What's Our Vector, Victor?

Dec. 1st, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Kim H. asked for a bowling themed cake for her son's birthday, but apparently the baker thought she said Boeing.*

How do I know?

Well, I'm just winging it here, but the answer seems pretty plane:

Now, I know what you're thinking:
"Surely you can't be serious!"

Well I am serious, and don't call me Shirley.


Hey Kim H., do you like movies about gladiators?

[*They were near Boeing's manufacturing plant, so I guess it wasn't THAT big of a leap.]


Thank you for using our Amazon links to shop! USA, UK, Canada.

Tracking Someone Using LifeLock

Dec. 1st, 2015 05:41 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Someone opened a LifeLock account in his ex-wife's name, and used the service to track her bank accounts, credit cards, and other financial activities.

The article is mostly about how appalling LifeLock was about this, but I'm more interested in the surveillance possibilities. Certainly the FBI can use LifeLock to surveil people with a warrant. The FBI/NSA can also collect the financial data of every LifeLock customer with a National Security Letter. But it's interesting how easy it was for an individual to open an account for another individual.

Dreamwidth News: 1 Dec 2015

Dec. 1st, 2015 03:43 am
[staff profile] denise posting in [site community profile] dw_news
Hello, Dreamwidth!

It's December, and those of you who have been around for a while know what that means: the December Holiday Points Bonus!

All Dreamwidth Shop orders of paid time or points made (by a logged-in account) between now and midnight UTC on December 31 will get a 10% points bonus for you to save or spend in the future. For instance, if you buy a 12-month paid account (350 points), you'll get another 35 points once the order is complete for you to use on a future order.

This bonus only applies to orders of paid time or points -- bonus icons and rename tokens don't receive points bonuses. If you buy paid time or points for a friend, the bonus points will go to you, not to them.

The holiday points bonus is our way of saying "thank you" for continuing to support Dreamwidth. Our income comes entirely from you -- we have no advertising, no outside investors, and no venture capital, so you know that the decisions we make are always 100% in your best interest. Thank you to everyone who's bought paid time, extra services, or points this year. You make it possible for us to keep the site running for everyone, and we love you for it.

As 2015 draws to a close -- it's hard to believe we're finishing up our sixth year of Dreamwidth! -- we'd like to wish a very happy set of holidays to you, no matter what winter holidays you celebrate. Here's to an awesome 2016.

(EDIT: Also, there was a brief problem with the promotion not properly adding the bonus points to your account -- that's been fixed, and I'm manually applying the bonus points for the accounts/orders that were affected.)

While I have you here, I'd also like to highlight some of the changes we've made over the last few code pushes in case you've missed them:


We've also had a request for another round of the Great Community Rec-O-Matic! For those who weren't around last time we did this: it's a great way to get recommendations for communities to participate in that you might enjoy.

Here's how it works:

* If you're looking for new communities to join, comment here with a list of some of your interests, and the kind of community you enjoy reading and participating in.

* Or, read through the other comments and see what things other people are listing. If you see someone you think would be a perfect match for a community you admin or participate in, comment back to them and point them at the community!

(Comment notifications may be delayed for up to an hour or two, due to the high volume of notifications generated after an update is posted to [site community profile] dw_news. This was posted at 3:45AM EST (see in your time zone). Please don't worry about delayed notifications until at least two hours after that.)
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).

Organizations participating in DHS's "Cyber Hygiene" vulnerability scans. Source: DHS

KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.

DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokesperson Sy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

Among the findings in that report, which drew information from more than 100 engagements last year:

-Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);

-More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent).

-RVA phishing emails resulted in a click rate of 25 percent.

Data from NCATS FY 2014 Report.


I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation comes from the financial services and energy sectors — typically at regional or smaller institutions.

DHS has taken its lumps over the years for not doing enough to get its own cybersecurity house in order, let alone helping industry fix its problems. In light of its past cybersecurity foibles, the NCATS program on the surface would seem like a concrete step toward blunting those criticisms.

I wondered how someone in the penetration testing industry would feel about the government throwing its free services into the ring. Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla.-based security firm that offers many of the same services NCATS bundles in its product.


Aitel said one of the major benefits for DHS in offering NCATS is that it can use the program to learn about real-world vulnerabilities in critical infrastructure companies.

“DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies.”

Of course, the downsides are that sometimes you get what you pay for, and the NCATS offering raises some interesting questions, Aitel said.

“Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability.”

As far as the potential legal ramifications of any mistakes DHS may or may not make in its assessments, the acceptance letter (PDF) that all NCATS customers must sign says DHS provides no warranties of any kind related to the free services. The rules of engagement letter from DHS further lays out ground rules and specifics of the NCATS testing services.

Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations.

But what about previously unknown vulnerabilities found by DHS examiners?

“This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.

And then there are potential legal issues with the government competing with private industry.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based security training group, isn’t so much concerned about the government competing with the private sector for security audits. But he said DHS is giving away something big with its free assessments: an excuse for the leadership at scanned organizations for not doing anything after the assessment, and a way to use the results to actually spend less on security.

“The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”

According to Paller, despite what the NCATS documents say, the testers do not do active penetration tasks against the network. Rather, he said, they are constrained by their rules of engagement.

“Mostly they do architectural assessments and traffic analysis,” he said. “They get a big packet capture and they baseline and profile and do some protocol analysis (wireless).”

Paller said the sort of network architecture review offered by DHS’s scans can only tell you so much, and that the folks doing it do not have deep experience with one of the more arcane aspects of critical infrastructure systems: Industrial control systems of the sort that might be present in an energy firm that turns to NCATS for its cybersecurity assessment.

“In general the architectural reviews are done by younger folks with little real world experience,” Paller said. “The big problem is that the customer is not fully briefed on the limitations of what is being done in their assessment and testing.”

Does your organization have experience with NCATS assessments? Are you part of a critical infrastructure company that might use these services? Would you? Sound off in the comments below.

[syndicated profile] epbot_feed

Posted by Jen

Greetings, fellow Christmas decoration addicts! Now that Thanksgiving is over, it's time for my yearly roundup from Orlando's Festival of Trees!

This event always has the newest designer trends, and is fantastic for inspiration. So let's dive in!

I'm always most interested in tree toppers, and this year top hats were pretty popular. I like the extra berry sprigs around this one; keeps it from looking too boxy up there.

Now this topper was way over the top... literally:


Ok, so the topper's a bit much, but the theme, "Sweater Weather," was adorable:

Almost every ornament was made of soft felts and fabric!

This next theme is "Once Upon A Time":

See the little spinning wheel at the base? From that, I'm guessing the wheat stalks on top are an ode to Rumpelstiltskin. 

The ornaments were a mix of keys, crown, fairies, carriages, etc:


A History of Privacy

Nov. 30th, 2015 12:47 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

This New Yorker article traces the history of privacy from the mid 1800s to today:

As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late. The horse is out of the barn. The post office has opened your mail. Your photograph is on Facebook. Google already knows that, notwithstanding your demographic, you hate kale.
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.

Agent Steve Scarince of the U.S. Secret Service heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.

External pump skimmers retrieved from LA fuel stations.

An external pump skimmer is attached to the end of this compromised fuel dispenser in Los Angeles (right).

“Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,” he said. “The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.'”

Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely.

Internal pump skimming device seized from a Los Angeles fuel station.

Most internal, modern pump skimmers are built to record the card data on a storage device that can transmit the data wirelessly via Bluetooth technology. This way, thieves can drive up with a laptop and fill their tank in the time it takes to suck down the card data that’s been freshly stolen since their last visit.

The Secret Service task force in Los Angeles has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don’t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.


Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic “bladders” capable of holding between 250 and 500 gallons of fuel.

“The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,” he said. “Then they’ll drive back to their compound and pump the fuel into a 4,000 or 5,000 [gallon] container truck.”

A bladder truck made to look like it’s hauling used tires. The wooden panel that was hiding the metal tank exposed here has been removed in this picture.

The fuel is delivered to gas station owners with whom the fuel theft ring has previously brokered a price per gallon. And it’s always a cash transaction.

“The stations know they’re buying stolen gas,” Scarince said. “They’re fully aware the fuel is not coming from a legitimate source. There’s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.”

Fuel theft gangs converted this van into a bladder truck. Image: Secret Service.

Needless to say, the bladder trucks aren’t exactly road-worthy when they’re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.

“Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,” Scarince said. “He lit up and that was the last thing he did.”

This bladder truck went up in smoke (literally).

This bladder truck went up in (a) smoke.

Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.

“There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,” Scarince said. “These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can’t handle the load. We see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.”

How big are the fuel theft operations in and around Los Angeles? Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.

“And that’s a very conservative guess, just based on what the credit card companies report,” he said.

Aaron Turner, vice president of identity service products at Verifone — a major manufacturer of credit card terminals — leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment. 

“Every piece of equipment that is installed by gas station owners in the pump area is reviewed and approved according to industry standards, but these skimmers…not so much,” Turner said. “One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it’s safe to say that skimmer manufacturers are not getting UL certifications for their gear.”


With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.

“A lot more card issuers and merchant processors are really pushing hard on velocity checks,” Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. “If you buy gas in Washington, D.C. and then 30 minutes later gas is being purchased on the opposite side of the city, those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.”

Card issuers also can impose their own artificial spending limits on fuel purchases. Visa, for example, caps fuel purchases at $125.  But thieves often learn to work just under those limits.

“The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,” Scarince said. “They’ll come in and swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they’ll drive one direction, and Tuesday they’ll go the other way, just to make sure they don’t hit the same stations one day after another.”
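Velocity checks of the kind Scarince describes, as an added example that is not code from the article, the Secret Service, Verifone or any card network: a per-card rule (one card authorised at two distant stations within a short window) and a per-station rule (several distinct cards each buying just under the issuer's per-transaction fuel cap within minutes of each other). The record layout, station coordinates, thresholds and sample purchases are all constructed; the $125 figure is the Visa cap cited above.

```python
"""Two velocity checks over constructed fuel-purchase authorisations.

Added example. Nothing here is the code of any issuer or processor; the
Txn layout, station coordinates, thresholds and SAMPLE data are made up
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
import math


@dataclass(frozen=True)
class Txn:
    card: str        # tokenised card reference (constructed, not a PAN)
    station: str     # merchant/station identifier (constructed)
    ts: datetime     # authorisation time (UTC)
    amount: float    # authorised amount in USD
    lat: float       # station coordinates (constructed)
    lon: float


def km_between(a: Txn, b: Txn) -> float:
    """Great-circle distance in km between two station locations (haversine)."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def card_velocity_alerts(txns, window=timedelta(minutes=30), min_km=5.0):
    """Flag a card authorised at two different stations at least `min_km`
    apart within `window` of each other (the 'opposite side of the city'
    pattern). Returns (card, first_station, second_station, gap) tuples."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    alerts = []
    for card, items in by_card.items():
        items.sort(key=lambda t: t.ts)
        for a, b in combinations(items, 2):      # sorted, so b.ts >= a.ts
            if (b.ts - a.ts <= window and a.station != b.station
                    and km_between(a, b) >= min_km):
                alerts.append((card, a.station, b.station, b.ts - a.ts))
    return alerts


def station_cluster_alerts(txns, cap=125.0, margin=10.0,
                           window=timedelta(minutes=15), min_cards=2):
    """Flag a station where `min_cards` or more distinct cards each spent
    within `margin` of the per-transaction `cap` inside one `window`
    (the 'a few cards per station, just under the limit' pattern).
    Returns (station, window_start, sorted_cards) tuples, one per station."""
    near_cap = [t for t in txns if cap - margin <= t.amount <= cap]
    by_station = defaultdict(list)
    for t in near_cap:
        by_station[t.station].append(t)
    alerts = []
    for station, items in by_station.items():
        items.sort(key=lambda t: t.ts)
        for i, first in enumerate(items):
            cards = {t.card for t in items[i:] if t.ts - first.ts <= window}
            if len(cards) >= min_cards:
                alerts.append((station, first.ts, sorted(cards)))
                break                             # one alert per station
    return alerts


# Constructed sample: two stations about 22 km apart in the LA area.
T0 = datetime(2015, 11, 30, 8, 0)
STATIONS = {"station-A": (34.05, -118.25), "station-B": (34.02, -118.49)}


def mk(card, station, minutes_after_t0, amount):
    lat, lon = STATIONS[station]
    return Txn(card, station, T0 + timedelta(minutes=minutes_after_t0), amount, lat, lon)


SAMPLE = [
    mk("card-1", "station-A", 0, 118.40),   # three cards, each just under cap,
    mk("card-2", "station-A", 4, 121.75),   # at the same station within 9 min
    mk("card-3", "station-A", 9, 119.10),
    mk("card-1", "station-B", 25, 117.90),  # card-1 again, 22 km away, 25 min later
    mk("card-9", "station-B", 40, 32.10),   # ordinary fill-up; should not alert
]


def run_checks(txns=SAMPLE):
    """Run both rules and return their alert lists."""
    return card_velocity_alerts(txns), station_cluster_alerts(txns)


if __name__ == "__main__":
    for alert in run_checks()[0] + run_checks()[1]:
        print(alert)
```

Thresholds here are illustrative; a real deployment would tune the window and distance per issuer and combine these rules with the card's normal spending profile.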

Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card’s magnetic stripe, and most fuel stations won’t have chip-enabled readers for several years to come.

On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

“The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don’t feel they’re going to hit the 2017 dates,” Turner said. “If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians…most of the stations are saying that even if they start this process now they’re going to struggle to meet that October 2017 date.”

Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.

“We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,” Turner said. “In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.”

Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic Armenian organized crime members that have invested heavily in fuel theft schemes. Last month, the Justice Department announced charges against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.

Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.

“We are seeing pump skimming now shoot across the country,” Scarince said. “Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we’re now seeing show up in other locations across the country. They’re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.”


Avoid sketchy-looking stations and those that haven’t started using tamper-evident seals on their pumps.

“The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven’t upgraded their pump locks and haven’t started using tamper seals,” Scarince said. “If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they’re going to be targeted.”

Scarince says he also tends to use pumps that are closest to the attendants.

“Those are less likely to have skimmers in or on them than street-side pumps,” he said.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

The Bakery Order Book IS A LIE

Nov. 30th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

We all know asking a bakery to match a cake photo you brought in is inviting disaster, but what about the photos in their own order book? SURELY they can match those, right?

[poker face]
[lip quiver]


[wiping eyes]

Sorry. I held it together as long as I could, honest.

I want you to pay close attention to that faux wood grain and the rock pattern on this one.


Now, notice how they...

...didn't include any of that.


Aren't the silver screw heads edging this motorcycle design super cool?

Yeah, you will never ever ever ever ever ever get those on your cake.


Also, your flames will look like melty tentacles.


Now here's a SUPER easy one:

Practically everything you see is plastic, so all the baker has to do is add a star and some squiggly lines. THAT'S IT.


Drum roll, please:



Maybe you think ordering an intentionally "messy" design is the answer:

Good plan! And yet...



I do have some good news, though. With another year of Frozen cakes under their belts, bakers are finally starting to improve on that always-disastrous kit design!

Ok, so I lied.

But c'mon, those "mountains" had to be shared with the world.


Thanks to Christian P., Tanis C., Lisa C., Dawn H., & Lavon C., for discovering Olaf also likes warm spuds.



[syndicated profile] accidentallyincode_feed

Posted by Cate

Al mal tiempo buena cara!

Credit: Flickr / Andrés Nieto Porras

One of my friends died not too long ago and #fuckcancer. But at least I got to say goodbye, and to say what seemed like the most important thing to say. It’s rare that you get that kind of closure.

So I clung to that when I knew the end was near. And I reminded myself of that when I got That Email and cried alone in an airline lounge at 4am. I referred back to it in the days that followed.

And then. Her family released an obituary and there was something in it where my reaction was like… woah. I did not know that. It wasn’t one of the (many) cool things she did. My friends are generally interesting people who I learn new things about each time we talk. But how she felt about something that I really believed she, of anyone, had figured out.

And I wish I had said, this is how I feel about this thing. And I wish I had heard how she felt about it. And of course now, I won’t.

For me, grief always comes with a side of guilt. How can I be sad, when other people will be more sad? I generally find trite the things we “learn” and “realise” when people we care about die. I think we know these things, we just don’t prioritise them.

Of course, though, trite is another word for common, and so I have channelled my feelings into making more of an effort with my friends. Maybe they find me needy and clingy lately. Maybe they attribute it to other reasons. Maybe they like it.

And I have been reflecting on the nature of friendship. I realise that friendship is not linear, recall that people come and go from our lives, and contemplate that I have never been able to predict who will end up being important in my life long term and who will be temporary.

Finally, I feel a deep sense of gratitude for the many wonderful people in my life who I am lucky enough to know and love. The people who adventure with me, inspire me,  support me practically – and emotionally. Who send me adorable animal pictures, call me on my shit, and push me to be a better human. I love y’all.

But seriously, #fuckcancer.

Cryptanalysis of Algebraic Eraser

Nov. 30th, 2015 06:05 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Algebraic Eraser is a public-key key-agreement protocol that's patented and being pushed by a company for the Internet of Things, primarily because it is efficient on small low-power devices. There's a new cryptanalytic attack.

This is yet another demonstration of why you should not choose proprietary encryption over public algorithms and protocols. The good stuff is not patented.

News article.


Nov. 29th, 2015 09:33 pm
[personal profile] frith posting in [community profile] ponyville_trot
Source: http://lexx2dot0.deviantart.com/art/Mod-573957823

As you may have noticed from the Pony Countdown clock, it's that time again. The time where one season ends and nopony knows when we shall reach the shore of the next season. We are adrift in the ocean of time. This is the end, the little death, the passage we must endure as we fish out fanfics and artworks of all sorts from the sea of possibilities. So cast those nets! Adorn the night with stars! This ride is what you make it.

What is hacker culture?

Nov. 29th, 2015 12:00 am
[personal profile] mjg59
Eric Raymond, author of The Cathedral and the Bazaar (an important work describing the effectiveness of open collaboration and development), recently wrote a piece calling for "Social Justice Warriors" to be ejected from the hacker community. The primary thrust of his argument is that by calling for a removal of the "cult of meritocracy", these SJWs are attacking the central aspect of hacker culture - that the quality of code is all that matters.

This argument is simply wrong.

Eric's been involved in software development for a long time. In that time he's seen a number of significant changes. We've gone from computers being the playthings of the privileged few to being nearly ubiquitous. We've moved from the internet being something you found in universities to something you carry around in your pocket. You can now own a computer whose CPU executes only free software from the moment you press the power button. And, as Eric wrote almost 20 years ago, we've identified that the "Bazaar" model of open collaborative development works better than the "Cathedral" model of closed centralised development.

These are huge shifts in how computers are used, how available they are, how important they are in people's lives, and, as a consequence, how we develop software. It's not a surprise that the rise of Linux and the victory of the bazaar model coincided with internet access becoming more widely available. As the potential pool of developers grew larger, development methods had to be altered. It was no longer possible to insist that somebody spend a significant period of time winning the trust of the core developers before being permitted to give feedback on code. Communities had to change in order to accept these offers of work, and the communities were better for that change.

The increasing ubiquity of computing has had another outcome. People are much more aware of the role of computing in their lives. They are more likely to understand how proprietary software can restrict them, how not having the freedom to share software can impair people's lives, how not being able to involve themselves in software development means software doesn't meet their needs. The largest triumph of free software has not been amongst people from a traditional software development background - it's been the fact that we've grown our communities to include people from a huge number of different walks of life. Free software has helped bring computing to under-served populations all over the world. It's aided circumvention of censorship. It's inspired people who would never have considered software development as something they could be involved in to develop entire careers in the field. We will not win because we are better developers. We will win because our software meets the needs of many more people, needs the proprietary software industry either can not or will not satisfy. We will win because our software is shaped not only by people who have a university degree and a six figure salary in San Francisco, but because our contributors include people whose native language is spoken by so few people that proprietary operating system vendors won't support it, people who live in a heavily censored regime and rely on free software for free communication, people who rely on free software because they can't otherwise afford the tools they would need to participate in development.

In other words, we will win because free software is accessible to more of society than proprietary software. And for that to be true, it must be possible for our communities to be accessible to anybody who can contribute, regardless of their background.

Up until this point, I don't think I've made any controversial claims. In fact, I suspect that Eric would agree. He would argue that because hacker culture defines itself through the quality of contributions, the background of the contributor is irrelevant. On the internet, nobody knows that you're contributing from a basement in an active warzone, or from a refuge shelter after escaping an abusive relationship, or with the aid of assistive technology. If you can write the code, you can participate.

Of course, this kind of viewpoint is overly naive. Humans are wonderful at noticing indications of "otherness". Eric even wrote about his struggle to stop having a viscerally negative reaction to people of a particular race. This happened within the past few years, so before then we can assume that he was less aware of the issue. If Eric received a patch from someone whose name indicated membership of this group, would there have been part of his subconscious that reacted negatively? Would he have rationalised this into a more critical analysis of the patch, increasing the probability of rejection? We don't know, and it's unlikely that Eric does either.

Hacker culture has long been concerned with good design, and a core concept of good design is that code should fail safe - i.e., if something unexpected happens or an assumption turns out to be untrue, the desirable outcome is the one that does least harm. A command that fails to receive a filename as an argument shouldn't assume that it should modify all files. A network transfer that fails a checksum shouldn't be permitted to overwrite the existing data. An authentication server that receives an unexpected error shouldn't default to granting access. And a development process that may be subject to unconscious bias should have processes in place that make it less likely that said bias will result in the rejection of useful contributions.
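As an added illustration that is not part of mjg59's post, here are the three fail-safe cases from the paragraph above written out in Python, each with the fail-open behaviour the essay warns against beside a fail-safe version. The backend, user names and byte strings are constructed stand-ins, not anything from the original.

```python
"""Added example (not from the original post): fail-open versus fail-safe
handling for the three cases in the essay. The backend and all inputs are
constructed stand-ins."""
import glob
import hashlib
from typing import Callable, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Case 1: a command given no filename must not assume "all files".
def targets_fail_open(args: List[str]) -> List[str]:
    # Unexpected input (nothing named) silently becomes "everything in cwd".
    return args if args else glob.glob("*")


def targets_fail_safe(args: List[str]) -> List[str]:
    # Least harm: refuse to guess and make the caller say what they meant.
    if not args:
        raise ValueError("no filename given; refusing to act on all files")
    return args


# Case 2: a transfer whose checksum fails must not overwrite existing data.
def store_fail_open(existing: bytes, received: bytes, expected: str) -> bytes:
    if sha256_hex(received) != expected:
        print("warning: checksum mismatch")  # logged, but the write proceeds
    return received


def store_fail_safe(existing: bytes, received: bytes, expected: str) -> bytes:
    # Keep the known-good copy; the caller can retry the transfer.
    if sha256_hex(received) != expected:
        return existing
    return received


# Case 3: an authentication server hitting an unexpected error must deny.
class BackendError(Exception):
    """Raised by the constructed backend when its directory is unreachable."""


def flaky_backend(user: str) -> bool:
    # Constructed stand-in: only "alice" is known; anyone else hits an outage.
    if user == "alice":
        return True
    raise BackendError("directory unreachable")


def authz_fail_open(user: str, backend: Callable[[str], bool]) -> bool:
    try:
        return backend(user)
    except BackendError:
        return True  # "don't lock people out": the default the essay warns against


def authz_fail_safe(user: str, backend: Callable[[str], bool]) -> bool:
    try:
        return backend(user)
    except Exception:  # any unexpected error: the least-harm answer is "no"
        return False
```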

When people criticise meritocracy, they're not criticising the concept of treating contributions based on their merit. They're criticising the idea that humans are sufficiently self-aware that they will be able to identify and reject every subconscious prejudice that will affect their treatment of others. It's not a criticism of a desirable goal, it's a criticism of a flawed implementation. There's evidence that organisations that claim to embody meritocratic principles are more likely to reward men than women even when everything else is equal. The "cult of meritocracy" isn't the belief that meritocracy is a good thing, it's the belief that a project founded on meritocracy will automatically be free of bias.

Projects like the Contributor Covenant that Eric finds so objectionable exist to help create processes that (at least partially) compensate for our flaws. Review of our processes to determine whether we're making poor social decisions is just as important as review of our code to determine whether we're making poor technical decisions. Just as the bazaar overtook the cathedral by making it easier for developers to be involved, inclusive communities will overtake "pure meritocracies" because, in the long run, these communities will produce better output - not just in terms of the quality of the code, but also in terms of the ability of the project to meet the needs of a wider range of people.

The fight between the cathedral and the bazaar came from people who were outside the cathedral. Those fighting against the assumption that meritocracies work may be outside what Eric considers to be hacker culture, but they're already part of our communities, already making contributions to our projects, already bringing free software to more people than ever before. This time it's Eric building a cathedral and decrying the decadent hordes in their bazaar, Eric who's failed to notice the shift in the culture that surrounds him. And, like those who continued building their cathedrals in the 90s, it's Eric who's now irrelevant to hacker culture.

(Edited to add: for two quite different perspectives on why Eric's wrong, see Tim's and Coraline's posts)

This Week

Nov. 29th, 2015 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate


“Tiny Raccoon has no regrets. Medium Sized Hedgehog does not judge.”


Spent the week in New Orleans hanging out with a friend, which has been great. We’ve had a pretty chill time, done some exploring, and it’s been awesome to spend more time with her. Also, I got a haircut.


Last week before things change dramatically. Working on finishing things up – finally made some progress on Show and Hide app store copy!!


Finished Yes Please, reading High Output Management.

Product links Amazon.


A new edition of Technically Speaking is out.

On The Internet

[syndicated profile] cakewrecks_feed

Posted by Jen

Confession Time: as much as I love all the Sweets I feature, it's the kids' cakes that thrill me the most.

From favorite childhood characters:

(By Alana Lily Chocolates & Cakes)


...to new ones I've just met and already love:

(By Sugar Top Cakes)


...to squee-inducing cuteness I just want to snuggle:

(By Bake-A-Boo)



Then there are colorful, guitar-rockin' monsters:

(By Phoenix Cake Company)


Dapper little owls:

(By Eunice Cake Designs)


...and the sweetest bees you ever did see:

(By Frosted Indulgence)

Just looking at this makes me happy. :)


When I was very young my parents let me buy a Little Twin Stars stationary set from Epcot, and even though I had no idea who they were, I've loved the pastel pair ever since.

And this is the best Little Twin Stars cake I've ever seen:

(By The Bunny Baker)

Kids' cakes, schmids' cakes. I'll take this one for my next birthday, thx.


Or how about this drop dead gorgeous Tangled tower?

(By Sabz Cakes)


Oooh! Or this little yellow submarine?

(By Über Angel Cakes)

Complete with a cutie-patootie pink seahorse!


And finally, since you all know I have a soft spot for adorable robots:

(By Isabella's Sweet Tooth)


Yep, this grown-up just wants kids' cakes from now on, guys. And I bet I'm not the only one, right?


Happy Sunday!


Thank you for using our Amazon links to shop! USA, UK, Canada.

I link, therefore I spam

Nov. 28th, 2015 06:00 pm
[syndicated profile] geekfeminism_feed

Posted by spam-spam

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot

In the interest of Being Excellent and considerate of those who have yet to watch this episode (like Schnee!), all references to the content of this episode are stashed under the cut and will remain so hidden for at least a month. Someponies like to watch MLP:FIM in herds and it can be a while before they get all their ponies together. 8^) As spoilers are also likely to be in any comments: don't read if you haven't yet seen the episode unless you like being spoiled. When you're ready, drop in a comment and say what you thought of this episode!

After a month, I hope Episode Discuss posts will be so far off the top page that it'll probably take the tag to find them, so about a month after posting the cut will be removed. 8^) Sometimes I go back and drop in little extras into the posts, like comics and links to the music.

This time the broadcast will be an hour long and start at 11:00 am Eastern Standard Time, which should work out to 3:00 pm UTC, 8:00 am PST and about 2:00 AM Down Under. Confused? Look at the PonyCountdown widget on the community page! At the moment there's about an hour left to go.

Written by ?

For you rare bird "live-tweet" twitterers, Meghan McCarthy is a good possibility, and other twits in the early morning chorus may include the likes of Jayson Thiessen (Supervising Director of MLP:FIM) and Big Jim (storyboard work, voice of Troubleshoes and Director of MLP:FIM). The hashtag to watch is #MLPseason5.

Here we are. The final feast of the season. Drink it all in for we know not when or how next we shall see the likes of another season of MLP:FIM. Winter is coming.

Review for episode 25 & 26, The Cutie Re-Mark Parts 1 & 2 below the cut. )

Catch the show and throw in your two bits in the comments! Copy/paste your reviews into the comments, spread the wealth!

Watch The Cutie Re-Mark Parts 1 & 2 on Youtube: both parts in one go in 480p and on DailyMotion: part one and part two.

Download link for The Cutie Re-Mark Parts 1 & 2 (later, maybe even today!)

Read all the transcripts, including that of The Cutie Re-Mark Parts 1 & 2 over here on the MLP wiki of transcripts.

The links to official channels and purchasing DVDs and episodes are now in the community sticky.

Friday Squid Blogging: Squid Necklace

Nov. 27th, 2015 04:19 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

She's calling it an octopus, but it's a squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

[syndicated profile] epbot_feed

Posted by Jen

I'm a big fan of MegaCon, Orlando's sci-fi convention that draws even more people than Dragon Con, if you can believe it, so I was pretty psyched when MC's owners announced a new, smaller event called "Fan Days." This 2-day con would offset the larger 4-day MegaCon coming next May.

This was Fan Days' first year, and there wasn't a lot of advance notice to the public, so attendance was a little sparse. Where MegaCon averages over 65,000 attendees, Fan Days was more in the 10,000 range. It was held in the same convention center, though, and had a surprisingly great lineup of A-list celebs, artists, and vendors.

So while business was a little slow for the workers, it was near perfection for us attendees. The big panel room for celebs was never more than half full, you could shop the vendor room with ease, and parking has never been faster. That said, there were still plenty of fellow geeks and cosplayers around to keep the atmosphere lively, and just enough crowds to make it feel like a con.

A conga line of Deadpools:

This Wonder Woman later won Best Comic Book Character in the costume contest:

Steampunk Lady Flash:


A Process for Writing an Abstract

Nov. 27th, 2015 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate


Credit: Flickr / Matt Newfield

As part of the Technically Speaking Anniversary last week I did two mentoring calls. Both of them focused on writing abstracts. This is cool, because one of the things I discovered when Chiu-Ki and I ran our workshop is that Abstract Writing is something of a speciality for me and I actually quite enjoy writing them for other people.

General Comments About Abstracts

  • Your abstract is a pitch for your talk. It’s when you sell the topic.
  • Your bio is where you sell yourself as a good person to speak about the topic.
  • It doesn’t need to be long.
  • Be concrete, but not overly detailed. E.g. specific takeaways are good, the details of how you get to them are unnecessary.

Three Lists

Think about your topic and make three lists.

  1. Why is this topic important?
  2. What do you want people to take away from it?
  3. What points do you plan to cover?

List #3 is the easiest, but lists #1 and #2 are most useful for writing your abstract.

A Formula

[Strong statement about why this topic is important at a macro level]. [Specific points that tie your more narrow topic to this macro point].

This talk will cover [2-3 most important points], after which you will be able to [concrete audience takeaway].

Leftover Lolz

Nov. 27th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Mmmmm, turkey leftovers.

Best part about Thanksgiving, am I right?




[wincing] Ooooh.




What the...?!



You know, on second thought, maybe we'll skip leftovers today and just have soup. Yeah. Soup is good.


Thanks to Alia P., Camille C., Cyndi V., Adry, & Sandra W. for pretty much guaranteeing we're about to get banned from Facebook again. I HOPE YOU'RE HAPPY, SANDRA.

Defending against Actual IT Threats

Nov. 27th, 2015 06:45 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Roger Grimes has written an interesting paper: "Implementing a Data-Driven Computer Security Defense." His thesis is that most organizations don't match their defenses to the actual risks. His paper explains how it got to be this way, and how to fix it.

Anything You Can Do

Nov. 26th, 2015 10:08 pm
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot

Source: https://www.youtube.com/watch?v=5yIccPnhvy0

Ah ha ha ha! This is very cute. This song by Irving Berlin is from Annie Get Your Gun (1946 Broadway musical) and it is sung here by Bernadette Peters and Tom Wopat, recorded in 1999. Get it here on CD.
[syndicated profile] cakewrecks_feed

Posted by Jen

It's Thanksgiving!


Just kidding. I know we're all on our phones, Facebooking about our racist relatives and how many times the smoke alarm's gone off.

Or maybe you don't even live in the U.S., and you're just here for our ridiculous American turkey cakes. [winkwink] [finger guns] AW YEAH.

Well, it just so happens...





With an extra side of:



Pamela thought this display looked familiar. Let's see if you agree:


(Via The Oatmeal)


And for that quintessentially American Thanksgiving experience:

Decapitated Scarecrow Clown!


Now get back out there and gooble, my friends.

Gooble 'til ya wooble.


Thanks given to Amandalyn V., Anony M., Jeanmarie D., Pamela R., Marsha H., & Izzy for their excellent wreckporting.


Thank you for using our Amazon links to shop! USA, UK, Canada.

Turkey Soup

Nov. 26th, 2015 05:11 am
[syndicated profile] hypatia_dot_ca_feed

Posted by Leigh Honeywell

Lots of folks will be roasting turkeys tomorrow, and while there are a zillion recipes out there for turkey soup, this is the one I grew up with. My mum always said that it was better than the turkey itself, and while I’m a big fan of her perfectly brined birds, this soup really is sublime.



Save the bones if you’ve eaten the drumsticks etc. Once the pandemonium of the main meal is over, take all the leftover meat off the carcass and put it to one side – you’ll use some of it later.

Cover the carcass in water in a big pot. Add:

  • a couple of onions, peeled and cut in quarters
  • some celery (mainly the leaves for the stock-making process, you’ll use the stems later)
  • salt, pepper
  • a couple of tablespoons of thyme

Simmer for 2-3 hours. While it’s simmering, cook up about 3 cups of rice (more or less depending on how big a bird you’re working with). Mum uses plain white rice but last year I used 2 cups of basmati and one cup of wild rice and it was delicious, so be adventurous! Put the rice aside for later.

Once the stock has simmered adequately, strain it – carefully! Toss the bones and other solid parts.

There are two ways to de-fat your stock: chill the strained stock and skim the fat off the top of the gelled stock, or use a fat separator (I love my OXO Good Grips 4-Cup Fat Separator, which looks like a weirdly shaped measuring cup). You can skip this step but the soup will be a little greasier. It will still be delicious, don’t worry.

If you did the chilling step, bring soup back to boil. Either way, add:

  • the cooked rice
  • chopped celery
  • chopped turkey
  • salt and pepper to taste

Simmer for about another half an hour, then enjoy with rustic crackers, French bread, or other delicious carbs. A bit of Tabasco goes nicely too.

The soup freezes really well, so don’t be afraid to make lots!

If you enjoyed this recipe, you may also enjoy my mother’s English Bread Sauce recipe, which I posted a few years back.

Happy holidays!


Page generated Dec. 1st, 2015 06:15 pm
Powered by Dreamwidth Studios