearlman

When and where: Monday, July 22, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Tshering Tobgay, María Neira, Tim Flannery, Kelly Wanser, Anthony Veneziale, Nicola Jones, Marwa Al-Sabouni, Ma Yansong

Music: Radio Science Orchestra, performing the musical odyssey “Prelude, Landing, Legacy” in celebration of the 50th anniversary of the Apollo 11 moon landing (and the 100th anniversary of the theremin’s invention)

… and something completely different: Improv maestro Anthony Veneziale, delivering a made-up-on-the-spot TED Talk based on a deck of slides he’d never seen and an audience-suggested topic: “the power of potatoes.” The result was … surprisingly profound.

The talks in brief:

Tshering Tobgay, politician, environmentalist and former Prime Minister of Bhutan

Big idea: We must save the Hindu Kush Himalayan glaciers from melting — or else face dire, irreversible consequences for one-fifth of the global population.

Why? The Hindu Kush Himalayan glaciers are the pulse of the planet: their rivers alone supply water to 1.6 billion people, and their melting would massively impact the 240 million people across eight countries within their reach. Think in extremes — more intense rains, flash floods and landslides along with unimaginable destruction and millions of climate refugees. Tshering Togbay telegraphs the future we’re headed towards unless we act fast, calling for a new intergovernmental agency: the Third Pole Council. This council would be tasked with monitoring the glaciers’ health, implementing policies to protect them and, by proxy, the billions of who depend of them.

Fun fact: The Hindu Kush Himalayan glaciers are the world’s third-largest repository of ice (after the North and South poles). They’re known as the “Third Pole” and the “Water Towers of Asia.”


Air pollution isn’t just bad for the environment — it’s also bad for our brains, says María Neira. She speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

María Neira, public health leader

Big idea: Air pollution isn’t just bad for our lungs — it’s bad for our brains, too.

Why? Globally, poor air quality causes seven million premature deaths per year. And all this pollution isn’t just affecting our lungs, says María Neira. An emerging field of research is shedding a light on the link between air pollution and our central nervous systems. The fine particulate matter in air pollution travels through our bloodstreams to our major organs, including the brain — which can slow down neurological development in kids and speed up cognitive decline in adults. In short: air pollution is making us less intelligent. We all have a role to play in curbing air pollution — and we can start by reducing traffic in cities, investing in clean energy and changing the way we consume.

Quote of the talk: “We need to exercise our rights and put pressure on politicians to make sure they will tackle the causes of air pollution. This is the first thing we need to do to protect our health and our beautiful brains.”


Tim Flannery, environmentalist, explorer and professor

Big idea: Seaweed could help us drawdown atmospheric carbon and curb global warming.

How? You know the story: the blanket of CO2 above our heads is driving adverse climate changes and will continue to do so until we get it out of the air (a process known as “drawdown”). Tim Flannery thinks seaweed could help: it grows fast, is made out of productive, photosynthetic tissue and, when sunk more than a kilometer deep into the ocean, can lock up carbon long-term. If we cover nine percent of the ocean surface in seaweed farms, for instance, we could sequester the same amount of CO2 we currently put into the atmosphere. There’s still a lot to figure, Flannery notes —  like how growing seaweed at scale on the ocean surface will affect biodiversity down below — but the drawdown potential is too great to allow uncertainty to stymie progress.

Fun fact: Seaweed is the most ancient multicellular life known, with more genetic diversity than all other multicellular life combined.


Could cloud brightening help curb global warming? Kelly Wanser speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. Photo: Bret Hartman / TED

Kelly Wanser, geoengineering expert and executive director of SilverLining

Big idea: The practice of cloud brightening — seeding clouds with sea salt or other particulates to reflect sunshine back into space — could partially offset global warming, giving us crucial time while we figure out game-changing, long-term solutions.

How: Starting in 2020, new global regulations will require ships to cut emissions by 85 percent. This is a good thing, right? Not entirely, says Kelly Wanser. It turns out that when particulate emissions (like those from ships) mix with clouds, they make the clouds brighter — enabling them to reflect sunshine into space and temporarily cool our climate. (Think of it as the ibuprofen for our fevered climate.) Wanser’s team and others are coming up with experiments to see if “cloud-brightening” proves safe and effective; some scientists believe increasing the atmosphere’s reflectivity by one or two percent could offset the two degrees celsius of warming that’s been forecasted for earth. As with other climate interventions, there’s much yet to learn, but the potential benefits make those efforts worth it. 

An encouraging fact: The global community has rallied to pull off this kind of atmospheric intervention in the past, with the 1989 Montreal Protocol.


Nicola Jones, science journalist

Big idea: Noise in our oceans — from boat motors to seismic surveys — is an acute threat to underwater life. Unless we quiet down, we will irreparably damage marine ecosystems and may even drive some species to extinction.

