More Halloween Madness

Oct. 31st, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

I think the sugar-high is really starting to kick in, you guys.

You can almost hear the insane giggling from behind the counter, am I right?


John thinks these are supposed to be maggots:

I think it's time to scroll down quickly and skip lunch.


Then there's this:


And this:

I've stared at that cookie for ages. Still have no idea what the baker was thinking.


Here's a fun party game:


I would, but there are children present.


Look, I'm not saying "Ouija" is the easiest word to spell, but you'd think they'd at least get it right on the second try:

And for those wondering what possessed [snerk] a bakery to make a Ouija Board display cookie in the first place: I'm not sure, but the fact that they added a "HELP" on the front is less than reassuring.
o.0 Someone wanna go check on them?

("Bring me an old priest, a young priest, a half gallon of milk, and some paper plates!")


And finally, why it must suck to have a Halloween birthday:

Remember, Kailey, you've got your whoooole life ahead of you.
Now, who wants a slice of grave stone?!


Thanks to Patty A., Holly N., Melissa H., Victoria F., Jennifer W., Hollie K., & Nicole P. for reminding us to wReck It Properly.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

Surprise Attack

Credit: DeviantArt / SkylerTrinityRapture

My notes from Sally Shepard‘s talk on Accessibility at iOSDevUK. It was really good, I thought I knew quite a bit about a11y but actually only VoiceOver really, so I learned a lot. Her slides are here.

Passionate about accessibility, accessibility issues in family.


  • Not that many people.
  • Time consuming.
  • Too complicated.
  • Don’t know how to test it.

1 in 7 people have some form of disability. It’s a growing population. This doesn’t include temporary impairments (break an arm, finger). Disabilities can make life extremely difficult. Can use technology to overcome these challenges.


  • Complete blindness.
  • Degeneration.
  • Diabetes.
  • Impairments.

Wide range. how do these people use iOS?


  • Replicates the UI for users who can’t see it.
  • 36 languages.
  • On iOS and OS X, iPod shuffle.
  • Can also extend using braille.
    • Brail displays.
    • Brail keyboards.
  • Makes a device that is completely usable for wide range of people that wouldn’t be able to otherwise.
  • Single tap to hear. Double tap to open.
  • Camera app. Demo – finally understand face detection.
    • Wouldn’t have thought camera could be accessible.
  • Demo Text edit.
  • Demo Flappy bird. Voice over doesn’t see anything on the screen.
    • If an app isn’t accessible, it’s just like a blank screen.

Make Views accessible using isAccessibilityElement. Can also set accessibilityLabel. UIKit uses the title. Image based controls need to specify this! Don’t include the control type.

accessibilityTraits: Combination of traits that best characterise the accessibility element.

accessibilityValue: Used when element has a dynamic value. Like a slider.

AccessibilityHint: Describes outcome of performing an action.

Adding support to xib or storyboard:

  • Enable a11y.
  • Fill out label.
  • Add hint traits.

Adding support programmatically:

  • Set label.
  • Set hint.
  • Set value.
  • Set traits.

Most apps have moved beyond basics. gestures, games. Handle this by finding out if user has voice over on, and if so, present something different.

UIAccessibilityCustomAction: Can add multiple actions to an element. e.g. array of actions on a table cell. In apple’s own apps since iOS 7, now in the API for iOS 8.

UIAccessibilityContainer: Specify the order voiceover should go through the elements.

accessibilityActivate added in iOS7. Gets called when user double taps. Good when gesture is normally used to activate.

DirectInteraction. Have to be careful about how you use it.

A11y notifications. Know if VO is speaking, when it has finished speaking. Can tell it to read things out at specific times.

Two finger double tap. e.g. in camera, will take a picture.

What if not using UIKit? Implement UIAccessibilityContainer protocol. VoiceOver just needs to know the frame of the contents and where they are on screen. Good sample code from WWDC.

Testing VO:

  • Test plans
  • User stories
  • Use cases
  • Do all of these with VO.
  • Simulator good for debugging. Use accessibility inspector.
  • A11y shortcut – triple tap home button. Or tell Siri!
  • Screen curtain. Three finger triple tap on the screen. good way to conserve battery! Makes sure you are not cheating.

User testing:

  • @applevis
  • WWDC labs
  • Charities and local councils
  • Support groups

Motor skills: Maybe can’t perform gestures, or press buttons, or hold a phone. In that case, device is blank screen. Can’t do anything with it.

Assistive touch: Can access things like more fingers, gestures, shaking.

Switch control: In iOS 7. Allows people to use device by using a series of switches. Can be used by hands, feet, head, anything. One switch or multiple switches depending on abilities.

  • Camera with switch control, take a picture.
  • Flappy birds with switch control. not very successful!

Amazing feature, v necessary, glad they added it.

Adding support for switch control:

  • Find elements that have actionable behaviour
  • If you’ve gone through a11y APIs for voiceover, should work.
  • Could make it better, if you did the a11y container protocol, specify a better order.

Have to test on a device. Simulator only gives you inspector.

Go though, same thing, make sure you can do the things you app does.

Contact apple, super happy to help with things like that. Talk to local charities or user groups.

Learning Difficulties

Autism, or cognitive disabilities. iOS can be distracting, because it’s quite an engaging experience. How does someone use it?

Guided accesses. Helps them focus. Parent or care giver can specify what actions shouldn’t be allowed.

UIAccessibilityIsGuidedAccess, new in iOS8

Visual accommodations:

  • Is bold text enabled
  • Reduce transparency
  • Darker system colors
  • Reduce motion

Why add a11y?

Things to do:

  • Push to OSS projects you use
  • Talk about it more – blog about it
  • Get involved
  • Still a LOT to do
  • Even if it seems like only a few people you can make a big diff


  • Spend a whole day with voice over on (very few support it)
  • Take one weekend to do something with a11y.
  • Work with charity to run a hackathon or hack day
  • As a dev it’s up to you to make your app a11y


  • Is a lot of people, 1 in 7
  • Very simple to add
  • No app is too complicated to be a11y
  • Testing is straightforward
[syndicated profile] hypatia_dot_ca_feed

Posted by Leigh Honeywell

I’m pleased to announce that I am joining Mod N Labs, a new security startup accelerator based in San Francisco, as an advisor. I’ll bring my industry experience as well as diversity and inclusion expertise as we help entrepreneurs build the next generation of security companies. I’m still at Heroku as my day job – it continues to be awesome.

