More Halloween Madness

Oct. 31st, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

I think the sugar-high is really starting to kick in, you guys.

You can almost hear the insane giggling from behind the counter, am I right?

 

John thinks these are supposed to be maggots:

I think it's time to scroll down quickly and skip lunch.

 

Then there's this:

 

And this:

I've stared at that cookie for ages. Still have no idea what the baker was thinking.

 

Here's a fun party game:

CAPTION THIS:

I would, but there are children present.

 

Look, I'm not saying "Ouija" is the easiest word to spell, but you'd think they'd at least get it right on the second try:

And for those wondering what possessed [snerk] a bakery to make a Ouija Board display cookie in the first place: I'm not sure, but the fact that they added a "HELP" on the front is less than reassuring.
o.0 Someone wanna go check on them?

("Bring me an old priest, a young priest, a half gallon of milk, and some paper plates!")

 

And finally, why it must suck to have a Halloween birthday:

Remember, Kailey, you've got your whoooole life ahead of you.
Now, who wants a slice of grave stone?!

 

Thanks to Patty A., Holly N., Melissa H., Victoria F., Jennifer W., Hollie K., & Nicole P. for reminding us to wReck It Properly.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

Surprise Attack

Credit: DeviantArt / SkylerTrinityRapture

My notes from Sally Shepard's talk on Accessibility at iOSDevUK. It was really good, I thought I knew quite a bit about a11y but actually only VoiceOver really, so I learned a lot. Her slides are here.

Passionate about accessibility, accessibility issues in family.

Myths:

  • Not that many people.
  • Time consuming.
  • Too complicated.
  • Don’t know how to test it.

1 in 7 people have some form of disability. It’s a growing population. This doesn’t include temporary impairments (break an arm, finger). Disabilities can make life extremely difficult. Can use technology to overcome these challenges.

Vision:

  • Complete blindness.
  • Degeneration.
  • Diabetes.
  • Impairments.

Wide range. How do these people use iOS?

VoiceOver

  • Replicates the UI for users who can’t see it.
  • 36 languages.
  • On iOS and OS X, iPod shuffle.
  • Can also extend using braille.
    • Braille displays.
    • Braille keyboards.
  • Makes a device that is completely usable for wide range of people that wouldn’t be able to otherwise.
  • Single tap to hear. Double tap to open.
  • Camera app. Demo – finally understand face detection.
    • Wouldn’t have thought camera could be accessible.
  • Demo Text edit.
  • Demo Flappy bird. Voice over doesn’t see anything on the screen.
    • If an app isn’t accessible, it’s just like a blank screen.

Make views accessible using isAccessibilityElement. Can also set accessibilityLabel. UIKit uses the title. Image-based controls need to specify this! Don’t include the control type in the label; VoiceOver adds it from the traits.

accessibilityTraits: Combination of traits that best characterise the accessibility element.

accessibilityValue: Used when element has a dynamic value. Like a slider.

accessibilityHint: Describes outcome of performing an action.

Adding support to xib or storyboard:

  • Enable a11y.
  • Fill out label.
  • Add hint traits.

Adding support programmatically:

  • Set label.
  • Set hint.
  • Set value.
  • Set traits.

Most apps have moved beyond the basics: gestures, games. Handle this by finding out if the user has VoiceOver on (UIAccessibilityIsVoiceOverRunning), and if so, present something different.

UIAccessibilityCustomAction: Can add multiple actions to an element, e.g. an array of actions on a table cell. In Apple’s own apps since iOS 7; public API as of iOS 8.

UIAccessibilityContainer: Specify the order voiceover should go through the elements.

accessibilityActivate added in iOS 7. Gets called when the user double taps. Good when a gesture is normally used to activate.

DirectInteraction. Have to be careful about how you use it.

A11y notifications. Know if VO is speaking, when it has finished speaking. Can tell it to read things out at specific times.

Two finger double tap. e.g. in camera, will take a picture.

What if not using UIKit? Implement UIAccessibilityContainer protocol. VoiceOver just needs to know the frame of the contents and where they are on screen. Good sample code from WWDC.

Testing VO:

  • Test plans
  • User stories
  • Use cases
  • Do all of these with VO.
  • Simulator good for debugging. Use accessibility inspector.
  • Accessibility Shortcut: triple-click the Home button. Or tell Siri!
  • Screen curtain: three-finger triple tap on the screen. Good way to conserve battery! Makes sure you are not cheating.

User testing:

  • @applevis
  • WWDC labs
  • Charities and local councils
  • Support groups

Motor skills: Maybe can’t perform gestures, or press buttons, or hold a phone. In that case, device is blank screen. Can’t do anything with it.

Assistive touch: Can access things like more fingers, gestures, shaking.

Switch control: In iOS 7. Allows people to use device by using a series of switches. Can be used by hands, feet, head, anything. One switch or multiple switches depending on abilities.

  • Camera with switch control, take a picture.
  • Flappy birds with switch control. not very successful!

Amazing feature, very necessary, glad they added it.

Adding support for switch control:

  • Find elements that have actionable behaviour
  • If you’ve gone through a11y APIs for voiceover, should work.
  • Could make it better, if you did the a11y container protocol, specify a better order.

Have to test on a device; the Simulator only gives you the inspector.

Go through the same thing: make sure you can do the things your app does.

Contact Apple, super happy to help with things like that. Talk to local charities or user groups.

Learning Difficulties

Autism, or cognitive disabilities. iOS can be distracting, because it’s quite an engaging experience. How does someone use it?

Guided Access. Helps them focus. Parent or care giver can specify what actions shouldn’t be allowed.

UIAccessibilityIsGuidedAccessEnabled() lets an app check whether Guided Access is on.

Visual accommodations:

  • Is bold text enabled (UIAccessibilityIsBoldTextEnabled)
  • Reduce transparency (UIAccessibilityIsReduceTransparencyEnabled)
  • Darker system colors (UIAccessibilityDarkerSystemColorsEnabled)
  • Reduce motion (UIAccessibilityIsReduceMotionEnabled)

Why add a11y?

Things to do:

  • Push to OSS projects you use
  • Talk about it more – blog about it
  • Get involved
  • Still a LOT to do
  • Even if it seems like only a few people you can make a big diff

Try:

  • Spend a whole day with voice over on (very few support it)
  • Take one weekend to do something with a11y.
  • Work with charity to run a hackathon or hack day
  • As a dev it’s up to you to make your app a11y

Facts:

  • Is a lot of people, 1 in 7
  • Very simple to add
  • No app is too complicated to be a11y
  • Testing is straightforward
[personal profile] puzzlement posting in [community profile] incrementum
Originally posted to incrementum.puzzling.org. Comment there unless you have a Dreamwidth login.

V, aged almost 13 months (February 2011) asleep on the floor of his childcare centre when I arrived to pick him up:

Childcare pickup

A, aged 9½ months (October 2014), asleep standing up and resting against our (huge) beanbag:

Beanbag snooze

I had been on the phone to Andrew yesterday and everything had gone very, very quiet. She was sleeping so soundly that she only woke briefly to squeak when I picked her up, and I put her down to sleep in her cot with no further wakings.

[syndicated profile] hypatia_dot_ca_feed

Posted by Leigh Honeywell

I’m pleased to announce that I am joining Mod N Labs, a new security startup accelerator based in San Francisco, as an advisor. I’ll bring my industry experience as well as diversity and inclusion expertise as we help entrepreneurs build the next generation of security companies. I’m still at Heroku as my day job – it continues to be awesome.

If you have a cool security startup idea and would like to work with an amazing community of advisors and investors, please reach out – we want to hear from you. We are particularly interested in hearing from founders who are currently underrepresented in the security industry, including women, people of colour, LGBTQ people, and people with disabilities. We recognize that there is a mountain of research showing that diverse teams perform better, and we’d be remiss in not seeking out founders as diverse as the security landscape we live in.


Flashback Friday: playgrounds

Oct. 31st, 2014 08:40 am
[personal profile] puzzlement posting in [community profile] incrementum

V, aged 9½ months (November 2010):

Interacting with favourite toy Favourite toy

A, aged 9½ months (October 2014):

Playground toy

There’s a lot of differences at this age, actually. V most likely crawled over to that abacus himself, stood up, and casually leaned on it with one arm and I sure didn’t encourage him to lick the abacus. (Except insofar as I was standing there taking the photo!)

Whereas I put A in that position and moved a couple of the dials and levels so that she got the idea. She does pull up to stand, actually, and quite regularly, but her crawling is not at the point yet where she has realised that she can just go and interact with things that are much out of reach if she wants to. This last weekend I sat her on a picnic blanket and she stayed on it playing for about an hour. She did however at some point manage to eat some dirt. Because she is a baby.

Chip & PIN vs. Chip & Signature

Oct. 30th, 2014 08:13 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than the regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. The two parts address different kinds of fraud: the chip makes the card hard to counterfeit, and requiring a PIN at each transaction stops a lost or stolen card from being used by whoever has it.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-a-vis other nations that have already made the switch to chip cards. So I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa maintains that it is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where it was before the migration. The criminals there have adjusted, and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada.

BK: What are some of the things that have pushed more banks in the US toward chip-and-signature?

Conroy: As I talk to the networks and the issuers who have made their decision about where to go, there are a few things that are moving folks toward chip-and-signature. The first is that we are the most competitive market in the world, and so as you look at the business case for chip-and-signature versus chip-and-PIN, no issuer wants to have the card in the wallet that is the most difficult card to use.

BK: Are there recent examples that have spooked some of the banks away from embracing chip-and-PIN?

Conroy: There was a Canadian issuer that — when they did their migration to chip — really botched their chip-and-PIN roll out, and consumers were forgetting their PIN at the point-of-sale. That issuer saw a significant dip in transaction volume as a result. One of the missteps this issuer made was that they sent their PIN mailers out too soon before you could actually do PIN transactions at the point of sale, and consumers forgot. Also, at the time they sent out the cards, [the bank] didn’t have the capability at ATMs or IVRs (automated, phone-based customer service systems) for consumers to reset their PINs to something they could remember.

BK: But the United States has a much more complicated and competitive financial system, so wouldn’t you expect more issuers to be going with chip-and-PIN?

Conroy: With consumers having an average of about 3.3 cards in their wallet, and the US being a far more competitive card market, the issuers are very sensitive to that. As I was doing my chip-and-PIN research earlier this year, there was one issuer that said quite bluntly, “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” So the issuers I spoke with wanted to keep it simple: Go to market with plain vanilla, and once we get this working, we can evaluate adding some sprinkles and toppings later.

BK: What about the retailers? I would think more of them are in favor of chip-and-PIN over signature.

Litan: Retailers want PINs because they strengthen the security of the point-of-sale (POS) transaction and lessen the chances of fraud at the POS (which they would have to eat if they don’t have chip-accepting card readers but are presented with a chip card). Also retailers have traditionally been paying lower rates on PIN transactions as opposed to signature transactions, although those rates have more or less converged over time, I hear.

BK: Can you talk about the ability to use these signature cards outside the US? That’s been a sticking point in the past, no?

Conroy: The networks have actually done a good job over the last year to 18 months in pushing the [merchant banks] and terminal manufacturers to include “no cardholder verification method” as one of the options in the terminals. Which means that chip-and-signature cards are increasingly working. There was one issuer I spoke with that had issued chip-and-signature cards already for their traveling customers and they said that those moves by the networks and adjustments overseas meant that their chip-and-signature cards were working 98 percent of the time, even at the unattended kiosks, which were some of the things that were causing problems a lot of the time.

BK: Is there anything special about banks that have chosen to issue chip-and-PIN cards over chip-and-signature?

Conroy: Where we are seeing issuers go with chip-and-PIN, largely it is issuers where consumers have a very compelling reason to pull that particular card out of their wallet. So, we’re talking mostly about merchants who are issuing their own cards and have loyalty points for using that card at that store. That is where we don’t see folks worrying about the attrition risks so much, because they have another point of stickiness for that card.

BK: What did you think about the White House announcement that specifically called out chip-and-PIN as the chip standard the government is endorsing?

Conroy: The White House announcement I thought was pure political window dressing. Especially when they claimed to be taking the lead on credit card security. Visa, for example, made their initial road map announcement back in 2011. And [the White House is] coming to the table three years later thinking that it’s going to influence the direction the market is taking when many banks have spent in some cases upwards of a year coding toward these specifications? That just seems ludicrous to me. The chip-card train has been out of the station for a long time. And it seemed like political posturing at its best, or worst, depending on how you look at it.

Litan: I think it is very significant. It’s basically the White House taking the side of the card acceptors and what they prefer. Whatever the government does will definitely help drive trends, so I think it’s a big statement.

BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.

[personal profile] mjg59
I'm not a huge fan of Hacker News[1]. My impression continues to be that it ends up promoting stories that align with the Silicon Valley narrative of meritocracy, technology will fix everything, regulation is the cancer killing agile startups, and discouraging stories that suggest that the world of technology is, broadly speaking, awful and we should all be ashamed of ourselves.

But as a good data-driven person[2], wouldn't it be nice to have numbers rather than just handwaving? In the absence of a good public dataset, I scraped Hacker Slide to get just over two months of data in the form of hourly snapshots of stories, their age, their score and their position. I then applied a trivial test:
  1. If the story is younger than any other story
  2. and the story has a higher score than that other story
  3. and the story has a worse ranking than that other story
  4. and at least one of these two stories is on the front page
then the story is considered to have been penalised.

(note: "penalised" can have several meanings. It may be due to explicit flagging, or it may be due to an automated system deciding that the story is controversial or appears to be supported by a voting ring. There may be other reasons. I haven't attempted to separate them, because for my purposes it doesn't matter. The algorithm is discussed here.)

Now, ideally I'd classify my dataset based on manual analysis and classification of stories, but I'm lazy (see [2]) and so just tried some keyword analysis:
Keyword     Penalised   Unpenalised
Women          13            4
Harass          2            0
Female          5            1
Intel           2            3
x86             3            4
ARM             3            4
Airplane        1            2
Startup        46           26
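
The four-clause test and the keyword tally above are simple enough to write down in full. The Python below is an added example written for this page, not mjg59's scraping script and not the Hacker Slide export format: the Story fields, the two hourly snapshots and the titles are constructed to exercise the test. The test is sound because HN's published base ranking, roughly points divided by (age in hours + 2) raised to a gravity exponent, is monotone in both inputs: absent a penalty factor, a younger story with more points cannot sit below an older story with fewer, so the only noise is the skew between when the two stories were snapshotted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Story:
    """One story as seen in one hourly snapshot.

    Field names are this example's own, not the Hacker Slide export format.
    """
    id: str
    age_hours: float   # time since submission when the snapshot was taken
    score: int         # points when the snapshot was taken
    rank: int          # listing position; 1 is the top, a larger number is worse
    front_page: bool   # whether the story sat on the front page in this snapshot


def penalised_in_snapshot(snapshot):
    """Return the ids flagged by the post's four-clause test within one snapshot.

    Story s is flagged if some other story t in the same snapshot satisfies:
      1. s is younger than t
      2. s has a higher score than t
      3. s has a worse (numerically larger) rank than t
      4. at least one of s, t is on the front page
    """
    flagged = set()
    for s in snapshot:
        for t in snapshot:
            if s.id == t.id:
                continue
            if (s.age_hours < t.age_hours
                    and s.score > t.score
                    and s.rank > t.rank
                    and (s.front_page or t.front_page)):
                flagged.add(s.id)
                break  # one witness is enough
    return flagged


def penalised_over_run(snapshots):
    """A story counts as penalised if any snapshot in the run flags it."""
    out = set()
    for snap in snapshots:
        out |= penalised_in_snapshot(snap)
    return out


def keyword_table(titles, penalised, keywords):
    """Case-insensitive substring tally: keyword -> (penalised, unpenalised)."""
    table = {}
    for kw in keywords:
        pen = unpen = 0
        for sid, title in titles.items():
            if kw.lower() in title.lower():
                if sid in penalised:
                    pen += 1
                else:
                    unpen += 1
        table[kw] = (pen, unpen)
    return table


# Constructed sample: two consecutive hourly snapshots of a handful of stories.
# Ages, scores and ranks are made up to exercise the test, not real HN data.
SNAPSHOTS = [
    [
        Story("a", 2.0, 80, 5, True),
        Story("b", 5.0, 40, 2, True),
        Story("c", 1.0, 10, 40, False),
        Story("d", 10.0, 100, 1, True),
    ],
    [
        Story("a", 3.0, 95, 4, True),
        Story("b", 6.0, 45, 2, True),
        Story("c", 2.0, 60, 35, False),   # off the front page, but b is on it
        Story("d", 11.0, 110, 1, True),
        Story("e", 0.5, 70, 3, True),
    ],
]

TITLES = {  # constructed titles for the keyword tally
    "a": "Women in tech: a startup founder's story",
    "b": "ARM vs x86: measured power draw",
    "c": "Harassment at a conference, one year on",
    "d": "Show HN: my new startup",
    "e": "Intel announces new x86 parts",
}

if __name__ == "__main__":
    flagged = penalised_over_run(SNAPSHOTS)
    print("penalised:", sorted(flagged))
    for kw, (pen, unpen) in keyword_table(TITLES, flagged, ["Women", "Startup", "x86"]).items():
        print(f"{kw:8s} penalised={pen} unpenalised={unpen}")
```

In the second snapshot, story c is flagged even though it is not on the front page, because the older, lower-scoring b is; that is exactly clause 4. Story e is flagged against b despite outranking a, which is why the inner loop stops at the first witness rather than requiring every comparison to agree.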

A few things to note:
  1. Lots of stories are penalised. Of the front page stories in my dataset, I count 3240 stories that have some kind of penalty applied, against 2848 that don't. The default seems to be that some kind of detection will kick in.
  2. Stories containing keywords that suggest they refer to issues around social justice appear more likely to be penalised than stories that refer to technical matters
  3. There are other topics that are also disproportionately likely to be penalised. That's interesting, but not really relevant - I'm not necessarily arguing that social issues are penalised out of an active desire to make them go away, merely that the existing ranking system tends to result in it happening anyway.

This clearly isn't an especially rigorous analysis, and in future I hope to do a better job. But for now the evidence appears consistent with my innate prejudice - the Hacker News ranking algorithm tends to penalise stories that address social issues. An interesting next step would be to attempt to infer whether the reasons for the penalties are similar between different categories of penalised stories[3], but I'm not sure how practical that is with the publicly available data.

(Raw data is here, penalised stories are here, unpenalised stories are here)


[1] Moving to San Francisco has resulted in it making more sense, but really that just makes me even more depressed.
[2] Ha ha like fuck my PhD's in biology
[3] Perhaps stories about startups tend to get penalised because of voter ring detection from people trying to promote their startup, while stories about social issues tend to get penalised because of controversy detection?
[personal profile] frith posting in [community profile] ponyville_trot
Just in time for Halloween, the Nightmare Night pony-theme jack-o-lanterns submission deadline is today. The gallery is here, to be posted on Equestria Daily soon. There are some nice ones. ^_^

[Image: Halloween 2014 Flutterbat, by leadfoot9]
Source: http://leadfoot9.deviantart.com/art/Halloween-2014-Flutterbat-490656925

John R wrote: "Done mostly with wood carving tools and an X-Acto knife. The inset is an overhead view of the lid."

[Image: Midnight Blossom pumpkin carving, by ask-bluehorizon]
Source: http://ask-bluehorizon.deviantart.com/art/Pumpkin-Carving-Midnight-Blossom-490946033

...Wow. 0_0

[Image: Twilight, by Party Grunt]

Party Grunt has three venues: Youtube, Tumblr and DeviantArt.

[Image: Insert Bad Pumpkin Pun Here, by largent2005]
Source: http://largent2005.deviantart.com/art/Insert-Bad-Pumpkin-Pun-Here-491500665

Largent has a few other line-carved pumpkins in his gallery, including this Princess Twilight all decked out in her robes and regalia.

[Image: Cutie Mark Crusaders pumpkins, by archiveit1]
Source: http://archiveit1.deviantart.com/art/Cutie-Mark-Crusaders-Pumpkins-488755356

There are three pumpkins in this image, I cheated and edited the picture to make it tighter. Archiveit1 has a bunch of excellent carved pumpkins in his gallery, including Sunset Shimmer, Zecora and Fluffle Puff.
[syndicated profile] cakewrecks_feed

Posted by Jen

Bakeries get a lot of leeway this time of year, since Halloween is supposed to have ugly gross stuff:

 

But there's raspberry jam soaked zombie faces, and then there's... uh... this:

Took me a solid minute to figure it out:

A banana shooting laser beams.

(I am SO GOOD AT THIS, you guys.)

 

Yep, bakers are once again trying to collectively punk the world, churning out ridiculous Halloween designs each more baffling than the last:

Aliens? Amoebas?
This guy?

 

I actually see this design a lot:

The angry toilet paper has sprouted arms, and is pulling itself to freedom.

 

While this roll vows revenge on airbrushes everywhere:

"I am not 'pretty,' I AM THE TERRIFYING TP! Here to WIPE you out! Mwuah-ha-haaawhy are you laughing?"

 

Next we have an ice cream swirl wearing a traffic cone about to be impaled by a trident.
Because if THAT doesn't say "Happy Halloween"... then don't worry 'cuz the board does:

 

For some reason ghost sperm are always a big seller this time of year:

They look kinda confused, though, right?
Like they can't tell if they're coming or going.

[HEYO.]

 

Also confused? Me, after looking at this thing:

They managed to get icing absolutely everywhere except on top of the cupcakes.
Now that's scary.

 

And finally, a possessed stove burner:

Because haunted appliances are SO hot right now.

("It burns. IT BURRRRNS!")

 

There's a ghost of a chance Brittany D., Carrie, Ginny V., Karen S., Megan S., Karrie T., Jennifer K., Jennifer R., & Shannon T. will be ordering out tonight. You're welcome, ladies!


On joining the FSF board

Oct. 29th, 2014 05:01 pm
[personal profile] mjg59
I joined the board of directors of the Free Software Foundation a couple of weeks ago. I've been travelling a bunch since then, so haven't really had time to write about it. But since I'm currently waiting for a test job to finish, why not?

It's impossible to overstate how important free software is. A movement that began with a quest to work around a faulty printer is now our greatest defence against a world full of hostile actors. Without the ability to examine software, we can have no real faith that we haven't been put at risk by backdoors introduced through incompetence or malice. Without the freedom to modify software, we have no chance of updating it to deal with the new challenges that we face on a daily basis. Without the freedom to pass that modified software on to others, we are unable to help people who don't have the technical skills to protect themselves.

Free software isn't sufficient for building a trustworthy computing environment, one that not merely protects the user but respects the user. But it is necessary for that, and that's why I continue to evangelise on its behalf at every opportunity.

However.

Free software has a problem. It's natural to write software to satisfy our own needs, but in doing so we write software that doesn't provide as much benefit to people who have different needs. We need to listen to others, improve our knowledge of their requirements and ensure that they are in a position to benefit from the freedoms we espouse. And that means building diverse communities, communities that are inclusive regardless of people's race, gender, sexuality or economic background. Free software that ends up designed primarily to meet the needs of well-off white men is a failure. We do not improve the world by ignoring the majority of people in it. To do that, we need to listen to others. And to do that, we need to ensure that our community is accessible to everybody.

That's not the case right now. We are a community that is disproportionately male, disproportionately white, disproportionately rich. This is made strikingly obvious by looking at the composition of the FSF board, a body made up entirely of white men. In joining the board, I have perpetuated this. I do not bring new experiences. I do not bring an understanding of an entirely different set of problems. I do not serve as an inspiration to groups currently under-represented in our communities. I am, in short, a hypocrite.

So why did I do it? Why have I joined an organisation whose founder I publicly criticised for making sexist jokes in a conference presentation? I'm afraid that my answer may not seem convincing, but in the end it boils down to feeling that I can make more of a difference from within than from outside. I am now in a position to ensure that the board never forgets to consider diversity when making decisions. I am in a position to advocate for programs that build us stronger, more representative communities. I am in a position to take responsibility for our failings and try to do better in future.

People can justifiably conclude that I'm making excuses, and I can make no argument against that other than to be asked to be judged by my actions. I hope to be able to look back at my time with the FSF and believe that I helped make a positive difference. But maybe this is hubris. Maybe I am just perpetuating the status quo. If so, I absolutely deserve criticism for my choices. We'll find out in a few years.
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone’s time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims.

The following scenario plays out far too often. E-fame seekers post a fake database dump to a site like Pastebin and begin messaging journalists on Twitter and other social networks, claiming that the dump is “proof” that a particular company has been hacked. Inevitably, some media outlets will post stories questioning whether the company was indeed hacked, and the damage has been done.

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

According to Nixon, the easiest way to check a leak claim is to run a simple online search for several of its components. As Nixon explains, seeking out unique-looking artifacts — such as odd passwords or email addresses — very often reveals that the supposed leak is in fact little more than a recycled leak from months or years prior. While this may seem like an obvious tip, it’s appalling how often reporters fail to take even this basic step in fact-checking a breach claim.

A somewhat more advanced test measures how many of the “leaked” accounts are actually registered at the supposedly breached organization. Most online services do not allow two different user accounts to share an email address, so attempting to sign up for an account using an email address from the claimed leak is an effective way to test the claim: if the sign-up succeeds, no account with that address existed. If several of the email addresses in the claimed leak do not already have accounts at the allegedly breached Web site, the claim is almost certainly bogus. The test only works on sites that enforce email uniqueness (see below), and the probe should be limited to a handful of addresses; it is, after all, the same account-enumeration technique that sites try to rate-limit.


To determine whether the alleged victim site requires email uniqueness for user accounts, the following test should work: create two different accounts at the service, each with its own email address, then attempt to change one account’s email address to the other’s. If the site refuses the change, duplicate emails are not allowed and the registration test above is meaningful; if it accepts the change, a successful sign-up proves nothing.

Importantly, Nixon notes that these techniques can only show that a leak claim is fake; they cannot prove that a compromise has or hasn’t occurred. One of the sneakier ways that ne’er-do-wells produce convincing data leak claims is through what’s called a “combolist.” With combolists, miscreants build a list of credentials that work at a specific site by taking public credential lists from previous leaks at other sites and testing them against the target.

This technique works because a fair percentage of users re-use the same password at multiple sites. Armed with automated account-checking programs, e-fame seekers can quickly build a list of working credential pairs for any number of sites, and use that list to back up a claim that the site has been hacked.

Account checking tools sold on the cybercriminal underground by one vendor.


But according to Nixon, credential lists assembled from combolists tend to show some basic patterns that give them away.

“Very often, you can tell a list of credentials is from a combolist because the list will be nothing more than username and password pairs, instead of password hashes and a whole bunch of other database information,” Nixon said.
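The two checks above, the search for artifacts that already appear in an older dump and the bare user:password tell of a combolist, are simple enough to script. What follows is an added example written for this page; it is not code from Nixon’s paper or from KrebsOnSecurity. The two dumps are constructed samples (the older one a CSV with MD5 hashes, the “new” one plaintext pairs), the hash check assumes the prior dump used unsalted MD5, and the thresholds are illustrative.

```python
import hashlib
import re

# Constructed sample: an older dump that is already public (what a search for one of
# the odd-looking artifacts, or a local corpus of prior leaks, would turn up).
PRIOR_DUMP = """\
id,email,password_hash,signup_date
101,alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99,2011-03-02
102,bob@example.org,e99a18c428cb38d5f260853678922e03,2011-05-19
103,carol@example.net,9d5ed678fe57bcca610140957afab571,2012-01-07
"""

# Constructed sample: the "new" leak posted to a paste site.
CLAIMED_LEAK = """\
alice@example.com:password
bob@example.org:abc123
dave@example.com:letmein
erin@example.org:qwerty
"""

DELIM = re.compile(r"[:;,\t]")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_rows(text):
    """Return (email, secret, field_count) for every line that carries an e-mail.
    The secret is whatever field follows the e-mail; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in DELIM.split(line.strip())]
        idx = next((i for i, f in enumerate(fields) if "@" in f), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        rows.append((fields[idx].lower(), fields[idx + 1], len(fields)))
    return rows


def looks_like_hash(secret):
    """Hex MD5/SHA-1/SHA-256, or a crypt/bcrypt-style prefix."""
    return bool(HASH_RE.match(secret)) or secret.startswith(("$", "{"))


def classify_format(rows):
    """A real database dump carries hashes and extra columns; a combolist is
    bare user:password pairs (the tell Nixon describes)."""
    if not rows:
        return "empty"
    hashed = sum(1 for _, s, _ in rows if looks_like_hash(s))
    extra_columns = sum(1 for *_, n in rows if n > 2)
    if hashed >= len(rows) / 2 or extra_columns >= len(rows) / 2:
        return "database-dump-like"
    return "combolist"


def recycled_from_prior(claimed, prior):
    """Count claimed accounts already present in the prior dump, and how many
    claimed plaintexts are simply cracked versions of the prior dump's MD5 hashes."""
    prior_by_user = {u: s for u, s, _ in prior}
    seen = cracked = 0
    for user, secret, _ in claimed:
        old = prior_by_user.get(user)
        if old is None:
            continue
        seen += 1
        if hashlib.md5(secret.encode()).hexdigest() == old.lower():
            cracked += 1
    return seen, cracked


def triage(claimed_text, prior_text):
    """Apply both checks and return a summary dict with a verdict string."""
    claimed, prior = parse_rows(claimed_text), parse_rows(prior_text)
    fmt = classify_format(claimed)
    seen, cracked = recycled_from_prior(claimed, prior)
    if claimed and seen >= len(claimed) / 2:
        verdict = "recycled from a prior leak"
    elif fmt == "combolist":
        verdict = "combolist: proves password reuse, not a breach of this site"
    else:
        verdict = "format consistent with a real dump; vet further"
    return {"rows": len(claimed), "format": fmt, "recycled_accounts": seen,
            "cracked_from_prior": cracked, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(CLAIMED_LEAK, PRIOR_DUMP).items():
        print(f"{key}: {value}")
```

Run against the constructed samples, half of the “new” leak’s accounts are already in the old dump and their plaintexts hash to the old MD5 values, so the script reports a recycled leak; a list with no overlap but only bare pairs is still flagged as a combolist, which is exactly the case the registration test above cannot settle.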

A great example of this came earlier this month when multiple media outlets repeated a hacker’s claim that he’d stolen a database of almost seven million Dropbox login credentials. The author of that hoax claimed he would release on Pastebin more snippets of Dropbox account credentials as he received additional donations to his Bitcoin account. Dropbox later put up a blog post stating that the usernames and passwords posted in that “leak” were likely stolen from other services.

Other ways of vetting a claimed leak involve more detailed and time-intensive research, such as researching the online history of the hacker who’s making the leak claims.

“If you look at the motivation, it’s mostly ego-driven,” Nixon said. “They want to be a famous hacker. If they have a handle attached to the claim — a name they’ve used before — that tells me that they want a reputation, but that also means I can check their history to see if they have posted fake leaks in the past. If I see a political manifesto at the top of a list of credentials, that tells me that the suspected leak is more about the message and the ego than any sort of breach disclosure.”

Nixon acknowledged that attackers could use the techniques in her paper to produce higher-quality fake leaks, but said the awareness the document provides benefits the public more than it benefits attackers.

“For the most part, there are a few fake breaches that get posted over and over again on Pastebin,” she said. “There is just a ton of background noise, and I would say only a tiny percentage of these breach claims are legitimate.”

A full copy of the Deloitte report is available here (PDF).

Happy Halloweenies!

Oct. 29th, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

How do I know these cakes want us to have a happy Halloween?

Why, it's as plain as the dongs on their faces.

 

 

 

 

My personal favorite:

"GET IT OFF GET IT OFF GET IT... oh."

 

And finally, ever wonder when your hubby's about to pick up a new nickname for certain regions of his anatomy?

HERE'S YOUR SIGN:

 

Thanks to Jill P., Katie G., Alyson B., Patrick M., Melissa S., Stephanie F., & Dion H. for ensuring John never calls me 'pumpkin' again.

 

And now, your Moment of Jen:

The pumpkin face says it all.


*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

bunny in a bowl

Credit: Flickr / jpockele

When I previously wrote about better testing of view controllers on iOS I alluded briefly to the strategy of breaking the ViewController into a ViewController and a Presenter.

Again, I won’t go into mocking here, but you need a mocking framework and some understanding of what mocking is for this to make sense. Currently, I’m using OCMock. Also, XCTest is not the best documented, but here is a handy list of asserts.

This strategy means that for each ViewController there are two classes, MyViewController and MyViewPresenter. This inherits from top level classes which I have imaginatively named ViewController (inheriting from UIViewController) and Presenter (inheriting from NSObject).

 

ViewController and Presenter

Presenter

The aim of the Presenter class is to expose the things that any ViewController might want to access, making it unnecessary for MyViewController to know about the MyViewPresenter class.

Presenter Interface

Presenter Implementation

ViewController

This class handles setting the presenter, ensuring the navigation buttons are set up properly, and that viewLoaded gets called.

ViewController Interface

ViewController Implementation

Testing ViewController and Presenter

Neither of these classes do very much, but they provide us with a way to create a seam which is how we write unit tests. It might seem unnecessary to write tests for these, but that just means that the tests will be quick and simple. I err on the side of if it exists, test it. Both because it’s normally faster to just test it than decide every time, and also because I am often not as smart as I’d like to think I am, therefore am liable to break things.

I’ve opted to use Strict mocks rather than their more forgiving brethren, because I want to know exactly what is going on. This makes the tests a little more brittle than strictly necessary, but I find it a helpful learning mechanism.

PresenterTest

ViewControllerTest

Example: HomeViewController and HomeViewPresenter

This is the home screen for an image app, with a simple UI featuring 3 buttons – take a picture, show the gallery, and “inspire” which is not yet implemented.

HomeViewPresenter Interface

The init method is exposed for testing, but the ViewController is instantiated in the app by calling createViewController.

HomeViewPresenter Implementation

Notice, the view elements are accessed through the views and the actions added to them all call methods in the Presenter itself. The Presenter is also the delegate for the ImagePickerViewController.

HomeViewController Interface

The ViewController exposes the view within it, and a method for launching an ImagePickerViewController.

HomeViewController Implementation

You can see as a result the ViewController has very little code, because all it is doing is presentation.

Testing HomeViewController

The tests for the HomeViewController are very simple.

Testing HomeViewPresenter

The presenter is a little more interesting. Notice how we capture the action added to the UIButton and call it using sendActionsForControlEvents:.

The End

When starting from scratch, this method makes it so easy to write unit tests and doesn’t really increase the amount of code required per ViewController, just splits it in two. It’s harder to retrofit to an existing codebase, but it is possible.

Start with the top level classes, and then choose the simplest ViewControllers in your codebase to split. Add tests for them. Then choose progressively more complicated ones. You may need to add more methods to the top level ViewController and Presenter, depending on the complexity of your app. Often the reason why we don’t add tests for ViewControllers is that we never have, so starting is the hardest part.

Finally, on UIAutomation tests, I don’t see this as a replacement for KIF or other UIAutomation tests. These are great for making sure that every screen on the app loads OK, for example, and I still see apps sometimes (especially as apps have got larger) where some unloved corner of the app means that that what should launch a new screen just crashes. However these kind of tests allow us to get into details with less setup than is required by UIAutomation tests, making them easier and less time-consuming to debug.

In the City of Dreams

Oct. 28th, 2014 07:20 pm
ponyville_trot: Six cartoon ponies in a huddle (Default)
[personal profile] frith posting in [community profile] ponyville_trot
In_the_city_of_Dreams_by_WhiteDiamonds
Source: http://rarijackdaily.tumblr.com/image/101074067618

Quote: Unfinished concept art of Ponydora Prancypants’ fanfiction “The Fruits of Their Labors”.

I like it this way. 8^) White Diamonds is also on DeviantArt.

First extended rear-facing seats

Oct. 29th, 2014 09:51 am
[personal profile] puzzlement posting in [community profile] incrementum
Originally posted to incrementum.puzzling.org. Comment there unless you have a Dreamwidth login.

In car seat news, I see Britax has the Premium SICT ISOFIX Compatible out, with rear-facing until the child is 2 or 3. Sadly, it also has a rear-facing depth of 600mm, more than 8cm greater than our current rear-facing seat. I’d need to rest my feet on the dash to ride in front of a seat that big, and I think it would even be impossible for Andrew. Extended rear-facing advocates (well, some of them) have been telling me for ages that extended rear-facing seats take up, if anything, less room in the car than normal rear-facing infant seats, because the seat doesn’t have to recline as much. If this is any guide… not so much.

Perhaps this will be true when cheaper extended rear-facing seats start to come out (apparently being a tall adult is not a “premium” parenting feature… except when you’re buying prams and strollers, when it totally is). I think it’s likely A will be pushing age 2 by that point anyway, so with any luck, this is the end of my very short career as a car seat blogger!

Disclosures: you can rest assured no one is offering me their giant car seats in return for a review!

beable: (inside of a dog it's too dark too read)
[personal profile] beable
So I phoned my mother 5 minutes ago to ask if she thinks that Annie (her schnauzer) needs a pet Great Dane.

Because this is how my family communicates: by trawling the Humane Society website (or Beagle Paws, or other dog rescue sites) and trying to fob them off on each other.

Actually this does pretty much explain the addition of both Brooke and Dede to their household.

A Spirited Similarity

Oct. 28th, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Ever wonder what it'd look like if famous characters came back as wrecky ghost cakes?

Yeah, me neither.

But I guess these bakers did!

 

A ghost called Jayne:

"All this booing is damaging my calm."

 

Spy VS Spy:

[mimes dropping a giant bomb on both]

 

Aquaman:

Sounds fishy.

 

Pac-Man:

 

 

A Pac-Man ghost.

So meta.

 

A garden slug:
(Just go with it.)

C'mon, bakers. Slugs? Really?

 

A door mat:

Ok, now we're just getting ridiculous.

 

A roll of toilet paper:

Srsly??

(Let's not ponder too long what the little ghost on top is.)

 

And finally,

The Ghosts of Toilet Water Passed:

You could say they've been circling the drain for some time now.

[Ba dum BUM!]

 

Thanks to Gabrielle H., Katie B., Pam A., Danyell, Vicky B., Creig N., Karen T., & Joe T. for the sweet flush of victory.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Live Tweeting My Own Talk

Oct. 28th, 2014 12:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

collection of tweets from my talk

The other week, I live tweeted one of my own talks. It’s captured here (thanks Kelsey!). I’ve been live tweeting a lot lately, and when I attend talks I take notes and/or live tweet so this became a natural extension. I’ve noticed a couple of other speakers (Kronda and Jo Miller) using tweets as part of their talks, so I wanted to try it.

I picked this talk because it was a small audience, and a last minute invitation so I was okay with being slightly less polished than usual, and because of the topic. I was talking about what happened at Grace Hopper (GHC) and live tweeting things that other people’s talks, so live tweeting my own seemed fair.

It was a slightly last minute decision, as I was going through my notes I had a thought “what if I do this” and so I didn’t have time to optimise it! I used Jo’s strategy of saving the tweets that I would send out in my drafts folder, and decided to number them at the start (1), (2), etc., so it would be easy for me to see at a glance which one came next. I accidentally tweeted instead of saved one as part of this process, but I quickly copied the text and deleted it so it was OK! I made sure to put my phone on DND mode so that I wouldn’t be distracted by notifications.

The best thing about live tweeting my own talk was that it allowed the reach of that talk to go beyond the small audience in the room. The collection itself has been pretty popular (and it made me very happy that someone had thought my remarks worth collecting!) as well as the individual tweets having good levels of engagement. It’s also nice that the message of this was curated by me – records of women speaking are often imperfect (my friend and amazing speaker coach Denise has been working on this for a long time) and I have been diligent about documenting my own talks in part because of this. One thing that I have done for a while is collect the tweets that happen during my talk into a Storify, it’s always a surprise what people have pulled out, or haven’t. In this case, the people in the room didn’t tweet at all, so if I hadn’t captured it myself there would have been no record, other than my notes (which I will eventually put up in a blogpost).

The drafts section of Twitter for iOS is not really set up well to do this. It was multiple taps to share each tweet. Buffer and “share now” would have been far better, so if I decide to do this again upgrading to Buffer Premium might be a better way to go, or giving my phone to a trusted friend in the audience.

I think I do need to pause more, so I figured taking this time for silence would be a good thing for my audience but I don’t think this worked as I had hoped – rushing to work through the UI to get to the buried drafts folder, scrolling down to the bottom. Not ideal. I know it made me less good at eye contact. It also meant that I was working from two devices – my notes on my iPad, and my tweets on my iPhone. A talk that I’d spent more time preparing and been more familiar with, I could have used the tweets as my prompts and just shared them as I progressed through the talk. I did this talk without slides, and adding those transitions in as well would have been way too much!

The final question that I have to ask myself in a debrief of this – will I do it again? Not in that format, but maybe. I tend to prep a talk really well and reuse it, and I don’t think I would want to live tweet a talk more than once. This particular one was full of tweetable soundbites and timely, my talk on mobile is full of stories and I don’t think it would work as well. Maybe the talks I prep for next year will work better. I’ll either get a friend in the audience to help, or use something like Buffer with a better interface for storing a backlog of tweets and sharing one by one.

[syndicated profile] epbot_feed

Posted by Jen

Squeaking in juuust before Halloween to show off my last crafty creation of the month:


A Haunted Mansion inspired door wreath!

(Yep, my front door is HM purple. I painted it last year around Halloween, so it seemed only fitting to finally make a wreath to match!)

Appropriately enough, this thing was a nightmare to photograph, but I did my best. I think you can see everything Ok, but I do wish the two lighted elements showed better; they're really much brighter in person!

The first light is in the coffin:

The green shining through the cracks looks super cool at night.

It was inspired by this coffin in the Mansion's conservatory:

 via

And the second lit element is little Leota's head - or more specifically, her eyes:


John and I discovered that if you cram a LED inside a porcelain doll's head, the eyes glow. Nifty, huh? (Now imagine all your dolls with red glowing eyes... that only turn on... AT NIGHT. MWUAH-HA-HAA!)


Here's how the wreath looks during the day:
A bit of a glare on the Welcome sign, but otherwise still pretty fun in the light!

I painted the coffin & clock green as an homage to the HM cast costumes:


 The wreath materials were quite cheap, but since almost everything had to be made from scratch, it was pretty labor-intensive. Keep reading if you'd like a quick break down & explanation for of all the parts!


Wreath: An old grape vine wreath, spray-painted black. The lower half is covered with "spooky cloth" - a shreddy fabric from the Dollar Tree that cost - you guessed it! - a dollar.

Crows: $1 each at the Dollar Tree, though I replaced the eyes with red crystals.

Leota: One porcelain doll head, painted all spooky-like, fit inside a clear plastic Christmas ornament. To do this, cut the back third off the ornament with a craft blade, so you can fit the head in through the back:

Testing the fit.

It was a tight squeeze - wish I could have found a larger ornament! - so I had to chop off a lot of hair. The doll I used had bangs, so I removed the wig and turned it around. And it doesn't really show, but after this I also sprayed the hair with watered down white & teal craft paint.

To attach the head to the wreath, wrap a thick wire around the neck stump (there should be a recess there already, where the body attached), and then poke the wire ends straight down into the wreath.


Coffin: Plain wooden coffin ($2.99 from JoAnn's), painted, with a plastic skeleton arm & hand glued inside to hold it open. The little wreath is a sprig from an Autumn flower arrangement, twisted into a circle.
 
Note the authentic cat's tail. :) Thanks, Lily.

The green LED is held inside the coffin lid with Velcro, and to attach the coffin to the wreath, we drilled two holes in the back side & threaded a wire through.

Demon Clock: Here's the inspiration clock in Disneyland's Haunted Mansion:

The clock is either gray or wood-toned, depending on which Mansion you visit, but I decided to make mine green to fit the wreath's color scheme.

John carved the clock face from pink insulation foam (you can buy big sheets of it at Home Depot or Lowe's for cheap). Just print out the face, glue it on the foam, and carve through the paper. The foam doesn't carve well for little things like this - really rough & snaggy -  but after I painted it, you'd never know!

 

I also added the tail, cut from thin craft foam. Then we used hot glue to attach a long wire to the back.


Signage: Whipped up in Photoshop (you can download the Haunted Mansion font for free here), printed on gloss paper, and glued to black craft foam for stability. The Welcome sign is attached with wire, and the "Foolish Mortals" chains are attached with hot glue.

Watching eyes: Cut from white craft foam, using this photo as a reference:


Then attached to the wreath cloth with Glue Dots.


Bats: A last-minute addition, since I just got my HM bat ice cube tray in the mail and was desperate to try it out with some casting resin! Here's the painting progression:


After spraying the resin gold (which looks gorgeous on its own), I brushed on a heavy coat of blackish green craft paint, and then quickly wiped it off again. The result is pretty close to the real ride stanchions!


Needless to say, I'll be playing with these resin castings more in the future; I cannot WAIT to make some jewelry with them!

So I think that covers everything on the wreath, but feel free to ask questions in the comments!



And since this is my last Halloween craft, I hope you guys have a spook-tacular Halloween this weekend!

V and A go to a party

Oct. 28th, 2014 10:18 am
[personal profile] puzzlement posting in [community profile] incrementum
Originally posted to incrementum.puzzling.org. Comment there unless you have a Dreamwidth login.

Dressed up Vincent Family moment Lexi the irreverent

[syndicated profile] cakewrecks_feed

Posted by Jen

My friends, cake decorating can be hard. Why do you think we have so much material? But bakers can make their jobs a lot easier by just knowing their limitations.

For instance, bakers, say someone asks you to make a groom's cake that looks like their BMW:

...but you're just figuring out what "edible markers" are.

 

In that case, maybe say no.

See how much better that would have been?

 

Ok, now let's practice together! I'll play the customer.

Hi! Can you make me a cake that looks like this shoe?

 

Now you say, "No. No, I can't."

 

I'd really love Maleficent on a cake! Can you do that?

 

"No. No, I can't."

 

Aw, then how about Tinkerbell?

 

"Sure! No probl... I mean, no. No, I can't."

 

 

See how easy that is? And hey, being able to say no to orders you can't do will give you more time for the ones you can!

Or you could just fill the donuts.

 

Thanks to Lesley H., Molly H., Sheyla S., John A., & Michelle R., who advises steering clear of the Stay Puft donuts, since we all know where THAT leads.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Linux Security Summit 2014 Wrap-Up

Oct. 27th, 2014 12:56 pm
[syndicated profile] blog_namei_org_feed

Posted by jamesm

The slides from the 2014 Linux Security Summit in August may be found linked at the schedule.

LWN covered both the James Bottomley keynote, and the SELinux on Android talk by Stephen Smalley.

We had an engaging and productive two days, with strong attendance throughout.  We’ll likely follow a similar format next year at LinuxCon.  I hope we can continue to expand the contributor base beyond mostly kernel developers.  We’re doing ok, but can certainly do better.  We’ll also look at finding a sponsor for food next year.

Thanks to those who contributed and attended, to the program committee, and of course, to the events crew at Linux Foundation, who do all of the heavy lifting logistics-wise.

See you next year!

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised in the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

A chip card. Image: First Data


The New England bank initially considered the possibility that the perpetrators had somehow cloned chip cards and encoded them with its customers’ card data. In theory, however, cloning a chip card should not be easy. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system already adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a magnetic stripe. EMV cards contain a secure microchip designed to make the card very difficult and expensive to counterfeit.

In addition, an issuer has several ways to validate that a chip transaction is genuine. The chip holds a card-unique secret key that is never read out, and for every transaction it uses that key to compute a “cryptogram” (the ARQC, in EMV terms) over the transaction details, which lets the issuing bank tell whether the card data or the transaction has been altered. The chip also keeps an application transaction counter that increments with each transaction, so a counter value the issuer has already accepted, or one that is out of sequence, signals copied data, a replayed transaction, or other fraud.

And this is exactly what has bank fraud fighters scratching their heads: Why would the perpetrators go through all the trouble of taking plain old magnetic stripe cards stolen in the Home Depot breach (and ostensibly purchased in the cybercrime underground) and making those look like EMV transactions? Why wouldn’t the scammers do what fraudsters normally do with this data, which is simply to create counterfeit cards and use the phony cards to buy gift cards and other high-priced merchandise from big box retailers?

More importantly, how were these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place?

The New England bank said MasterCard initially insisted that the charges were made using physical chip-based cards, but the bank protested that it hadn’t yet issued its customers any chip cards. Furthermore, the bank’s processor hadn’t even yet been certified by MasterCard to handle chip card transactions, so why was MasterCard so sure that the phony transactions were chip-based?

EMV ‘REPLAY’ ATTACKS?

MasterCard did not respond to multiple requests to comment for this story. Visa also declined to comment on the record. But the New England bank told KrebsOnSecurity that in a conversation with MasterCard officials the credit card company said the most likely explanation was that fraudsters were pushing regular magnetic stripe transactions through the card network as EMV purchases using a technique known as a “replay” attack.

According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

“The bad guys knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls,” Litan said. “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it. Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”

The thieves also seem to be messing with the transaction codes and other aspects of the EMV transaction stream. Litan said it’s likely that the perpetrators of this attack had their own payment terminals and were somehow able to manipulate the transaction fields in each charge.
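The failure Litan describes, an issuer that sees the EMV flag and authorizes without checking the cryptogram or the counter, is easiest to see next to an issuer that does check. The following is an added example written for this page, not code from the article, from MasterCard or from any bank. HMAC-SHA256 stands in for the EMV application cryptogram MAC (an assumption made for simplicity), the transaction fields are illustrative rather than the real EMV tag layout, and the PANs, key and merchant IDs are constructed.

```python
import hashlib
import hmac

# Constructed data: one account the issuer actually issued as a chip card (with the
# card-unique key that lives in the chip and in the issuer's HSM), and one stolen
# magnetic-stripe PAN that was never issued as a chip card.
CARD_KEYS = {
    "4111111111111111": bytes.fromhex("00112233445566778899aabbccddeeff"),
}
STOLEN_STRIPE_PAN = "5555555555554444"


def card_cryptogram(key, atc, amount_cents, merchant_id, unpredictable_number):
    """Toy ARQC: a MAC over the transaction data and the transaction counter.
    Real EMV uses a 3DES/AES MAC over specific tags; HMAC-SHA256 stands in here."""
    msg = b"|".join([
        atc.to_bytes(2, "big"),
        amount_cents.to_bytes(6, "big"),
        merchant_id.encode("ascii"),
        unpredictable_number.to_bytes(4, "big"),
    ])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer-side authorization for transactions flagged as chip (EMV)."""

    def __init__(self, verify_cryptogram=True):
        # verify_cryptogram=False models the mis-implemented bank Litan describes:
        # it trusts the EMV flag itself and loosens its other controls.
        self.verify_cryptogram = verify_cryptogram
        self.last_atc = {}  # PAN -> highest transaction counter accepted so far

    def authorize(self, txn):
        """Return (approved, reason) for one transaction dict."""
        pan = txn["pan"]
        if txn["entry_mode"] != "chip":
            return False, "not-a-chip-transaction"
        if not self.verify_cryptogram:
            return True, "approved-on-emv-flag-alone"
        key = CARD_KEYS.get(pan)
        if key is None:
            # The New England case: a chip transaction on an account that was only
            # ever issued a magnetic-stripe card cannot be genuine.
            return False, "chip-transaction-on-non-chip-card"
        if not txn.get("cryptogram"):
            return False, "missing-cryptogram"
        expected = card_cryptogram(key, txn["atc"], txn["amount_cents"],
                                   txn["merchant_id"], txn["un"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False, "bad-cryptogram"
        if txn["atc"] <= self.last_atc.get(pan, -1):
            # Same or older counter value than one already accepted: a replay.
            return False, "atc-replay"
        self.last_atc[pan] = txn["atc"]
        return True, "approved"


def genuine_txn():
    """A transaction as a real chip card would produce it (constructed values)."""
    pan, atc, amount, merchant, un = "4111111111111111", 17, 4250, "BR-STORE-001", 0x1A2B3C4D
    return {"pan": pan, "entry_mode": "chip", "atc": atc, "amount_cents": amount,
            "merchant_id": merchant, "un": un,
            "cryptogram": card_cryptogram(CARD_KEYS[pan], atc, amount, merchant, un)}


def spoofed_txn(captured):
    """Attacker replays a captured chip transaction with a stolen stripe PAN and a
    different merchant swapped in, as the article describes."""
    t = dict(captured)
    t["pan"] = STOLEN_STRIPE_PAN
    t["merchant_id"] = "BR-MOBILE-POS-999"
    return t


def run_scenarios():
    """Run the same traffic past a checking issuer and a non-checking one."""
    strict, lax = Issuer(verify_cryptogram=True), Issuer(verify_cryptogram=False)
    real = genuine_txn()
    tampered = dict(real, amount_cents=8500)  # amount changed after the chip signed it
    return {
        "strict_genuine": strict.authorize(real),
        "strict_replay": strict.authorize(real),          # identical ATC, second time
        "strict_tampered": strict.authorize(tampered),
        "strict_spoofed": strict.authorize(spoofed_txn(real)),
        "lax_spoofed": lax.authorize(spoofed_txn(real)),   # the costly outcome
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16s} -> {result}")
```

The strict issuer rejects the replayed, tampered and PAN-swapped transactions for three different reasons, and the last of those is the one the New England bank could rely on only because it had issued no chip cards at all; once a bank has a mixed card base, the cryptogram and counter checks are what remain. The lax issuer approves the spoofed transaction on the strength of the EMV flag alone.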

“I remember when I went to Brazil a couple of years ago, their biggest problem was merchants were taking point-of-sale systems home, and then running stolen cards through them,” she said. “I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”

The New England bank shared with this author a list of the fraudulent transactions pushed through by the scammers in Brazil. The bank said MasterCard is currently in the process of checking with the Brazilian merchants to see whether they had physical transactions that matched transactions shown on paper.

In the meantime, it appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Litan said attacks like this one illustrate the importance of banks setting up EMV correctly. She noted that while the New England bank was able to flag the apparent EMV transactions as fraudulent in part because it hadn’t yet begun issuing EMV cards, the outcome might be different for a bank that had issued at least some chip cards.

“There’s going to be a lot of confusion when banks roll out EMV, and one thing I’ve learned from clients is how hard it is to implement properly,” Litan said. “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”

[personal profile] shadowspar

Ever feel so strongly about the non-existence of a given image macro that the world just seemed out of balance until you went and made it yourself?

Yeah, uh, me neither. ^_^;;

Well, actually, images are under the cut )

This Week

Oct. 27th, 2014 12:00 am
[syndicated profile] accidentallyincode_feed

Posted by Cate

A young European hedgehog

Credit: Wikipedia

Life

Arrived back from Canada, so jetlagged! Spent a couple of days hiding away and coding, and then had a frantic few days in London. Great to catch up with some friends! Got to trade in my broken Jawbone and now I have a pink one – yay!

Work

Meetings! Time with UX designer working on making the app pretty. Exciting!

Places

Brunch and coworking at the Ace Hotel, I love the String Quartet at Hoi Polloi. Lunch at Ping Pong (BBQ pork buns!) and dinner at Dishoom, finally! I’ve been meaning to go forever, and also at Santore. Staying at the RE Hotel, not the best location but pretty comfortable and close enough, so I got a lot of walking in. Got to check out Shoreditch House – fancy!

Media

Still working on Pioneer Programmer, but for light relief The Corinthian, A Civil Contract, Cotillion (probably my favourite of her books, just for the last couple of chapters), Cousin Kate, and now on False Colours. Back in the gym again – finally! So watching How I Met Your Mother Season 2. Background movies for coding: Bring it On, Wimbledon, The Princess Diaries 1 and 2, and She’s The Man.

Product links Amazon.

Published

On The Internet

Bike riding continued

Oct. 27th, 2014 09:45 am
[personal profile] puzzlement posting in [community profile] incrementum
Originally posted to incrementum.puzzling.org. Comment there unless you have a Dreamwidth login.

We took V to a playground in Singleton to ride. He still needs a push start, we’re working on it:

Starting off
Go free!

He’s also working on cornering still, rather than falling off the bike, walking it around the corner, and wanting a push start again.

Turning

He corners like a fearless demon on his balance bike (which he now only barely fits on), so it’s some combination of the hefty weight of the larger bike and coordinating pedalling with it all.

To top it all off, he really wanted to be riding his bike in the skate park, which is where the above shot was taken. Not really the place for a kid who needs to get off the bike all the time and be push started, as some of the teenagers in the skate park pointed out among themselves. V decided that the issue was that he needs a scooter rather than a bike, as many of the teenagers had. (It looks like scooters are the new skateboard, although you do sometimes still see a skateboard.) It would be easier, if our goal was for him to be really proficient in a skate park. But our goal is actually family bike rides. Once he’s solid on the bike and, especially, can reliably stop and start it, perhaps then it might be scooter time.

Here’s a video too, sorry about the zoom level and resulting shake:

V rides

When he got too frustrated with bike riding though, it was time to relax by going really fast on the spinner:

On the spinner

Not the funnest for me though. The theory of those things is that even the pushing person is supposed to fly through the air on the up-side, dangling off the handles. I can actually just touch the ground all the way around, but having my arms way up above my head while bearing the weight of V and the spinner is the canonical position to dislocate my weak shoulder in. So I stuck with big pushes on the down-side, and next time I’ll restart the bike and Andrew can push the spinner!

[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • Meet the Awesome League of Female Magic: The Gathering Players | bitchmedia (20 October): “Magic: The Gathering is a collectible trading card game published by Wizards of the Coast, the same company responsible for Dungeons and Dragons. Over the last twenty or so years, Magic has gained significant popularity and become a staple of nerd culture. Magic: The Gathering is played in a competitive tournament setting, casually at kitchen tables, while waiting in line at cons, and everything in between. Magic tournaments are not often a welcoming space for women despite the efforts of many within the community so, naturally, Magic horror stories were a popular topic of discussion at Geek Girl Con.”
  • Disney Princesses Are My (Imperfect) Feminist Role Models | boingboing (24 October): “So why not write off these problematic princesses and find better role models? Part of the power of the Disney princess is that she is inescapable. As a massive conglomerate, Disney is able to give its princess line an almost frightening level of cultural ubiquity. Conventional wisdom holds that girls will watch male-driven stories while boys will simply ignore female-driven ones. But it was impossible to ignore Frozen last year just as it was impossible to ignore Snow White, The Little Mermaid, and Beauty And The Beast when they premiered. Stop a few hundred people on the street and they’ll likely be able to name more Disney princesses than American Girl dolls, Baby-Sitters Club members, or Legend Of Korra characters. It’s important to introduce young girls to well-written female characters in niche properties, but it’s equally important to teach young girls that their stories don’t have to be niche.”
  • [infographic] The Gender Divide in Tech-Intensive Industries | Catalyst (23 October): While the leaky pipe metaphor has its flaws, it is one of the many reasons the tech industry is hostile to women.
  • Anita Sarkeesian speaking at XOXO Conference | Feminist Frequency (7 October): “In September 2014, I was invited to speak at the XOXO conference & festival in Portland. I used the opportunity to talk about two subtle forms of harassment that are commonly used to try and defame, discredit and ultimately silence women online: conspiracy theories and impersonation. (Note: trigger warning early on for examples of rape and death threats as well as blurred images of weaponized pornography).”
  • [warning for discussion and examples of sexual harassment] A Natural A/B Test of Harassment | Kongregate (23 October): “all the questions made me think more deeply about my experience, particularly the low-level harassment I get that I’d taken as a given, normal for a co-founder of a game site. It occurred to me to check with my brother/co-founder Jim, but he said he almost never gets hassled. Most of the harassment I receive is through Kongregate’s messaging system, and looking at my last 25 public messages mixed in with compliments and requests for help there are several harassing/sexual messages. Jim has none.”

#Gamergate

  • It’s Not Censorship to Ignore You | NYMag (21 October): “women were merely pointing to a threatening, gender-specific kind of speech, and asking for the tools to avoid it. There’s something obviously illogical about free-speech panic among white Americans in 2014. Thanks to online publishing and social media, the barrier to entry for free public speech is lower than ever. What I suspect truly bothers free-speech reactionaries is that the same, democratized new media that allows them to publish free-speech rants has opened public discourse up to a lot of people they’re not used to hearing from — women, people of color, and those Gamergate calls “social justice warriors,” in particular. Some of the people who historically controlled the media uncontested might not like what these people have to say, but these newcomers are nonetheless very popular. And when a “social justice warrior” chooses to wield the “block” button against a troll, it’s not his freedom of speech that’s in danger, it’s his entitlement to be heard.”
  • S4E7 – #GamerGate (Base Assumptions) | blip.tv (22 October): Critical discussion of Gamergate in terms of base assumptions. “The use of terror tactics, even if only by a minority, has created an environment of fear that all members [who believe gamergate is solely about ethics in games journalism] enjoy the privilege of. When people are unwilling to engage because of fears that they’ll be next, all members [of gamergate] benefit from that person’s silence, even if they were not responsible for that harassment.”
  • [warning for harassment and threats of violence] GamerGate’s Economy Of Harassment And Violence | ravishly (20 October): ”You cannot separate violence, any violence, from the context and circumstances of the society in which that violence transpires. Whoever benefits from violence is culpable for that violence. For this reason, every woman who endures harm in the wake of GamerGate’s expansion – whether it’s being forced into hiding or self-harming in the wake of unrelenting pressure and harassment – is a victim of GamerGate.”

We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Page generated Oct. 31st, 2014 01:25 pm
Powered by Dreamwidth Studios