How? We usually think of noise pollution as a problem in big cities on dry land. But ocean noise may be the culprit behind marine disruptions like whale strandings, fish kills and drops in plankton populations. Fortunately, compared to other climate change solutions, it’s relatively quick and easy to dial down our noise levels and keep our oceans quiet. Better ship propellor design, speed limits near harbors and quieter methods for oil and gas prospecting will all help humans restore peace and quiet to our neighbors in the sea.

Quote of the talk: “Sonar can be as loud as, or nearly as loud as, an underwater volcano. A supertanker can be as loud as the call of a blue whale.”


TED curator Chee Pearlman (left) speaks with architect Marwa Al-Sabouni at TEDSummit: A Community Beyond Borders. July 22, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Marwa Al-Sabouni, architect, interviewed by TED curator Chee Pearlman

Big idea: Architecture can exacerbate the social disruptions that lead to armed conflict.

How? Since the time of the French Mandate, officials in Syria have shrunk the communal spaces that traditionally united citizens of varying backgrounds. This contributed to a sense of alienation and rootlessness — a volatile cocktail that built conditions for unrest and, eventually, war. Marwa Al-Sabouni, a resident of Homs, Syria, saw firsthand how this unraveled social fabric helped reduce the city to rubble during the civil war. Now, she’s taking part in the city’s slow reconstruction — conducted by citizens with little or no government aid. As she explains in her book The Battle for Home, architects have the power (and the responsibility) to connect a city’s residents to a shared urban identity, rather than to opposing sectarian groups.

Quote of the talk: “Syria had a very unfortunate destiny, but it should be a lesson for the rest of the world: to take notice of how our cities are making us very alienated from each other, and from the place we used to call home.”


“Architecture is no longer a function or a machine for living. It also reflects the nature around us. It also reflects our soul and the spirit,” says Ma Yansong. He speaks at TEDSummit: A Community Beyond Borders. July 22, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Ma Yansong, architect and artist

Big Idea: By creating architecture that blends with nature, we can break free from the “matchbox” sameness of many city buildings.

How? Ma Yansong paints a vivid image of what happens when nature collides with architecture — from a pair of curvy skyscrapers that “dance” with each other to buildings that burst out of a village’s mountains like contour lines. Yansong embraces the shapes of nature — which never repeat themselves, he notes — and the randomness of hand-sketched designs, creating a kind of “emotional scenery.” When we think beyond the boxy geometry of modern cities, he says, the results can be breathtaking.

Quote of talk: “Architecture is no longer a function or a machine for living. It also reflects the nature around us. It also reflects our soul and the spirit.”

TED10 years of TED Fellows: Notes from the Fellows Session of TEDSummit 2019

TED Fellows celebrate the 10-year anniversary of the program at TEDSummit: A Community Beyond Borders, July 22, 2019 in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

The event: TEDSummit 2019, Fellows Session, hosted by Shoham Arad and Lily Whitsitt

When and where: Monday, July 22, 2019, 9am BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Carl Joshua Ncube, Suzanne Lee, Sonaar Luthra, Jon Lowenstein, Alicia Eggert, Lauren Sallan, Laura Boykin

Opening: A quick, witty performance from Carl Joshua Ncube, one of Zimbabwe’s best-known comedians, who uses humor to approach culturally taboo topics from his home country.

Music: An opening from visual artist and cellist Paul Rucker of the hauntingly beautiful “Criminalization of Survival,” a piece he created to explore issues related to mass incarceration, racially motivated violence, police brutality and the impact of slavery in the US.

And a dynamic closing from hip-hop artist and filmmaker Blitz Bazawule and his band, who tells stories of the polyphonic African diaspora.

The talks in brief:

Laura Boykin, computational biologist at the University of Western Australia

Big idea: If we’re going to solve the world’s toughest challenges — like food scarcity for millions of people living in extreme poverty — science needs to be more diverse and inclusive. 

How? Collaborating with smallholder farmers in sub-Saharan Africa, Laura Boykin uses genomics and supercomputing to help control whiteflies and viruses, which cause devastation to cassava crops. Cassava is a staple food that feeds more than 500 million people in East Africa and 800 million people globally. Boykin’s work transforms farmers’ lives, taking them from being unable to feed their families to having enough crops to sell and enough income to thrive. 

Quote of the talk: “I never dreamt the best science I would ever do would be sitting on a blanket under a tree in East Africa, using the highest tech genomics gadgets. Our team imagined a world where farmers could detect crop viruses in three hours instead of six months — and then we did it.”


Lauren Sallan, paleobiologist at the University of Pennsylvania

Big idea: Paleontology is about so much more than dinosaurs.

