Friday Squid Blogging: Pajama Squid

Feb. 12th, 2016 04:05 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

The Monterey Bay Aquarium has a pajama squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Fitbit Data Reveals Pregnancy

Feb. 12th, 2016 12:16 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

A man learned his wife was pregnant from her Fitbit data.

The details of the story are weird. The man posted the data to Reddit and asked for analysis help. But the point is that the data can reveal pregnancy, and this might not be something a person wants to tell a company that can sell that information for profit.

And remember, retailers want to know if one of their customers is pregnant.

[syndicated profile] epbot_feed

Posted by Jen

If you're looking for a last-minute Valentine for your geekier half, I just found a treasure trove of options over on The Dating Divas:

Even better, you can print all of these at home for free.

The cards are all original creations by TDD's in-house designer, Sameeha, which I really appreciate. (I've found enough "free printables" ripping off independent artists that I've learned to be cautious!)

You can find all the "Talk Nerdy To Me" designs - and download links - here.

But wait - at the risk of sounding like a game show host - there's more! The Dating Divas also has cards for a bunch of different fandoms, including Harry Potter, Star Trek:

...Lord of the Rings, Star Wars:

... and a few superhero options:

My only quibble is that Dating Divas labels all of these valentines "Man-Approved." Hey guys, how about "Geek-Approved" instead? And if you're feeling SUPER generous, some lady superhero - or supervillain - cards for next year would be extra-mega-duper-awesome.

Friday Favs 2/12/16

Feb. 12th, 2016 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

A few of my favorite submissions this week:


You and me both, Tiffany:

You and me both.


Her baby's name is Izzy, but apparently the bakery thought Bonnie was a fan of Japanese cars?


Meanwhile, Laura asked for a "big monogrammed P" on her cake:

I'll be honest, I was kinda hoping that would go a different way.


There is absolutely nothing wrong with this next cake, you guys:

It is glorious and should inspire all your future birthday cakes.



The History Of This Next Cake, Which Is Also My Favorite This Week:

Baker: "Oh wow, these icing roses turned out GORGEOUS!"

[head tilt]

...I should add a bunch of sh*t around them."


Thanks to Tiffany H., Bonnie F., Laura C., Dawna Z., & Mindy H. for helping me give John the best Valentines present: my man LOVES him some poop jokes. YOU'RE WELCOME, BABE.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

My notes from Marco’s talk at @NSConf [video].

Credit: Flickr / Joe The Goat Farmer

Hopefully this will convince you to consider marketing in apps.

Truly effective marketing is a respectable part of business. As necessary as good engineering, and good design. Refusing to consider it is doing yourself and your apps a disservice.

Marketing is fine. Even good. We need it. But we need the right kind.

Ensuring your app fits into a viable market, getting people to notice it, and giving them a reason to spread the word.

Waterfall is a widely despised development process.

We think the best products come from collaboration between engineering and design and product. But still expect marketing to be bolted on to the end. But this is not a recipe for quality.

What is your marketing?

A lot of developers think that the app store is your marketing. It will do marketing for us. We just need to put it out there and the app store will make customers flood in and give us money.

Maybe working for the top grossing ones. But chances are we are not going to be in this list. We treat the app store like we are waiting for this to happen to us. This is not going to happen.

We rely on what? Search. Generic search terms are really bad. Overcast is 21st in the list for “podcast”; no-one will find it. Especially with so many irrelevant results.

Advertising can be part of marketing, but probably not best channel, especially if you don’t make enough per user.

1% response rate, $4 per user acquisition. Even a $5 app will make a loss. Can’t make it work.

Marketing is part of the process for Apple, part of product design.

Apple doesn’t need to do that much with marketing, because they make products that market themselves.

Marketing helps avoid wasted engineering effort. It doesn’t “just happen”; it is foreseeable if you start thinking about things at the beginning.

Idea to do a podcast app for iOS. Scratching own itch. Most ideas are awful, talk self out of them, but kept going.

Made a demo app, and it works. But knew turning into a full shipping app would be a ton of work.

The lure of a difficult engineering problem is dangerous. Think effort will be rewarded. Reality is that nobody cares.

“The amount of effort you put into something doesn’t ensure its value to others”

Marketable foundation of the app has to succeed. Look at what succeeds, many of them take a lot of effort, many do not.

Try and balance developer happiness with success: a few hard things, and a lot of easy things.

Hard things:

Instapaper: text parser, kindle hacking.

Text parser really worth it. Kindle, not so much. Not marketable.

Podcast: custom audio engine.

Not sure marketable, had to make sure the rest of the app was marketable as well.

Started with a basic marketing outline and basic research. Sounds like a business BS term. Probably is. Think of it as a text file full of notes and bullet points.

  • What am I making?
  • Who might use it?
  • How many of these people are there?
  • What else is out there? What is your competition?

If no competition, this is a massive red flag. This is a pretty big world, there are a lot of apps out there. Should ask why you haven’t found it. Or the market is too small, for whatever you are thinking about making.

Big competitor: do they have some massive advantage you can’t compete with? E.g. network effect.

“It’s like popular thing but for X”

Lots of competition for this. Opportunistic. A lot of people think they have some great idea for something that already exists, with just a tiny change.

E.g. instagram for dogs. Why not just use instagram for your dog pictures?

What you want to see: some small, medium sized apps. Maybe they don’t do it all the way, or don’t do a really great job of it.

Why would someone use my app instead of the alternatives?

The answer to this question is marketing. Big part of it is pricing.

Factors not causing low app prices:

  • Apple
  • no trials
  • no paid upgrades
  • top charts
  • bad search
  • star reviews

We live in a time of over-abundance, every single market is crowded.

So much out there, so easy for new stuff to be ignored.

Paid-up-front-pricing. Appeals because we don’t have to do much. Avoids tricky issues, and tricky coding. Avoids support issues.

Really big downside: Paid upfront prices give a lot of people a reason to ignore your app.

Can still work, but you face this hurdle for every new customer.

If you can make your app look free, that’s better. Will have to compare on other factors, like your merits.

Ideally want to be recognised by name. Avoid a lot of these challenges entirely. Not comparison shopping, they are looking for your app. Avoid so many problems.

How do you do that? This is marketing.

Spreading the word

  • Advertise all over eyeballs
  • Blast email all over people
  • Make people connect all over your brand
  • Optimize all over the app store

(Replace the prepositions with “all over” and see if it still makes you uncomfortable. It usually does.)

Stand out from the crowd. Using design. iOS7 visual language much more accessible to developers. Much easier to stand out and be good, because much less cost in doing that.

Have notable features. If you can do that, you can stand out with noticeable features. This does not mean the most features. If you have all the features, very hard to make them stand out.

Knew wasn’t going to have all the features anyway, because other apps had years. Wasn’t going to match it. Concentrated on small number of big features to stand out.

Downloaded all the apps could find. Took pictures of every screen. Used it for a while. Wanted to know what they were good at, what they were not good at. Made an honest pros and cons list.

If you don’t make these comparisons, customers will.

For every advantage, is it compelling enough that people might use your app just for this?

How easy would it be for the competitor to erase this advantage?

Enjoy the big-company strategy umbrella. Apple focuses on the 80%, if you can live on the edge of that, can still be a big market.

Wrote giant marketing bullet list. Before building any of the app, just had the prototype. Before even built the app.

Smart Speed – invisible feature. Recipe for a thankless job. The better it works, the less people notice it. Wasn’t first to market, RSS Radio was, but no-one mentioned it. Did a better job of marketing it.

  • Gave it a descriptive but catchy name
  • Made it prominent in the app
  • Show people why it is good

Bring in testers

  • Bring in testers. TestFlight has a 1K user limit. Use as many as you can.
  • Invite the press (gently).
  • If you can’t get more than a few users to try it for free before launch, red flag!

A lot of features look like, here are some options. No explanation. No tooltips on iOS.

Took a nameless feature and branded it.

When he was done with the app, the marketing was done. He knew how he was going to sell the app.

Very simple stuff, if you plan for it from the start.

Here’s what I made, this is why it’s good, try it if it’s good.

Reviewers knew what to focus on.

Combining not just eng and design from the start, but eng, design, and marketing. Eng and design need each other, marketing ties everything together to make a more successful product.

[syndicated profile] bruce_schneier_feed

Posted by schneier

Interesting research: "CPV: Delay-based Location Verification for the Internet":

Abstract: The number of location-aware services over the Internet continues growing. Some of these require the client's geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g., by faking GPS coordinates or employing a non-local IP address through proxy and virtual private networks. We devise Client Presence Verification (CPV), a delay-based verification technique designed to verify an assertion about a device's presence inside a prescribed geographic region. CPV does not identify devices by their IP addresses. Rather, the device's location is corroborated in a novel way by leveraging geometric properties of triangles, which prevents an adversary from manipulating measured delays. To achieve high accuracy, CPV mitigates Internet path asymmetry using a novel method to deduce one-way application-layer delays to/from the client's participating device, and mines these delays for evidence supporting/refuting the asserted location. We evaluate CPV through detailed experiments on PlanetLab, exploring various factors that affect its efficacy, including the granularity of the verified location, and the verification time. Results highlight the potential of CPV for practical adoption.

News articles.
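The abstract describes corroborating a client's location from delays using geometric properties of triangles. The block below is an added illustration written for this page, not the paper's code: it assumes one-way delays can be treated as distances, that three verifiers form a triangle, and that a client inside the triangle satisfies an area-sum identity; the coordinates and tolerance are constructed.

```python
"""Delay-triangle presence test: an added illustration of the geometric idea
in the CPV abstract (not the paper's code or its full protocol).
Assumptions: one-way delays are treated as distances, three verifiers A, B, C
form a triangle, and a client inside it satisfies an area-sum identity.
The coordinates and the tolerance below are constructed for the example."""
import math


def tri_area(a, b, c):
    """Heron's formula for the area of a triangle with side lengths a, b, c.
    Lengths that violate the triangle inequality give 0.0 (no such triangle)."""
    s = (a + b + c) / 2.0
    val = s * (s - a) * (s - b) * (s - c)
    return math.sqrt(val) if val > 0 else 0.0


def inside_delay_triangle(v_ab, v_bc, v_ca, d_a, d_b, d_c, tol=0.05):
    """v_*: delays measured between verifier pairs A-B, B-C, C-A.
    d_*: one-way delays from the client P to each verifier.
    If P lies inside triangle ABC then
        area(ABP) + area(BCP) + area(CAP) == area(ABC);
    for a point outside the triangle the left side is larger.
    The abstract's point is that an adversary can only add delay, never
    remove it; this function is only the geometric core of such a check.
    Accept when the relative gap is within `tol` (measurement noise)."""
    whole = tri_area(v_ab, v_bc, v_ca)
    if whole == 0.0:
        raise ValueError("verifier delays do not form a triangle")
    parts = (tri_area(v_ab, d_a, d_b)
             + tri_area(v_bc, d_b, d_c)
             + tri_area(v_ca, d_c, d_a))
    return abs(parts - whole) / whole <= tol


def delays_from_points(a, b, c, p):
    """Constructed-scenario helper: derive the six delays from 2-D points,
    as if delay were proportional to straight-line distance."""
    def dist(u, v):
        return math.hypot(u[0] - v[0], u[1] - v[1])
    return (dist(a, b), dist(b, c), dist(c, a),
            dist(p, a), dist(p, b), dist(p, c))


if __name__ == "__main__":
    # Verifiers at constructed positions; one client inside, one outside.
    A, B, C = (0, 0), (40, 0), (0, 30)
    print(inside_delay_triangle(*delays_from_points(A, B, C, (10, 10))))  # True
    print(inside_delay_triangle(*delays_from_points(A, B, C, (50, 50))))  # False
```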

Worldwide Encryption Products Survey

Feb. 11th, 2016 11:05 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Today I released my worldwide survey of encryption products.

The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the U.S., calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access. It also showed that anyone who wants to avoid US surveillance has over 567 competing products to choose from. These foreign products offer a wide variety of secure applications -- voice encryption, text message encryption, file encryption, network-traffic encryption, anonymous currency -- providing the same levels of security as US products do today.

  • There are at least 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total.
  • The most common non-US country for encryption products is Germany, with 112 products. This is followed by the United Kingdom, Canada, France, and Sweden, in that order.
  • The five most common countries for encryption products -- including the US -- account for two-thirds of the total. But smaller countries like Algeria, Argentina, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, St. Kitts and Nevis, Tanzania, and Thailand each produce at least one encryption product.
  • Of the 546 foreign encryption products we found, 56% are available for sale and 44% are free. 66% are proprietary, and 34% are open source. Some for-sale products also have a free version.
  • At least 587 entities -- primarily companies -- either sell or give away encryption products. Of those, 374, or about two-thirds, are outside the US.
  • Of the 546 foreign encryption products, 47 are file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and 61 virtual private networking products.

The report is here, here, and here. The data, in Excel form, is here.

Press articles are starting to come in. (Here are the previous blog posts on the effort.)

I know the database is incomplete, and I know there are errors. I welcome both additions and corrections, and will be releasing a 1.1 version of this survey in a few weeks.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Scam artists have been using hacked Kohl’s accounts to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.

KrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohl’s stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to the Kohl’s site, which confirmed her fears that her password had been changed.

On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change the password.

“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”

Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.

“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”

Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohl’s cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).

“Since the orders were being shipped to me, even though they were above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.

More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance were bulky items: Three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items.

“The representative told me when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry said of her conversation with the Kohl’s representative. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me and the $220 in Kohl’s cash would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”

Perry said she was shocked by the scam’s complexity and sheer gumption.

“The people behind this are clearly making every effort to not only defraud an account, but also to inconvenience the affected customer as much as possible,” she said. “I think Kohl’s handled the situation well over all; the email notification of an account change is more than I get from some other online shopping sites, and they were able to cancel the Kohl’s cash. Still, I’m a bit surprised they aren’t doing anything to promote awareness among their customer base.”

Reached for comment about the apparent fraud trend, Kohl’s spokesperson Jen Johnson said the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”

“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote in an emailed statement. “Customer service is a top priority for Kohl’s and, as always, we will work with any customer who has had a less than optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”

This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites. However, Perry said she’s still mystified how the thieves were able to get hold of her password, which she said was an 11-character, three-word phrase that she didn’t use on any other site.

It’s unclear how much is lost annually to points and rewards fraud, but the industry is ripe for the picking: Loyalty program experts estimated in 2011 that some 2.6 billion loyalty memberships generated $48 billion in rewarded points and miles.

Have you experienced similar fraud at merchants that offer rewards points or cash? Sound off in the comments below.
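One way a merchant's fraud team could turn the pattern Perry describes (email change, then unusually large orders shipped to the address on file so the reward credits go to the new mailbox) into a detection rule. This is an added example, not code from the post or from Kohl's; the event format, field names, thresholds and sample events are all constructed.

```python
"""Added example, not from the KrebsOnSecurity post or from Kohl's: a
merchant-side detection rule for the reward-farming pattern described above.
Event format, field names, thresholds and the sample events are constructed."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # how long after an email change orders stay suspect
SPIKE_FACTOR = 5.0             # order amount relative to the account's usual order

# Constructed event stream for two accounts (not real data). Times are ISO-8601.
EVENTS = [
    {"ts": "2016-02-11T09:00:00", "type": "login", "account": "A1"},
    {"ts": "2016-02-11T09:02:00", "type": "email_change", "account": "A1",
     "old": "owner@example.com", "new": "new-mailbox@example.net"},
    {"ts": "2016-02-11T09:10:00", "type": "order", "account": "A1",
     "amount": 690.00, "ships_to_address_on_file": True},
    {"ts": "2016-02-11T09:15:00", "type": "order", "account": "A1",
     "amount": 680.00, "ships_to_address_on_file": True},
    {"ts": "2016-02-11T12:00:00", "type": "order", "account": "A2",
     "amount": 45.00, "ships_to_address_on_file": True},
]
# Constructed per-account baseline: the account's typical order amount.
TYPICAL_ORDER = {"A1": 60.00, "A2": 40.00}


def flag_reward_farming(events, baselines, window=WINDOW, spike=SPIKE_FACTOR):
    """Return the orders whose reward credits should be held for review.

    An order is flagged when it is placed within `window` after an email
    change on the same account and its amount is at least `spike` times the
    account's baseline. Shipping to the address on file is deliberately NOT
    treated as reassuring: the post's point is that this is exactly what lets
    the scheme pass address-based checks. Each flag names the pre-change
    address so the real owner, not the new mailbox, is asked to confirm.
    """
    last_change = {}   # account -> (time of email change, previous address)
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "email_change":
            last_change[acct] = (ts, ev["old"])
        elif ev["type"] == "order" and acct in last_change:
            changed_at, previous_email = last_change[acct]
            recent = ts - changed_at <= window
            # Unknown baseline: treat as 0 so any post-change order is flagged.
            large = ev["amount"] >= spike * baselines.get(acct, 0.0)
            if recent and large:
                flagged.append({
                    "account": acct,
                    "ts": ev["ts"],
                    "amount": ev["amount"],
                    "action": "hold reward credits; confirm with " + previous_email,
                })
    return flagged


if __name__ == "__main__":
    for hit in flag_reward_farming(EVENTS, TYPICAL_ORDER):
        print(hit)
```

Holding the credits until the owner confirms (or the return window closes) removes the payoff the post describes, since the credits are revoked anyway once the bulky items come back.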

[syndicated profile] cakewrecks_feed

Posted by Jen

Wonky hearts and cupid bows are so predictable.

Why not spice up this Valentines Day with something a little... you know... [eyebrow waggle]



Of course you want to leave some things to the imagination:

As big as WHAT can be, you ask?

Well, now, [WINK] that's up to YOU to... ok, a rainbow. They meant the rainbow. Happy?


There's also the direct approach:

("Bloody L, I can't tell if I should censor this or not!")


But try not to confuse your baker:

For once I'm siding with the seller - 'cuz that shiz is hilarious.


And finally, the best/worst Valentines cake for anyone who loves cake, Tom Selleck, edible chest hair, and, of course, the word "moist."



Thanks to Anony M., Chris T., Linda H., Kim W., & Carley C. for the classic Cake Wrecks throwback.


[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Microsoft Windows users and those with Adobe Flash Player or Java installed, it’s time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks.

One big critical update from Redmond mends more than a dozen security problems with Internet Explorer. Another critical patch addresses flaws in Microsoft Edge — including four that appear to share the same vulnerability identifiers (meaning Microsoft re-used the same vulnerable IE code in its newest Edge browser). Security vendor Qualys as usual has a good roundup of the rest of the critical Microsoft updates.

Adobe issued an update for Flash Player that fixes a slew of security problems with Flash, a very powerful yet vulnerable piece of software that is also unfortunately ubiquitous. After all, as Chris Goettl at Shavlik reminds us, fixing Flash on a modern computer can be a complicated affair: “You need to update Adobe Flash for IE, Flash for Google Chrome, and Flash for Firefox to completely plug all of these 22 vulnerabilities.” Thankfully, Chrome and IE should auto-install the latest Flash version on browser restart (I had to manually restart Chrome to get the latest Flash version).

If you decide to update (more on hobbling or uninstalling Flash in a moment), make sure you watch for unwanted add-ons that come pre-checked with Adobe’s Flash updater. The latest version of Flash for most Windows and Mac users will be v. This page will tell you which version of Flash you have installed (if Flash isn’t installed, the page will offer a downloader to install it).

Patch away, please, but I’d also advise Flash users to figure out how to put the program in a box so that it can’t run unless you want it to. Doing without Flash (or at least without Flash turned on all the time) just makes good security sense, and it isn’t as difficult as you might think: See my post, A Month Without Adobe Flash Player, for tips on how to minimize the risks of having Flash installed.

Finally, Oracle pushed out an emergency security update (Java SE 8, Update 73) for the Java JRE, its second patch for Java in a week. This piece explores the back story behind the latest Java update, but the short version is that Oracle is fixing a so-called “DLL side loading bug” that allows malicious applications to hijack Java’s legitimate system processes without having to rely on convincing users to double-click and execute the malicious file.

This DLL hijacking problem is not unique to Java or Oracle, but I still advise readers to treat Java just like I do Flash: Uninstall the program unless you have an affirmative use for it. If you can’t do that, take steps to unplug it from your browser (or at least from your primary browser).

If you have a specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.

[syndicated profile] female_cs_feed

Posted by Gail Carmichael

For the first time ever, I attended a women-in-computing conference with absolutely no student affiliation whatsoever (I recently de-registered from my PhD for the time being). But that's not what made the first ever Canadian Celebration of Women in Computing special; not exactly. The thing I really, really enjoyed was spending time with my past students and colleagues from my time at Carleton.

I went to the first ever local ACM-W celebration held in Ontario way back in 2010. At the time, it was the Ontario Celebration of Women in Computing. I was doing the student thing full-force at that event, with two posters and one talk that covered both research and our Women in Science and Engineering group. Since then, other local celebrations cropped up around Canada until this year, when they amalgamated into CAN-CWIC.

The format of CAN-CWIC was similar to what ONCWIC did years ago: dinner, keynote, and social on Friday night with various talks and workshops on Saturday. At this year's banquet, I sat with an awesome group of mostly Carleton students and one lonely uOttawa student. And it was so nice. I loved catching up with everyone, and even had opportunities to give mentor-oriented advice.

The time I spent with my own former students made me realize that in fact most of the attendees were students. I would really love to see more industry representation, and not just to stand behind recruiting booths. I feel like more balance would provide more mentors and role models for the large student contingent. What could CAN-CWIC do to attract more industry professionals? Maybe looking at Grace Hopper's career tracks would give some ideas.

This year's tracks at the conference were interesting nonetheless. The speakers I saw were quite good. I particularly enjoyed Amber Simpson's talk on medical computing (more specifically, how image analysis can help with cancer diagnosis). It was also great to see Jennifer Flanagan, CEO of the Canadian STEM outreach non-profit Actua, talk about Actua's involvement in computing outreach. I'm really pumped about trying to team up and contribute to bringing computing education to all K-12 across Canada.

I do have some nitpicks about the conference location this year, the main one being that the space was too small and segmented. Hopefully next year's event can be in a larger, more thoughtfully laid out space. But my concerns are small in comparison to the impact conferences like this have. I hope CAN-CWIC continues to grow, and that it's somewhere awesome next year so I'll be enticed to go again. ;)

AT&T Does Not Care about Your Privacy

Feb. 10th, 2016 01:59 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

AT&T's CEO believes that the company should not offer robust security to its customers:

But tech company leaders aren't all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn't have any say in the debate.

"I don't think it is Silicon Valley's decision to make about whether encryption is the right thing to do," Stephenson said in an interview with The Wall Street Journal. "I understand [Apple CEO] Tim Cook's decision, but I don't think it's his decision to make."

His position is extreme in its disregard for the privacy of his customers. If he doesn't believe that companies should have any say in what levels of privacy they offer their customers, you can be sure that AT&T won't offer any robust privacy or security to you.

Does he have any clue what an anti-market position this is? He says that it is not the business of Silicon Valley companies to offer product features that might annoy the government. The "debate" about what features commercial products should have should happen elsewhere -- presumably within the government. I thought we all agreed that state-controlled economies just don't work.

My guess is that he doesn't realize what an extreme position he's taking by saying that product design isn't the decision of companies to make. My guess is that AT&T is so deep in bed with the NSA and FBI that he's just saying things he believes justify his position.

Here's the original, behind a paywall.

[syndicated profile] cakewrecks_feed

Posted by Jen

And now, as a service to our readers' dieting endeavors:

7 MORE Things That Should Never Be On Cake


7. Anything that looks like a spleen

Also, why is the spleen the go-to organ for icky descriptions? You never hear someone say, "Hey, that organesque thing sure looks like a gallbladder!" Which begs the question: is "organesque" a word? 'Cuz if not, it totally should be.


6. Shrimp

Because shrimp.


5. Nipples

Hey, don't get me wrong; nipples are great. Heck, I even have one myself. But cake should not have nipples. It just shouldn't. And the fact that I had to bring that sentence into the world makes me seriously question the direction this country is going.


4. Ants

Because anything I spend time and money trying to kill should not be something I have to pick off my cake.


3. Actual Feathers Plucked From Actual Birds

Let me get this straight: you jammed real feathers into the icing you expect me to eat?

So how about I fetch a beaver pelt and throw that sucker on there, too? Because if there's one thing we've learned about cake decorating, it's that animal outsides are both appetizing and completely sanitary!


2. Mold



1. Back hair

Actually, this is kind of hilarious.

Assuming those are chocolate shavings, of course.




Thanks to wreckporters Kathryn B., Kerrigan W., Ashlee, Kelly G., Rocky J., Tami F., & Anony M. for the inspiration to just have a salad today.


[syndicated profile] accidentallyincode_feed

Posted by Cate

Credit: Flickr / Tambako The Jaguar

We know technical interviewing is a problem but rather than asking interviewers to do better, a lot of suggested solutions push that problem off onto people we interview rather than those who are doing the interviewing.

This comes up a lot because the hiring process is the second most popular place to improve “diversity” after teaching children to code; the hiring process is the end of the pipeline.

Bad hiring processes disproportionately affect people who don’t pattern match. Better hiring processes benefit everyone, although people who usually pattern match may disagree. I’ve seen a number of white dudes react angrily when it’s explicitly stated that diversity is valued – they take it as a sign that they are unwelcome. It is the same way the use of words like “hackers” and “rockstar”, the attention called to the pool table and the beer keg, and the endless references to “he” and “guys” have made people who aren’t white dudes like them feel so unwelcome for so long. Except to them “unwelcome” seems to mean “not centred”.

I have made these points general where I can, but some of them highlight the effects of seeking “diversity” without first understanding inclusion or the broader problems arising in a homogenous, often insular environment.

Internships Rather than Full-Time Jobs

Whether hiring new grads or for “returnships”, I understand why companies would like to have a three-month job interview rather than a single-day interview. But consider this: when you onboard a new full-time engineer into a team, they have a manager who (hopefully) has some experience and some training. Interns, on the other hand, tend to be assigned “mentors” who might have gone to some one-hour training sessions where nothing substantial had been covered. If companies are serious about internships like this, they need to set interns up to succeed. A big part of that would be to stop using the word “mentor”, start using the word “manager”, and to train, incentivise, and hold accountable accordingly.

Take-Home Assignments

I understand the appeal of take-home assignments from both sides: candidates get time to think and code without being watched, and companies can ask them to solve a bigger problem (and don’t have to allocate engineering time to watching someone solve it). The earlier take-home assignments are in the process, the less I like them. (Some well-known companies have people complete an assignment before they’re given the chance to speak to an engineer at all.)

My reservation with take-home assignments is that you end up asking for the most work from the people who you’re least likely to hire. An assignment that may take an average person two hours may take a superstar one hour. Someone who really doesn’t have the experience for the role might find themselves spending all weekend on it. (In comparison, at least technical interviews are time-boxed.)

I worry that companies avoid training and incentivising their engineers to interview candidates well, and that they’re instead reducing how much engineers have to talk to potential colleagues. If your selection process is riddled with bias (and it is), the solution is to reduce your bias, not shove it onto other people with strategies like “have every $diversePerson who applies do the take-home assignment”.

The other benefit of technical interviews is that they force someone to decide whether a candidate is worth spending the most valuable resource your engineering team has – time. This is powerful from the perspective of the candidate—a take-home assignment can feel impersonal. But also because it forces you to consider if it’s worth your spending time to continue the process. In my opinion, there’s a lot to be said for a fast, respectful no. Giving someone a chance that isn’t really a chance is a waste of everyone’s time.

I want to be very clear about what this means: if you’re confident that someone doesn’t have the skills or experience that you need, it’s better to cut things off sooner rather than later. But where does that confidence come from? The more objective you can be, the better. Is it a vague feeling? That’s likely your bias talking. Or is there a concrete skill that you’ve identified you need, that you have given them the opportunity to demonstrate—or asked specifically about—and the answer was no?

Whose Job Is It, Anyway?

A little past the hiring process, but the other thing that I worry about is seeing junior engineers (particularly women) being given the burden of fixing the process that they just went through. Rather than hiring junior women and expecting them to do the thankless emotional labour of fixing your hiring process, first consider why there isn’t a woman who’s senior (and interested) enough that doing so might be part of her actual job.

The answer might tell you a lot about your culture and what people are rewarded for.

Competitive Advantage

People throw around “diversity is a competitive advantage”, but it’s not clear that they know what that means. Here’s the reasoning I embrace: Inclusivity is a competitive advantage because it yields a diversity of ideas and insights at all levels within an organisation.

A better hiring process is necessary but not sufficient in building an inclusive workplace. The hiring process is actually the least of it. I can accept that interviewing for jobs is inherently awful, and that as an interviewer or hiring manager I may only be able to make it less awful. But what I no longer accept is that being an engineer whilst female is inherently awful.

So with that caveat, here are some ways that you can create a competitive advantage in hiring:

  • Check and reduce bias (for all interviewers).
  • Be transparent about your hiring process (and for startups, that’s especially true if you’re still defining what that process is).
  • Treat interviewees’ time with the respect it deserves. (Paying people to interview is one strategy, and it’s a good one.)
  • Be clear about what’s important to you—what kind of person do you need?
    • If you’re hiring to fill fewer, more specialist openings, be very clear about what kind of skills and experience you’re looking for. Importantly, ensure they’re realistic—does that kind of person even exist? And will they work within your constraints of geography and salary?
    • If you’re hiring “smart generalists”, this is a much fuzzier prospect, so define what you care about. Be mindful of what kind of criteria you use to assess what a “smart generalist” looks like, and what kind of problems you present to evaluate them.

Structural and Individual

I used to work at a place where I interviewed mostly women. There was no incentive for me to be a good interviewer, but I worked on that anyway. A bad move for my career at that company. But a good move as a human being. Not a rational decision, then. A moral one.

Hiring processes are structural and individual. We design a process structurally—influenced by our bias to create a process we’d do well in—but interactions are individual, typically one-on-one. There’s no structure that eliminates the need for one-on-one interactions because we’re hiring humans—not building robots—and because the hiring process is a two-way evaluation where candidates learn about the company while the company learns about them. The people you hire aren’t going to work under the thumb of an automated computer evaluation system—they’re going to work with other human beings.

If you design a hiring process that ignores the individual side of the equation, you’re just shifting the part of your process that’s broken. And if you consider the structure without the individual, then your theory will fail at the first interaction with someone who operates rationally rather than according to a moral code.


Thanks to Ashley, Camille, Cristina and Jo for reading and giving feedback.

[syndicated profile] epbot_feed

Posted by Jen

Let me start by saying I honest-to-goodness set out to make something super cute for Valentines Day.

But instead, I made this!


Actually, I still think this little guy is hella cute - but it's been pointed out to me that I have an abnormally high tolerance for creepy dolls.

Plus, can I just say? Making a "cute" baby mandrake root is DARN NEAR IMPOSSIBLE. Kindly ignore all the adorable examples on Etsy and Pinterest while I'm trying to make this point.

If you haven't run screaming from your monitor yet, allow me to show you it's not THAT bad... from a distance and before you add water:


And you don't *have* to add water, of course. I just like that it adds to the realism. (Or you can splurge and fill the vase with resin!)

The water distorts and magnifies, which is actually really cool. And, er, really creepy:

Hopefully I'm hitting just the right note of horrifying sweetness for some of you Potter heads out there. If so, keep reading; I'll show you how to make your own Mandrake bouquet for less than $10.

[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • the problem of language | b. binaohan on Medium (February 8): “All of this, at the end, has me thinking about instruction, leaky pipelines, and diversity in tech. In a lot of ways, I represent a perfect example of the convergence of socio-economic factors that make pipes leaky. Based on my age and interests, I *could’ve* been one of those “I taught myself how to code as a teen and spent two years in college then dropped out to make lots of money” types. But I was poor, trans, gay, not-white-enough, and life got in the way”
  • Meet Marvel’s Newest Comic Series About a Badass Superhero You Already Love | PopSugar (February 8): “‘I have an 11-year-old daughter. She is a huge comics nerd,’ said Cain. ‘There are a ton of girls her age who read comics. But the industry loses a lot of them in middle school. Maybe because they’re generally mortified. Or maybe they catch on that there’s not as much for them as they thought there was.’ Hopefully Mockingbird is just what they need to retain their love of comics.”
  • FilterScout | Civic Workbench: “FilterScout is a browser extension that allows users to set rules for content display, muting unwanted content on the Web, including social media websites. Twitter, Facebook, Reddit, newspapers, blogs can be filtered.”… “We’re mitigating one vector for abuse so that people can continue to engage with communities and (we hope) build communities where abuse isn’t normal.”
  • Library publishing and diversity values | College and Research Libraries News (February): “What are the consequences of this lack of diversity in publishing, librarianship, and faculty? We know already that privilege can bias access to material, which is part of why the open access movement exists, to alleviate the barriers that cost can create for researchers. However, one possible consequence is a feedback loop in scholarship that privileges and publishes the majority voice, which is often white and male.”
  • An R update | Adventures in Data (February 2): “what I need is the confidence that the system will work not just for me, who knows some of the R Foundation and Core folks in a passing way, but for people who don’t. That we actually have a way of handling these kinds of problems in the future, that is scalable and generalisable and not based on who you know.”
  • When life gives you lemons, make science | Adventures in Data (February 5): “If you’re going to harass people for science bear in mind that they may science your harassment. Happy browsing to all. And remember, kids: nobody likes total strangers offering their very important opinion about how you are totally wrong. So, please: don’t be that stranger.”

We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

The 2016 National Threat Assessment

Feb. 9th, 2016 03:25 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

It's National Threat Assessment Day. Published annually by the Director of National Intelligence, the "Worldwide Threat Assessment of the US Intelligence Community" is the US intelligence community's one time to publicly talk about the threats in general. The document is the result of weeks of work and input from lots of people. For Clapper, it's his chance to shape the dialog, set up priorities, and prepare Congress for budget requests. The document is an unclassified summary of a much longer classified document. And the day also includes Clapper testifying before the Senate Armed Services Committee. (You'll remember his now-famous lie to the committee in 2013.)

The document covers a wide variety of threats, from terrorism to organized crime, from energy politics to climate change. Although the document clearly says "The order of the topics presented in this statement does not necessarily indicate the relative importance or magnitude of the threat in the view of the Intelligence Community," it does. And like 2015 and 2014, cyber threats are #1 -- although this year it's called "Cyber and Technology."

The consequences of innovation and increased reliance on information technology in the next few years on both our society's way of life in general and how we in the Intelligence Community specifically perform our mission will probably be far greater in scope and impact than ever. Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US Government systems. These developments will pose challenges to our cyber defenses and operational tradecraft but also create new opportunities for our own intelligence collectors.

Especially note that last clause. The FBI might hate encryption, but the intelligence community is not going dark.

The document then calls out a few specifics like the Internet of Things and Artificial Intelligence -- no surprise, considering other recent statements from government officials. This is the "...and Technology" part of the category.

More specifically:

Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decisionmaking, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI -- in settings such as public utilities and health care -- will only exacerbate these potential effects. Russian cyber actors, who post disinformation on commercial websites, might seek to alter online media as a means to influence public discourse and create confusion. Chinese military doctrine outlines the use of cyber deception operations to conceal intentions, modify stored data, transmit false data, manipulate the flow of information, or influence public sentiments -- all to induce errors and miscalculation in decisionmaking.

Russia is the number one threat, followed by China, Iran, North Korea, and non-state actors:

Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny. Russian cyber operations are likely to target US interests to support several strategic objectives: intelligence gathering to support Russian decisionmaking in the Ukraine and Syrian crises, influence operations to support military and political objectives, and continuing preparation of the cyber environment for future contingencies.

Comments on China refer to the cybersecurity agreement from last September:

China continues to have success in cyber espionage against the US Government, our allies, and US companies. Beijing also selectively uses cyberattacks against targets it believes threaten Chinese domestic stability or regime legitimacy. We will monitor compliance with China's September 2015 commitment to refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property with the intent of providing competitive advantage to companies or commercial sectors. Private-sector security experts have identified limited ongoing cyber activity from China but have not verified state sponsorship or the use of exfiltrated data for commercial gain.

Also interesting are the comments on non-state actors, which discuss propaganda campaigns from ISIL, criminal ransomware, and hacker tools.

Skimmers Hijack ATM Network Cables

Feb. 9th, 2016 03:55 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data.

Two network cable card skimming devices, as found attached to this ATM.

In an alert sent to customers Feb. 8, NCR said it received reliable reports of NCR and Diebold ATMs being attacked through the use of external skimming devices that hijack the cash machine’s phone or Internet jack.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” NCR warned. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

The ATM maker believes these attacks represent a continuation of the trend where criminals are finding alternative methods to skim magnetic strip cards. Such alternative methods avoid placing the skimmer on the ATM card entry bezel, which is where most anti-skimming technology is located.

NCR said cash machine operators must consider all points where card data may be accessible — in addition to the traditional point of vulnerability at the card entry bezel — and that having ATM network communications cables and connections exposed in publicly accessible locations only invites trouble.

A closer look at the two network cable card skimming devices that were attached to the stand-alone ATM pictured at the top of this story.

If something doesn’t look right about an ATM, don’t use it and move on to the next one. It’s not worth the hassle and risk associated with having your checking account emptied of cash. Also, it’s best to favor ATMs that are installed inside of a building or wall as opposed to free-standing machines, which may be more vulnerable to tampering.

[syndicated profile] cakewrecks_feed

Posted by Jen

Now that we've all had a day to recover, let's review:

The Panters:


played the Bronchos:

(Dangit, now I want brownie nachos.)


in the annual:

Poopy Party!!


That, or maybe the Bronco's
played the Phanters:


At the Super Bwol:

Which makes me want to play the Princess Bride "Mawwaige" speech again.


There were some... interesting... predictions:


And plenty of questionable advice:

(Pfft. Everyone knows you dribble at Football, bakers. I mean, COME ON.)


And though the [INSERT WINNING TEAM] prevailed in the end, the important thing is that both sides had terrible, terrible cakes.



And also that puppymonkeybaby has scarred us all for life. [shudder]


Now, let's get back to celebrating some real milestones, mmkay?

There's the spirit.


Thanks to Stephanie H., Jodi A., Howard G., Anna F., Beverly M., Brew C., Beth P., Chas C., Elizabeth L., & Amy K. for the home runs.


Large-Scale FBI Hacking

Feb. 9th, 2016 06:25 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

As part of a child pornography investigation, the FBI hacked into over 1,300 computers.

But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency's term for a hacking tool.

While Playpen was being run out of a server in Virginia, and the hacking tool was infecting targets, "approximately 1300 true internet protocol (IP) addresses were identified during this time," according to the same complaint.

The FBI seems to have obtained a single warrant, but it's hard to believe that a legal warrant could allow the police to hack 1,300 different computers. We do know that the FBI is very vague about the extent of its operations in warrant applications. And surely we need actual public debate about this sort of technique.

Also, "Playpen" is a super-creepy name for a child porn site. I feel icky just typing it.

[syndicated profile] bruce_schneier_feed

Posted by schneier

Today, Data and Goliath is being published in paperback.

Everyone tells me that the paperback version sells better than the hardcover, even though it's a year later. I can't really imagine that there are tens of thousands of people who wouldn't spend $28 on a hardcover but are happy to spend $18 on the paperback, but we'll see. (Amazon has the hardcover for $19, the paperback for $11.70, and the Kindle edition for $14.60, plus shipping, if any. I am still selling signed hardcovers for $28 including domestic shipping -- more for international.)

I got a box of paperbacks from my publisher last week. They look good. Not as good as the hardcover, but good for a trade paperback.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Before purchasing an “Internet of things” (IoT) device — a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet — consider whether you can realistically care for and feed the security needs of yet another IoT thing. After all, there is a good chance your newly adopted IoT puppy will be:

- chewing holes in your network defenses;
- gnawing open new critical security weaknesses;
- bred by a vendor that seldom and belatedly patches;
- tough to wrangle down and patch.

In April 2014, researchers at Cisco alerted HVAC vendor Trane about three separate critical vulnerabilities in their ComfortLink II line of Internet-connected thermostats. These thermostats feature large color LCD screens and a Busybox-based computer that connects directly to your wireless network, allowing the device to display not just the temperature in your home but also personal photo collections, the local weather forecast, and live weather radar maps, among other things.

Trane ComfortLink II thermostat.

Cisco researchers found that the ComfortLink devices allow attackers to gain remote access and also use these devices as a jumping off point to access the rest of a user’s network. Trane has not yet responded to requests for comment.

One big problem is that the ComfortLink thermostats come with credentials that have hardcoded passwords, Cisco found. By default, the accounts can be used to remotely log in to the system over “SSH,” an encrypted communications tunnel that many users allow through their firewall.

The two other bugs Cisco reported to Trane would allow attackers to install their own malicious software on vulnerable Trane devices, and use those systems to maintain a persistent presence on the victim’s local network.

On January 26, 2016, Trane patched the more serious of the flaws (the hardcoded credentials). According to Cisco, Trane patched the other two bugs as part of a standard update released back in May 2015, but apparently without providing customers any indication that the update was critical to their protection efforts.

What does this mean for the average user?

“Compromising IoT devices allows unfettered access through the network to any other devices on the network,” said Craig Williams, security outreach manager at Cisco. “To make matters worse, almost no one has access to their thermostat at an [operating system] layer to notice that it has been compromised. No one wakes up and thinks, ‘Hey, it’s time to update my thermostat’s firmware.’ Typically once someone compromises these devices they will stay compromised until replaced. Basically it gives an attacker a perfect foothold to move laterally through a network.”

Hidden accounts and insecure defaults are not unusual for IoT devices. What’s more, patching vulnerable devices can be complicated, if not impossible, for the average user or for those who are not technically savvy. Trane’s instructions for applying the latest update are here.

“For organizations that maintain large amounts of IoT devices on their network, there may not be a way to update a device that scales, creating a nightmare scenario,” Williams wrote in an email explaining the research. “I suspect as we start seeing more IoT devices that require security updates this is going to become a common problem as the lifetime of IoT devices greatly exceeds what would be thought of as the typical software lifetime (2 years vs 10 years).”

If these IoT vulnerabilities sound like something straight out of a Hollywood hacker movie script, that’s not far from the truth. In the first season of the outstanding television series Mr. Robot, the main character [SPOILER ALERT] plots to destroy data on backup tapes stored at an Iron Mountain facility by exploiting a vulnerability in an HVAC system to raise the ambient temperature at the targeted facility.

Cisco’s writeup on its findings is here; it includes a link to a new Metasploit module the researchers developed to help system administrators find and secure exploitable systems on a network. It also can be used by bad guys to exploit vulnerable systems, so if you use one of these ComfortLink systems, consider updating soon before this turns into a Trane wreck (sorry, couldn’t help it).

[syndicated profile] cakewrecks_feed

Posted by Jen

Since I started this blog I've seen my share of cakes crammed onto real live ladies. Here's a croquembouche dress:



Here's a cupcake skirt:

(I'd eat that.)


And here's an edible wedding dress guaranteed to make you never want an edible wedding dress:


[slowly backing away in horror]


But all of that pales in comparison to whatever the heck is happening in this photo:


Now, I know there's a lot of crazy to take in up there, but keep your eyes on the bananas.

See them?


Now you can scroll down:


Ok, so, a few things:

1) There are now bananas artfully draped on the women's shoulders. I bet you never thought someone could artfully drape a banana. Or that someone would consider a conjoined torso cake with real live ladies sticking out of either end an appetizing idea. BUT THERE THEY BOTH ARE.

2) The candles. Why? Is this a birthday party?

3) WAIT. Is it Beetlejuice's birthday? THAT WOULD EXPLAIN... well, at least the stripey parts.

4) Now I want shrimp cocktail.

5) You Beetlejuice fans got that one. You're welcome.


Thanks to Amy, Evelyn D., Jessica S., & Jemma S. for sending in those pics with absolutely no explanation. I mean, it's just more fun to imagine all the many, MANY reasons why this is a thing that happened.


I'll, uh, come up with one eventually, I'm sure.


Exploiting Google Maps for Fraud

Feb. 8th, 2016 06:52 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

The New York Times has a long article on fraudulent locksmiths. The scam is a basic one: quote a low price on the phone, but charge much more once you show up and do the work. But the method by which the scammers get victims is new. They exploit Google's crowdsourced system for identifying businesses on their maps. The scammers convince Google that they have a local address, which Google displays to its users who are searching for local businesses.

But they involve chicanery with two platforms: Google My Business, essentially the company's version of the Yellow Pages, and Map Maker, which is Google's crowdsourced online map of the world. The latter allows people around the planet to log in to the system and input data about streets, companies and points of interest.

Both Google My Business and Map Maker are a bit like Wikipedia, insofar as they are largely built and maintained by millions of contributors. Keeping the system open, with verification, gives countless businesses an invaluable online presence. Google officials say that the system is so good that many local companies do not bother building their own websites. Anyone who has ever navigated using Google Maps knows the service is a technological wonder.

But the very quality that makes Google's systems accessible to companies that want to be listed makes them vulnerable to pernicious meddling.

"This is what you get when you rely on crowdsourcing for all your 'up to date' and 'relevant' local business content," Mr. Seely said. "You get people who contribute meaningful content, and you get people who abuse the system."

The scam is growing:

Lead gens have their deepest roots in locksmithing, but the model has migrated to an array of services, including garage door repair, carpet cleaning, moving and home security. Basically, they surface in any business where consumers need someone in the vicinity to swing by and clean, fix, relocate or install something.

What's interesting to me are the economic incentives involved:

Only Google, it seems, can fix Google. The company is trying, its representatives say, by, among other things, removing fake information quickly and providing a "Report a Problem" tool on the maps. After looking over the fake Locksmith Force building, a bunch of other lead-gen advertisers in Phoenix and that Mountain View operation with more than 800 websites, Google took action.

Not only has the fake Locksmith Force building vanished from Google Maps, but the company no longer turns up in a "locksmith Phoenix" search. At least not in the first 20 pages. Nearly all the other spammy locksmiths pointed out to Google have disappeared from results, too.

"We're in a constant arms race with local business spammers who, unfortunately, use all sorts of tricks to try to game our system and who've been a thorn in the Internet's side for over a decade," a Google spokesman wrote in an email. "As spammers change their techniques, we're continually working on new, better ways to keep them off Google Search and Maps. There's work to do, and we want to keep doing better."

There was no mention of a stronger verification system or a beefed-up spam team at Google. Without such systemic solutions, Google's critics say, the change to local results will not rise even to the level of superficial.

And that's Google's best option, really. It's not the one losing money from these scammers, so it's not motivated to fix the problem. Unless the problem rises to the level of affecting user trust in the entire system, it's just going to do superficial things.

This is exactly the sort of market failure that government regulation needs to fix.

[syndicated profile] accidentallyincode_feed

Posted by Cate

Tiny Raccoon perches on a pillow on a business class airline seat. Below sits a passport, in a case that says "without this I'm nothing"

Tiny Raccoon would like to always travel in style. One day.

About a year ago I wrote about how I get myself uninvited from unflattering speaking invitations (TL;DR I use them as negotiation practice). And last August I wrote about the different options that speakers have when it comes to travel costs – including not going.

I was pretty public about not speaking if there was no real code of conduct, and I shared my costs for becoming a “public speaker” in 2014, but the thing I didn’t directly address last year was how I approached the money aspect.

My general rule last year was no travel, no Cate. I made a couple of exceptions and accepted accommodation-only where it worked for me (basically I wanted to go somewhere anyway, and if I gave a talk, I could make a case to write the flights off against tax), and covered my own very minimal costs to get to a local event that I loved the year before.

I said no to some things, but mostly just didn’t apply to things – I also find it useful that Technically Speaking highlights what travel costs are covered. And a big part of the reason why we do that is because we think it’s an inclusivity issue. This post covers it really well.

Anyway, I learned some things last year about speaking and travel and what I was and wasn’t OK with. For example, taking 4 flights because the conference had a limited budget. Turns out I’m not willing to spend one of my limited 24-hour days taking extra planes just because. We eventually found a compromise, but I learned something important about conferences that agree to cover international flights – check how much they think an international flight costs, especially if you are not flying from a major hub. Because you might expect max 1 change on the airline you have status with, and they might think 3 changes on $random_airline is acceptable.

This year I’m limiting myself to 6 talks, and getting more invitations, which means more opportunities for negotiation practice. But also, I can ask work to pay for travel, which also changes things.

However I’m not changing my policy, really. Because even if I don’t necessarily need my travel covered, I don’t want to speak at or attend events where only speakers who can have their companies cover travel can speak.

So in 2016:

  • For more community events, especially where I know the organisers, I’m willing to ask work to cover my travel in exchange for being listed as a sponsor if there is also provision for other speakers to have their travel covered. In one instance me doing this meant that the organiser could invite another woman speaker. Amazing.
  • For corporate events (I have a definition of this in my head, but it lacks diplomacy and seems unwise to share it), I want travel / accommodation covered. Star Alliance, minimum connections.

I’m not a diva. Well OK, I’m not that much of a diva. But my time is valuable, and to me this is an extension of the Code of Conduct thing – I only want to speak at or be associated with events that make an effort for inclusivity, and I believe that travel costs are an inclusivity issue.

Two years ago, I didn’t know what I was doing and frankly as an unknown couldn’t afford to be that hardline about it. I’ve worked (and paid my own way to speak) to get to this place of privilege where I can say “this is what I want” and where I don’t feel like I’m missing out if I can’t get an agreement. I hope being public about it encourages other people (who also have this privilege) to as well.

This Week

Feb. 7th, 2016 09:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

Getting used to the altitude and trying to find a rhythm where I swim in the evening. Went to the spa which I really needed. Trying to be better about one day a week no computer, and getting back to reading a novel a week. Last weekend I went to the Botanical Gardens.

I bought myself some flowers which is nice – been a long time since I was still for long enough to have flowers, and jam (approaching Peak Domestication here), and also a new swim suit and a bunch of stuff from Clinique.


Great! My boss or I will do a call with anyone underrepresented in tech working on mobile this month who wants one [tweet], I did my first one already and it was awesome.

We reopened sales of Technically Speaking tshirts, available until February 24th.

I’m speaking at Self.Conference in Detroit in May! Super excited about this.


Went to In Situ restaurant at the Botanical Gardens, which was nice, and La Provincia which was a lovely way to follow the spa. Had brunch at Ganso and Castor, which was lovely, and where I found the jam.


Still reading One Strategy, watching How I Met Your Mother season 5. Read All The Difference (loved this – about how one choice changes things, or doesn’t), and The One That Got Away (I liked this, until it got to the part where the woman didn’t believe in the man who had previously behaved badly and had to make up for it).

Product links go to Amazon.


A new edition of Technically Speaking is out.

On the Internet

Page generated Feb. 13th, 2016 08:42 am
Powered by Dreamwidth Studios