If you have a cool security startup idea and would like to work with an amazing community of advisors and investors, please reach out – we want to hear from you. We are particularly interested in hearing from founders who are currently underrepresented in the security industry, including women, people of colour, LGBTQ people, and people with disabilities. We recognize that there is a mountain of research showing that diverse teams perform better, and we’d be remiss in not seeking out founders as diverse as the security landscape we live in.

Chip & PIN vs. Chip & Signature

Oct. 30th, 2014 08:13 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

emvkeyChip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature. Check out Flyertalk’s comprehensive Google Docs spreadsheet here for a member-contributed rundown of which banks support chip-and-PIN versus chip-and-signature.

I’ve been getting lots of questions from readers who are curious or upset at the prevalence of chip-and-signature over chip-and-PIN cards here in the United States, and I realized I didn’t know much about the reasons behind the disparity vis-a-vis other nations that have already made the switch to chip cards. So  I reached out to several experts to get their take on it.

Julie Conroy, a fraud analyst with The Aite Group, said that by and large Visa has been pushing chip-and-signature and that MasterCard has been promoting chip-and-PIN. Avivah Litan, an analyst at Gartner Inc., said MasterCard is neutral on the technology. For its part, Visa maintains that it is agnostic on the technology, saying in an emailed statement that the company believes “requiring stakeholders to use just one form of cardholder authentication may unnecessarily complicate the adoption of this important technology.”

BK: A lot of readers seem confused about why more banks wouldn’t adopt chip-and-PIN over chip-and-signature, given that the former protects against more forms of fraud.

Conroy: The PIN only addresses fraud when the card is lost or stolen, and in the U.S. market lost-and-stolen fraud is very small in comparison with counterfeit card fraud. Also, as we looked at other geographies — and our research has substantiated this — as you see these geographies go chip-and-PIN, the lost-and-stolen fraud dips a little bit but then the criminals adjust. So in the UK, the lost-and-stolen fraud is now back above where was before the migration. The criminals there have adjusted. and that increased focus on capturing the PIN gives them more opportunity, because if they do figure out ways to compromise that PIN, then they can perpetrate ATM fraud and get more bang for their buck.

So, PIN at the end of the day is a static data element, and it only goes so far from a security perspective. And as you weigh that potential for attrition versus the potential to address the relatively small amount of fraud that is lost and stolen fraud, the business case for chip and signature is really a no-brainer.

Litan: Most card issuing banks and Visa don’t want PINs because the PINs can be stolen and used with the magnetic stripe data on the same cards (that also have a chip card) to withdraw cash from ATM machines. Banks eat the ATM fraud costs. This scenario has happened with the roll-out of chip cards with PIN – in Europe and in Canada.

BK: What are some of the things that have pushed more banks in the US toward chip-and-signature?

Conroy: As I talk to the networks and the issuers who have made their decision about where to go, there are a few things that are moving folks toward chip-and-signature. The first is that we are the most competitive market in the world, and so as you look at the business case for chip-and-signature versus chip-and-PIN, no issuer wants to have the card in the wallet that is the most difficult card to use.

BK: Are there recent examples that have spooked some of the banks away from embracing chip-and-PIN?

Conroy: There was a Canadian issuer that — when they did their migration to chip — really botched their chip-and-PIN roll out, and consumers were forgetting their PIN at the point-of-sale. That issuer saw a significant dip in transaction volume as a result. One of the missteps this issuer made was that they sent their PIN mailers out too soon before you could actually do PIN transactions at the point of sale, and consumers forgot. Also, at the time they sent out the cards, [the bank] didn’t have the capability at ATMs or IVRs (automated, phone-based customer service systems) for consumers to reset their PINs to something they could remember.

BK: But the United States has a much more complicated and competitive financial system, so wouldn’t you expect more issuers to be going with chip-and-PIN?

Conroy: With consumers having an average of about 3.3 cards in their wallet, and the US being a far more competitive card market, the issuers are very sensitive to that. As I was doing my chip-and-PIN research earlier this year, there was one issuer that said quite bluntly, “We don’t really think we can teach Americans to do two things at once. So we’re going to start with teaching them how to dip, and if we have another watershed event like the Target breach and consumers start clamoring for PIN, then we’ll adjust.” So the issuers I spoke with wanted to keep it simple: Go to market with plain vanilla, and once we get this working, we can evaluate adding some sprinkles and toppings later.

BK: What about the retailers? I would think more of them are in favor of chip-and-PIN over signature.

Litan: Retailers want PINs because they strengthen the security of the point-of-sale (POS) transaction and lessen the chances of fraud at the POS (which they would have to eat if they don’t have chip-accepting card readers but are presented with a chip card). Also retailers have traditionally been paying lower rates on PIN transactions as opposed to signature transactions, although those rates have more or less converged over time, I hear.

BK: Can you talk about the ability to use these signature cards outside the US? That’s been a sticking point in the past, no?

Conroy: The networks have actually done a good job over the last year to 18 months in pushing the [merchant banks] and terminal manufacturers to include “no cardholder verification method” as one of the options in the terminals. Which means that chip-and-signature cards are increasingly working. There was one issuer I spoke with that had issued chip-and-signature cards already for their traveling customers and they said that those moves by the networks and adjustments overseas meant that their chip-and-signature cards were working 98 percent of the time, even at the unattended kiosks, which were some of the things that were causing problems a lot of the time.

BK: Is there anything special about banks that have chosen to issue chip-and-PIN cards over chip-and-signature?

Conroy: Where we are seeing issuers go with chip-and-PIN, largely it is issuers where consumers have a very compelling reason to pull that particular card out of their wallet. So, we’re talking mostly about merchants who are issuing their own cards and have loyalty points for using that card at that store. That is where we don’t see folks worrying about the attrition risks so much, because they have another point of stickiness for that card.

BK: What did you think about the White House announcement that specifically called out chip-and-PIN as the chip standard the government is endorsing?