How? The history of life on earth is rich, varied and … entirely too focused on dinosaurs, according to Lauren Sallan. The fossil record shows that earth has a dramatic past, with four mass extinctions occurring before dinosaurs even came along. From fish with fingers to galloping crocodiles and armored squid, the variety of life that has lived on our changing planet can teach us more about how we got here, and what the future holds, if we take the time to look.

Quote of the talk: “We have learned a lot about dinosaurs, but there’s so much left to learn from the other 99.9 percent of things that have ever lived, and that’s paleontology.”


“If we applied the same energy we currently do suppressing forms of life towards cultivating life, we’d turn the negative image of the urban jungle into one that literally embodies a thriving, living ecosystem,” says Suzanne Lee. She speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Suzanne Lee, designer, biofabricator

Big idea: What if we could grow bricks, furniture and even ready-made fabric for clothes?

How? Suzanne Lee is a fashion designer turned biofabrication pioneer who is part of a global community of innovators who are figuring how to grow their own materials. By utilizing living microbial organisms like bacteria and fungi, we can replace plastic, cement and other waste-generating materials with alternatives that can help reduce pollution.

Quote of the talk: If we applied the same energy we currently do suppressing forms of life towards cultivating life, we’d turn the negative image of the urban jungle into one that literally embodies a thriving, living ecosystem.”


Sonaar Luthra, founder and CEO of Water Canary

Big idea: We need to get better at monitoring the world’s water supplies — and we need to do it fast.

How? Building a global weather service for water would help governments, businesses and communities manage 21st-century water risk. Sonaar Luthra’s company Water Canary aims to develop technologies that more efficiently monitor water quality and availability around the world, avoiding the unforecasted shortages that happen now. Businesses and governments must also invest more in water, he says, and the largest polluters and misusers of water must be held accountable.

Quote of the talk: “It is in the public interest to measure and to share everything we can discover and learn about the risks we face in water. Reality doesn’t exist until it’s measured. It doesn’t just take technology to measure it — it takes our collective will.”


Jon Lowenstein shares photos from the migrant journey in Latin America at TEDSummit: A Community Beyond Borders. July 22, 2019, in Edinburgh, Scotland. (Photo: Dian Lofton / TED)

Jon Lowenstein, documentary photographer, filmmaker and visual artist

Big idea: We need to care about the humanity of migrants in order to understand the desperate journeys they’re making across borders.

How? For the past two decades, Jon Lowenstein has captured the experiences of undocumented Latin Americans living in the United States to show the real stories of the men and women who make up the largest transnational migration in world history. Lowenstein specializes in long-term, in-depth documentary explorations that confront power, poverty and violence. 

Quote of the talk: “With these photographs, I place you squarely in the middle of these moments and ask you to think about [the people in them] as if you knew them. This body of work is a historical document — a time capsule — that can teach us not only about migration, but about society and ourselves.”


Alicia Eggert’s art asks us to recognize where we are now as individuals and as a society, and to identify where we want to be in the future. She speaks at TEDSummit: A Community Beyond Borders, July 22, 2019, in Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Alicia Eggert, interdisciplinary artist

Big idea: A brighter, more equitable future depends upon our ability to imagine it.  

How? Alicia Eggert creates art that explores how light travels across space and time, revealing the relationship between reality and possibility. Her work has been installed on rooftops in Philadelphia, bridges in Amsterdam and uninhabited islands in Maine. Like navigational signs, Eggert’s artwork asks us to recognize where we are now as individuals and as a society, to identify where we want to be in the future — and to imagine the routes we can take to get there.

Quote of the talk: “Signs often help to orient us in the world by telling us where we are now and what’s happening in the present moment. But they can also help us zoom out, shift our perspective and get a sense of the bigger picture.”

TEDWeaving Community: Notes from Session 1 of TEDSummit 2019

Hosts Bruno Giussani and Helen Walters open Session 1: Weaving Community on July 21, 2019, Edinburgh, Scotland. (Photo: Bret Hartman / TED)

The stage is set for TEDSummit 2019: A Community Beyond Borders! During the opening session, speakers and performers explored themes of competition, political engagement and longing — and celebrated the TED communities (representing 84 countries) gathered in Edinburgh, Scotland to forge TED’s next chapter.

The event: TEDSummit 2019, Session 1: Weaving Community, hosted by Bruno Giussani and Helen Walters

When and where: Sunday, July 21, 2019, 5pm BST, at the Edinburgh Convention Centre in Edinburgh, Scotland

Speakers: Pico Iyer, Jochen Wegner, Hajer Sharief, Mariana Lin, Carole Cadwalladr, Susan Cain with Min Kym

Opening: A warm Scottish welcome from raconteur Mackenzie Dalrymple

Music: Findlay Napier and Gillian Frame performing selections from The Ledger, a series of Scottish folk songs

The talks in brief:

“Seeming happiness can stand in the way of true joy even more than misery does,” says writer Pico Iyer. (Photo: Ryan Lash / TED)

Pico Iyer, novelist and nonfiction author

Big idea: The opposite of winning isn’t losing; it’s failing to see the larger picture.

