Update, 22:30: We've been done for about 30 minutes and haven't seen any issues, so please go ahead and let us know if you notice any problems!
It's day eight, and on this day of the Newbie Artist Training Grounds, the assignment is: "Draw a pony cooling off/Draw a pony chilling", making this definitely a summer theme. I expect that there's going to be a back to school prompt next. The submitter for this one is here, with the pictures ending up in this gallery here. The official deadline is midnight MDT (3 am EDT).
Here's a partial list of changes that will go live with this push:
- Rename swaps will accept rename tokens purchased on either account.
- OpenID community maintainers will be able to edit tags on community entries.
- Adorable new mood theme called "angelikitten's Big Eyes".
- Username tag support for lj.rossia.org.
- Embedded content support for screen.yahoo.com and zippcast.com.
- Additional space on the user profile page to list your Github username.
And as usual, many tweaks, small bugfixes, and the occasional page source rewrite.
We'll update again to let you know when the code push is in progress!
It's day seven, and on this day of the Newbie Artist Training Grounds, the assignment is: "Draw a pony at the beach/Draw a pony catching rays". The submitter for this one is here, with the pictures ending up in this gallery here. The official deadline is midnight MDT (3 am EDT).
James Mickens, for your amusement. A somewhat random sample:
My point is that security people need to get their priorities straight. The "threat model" section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler (see Figure 1). Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they're going to use a drone to replace your cellphone with a piece of uranium that's shaped like a cellphone, and when you die of tumors filled with tumors, they're going to hold a press conference and say "It wasn't us" as they wear t-shirts that say "IT WAS DEFINITELY US," and then they're going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN'T REAL. When it rains, it pours.
The German newspaper Zeit is reporting the BfV, Germany's national intelligence agency, (probably) illegally traded data about Germans to the NSA in exchange for access to XKeyscore. From Ars Technica:
Unlike Germany's foreign intelligence service, the Bundesnachrichtendienst (BND), the domestic-oriented BfV does not employ bulk surveillance of the kind also deployed on a vast scale by the NSA and GCHQ. Instead, it is only allowed to monitor individual suspects in Germany and, even to do that, must obtain the approval of a special parliamentary commission. Because of this targeted approach, BfV surveillance is mainly intended to gather the content of specific conversations, whether in the form of e-mails, telephone exchanges, or even faxes, if anyone still uses them. Inevitably, though, metadata is also gathered, but as Die Zeit explains, "whether the collection of this [meta]data is consistent with the restrictions outlined in Germany's surveillance laws is a question that divides legal experts."
The BfV had no problems convincing itself that it was consistent with Germany's laws to collect metadata, but rarely bothered since -- remarkably -- all analysis was done by hand before 2013, even though metadata by its very nature lends itself to large-scale automated processing. This explains the eagerness of the BfV to obtain the NSA's XKeyscore software after German agents had seen its powerful metadata analysis capabilities in demonstrations.
It may also explain the massive expansion of the BfV that the leaked document published by Netzpolitik had revealed earlier this year. As Die Zeit notes, the classified budget plans "included the information that the BfV intended to create 75 new positions for the 'mass data analysis of Internet content.' Seventy-five new positions is a significant amount for any government agency."
Note that the documents this story is based on seem to have not been provided by Snowden.
Authorities in the United Kingdom this week arrested a half-dozen young males accused of using the Lizard Squad’s Lizard Stresser tool, an online service that allowed paying customers to launch attacks capable of taking Web sites offline for up to eight hours at a time.
The Lizard Stresser came to prominence not long after Christmas Day 2014, when a group of young n’er-do-wells calling itself the Lizard Squad used the tool to knock offline the Sony Playstation and Microsoft Xbox gaming networks. As first reported by KrebsOnSecurity on Jan. 9, the Lizard Stresser drew on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords. The LizardStresser service was hacked just days after that Jan. 9 story, and disappeared shortly after that.
“Those arrested are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous,” reads a statement from the U.K.’s National Crime Agency (NCA). “Organisations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies and a number of online retailers.”
The NCA says investigators are also in the process of visiting 50 addresses linked to individuals registered on the Lizard Stresser Website but who haven’t yet carried out any apparent attacks. The agency notes that one-third of those individuals are below the age of 20, and that its knock-and-talk efforts are part of its wider work to address younger people at risk of entering into serious forms of cybercrime.
According to research published this month, the Lizard Stresser had more than 176 paying subscribers who launched more than 15,000 attacks against 3,907 targets in the two months the service was in operation.
For more information about how to beef up the security of your Internet router, check out the “Harden Your Hardware” subsection in the post Tools for a Safer PC.
Heather asked her bakery if they could add a unicorn to her cookie cake.
They said - and this is a direct quote - "Yes."
So just so we're clear: the professional baking people said yes, they could add a unicorn to Heather's cookie cake.
"Little did the princesses know that directly above their heads..."
"... lurked the tragically misunderstood tentacle volcano optometrist."
I hear it ain't easy.
"Hey Sal, this drunk melting blue cat just isn't weird enough, you know? Anything else we can add?"
AHA! Pirate chest hat!
Occasions That Call For Sh*t Balloons:
- Your First Hemorrhoid
- Anniversary of Your First Hemorrhoid
- Someone Else Asked About Your Hemorrhoid
- The Hemorrhoid Cream Worked!
- Your Boss's Birthday
Thanks to Heather C., Marie S., Chris H., Joy J., & Michele A. for the crappy occasions.
And from my other blog, Epbot:
Lots more in his DeviantArt Gallery, but sadly James doesn't sell his art online. Those two are going on the give-away board, though, so at least you can win them here!
In addition to my one wildcard winner, I'll ALSO be choosing 2 winners for these original pieces of art:
So if you like either (or both!) of these, let me know in your comment so I can enter you in the extra drawings.
Winners will be randomly selected in a few days, and internationals are always welcome. Happy commenting!
I've long had a special interest in computer science education. I recently worked as a full time lecturer for two years, and I have been designing and delivering outreach initiatives for more than seven. So when it came time to request interviews with this year's HLF Laureates, John Hopcroft, who created one of the world's first computer science courses, caught my attention.
I began our conversation by introducing my interests in education, and right away Hopcroft pointed out that there is so much talent distributed around the world, but that educational opportunities are not so widely available. This has been the case in China, for example, where Hopcroft has been working; he says their educational system needs help, and they know it. Of course, improving education everywhere is important. Hopcroft points out that as we move more and more into an intellectual economy, we need to better prepare our workforce.
For me, this means ensuring that we educate everyone with at least the basics of computing. Right now, the field of computer science is not very diverse. For example, in the United States, according to the National Centre for Women & Information Technology, only 18% of computer and information science bachelor degrees went to women in 2013, and women made up only 26% of the computing workforce. Hopcroft suggests that one factor in a rather complicated issue is that women seem to want to help people, while men are satisfied by learning more abstract things. This idea validates my own theory that many men are often happy to primarily learn about the tools of computing (code, hardware, etc) for the sake of it, while women tend to want to know what you can do with these tools.
So what was the diversity like in Hopcroft's very first computer science class? Understandably, he wasn't really aware of diversity at the time. After all, there was enough to worry about, like figuring out how to teach one of the world's first courses on computer science despite having a background in electrical engineering. Ed McCluskey asked Hopcroft to teach the course, and in doing so, Hopcroft found himself becoming one of the world's first computer scientists. This led him to be at the top of the list whenever anyone needed a computer scientist for, say, an important committee, thus giving him opportunities that for most disciplines wouldn't be possible until close to retirement. Hopcroft admitted he feels lucky for the way things worked out, and credits Ed for making it possible.
After learning that Hopcroft's first courses covered automata theory, I wanted to know what he thought the best computer science teachers do more generally. He told me he went into teaching because of the impact his many world-class teachers had on him at every stage of his education – he wanted to do the same. To be a great educator, he told me, it is not about the content, which anyone can specify. The single most important thing is to make sure your students know you care.
I was curious what Hopcroft thought of recently proposed active learning techniques like peer instruction and flipped classrooms. He said he didn't have any experience with them, so couldn't really comment. However, he did reveal that he still uses the blackboard during lectures – that way, he can change his lecture on the fly according to student needs. I pointed out that this could be considered a form of active learning, as there would be a feedback loop in the classroom. He did point out that techniques like the flipped classroom have some hidden concerns. For example, one must consider the credit hours a course is worth. If you are shifting what was done during lecture into videos or reading ahead of time, are you adding more pressure to the students' time?
I quite enjoyed my conversation with Hopcroft, and will leave you with some advice that he gives his students. Don't focus on what your advisors have done in their careers; their work was done in an era where the focus was on making computer systems useful. Look instead to the future, when we will be focussing on doing useful things with computers.
It's day 6, and on this day of the Newbie Artist Training Grounds, the assignment is: "Draw a pony playing games/Draw a pony champion". The submitter for this one is here, with the pictures ending up in this gallery here. The official deadline is midnight MDT (3 am EDT).
The FBI today warned about a significant spike in victims and dollar losses stemming from an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of $179 million in so-called business e-mail compromise (BEC) scams, also known as “CEO fraud.” The latest figures show a marked 270 percent increase in identified victims and exposed losses. Taking into account international victims, the losses from BEC scams total more than $1.2 billion, the FBI said.
“The scam has been reported in all 50 states and in 79 countries,” the FBI’s alert notes. “Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”
CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the numeral 1 for the letter “L”) or “example.co,” and send messages from that domain.
Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.
They do this by scraping employee email addresses and other information from the target’s Web site to help make the missives more convincing. In the case where executives or employees have their inboxes compromised by the thieves, the crooks will scour the victim’s email correspondence for certain words that might reveal whether the company routinely deals with wire transfers — searching for messages with key words like “invoice,” “deposit” and “president.”
On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.
In these cases, the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is the spoofed domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.
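The two tricks described above, a registered look-alike domain and a forged From address paired with a Reply-To at the impostor domain, are both visible in message headers, so they can be flagged before a wire request ever reaches a finance employee. The following detector is an added example written for this article, not code from KrebsOnSecurity or the FBI. It assumes the organisation's own domain is the article's "example.com", and the sample messages it parses are constructed inline; the homoglyph table is a small illustrative list, not an exhaustive one.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation domain, taken from the article's own example.
ORG_DOMAIN = "example.com"

# Constructed, illustrative list of character swaps used in look-alike
# registrations (the article's "examp1e.com" is the 1-for-l case).
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w", "5": "s", "3": "e"}


def normalize(domain: str) -> str:
    """Undo common homoglyph substitutions so examp1e.com compares as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches 'one or two letters off' variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True if `domain` imitates `org` without being identical to it."""
    domain = domain.lower()
    if not domain or domain == org:
        return False
    if normalize(domain) == org:              # examp1e.com
        return True
    if domain.split(".")[0] == org.split(".")[0]:  # example.co (TLD swap)
        return True
    return edit_distance(domain, org) <= 2    # exampel.com, examle.com, ...


def sender_domain(header_value: str) -> str:
    """Extract the domain part of an address header like 'CEO <ceo@example.com>'."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def analyze(raw_message: str) -> list:
    """Return a list of finding strings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = sender_domain(str(msg.get("From", "")))
    reply_hdr = msg.get("Reply-To")
    reply_dom = sender_domain(str(reply_hdr)) if reply_hdr else ""

    if is_lookalike(from_dom):
        findings.append(f"from-lookalike:{from_dom}")
    # Forged From at the real domain, replies steered elsewhere: the pattern in the article.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
        if is_lookalike(reply_dom):
            findings.append(f"reply-to-lookalike:{reply_dom}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = "From: CEO <ceo@example.com>\nSubject: Q3 numbers\n\nSee attached.\n"
SPOOFED_REPLY_TO = (
    "From: CEO <ceo@example.com>\nReply-To: ceo@examp1e.com\n"
    "Subject: Urgent wire\n\nPlease process the attached invoice today.\n"
)
LOOKALIKE_FROM = "From: CEO <ceo@example.co>\nSubject: deposit\n\nCall me.\n"

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED_REPLY_TO), ("lookalike", LOOKALIKE_FROM)]:
        print(name, analyze(raw) or "clean")
```

In a mail gateway this check belongs alongside SPF/DKIM/DMARC enforcement rather than instead of it: a look-alike domain the attacker controls can pass all three, which is exactly why the article's advice to verify large transfers over a second channel still applies.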
The FBI’s numbers would seem to indicate that the average loss per victim is around $100,000. That may be so, but some of the BEC swindles I’ve written about thus far have involved much higher amounts. Earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a BEC scam.
In February, con artists made off with $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.
In March 2015, I posted the story Spoofing the Boss Turns Thieves a Tidy Profit, which recounted the nightmarish experience of an Ohio manufacturing firm that came within a whisker of losing $315,000 after an employee received an email she thought was from her boss asking her to wire the money to China to pay for some raw materials.
The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.
Consumers are not immune from these types of scams. According to a related advisory posted by the FBI today, in the three months between April 1, 2015 and June 30, 2015, the agency received 21 complaints from consumers who suffered losses of nearly $700,000 after having their inboxes hijacked or spoofed by thieves. The FBI said it identified approximately $14 million in attempted losses associated with open FBI investigations into such crimes against consumers.
There is nothing worse than being lost in a kitchen. Also, this way you can be like, “Yeah, help yourself to anything, feel free to cook!”
This is also useful if your significant other doesn’t approve/refuses to learn your unorthodox yet totally valid kitchen organizational plan (ahem, David.)
CitizenLab is reporting on Iranian hacking attempts against activists, which include a real-time man-in-the-middle attack against Google's two-factor authentication.
This report describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and "real time" login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.
The attacks point to extensive knowledge of the targets' activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.
The report quotes my previous writing on the vulnerabilities of two-factor authentication:
As researchers have observed for at least a decade, a range of attacks are available against 2FA. Bruce Schneier anticipated in 2005, for example, that attackers would develop real time attacks using both man-in-the-middle attacks, and attacks against devices. The "real time" phishing against 2FA that Schneier anticipated was reported at least 9 years ago.
Today, researchers regularly point out the rise of "real-time" 2FA phishing, much of it in the context of online fraud. A 2013 academic article provides a systematic overview of several of these vectors. These attacks can take the form of theft of 2FA credentials from devices (e.g. "Man in the Browser" attacks), or by using 2FA login pages. Some of the malware-based campaigns that target 2FA have been tracked for several years, are highly involved, and involve convincing targets to install separate Android apps to capture one-time passwords. Another category of these attacks works by exploiting phone number changes, SIM card registrations, and badly protected voicemail.
Friends, countrypersons, CCC-makers (ptooie!):
I've tried to be reasonable.
I've tried to show you the appetite-killing effects of edible mommy bodies:
I've tried to show you the cannibalistic undertones, the disturbing ramifications, and the flat-out creepiness of neck stumps and booby slices.
I've even shared with you the horror stories of raspberry fillings, plastic baked-in babies, and mock C-sections!
All to no avail.
And now - NOW - bakers are adding an homage to the scariest scene in Ghostbusters. Because that scene with the demon dogs pressing their faces through the door? [sing-song] A-DOR-ABLE!
Quick! GET OUT OF THE ARMCHAIR, DANA!!
Sure, they might have started out small...
"Aw, lookit da cutesy-wootsy lil' foot sticking out! Haha! So sweet!"
...but it wasn't long before bakers were pushing the boundaries of what anyone could stomach.
And because more is ALWAYS better...
"Leeeet ussss ooooouuuut!!"
...it wasn't long before the laws of physics went completely out the window:
Sweet mercy, woman, TELL ME you're getting an epidural.
So I ask you, fellow citizens, are we to stand for this? Or will we put our foot down, stop toeing the line, and kick belly cakes to the curb once and for all?!
Hey, wait a second. You just saved these photos to your "inspiration" folder, didn't you, bakers? YOU'RE NOT EVEN LISTENING TO ME, are you??
Oh, fine. Just send me photos when you're done, and we'll call it even.
Thanks to Amy U., Elizabeth M., Alanna E., Amanda R., Mary V., & Holly T. for today's belly laughs.
And from my other blog, Epbot:
One of ABI's initiatives is called Systers, originally a mailing list for women in systems computing and now a community for all women in technology. Today, Systers donate money to help support Pass-It-On Awards, "intended as means for women established in technological fields to support women seeking their place in the fields of technology." Each award winner has a moral obligation to somehow pass the benefits of the award on, broadening its impact.
One of this year's Pass-It-On winners is Foghor Tanshi, a Nigerian researcher currently teaching at the Federal University of Petroleum Resources. Tanshi received financial support for travel to this year's Heidelberg Laureate Forum, where she hopes to launch her research career.
I asked Tanshi a few questions about her involvement with computer science, and would like to share some of her answers here.
Gail Carmichael: Why did you get interested in computer science?
Foghor Tanshi: Because it is a field that easily finds application in a variety of other fields of endeavour. This particularly appeals to me because I enjoy applying my knowledge to new challenges.
GC: What is your research area? What made you interested in it?
FT: I have broad interests in machine learning applications in natural language processing and robotic motion and vision. This was inspired by the most basic need for machines – they make work easier. I am therefore interested in these interconnected research areas because they enable the development of collaborative and assistive technologies for humanity, e.g language-based teaching aids, human-robots collaborative manufacturing systems, etc.
GC: You also have an interest in computer science education. Can you tell me more about that?
FT: I am presently a computer science educator and plan to continue for most of my life because I am interested in inspiring – by any available means – more students (especially female Nigerian students) to use its techniques to solve problems. This is because of the fact that computer science tends to play an important role in the achievement of flexible solutions.
GC: What made you want to come to HLF?
FT: As one pursuing a career in research, it promises an opportunity to network and acquire vital information from Laureates in computer science and mathematics that would launch the next stage of my career. It would also provide an opportunity to share my research and meet potential collaborators, partners, mentors and friends.
GC: What was the role of the Systers Pass-It-On award in your ability to attend HLF?
FT: The Systers PIO enabled me to make pre-travel and travel arrangements towards attending the forum.
GC: What are you most looking forward to at HLF?
FT: To re-live several years of knowledge and experience through the laureates. This would mean learning as much as possible within a short period of time; wisdom (for navigating a research career) that they acquired in a lifetime.
In the wake of the recent averted mass shooting on the French railroads, officials are realizing that there are just too many potential targets to defend.
The sheer number of militant suspects combined with a widening field of potential targets have presented European officials with what they concede is a nearly insurmountable surveillance task. The scale of the challenge, security experts fear, may leave the Continent entering a new climate of uncertainty, with added risk attached to seemingly mundane endeavors, like taking a train.
The article talks about the impossibility of instituting airport-like security at train stations, but of course even if it were feasible to do that, it would only serve to move the threat to some other crowded space.
Our trip to Peru first took us to the cities of Lima and Cusco. We had a wonderful time in both, seeing the local sites and dining at some of their best restaurants. But if I’m honest, we left the most anticipated part of our journey for last, visiting Machu Picchu.
Before I talk about our trip to Machu Picchu, there are a few things worthy of note:
- I love history and ruins
- I’ve been fascinated by Peru since I was a kid
- Going to Machu Picchu has been a dream since I learned it existed
So, even being the world traveler that I am (I’d already been to Asia and Europe this year before going to South America), this was an exceptional trip for me. Growing up, our landlord was from Peru; as a friend of his daughters, I regularly got to see their home, which was full of Peruvian knickknacks and artifacts. As I dove into history during high school I learned about ancient ruins all over the world, from Egypt to Mexico and of course Machu Picchu in Peru. The mysterious city perched upon a mountaintop always held a special fascination for me. When the opportunity to go to Peru for a conference came up earlier this year, I agreed immediately and began planning. I had originally planned to go alone, but MJ decided to join me once I found a tour I wanted to book with. I’m so glad he did. Getting to share this experience with him meant the world to me.
Our trip from Cusco began very early on Friday morning in order to catch the 6:40AM train to Aguas Calientes, the village below Machu Picchu. Our tickets were for Peru Rail’s Vistadome train, and I was really looking forward to the ride. On the disappointing side, the Cusco half of the trip had foggy windows and the glare on the windows generally made it difficult to take pictures. But as we lowered in elevation my altitude headache went away and so did the condensation from the windows. The glare was still an issue, but as I settled in I just enjoyed the sights and didn’t end up taking many photos. It was probably the most enjoyable train journey I’ve ever been on. At 3 hours it was long enough to feel settled in and relaxed watching the countryside, rivers and mountains go by, but not too long that I got bored. I brought along my Nook but didn’t end up reading at all.
Of course I did take some pictures, here: https://www.flickr.com/photos/pleia2/alb
Once at Aguas Calientes our overnight bags (big suitcases were left at the hotel in Cusco, as is common) were collected and taken to the hotel. We followed the tour guide who met us with several others to take a bus up to Machu Picchu!
Our guide gave us a three hour tour of the site. At a medium pace, he took us to some of the key structures and took time for photo opportunities all around. Of particular interest to him was the Temple of the Sun (“J” shaped building, center of the photo below), which we saw from above and then explored around and below.
The hike up for these amazing views wasn’t very hard, but I was thankful for the stops along the way as he talked about the exploration and scientific discovery of the site in the early 20th century.
And then there were the llamas. Llamas were brought to Machu Picchu in modern times, some say to trim the grass and others say for tourists. It seems to be a mix of the two, and there is still a full staff of groundskeepers to keep tidy what the llamas don’t manage. I managed to get this nice people-free photo of a llama nursing.
There seem to be all kinds of jokes about “selfies with llamas” and I was totally in for that. Though I didn’t get next to a llama like some of my fellow selfie-takers, I did get my lovely distance selfie with llamas.
Walking through what’s left of Machu Picchu is quite the experience: the tall stone walls and stepped terraces that make up the whole thing, and lots of climbing and walking at various elevations throughout the mountaintop. Even going through the ruins in Mexico didn’t quite prepare me for what it’s like to be on top of a mountain like this. Amazing place.
We really lucked out with the weather, much of the day was clear and sunny, and quite warm (in the 70s). It made for good walking weather as well as fantastic photos. When the afternoon showers did come in, it was just in time for our tour to end and for us to have lunch just outside the gates. When lunch was complete the sun came out again and we were able to go back in to explore a bit more and take more pictures!
I feel like I should write more about Machu Picchu, being such an epic event for me, but it was more of a visual experience much better shared via photos. I uploaded over 200 more photos from our walk through Machu Picchu here: https://www.flickr.com/photos/pleia2/alb
My photos were taken with a nice compact digital camera, but MJ brought along his DSLR camera. I’m really looking forward to seeing what he ended up with.
The park closes at 5PM, so close to that time we caught one of the buses back down to Aguas Calientes. I did a little shopping (went to Machu Picchu, got the t-shirt). We were able to check into our hotel, the Casa Andina Classic, which ended up being my favorite hotel of the trip; it was a shame we were only there for one night! Hot, high pressure shower, comfortable bed, and a lovely view of the river that runs along the village:
I was actually so tired from all our early mornings and late evenings the rest of the trip that after taking a shower at the hotel that evening I collapsed onto the bed and instead of reading, zombied out to some documentaries on the History channel, after figuring out the magical incantation on the remote to switch to English. So much for being selective about the TV I watch! We also decided to take advantage of the dinner that was included with our booking and had a really low key, but enjoyable and satisfying meal there at the hotel.
The next morning we took things slow and did some walking around the village before lunch. Aguas Calientes is very small, it’s quite possible that we saw almost all of it. I took the opportunity to also buy some post cards to send to my mother and sisters, plus find stamps for them. Finding stamps is always an interesting adventure. Our hotel couldn’t post them for me (or sell me stamps) and being a Saturday we struck out at the actual post office, but found a corner tourist goodie shop that sold them and a mailbox nearby so I could send them off.
For lunch we made our way past all the restaurants that were trying to get us in their doors by telling us about their deals and pushing menus our way until we found what we were looking for, a strange little place called Indio Feliz. I found it first in the tour book I’d been lugging around, typical tourist that I am, and followed up with some online recommendations. The decor is straight up Caribbean pirate themed (what?) and, with a French owner, they specialize in Franco-Peruvian cuisine. We did the fixed menu where you pick an appetizer, entree and dessert, though it was probably too much for lunch! They also had the best beer menu I had yet seen in Peru; finally far from the altitude headache in Cusco, I had a Duvel and MJ went with a Chimay Red. Food-wise I began with an amazing avocado and papaya in lemon sauce. Entree was an exceptional skewer of beef with an orange sauce, and my meal concluded with coffee and apple pie that came with both custard and ice cream. While there we got to chat with some fellow diners from the US; they had just concluded the 4 day Inca Trail hike and regaled us with stories of rain and exhaustion as we swapped small talk about the work we do.
More photos from Aguas Calientes here: https://www.flickr.com/photos/pleia2/alb
After our leisurely lunch, it was off to the train station. We were back on the wonderful Vistadome train, and on the way back to Cusco there was some culturally-tuned entertainment as well as a “fashion show” featuring local clothing they were selling, mostly of alpaca wool. It was a fun touch, as the ride back was longer (going up the mountains) and being wintertime the last hour or so of the ride was in the dark.
We had our final night in Cusco, and Sunday was all travel. A quick flight from Cusco to Lima, where we had 7 hours before our next flight and took the opportunity to have one last meal in Lima. Unfortunately the timing of our stay meant that most restaurants were in their “closed between lunch and dinner” time, so we ended up at Larcomar, a shopping complex built into an oceanside cliff in Miraflores. We ate at Tanta, where we had a satisfying lunch with a wonderful ocean view!
Our late lunch concluded our trip; from there we went back to Lima airport and began our journey back home via Miami. I was truly sad to see the trip come to an end. Oftentimes I am eager to get home after such an adventurey vacation (particularly when it’s attached to a conference!), but I will miss Peru. The sights, the foods, the llamas and alpacas! It’s a beautiful country that I hope to visit again.
Strawberries! It's the fifth day of the madness that is the Newbie Artist Training Grounds on Equestria Daily! This time the assignment is: "Drawing a pony in disguise/Draw a pony faker". The submitter for this one is here, with the pictures ending up in this gallery here. The submitter jumped to 116 because 115 is another art challenge -- draw a scene based on the leaked titles to the future episodes. The official deadline is still midnight MDT (3 am EDT).
Thanks to all of those who participated, and to all the events folk at Linux Foundation, who handle the logistics for us each year, so we can focus on the event itself.
As with the previous year, we followed a two-day format, with most of the refereed presentations on the first day and more of a developer focus on the second day. We had good attendance, and also this year had participants from a wider field than the more typical kernel security developer group. We hope to continue expanding the scope of participation next year, as it’s a good opportunity for people from different areas of security, and FOSS, to get together and learn from each other. This was the first year, for example, that we had a presentation on Incident Response, thanks to Sean Gillespie who presented on GRR, a live remote forensics tool initially developed at Google.
Overall, it seems the adoption of Linux kernel security features is increasing rapidly, especially via mobile devices and IoT, where we now have billions of Linux deployments out there, connected to everything else. It’s interesting to see SELinux increasingly play a role here, on the Android platform, in protecting user privacy, as highlighted in Jeffrey Vander Stoep’s presentation on whitelisting ioctls. Apparently, some major corporate app vendors, who were not named, have been secretly tracking users via hardware MAC addresses, obtained via ioctl.
We’re also seeing a lot of deployment activity around platform Integrity, including TPMs, secure boot and other integrity management schemes. It’s gratifying to see the work our community has been doing in the kernel security/ tree being used in so many different ways to help solve large scale security and privacy problems. Many of us have been working for 10 years or more on our various projects — it seems to take about that long for a major security feature to mature.
One area, though, where I feel we need significantly more work is kernel self-protection: hardening the kernel so that its coding flaws cannot be exploited. I’m hoping that we can find ways to work with the security research community on incorporating more hardening into the mainline kernel. I’ve proposed this as a topic for the upcoming Kernel Summit, as we need buy-in from core kernel developers. I hope we’ll have topics to cover on this, then, at next year’s LSS.
The committee would appreciate feedback on the event, so we can make it even better for next year. We may be contacted via email per the contact info at the bottom of the event page.
AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.
It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.
Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.
I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.
After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.
On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.
The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”
I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?
Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”
A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.
WHO IS THADEUS ZU?
As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey, thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).
Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections that do not appear to be personal photos of any kind.
A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.
Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.
That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow.
Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.
Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).
Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.
Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:
“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”
A month later, on Feb. 7, 2014, Zu offered this tidbit of info:
“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”
To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.
But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.
Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.
It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.
KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.
It sounds like the start to a bad joke, but yesterday John and I had some bad bologna. Within minutes of our first bites, we were hit with nausea, migraines, and - in my case - recurring heart palpitations.
I spent the rest of the day and into the night alternating between clutching my head and my stomach, and those blasted heart palpitations kept bounding in to do a little dub step (WUB WUB) every hour or so.
In the past, a single heart skip was usually enough to trigger a full-on panic attack for me, so it is with mixed pride and misery that I tell you I've weathered at least 3 dozen in the last day and a half, and though my palms are sweaty as I type this, so far I've avoided a full-blown attack. Low-level anxiety, sure, but I'm doing my breathing exercises and taking long, slow strolls on the treadmill desk and trying to stay busy... and I've been having the most curious sensation through it all.
It's a kind of... expectant hope. A delayed-reaction relief. I can SEE the end of the tunnel, and though each new heart skip tells me I'm not there yet, I know I'm just a little bit closer. I know I'm not dying. I know it's going to get better. And that knowledge makes me - to borrow a phrase from the Bloggess - furiously happy.
Sometimes it's true that we need the dark to appreciate the light. We need our inner wars to fully cherish the times of peace. I hate this feeling right now. I hate it. But I'm learning that even this hate will - sometime soon, I hope - be transformed into gratitude. I won't always feel like this. I'm going to be steady and strong and serene again. And when that time comes, be it another few hours, days, or even weeks, I'm going to remember this terrible, fear-fueled hate, and I am going to love the ever-living CRAP out of my life.
I can almost feel it, you guys. I can almost taste it. And that almost-feeling is getting me through the consuming feelings of fear and pain and awfulness.
So I guess for now, "almost" is enough.
P.S. It's possible this can't all be blamed on bad bologna, of course, since my doctor upped my thyroid meds last month. Rest assured, I'll be dialing those down again, starting tomorrow.
It's National Dog Day, wrecky minions!
Now, I realize it can be difficult to celebrate dogs when cats are so OBVIOUSLY superior, but hear me out:
1) Dogs are people, too.
Specifically, a kind of mutant Sheep People.
2) Today is the PERFECT day to show your dog-loving friends that you respect their life choices, and that you, too, can appreciate a wet nose in the crotch from time to time.*
"LET US AT IT."
[*Kidding, no one appreciates that. But don't tell the dog people.]
And thirdly, and most importantly, without dogs we would never have these cakes:
(Wow, they really DO poop everywhere.)
Though to be fair, I'm pretty sure most of these bakers have never actually SEEN a dog.
For example: bakers, I'm preeetty sure the legs don't go there:
THIS IS YOUR DOG:
THIS IS YOUR DOG ON DRUGS:
And finally, is that a real dog biscuit??
'Cuz judging by Sunglasses' smug smile, I'm betting it is.
Well, thanks to Celia M., Steff, Julie, Natalie S., Julie D., Lisa, Kimberly & Lindsay N. for proving once again that even cat CAKES are bet... uh...
Happy Dog Day, everybody.
And from my other blog, Epbot:
Marte Løge, a 2015 graduate of the Norwegian University of Science and Technology, recently collected and analyzed almost 4,000 Android lock patterns (ALPs) as part of her master's thesis. She found that a large percentage of them -- 44 percent -- started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier.
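To make the keyspace figures above concrete, here is an added example (not from Løge's thesis or the article) that enumerates every valid 3x3 lock pattern under Android's drawing rules and reports how the pool shrinks further when the start node is restricted to a corner; the row-major node numbering and the corner set are my own modelling assumptions.

```python
"""Enumerate valid Android lock patterns (ALPs) on the 3x3 grid to see how
small the keyspace really is.  Added example; node numbering is an assumption.

Rules modelled (the rules the Android pattern lock enforces):
  * each node is used at most once;
  * a straight move that passes over the centre of another node is only
    allowed if that node has already been visited (otherwise the lock
    "snaps" to the node in between).
"""
import math

# Nodes numbered row-major: 0 1 2 / 3 4 5 / 6 7 8 (my convention).
CORNERS = {0, 2, 6, 8}


def _skipped_node(a: int, b: int):
    """Return the node whose centre lies exactly between a and b, or None.

    A midpoint node exists only when both the row and the column difference
    are even (0 or 2).  Knight-style moves (2 rows, 1 column) have none.
    """
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a == b or (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_patterns(length: int, start=None) -> int:
    """Number of valid patterns with exactly `length` nodes.

    If `start` is given, only patterns beginning at that node are counted.
    """
    def dfs(node: int, visited: int) -> int:
        if bin(visited).count("1") == length:
            return 1
        total = 0
        for nxt in range(9):
            if visited >> nxt & 1:
                continue                      # node already used
            mid = _skipped_node(node, nxt)
            if mid is not None and not visited >> mid & 1:
                continue                      # would jump over an unused node
            total += dfs(nxt, visited | 1 << nxt)
        return total

    starts = range(9) if start is None else [start]
    return sum(dfs(s, 1 << s) for s in starts)


def keyspace_summary(length: int) -> dict:
    """Pool size and bit strength, overall and for corner-start patterns only."""
    total = count_patterns(length)
    corner = sum(count_patterns(length, s) for s in CORNERS)
    return {
        "total": total,
        "bits": round(math.log2(total), 2),
        "corner_start": corner,
        "corner_bits": round(math.log2(corner), 2),
    }


if __name__ == "__main__":
    # Four-node patterns give the 1,624 figure quoted above; five-node
    # patterns stay under the "fewer than 9,000" bound.
    for n in (4, 5):
        print(n, keyspace_summary(n))
```

The "bits" figure is the equivalent of a uniformly random choice from the pool, so a four-node pattern is worth less than a four-digit PIN (10,000 choices) even before the start-node bias is taken into account.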
We started our Peruvian adventures in Lima. On Wednesday morning we took a very early flight to Cusco. The tour company had recommended an early flight so we could take a nap upon arrival to help adjust to the altitude; indeed, with Cusco over 2 miles high in elevation I did find myself with a slight headache during our visit there. After our nap we met up with our fellow travelers for our city tour of Cusco.
The tour began by going up for a view of all of Cusco from the hillside, where I got my first selfie with an alpaca. We also visited San Pedro’s Market, a large market complex that had everything from tourist goodies to everyday produce, meats, cheeses and breads.
From there we made our way to Qurikancha, said to be the most important temple in the Inca Empire. When the Spanish arrived they built their Church of Santo Domingo on top of it, so only the foundation and some of the rooms remain. I was happy that the tour focused on the Inca aspects and largely ignored the Church, aside from some of the famous religious paintings contained within.
More photos from Qurikancha here: https://www.flickr.com/photos/pleia2/set
We then went to the Plaza de Armas where the Cusco Cathedral lords over the square. No photos were allowed inside, but the Cathedral is notable for the Señor de los Temblores, a Jesus statue that is believed to have halted an earthquake in 1650 and a huge, captivating painting by Marcos Zapata of a localized Last Supper where participants are dining on guinea pig and chicha morada!
That evening we had the most exceptional dinner in Cusco, at MAP Café. It’s located inside Museo Arqueologico Peruano (MAP) which is run in association with the fantastic Museo Larco that we visited in Lima. Since this museum also had late hours, we had a wonderful time browsing their collection before dinner. Dinner itself was concluded with some amazing desserts, including a deconstructed lemon meringue pie accompanied by caramel ice cream.
More photos from the museum and dinner here: https://www.flickr.com/photos/pleia2/set
Thursday started off bright and early with a tour of a series of ruins outside of Cusco, in Saksaywaman. This was the first collection of ruins in Cusco we really got to properly climb, so with our tiny group of just four we were able to explore the citadel of Saksaywaman with a guide and then for a half hour on our own. In addition to the easy incline we took with the tour guide to walk on the main part of the ruins, which afforded our best view of Cusco, we walked up a multi-story staircase on the other side to get great panoramic views of the ruins. Plus, there were alpacas.
Beyond the main Saksaywaman sites, we visited other sites inside the park, seeing the fountains featured at Tambomachay, the amazing views from a quick stop at Puka Pukara and a near natural formation that had been carved for sacrifices at Q’enqo. The tour concluded by stopping at a local factory shop specializing in alpaca clothing.
More photos from throughout the morning here: https://www.flickr.com/photos/pleia2/alb
We were on our own for the afternoon, so we began by finally visiting a Chifa (Peruvian-inspired Chinese) restaurant. I enjoyed their take on Sweet and Sour Chicken. We then did some browsing at local shops before finally ending up at the Center for Traditional Textiles. They featured a small museum sharing details about the types and procedures for creating traditional Peruvian textiles, as well as live demonstration from master craftswomen and young trainees of the techniques involved. While there we fell in love with a pair of pieces that we took home with us, a finely woven tapestry and a small blanket that we’ll need to get framed soon.
Our time in Cusco concluded with a meal at Senzo, which had been really hyped but didn’t quite live up to our expectations, especially after the meal we had the previous night at MAP Café, but it was still an enjoyable evening. We’d have one last night in Cusco following our trip to Machu Picchu, where we dined at Marcelo Batata, but the altitude sickness had hit me upon our return and I could only really enjoy the chicken soup; as a ginger, mint & lemongrass soup, it was the perfect match for my queasy stomach (even if it didn’t manage to cure me of it).
More photos from Cusco here: https://www.flickr.com/photos/pleia2/set
The next day brought an early morning train to Aguas Calientes and Machu Picchu!