Conroy: The White House announcement I thought was pure political window dressing. Especially when they claimed to be taking the lead on credit card security.  Visa, for example, made their initial road map announcement back in 2011. And [the White House is] coming to the table three years later thinking that its going to influence the direction the market is taking when many banks have spent in some cases upwards of a year coding toward these specifications? That just seems ludicrous to me. The chip-card train has been out of the station for a long time. And it seemed like political posturing at its best, or worst, depending on how you look at it.

Litan: I think it is very significant. It’s basically the White House taking the side of the card acceptors and what they prefer. Whatever the government does will definitely help drive trends, so I think it’s a big statement.

BK: So, I guess we should all be grateful that banks and retailers in the United States are finally taking steps to move toward chip cards, but it seems to me that as long as these chip cards still also store cardholder data on a magnetic stripe as a backup, that the thieves can still steal and counterfeit this card data — even from chip cards.

Litan: Yes, that’s the key problem for the next few years. Once mag stripe goes away, chip-and-PIN will be a very strong solution. The estimates are now that by the end of 2015, 50 percent of the cards and terminals will be chip-enabled, but it’s going to be several years before we get closer to full compliance. So, we’re probably looking at about 2018 before we can start making plans to get rid of the magnetic stripe on these cards.

[syndicated profile] cakewrecks_feed

Posted by Jen

Bakeries get a lot of leeway this time of year, since Halloween is supposed to have ugly gross stuff:


But there's raspberry jam soaked zombie faces, and then there's... uh... this:

Took me a solid minute to figure it out:

A banana shooting laser beams.

(I am SO GOOD AT THIS, you guys.)


Yep, bakers are once again trying to collectively punk the world, churning out ridiculous Halloween designs each more baffling than the last:

Aliens? Amoebas?
This guy?


I actually see this design a lot:

The angry toilet paper has sprouted arms, and is pulling itself to freedom.


While this roll vows revenge on airbrushes everywhere:

"I am not 'pretty,' I AM THE TERRIFYING TP! Here to WIPE you out! Mwuah-ha-haaawhy are you laughing?"


Next we have an ice cream swirl wearing a traffic cone about to be impaled by a trident.
Because if THAT doesn't say "Happy Halloween"... then don't worry 'cuz the board does:


For some reason ghost sperm are always a big seller this time of year:

They look kinda confused, though, right?
Like they can't tell if they're coming or going.



Also confused? Me, after looking at this thing:

They managed to get icing absolutely everywhere except on top of the cupcakes.
Now that's scary.


And finally, a possessed stove burner:

Because haunted appliances are SO hot right now.

("It burns. IT BURRRRNS!")


There's a ghost of a chance Brittany D., Carrie, Ginny V., Karen S., Megan S., Karrie T., Jennifer K., Jennifer R., & Shannon T. will be ordering out tonight. You're welcome, ladies!


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone’s time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims.

dataleakThe following scenario plays out far too often. E-fame seekers post a fake database dump to a site like Pastebin and begin messaging journalists on Twitter and other social networks, claiming that the dump is “proof” that a particular company has been hacked. Inevitably, some media outlets will post stories questioning whether the company was indeed hacked, and the damage has been done.

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

According to Nixon, the easiest way to check a leak claim is to run a simple online search for several of its components. As Nixon explains, seeking out unique-looking artifacts — such as odd passwords or email addresses — very often reveals that the supposed leak is in fact little more than a recycled leak from months or years prior. While this may seem like an obvious tip, it’s appalling at how often reporters fail to take even this basic step in fact-checking a breach claim.

A somewhat more advanced test seeks to measure how many of the “leaked” accounts are already registered at the supposedly breached organization. Most online services do not allow two different user accounts to have the same email address, so attempting to sign up for an account using an email address in the claimed leak data is an effective way to test leak claims. If several of the email addresses in the claimed leak list do not already have accounts associated with them at the allegedly breached Web site, the claim is almost certainly bogus.


To determine whether the alleged victim site requires email uniqueness for user accounts, the following test should work: Create two different accounts at the service, each using unique email addresses. Then attempt to change one of the account’s email address to the others. If the site disallows that change, no duplicate emails are allowed, and the analysis can proceed.

Importantly, Nixon notes that these techniques only demonstrate a leak is fake — not that a compromise has or hasn’t occurred. One of the sneakier ways that ne’er-do-wells produce convincing data leak claims is through the use of what’s called a “combolist.” With combolists, miscreants will try to build lists of legitimate credentials from a specific site using public lists of credentials from previous leaks at other sites.

This technique works because a fair percentage of users re-use passwords at multiple sites. Armed with various account-checking programs, e-fame seekers can quickly build a list of working credential pairs for any number of sites, and use that information to back up claims that the site has been hacked.

Account checking tools sold on the cybercriminal underground by one vendor.

Account checking tools sold on the cybercriminal underground by one vendor.

But according to Nixon, there are some basic patterns that appear in lists of credentials that are essentially culled from combolists.

“Very often, you can tell a list of credentials is from a combolist because the list will be nothing more than username and password pairs, instead of password hashes and a whole bunch of other database information,” Nixon said.

A great example of this came earlier this month when multiple media outlets repeated a hacker’s claim that he’d stolen a database of almost seven million Dropbox login credentials. The author of that hoax claimed he would release on Pastebin more snippets of Dropbox account credentials as he received additional donations to his Bitcoin account. Dropbox later put up a blog post stating that the usernames and passwords posted in that “leak” were likely stolen from other services.

Other ways of vetting a claimed leak involve more detailed and time-intensive research, such as researching the online history of the hacker who’s making the leak claims.

“If you look at the motivation, it’s mostly ego-driven,” Nixon said. “They want to be a famous hacker. If they have a handle attached to the claim — a name they’ve used before — that tells me that they want a reputation, but that also means I can check their history to see if they have posted fake leaks in the past. If I see a political manifesto at the top of a list of credentials, that tells me that the suspected leak is more about the message and the ego than any sort of breach disclosure.”

Nixon said while attackers can use the techniques contained in her paper to produce higher quality fake leaks, the awareness provided by the document will provide a greater overall benefit to the public than to the attackers alone.

“For the most part, there are a few fake breaches that get posted over and over again on Pastebin,” she said. “There is just a ton of background noise, and I would say only a tiny percentage of these breach claims are legitimate.”