Why? As a child in England, Iyer believed the point of competition was to win, to vanquish one’s opponent. Now, some 50 years later and a resident of Japan, he’s realized that competition can be “more like an act of love.” A few times a week, he plays ping-pong at his local health club. Games are played as doubles, and partners are changed every five minutes. As a result, nobody ends up winning — or losing — for long. Iyer has found liberation and wisdom in this approach. Just as in a choir, he says, “Your only job is to play your small part perfectly, to hit your notes with feeling and by so doing help to create a beautiful harmony that’s much greater than the sum of its parts.”

Quote of the talk: “Seeming happiness can stand in the way of true joy even more than misery does.”


Jochen Wegner, journalist and editor of Zeit Online

Big idea: The spectrum of belief is as multifaceted as humanity itself. As social media segments us according to our interests, and as algorithms deliver us increasingly homogenous content that reinforces our beliefs, we become resistant to any ideas — or even facts — that contradict our worldview. The more we sequester ourselves, the more divided we become. How can we learn to bridge our differences?

How? Inspired by research showing that one-on-one conversations are a powerful tool for helping people learn to trust each other, Zeit Online built Germany Talks, a “Tinder for politics” that facilitates “political arguments” and face-to-face meetings between users in an attempt to bridge their points-of-view on issues ranging from immigration to same-sex marriage. With Germany Talks (and now My Country Talks and Europe Talks) Zeit has facilitated conversations between thousands of Europeans from 33 countries.

Quote of the talk: “What matters here is not the numbers, obviously. What matters here is whenever two people meet to talk in person for hours, without anyone else listening, they change — and so do our societies. They change, little by little, discussion by discussion.”


“The systems we have nowadays for political decision-making are not from the people for the people — they have been established by the few, for the few,” says activist Hajer Sharief. She speaks at TEDSummit: A Community Beyond Borders, July 21, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Hajer Sharief, activist and cofounder of the Together We Build It Foundation

Big Idea: People of all genders, ages, races, beliefs and socioeconomic statuses should participate in politics.

Why? Hajer Sharief’s native Libya is recovering from 40 years of authoritarian rule and civil war. She sheds light on the way politics are involved in every aspect of life: “By not participating in it, you are literally allowing other people to decide what you can eat, wear, if you can have access to healthcare, free education, how much tax you pay, when can you retire, what is your pension,” she says. “Other people are also deciding whether your race is enough to consider you a criminal, or if your religion or nationality are enough to put you on a terrorist list.” When Sharief was growing up, her family held weekly meetings to discuss family issues, abiding by certain rules to ensured everyone was respectful and felt free to voice their thoughts. She recounts a meeting that went badly for her 10-year-old self, resulting in her boycotting them altogether for many years — until an issue came about which forced her to participate again. Rejoining the meetings was a political assertion, and it helped her realize an important lesson: you are never too young to use your voice — but you need to be present for it to work.

Quote of talk: “Politics is not only activism — it’s awareness, it’s keeping ourselves informed, it’s caring for facts. When it’s possible, it is casting a vote. Politics is the tool through which we structure ourselves as groups and societies.”


Mariana Lin, AI character designer and principal writer for Siri

Big idea: Let’s inject AI personalities with the essence of life: creativity, weirdness, curiosity, fun.

Why? Tech companies are going in two different directions when it comes to creating AI personas: they’re either building systems that are safe, flat, stripped of quirks and humor — or, worse, they’re building ones that are fully customizable, programmed to say just what you want to hear, just how you like to hear it. While this might sound nice at first, we’re losing part of what makes us human in the process: the friction and discomfort of relating with others, the hard work of building trusting relationships. Mariana Lin calls for tech companies to try harder to truly bring AI to life — in all its messy, complicated, uncomfortable glory. For starters, she says, companies can hire a diverse range of writers, creatives, artists and social thinkers to work on AI teams. If the people creating these personalities are as diverse as the people using it — from poets and philosophers to bankers and beekeepers — then the future of AI looks bright.

Quote of the talk: “If we do away with the discomfort of relating with others not exactly like us, with views not exactly like ours — we do away with what makes us human.”


In 2018, Carole Cadwalladr exposed Cambridge Analytica’s attempt to influence the UK Brexit vote and the 2016 US presidential election via personal data on Facebook. She’s still working to sound the alarm. She speaks at TEDSummit: A Community Beyond Borders, July 21, 2019, in Edinburgh, Scotland. (Photo: Bret Hartman / TED)

Carole Cadwalladr, investigative journalist, interviewed by TED curator Bruno Giussani

Big idea: Companies that collect and hoard our information, like Facebook, have become unthinkably powerful global players — perhaps more powerful than governments. It’s time for the public hold them accountable.

