Any crafters out there?
Since I spend most of my time working online, I go a little crazy if I don't take time out each week to physically make something. It can be so satisfying working with your hands, and flexing those creative muscles, you know?
So what better theme for this week's Sweets?
(By Fancy Nancy Cakes)
Look at all that cheerful patchwork! Love the colors.
(By Shams D)
D'aww, the little easel with a cupcake painting!
Digging the little paperclips & scissors on the board, too.
Talk about jaw-dropping: look at all that delicate lace, and the hand painting that looks like porcelain!
Not to mention the insanely intricate cross-stitch piping. WOW.
Gotta have baking in here, am I right? And this is so cute, I can hardly stand it. The little measuring spoons! The shaker! And the piping bag - made of cake - which frankly is hurting my brain a little.
I had to look three times to verify that these are, in fact, edible. But I wouldn't mind having a yarn set lined up on my desk right now!
And one more, since I couldn't resist these "crocheted" flowers:
(By Cake Central member Bien)
All made with molds, I believe. Ahh-mazing.
I couldn't decide on this one, either, so you get two! First, a modern machine:
(By Rosebud Cakes)
Which, yes, is ACTUALLY CAKE.
And now a pretty vintage model!
With more of that incredible, edible lace!
(By Imaginarium Cakes)
Another one that blew my mind; if it didn't have "cake" right there in the name you'd never believe it either, right?
(By Sweet Hope)
So many great yarn basket cakes out there now, but this one caught my eye for its cheerful colors, perfect basket weave, and that fun knitted piece on the board.
And finally, for the artists out there:
How funky cool is this?? Gravity-defying tiers, clever faux shavings, pencils going every which way - it's genius, I tell you. GENIUS.
Hope your Sunday is just as Sweet, guys!
Fanboy moved to a different hotel this time, though, and I think that, above all else, is why it went so wrong.
But I'm getting ahead of myself. First, a positive sign:
I'm glad to see even the smaller cons taking a stand against potential harassment. In fact, this was the very first thing you saw at Fanboy, before even making it to ticket sales.
Then I spotted Belle in the midst of a good book:
No, not crowds; the layout. This narrow hallway was extremely long, and was the only way in or out of the con. That wouldn't be a problem, except the staff was also using the hall for the hours-long autograph line (that's all the people against the right wall) PLUS vendor tables squeezed in on the left there. You almost literally couldn't move at times, much less shop at the poor vendors.
The autograph line was so lengthy because Fanboy had snagged both the original Batman, Adam West, AND the original Robin, Burt Ward, as guests. I guess these two rarely appear together, so fans really came out of the woodwork... and Fanboy wasn't expecting the crowds? I guess? That's the only explanation I can come up with.
To give you an idea of the madness, our friend Chris came to Fanboy ONLY to get West's & Ward's autographs, plus a picture with the duo. Just those things took him the entire day.
More insanity: here's the line - on an actual stairwell - for people who were pulled from the autograph line because they didn't have cash. To pay with credit, you had to first wait in this line, then go to the next one.
This stairwell was the only way to get to the panel rooms upstairs. So you could definitely say "traffic flow" was an issue. 0.o
There wasn't much to see or do at Fanboy besides stand in line (every time we found a quiet corner to stand in, someone would ask, "What's this line for?" EVERY TIME. It became a running joke!), so John and I left after just a few hours. The only panel I wanted to see had some Disney voice actors, but the con scheduled it quite early - just an hour after open - so I missed it. (Boops.)
The vendor room was fairly lackluster with only a handful of artists, and several told us nothing was selling. The crowds were apparently spending all their money on the exorbitantly priced Batman & Robin autographs, which were $60 - $100 each. (With much more for photos.)
The costume contest was held upstairs in a tiny cave of a room, so dark that photos were impossible - and no stage, so you couldn't see them anyway.
Topping it all off, I think Fanboy was over-priced, charging $25 for a single day's admission. That's almost MegaCon money, for a convention one quarter of the size!
Ahhh, but I've griped enough, right? Let's get to the cosplay!
I should mention I had some camera problems at Fanboy, and nearly scrapped this whole batch in frustration. Almost all of my shots had varying degrees of blur to them, no matter what I did. Since then John's discovered there's a known focusing issue with the Canon 7D, and he just downloaded a software fix for it. I'm hoping that means my next batch is better!
... which is all a lengthy excuse for why this Moxxi is so blurry.
Such a great show. If you're an Amazon Prime member, you can stream the first season there for free.
Sadly I don't think we'll be returning next year, unless maybe they slash prices and/or change venues again. It would also help if they booked more celebs, though obviously Batman & Robin drew in huge crowds for them. For you locals, I'd definitely choose Tampa Bay Comic-Con instead. It's held the same month (this weekend, in fact), costs just $5 more, and is easily four times the size.
Speaking of which, we're at Tampa Bay Comic-Con at this very moment, so stay tuned for those photos later. Hope to see some of you there!
- Why Women Shouldn’t Have to Act Like Dudes at Work | The Atlantic (July 27): “The reason for women leaving is the absence of feeling valued.” Interview with Barbara Annis, founder of the Gender Intelligence Group, “a consultancy that works with executives at major firms (…) to create strategies to transform their work cultures into ones that are friendly to both men and women.”
- If you think women in tech is just a pipeline problem, you haven’t been paying attention | Medium (July 27): “When researcher Kieran Snyder interviewed 716 women who left tech after an average tenure of 7 years, almost all of them said they liked the work itself, but cited discriminatory environments as their main reason for leaving.”
- Study finds unexpected biases against teen girls’ leadership | EurekAlert! Science News (July 28): “Researchers at the Harvard Graduate School of Education find that not only many teen boys but many teen girls and some parents appear to have biases against teen girls as leaders”
- Why Do People Hate Fangirls? | Laci Green (July 17): “Confession: All the practice I got before my first kiss happened with a giant backstreet boys poster taped to the back of my door in 1999. And I regret nothing!” Laci Green explains what’s wrong with hating fangirls.
- Black Girls Rock: A look at Fierce, Feminist Women in Film | The Mary Sue (July 27): “It’s not enough to be the token friend, or the one Halle Berry in a sea of Regina Kings, or the sassy comic relief like Leslie Jones’s brief appearance in Trainwreck. We are beautiful and unique, and we deserve to be heard. That’s why I put together a list of amazing women in film roles that showcase black women as more than just the limited caricatures we are constantly bombarded with in mainstream media. This is your friendly reminder that black girls rock.”
- Waiting for Captain Marvel is getting old | Feministing (July 28): “When Marvel announced the Black Panther and Captain Marvel movies, I was among those cheering. Finally, a superhero film that centered a person of color and a woman. The reality, however, is that those films aren’t coming until 2018. In the meantime, we have to wait and watch films like Ant-Man invoke some sort of pseudo-feminist-women-are-badass-but-still-need-protecting message. Frankly, I may not make it until 2018.”
We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.
You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).
Thanks to everyone who suggested links.
I'm speaking at an Infoedge event at Bali Hai Golf Club in Las Vegas, at 5 PM on August 5, 2015.
I'm speaking at DefCon 23 on Friday, August 7, 2015.
I'm speaking -- remotely via Skype -- at LinuxCon in Seattle on August 18, 2015.
I'm speaking at CloudSec in Singapore on August 25, 2015.
I'm speaking at MindTheSec in São Paulo, Brazil on August 27, 2015.
I'm speaking on the future of privacy at a public seminar sponsored by the Institute for Future Studies, in Stockholm, Sweden on September 21, 2015.
I'm speaking at Next Generation Threats 2015 in Stockholm, Sweden on September 22, 2015.
I'm speaking at Next Generation Threats 2015 in Gothenburg, Sweden on September 23, 2015.
I'm speaking at Free and Safe in Cyberspace in Brussels on September 24, 2015.
I'll be on a panel at Privacy. Security. Risk. 2015 in Las Vegas on September 30, 2015.
I'm speaking at the Privacy + Security Forum, October 21-23, 2015 at The Marvin Center in Washington, DC.
I'm speaking at the Boston Book Festival on October 24, 2015.
I'm speaking at the 4th Annual Cloud Security Congress EMEA in Berlin on November 17, 2015.
The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.
That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.
Some of my favorite new submissions this week.
It took me entirely too long to realize this IS in English:
Spacing: the Final Frontier of Wreckerating
Judging by the CW Facebook page, I see I've trained you wrecky minions well:
Ahh, THE SNARK IS STRONG WITH THIS ONE.
And just in time for Cheesecake Day (which was yesterday):
(Btw, if it's been a while since you've seen my FB updates, here's a new & easy fix: on the CW page, under "Liked" at the top, click "See First." You'll never miss the wrecky lolz again!)
At first I thought it was a hot dog.
Then maybe a bowel re-section.
Now I just want to stop looking at it:
Somebody help me stop looking at it.
To quote JoAnna, who sent this in, "Mmmm, rope fibers!"
And I agree, JoAnna; the clumps of gold glitter really DO make it extra "beachy."
And finally, while not professional, this made me laugh out loud:
Video game-specific apology cakes? YES, PLEASE.
Heck, I think this should become a trend. A few more suggestions:
"Sorry I Played Skyrim For 6 Weeks Straight"
"Sorry I Won't Play Portal Co-Op With You Because You're Better At It And It's Annoying"
"Sorry For Beating Your High Score On Angry Birds"
"Sorry I Woke You Up At 3AM Because BioShock Was Scary"
"Sorry I Keep Talking To Claptrap" (WUB WUB!)
Thanks to Nancy E., Kristen F., Annie B., Ashley R., JoAnna H., & Anony M. for the beat-boxin' giggles.
At the Aspen Security Forum two weeks ago, James Comey (and others) explicitly talked about the "going dark" problem, describing the specific scenario they are concerned about. Maybe others have heard the scenario before, but it was a first for me. It centers around ISIL operatives abroad and ISIL-inspired terrorists here in the US. The FBI knows who the Americans are, can get a court order to carry out surveillance on their communications, but cannot eavesdrop on the conversations because they are encrypted. They can get the metadata, so they know who is talking to whom, but they can't find out what's being said.
"ISIL's M.O. is to broadcast on Twitter, get people to follow them, then move them to Twitter Direct Messaging" to evaluate if they are a legitimate recruit, he said. "Then they'll move them to an encrypted mobile-messaging app so they go dark to us."
The FBI can get court-approved access to Twitter exchanges, but not to encrypted communication, Comey said. Even when the FBI demonstrates probable cause and gets a judicial order to intercept that communication, it cannot break the encryption for technological reasons, according to Comey.
If this is what Comey and the FBI are actually concerned about, they're getting bad advice -- because their proposed solution won't solve the problem. Comey wants communications companies to give them the capability to eavesdrop on conversations without the conversants' knowledge or consent; that's the "back door" we're all talking about. But the problem isn't that most encrypted communications platforms are securely encrypted, or even that some are -- the problem is that there exists at least one securely encrypted communications platform on the planet that ISIL can use.
Imagine that Comey got what he wanted. Imagine that iMessage and Facebook and Skype and everything else US-made had his back door. The ISIL operative would tell his potential recruit to use something else, something secure and non-US-made. Maybe an encryption program from Finland, or Switzerland, or Brazil. Maybe Mujahedeen Secrets. Maybe anything. (Sure, some of these will have flaws, and they'll be identifiable by their metadata, but the FBI already has the metadata, and the better software will rise to the top.) As long as there is something that the ISIL operative can move them to, some software that the American can download and install on their phone or computer, or hardware that they can buy from abroad, the FBI still won't be able to eavesdrop.
And by pushing these ISIL operatives to non-US platforms, they lose access to the metadata they otherwise have.
Convincing US companies to install back doors isn't enough; in order to solve this going dark problem the FBI has to ensure that an American can only use back-doored software. And the only way to do that is to prohibit the use of non-back-doored software, which is the sort of thing that the UK's David Cameron said he wanted for his country in January:
But the question is are we going to allow a means of communications which it simply isn't possible to read. My answer to that question is: no, we must not.
For David Cameron's proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you've downloaded hasn't been tampered with.
This, then, is what David Cameron is proposing:
* All Britons' communications must be easy for criminals, voyeurs and foreign spies to intercept.
* Any firms within reach of the UK government must be banned from producing secure software.
* All major code repositories, such as Github and Sourceforge, must be blocked.
* Search engines must not answer queries about web-pages that carry secure software.
* Virtually all academic security work in the UK must cease -- security research must only take place in proprietary research environments where there is no onus to publish one's findings, such as industry R&D and the security services.
* All packets in and out of the country, and within the country, must be subject to Chinese-style deep-packet inspection and any packets that appear to originate from secure software must be dropped.
* Existing walled gardens (like iOS and games consoles) must be ordered to ban their users from installing secure software.
* Anyone visiting the country from abroad must have their smartphones held at the border until they leave.
* Proprietary operating system vendors (Microsoft and Apple) must be ordered to redesign their operating systems as walled gardens that only allow users to run software from an app store, which will not sell or give secure software to Britons.
* Free/open source operating systems -- that power the energy, banking, ecommerce, and infrastructure sectors -- must be banned outright.
As extreme as it reads, without all of that the ISIL operative will be able to communicate securely with his potential American recruit. And all of this is not going to happen.
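The cryptographic-signing point made above (fetch a package from any server and still verify it) can be shown concretely. This is an added example, not code from the essay or from any project it mentions; it uses Go's crypto/ed25519, a constructed in-memory archive, and placeholder mirror host names, and it also shows why a checksum file hosted on the same mirror is not a substitute for a signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: the archive, a checksum file the mirror
// also hosts, and the maintainer's detached signature over the archive.
type Release struct {
	Archive   []byte
	Checksum  string // hex SHA-256 of Archive, as published beside it
	Signature []byte // Ed25519 signature over Archive
}

// GenerateMaintainerKey creates the maintainer's signing key pair. The public
// half is distributed out of band (project site, keyservers, distro keyring);
// the private half never leaves the maintainer.
func GenerateMaintainerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func checksum(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the maintainer's step: sign the archive and emit the checksum file.
func Publish(priv ed25519.PrivateKey, archive []byte) Release {
	return Release{
		Archive:   archive,
		Checksum:  checksum(archive),
		Signature: ed25519.Sign(priv, archive),
	}
}

// ChecksumMatches only proves the archive matches the checksum file served
// alongside it. A mirror that alters the archive can rewrite that file too.
func ChecksumMatches(r Release) bool { return checksum(r.Archive) == r.Checksum }

// VerifyRelease is the downloader's check: true iff the bytes are exactly what
// the holder of the private key signed, whichever server delivered them.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Archive, r.Signature)
}

// HostileMirror models a mirror that appends to the archive and republishes a
// matching checksum; without the private key it cannot produce a valid signature.
func HostileMirror(r Release) Release {
	altered := append([]byte(nil), r.Archive...)
	altered = append(altered, []byte("\n# inserted by mirror\n")...)
	return Release{Archive: altered, Checksum: checksum(altered), Signature: r.Signature}
}

func main() {
	pub, priv, err := GenerateMaintainerKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a source tarball.
	archive := []byte("secure-messenger-1.0.tar.gz (constructed bytes)")
	honest := Publish(priv, archive)
	mirrors := map[string]Release{ // placeholder host names
		"mirror-a.example": honest,
		"mirror-b.example": honest,
		"hostile.example":  HostileMirror(honest),
	}
	for host, r := range mirrors {
		fmt.Printf("%-17s checksum ok=%-5v signature ok=%v\n",
			host, ChecksumMatches(r), VerifyRelease(pub, r))
	}
}
```

The two honest mirrors verify identically and the hostile one passes its own checksum but fails the signature, which is exactly the property that makes blocking individual servers ineffective.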
Last week, former NSA director Mike McConnell, former DHS secretary Michael Chertoff, and former deputy defense secretary William Lynn published a Washington Post op-ed opposing back doors in encryption software. They wrote:
Today, with almost everyone carrying a networked device on his or her person, ubiquitous encryption provides essential security. If law enforcement and intelligence organizations face a future without assured access to encrypted communications, they will develop technologies and techniques to meet their legitimate mission goals.
I believe this is true. Already one is being talked about in the academic literature: lawful hacking.
Perhaps the FBI's reluctance to accept this is based on their belief that all encryption software comes from the US, and therefore is under their influence. Back in the 1990s, during the First Crypto Wars, the US government had a similar belief. To convince them otherwise, George Washington University surveyed the cryptography market in 1999 and found that there were over 500 companies in 70 countries manufacturing or distributing non-US cryptography products. Maybe we need a similar study today.
This essay previously appeared on Lawfare.
We are interested in the application of interactive storytelling to videogames. We want to improve story experiences in open-world adventure and role-playing games. A game that features an open world allows its players to move freely in a large space with few or no artificial barriers, choosing what to do and when. The flexibility of an open world and the fact that adventure and role-playing games tend to have strong story components make these genres an interesting place to explore interactive storytelling techniques.
Our central goal is to support the creation of open-world videogame stories that give players a sense of coherence. To achieve this, we take a structuralist approach and partition stories into two types of scenes inspired by the concept of kernels and satellites. First, a minimal set of fixed scenes form a core story with strong authorial control. A game’s most central plot points become fixed scenes, thus acting like kernels. The rest of the story emerges from a much larger collection of flexible scenes that can appear just about anywhere in the story, save for a small set of preconditions. Most flexible scenes act like satellites: minor plot points, or opportunities to develop story elements like theme.
We want to give players the freedom to explore flexible scenes however they wish as they move through the fixed scenes as designed. A certain level of coherence is guaranteed when the content of the fixed scenes is itself coherent, but a story with few satellite scenes will have minimal aesthetic appeal. The challenge, then, is to maintain coherence no matter how a very large set of flexible scenes is experienced.
Instead of arranging flexible scenes according to a strict definition of causal coherence, we want to create a “sense of” coherence. By this we mean that not all events have to be causally related in explicitly obvious ways, but that players should have the sense that they could figure out the meaning of and relationships between events if they thought hard enough about it.
One of the major ways we achieve a sense of coherence is by managing the story’s progression. We keep track of when certain story elements, such as theme and character, are reflected. We then prioritize which scenes should be made available to players next according to a desired distribution of the story elements. For example, if a particular theme was developed very recently, we want to prioritize scenes that reflect some of the other themes. On the other hand, if it has been a long time since a theme was developed, scenes that reflect that theme strongly should have high priority. A good distribution of elements ensures that story elements don’t feel out of place when developed, and that reminders of previous scenes are made throughout the story.
Another facet of creating a sense of coherence is the emergence of structure at run-time through the use of conditions. Instead of defining causal relationships in a scene graph a priori, we allow authors to define prerequisites for their scenes. Using prerequisites is a common technique, but in our design we push for prerequisites based on story state values in addition to game state. For example, scenes might have prerequisites that only allow them to be seen once a particular theme has been developed sufficiently. Alternatively, a scene might be best suited for the early development of the theme, and should not appear later on. We want authors to think about flexible scenes in terms of how they function in a story’s development without having to worry about how they will fit within a series of causally related events.
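The progression management and story-state prerequisites described in the two paragraphs above, as an added example that is not the paper's own code: each flexible scene is scored by how strongly it reflects themes the story has neglected, prerequisites are evaluated against story state rather than game state, and the scene and theme names are constructed.

```go
package main

import (
	"sort"
	"strings"
)

// StoryState is the run-time record of what the story has developed so far.
// Prerequisites and priorities are evaluated against it, not against game state.
type StoryState struct {
	Clock     int            // number of scenes the player has experienced
	LastSeen  map[string]int // theme -> Clock value when it was last developed
	Developed map[string]int // theme -> number of scenes that have developed it
}

func NewStoryState() StoryState {
	return StoryState{LastSeen: map[string]int{}, Developed: map[string]int{}}
}

// Scene is a flexible scene. Themes maps each story element the scene reflects
// to a strength in (0, 1]. Prereq, if set, is a condition on story state.
type Scene struct {
	Name   string
	Themes map[string]float64
	Prereq func(StoryState) bool
}

// Staleness is how many scenes have passed since a theme was last developed.
// A theme that has never appeared counts as maximally stale so it gets introduced.
func (st StoryState) Staleness(theme string) int {
	last, ok := st.LastSeen[theme]
	if !ok {
		return st.Clock + 1
	}
	return st.Clock - last
}

// Score rewards scenes that strongly reflect neglected themes and gives almost
// no weight to themes developed very recently, steering the distribution.
func Score(s Scene, st StoryState) float64 {
	total := 0.0
	for theme, strength := range s.Themes {
		total += strength * float64(st.Staleness(theme))
	}
	return total
}

// Prioritize drops scenes whose prerequisites fail and orders the rest by
// descending score; ties are broken by name so the result is deterministic.
func Prioritize(scenes []Scene, st StoryState) []Scene {
	var out []Scene
	for _, s := range scenes {
		if s.Prereq != nil && !s.Prereq(st) {
			continue
		}
		out = append(out, s)
	}
	sort.SliceStable(out, func(i, j int) bool {
		si, sj := Score(out[i], st), Score(out[j], st)
		if si != sj {
			return si > sj
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// Experience records that the player has just seen scene s.
func (st *StoryState) Experience(s Scene) {
	st.Clock++
	for theme := range s.Themes {
		st.LastSeen[theme] = st.Clock
		st.Developed[theme]++
	}
}

// Joined lists scene names in priority order, for display and for tests.
func Joined(scenes []Scene) string {
	names := make([]string, 0, len(scenes))
	for _, s := range scenes {
		names = append(names, s.Name)
	}
	return strings.Join(names, ",")
}

// SampleScenes is a constructed set of flexible scenes built around two themes.
func SampleScenes() []Scene {
	return []Scene{
		{Name: "dragon_rumor", Themes: map[string]float64{"loss": 1.0}},
		{Name: "merchant_debt", Themes: map[string]float64{"trust": 1.0}},
		// Only fitting once "loss" has been developed at least twice.
		{Name: "hatchling_cave", Themes: map[string]float64{"loss": 0.8, "trust": 0.3},
			Prereq: func(st StoryState) bool { return st.Developed["loss"] >= 2 }},
		// Suited to the early development of "trust"; hidden once it has appeared.
		{Name: "first_betrayal", Themes: map[string]float64{"trust": 0.9},
			Prereq: func(st StoryState) bool { return st.Developed["trust"] == 0 }},
	}
}
```

Calling Prioritize after each Experience shows the ranking shift toward whichever theme has gone longest without development, while the early-only and late-only scenes appear and disappear as their story-state prerequisites change.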
In addition to controlling the path players take through a set of fixed and flexible scenes, we can improve the sense of coherence by adjusting the content of scenes. In so doing, we want to give players interpretative agency: they should feel like there are deeper layers in the story not being explicitly told, and they should feel like they can interpret those layers in a reasonable way.
We are exploring three ways of dynamically affecting the content of scenes. In the first, run-time criteria are used to choose a set of scenes that a recurring motif (say, an apple) can be featured in. Observant players will begin to notice the motif over time and assign meaning to why it appears in certain scenes. Eventually, they will expect something in particular to happen when a new scene with the motif begins.
Second, mix-ins give us pre-scripted opportunities to make connections to scenes the player happens to have already seen. As Keith Johnstone points out in the context of improvisation, “feeding something back in from earlier in the story adds ‘point’ and creates structure.” Characters, story elements, and dialog are all examples of source material that could be referred to in future mix-ins.
Finally, we can adjust the presentation of a scene to alter the player’s interpretation of otherwise unchanging events. Choice of lighting, background music, camera angles, and even the weather can all depend on the story’s state at the time a particular scene is reached. Perhaps the heroine of the story returns to the castle with the head of a dragon. The mood evoked during the scene might be bright and cheerful if the player saw the dragon as an evil menace. However, the mood might be more sombre if the player found out that the dragon was simply a loving mother trying to protect her hatchlings. The final event stays the same, but the interpretation of it changes.
In summary, our goal is to give players a sense of coherence when exploring stories in open-world adventure and role-playing games. We structure our stories as a set of fixed and flexible scenes. Players can traverse the set of flexible scenes freely, barring any prerequisites that deem certain scenes inaccessible. Flexible scenes are prioritized so that story elements are well distributed throughout the story. We encourage interpretative agency by dynamically introducing recurring motifs, using mix-ins to make connections to earlier points in the story, and modifying the presentation of a scene to affect interpretation. Through all of this, higher quality open-world stories will emerge while still maintaining a satisfactory level of interactivity.
New paper: "'...no one can hack my mind': Comparing Expert and Non-Expert Security Practices," by Iulia Ion, Rob Reeder, and Sunny Consolvo.
Abstract: The state of advice given to people today on how to stay safe online has plenty of room for improvement. Too many things are asked of them, which may be unrealistic, time consuming, or not really worth the effort. To improve the security advice, our community must find out what practices people use and what recommendations, if messaged well, are likely to bring the highest benefit while being realistic to ask of people. In this paper, we present the results of a study which aims to identify which practices people do that they consider most important at protecting their security on-line. We compare self-reported security practices of non-experts to those of security experts (i.e., participants who reported having five or more years of experience working in computer security). We report on the results of two online surveys -- one with 231 security experts and one with 294 MTurk participants -- on what the practices and attitudes of each group are. Our findings show a discrepancy between the security practices that experts and non-experts report taking. For instance, while experts most frequently report installing software updates, using two-factor authentication and using a password manager to stay safe online, non-experts report using antivirus software, visiting only known websites, and changing passwords frequently.
Joanna H. ordered this cake for her 30th birthday:
The horse shoe is for luck.
BECAUSE SHE'S GONNA NEED IT, AMIRITE?
Here's what Joanna got instead:
Insert "the trots" joke here. BAHAA TOILET HUMOR.
Whitney M. wanted a cake that looked like Neuschwanstein castle for her husband's 30th birthday.
Here's a picture of the castle for reference:
Ha! Come on, now, you'd have to pay someone at least four hundred bucks for a cake like tha...
"I paid $400 for this cake," Whitney writes, "plus $100 for delivery!!!!!!"
Oh. Well, ok, then. Um...
And finally, here's the cake Terrisa K. ordered for her wedding:
So, ya know, that's gonna end well.
She writes: "I didn't see the cake until I was actually walking down the aisle, whispering to my dad, 'is that my f***ing cake?!'"
Yes, Terrisa. Yes, it is.
Thanks to Joanna H., Whitney M., & Terrisa K. for showing us what's black and white and wrecked all over.
It's common wisdom that the NSA was unable to intercept phone calls from Khalid al-Mihdhar in San Diego to Bin Ladin in Yemen because of legal restrictions. This has been used to justify the NSA's massive phone metadata collection programs. James Bamford argues that there were no legal restrictions, and that the NSA screwed up.
It’s been a sad day for many of us in the Geek Feminism community, as we process the news of Nóirín Plunkett’s passing.
Nóirín was a powerful force for positive change. We have lost a tremendous collaborator and friend, and they will be deeply missed.
Words are challenging in the face of a loss like this one; many thanks to those who have written in memoriam of Nóirín thus far.
The Apache Foundation: “Nóirín was an Apache httpd contributor, ASF board member, VP and ApacheCon organizer. Nóirín’s passionate contributions and warm personality will be sorely missed. Many considered Nóirín a friend and viewed Nóirín’s work to improving ‘Women in Technology’ as a great contribution to this cause.”
The Ada Initiative: “Nóirín will be remembered as a leading open source contributor; brilliant and compassionate and welcoming and funny. They were a long time leader in the Apache Software Foundation community, and a gifted speaker and documentation writer. Nóirín was key to the creation of the Ada Initiative in more ways than one. Since then they made invaluable contributions to the Ada Initiative as an advisor since February 2011, and a project manager in 2014. We are more grateful than we can say.”
Sumana Harihareswara: “When I was volunteering on the search for the Ada Initiative’s new Executive Director, I worked closely with Nóirín and could always count on their wisdom, compassion, and diligence. I am so grateful, now, that I had a chance to collaborate with them — I had hoped to work with them again, someday, in some organization or other. One of the last times I saw them, they were crying with happiness over the passage of the Irish same-sex marriage referendum. I don’t want to end this entry because there is no ending that can do justice to them.”
Rich Bowen: “Nóirín’s motto was Festina Lente – Hasten Slowly, and this embodies their approach to life. They considered things carefully, and rushed to get things done, because life is too short to get everything accomplished that we put our minds to. In the end, theirs was far, far too short.”
Our thoughts are with everyone who shares our grief. Farewell, Nóirín.
[updated August 2, 2015: a couple of the linked posts have been updated to reflect Nóirín’s preferred pronouns (they); the quotes from those posts have also been updated here.]
The latest in identification by data:
Webber said a tipster had spotted recent activity from Nunn on the Spotify streaming service and alerted law enforcement. He scoured the Internet for other evidence of Nunn and Barr's movements, eventually filling out 12 search warrants for records at different technology companies. Those searches led him to an IP address that traced Nunn to Cabo San Lucas, Webber said.
Nunn, he said, had been avidly streaming television shows and children's programs on various online services, giving the sheriff's department a hint to the couple's location.
This is a terrible thing and I am still shocked and saddened to learn of their death. (Per their profile, please follow their pronoun preferences and use "they".)
Some things to know about them:
Their bold honesty about being sexually assaulted at an open source software event moved us to action; it helped spark the creation of the Ada Initiative.
They had just started a new role at Simply Secure, one that combined their open tech expertise with their writing and coordinating skills and their judgment and perspective.
When I was volunteering on the search for the Ada Initiative's new Executive Director, I worked closely with Nóirín and could always count on their wisdom, compassion, and diligence. I am so grateful, now, that I had a chance to collaborate with them -- I had hoped to work with them again, someday, in some organization or other.
One of the last times I saw them, they were crying with happiness over the passage of the Irish same-sex marriage referendum.
I don't want to end this entry because there is no ending that can do justice to them.
Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default prompt you to share access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends.
This brilliant new feature, which Microsoft has dubbed Wi-Fi Sense, doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ‘ole cantenna!).
I first read about this over at The Register, which noted that Microsoft’s Wi-Fi Sense FAQ seeks to reassure would-be Windows 10 users that the Wi-Fi password will be sent encrypted and stored encrypted — on a Microsoft server. According to PCGamer, if you use Windows 10’s “Express” settings during installation, Wi-Fi Sense is enabled by default.
“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” the FAQ reads.
The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.
Update, July 30, 12:35 p.m. ET: Ed Bott over at ZDNet takes issue with the experience described in the stories referenced above, stating that while Wi-Fi Sense is turned on by default, users still have to explicitly choose to share a network. “When you first connect to a password-protected Wi-Fi network, you choose if you want to share access to that network with your contacts,” Bott writes. Nevertheless, many users are conditioned to click “yes” to these prompts, and shared networks are shared with all Facebook, Outlook, and Skype contacts (users can’t pick individual contacts; access is shared with every contact on a given social network). Updated the lead to clarify that users are prompted to share.
El Reg says it well here:
That sounds wise – but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. And if the computer knows the key, a determined user or hacker will be able to find it within the system and use it to log into the network with full access.
In theory, someone who wanted access to your company network could befriend an employee or two, and drive into the office car park to be in range, and then gain access to the wireless network. Some basic protections, specifically ones that safeguard against people sharing their passwords, should prevent this.
I should point out that Wi-Fi networks which use centralized 802.1X authentication — and these are generally tech-savvy large organizations — won’t have their Wi-Fi credentials shared by this new feature: each user authenticates with individual credentials, so there is no single network passphrase for Wi-Fi Sense to hand out.
Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID“) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).
It’s interesting to contrast Microsoft’s approach here with Apple’s. Apple offers an opt-in service called iCloud Keychain, which lets users who turn it on sync WiFi access information, email passwords, and other stored credentials among their own personal constellation of Apple computers and iDevices via iCloud; it does not share that information with other users. Both iCloud Keychain and Wi-Fi Sense encrypt the credentials before syncing them; the differences are that Apple’s service is opt-in and that it only shares the credentials with your own devices.
Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS. But embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.
Why? For starters, despite years of advice to the contrary, many people tend to re-use the same password for everything. Also, lots of people write down their passwords. And, as The Reg notes, if you personally share your Wi-Fi password with a friend — by telling it to them or perhaps accidentally leaving it on a sticky note on your fridge — and your friend enters the password into his phone, the friends of your friend now have access to the network.
An article in Ars Technica suggests the concern over this new feature is much ado about nothing. That story states: “First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you’ll be asked if you want to share it with your friends/social networks.”
To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and says yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. True, that contact doesn’t get to see my Wi-Fi password, but he can nonetheless connect to my network.
While you’re at it, consider keeping your Wi-Fi network out of Google’s location database as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name. The Register seems to think Windows 10 upgraders can avoid both by including “_nomap” and “_optout” in the Wi-Fi network name, but this article at How-To Geek says users will need to choose the lesser of two evils.
Either way, Wi-Fi Sense combined with integrated Google mapping tells people where you live (and/or where your business is), meaning that they now know where to congregate to jump onto your Wi-Fi network without your permission.
- Prior to upgrading to Windows 10, change your Wi-Fi network name/SSID to something that ends with “_optout_nomap”. Microsoft looks for “_optout” anywhere in the name, while Google’s opt-out requires “_nomap” as the final suffix, so keep “_nomap” last.
- After the upgrade is complete, change the privacy settings in Windows to disable Wi-Fi Sense sharing.
- If you haven’t already done so, consider additional steps to harden the security of your Wi-Fi network.
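A small helper, added here as an example and not code from the original post, that checks whether an SSID satisfies both opt-outs and renames it if not. It relies on two facts the list above glosses over: Microsoft accepts “_optout” anywhere in the name while Google requires “_nomap” as the final suffix (so the order of the two tokens matters), and 802.11 caps an SSID at 32 octets, which a 13-character suffix can easily exceed. The SSIDs used below are constructed for the demo.

```python
"""SSID opt-out checks for Wi-Fi Sense and Google's Wi-Fi geolocation.

Added example (not from the original post). Assumptions:
  - Wi-Fi Sense opt-out: "_optout" anywhere in the SSID.
  - Google mapping opt-out: the SSID must END with "_nomap".
  - 802.11 limits an SSID to 32 octets, measured here as UTF-8 bytes.
"""

SSID_MAX_OCTETS = 32
WIFI_SENSE_TOKEN = "_optout"
GOOGLE_TOKEN = "_nomap"


def wifi_sense_opted_out(ssid: str) -> bool:
    """Microsoft's rule: the token may appear anywhere in the name."""
    return WIFI_SENSE_TOKEN in ssid


def google_opted_out(ssid: str) -> bool:
    """Google's rule: the token has to be the suffix, not merely present."""
    return ssid.endswith(GOOGLE_TOKEN)


def check_ssid(ssid: str) -> dict:
    """Report length and opt-out status for an SSID without changing it."""
    octets = len(ssid.encode("utf-8"))
    return {
        "octets": octets,
        "fits": octets <= SSID_MAX_OCTETS,
        "wifi_sense_opted_out": wifi_sense_opted_out(ssid),
        "google_opted_out": google_opted_out(ssid),
    }


def with_optouts(ssid: str) -> str:
    """Return the SSID renamed to opt out of both services.

    Existing tokens are removed first so a previously renamed network
    (including the wrong-order "_nomap_optout") is normalised rather than
    having tokens stacked on it. Raises ValueError if the result would not
    fit in 32 octets; the owner then has to shorten the base name.
    """
    base = ssid
    for token in (GOOGLE_TOKEN, WIFI_SENSE_TOKEN):
        base = base.replace(token, "")
    renamed = f"{base}{WIFI_SENSE_TOKEN}{GOOGLE_TOKEN}"
    octets = len(renamed.encode("utf-8"))
    if octets > SSID_MAX_OCTETS:
        raise ValueError(
            f"{renamed!r} is {octets} octets; SSIDs are limited to "
            f"{SSID_MAX_OCTETS}. Shorten the base name first."
        )
    return renamed


if __name__ == "__main__":
    # Constructed SSIDs for the demo.
    for name in ("HomeNet", "HomeNet_nomap_optout", "HomeNet_optout_nomap"):
        print(name, check_ssid(name))
    print("renamed:", with_optouts("HomeNet_nomap_optout"))
```

Note that the order the post itself mentions, “_nomap_optout”, passes the Wi-Fi Sense check but not the Google one, because “_nomap” is no longer the suffix; `with_optouts` fixes that ordering automatically.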
If you're not one of the people complaining about the heat right now, then you're one of the people complaining about the people complaining about the heat.
Either way, we all have the same problem:
Bad bikini cakes.
Yep, this heat wave has clearly addled bakers' brains, my friends, and the results simply aren't pretty.
Unless maybe you're looking for two trees in a Seuss-ian landscape.
Whoah. It's like I can't even see the tomato soup skin!
[singing] The hills are ALIIIIVE...
With butterfly CENsor dots!
No, wait. I have a better song.
(Ahem hem hem.)
From the MOUNT-ains,
To the VAL-leys,
To the OH-shoot!
Is that a THOOOOONG?
GOOOOOD bless America!
Oooohhh soooo wroooong!
Thanks to Heather R., Melissa D., Heather H., Ellen G., & Ginny, who will never look at a heart cookie the same way again.
This is a story of a very high-tech kidnapping:
FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing metadata from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.
The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they used a search warrant to AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they asked AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.
The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.
Here's the criminal complaint. It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it.
- TODO Group And Open Source Codes of Conduct | Model View Culture: “We’ve come up with some pretty great resources and tools, put them into practice, tested and iterated, and built community consensus. Yet TODO swoops in to erase and replace all of this work: without our consent or input, a group of massive companies with practically unlimited funds are branding and pushing a code of conduct that suits their needs, not ours.”
- That time the Internet sent a SWAT team to my mom’s house | Boing Boing: “As the reporter recounted all of this to me, I was living my research in real time. I was well-versed in the mechanics of a prank like this, but that didn’t abate the anxiety attacks I was having.”
- Managers beware of gender faultlines | EurekAlert! Science News: “In addition to gender divisions, the authors looked at a more benign kind of faultline: Those created by cliques centered on job types (that is, when people with similar job duties share not only that trait but other demographic qualities such as gender, age and time served.) When the diversity environment was positive, that kind of group identity actually led to stronger feelings of loyalty toward the firm. But the positive effect of job-function cliques disappeared when the diversity climate was unsatisfactory.”
We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.
You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).
Thanks to everyone who suggested links.
Earlier this year, I read Marie Kondo‘s bestselling book, “The Life-Changing Magic of Tidying Up” after reading a review in the New York Times. Her fantastic “KonMari” decluttering / home organization methodology was, for me and many others I know who’ve read it, life-changing. Asking yourself whether an item “sparks joy” and then thanking it for its service if you choose to discard it has had a transformative effect on how I think about the stuff in my space, and has been particularly useful as I whittle down my 1-bedroom-apartment’s worth of stuff into a more reasonable amount for my current studio.
Throughout the book, she directs the reader to embark on their tidying effort “all at once” and “in one go.” I found this extremely intimidating! I have a lot of crap from a decade of mostly living on my own, and there are many ~feels~ associated with said crap. Processing those feels is a lot of work – as Kondo puts it, “The question of what you want to own is actually the question of how you want to live your life.” So “all at once” felt, at times, super overwhelming to read.
Except that when she says “all at once,” she means six months. She only says this once in the whole book:
To achieve a sudden change like this, you need to use the most efficient method of tidying. Otherwise, before you know it, the day will be gone and you will have made no headway. The more time it takes, the more tired you feel, and the more likely you are to give up when you’re only halfway through. When things pile up again, you will be caught in a downward spiral. From my experience with private individual lessons, “quickly” means about half a year. That may seem like a long time, but it is only six months out of your entire life. Once the process is complete and you’ve experienced what it’s like to be perfectly tidy, you will have been freed forever from the mistaken assumption that you’re no good at tidying. (kindle link)
When I got to this passage I breathed a sigh of relief, and I wanted to share it in the hopes that it will encourage others to read her book and go a little easier on themselves in doing so. Here’s to sparking joy!
New research: "All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS," by Mathy Vanhoef and Frank Piessens:
Abstract: We present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol. To empirically find new biases in the RC4 keystream we use statistical hypothesis tests. This reveals many new biases in the initial keystream bytes, as well as several new long-term biases. Our fixed-plaintext recovery algorithms are capable of using multiple types of biases, and return a list of plaintext candidates in decreasing likelihood.
To break WPA-TKIP we introduce a method to generate a large number of identical packets. This packet is decrypted by generating its plaintext candidate list, and using redundant packet structure to prune bad candidates. From the decrypted packet we derive the TKIP MIC key, which can be used to inject and decrypt packets. In practice the attack can be executed within an hour. We also attack TLS as used by HTTPS, where we show how to decrypt a secure cookie with a success rate of 94% using 9·2^27 ciphertexts. This is done by injecting known data around the cookie, abusing this using Mantin's ABSAB bias, and brute-forcing the cookie by traversing the plaintext candidates. Using our traffic generation technique, we are able to execute the attack in merely 75 hours.
We need to deprecate the algorithm already.
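As an added example that is neither the paper's code nor part of this post: a pure-Python RC4 and a demonstration of the best-known initial-keystream bias, Mantin and Shamir's observation that the second keystream byte is zero with probability about 2/256, twice the uniform rate. It is used the way the abstract describes plaintext recovery: encrypt one fixed plaintext (a stand-in for a cookie) under many independent keys and read the biased byte straight off the ciphertext histogram. The key length, plaintext, trial count and RNG seed are constructed for the demo; the paper's 94% cookie attack combines many more biases over far more ciphertexts.

```python
"""RC4 second-byte bias and fixed-plaintext recovery (added example)."""
import random
from collections import Counter


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then n bytes of keystream (PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def encrypt_under_random_keys(plaintext: bytes, trials: int, seed: int = 1234) -> list:
    """Encrypt the same plaintext under `trials` fresh random 16-byte keys.

    Models a victim resending a fixed secret across many RC4 sessions.
    Keys come from a seeded PRNG only so the demo is reproducible; this is
    constructed sample data, not captured traffic.
    """
    rng = random.Random(seed)
    ciphertexts = []
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ciphertexts.append(rc4_crypt(key, plaintext))
    return ciphertexts


def recover_byte(ciphertexts, position: int):
    """Guess the plaintext byte at `position` from many encryptions.

    At position 1 the keystream byte is 0 roughly twice as often as any
    other value, so C[1] = P[1] XOR 0 = P[1] is the most frequent
    ciphertext value there. Returns (best_guess, best_count, runner_up_count)
    so the caller can judge how clearly the winner stands out.
    """
    counts = Counter(ct[position] for ct in ciphertexts)
    ranked = counts.most_common(2) + [(None, 0)]
    (best, best_n), (_, second_n) = ranked[0], ranked[1]
    return best, best_n, second_n


if __name__ == "__main__":
    secret = b"Cookie: secret"          # constructed plaintext
    cts = encrypt_under_random_keys(secret, 30000)
    guess, top, runner = recover_byte(cts, 1)
    print(f"recovered byte 1: {chr(guess)!r} (count {top}, runner-up {runner})")
    print(f"uniform expectation would be about {30000 / 256:.0f}")
```

Position 1 is the easy case; the other initial bytes have weaker biases and the long-term biases the paper relies on are weaker still, which is why the real attack needs orders of magnitude more ciphertexts and a candidate list rather than a single argmax.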
Parents, are the kids making too much noise? Need to quiet them down a bit? Maybe get them rocking themselves in the fetal position for the next few hours, followed by a life-long enrollment in therapy?
THEN DO WE HAVE THE CAKES FOR YOU!!
"Hey, kids, that's not sunburn - it's pulverized entrails! Ho-ho!"
"My name's Murders-A-Lot, and I like warm hugs!
"... followed by murder."
"We're gonna wreck... [clap!]... YOU UP."
I know I usually blur out bakery labels to protect the guilty, but what the actual heck, Baskin Robbins:
Sleep sweet, kiddos.
Thanks to Sarah H., Tom S., Sarah Y., Erica K., & Carol V. for finding a cake that mirrors all of our faces right now.
The Stagefright vulnerability for Android phones is a bad one. It's exploitable via a text message (details depend on the particular phone's auto-download behavior), it runs at an elevated privilege (again, the severity depends on the particular phone -- on some phones it's full privilege), and it's trivial to weaponize. Imagine a worm that infects a phone and then immediately sends a copy of itself to everyone on that phone's contact list.
The worst part of this is that it's an Android exploit, so most phones won't be patched anytime soon -- if ever. (The people who discovered the bug alerted Google in April. Google has sent patches to its phone manufacturer partners, but most of them have not sent the patch to Android phone users.)
But hey, enough about Tonks.
Actually, it's time to announce this month's Art winners!
So, the winner of the Batman & Batgirl set is Chiana
The winner of Link & Wonder Woman set is Erin Schleif
And my wild-card winner, who gets to choose from anything off the Give-Away Board, is Raum!
Congrats, winners, and please e-mail me your mailing addresses!
P.S. Kaitlyn Nielson, Blogger kept eating my reply to your comment - though I tried many times! - so please e-mail me your choice from the board, too, k? Or message me on Twitter or FB, since your first one didn't go through.
My slides are up, as is demonstration code, from "HTTP Can Do That?!", my talk at Open Source Bridge last month. I am pleased to report that something like a hundred people crowded into the room to view that talk and that I've received lots of positive feedback about it. Thanks for help in preparing that talk, or inspiring it, to Leonard Richardson, Greg Hendershott, Zack Weinberg, the Recurse Center, Clay Hallock, Paul Tagliamonte, Julia Evans, Allison Kaptur, Amy Hanlon, and Katie Silverio.
Video is not yet up. Once the video recording is available, I'll probably get it transcribed and posted on the OSBridge session notes wiki page.
I've also taken this opportunity to update my talks and presentations page -- for instance, I've belatedly posted some rough facilitator's notes that I made when leading an Ada Initiative-created impostor syndrome training at AdaCamp Bangalore last year.