A full copy of the Deloitte report is available here (PDF).

Happy Halloweenies!

Oct. 29th, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

How do I know these cakes want us to have a happy Halloween?

Why, it's as plain as the dongs on their faces.





My personal favorite:



And finally, ever wonder when your hubby's about to pick up a new nickname for certain regions of his anatomy?



Thanks to Jill P., Katie G., Alyson B., Patrick M., Melissa S., Stephanie F., & Dion H. for ensuring John never calls me 'pumpkin' again.


And now, your Moment of Jen:

The pumpkin face says it all.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

bunny in a bowl

Credit: Flickr / jpockele

When I previously wrote about better testing of view controllers on iOS I alluded briefly to the strategy of breaking the ViewController into a ViewController and a Presenter.

Again, I won’t go into mocking here, but you need a mocking framework and some understanding of what mocking is for this to make sense. Currently, I’m using OCMock. Also, XCTest is not the best documented, but here is a handy list of asserts.

This strategy means that for each ViewController there are two classes, MyViewController and MyViewPresenter. This inherits from top level classes which I have imaginatively named ViewController (inheriting from UIViewController) and Presenter (inheriting from NSObject).


ViewController and Presenter


The aim of the Presenter class is to expose the things that any ViewController might want to access, making it unnecessary for MyViewController to know about the MyViewPresenter class.

Presenter Interface

Presenter Implementation


This class handles setting the presenter, ensuring the navigation buttons are set up properly, and that viewLoaded gets called.

ViewController Interface

ViewController Implementation

Testing ViewController and Presenter

Neither of these classes do very much, but they provide us with a way to create a seam which is how we write unit tests. It might seem unnecessary to write tests for these, but that just means that the tests will be quick and simple. I err on the side of if it exists, test it. Both because it’s normally faster to just test it than decide every time, and also because I am often not as smart as I’d like to think I am, therefore am liable to break things.

I’ve opted to use Strict mocks rather than their more forgiving brethren, because I want to know exactly what is going on. This makes the tests a little more brittle than strictly necessary, but I find it a helpful learning mechanism.



Example: HomeViewController and HomeViewPresenter

This is the home screen for an image app, with a simple UI featuring 3 buttons – take a picture, show the gallery, and “inspire” which is not yet implemented.

HomeViewPresenter Interface

The init method is exposed for testing, but the ViewController is instantiated in the app by calling createViewController.

HomeViewPresenter Implementation

Notice, the view elements are accessed through the views and the actions added to them all call methods in the Presenter itself. The Presenter is also the delegate for the ImagePickerViewController.

HomeViewController Interface

The ViewController exposes the view within it, and a method for launching an ImagePickerViewController.

HomeViewController Implementation

You can see as a result the ViewController has very little code, because all it is doing is presentation.

Testing HomeViewController

The tests for the HomeViewController are very simple.

Testing HomeViewPresenter

The presenter is a little more interesting. Notice how we capture the action added to the UIButton and call it using sendActionsForControlEvents:.

The End

When starting from scratch, this method makes it so easy to write unit tests and doesn’t really increase the amount of code required per ViewController, just splits it in two. It’s harder to retrofit to an existing codebase, but it is possible.

Start with the top level classes, and then choose the simplest ViewControllers in your codebase to split. Add tests for them. Then choose progressively more complicated ones. You may need to add more methods to the top level ViewController and Presenter, depending on the complexity of your app. Often the reason why we don’t add tests for ViewControllers is that we never have, so starting is the hardest part.

Finally, on UIAutomation tests, I don’t see this as a replacement for KIF or other UIAutomation tests. These are great for making sure that every screen on the app loads OK, for example, and I still see apps sometimes (especially as apps have got larger) where some unloved corner of the app means that that what should launch a new screen just crashes. However these kind of tests allow us to get into details with less setup than is required by UIAutomation tests, making them easier and less time-consuming to debug.

A Spirited Similarity

Oct. 28th, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Ever wonder what it'd look like if famous characters came back as wrecky ghost cakes?

Yeah, me neither.

But I guess these bakers did!


A ghost called Jayne:

"All this booing is damaging my calm."


Spy VS Spy:

[mimes dropping a giant bomb on both]



Sounds fishy.





A Pac-Man ghost.

So meta.


A garden slug:
(Just go with it.)

C'mon, bakers. Slugs? Really?


A door mat:

Ok, now we're just getting ridiculous.


A roll of toilet paper:


(Let's not ponder too long what the little ghost on top is.)


And finally,

The Ghosts of Toilet Water Passed:

You could say they've been circling the drain for some time now.

[Ba dum BUM!]


Thanks to Gabrielle H., Katie B., Pam A., Danyell, Vicky B., Creig N., Karen T., & Joe T. for the sweet flush of victory.


Thank you for using our Amazon links to shop! USA, UK, Canada.

Live Tweeting My Own Talk

Oct. 28th, 2014 12:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

collection of tweets from my talk

The other week, I live tweeted one of my own talks. It’s captured here (thanks Kelsey!). I’ve been live tweeting a lot lately, and when I attend talks I take notes and/or live tweet so this became a natural extension. I’ve noticed a couple of other speakers (Kronda and Jo Miller) using tweets as part of their talks, so I wanted to try it.

I picked this talk because it was a small audience, and a last minute invitation so I was okay with being slightly less polished than usual, and because of the topic. I was talking about what happened at Grace Hopper (GHC) and live tweeting things that other people’s talks, so live tweeting my own seemed fair.

It was a slightly last minute decision, as I was going through my notes I had a thought “what if I do this” and so I didn’t have time to optimise it! I used Jo’s strategy of saving the tweets that I would send out in my drafts folder, and decided to number them at the start (1), (2), etc., so it would be easy for me to see at a glance which one came next. I accidentally tweeted instead of saved one as part of this process, but I quickly copied the text and deleted it so it was OK! I made sure to put my phone on DND mode so that I wouldn’t be distracted by notifications.