How? Tech companies with offices in different countries must obey the laws of those nations. It’s up to leaders to make sure those laws are enforced — and it’s up to citizens to pressure lawmakers to further tighten protections. Despite legal and personal threats from her adversaries, Carole Cadwalladr continues to explore the ways in which corporations and politicians manipulate data to consolidate their power.

Quote to remember: “In Britain, Brexit is this thing which is reported on as this British phenomenon, that’s all about what’s happening in Westminster. The fact that actually we are part of something which is happening globally — this rise of populism and authoritarianism — that’s just completely overlooked. These transatlantic links between what is going on in Trump’s America are very, very closely linked to what is going on in Britain.”


Susan Cain meditates on how the feeling of longing can guide us to a deeper understanding of ourselves, accompanied by Min Kym on violin, at TEDSummit: A Community Beyond Borders. July 21, 2019, Edinburgh, Scotland. (Photo: Ryan Lash / TED)

Susan Cain, quiet revolutionary, with violinist Min Kym

Big idea: Life is steeped in sublime magic that you can tap into, opening a whole world filled with passion and delight.

How? By forgoing constant positivity for a state of mind more exquisite and fleeting — a place where light (joy) and darkness (sorrow) meet, known to us all as longing. Susan Cain weaves her journey in search for the sublime with the splendid sounds of Min Kym on violin, sharing how the feeling of yearning connects us to each other and helps us to better understand what moves us deep down.

Quote of the talk: “Follow your longing where it’s telling you to go, and may it carry you straight to the beating heart of the perfect and beautiful world.”

,

Sociological ImagesHappy Birthday, SocImages!

This month, Sociological Images turns twelve! It has been a busy year with some big changes backstage, so today I’m rounding up a dozen of our top posts as we look forward to a new academic year.

The biggest news is that the blog has a new home. It still lives on my computer (and The Society Pages’ network), but that home has moved east as I start as an assistant professor at UMass Boston Sociology. It’s a great department with wonderful colleagues who share a commitment to publicly-oriented scholarship, and I am excited to see what we can build in Boston! 

This year, readers loved the recent discovery that many of the players on the US Women’s National Team were sociology majors and a look at the the sociology of streetwear. We covered high-class hoaxes in the wake of the Fyre Festival documentaries, looked at who gets to win board games on TV, and followed the spooky side of science for the 200th anniversary of FrankensteinGender reveal parties were literally booming, unfortunately.

We also had a bunch of stellar guest posts this year, tackling all kinds of big questions like why people freaked out about fast food at the White House, why Green Book was a weird Oscar win, why people sometimes collect racist memorabilia, and why we often avoid reading the news. My personal favorites included a research roundup on women’s expertise and a look at the boom in bisexual identification in the United States. Please keep sending in guest posts! I want to feature your work. Guidelines are here, and you can always reach out via email or Twitter DM.

Finally, big thanks to all of you who read the blog actively, pass along posts to friends and family, and bring it into your classes. We keep this blog running on a zero-dollar budget, Creative Commons licensing, and a heavy dose of the sociological imagination that comes with your support. Happy reading!

Evan Stewart is an assistant professor of sociology at University of Massachusetts Boston. You can follow him on Twitter.

(View original at https://thesocietypages.org/socimages)

,

TEDA new mission to mobilize 2 million women in US politics … and more TED news

TED2019 may be past, but the TED community is busy as ever. Below, a few highlights.

Amplifying 2 million women across the U.S. Activist Ai-jen Poo, Black Lives Matter co-founder Alicia Garza and Planned Parenthood past president Cecile Richards have joined forces to launch Supermajority, which aims to train 2 million women in the United States to become activists and political leaders. To scale, the political hub plans to partner with local nonprofits across the country; as a first step, the co-founders will embark on a nationwide listening tour this summer. (Watch Poo’s, Garza’s and Richards’ TED Talks.)

Sneaker reseller set to break billion-dollar record. Sneakerheads, rejoice! StockX, the sneaker-reselling digital marketplace led by data expert Josh Luber, will soon become the first company of its kind with a billion-dollar valuation, thanks to a new round of venture funding.  StockX — a platform where collectible and limited-edition sneakers are bought and exchanged through real-time bidding — is an evolution of Campless, Luber’s site that collected data on rare sneakers. In an interview with The New York Times, Luber said that StockX pulls in around $2 million in gross sales every day. (Watch Luber’s TED Talk.)

