[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.

According to the European ATM Security Team (EAST), a nonprofit that represents banks in 29 countries, financial institutions in two countries recently reported ATM attacks in which the card data was compromised internally by “wire-tapping” or “eavesdropping” on the customer transaction. The image below shows some criminal equipment used to perpetrate these eavesdropping attacks.


Equipment used by crooks to conduct “eavesdropping” or “wiretapping” attacks on ATMs. Source: EAST.

“The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal” [pictured, bottom right].

Pictured above are what appear to be wires that are fed into the machine with some custom-made rods. It looks like the data is collected by removing the decal, fishing out the wire attached to the ATM’s card reader, and connecting it to a handheld data storage device.

I sought clarification from EAST about how the device works. Most skimmers are card slot overlay devices that work by using a built-in component that reads the account data off of the magnetic stripe when the customer inserts the card. But Lachlan Gunn, EAST’s executive director, suggested that this device intercepts the card data from the legitimate card reader on the inside of the ATM. He described the wiretapping device this way:

“It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”

The last report in my ATM skimming series showcased some major innovations in so-called “insert skimmers,” card-skimming devices made to fit snugly and invisibly inside the throat of the card acceptance slot. EAST’s new report includes another, slightly more advanced, insert skimmer that’s being called an “insert transmitter skimmer.”

Like the one pictured below, an insert transmitter skimmer is made up of two steel plates and an internal battery that lasts approximately one to two weeks. “They do not store data, but transmit it directly to a receiving device — probably placed less than 1 meter from the ATM.”

An insert transmitter skimmer. Source: EAST.


Both of these card skimming technologies rely on hidden cameras to steal customer PIN codes. In a typical skimming attack involving devices that sit directly on top of the card acceptance slot, the hidden camera is a pinhole spy cam that is embedded inside the card slot overlay and angled toward the PIN pad. Just as often, the camera is hidden in a false panel affixed directly above the PIN pad with the pinhole pointed downward.

According to EAST, the use of false sidebar panels is becoming more prevalent (see image below for an example). It is not unusual for hidden cameras to be obscured inside of phony brochure racks as well.


As this and other insert skimmer attacks show, it’s getting tougher to spot ATM skimming devices. It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots.

Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Are you as fascinated by ATM skimmers as I am? Check out my series on this topic, All About Skimmers.

[syndicated profile] geekfeminism_feed

Posted by Guest Blogger

Warning: this post details sexual violence.

This is a guest post by Kristin Nilsdotter Isaksson. It originally appeared in Swedish and in English on Spelkult. The English translation is by Charlie Charlotta Haldén.

Editor’s note: “larp” is live-action role play.

We’re talking about sexual harassment in the world of larp. Molestation, groping, assault and rape of participants who are asleep or intoxicated, aggravated rape with violent abuse, and even attempted murder.

On June 17, 2014, a new Facebook group was created for Swedish-speaking larpers who identify wholly or partially as women. The group quickly drew many members, and now comprises 580 larpers of varying ages and backgrounds. The idea was to create a sanctuary for discussions about different aspects of being a female larper. There are discussion threads about portraying female antagonists, about dealing with menstruation during larps, about sewing tricks, creating characters, organising larps. Small questions, big questions, and questions of vital importance.

It’s so important that we talk about our experiences. About how common this is, and that it’s not OK. About our right to say no, and that it’s never, ever, acceptable for someone not to listen. Everybody knows a victim, but nobody knows a perpetrator, and it’s time to take a stand now. — anonymous

A lot of times, I am personally skeptical of gender separated forums and arenas. I think spaces that are open for all tend to support a broader sharing of experiences. But I have realised that there are exceptions.

Lately, a darker subject has crept into the discussion threads, and during the past few weeks, a tsunami of voices has swept over us. Post after post, comment after comment, telling stories of painful experiences. We’re talking about sexual assault. At larps, or in larping circles. Over a thousand posts detailing experiences, sharing thoughts, discussing preventive measures, and not least, holding out hands in support.

There are a lot of perpetrators, and a lot of victims. The threads almost exclusively tell of assaults perpetrated by men towards women. There have been instances of sexual harassment, molestation, groping, assault and rape of sleeping or intoxicated larpers, aggravated rape with violent abuse, and even attempted murder. Some of these incidents have been reported, but a large amount of them have not reached the police, or even the larp organisers. Until now.

I was almost completely out of it, and I couldn’t do much of anything to stop it, because I hardly understood what was happening. He raped me, and in the morning I was ashamed and just left the camp, because it felt like it was my own fault. — anonymous

A lot of cases involve young people, 15-16-year-olds who are offered alcohol and harassed by older boys or men, and then things get out of hand during the night. In other cases, the acts are meticulously planned and perpetrated over a long period of time.

I was always supposed to play a submissive role at the larps, a servant to the group, to his friends. I was thrown around like a handbag. But I felt so worthless, so I reckoned I should be happy to get any attention. Then it got worse, the mental stuff turned into physical abuse… — anonymous

Many people ask themselves how this can happen. Shouldn’t larping be a safe arena, with a lot of eyes and ears that can react if something seems to be going wrong?

Most probably, it can happen because the people around let it happen. Partly because larpers are not really any different from other people in society, partly because the setting of a lot of larps actually makes sexual harassment more acceptable. Sociology calls this “habitus”, a series of codes that underlie a person’s behaviour. A lot of larps, especially in the fantasy genre, are stereotypical. Gender roles are clear and coded with different behaviours.

Male players will often choose a warrior character with a macho attitude, an acceptance for sexualising women and literally taking what he wants. This is a behaviour that would not be at all OK in normal society, but one that is seen a lot at different larps.

In the same way, female characters are often coded to be submissive, service-minded, soft, madonna-whores, or defenceless. Given that context, it can seem perfectly reasonable if a male player is upset about new rules suddenly being enforced that forbid playing on rape, since he had planned that his character should be an active rapist during the larp. When female characters are coded as submissive, the more dominant aspects of the male characters are intensified.

I was 13 years old, going to my very first larp together with a friend. None of us had any experience, and we didn’t know anyone except each other. The larp begins, and everything goes pretty well until the second day, when we are handed a note. The note says that the two older men in the tent across from ours want to meet us, because they want to find wives. This made me extremely uncomfortable, and I ended up hiding in the woods for the remaining days. — anonymous

Another contributing factor in several stories is that the victim has been separated from her group and placed in a new situation where she hardly knows the other players. Her safety net is gone.

Note that I didn’t know ONE SINGLE person in Sverok (The Swedish Gaming Federation) then. I had gone there all alone, representing my organisation, and had never met anyone else, so I didn’t have a single person there to talk to or seek support from. — anonymous

Some of the stories shared tell of incidents where larpers have lost their way in the middle of the night and been offered a place to sleep in exchange for sexual favours, or woken up with an unknown person’s hands all over their body. Because the victim has few contacts in the new group, she automatically becomes dependent on the perpetrator, and her scope for action is restricted.

Suddenly, I notice someone lying down next to me and starting to touch me, moving their hands under my clothes. I was really gone, but I realise that it’s the guy from before, and that makes me feel I can’t say no, because he might have thought I wanted to. So I let him keep on, and I just wanted to go to sleep so I didn’t have to experience this. We never talked again, and I never told anyone. — anonymous

In many of the cases, shame or fear of retribution has kept the people involved from telling anyone about the incidents. Moreover, the perpetrator usually has a larger amount of social capital than the victim does. They may be much older and more experienced, perhaps an organiser or someone with a lot of contacts in the larping world – as one person wrote, “someone you could trust”. If the person who was assaulted would report it to the police, or involve an organiser, there is almost always a legitimate fear that she would tarnish more people than the perpetrator – their friends, their network, the larp event – by diminishing the perpetrator’s power and social standing. This very strong group mechanism can often cause many people to initially take the perpetrator’s side and turn against the victim. There may be accusations saying that she put herself in the situation, that she behaved like a slut, that she was drunk and provocative and “corrupted” the perpetrator. There are numerous examples of this. The Bjästa case in Sweden and the Steubenville rape in the US are just two well-known examples outside the larping world.

I walked homewards, ice cold and freezing. It was dark, I couldn’t even see the path. Almost knocked myself out. I just wanted to get home so I could sleep. This guy was friends with the organisers, with my friends, everybody. Nobody would believe me, and that’s why I just kept quiet. — anonymous

This ongoing conversation has already resulted in some practical measures: Several organisers have taken action against alleged perpetrators, and suggestions for preventive efforts have been put forth, such as larps providing safety hosts and safe sleeping quarters. And people are talking, and processing. Some who have not dared go to a larp for several years because of fear have now felt safe enough to sign up again, and many larp organisers are working hard to ensure that larp is not a lawless haven for perpetrators to hide in.

All this may lead to people being named and shamed, and suffering reprisals such as being banned from larps and other social contexts. Whether this is justified or not is, of course, a matter of judgement. There is also a significant risk that those who have now dared to speak out might be accused and called into question.

My blood runs cold when I realise that I probably know several of the guys described here. People I have larped with, had fun with, and maybe been lucky enough not to end up alone with — anonymous

But this can also lead to a much safer larping experience with increased freedom of action for many players. The tolerance for this kind of behaviour may decrease as the spotlight is placed upon it. What might have been silently accepted earlier can now be pulled out into the open and questioned. Together, organisers and players develop new methods to ensure safer play for everyone, and that more women dare take up more space and choose among a broader array of characters.

The issues are now being discussed in other open larp forums too, and several players have called for more male voices in the conversation. Partly because this is not just about women’s experiences. There are not only male perpetrators. There are male victims too, and they may risk invisibility and stigmatisation. But there are also a lot of men who want to do something about this and show support. However, the question is if this massive sharing of experiences would ever have happened at all if the forum had been open to everyone. Most of the members of the Facebook group would probably say a resounding “no” to that question. Those who have been subjected to violations need a sanctuary in order to find the courage to start talking.

Our newsfeeds keep filling up. We keep talking. We discover connections. Someone who has felt desperately alone in her experience discovers, with hope and with horror, that there are many others out there who have been through similar things. This gives strength and breeds courage. The voices are powerful, and they will surely not quieten for a long, long time yet.

Background

The Facebook group referred to in the text is named LWU, Larp Women Unite. The group was started by Karin Edman after Linnea Risinger came up with the idea during the Summer of 2014.

The ”Prata om det” campaign (”Talk about it”, hashtag #prataomdet) was and is a movement consisting of writers, bloggers and tweeters, emanating from a Twitter discussion started by geek feminist Johanna Koljonen in 2010. This concerned sharing stories about grey areas in sexual situations, about when sex becomes violation. This campaign opened doors to conversations that had not previously been had on a larger scale in “geek culture”.

Oh Stuff It

Nov. 26th, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Unfortunately for us all, turkey cakes are a thing.
I guess I can live with this, but why - WHY - do bakers have to add the stuffing?

"Ahh, the ol' 'Fido's head exploded' design. Nice!

 

But can we add a few blood stains?"

"PERFECT."

 

"Now how about some moldy green bits? And can we make the turkey into a dirty paper bag?"

"PERFECTER."

 

"Next, throw in a weird body cavity that makes everyone vaguely uncomfortable..."

"Oooh, and is that dog food in there? I LIKE. Give me more.

MORE!!"

"Yes, yes, yes! AHAHAHAA!!!"

 

"But now I'm tired of stuffing. Let's go back to making those weird round ball things."

 

 

 

 

(Hey. Waaaiit a second.....)

AHHHHH FOOLED YOU!!

 

Thanks to Karen M., Karen L., Meg, Amy B., Terri W., Jessica C., Laura W., Rebekah, & Cortney of Rock City Cake Co. for guaranteeing I'll never look at a turkey cake the same way again. (And for having a wicked sense of humor!)

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate


Credit: Flickr / davidjoyner

I was handling a common occurrence when doing something that takes a noticeable amount of time on iOS.

  1. Show loading UI.
  2. Do work.
  3. Transition to post-work UI.

To make the experience better (so that it doesn’t lock up), I pushed 2 onto the background thread, and then had to push 3 back on to the main thread – this is one of The Rules of iOS, all UI stuff has to happen on the main thread.

And then my tests started failing. Aha! A learning opportunity! (Also known as, super annoying as I had other things to get done that day).

Kind friends directed me to the XCTest feature of writing tests with asynchronous operations, which seemed a little confusing at first but is essentially:

  1. Create a thing (an “Expectation”).
  2. Include a timeout in your test that will allow it time to happen.
  3. Call “fulfill” on that expectation when your thing has happened.

Create The Thing

In your test class:

XCTestExpectation *expectation = [self expectationWithDescription:@"desc"];

Add The Timeout

After you call the function under test (before asserts, verifying mocks etc):

[self waitForExpectationsWithTimeout:1 handler:nil];

You might want to include a handler block; this wasn’t necessary for my purposes.

Calling Fulfill

This code is easy! It’s just:

[expectation fulfill];

The question was, where to put it? The examples seemed to put it in a completion block, but if you look back at my outline above, the end of my test was when the UI changes to the post-activity UI. Specifically, when a new ViewController is pushed on the stack.

So I used a feature of the mocking framework (OCMock) that lets me stub a method and run a block when it is called. Here, I stub the pushViewController method, because it’s the last thing that should get called, and when it is called I mark my expectation as fulfilled.

OCMStub([mockNavController pushViewController:[OCMArg any]
                                       animated:YES])
      .andDo(^(NSInvocation *invocation){
          [expectation fulfill];
      });
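Putting the three steps together, as an added example that is not code from the original post: a hypothetical LoadingViewController (assumed name) that follows the loading/work/transition outline above, and the XCTest plus OCMock test for it. The mocked navigation controller, the partial mock used to hand it to the view controller, and the main-thread check inside the stub are assumptions of this example.

```objective-c
#import <XCTest/XCTest.h>
#import <OCMock/OCMock.h>
#import <UIKit/UIKit.h>

// Hypothetical view controller under test (assumed for this example):
// shows loading UI, does the work off the main thread, then pushes the
// post-work UI back on the main thread.
@interface LoadingViewController : UIViewController
@property (nonatomic, strong) UIActivityIndicatorView *spinner;
- (void)startWork;
@end

@implementation LoadingViewController

- (void)startWork {
    // 1. Show loading UI (we are on the main thread here).
    self.spinner = [[UIActivityIndicatorView alloc] init];
    [self.spinner startAnimating];

    // 2. Do the slow work on a background queue so the UI stays responsive.
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        NSString *result = [self performSlowWork];

        // 3. Hop back to the main thread: all UI changes happen there.
        dispatch_async(dispatch_get_main_queue(), ^{
            [self.spinner stopAnimating];
            UIViewController *next = [[UIViewController alloc] init];
            next.title = result;
            [self.navigationController pushViewController:next animated:YES];
        });
    });
}

- (NSString *)performSlowWork {
    [NSThread sleepForTimeInterval:0.1]; // stands in for network or disk I/O
    return @"done";
}

@end

@interface LoadingViewControllerTests : XCTestCase
@end

@implementation LoadingViewControllerTests

- (void)testStartWorkPushesResultOnMainThread {
    LoadingViewController *vc = [[LoadingViewController alloc] init];

    // Partial mock so that vc.navigationController returns our mock.
    id mockNav = OCMClassMock([UINavigationController class]);
    id partialVC = OCMPartialMock(vc);
    OCMStub([partialVC navigationController]).andReturn(mockNav);

    // Step 1: create the expectation.
    XCTestExpectation *expectation =
        [self expectationWithDescription:@"post-work view controller pushed"];

    // Step 3 (wired up before the call): fulfill when pushViewController:animated:
    // is invoked, and record which thread the push happened on.
    __block BOOL pushedOnMainThread = NO;
    OCMStub([mockNav pushViewController:[OCMArg any] animated:YES])
        .andDo(^(NSInvocation *invocation) {
            pushedOnMainThread = [NSThread isMainThread];
            [expectation fulfill];
        });

    [vc startWork];

    // Step 2: the timeout. waitForExpectations spins the run loop, which is
    // what lets the main-queue block run; the handler reports a timeout.
    [self waitForExpectationsWithTimeout:1 handler:^(NSError *error) {
        XCTAssertNil(error, @"expectation timed out: %@", error);
    }];

    XCTAssertTrue(pushedOnMainThread, @"UI update must happen on the main thread");
}

@end
```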

Voila!

[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • Twine, the Video Game Technology For All | New York Times Magazine: “Although plenty of independent games venture where mainstream games fear to tread, Twine represents something even more radical: the transformation of video games into something that is not only consumed by the masses but also created by them. A result has been one of the most fascinating and diverse scenes in gaming. The very nature of Twine poses a simple but deeply controversial question: Why shouldn’t more people get to be a part of games? Why shouldn’t everybody?”
  • 25 Tips for Diverse Hiring | Model View Culture: “In order to be successful with diverse recruiting, tech companies must invest in analysis and improvement at every stage of the hiring process. In this post, we offer a 101-style guide to top areas of focus, with specific suggestions to improve your hiring process and build more diverse teams.”
  • Ambling Along the Aqueduct: Sexual Harssment and Public Space: “I think that the difference for the second decade of the twenty-first century lies in the stunning, important fact that women are increasingly claiming a place in public space and are consequently transforming public discourse in ways that challenge male entitlement to a serious degree… The implication is that women are in public space on sufferance, as special cases, being given privileges that can be revoked for any one of a number of arbitrary reasons, usually amounting to not in some ways being above rubies.”
  • Casual sexism in scientific journal leads to editor’s note | Retraction Watch: “The Elsevier journal Biological Conservation has put out an apology, but not a retraction, after outcry over a bizarre, misogynistic non sequitur in a book review by Duke conservation biologist Stuart Pimm.”
  • Funding – linux.conf.au 2015 | 12 – 16 Jan | BeAwesome: “Apps close December 9. LCA 2015 and InternetNZ are proud to support diversity. The InternetNZ Diversity Programme is one way we ensure that LCA 2015 continues to be an open and welcoming conference for everyone. Together with InternetNZ this program has been created to assist under-represented delegates who contribute to the Open Source community but, without financial assistance, would not be able to attend LCA 2015.”
  • How Blacks and Latin@s Are Left Out of Tech Hiring by Stephanie Morillo | Model View Culture: “In other words, the qualified CS graduates of color tech claims it cannot find not only exist, but are actually being turned down for jobs in the very industry that says it cannot find them. For Blacks and Latin@s with dreams of going into tech and the social mobility it brings, this means that possessing credentials — and the increased networking opportunities that stem from respected CS programs — are not enough to erase the hidden (and not hidden) biases in tech’s hiring practices. The message that this then sends to younger generations of Blacks and Latin@s is clear: you need not apply.”
  • Barbie Remixed: I Really Can Be a Computer Engineer: “I happen to study remix, so one of my first thoughts upon seeing this was: someone is obviously going to remix this. I figured, why wait? I also have at my disposal my roommate Miranda Parker, a student of Mark Guzdial, who studies computing education and broadening participation in STEM. So with her input, I rewrote the book with a slightly different spin. (I also kept her as a “computer engineer” even though she’s really more of a computer scientist, software developer, etc.)  I hope you like this new narrative better, too!”
  • Engaging With Hateful People in Your Community Lends Legitimacy to Their Presence: “So why do you men get to care about the bigoted arguments and even engage & rebut? Because you’re unlikely to be targeted. They read as ‘abhorrent’ to you, but not as ‘threat to your safety’. Good for you! But for me, the presence of this person is a problem. When I see a male supremacist show up in an online space, the likelihood that I will participate drops to zero.”
  • No Solution | Medium: “If your coworker has chosen to share their story and truth, please respond with empathy and understanding. If empathy isn’t something hard wired into you, here are some tips: Listen as though it’s your only job. Avoid the urge to tune out. Avoid the urge to form counter arguments or move into defensive thinking. Avoid the urge to be “right”. Avoid the urge to critique.”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Adobe Pushes Critical Flash Patch

Nov. 25th, 2014 06:23 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

For the second time this month, Adobe has issued a security update for its Flash Player software. New versions are available for Windows, Mac and Linux versions of Flash. The patch provides additional protection on a vulnerability that Adobe fixed earlier this year for which attackers appear to have devised unique and active exploits.

Adobe recommends users of the Adobe Flash Player desktop runtime for Windows and Macintosh update to v. 15.0.0.239 by visiting the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted. Adobe Flash Player for Linux has been updated to v. 11.2.202.424.

According to Adobe, these updates provide additional hardening against CVE-2014-8439, which was fixed in a Flash patch that the company released in October 2014. The bulletin for this update is here. Finnish security firm F-Secure says it reported the flaw to Adobe after receiving information from independent researcher Kafeine that indicated the vulnerability was being exploited in the wild by an exploit kit (malicious software designed to be stitched into hacked Web sites and foist malware on visitors via browser flaws like this one).

To see which version of Flash you have installed, check this link. IE10/IE11 on Windows 8.x and Chrome should auto-update their versions of Flash.

The most recent versions of Flash are available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).


[syndicated profile] epbot_feed

Posted by Jen

Last Tuesday Florida had a single day of truly cold weather - we're talking, like, fifty degrees! - so John and I dropped everything and finally - FINALLY - went to Universal.

John's been to Hogsmeade once before, but embarrassingly enough I'd never been to either of the new Harry Potter areas. I've watched tons of walk-through videos online, clicked through every slideshow, listened to the stage shows, read all the ride reviews, drooled over the merchandise and menus, and generally fangirled over every detail. Yet, somehow, I never got the courage to go. I just didn't want to spend all that money to get in when I knew I couldn't go on any rides! So, I put it off.

Now that I'm working on overcoming my agoraphobia, though, I decided It Was Time. And to take the pressure off, John and I bought season passes - which were only $50 more than a 2-park day pass, anyway - so I won't feel so bad skipping the rides for now. 

We started with Hogsmeade at Islands of Adventure, and as we walked towards the Hogwarts Express, with the castle looming so beautifully on the horizon, I realized to my horror that I was so stinking happy I was actually going to cry. ("NoooOOOooo!!") Yep. I'm THAT PERSON now, you guys. I'd built up this visit in my head so much that I was completely overwhelmed, and all I could do was stagger around wide-eyed and sniffling. Gah.

John and I both brought heavy cameras, but they hung around our necks, forgotten, for most of the day. There was just too much. I couldn't take it all in!

As luck would have it the park was practically deserted - at least by Universal standards - so I was able to stagger and sniffle in relative ease. We walked the castle queue - quickly, because urrrg enclosed spaces - and then wandered up and down the street, gawking. Lunch at the Three Broomsticks (rather lackluster, but the Pear cider was nice), a quick Frog Choir concert, and then we were off to Diagon Alley.

I'm not ready for the train yet, so we had to take the looooong way 'round. That means walking all the way out of Islands, over to Universal, and then to the very back of the park. Good exercise.

Diagon Alley was even more of a rush, since Universal really cranked the detail and atmosphere there up to 11. And I thought there was a lot to see in Hogsmeade! WOW.

I finally remembered I had a camera, though, since I think it's park policy that you HAVE to take a picture of the dragon:


We wandered, we shopped, we ate sea salt caramel ice cream (SO GOOD), John went on Gringotts (a 5 minute wait, if you can believe it!), and we stood in the street and giggled & clapped like little kids over the booming roar of the fire-breathing dragon. Late in the day we even went to Ollivanders, where we had an almost private show, with only 4 of us in the audience! (And I was so captivated I didn't even mind being "trapped" in the show room for those few minutes.)

Time zipped by, and since the park closed at 6 we ended with dinner at the Leaky Cauldron, which was WAY better than lunch. (Try the Toad-in-a-Hole. Trust me.) I also had my first official Butter Beer! It tasted like the homemade version some friends made once, but the cream was much thicker; positively buttery. And yes, GOOD. (I heard they're offering hot butter beer now! Next time, I'm totally trying that.)

After dinner we spent our last few minutes watching the dragon:




And clapping for his final roar:


Then we dashed around taking a few more photos in the growing dark. It's so lovely there with all the lights on; it's a shame the park wasn't open later. Most of my pics were terrible, but here are a few that turned out:





And my favorite:
 

This statue is amazing, and just as I got down on one knee for the photo the end-of-night fireworks started, bathing the whole street in red light. Next time I'd love to bring a tripod, for better focus - oooh, and maybe try some HDR? I can see spending ALL the time here, just taking pictures.

But as wonderful as the day was, the best part was this: for the first time in maybe two years, I went on a ride. And better yet, I didn't panic. Sure, it was just The Cat in the Hat, and sure, I experienced real, honest-to-goodness terror getting into that ridiculous little car - but I did it.

I almost didn't, to be honest. I got up to the loading dock and totally choked. But as I hesitated, thinking I couldn't do this, thinking I'd just try again next time, I had another, louder thought. I thought about how proud you guys would be of me. I thought about how proud *I* would be to tell you I did it. And then, dangit, I CLIMBED INTO THAT SILLY SEUSS CAR.



Ok, maybe my victories are kind of ridiculous. But at least they're mine.

And next time, I promise more pictures!

The Great Turkey Uprising

Nov. 25th, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

My friends, have your past turkey cakes failed to rise to the occasion?

 

Did they fall flat at inopportune moments?

 

Or did the mere sight of your turkeys give guests a sudden headache?

Well, not this year!

This year, bakers are erecting new and improved turkey cakes guaranteed to satisfy!

Your turkey will stand taller:

 

Serve more:

 

And keep those dinner guests coming!

Plus stay extra moist!

 

So forget all those disappointing performances of the past, and get ready to be extra thankful this year:

"Well, howdy, pilgrim."

 

Thanks to Zach C., Sara G., Rene R., Colleen W., Mia M., Mike L., Marty G. & Danny R. for the fowl play.

Important Note to Bakers: Pssst. Guys. Remember to put a face on it, so no one gets suspicious, mmkay? Mmmmkay. Thanks.

 


[syndicated profile] adulting_feed

It is real tough to realize you live in a country where frat boys who gang rape someone have a campus hearing and a Black teenager who may have shoplifted $5 worth of stuff from a convenience store gets shot.

Spam Nation Book Tour Highlights

Nov. 24th, 2014 08:33 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Greetings from sunny Austin, Texas, where I’m getting ready to wrap up a week-long book tour that began in New York City, then blazed through Chicago, San Francisco, and Seattle. I’ve been trying to tweet links to various media interviews about Spam Nation over the past week, but wanted to offer a more comprehensive account and to share some highlights of the tour.

For three days starting last Sunday, I was in New York City — doing a series of back-to-back television and radio interviews. Prior to leaving for New York, I taped television interviews with Jeffrey Brown at the PBS NewsHour; the first segment delves into some of the points touched on in the book, and the second piece is titled “Why it’s harder than you think to go ‘off the grid’.”

On Monday, I was fortunate to once again be a guest on Terry Gross‘s show Fresh Air, which you can hear at this link. Tuesday morning began with a five-minute appearance on CBS This Morning, which included a sit-down with Charlie Rose, Gayle King and Norah O’Donnell. Later in the day, I was interviewed by the Marketplace Tech Report, MSNBC’s The Cycle, as well as the Tavis Smiley show. Wednesday was a mercifully light day, with just two interviews: KGO-AM and the Jim Bohannon Radio Show.

Thursday’s round of media appearances began at around sunrise in the single-digit temperature Chicago suburbs. My driver from the hotel to all of these events took me aback at first. Roxanna was a petite blonde from Romania who could have just as easily been a supermodel. I thought for a moment someone was playing a practical joke when I first heard her “Gud mornink Meester Krebs” in an Eastern European accent upon stepping into her Town Car, but Roxanna was a knowledgeable driver who got us everywhere on time and didn’t take any crap from anyone on the road.

The first of those interviews was a television segment for WGN News and a taped interview with TouchVision, followed by my first interview in front of a studio audience at Windy City Live. The guest who went on right before me was none other than the motivational speaker/life coach Tony Robbins, who is a tough act to follow and was also on the show to promote his new book. At six feet seven inches, Robbins is a larger-than-life guy whose mere presence almost took up half the green room. Anyway Mr. Robbins had quite the security detail, so I took this stealthie of Tony as he was confined to the makeup chair prior to his appearance.

On Thursday afternoon, after an obligatory lunch at the infamous Billy Goat burger joint (the inspiration for the “Cheezborger, cheezborger, cheezborger” Saturday Night Live skit) I visited the Sourcebooks office in Naperville, met many of the folks who worked on Spam Nation, signed a metric ton of books and the company’s author wall.

The Spam Nation signing in Naperville, IL.

After an amazing dinner with my sister and the CEO of Sourcebooks, we headed to my first book signing event just down the street. It was a well-attended event with some passionate readers and fans, including quite a few folks from @BurbsecWest with whom I had beers afterwards.

On Friday, I hopped a plane to San Francisco and sat down for taped interviews with USA Today and Bloomberg News. The book signing that night at Books Inc. drew a nice crowd and also was followed by some after-event celebration.

Departed for Seattle the next morning, and sat down for a studio interview with longtime newsman (and general mensch) Herb Weisbaum at KOMO-AM. The signing in Seattle, at Third Place Books, was the largest turnout of all, and included a very inquisitive crowd that bought up all of the copies of Spam Nation that the store had on hand.

Book signing at Seattle’s Third Place Books.

If you’re planning to be in Austin tonight — Nov. 24 — consider stopping by B&N Arboretum at 7:00 p.m. and get your copy of Spam Nation signed. I’ll be holding one more signing — 7:00 p.m. in Washington, D.C.’s Politics & Prose on Dec. 4.

For those on the fence about buying Spam Nation, Slate and LinkedIn both ran excerpts of the book. Other reviews and interviews are available at Fortune.com, Yahoo News, and CreditCards.com. Also, I was interviewed at length several times over the past month by CBS’s 60 Minutes, which is doing a segment on retail data breaches. That interview could air as early as Nov. 30. On that note, the Minneapolis Star Tribune ran a lengthy story on Sunday that followed up on some information I first reported a year ago about a Ukrainian man thought to be tied to the Target breach, among others.

[syndicated profile] adulting_feed

I’m not going to lie: hosting houseguests is a beast. Well, that’s not entirely fair, but it is a big undertaking. It’s also an incredibly kind thing to do for someone you love, and you will feel like an amazing, capable grown-up if you take just a few steps ahead of time to make it run smoothly.

Before they arrive:

• Food — any houseguest worth their salt will not expect you to provide them with meals morning, noon and night, but it is a really sweet thing to ask ahead of time what they like for breakfast, then stock those things. Even something simple, like having their favorite cereal, is such a pro move. Also, taking their dietary preferences and needs into account a week or so ahead of time when you’re grocery shopping is not strictly necessary, but very sweet.

• Linens — wash them, duh. And also, leave a stack of two clean towels either in their room or clearly designated as such in the bathroom.

• It’s nice to have the basic first-aid and over the counter meds on hand. As reader Jennifer pointed out, “Maybe you never need an antacid, you are opposed to using bandages, you take no painkillers for headaches, and you don’t ever take decongestant (and are mercifully not allergic to your cat), but you never know when an overnight or even just dinner/brunch/clothing swap guest will need some of these supplies.”

• Make sure you know exactly when they’re coming, exactly when they’re leaving, and see if they need any rides to or from the airport, train station, whatever. 

• There are lots of small, easy things to do that will make them feel so welcome. In the room where they’re staying (even if it’s just an air mattress on the living room floor), it’s great to make sure they have a reading light, and a little table by the bed. Stack up some funny, universally popular books (Bossypants, for example, or Hyperbole and a Half) that they can flip through. Leave a cute little card with the wifi name and password. Get a cheap-o $5 bouquet and put it on their nightstand.

"I love to make the room look really nice ahead of time," said Chris, my boyfriend’s mom who is also the best hostess ever and is constantly having houseguests. "If you make it obvious that you are really making it nice for them, it just makes them feel really welcome — people are nervous when they’re going to someone else’s house.”

• Get a spare toothbrush or two, and a new bar of soap. “No one else likes someone else’s old bar of soap,” Chris noted.

Shopping list: A spare copy of your key, breakfast food of choice, basic first-aid stuff if you don’t have it, a cheap bouquet, a new bar of soap, and a toothbrush. 

While they’re staying:

• Give them a copy of your key so they can come and go — if you live in an apartment, maybe give your neighbors a heads-up that you have guests so they don’t think someone’s breaking into your house.

• Tell them how to make coffee in the morning, any secrets of operating the shower, and where the extra blankets are. “It’s horrible to be in someone’s house and wake up in the middle of the night and be really cold,” Chris said, and she is so right, that is the worst.

• It’s not only OK but a great thing for you to kind of go about your business while they’re there. No one wants to feel like a burden, and also, just like you don’t want to have to socialize with them 24 hours a day, they probably don’t want to socialize with you 24 hours a day. Don’t feel like you have to wait on them hand and foot, because that’s not comfortable for anyone.

• It is nice, though, to think of a few activities they might be into or want to see while they’re with you. Chris said she also likes to put a recent issue of Portland Monthly or a guide to local hikes nearby, so people can do their own research.

• Graciously accept their help, or gifts of gratitude. If they want to take you out to dinner, let them! If they want to help with cooking or the dishes, that is wonderful. It’s a way for your guest to feel like they’re not a total imposition, and accepting things graciously is an excellent skill to have.

Anything I’m missing?

Absolutely Hystorical!

Nov. 24th, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Sharyn

Cake Wrecks presents:

Famous Wreckerators of the Past!

 

Shakespeare:

To b or not to b, that was the question.

 

Ivan Pavlov:

I don't know the dog's name, but something here is ringing a bell.

 

Count Dracula:

Yes. Yes you do.

 

Pandora:

I haven't even opened the box, and I've already lost hope.

 

Thomas Edison:

It just came to me in a flash.

 

Schrödinger:

Maybe the cat isn't alive OR dead; it's one of the living dead.

TAKE THAT, SCIENCE.

 

And finally...

Sigmund Freud:

Because sometimes a cigar is just an amputated finger phallus.

 

Thanks to Paula D., Carolyn F., Lyzz H., Elaine T., Carrie S., Suzy F., and Angela Z., who have never felt less cigar envy in their lives. (Right there with ya, ladies.)


The Entire Dev Team is Sick

Nov. 24th, 2014 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

I’m working on an app right now. I’ve been working on it since I escaped my gilded cage, modulo distractions – consulting, travel, talks, writing. It’s fun, working on my idea, and thankfully I met a great designer so it’s not going to be Developer Art. And it’s cool. I’ve had a working demo for a while which people have seemed to like, and now just refining the UX and some horrible bug (relating, I think, to filetypes) remain.

Of course that last 20% takes 80% of the time again. And I’d been making progress, knocking out all the small things, in between running around, but then I got 8 days to focus on it almost exclusively and discovered that past-Cate had left future-Cate, now present-Cate, a bunch of tedious and time-consuming things to do, and also that horrible file-type bug. And present-Cate understood what past-Cate had decided, but that was when being the entire dev team got a little lonely.

It had been really nice, making all the decisions, not having to do code-reviews, or spend time justifying decisions I’d made, because someone else would have made a different choice. I believe in code-review as a process, but so much tech-bro-male-dominance gets played out in them. Some people (men, I find) seem to view it as a making you jump through the hoop, where the hoop is “how I would have done it” and deviations must be justified. “Suggestions”, which seem a lot like orders, which I would resent much less if they worked most, or even half, of the time.

Naturally, it’s easier to live without code review on a platform I’m already pretty expert in, and I expect it will be harder when I move on to Android, where I haven’t already architected and led an app from first check in through to launch.

Really, there are two things I find hard about being the entire dev team.

Firstly, if I’m out for whatever reason – sick? The one day a week I force myself to take away from the computer? Meetings? A deadline for some other project? That’s it, nothing moves forward. It makes it easier to give up on progress that day, because it feels like it’s not going to move the needle anyway. On a team, if I took a day sick, I might still do code reviews for other people, or check in some little things, if I felt a bit better later in the day.

Secondly, when deciding between two alternatives, like the one where the mocks have arrived and that library component won’t do quite what it needs to and should be ripped out and replaced with a custom one, I’m the only person with the context. I think the decision is pretty clear, but I need to talk myself into it and convince myself that I haven’t missed anything. There’s no-one else with that context to have that conversation with. Thankfully a friend with some context was nice enough to listen and tell me I was right, but I missed sitting next to someone and being like, argh, you saw these same mocks and you code reviewed that code already and now it needs to change and yes.

I still have no-one to talk to about the filetype bug, but that’s OK. I’ll write more unit tests to understand it. And maybe start talking to myself. Or my plastic ducky.

 

The Desolation of Linkspam

Nov. 23rd, 2014 07:23 pm
[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • Men Explain Technology to Me: On Gender, Ed-Tech, and the Refusal to Be Silent: Hack Education (November 18th): “There’s a problem with the Internet. Largely designed by men from the developed world, it is built for men of the developed world. Men of science. Men of industry. Military men. Venture capitalists. Despite all the hype and hope about revolution and access and opportunity that these new technologies will provide us, they do not negate hierarchy, history, privilege, power. They reflect those. They channel it. They concentrate it, in new ways and in old.”
  • Uber Executive Suggests Digging Up Dirt on Journalists | BuzzFeed (November 17th): “A senior executive at Uber suggested that the company should consider hiring a team of opposition researchers to dig up dirt on its critics in the media — and specifically to spread details of the personal life of a female journalist who has criticized the company.”
  • The moment I learned just how far Uber will go to silence journalists and attack women | PandoDaily (November 17th):  “I have known many of Uber’s key investors and founders personally for six to ten years. Over that time I’ve seen an ever-worsening frat culture where sexist jokes and a blind eye here-or-there have developed into a company where the worst kind of smearing and objectification of women is A-ok.”
  • Gender, Race, and the Supernatural: Appreciating Sleepy Hollow’s Abbie Mills | Ms. Magazine Blog (October 29th): “Still, it’s one of the few shows featuring a black woman character who is not only kicking butt and taking names in her various encounters with demons, sorcerers, ghosts and zombies, but is constantly saving our white male hero and acculturating him into our 21st-century era: including driving automobiles, learning which mobile phone devices are the most up-to-date, and more recently, practicing yoga.”
  • Sweden Considers Special Labels for Sexist Video Games | Time (November 16th): “A government-funded innovation agency in Sweden is considering creating specials label for video games based on whether or not the games’ portrayals of women are sexist.”
  • Update: the following two links criticize Sweet Peach as described by Austen Heinz and Gilad Gome. Founder Audrey Hutchinson says her company, aiming to produce individualised probiotic mixes for vaginal use, was seriously misrepresented (November 23).
    • These Startup Dudes Want to Make Women’s Private Parts Smell Like Fresh Fruit | Inc (November 21): “At the DEMO conference in San Jose, California, on Wednesday afternoon, Heinz and Gome outlined their shared vision and previewed plans for a new probiotic supplement that will enable women to change the way their vaginas smell. Called Sweet Peach, it will be made using Cambrian Genomics’ DNA printing technology and financed through a campaign on the crowdfunding platform Tilt.”
    • How Not to Disrupt Women’s Bodies | Inc (November 21st): “Since time immemorial, beauty and feminine hygiene companies have used the promise of personal empowerment to help sell equally reprehensible, if much more subtle, campaigns based around negging women and then offering the solution to all of their bodily imperfections. Or smells. Especially smells. Poor Sweet Peach, trying to put a “probiotic supplement” gloss on what’s essentially the boring old douche market.”
  • Three Tactics that Block Women from Getting Ahead | Accidentally in Code (November 19th): “There are different kinds of gendered experiences. The outright sexual harassment, versions of “get back in the kitchen” is one, but another is patterns of behaviour that happen over, and over again to women, but much more rarely to men. It’s behaviour that men feel more OK with exhibiting towards women, because subconsciously they know they are much more likely to get away with it.”
  • Meet the Women Challenging the Media and Tech Establishments | Fast Company (November 17): “Not many journalists would leave a high-profile job at one of America’s most storied newspapers to create their own startup. But that’s exactly what former Wall Street Journal reporter Jessica Lessin did last year when she founded the tech news site The Information.”
  • Tech Freedom vs. Feminism | On the Left (November 19): “Several prominent tech freedom organisations choose to align themselves with and refuse to depose these kinds of men, no matter how horrible the shit against them is. The men themselves get away with harassing and abusing women because they are seen as being ‘valuable’ to the movement. Once you’re up on a tech freedom pedestal, it seems like it’s impossible for someone to bring you down.”

 

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Sunday Sweets: Cake of the Doctor

Nov. 23rd, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Happy Doctor Who Day, everyone! Come get some CAKE!

(By Sweet Dream Cake Company)

Gotta kick things off with the world's most famous blue box, and this one is a whopping four feet tall!

 

I wanted to show off more than just the TARDIS, though, so here are some sweet Who villains to liven up the party:

(By Happy Occasions Cakes)

A Cake Cyberman? Now THAT is an upgrade.

 

But I'd still be willing to exterminate this Dalek...

(By Mike's Amazing Cakes)

...WITH MY MOUTH.

Nomz.

 

If you have to make a cake of the Doctor's most terrifying villain, then I say, turn the Doctor into a bunny rabbit! That way the cute will even out the scary, like so:

(Also by Mike's Amazing Cakes)

Don't blink - 'cuz that bunny Who is too sweet to miss!

 

Careful, though; I think the Weeping Angel is peeking:

0.O

 

Do you believe in delicious irony?

(By Eat the Evidence)

Because eating a cakey adipose is wrong in all the right ways.

 

And not a villain at all, but check out this outstanding Ood!

(By That Little Cake Boutique for Wibbly Wobbly Cakey Bakers)

I hear his translation sphere even lights up!

 

Of course, we can't celebrate Doctor Who without the Time Lord himself:

(By Pink Cake Box)

As dashing as Eleven looks, I can't get over the open TARDIS door. WOW.

 

And here's one with homages to both Ten & Eleven:

(By Un Jeu d'Enfant)

Bow ties and fezzes and 3D glasses, oh my!

 

I love that the good Doctor is popping up in more themed weddings these days. Check out the oh-so-elegant Gallifreyan writing on this beauty:

(By Nom Nom Sweeties)

 

And here's John's favorite: an explosion of color with lots of Whovian surprises!

(By Artisan Cake Company)

I spy an adipose, an angel, and an ambushing Dalek!

 

And for the hardcore fans, let's see how much of this next one you recognize!

(By Delicious Snackies)

I see the fourth Doctor's scarf, a Time Lord's medallion, the crack in time (so cool), roses, Gallifreyan text, and I *think* that's a sonic screwdriver and the Master's pocket watch on top. WOWZA.

(Hit the link for more pics of the bottom tier; did anyone translate it yet?)

 

And finally, a gorgeous pop of classic colors and great design:

(By Cake Central member Emilsmee)

Love that bold red outlining, and the hand-painted tier of the famous Van Gogh "exploding TARDIS" is just perfect!

 

Hope you enjoyed today's Timey Wimey treats, everyone! Now go forth, and be wibbly wobbly!

Be sure to check out our Sunday Sweets Directory to see which bakers in your area have been featured here on Sweets!


This Week

Nov. 23rd, 2014 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

Life

Mostly hiding away getting stuff done, and then in London for the weekend where I got to catch up with people. I’d hurt my knee, which sucked because 1) so much pain, and 2) I rely on regular exercise to keep me sane, especially during periods when I’m locked away working alone! But after quite a bit of codeine and a trip to the physio I’m doing much better!

Work

Good! Some good news, and productive meetings, we’ll see if any of them turn into anything, and progress on a project. The app is looking super pretty and so close to done, so I can’t wait to get it out in the world soon!

And! My first piece of paid writing is out in the world! I’m monitoring the stats a tad obsessively. We also sent out the 2nd edition of Technically Speaking.

Media

Got way too into The OC, although thankfully now it is over! Something about having worked for years in open plan offices: I’m not used to working in peace. Still reading The Ethical Slut, and The Black Swan, neither of which I’m enjoying that much.

Places

Went to Coombe Abbey for tea (fancy), afternoon snack at Prezzo (nice seasonal vegetables). In London, lunch at MeatMission (tasty veggie burger, despite the name!) sushi at K10, brunch at Andina, dinner at Dishoom (yay for weirdly early dinners, and getting a seat in <20 mins).

Staying at the RE Hotel again, which is fine.

Published

Also, my post “We Hire the Best” is in the latest edition of Model View Culture, and a new edition of Technically Speaking is out.

On The Internet

[syndicated profile] epbot_feed

Posted by Jen

Time for more great geek art!

A few weeks ago I found a whole sleeve of art I somehow completely forgot I purchased at Dragon Con, and I'm mortified I missed these in my DC art roundup. 0.O Still, my goof-up is your gain!

So... you're not tired of dancing Groot yet, are you? Because you're gonna love this one by Kendra Stout, aka Miss Beanpants:


I bought that one for the give-away board, but Kendra also has a fabulous full-grown Groot in her Guardians set:


Plus other goodies, like this Luna with a baby thestral:


... and this fantastic Wonder Grrl:



Watch her Facebook page for more, or go check out her Etsy shop, where prints start at just $5!

 
Next up, I'm digging these long skinny prints by Josh D.:


Super fun, plus he donated Rapunzel for the board! Check Josh's site and store for more.

I've featured Josh's better half, Kate Carleton, here before, but LOOKIE:

"Disney Villains" 6x16 print, $15

I'm such a sucker for the noses on her "Doodlez" style.

And Kate very sweetly donated this Doctor print for the board:

Oh. MIGOSH. Ha!
Kate has a few prints in her Etsy shop, and some cute shirt designs like this Toothless over on TeePublic:


She's in the process of revamping her website, so watch her Facebook page for more!


Also for the give-away board, I bought this DC exclusive poster print by Drew Blank:

(I couldn't find it online, so please excuse the crappy cellphone pic.)

Drew's Hero Squares are too cute for words, and there are SO MANY to choose from!



Most of his 8.5 inch prints are $5, and his bigger posters like this are just $10:

Awesome Rocketeer/Fett mashup!


And the last of my lost Dragon Con purchases, which I'm going to need your help IDing:

This artist didn't have a card, so I think he wrote his name on a post-it for me... which I no longer have. HELP. Does anyone recognize either of these prints?

Update: Aha! Thanks, guys; these are by Drew Green. I don't see an online store, but hit the link to see more of his work on DeviantArt.

I love love LOVE the bright crisp colors - so much better in person - and fun graphic style. I was sorely tempted to keep them, even though I've never played Sonic the Hedgehog or seen Sailor Moon! (Though I'd like to!)

Moving on from Dragon Con...

Unfortunately you can't buy this squee-inducing BioShock: Infinite art, but, ah! SO GOOD:

"Library Tea Party" by DeviantArt member Sivcova, aka Julie
Songbird is my favorite video game character ever, so seeing him have tea with little Elizabeth gives me all the feelz. Oh, and click to embiggen for all the amazing details! How many game-related easter eggs can YOU find?

Another we can't buy, since the prints are sold out, but I can't stop staring at this Totoro optical illusion by Guillaume Morellec:

So clever!

I stumbled across a 1984 themed art show online, and fell for all the happy colors in this one by Carlos Lerma:


Only $35? I'm amazed there are any left!


And because we can never - NEVER - get enough art nouveau Disney Princesses, check out these beauties by Hannah Alexander of Never Bird Designs:

You can get the entire set of twelve 8X12 prints for about $65, or your choice of 3 for $25, at Hannah's Etsy shop.

And while you're there, check out her watercolors of Ariel & Merida!

Just stunning.

(If you're quick, you can snag the original painting of Merida for about $73!)

And speaking of originals, how about this ink-on-wood Alice in Wonderland by Sze Jones?

The original is $380 here, but I don't see any prints available. (Boo!) However, over on Sze's website I saw she made the same design for the cartoon version, and it's really cool to contrast the two!

Again, I sadly see no prints, but check Sze's site for more of her work!


K, I think that does it for this month, guys! As always, comment below for your chance to win your choice of free art from my Pinterest Art Give-Away Board. I'll ship anywhere, so internationals are welcome, and I'll announce the randomly selected winner in a few days.

Good luck, and happy commenting!

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

In April 2014, this blog featured a story about Lance Ealy, an Ohio man arrested last year for buying Social Security numbers and banking information from an underground identity theft service that relied in part on data obtained through a company owned by big-three credit bureau Experian. Earlier this week, Ealy was convicted of using the data to fraudulently claim tax refunds with the IRS in the names of more than 175 U.S. citizens, but not before he snipped his monitoring anklet and skipped town.

Lance Ealy, in selfie he uploaded to Twitter before absconding.

On Nov. 18, a jury in Ohio convicted Ealy, 28, on all 46 charges, including aggravated identity theft, and wire and mail fraud. Government prosecutors presented evidence that Ealy had purchased Social Security numbers and financial data on hundreds of consumers, using an identity theft service called Superget.info (later renamed Findget.me). The jury found that Ealy used that information to fraudulently file at least 179 tax refund requests with the Internal Revenue Service, and to open up bank accounts in other victims’ names — accounts he set up to receive and withdraw tens of thousands of dollars in refund payments from the IRS.

The identity theft service that Ealy used was dismantled in 2013, after investigators with the U.S. Secret Service arrested its proprietor and began tracking and finding many of his customers. Investigators later discovered that the service’s owner had obtained much of the consumer data from data brokers by posing as a private investigator based in the United States.

In reality, the owner of Superget.info was a Vietnamese man paying for his accounts at data brokers using cash wire transfers from a bank in Singapore. Among the companies that Ngo signed up with was Court Ventures, a California company that was bought by credit bureau Experian nine months before the government shut down Superget.info.

Court records show that Ealy went to great lengths to delay his trial, and even reached out to this reporter hoping that I would write about his allegations that everyone from his lawyer to the judge in the case was somehow biased against him or unfit to participate in his trial. Early on, Ealy fired his attorney, and opted to represent himself. When the court appointed him a public defender, Ealy again chose to represent himself.

“Mr. Ealy’s motions were in a lot of respects common delay tactics that defendants use to try to avoid the inevitability of a trial,” said Alex Sistla, an assistant U.S. attorney in Ohio who helped prosecute the case.

Ealy also continued to steal people’s identities while he was on trial (although no longer buying from Superget.info), according to the government. His bail was revoked for several months, but in October the judge in the case ordered him released on a surety bond.

It is said that a man who represents himself in court has a fool for a client, and this seems doubly true when facing criminal charges by the U.S. government. Ealy’s trial lasted 11 days, and involved more than 70 witnesses — many of the ID theft victims. His last appearance in court was on Friday. When investigators checked in on Ealy at his home over the weekend, they found his electronic monitoring bracelet but not Ealy.

Ealy faces up to 10 years in prison on each count of possessing 15 or more unauthorized access devices with intent to defraud and using unauthorized access devices to obtain items of $1,000 or more in value; up to five years in prison on each count of filing false claims for income tax refunds with the IRS; up to 20 years in prison on each count of wire fraud and each count of mail fraud; and mandatory two-year sentences on each count of aggravated identity theft that must run consecutive to whatever sentence may ultimately be handed down. Each count of conviction also carries a fine of up to $250,000.

I hope they find Mr. Ealy soon and lock him up for a very long time. Unfortunately, he is one of countless fraudsters perpetrating this costly and disruptive form of identity theft. In 2014, both my sister and I were the victims of tax ID theft, learning that unknown fraudsters had already filed tax refunds in our names when we each filed our taxes with the IRS.

I would advise all U.S. readers to request a tax filing PIN from the IRS (sadly, it turns out that I applied for mine in February, only days after the thieves filed my tax return). If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.

To read more about other ID thieves who were customers of Superget.info that the Secret Service has nabbed and put on trial, check out the stories in this series. Ealy’s account on Twitter is also an eye-opener.

[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Sonu Shankar, Software Engineer, Cisco Systems
Alicia Squires, Manager, Global Certifications Team, Cisco
Ashit Vora, Lab Director and Co-Founder, Acumen Security


When you're evaluating entropy, your process has to be scalable, repeatable and comprehensive... well, comprehensive in a way that doesn't outweigh the assurance level you're going for. Ideally, the method used for the evaluation would be valid for both FIPS 140 and Common Criteria.

Could we have the concept of a "module" certificate for entropy sources?

Let's think about the process for how we'd get here. We'd have to look at the entropy source, covering min-entropy estimation, review of built-in health tests, built-in oversampling, and a high-level design review.

There are several schemes that cover entropy and how to test it. You need to have a well documented description of the entropy source design, and leverage tools for providing statistical analysis of raw entropy.  It would be good to add statistical testing and heuristic analysis - but will vendors have the expertise to do this correctly?

How do you test for this? First, you have to collect raw entropy, disabling all of the conditioners (no hashing, LFSR, etc.). That is not always possible, as many chips also do the conditioning, so you cannot get at the raw output. If you can't get the raw entropy, then it's not worth testing: as long as you've got good conditioning, the output will look like good entropy regardless.

In order to run this test, you need to have at least one file of raw entropy containing 1 million symbols, and the file has to be in binary format.

When it comes time to look at the results, the main metric is min-entropy.

You need to be careful, though, to not over sample from your entropy source and drain it. You need to be aware of how much entropy it can provide and use it appropriately. [* Not sure if I caught this correctly, as what I heard and saw didn't quite sync, and the slide moved away too quickly]

When it comes to reviewing the noise source health tests, they need to catch catastrophic errors and reductions in entropy quality. This is your first line of defense against side channel attacks. The tests may be implemented in software before the DRBG or built in to the source.

Ideally, these entropy generators could have their own certificate, so that third parties could use someone else's hardware as an entropy source without having to worry about difficult vendor NDA issues.

[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Gary Granger, AT&E Technical Director, Leidos

Random values are required for applications using cryptography (such as for crypto keys, nonces, etc.).

There are two basic strategies for generating random bits: a non-deterministic random bit generator (NDRBG) and a deterministic random bit generator (DRBG). Both strategies depend on unpredictability.

Entropy source is covered in NIST SP 800-90B (design and testing requirements).  Entropy source model: Noise source, conditioning component, and health tests.

How do we measure entropy? A noise source sample represents a discrete random variable. There are several measures of entropy based on a random variable's probability distribution, like Shannon entropy or min-entropy. NIST SP 800-90B specifies requirements using min-entropy (a conservative estimate that facilitates entropy estimation).

FIPS 140 has additional implications for RNGs in its Implementation Guidance, specifically IG 7.11. It defines non-deterministic random number generators (NDRNG), identifies FIPS 140 requirements for tests, etc.

IG 7.13 covers cryptographic key strength as modified by an entropy estimate. For example, the entropy has to have at least 112 bits of security strength, or the associated algorithm and key shall not be used in the approved mode of operation.

But the basic problem remains: entropy standards and test methods do not yet exist. How can a vendor determine and document an estimate of their entropy? How do we back up our claims?

There are also different concerns to consider if you are using an internal (to your boundary) source of entropy or an external (to your boundary) source for entropy.


[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Juan Gonzalez Nieto, Technical Manager, BAE Systems Applied Intelligence

FIPS 140-2 and its Annexes do not cover protocol security, but the goal of this standard (and the organizations controlling it) is to provide better crypto implementations. If the protocol around the crypto has issues, your crypto cannot protect you.

Mr. Nieto's problematic protocol example is TLS - he showed us a slide with just the vulns of the last 5 years... it ran off of the page (and the font was not that large....).

One of the issues is the complexity of the protocol. From a cryptographer's point of view, it's simple: RSA key transport or signed Diffie-Hellman, plus encryption. In reality, it's a huge collection of RFCs that is difficult to put together.

TLS/SSL has been around since 1995, with major revisions every few years (TLS 1.3 is currently in draft). The basics of TLS are a handshake protocol and a record layer. Sounds simple, but there are so many moving parts: key exchange + signature + encryption + MAC... and all of those have many possible options. When you combine all of those permutations, you end up with a horrifyingly long and complicated list (an entertainingly cramped slide results). :)

But where are the vulnerabilities showing up? Answer: everywhere (another hilarious slide ensues). Negotiation protocol, applications, libraries, key exchange, etc... all the places.

Many of the TLS/SSL cipher suites contain primitives that are vulnerable to cryptanalytic attacks and that are not allowed by FIPS 140-2, like DES, MD5, SHA1 (for signing), RC2, RC4, GOST, SkipJack...

The RSA key transport is happening with RSA PKCS#1 v1.5 - but that's not allowed by FIPS 140-2, except for key transport. (See Bleichenbacher 1998).

There are mitigations for the Bleichenbacher attack, but as of this summer's USENIX Security conference... they're not great anymore. So, really, do not use static RSA key transport (as proposed in the TLS 1.3 draft). Recommendation: FIPS 140 should not allow PKCS#1 v1.5 for key transport. People should use RSA-OAEP for key transport (which is already approved).

Implementation issues, such as a predictable IV in AES-CBC mode, can enable plaintext recovery attacks. When the protocol is updated to mitigate, such as the fix in TLS 1.1/1.2 for Vaudenay's (2002) padding oracle attack, often something else comes along to take advantage of the fix (Lucky 13, a timing-based attack).

Sometimes FIPS 140-2 just can't help us. For example, with the POODLE (2014) attack on SSL 3.0 (mitigation: disable SSL 3.0), FIPS 140-2 wouldn't have helped. Authenticated encryption protocols are out of scope. Compression attacks like CRIME (2012)? Out of scope for FIPS 140-2.

Since Heartbleed, the CMVP has started asking labs to test known vulnerabilities. But, perhaps CMVP should address other well-known vulns?

Alas, most vulnerabilities occur outside of the cryptographic boundary of the module, so they are out of scope. The bigger the boundary, the more complex testing becomes. FIPS 140-2's implicit assumption that if the crypto primitives are correct, then the protocols will likely be correct, is flawed.

Perhaps we need a new approach for validation of cryptography that includes approved protocols and protocol testing?

In my personal opinion, I would like to see some of that expanded - but WITHOUT including the protocols in the boundary. As FIPS 140-2 does not have any concept of flaw remediation, if something like Heartbleed had been inside the boundary (and missed by the testers) - vendors would have found them, but had to break their validation in order to fix it.

Friday Favs 11/21/14

Nov. 21st, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

(Warning: Mildly naughty stuff ahead)

Some of my favorite new submissions this week:

 

For Lori's 30th birthday her friends thought it would be cute to get her a "2nd quinceañera" cake - quinceañera being the popular Latin American celebration of a girl's 15th birthday.

Now, Lori's baker may not know how to spell "quinceañera," but darned if she isn't a wiz with Hooked on Phonics:

Go on. Read it aloud.

RIGHT??

See, now I want to call up this bakery and order something in Klingon, just to see what I get.

****

 

The trouble with naming your child Clint:

O.0

****

 

Never fear, Faith's clown hat is here!

****

 

I know it's not even Thanksgiving yet, but some bakeries are already gearing up for the most politically correct time of the year:

Peace on earth. Goodwill toward non-gender-specific beings.

 

Oh! But you know what's NOT genderless?

This soccer team's cake:

Q: What's that shooting out from the tip?

A: I dunno, but I do know this:

"He shoots, he scooooores!!"

 

Thanks to Lori B., Ryan C., Ben W., Lori M., & Amanda M. for a real blast.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

Book: How to Deliver a TED Talk

Nov. 21st, 2014 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

How to Deliver a TED Talk (Amazon) is packed with some solid and fairly standard public speaking advice, which was good, but the most interesting parts for me were the deconstructions of TED talks. When prepping talks personally, I think a lot about my narrative, and taking notes during other people's helps me see theirs better, although this guy takes it to a whole other level!

All in all I thought it was worth a read. From the perspective of a public speaking nerd and as a speaker (although less so the latter).

[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Carolyn French, Manager, CMVP, CSEC
Randall Easter, NIST, Security Testing Validation and Management Group

Partial Cryptographic Accelerators

Draft IG 1.9: a hybrid module is a cryptographic software module that takes advantage of "Security Relevant Components" on a chip.

But that doesn't cover modern processors like Oracle's SPARC T4 and Intel's AES-NI, so there is a new IG (1.X): Processor Algorithm Accelerators (PAA). If the software module relies on the instructions provided by the PAA (a mathematical construct, and not the complete algorithm as defined in NIST standards), and cannot act independently, it's still a hybrid. If there are issues with the hardware and the software could work on its own (or on other platforms), then it is NOT a hybrid. (YAY for clarification!)

Sub-Chip Modules

What is this? A complete implementation of a defined cryptographic module is implemented on part of a chip substrate. This is different from when a partial implementation of a defined cryptographic module is implemented on part of a chip substrate (see above).

A sub-chip has a logical soft core. The cryptographic module has a contiguous and defined logical boundary with all crypto contained within. During physical placement, the crypto gates are scattered. Testing at the logical soft core boundary does not verify correct operation after synthesis and placement.

There are a lot of requirements in play here for these sub-chip modules. There is a physical boundary and a logical boundary. The physical boundary is around a single chip. The logical boundary will represent the collection of physical circuitry that was synthesized from the high level VHDL soft core cryptographic models.

Porting is a bit more difficult here. The soft core can be re-used, unchanged, and embedded in other single-chip constructs, but this requires operational regression testing. This can be done at all levels, as long as other requirements are met.

If you have multiple disjoint sub-chip crypto... you can still do this, but it will result in two separate cryptographic modules/boundaries.

What if there are several soft cores, and they want to talk to each other? If I have several different disjoint software modules that are both validated and on the same physical device, we allow them to exchange keys in the clear. So, why not here? As long as the keys are being directly transferred, and not taking a trip outside through an intermediary.

As chip densities increase, we're going to see more of these cores on one chip.




[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Apostol Vassilev, Cybersecurity Expert, Computer Security Division, NIST, Staff Member, CMVP

Why did we come up with IG 9.10 [Power On Self Tests]? There were many open questions about how software libraries fit into the standard. In particular, CMVP did not allow static libraries - but they existed. We needed to come up with reasons to rationalize our decision, so we could spend time doing things other than debating.

Related to this are IG 1.7 (Multiple Approved Modes of Operation) and IG 9.5 (Module Initialization during Power-Up).

The standard is clear in this case - the power-up self tests SHALL be initiated automatically and SHALL not require operator intervention.  For a software module implemented as a library, an operator action/intervention is any action taken on the library by an application linking to it.

Let's look at the execution control flow to understand this problem. When the library is loaded by the OS loader, execution control is not with the library UNLESS special provisions are taken. Static libraries are embedded into the object code and behave differently.

How do we instrument a library? Default entry points (DEPs) are a well-known mechanism for operator-independent transfer of execution control to the library. They have been available for over 30 years, and exist for all types of libraries: static, shared, dynamic.

There are alternative instrumentations: in languages like C++, C# and Java you can leverage static constructors, which are executed automatically when the library containing them is loaded.

What if the OS does not provide a DEP mechanism and the module is in a procedural language like C? You can consider switching to C++ or using a C++ wrapper, so that you can get this functionality. Lucky for my team, Solaris supports _init() functions. :)
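As an added illustration of the IG 9.10 control flow (not code from the talk or from any validated module), a C library that runs its power-up self test from a default entry point and then refuses service unless that test passed. It assumes the GCC/Clang `__attribute__((constructor))` hook as the DEP mechanism (Solaris `_init()` plays the same role), and FNV-1a is a stand-in for the approved algorithm whose known answer test a real module would run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Module state, modelled on FIPS 140-2 power-up behaviour: no crypto service
 * may be offered until the power-up self tests have passed. */
enum fips_state { FIPS_UNINITIALIZED = 0, FIPS_OPERATIONAL = 1, FIPS_ERROR = 2 };
static enum fips_state module_state = FIPS_UNINITIALIZED;
static int post_invocations = 0;

/* Stand-in for the algorithm under test. FNV-1a is NOT an approved algorithm;
 * it only plays the role SHA-256 or AES would play in a real module's KAT. */
uint32_t fnv1a32(const uint8_t *data, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Known answer test: recompute a fixed vector and compare to the stored answer. */
int fips_run_kat(uint32_t expected) {
    static const uint8_t msg[] = { 'a', 'b', 'c' };
    return fnv1a32(msg, sizeof msg) == expected;
}

/* Power-up self test. On failure the module enters the error state and all
 * services must refuse to operate until the tests are re-run successfully. */
enum fips_state fips_power_up_self_test(uint32_t expected_kat) {
    post_invocations++;
    module_state = fips_run_kat(expected_kat) ? FIPS_OPERATIONAL : FIPS_ERROR;
    return module_state;
}

/* Default entry point: GCC/Clang run constructor functions when the object is
 * loaded, before any application code can call into the library. This is the
 * operator-independent transfer of control IG 9.10 asks for; no call from the
 * linking application is needed to trigger the self test. */
__attribute__((constructor))
static void fips_module_init(void) {
    fips_power_up_self_test(0x1a47e90bu);  /* stored answer: FNV-1a("abc") */
}

/* A service exported by the library: gated on the module state. */
int fips_hash_service(const uint8_t *data, size_t len, uint32_t *out) {
    if (module_state != FIPS_OPERATIONAL) return -1;
    *out = fnv1a32(data, len);
    return 0;
}

enum fips_state fips_get_state(void) { return module_state; }
int fips_post_count(void) { return post_invocations; }

int main(void) {
    uint32_t h;
    printf("state after load: %d (POST ran %d time(s) before main)\n",
           module_state, post_invocations);
    if (fips_hash_service((const uint8_t *)"hello", 5, &h) == 0)
        printf("service ok: %08x\n", h);
    /* Simulate a corrupted KAT vector: the module must drop into the error state. */
    fips_power_up_self_test(0xdeadbeefu);
    printf("service after failed POST returns %d\n",
           fips_hash_service((const uint8_t *)"hello", 5, &h));
    return 0;
}
```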

Implementation Guidance 9.5 and 9.10 live in harmony - you need to understand and implement both correctly.

Static libraries can now be validated with the new guidance.

[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Sharon Keller, Director CAVP, NIST
Steve (?), CAVP, NIST

After NIST picks a new algorithm, the CAVP takes over and figures out how to test it. They need to evaluate the algorithm from top to bottom and identify the mathematical formulas, components, etc.

The CAVP develops and implements the algorithm validation test suite. Which requirements are addressable at this level? They develop the test metrics for the algorithm and exercise all mathematical elements of the algorithm. If something fails - why? Is there an error in the algorithm, or an intentional failure, or is there an error in the test?

The next step is to develop user documentation and guidance, called the validation system (VS) document, which documents the test suite and provides instructions on implementing the validation tests. There is cross validation to make sure that both teams come up with the same answers - a good way to check their own work.

The basic tests are Known Answer Tests (KAT), Multi-block Message Tests (MMT), and Monte Carlo Tests. KATs are designed to verify the components of algorithms. MMTs test algorithms where there may be chaining of information from one block to the next and make sure it still works. The Monte Carlo Tests are exhaustive, checking for flaws in the UI or race conditions.

Additionally, they need to test the boundaries - what happens if you encrypt the empty string? What if we send in negative inputs?

There are many documents for validation testing - one for each algorithm or algorithm mode.

The goals of all these tests? Cover all the nooks and crannies - prevent hackers from taking advantage of poorly written code.

Currently, the CAVP is working on tests for SP 800-56C, SP 800-132 and SP800-56A (Rev2).

In the future, there will be tests for SP 800-56B (rev1), SP 800-106 and SP 800-38A. Which of these is it most important for you to have completed?

Upcoming algorithms that are still in draft: FIPS 202 (Draft) for SHA3, SP 800-90A (Rev2) for DRBGs, SP 800-90B for entropy sources and SP 800-90C for construction of RBGs. Ms. Keller has learned the hard way that her team cannot write tests for algorithms until they are a published standard.


Use Less, Wreck More

Nov. 20th, 2014 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Today is Use Less Stuff Day - a time to push back against rampant materialism, reflect on life goals, and really ask ourselves the tough questions.

Like:

Do Snow White and the Dwarves really NEED a helicopter?

I mean, maybe they're Ok with just a monster truck, motorcycle, jeep, Lightning McQueen, and an airplane:

Or if not, Hulk could just throw them really hard.

 

And while we're cutting back, how many choking hazards do you REALLY need for a one-year-old?

 

Or for your cupcakes?

 

And why does Hilary Duff need so many Barbie accessories?

(Hey look, it's the pink boot we all lost when we were six! [No? Just me?])

 

My point is, why waste so much plastic flotsam when a single, well-placed element can be just as...
uh....

 

That is, I mean, sometimes it only takes ONE to... er...

Huh.

 

Well, maybe if we just put our heads together...

Perfect.

 

Thanks to Mike & Marja, Joyce W., Anony M., Nelly R., Melanie L., Mary V., & Susan S. for showing us how to get a head without paying an arm and a leg.

*****

Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] valerie_fenwick_blog_feed

Posted by Valerie Fenwick

Mary Ann Davidson, Chief Security Officer, Oracle Corporation

A tongue in cheek title... of course we're hoping nobody is listening!  While Ms. Davidson is not a lobbyist, she does spend time reading a lot of legislation - and tries not to pull out all of her hair.

There are business concerns around this legislation - we have to worry about how we comply, doing it right, etc. Getting it right is very important at Oracle - that's why we don't let our engineers write their own crypto [1] - we leverage known good cryptographic libraries. Related to that, validations are critical to show we're doing this right. There should not be exceptions.

Security vulnerabilities... the last 6 months have been exhausting. What is going on?  We all are leveraging opensource we think is safe.

We would've loved if we could've said that we knew where all of our OpenSSL libraries were when we heard about Heartbleed. But, we didn't - it took us about 3 weeks to find them all! We all need to do better: better at tracking, better at awareness, better at getting the fixes out.

It could be worse - old source code doesn't go away, it just becomes unsupportable.  Nobody's customer wants to hear, "Sorry, we can't patch your system because that software is so old."

Most frustrating?  Everyone is too excited to tell the world about the vulnerability they found - it doesn't give vendors time to address this before EVERYONE knows how to attack the vulnerability. Please use responsible disclosure.

This isn't religion - this is a business problem! We need reliable and responsible disclosures. We need to have good patching processes in place in advance so we are prepared. We need our opensource code analyzed - don't assume there's "a thousand eyes" looking at it.

Ms. Davidson joked about her ethical hacking team. What does that mean? When they hack into our payroll system, they can only change her title - not her pay scale. How do you think she got to be CSO? ;-)

Customers are too hesitant to upgrade - but newer really is better! We are smarter now than we used to be, and sorry we just cannot patch you thousand year old system. We can't - you need to upgrade! The algorithms are better, the software is more secure - we've learned and you need to upgrade to reap those benefits.

But we need everyone to work with us - we cannot have software sitting in someone's queue for 6 months (or more) to get our validation done.  That diminishes our value of return - 6 months is a large chunk of a product's life cycle. Customers are stuck on these old versions of software, waiting for our new software to get its gold star. Six weeks? Sure - we can do that. Six months? No.

Ms. Davidson is not a lobbyist, but she's willing to go to Capitol Hill to get more money for NIST. Time has real money value. How do we fix this?

What's a moral hazard? Think about the housing market - people were making bad investments, buying houses they couldn't afford to try to flip houses and it didn't work out. We rewarded those people, but not those who bought what they could afford (or didn't buy at all) - we rewarded their bad risk taking.

Can we talk with each other? NIST says "poTAHto", NIAP says "poTAHto" - why aren't they talking? FIPS 140-2 requires Common Criteria validations for the underlying OS for higher levels of validation - but NIAP said they don't want to do those validations.

We need consistency in order to do our jobs. Running around trying to satisfy the Knights Who Say Ni is not a good use of time.

And... The entropy of ... entropy requirements.  These are not specific, this is not "I know it when I see it". And why is NIAP getting into entropy business? That's the realm of NIST/FIPS.

Ms. Davidson ends with a modest proposal: Don't outsource your core mission.  Consultants are not neutral - and she's disturbed by all of the consultants she's seeing on The Hill.  They are not neutral - they will act in their own economic interest. How many times can they charge you for coming back and asking for clarification? Be aware of that.

She also requests that we promote the private-public partnership. We need to figure out what the government is actually worried about - how does telling them the names of every individual that worked on code help with their mission? It's a great onus on business, and we're international companies - other countries won't like us sharing data about their citizens. Think about what we're trying to accomplish, and what is feasible for business to handle.

Finally, let's have "one security world order" - this is so much better than the Balkanization of security.  This ISO standard (ISO 19790) is a step in the right direction. Let's work together on the right solutions.

[1] Unless you're one of the teams at Oracle, like mine, whose job it is to write the cryptographic libraries for use by the rest of the organization. But even then, we do NOT invent our own algorithms. That would just be plain silly.

Page generated Nov. 27th, 2014 02:07 pm