The best thing about live tweeting my own talk was that it allowed the reach of that talk to go beyond the small audience in the room. The collection itself has been pretty popular (and it made me very happy that someone had thought my remarks worth collecting!) as well as the individual tweets having good levels of engagement. It’s also nice that the message of this was curated by me – records of women speaking are often imperfect (my friend and amazing speaker coach Denise has been working on this for a long time) and I have been diligent about documenting my own talks in part because of this. One thing that I have done for a while is collect the tweets that happen during my talk into a Storify, it’s always a surprise what people have pulled out, or haven’t. In this case, the people in the room didn’t tweet at all, so if I hadn’t captured it myself there would have been no record, other than my notes (which I will eventually put up in a blogpost).

The drafts section of Twitter for iOS is not really set up well to do this. It was multiple taps to share each tweet. Buffer and “share now” would have been far better, so if I decide to do this again upgrading to Buffer Premium might be a better way to go, or giving my phone to a trusted friend in the audience.

I think I do need to pause more, so I figured taking this time for silence would be a good thing for my audience but I don’t think this worked as I had hoped – rushing to work through the UI to get to the buried drafts folder, scrolling down to the bottom. Not ideal. I know it made me less good at eye contact. It also meant that I was working from two devices – my notes on my iPad, and my tweets on my iPhone. A talk that I’d spent more time preparing and been more familiar with, I could have used the tweets as my prompts and just shared them as I progressed through the talk. I did this talk without slides, and adding those transitions in as well would have been way too much!

The final question that I have to ask myself in a debrief of this – will I do it again? Not in that format, but maybe. I tend to prep a talk really well and reuse it, and I don’t think I would want to live tweet a talk more than once. This particular one was full of tweetable soundbites and timely, my talk on mobile is full of stories and I don’t think it would work as well. Maybe the talks I prep for next year will work better. I’ll either get a friend in the audience to help, or use something like Buffer with a better interface for storing a backlog of tweets and sharing one by one.

[syndicated profile] epbot_feed

Posted by Jen

Squeaking in juuust before Halloween to show off my last crafty creation of the month:

A Haunted Mansion inspired door wreath!

(Yep, my front door is HM purple. I painted it last year around Halloween, so it seemed only fitting to finally make a wreath to match!)

Appropriately enough, this thing was a nightmare to photograph, but I did my best. I think you can see everything Ok, but I do wish the two lighted elements showed better; they're really much brighter in person!

The first light is in the coffin:

The green shining through the cracks looks super cool at night.

It was inspired by this coffin in the Mansion's conservatory:


And the second lit element is little Leota's head - or more specifically, her eyes:

John and I discovered that if you cram a LED inside a porcelain doll's head, the eyes glow. Nifty, huh? (Now imagine all your dolls with red glowing eyes... that only turn on... AT NIGHT. MWUAH-HA-HAA!)

Here's how the wreath looks during the day:
A bit of a glare on the Welcome sign, but otherwise still pretty fun in the light!

I painted the coffin & clock green as an homage to the HM cast costumes:

 The wreath materials were quite cheap, but since almost everything had to be made from scratch, it was pretty labor-intensive. Keep reading if you'd like a quick break down & explanation for of all the parts!

Wreath: An old grape vine wreath, spray-painted black. The lower half is covered with "spooky cloth" - a shreddy fabric from the Dollar Tree that cost - you guessed it! - a dollar.

Crows: $1 each at the Dollar Tree, though I replaced the eyes with red crystals.

Leota: One porcelain doll head, painted all spooky-like, fit inside a clear plastic Christmas ornament. To do this, cut the back third off the ornament with a craft blade, so you can fit the head in through the back:

Testing the fit.

It was a tight squeeze - wish I could have found a larger ornament! - so I had to chop off a lot of hair. The doll I used had bangs, so I removed the wig and turned it around. And it doesn't really show, but after this I also sprayed the hair with watered down white & teal craft paint.

To attach the head to the wreath, wrap a thick wire around the neck stump (there should be a recess there already, where the body attached), and then poke the wire ends straight down into the wreath.

Coffin: Plain wooden coffin ($2.99 from JoAnn's), painted, with a plastic skeleton arm & hand glued inside to hold it open. The little wreath is a sprig from an Autumn flower arrangement, twisted into a circle.
Note the authentic cat's tail. :) Thanks, Lily.

The green LED is held inside the coffin lid with Velcro, and to attach the coffin to the wreath, we drilled two holes in the back side & threaded a wire through.

Demon Clock: Here's the inspiration clock in Disneyland's Haunted Mansion:

The clock is either gray or wood-toned, depending on which Mansion you visit, but I decided to make mine green to fit the wreath's color scheme.

John carved the clock face from pink insulation foam (you can buy big sheets of it at Home Depot or Lowe's for cheap). Just print out the face, glue it on the foam, and carve through the paper. The foam doesn't carve well for little things like this - really rough & snaggy -  but after I painted it, you'd never know!


I also added the tail, cut from thin craft foam. Then we used hot glue to attach a long wire to the back.

Signage: Whipped up in Photoshop (you can download the Haunted Mansion font for free here), printed on gloss paper, and glued to black craft foam for stability. The Welcome sign is attached with wire, and the "Foolish Mortals" chains are attached with hot glue.

Watching eyes: Cut from white craft foam, using this photo as a reference:

Then attached to the wreath cloth with Glue Dots.

Bats: A last-minute addition, since I just got my HM bat ice cube tray in the mail and was desperate to try it out with some casting resin! Here's the painting progression:

After spraying the resin gold (which looks gorgeous on its own), I brushed on a heavy coat of blackish green craft paint, and then quickly wiped it off again. The result is pretty close to the real ride stanchions!

Needless to say, I'll be playing with these resin castings more in the future; I cannot WAIT to make some jewelry with them!

So I think that covers everything on the wreath, but feel free to ask questions in the comments!

And since this is my last Halloween craft, I hope you guys have a spook-tacular Halloween this weekend!
[syndicated profile] cakewrecks_feed

Posted by Jen

My friends, cake decorating can be hard. Why do you think we have so much material? But bakers can make their jobs a lot easier by just knowing their limitations.

For instance, bakers, say someone asks you to make a groom's cake that looks like their BMW:

...but you're just figuring out what "edible markers" are.


In that case, maybe say no.

See how much better that would have been?


Ok, now let's practice together! I'll play the customer.

Hi! Can you make me a cake that looks like this shoe?


Now you say, "No. No, I can't."