A move to protect iconic African-American photo archives. Investment expert Mellody Hobson and her husband, filmmaker George Lucas, filed a motion to acquire the rich photo archives of iconic African-American lifestyle magazines Ebony and Jet. The archives are owned by the recently bankrupt Johnson Publishing Company; Hobson and Lucas intend to gain control over them through their company, Capital Holdings V. The collections include over 5 million photos of notable events and people in African American history, particularly during the Civil Rights Movement. In a statement, Capital Holdings V said: “The Johnson Publishing archives are an essential part of American history and have been critical in telling the extraordinary stories of African-American culture for decades. We want to be sure the archives are protected for generations to come.” (Watch Hobson’s TED Talk.)

10 TED speakers chosen for the TIME100. TIME’s annual round-up of the 100 most influential people in the world include climate activist Greta Thunberg, primatologist and environmentalist Jane Goodall, astrophysicist Sheperd Doeleman and educational entrepreneur Fred Swaniker — also Nancy Pelosi, the Pope, Leana Wen, Michelle Obama, Gayle King (who interviewed Serena Williams and now co-hosts CBS This Morning home to TED segment), and Jeanne Gang. Thunberg was honored for her work igniting climate change activism among teenagers across the world; Goodall for her extraordinary life work of research into the natural world and her steadfast environmentalism; Doeleman for his contribution to the Harvard team of astronomers who took the first photo of a black hole; and Swaniker for the work he’s done to educate and cultivate the next generation of African leaders. Bonus: TIME100 luminaries are introduced in short, sharp essays, and this year many of them came from TEDsters including JR, Shonda Rhimes, Bill Gates, Jennifer Doudna, Dolores Huerta, Hans Ulrich Obrest, Tarana Burke, Kai-Fu Lee, Ian Bremmer, Stacey Abrams, Madeleine Albright, Anna Deavere Smith and Margarethe Vestager. (Watch Thunberg’s, Goodall’s, Doeleman’s, Pelosi’s, Pope Francis’, Wen’s, Obama’s, King’s, Gang’s and Swaniker’s TED Talks.)

Meet Sports Illustrated’s first hijab-wearing model. Model and activist Halima Aden will be the first hijab-wearing model featured in Sports Illustrated’s annual swimsuit issue, debuting May 8. Aden will wear two custom burkinis, modestly designed swimsuits. “Being in Sports Illustrated is so much bigger than me,” Aden said in a statement, “It’s sending a message to my community and the world that women of all different backgrounds, looks, upbringings can stand together and be celebrated.” (Watch Aden’s TED Talk.)

Scotland post-surgical deaths drop by a third, and checklists are to thank. A study indicated a 37 percent decrease in post-surgical deaths in Scotland since 2008, which it attributed to the implementation of a safety checklist. The 19-item list created by the World Health Organization is supposed to encourage teamwork and communication during operations. The death rate fell to 0.46 per 100 procedures between 2000 and 2014, analysis of 6.8 million operations showed. Dr. Atul Gawande, who introduced the checklist and co-authored the study, published in the British Journal of Surgery, said to the BBC: “Scotland’s health system is to be congratulated for a multi-year effort that has produced some of the largest population-wide reductions in surgical deaths ever documented.” (Watch Gawanda’s TED Talk.) — BG

And finally … After the actor Luke Perry died unexpectedly of a stroke in February, he was buried according to his wishes: on his Tennessee family farm, wearing a suit embedded with spores that will help his body decompose naturally and return to the earth. His Infinity Burial Suit was made by Coeio, led by designer, artist and TED Fellow Jae Rhim Lee. Back in 2011, Lee demo’ed the mushroom burial suit onstage at TEDGlobal; now she’s focused on testing and creating suits for more people. On April 13, Lee spoke at Perry’s memorial service, held at Warner Bros. Studios in Burbank; Perry’s daughter revealed his story in a thoughtful instagram post this past weekend. (Watch Lee’s TED Talk.) — EM

,

TEDGetting ready for TEDSummit 2019: Photo gallery

TEDSummit banners are hung at the entrance of the Edinburgh Convention Centre, our home for the week. (Photo: Bret Hartman / TED)

TEDSummit 2019 officially kicks off today! Members of the TED community from 84 countries — TEDx’ers, TED Translators, TED Fellows, TED-Ed Educators, past speakers and more — have gathered in Edinburgh, Scotland to dream up what’s next for TED. Over the next week, the community will share adventures around the city, more than 100 Discovery Sessions and, of course, seven sessions of TED Talks.

Below, check out some photo highlights from the lead-up to TEDSummit and pre-conference activities. (And view our full photostream here.)

It takes a small (and mighty) army to get the theater ready for TED Talks.