I'd really love Maleficent on a cake! Can you do that?


"No. No, I can't."


Aw, then how about Tinkerbell?


"Sure! No probl... I mean, no. No, I can't."



See how easy that is? And hey, being able to say no to orders you can't do will give you more time for the ones you can!

Or you could just fill the donuts.


Thanks to Lesley H., Molly H., Sheyla S., John A., & Michelle R., who advises steering clear of the Stay Puft donuts, since we all know where THAT leads.


Thank you for using our Amazon links to shop! USA, UK, Canada.

Linux Security Summit 2014 Wrap-Up

Oct. 27th, 2014 12:56 pm
[syndicated profile] blog_namei_org_feed

Posted by jamesm

The slides from the 2014 Linux Security Summit in August may be found linked at the schedule.

LWN covered both the James Bottomley keynote, and the SELinux on Android talk by Stephen Smalley.

We had an engaging and productive two days, with strong attendance throughout.  We’ll likely follow a similar format next year at LinuxCon.  I hope we can continue to expand the contributor base beyond mostly kernel developers.  We’re doing ok, but can certainly do better.  We’ll also look at finding a sponsor for food next year.

Thanks to those who contributed and attended, to the program committee, and of course, to the events crew at Linux Foundation, who do all of the heavy lifting logistics-wise.

See you next year!

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

emvblueOver the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.


The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

A chip card. Image: First Data

A chip card. Image: First Data

The New England bank initially considered the possibility that the perpetrators had somehow figured out how to clone chip cards and had encoded the cards with their customers’ card data. In theory, however, it should not be possible to easily clone a chip card. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system that has already been adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a card’s magnetic stripe. EMV cards contain a secure microchip that is designed to make the card very difficult and expensive to counterfeit.

In addition, there are several checks that banks can use to validate the authenticity of chip card transactions. The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.

And this is exactly what has bank fraud fighters scratching their heads: Why would the perpetrators go through all the trouble of taking plain old magnetic stripe cards stolen in the Home Depot breach (and ostensibly purchased in the cybercrime underground) and making those look like EMV transactions? Why wouldn’t the scammers do what fraudsters normally do with this data, which is simply to create counterfeit cards and use the phony cards to buy gift cards and other high-priced merchandise from big box retailers?

More importantly, how were these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place?

The New England bank said MasterCard initially insisted that the charges were made using physical chip-based cards, but the bank protested that it hadn’t yet issued its customers any chip cards. Furthermore, the bank’s processor hadn’t even yet been certified by MasterCard to handle chip card transactions, so why was MasterCard so sure that the phony transactions were chip-based?


MasterCard did not respond to multiple requests to comment for this story. Visa also declined to comment on the record. But the New England bank told KrebsOnSecurity that in a conversation with MasterCard officials the credit card company said the most likely explanation was that fraudsters were pushing regular magnetic stripe transactions through the card network as EMV purchases using a technique known as a “replay” attack.

According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

“The bad guys knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls,” Litan said. “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it. Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”

The thieves also seem to be messing with the transaction codes and other aspects of the EMV transaction stream. Litan said it’s likely that the perpetrators of this attack had their own payment terminals and were somehow able to manipulate the transaction fields in each charge.

“I remember when I went to Brazil a couple of years ago, their biggest problem was merchants were taking point-of-sale systems home, and then running stolen cards through them,” she said. “I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”

The New England bank shared with this author a list of the fraudulent transactions pushed through by the scammers in Brazil. The bank said MasterCard is currently in the process of checking with the Brazilian merchants to see whether they had physical transactions that matched transactions shown on paper.

In the meantime, it appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Litan said attacks like this one illustrate the importance of banks setting up EMV correctly. She noted that while the New England bank was able to flag the apparent EMV transactions as fraudulent in part because it hadn’t yet begun issuing EMV cards, the outcome might be different for a bank that had issued at least some chip cards.

“There’s going to be a lot of confusion when banks roll out EMV, and one thing I’ve learned from clients is how hard it is to implement properly,” Litan said. “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”

This Week

Oct. 27th, 2014 12:00 am
[syndicated profile] accidentallyincode_feed

Posted by Cate

A young European hedgehog

Credit: Wikipedia


Arrived back from Canada, so jetlagged! Spent a couple of days hiding away and coding, and then had a frantic few days in London. Great to catch up with some friends! Got to trade in my broken Jawbone and now I have a pink one – yay!


Meetings! Time with UX designer working on making the app pretty. Exciting!


Brunch and coworking at the Ace Hotel, I love the String Quartet at Hoi Polloi. Lunch at Ping Pong (BBQ pork buns!) and dinner at Dishoom, finally! I’ve been meaning to go forever, and also at Santore. Staying at the RE Hotel, not the best location but pretty comfortable and close enough, so I got a lot of walking in. Got to check out Shoreditch House – fancy!


Still working on Pioneer Programmer, but for light relief The Corinthian, A Civil Contact, Cotillion (probably my favourite of her books, just for the last couple of chapters), Cousin Kate, and now on False Colours. Back in the gym again – finally! So watching How I Met Your Mother Season 2. Background movies for coding: Bring it On, Wimbledon, The Princess Diaries 1 and 2, and She’s The Man.

Product links Amazon.


On The Internet

[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • Meet the Awesome League of Female Magic: The Gathering Players | bitchmedia (20 October): “Magic: The Gathering is a collectible trading card game published by Wizards of the Coast, the same company responsible for Dungeons and Dragons. Over the last twenty or so years, Magic has gained significant popularity and become a staple of nerd culture. Magic: The Gathering is played in a competitive tournament setting, casually at kitchen tables, while waiting in line at cons, and everything in between. Magic tournaments are not often a welcoming space for women despite the efforts of many within the community so, naturally, Magic horror stories were a popular topic of discussion at Geek Girl Con.”
  • Disney Princesses Are My (Imperfect) Feminist Role Models | boingboing (24 October): “So why not write off these problematic princesses and find better role models? Part of the power of the Disney princess is that she is inescapable. As a massive conglomerate, Disney is able to give its princess line an almost frightening level of cultural ubiquity. Conventional wisdom holds that girls will watch male-driven stories while boys will simply ignore female-driven ones. But it was impossible to ignore Frozen last year just as it was impossible to ignore Snow White, The Little Mermaid, and Beauty And The Beast when they premiered. Stop a few hundred people on the street and they’ll likely be able to name more Disney princesses than American Girl dolls, Baby-Sitters Club members, or Legend Of Korra characters. It’s important to introduce young girls to well-written female characters in niche properties, but it’s equally important to teach young girls that their stories don’t have to be niche.”
  • [infographic] The Gender Divide in Tech-Intensive Industries | Catalyst (23 October): While the leaky pipe metaphor has its flaws, it is one of the many reasons the tech industry is hostile to women.
  •  Anita Sarkeesian speaking at XOXO Conference | Feminist Frequency (7 October): “In September 2014, I was invited to speak at the XOXO conference & festival in Portland. I used the opportunity to talk about two subtle forms of harassment that are commonly used to try and defame, discredit and ultimately silence women online: conspiracy theories and impersonation. (Note: trigger warning early on for examples of rape and death threats as well as blurred images of weaponized pornography).”
  • [warning for discussion and examples of sexual harassment] A Natural A/B Test of Harassment | Kongregate (23 October): “all the questions made me think more deeply about my experience, particularly the low-level harassment I get that I’d taken as a given, normal for a co-founder of a game site. It occurred to me to check with my brother/co-founder Jim, but he said he almost never gets hassled. Most of the harassment I receive is through Kongregate’s messaging system, and looking at my last 25 public messages mixed in with compliments and requests for help there are several harassing/sexual messages. Jim has none.”


  • It’s Not Censorship to Ignore You | NYMag (21 October): “women were merely pointing to a threatening, gender-specific kind of speech, and asking for the tools to avoid it. There’s something obviously illogical about free-speech panic among white Americans in 2014. Thanks to online publishing and social media, the barrier to entry for free public speech is lower than ever.  What I suspect truly bothers free-speech reactionaries is that the same, democratized new media that allows them to publish free-speech rants has opened public discourse up to a lot of people they’re not used to hearing from — women, people of color, and those Gamergate calls “social justice warriors,” in particular. Some of the people who historically controlled the media uncontested might not like what these people have to say, but these newcomers are nonetheless very popular. And when a “social justice warrior” chooses to wield the “block” button against a troll, it’s not his freedom of speech that’s in danger, it’s his entitlement to be heard.”
  •  S4E7 – #GamerGate (Base Assumptions) | (22 October): Critical discussion of Gamergate in terms of base assumptions. “The use of terror tactics, even if only by a minority, has created an environment of fear that all members [who believe gamergate is solely about ethics in games journalism] enjoy the privilege of. When people are unwilling to engage because of fears that they’ll be next, all members [of gamergate] benefit from that person’s silence, even if they were not responsible for that harassment.”
  • [warning for harassment and threats of violence] GamerGate’s Economy Of Harassment And Violence | ravishly (20 October):”You cannot separate violence, any violence, from the context and circumstances of the society in which that violence transpires. Whoever benefits from violence is culpable for that violence. For this reason, every woman who endures harm in the wake of GamerGate’s expansion – whether it’s being forced into hiding or self-harming in the wake of unrelenting pressure and harassment – is a victim of GamerGate.”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Sunday Sweets: Boo-tiful Treats!

Oct. 26th, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Halloween is just five days away! Are you ready to par-tay?

Good. 'Cuz this Sweet stack is making my inner girly ghoul SO HAPPY:

(By Gimme Some Sugar)

The lacing! The candy cauldron! The colorful ruffly bits! And that bright green really makes the whole design "pop."


(By Bellaria Cakes Design)

Ooh la la! So pretty, and I love the vintage vibe on that argyle.


Or maybe you prefer your Halloween treats more on the spooky side:

(By Cake Lovers)

That'll do the trick. o.0


Or maybe some scrumptious spiderwebs?

(By Cakery Creation)

I've seen a few tutorials around for this, and I believe the webbing is made of marshmallow icing!


This Haunted Forest cake has both hand-painting *and* 3D sculpting:

(By My Sweet, Cosette)

SO COOL. And check out the ruins painted off in the distance!


For both extreme creepiness *and* amazing artistry, you just can't beat this steampunk Frankenstein's monster:

(By Crazy Sweets, based on Rick Baker's amazing costume)

WOW. It really looks exactly like Rick Baker's costume! Just amazing.


You can always count on some amazing Halloween wedding cakes every October, and CW reader Eden didn't disappoint:

The groom - now Eden's hubby - actually made the cake himself! I love how it's two cakes in one: the skeleton below, and the more traditional cake balancing on his head above. Plus, check out that insane stringwork! So perfect!


For sheer laugh-out-loud delight, I'm a big fan of Mr. Pumpkin McChompers here:

(By Corinna of Lovin' From the Oven)

That expression! Hee!


And finally, another stellar vintage-inspired design:

(By Dream Day Cakes)

Great colors, cute costumed bears, and a wee spider dangling from the hat tip!

Love it.


Hope you guys have a fabulous Halloween!

Be sure to check out our Sunday Sweets Directory to see which bakers in your area have been featured here on Sweets!


Did you enjoy the post? Do you shop at Amazon? Then please consider clicking through one of my affiliate links to shop. By visiting Amazon through that link, CW will earn a small percentage of what you purchase - and it won't cost you anything. Thanks!
USA, UK, Canada.

[syndicated profile] adulting_feed

This is from Ina Garten, whom I think we can all agree is the best. If you’re having people over for dinner, figure out what time you want to serve dinner, then count backward from there, taking into account how long each component will take.

Then, type it out into a schedule, and voila! No more wondering when you should put the potatoes in. It’s on the ding-dang schedule!

For the record, I’m typing this WHILE watching 30 Rock.

Unbreakable filter

Oct. 24th, 2014 09:13 pm
[syndicated profile] garethheyes_feed

Posted by Gareth Heyes

I was bored so I thought I’d take a look at Ashar’s filters. I noticed he’d done a talk about it at Blackhat Europe which I was quite surprised at. Then I came across the following blog post about the talk which I pretty much agreed with. That blog post links to his filters so you can try them out yourself.