(Photo: Bret Hartman / TED)

(Photo: Ryan Lash / TED)

(Photo: Bret Hartman / TED)

TED Translators get the week started with a trip to Edinburgh Castle, complete with high tea in the Queen Anne Tea Room, and a welcome reception.

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

A bit of Scottish rain couldn’t stop the TED Fellows from enjoying a hike up Arthur’s Seat. Weather wasn’t a problem at a welcome dinner.

(Photo: Ryan Lash / TED)

(Photo: Ryan Lash / TED)

(Photo: Ryan Lash / TED)

TEDx’ers kick off the week with workshops, panel discussions and a welcome reception.

(Photo: Dian Lofton / TED)

(Photo: Dian Lofton / TED)

(Photo: Ryan Lash / TED)

It’s all sun and blue skies for the speaker community’s trip to Edinburgh Castle and reception at the Playfair Library.

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

(Photo: Bret Hartman / TED)

Cheers to an amazing week ahead!

(Photo: Ryan Lash / TED)

TEDA first glimpse at the TEDSummit 2019 speaker lineup

At TEDSummit 2019, more than 1,000 members of the TED community will gather for five days of performances, workshops, brainstorming, outdoor activities, future-focused discussions and, of course, an eclectic program of TED Talks — curated by TED Global curator Bruno Giussani, pictured above. (Photo: Marla Aufmuth / TED)

With TEDSummit 2019 just two months away, it’s time to unveil the first group of speakers that will take to the stage in Edinburgh, Scotland, from July 21-25.

Three years ago, more than 1,000 members of the TED global community convened in Banff, Canada, for the first-ever TEDSummit. We talked about the fracturing state of the world, the impact of technology and the accelerating urgency of climate change. And we drew wisdom and inspiration from the speakers — and from each other.

These themes are equally pressing today, and we’ll bring them to the stage in novel, more developed ways in Edinburgh. We’ll also address a wide range of additional topics that demand attention — looking not only for analysis but also antidotes and solutions. To catalyze this process, half of the TEDSummit conference program will take place outside the theatre, as experts host an array of Discovery Sessions in the form of hands-on workshops, activities, debates and conversations.

Check out a glimpse of the lineup of speakers who will share their future-focused ideas below. Some are past TED speakers returning to give new talks; others will step onto the red circle for the first time. All will help us understand the world we currently live in.

Here we go! (More will be added in the coming weeks):

Anna Piperal, digital country expert

Bob Langert, corporate changemaker

Carl Honoré, author

Carole Cadwalladr, investigative journalist

Diego Prilusky, immersive media technologist

Eli Pariser, organizer and author

Fay Bound Alberti, historian

George Monbiot, thinker and author

Hajer Sharief, youth inclusion activist

Howard Taylor, children safety advocate

Jochen Wegner, editor and dialogue creator

Kelly Wanser, geoengineering expert

Ma Yansong, architect

Marco Tempest, technology magician

Margaret Heffernan, business thinker

María Neira, global public health official

Mariana Lin, AI personalities writer

Mariana Mazzucato, economist

Marwa Al-Sabouni, architect

Nick Hanauer, capitalism redesigner

Nicola Jones, science writer

Nicola Sturgeon, First Minister of Scotland

Omid Djalili, comedian

Patrick Chappatte, editorial cartoonist

Pico Iyer, global author

Poet Ali, Philosopher, poet

Rachel Kleinfeld, violence scholar

Raghuram Rajan, former central banker

Rose Mutiso, energy for Africa activist

Sandeep Jauhar, cardiologist

Sara-Jane Dunn, computational biologist

Sheperd Doeleman, black hole scientist

Sonia Livingstone, social psychologist

Susan Cain, quiet revolutionary

Tim Flannery, carbon-negative tech scholar

Tshering Tobgay, former Prime Minister of Bhutan

 

With them, a number of artists will also join us at TEDSummit, including:

Djazia Satour, singer

ELEW, pianist and DJ

KT Tunstall, singer and songwriter

Min Kym, virtuoso violinist

Radio Science Orchestra, space-music orchestra

Yilian Cañizares, singer and songwriter

 

Registration for TEDSummit is open for active members of our various communities: TED conference members, Fellows, past TED speakers, TEDx organizers, Educators, Partners, Translators and more. If you’re part of one of these communities and would like to attend, please visit the TEDSummit website.

TED7 things you can do in Edinburgh and nowhere else

Edinburgh, Scotland will host TEDSummit this summer, from July 21-25. The city was selected because of its special blend of history, culture and beauty, and for its significance to the TED community (TEDGlobal 2011, 2012 and 2013 were all held there). We asked longtime TEDster Ellen Maloney to share some of her favorite activities that showcase Edinburgh’s unique flavor.

 

From the Castle that dominates the skyline to Arthur’s Seat, an extinct volcano with hiking trails offering panoramic views of the city. Having lived here for most of my adult life, I am still discovering captivating and quirky places to explore. You probably won’t find the sites listed below on the typical “top things to do in Edinburgh” rundowns, but I recommend them to people coming for the upcoming TEDSummit 2019 who love the idea of experiencing this lovely city through a different lens.

St. Cecilia’s Hall and Music Museum

Originally built in 1762 by the University of Edinburgh’s Music Society, this was Scotland’s first venue intentionally built to be a concert hall. Its Music Museum has an impressive collection of musical instruments from around the globe, and it’s claimed to be the only place in the world where you can listen to 18th-century instruments played in an 18th-century setting — some of its ancient harpsichords are indeed playable. Learn how keyboards were once status symbols, and how technology has changed the devices that humans use to make sounds. The museum is open to the public, and the hall regularly hosts concerts and other events.

Innocent Railway Tunnel

This 19th-century former railway tunnel runs beneath the city for 1,696 feet (about 520 meters). One of the first railway tunnels in the United Kingdom and part of the first public railway tunnel in Scotland, it was in use from 1831 until 1968. Today it’s open to walkers and cyclists and connects to a lovely outdoor cycleway. The origin of its name is a mystery, but one theory is that it alludes to the fact that no fatal accidents occurred during its construction. Visitors, however, will find that walking through the tunnel doesn’t feel quite so benign — it’s cold and the wind whistles through.

The Library of Mistakes

This free library dedicated to one subject and one subject only: the human behavior and historical patterns that led to world-shaking financial mistakes. It contains research materials, photos and relics that tell the stories of the bad decisions that shaped our world. Yes, you can read about well-known wrongdoers such Charles Ponzi, but there are plenty of lesser-known schemes and people to discover. For instance, you can learn about the story behind the line “bought and sold for English gold” from the poem by Scotsman Robert Burns. While the library is free and open to the public, viewing is strictly by appointment so you’ll need to book ahead.

Blair Street Vaults

Just off the Royal Mile is Blair Street, which leads to an underground world of 19 cavernous vaults. These lie beneath the bridge that was built in 1788 to connect the Southside of the city with the university area. The archways were once home to a bustling marketplace of cobblers, milliners and other vendors. But it was taken over by less salubrious forces. Its darkness made it an attractive place for anyone who didn’t want to be seen, including thieves and 19th-century murderers William Burke and William Hare, who hid corpses there — there was a convenient opening that led directly to the medical school where they sold the bodies for dissection. Sometime in the 19th century, the vaults were declared too dangerous for use and the entryway was bricked up. Today they can be visited by tour. A warning that paranormal activity has been reported there.  

Sanctuary Stones and Holyrood Abbey

At the foot of the Royal Mile lies Abbey Strand, which leads down to the gates of Holyrood Palace (the Queen’s primary royal residence in Scotland). Look carefully on the road at Abbey Strand, and you will see three stones marked with a golden “S” on them. These stones mark part of what used to be a five-mile radius known as Abbey Sanctuary, where criminals could seek refuge from civil law under the auspices of Holyrood Abbey. In the 16th century, when land came under royal control, sanctuary was reserved for financial debtors. In 1880, a change in law meant debtors could no longer be jailed, so the sanctuary was no longer needed. As you walk the Royal Mile, be sure to appreciate these remnants of Scotland’s history. The Abbey, now a scenic ruin, can be accessed through Holyrood Palace.

White Stuff fitting rooms

This may look like an ordinary store — and yes, you can purchase clothes, home goods and gifts here —  until you head upstairs to the 10 fitting rooms. Open the door to your cubicle and instead of the usual unflattering mirror and bad lighting, you’ll find individually themed rooms. From a 1940s kitchen pantry stocked with cans of gravy and marrowfat peas to a room filled with cuddly toys, these are fitting rooms that you’ll actually want to spend time in (there is room for you to try on clothes). Most of the rooms were designed by AMD Interior Architects, but a few were winning designs from a school competition. The crafty should take a break in the “meet and make” area where they can enjoy arts and crafts while sipping tea from vintage teacups.

Jupiter Artland

Just 10 miles outside of Edinburgh, Jupiter Artland is a sculpture park set among hundreds of acres of gardens and woodlands. It’s located on the grounds of Bonnington House, a 17th-century Jacobean Manor house. While visitors are provided with a map of different artworks, there is no set route to follow. Turn left, turn right, go backwards, go forwards. Look out for the peacocks and geese. Be amazed, be delighted, be stunned. A visit to Jupiter Artland is a mini-adventure in itself.

TEDSummit is a celebration of the different communities and people that make up TED and help spread its world-changing ideas. Learn more about TEDSummit 2019. And to find even more to do in Edinburgh and Scotland, visit Scotland.org.