The first one is basically multiple JavaScript regexes which are far too generic to be of any value. For example “hahasrchaha” is considered a valid attack =) because it has “src” in. I’m not joking. The regexes are below.

function test(string) {
var match = /

Call Me Linkspam

Oct. 24th, 2014 08:41 pm
[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • It’s Ada Lovelace Day: Get Angry | Garann Means (October 14): “It’s Ada Lovelace Day and we’re supposed to talk about the women in technology who’ve inspired us. The women who inspire me are those who’ve taken the frightening step of lessening their culpability by decreasing their participation. While it’s courageous to remain in tech/on the internet and try to make it a better place, you can’t get around the compromise in doing so.”
  • When Women Stopped Coding | NPR Planet Money (October 21): “These early personal computers weren’t much more than toys. You could play pong or simple shooting games, maybe do some word processing. And these toys were marketed almost entirely to men and boys. This idea that computers are for boys became a narrative. It became the story we told ourselves about the next computing revolution.”
  • Online Harassment | PEWResearch Internet Project (October 22): “In broad trends, the data show that men are more likely to experience name-calling and embarrassment, while young women are particularly vulnerable to sexual harassment and stalking.”
  • Breaking gender and racial barriers in Netrunner | Gamasutra (October 20): “Netrunner is a lovely and beloved experience for all those reasons, but the game is worth championing for other ideas that go beyond its smart design too. It’s also worth celebrating because Netrunner is one of the most progressive games in terms of gender and minority representation today.”
  • Life and Times of a Tech Feminist Killjoy: The Cuts Leave Scars | Julie Pagano (October 6): “After years of pushing yourself and being stretched too thin, you lose the flexibility you once had to bounce back. You snap more easily. The paper cuts are harder to brush off. You are likely to be punished for this. You will be seen simultaneously as too sensitive and too harsh.”
  • Marvel’s Victoria Alonso wants a female superhero movie, calls for more women in VFX | Variety (October 20th): “You’ve got to get the girls in here, boys. It’s better when it’s 50-50,” she continued. “I have been with you beautiful, handsome, talented, creative men in dark rooms for two decades and I can tell you those rooms are better when there are a few of us in them. So as you take this with you, please remember that it’s OK to allow the ladies in. They’re smart, they’re talented. They bring a balance that you need.”


  • The only thing I have to say about gamer gate | Felicia Day (October 22): “I know it feels good to belong to a group, to feel righteous in belonging to a cause, but causing fear and pushing people away from gaming is not the way to go about doing it. Think through the repercussions of your actions and the people you are aligning yourself with. And think honestly about whether your actions are genuinely going to change gaming life for the better.”
  • Felicia Day’s worst Gamergate fears just came true | The Daily Dot (October 23): “Day wrote of realizing after crossing the street to avoid two gamers she saw in Vancouver that she had allowed Gamergate to enhance her fear of other people within her community. Her post was an attempt to conquer that fear and to urge other women to do the same.But less than an hour after describing her past experiences with stalkers in the post, a commenter showed up to do the one thing she feared would happen.”
  • Why #Gamergate is actually an ed tech issue | Medium (October 20): “It’s not simply the hyper-macho shoot ‘em up games, either. I’ve had girls leave Minecraft because of misogynist threats. Apparently, this isn’t an isolate case. Others have seen the same thing. If we want to talk about integrating games into the classroom, we need to rethink what culture we’re inviting in.”
  • Gamergate goons can scream all they want, but they can’t stop progress | Wired (October 21): “Even more fascinating is how these insecurities have allowed some gamers to consider themselves a downtrodden minority, despite their continued dominance of every meaningful sector of the games industry, from development to publishing to criticism. That demonstrates a strange and seemingly contradictory “overdog” phenomenon: The most powerful members of a culture often perceive an increase in social equality as a form of persecution.”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Friday Favs 10/24/14

Oct. 24th, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Some of my favorite submissions this week:


October is Breast Cancer Awareness Month, so it's nice to see bakers doing their part: make pink ribbons look like ding-a-lings.


You know how they say the most important thing is to just never stop trying?

Please stop trying, bakers.



Mary ordered a cupcake cake (patooie!) in the shape of a number 6 for her daughter, but I guess the baker ran out of cupcakes, so...

This birthday is brought to you by 3/4 of the number 0.

Thanks for nothing.


How Twitter has ruined us all:



And finally, Catherine told the baker her son's name was "Stephen with a PH."

She got this:


Thanks to Amber G., Diana E., Mary G., Meredith N., & Catherine J. for the phweet phurprise.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

My notes from John Reid‘s talk at iOSDevUK.

digital wires

Credit: DeviantArt / LoneWolfAssassin

Barriers to TDD. Two primary:

  • Not knowing what it is. Rejecting it as silly without giving it a try. A good try, as there is a learning curve. It will slow you down at first. If you give up before the payoff then you will say “oh that was stupid”.
  • UI and Networking. On iOS most of what we do is UI and networking, rules out 90% of app, so not really useful.

EBay Fashion app. All test driven.

3 Types of Unit test:

  • Return value test
  • State test
  • Interaction test

Patterns of testing. The Design Patterns book, the Gang of Four never intended it to be the beginning and end of design patterns.

Not going to be rocket since. About getting through the barrier. Writing unit tests after if necessary, but ideally before.

Return Value Test:

  • Arrange: set up object.
  • Act: Call method that returns a value.
  • Assert: Compare against expected value.

With this alone, you should be able to get a very far distance. Onboarding engineers at Facebook, teach them not to be shy about extracting stand alone functions. Helps overcome that barrier.

State test:

  • Arrange: Set up object.
  • Act: Call method.
  • Assert: Compare against expected value.

Since interested in a side effect, just need an additional call to verify state. Should be able to write quite a few tests with these two techniques.

Interaction Test:

Don’t need to be isolated units. They can be connected, as long as they are fast. Check that the system under test (SUT) is communicating correctly to something else.

Don’t want to talk to the real thing:

  • Takes too long.
  • Might not be there.
  • May not have everything (don’t want to use things up).
  • Might want to test the failure (normal end to end tests).

Want a fake thing that the test can control. Need dependency injection, if the middle thing is creating the end thing, it’s hard to test.

Dependency Injection:

  • Extract and Override.
  • Method injection.
  • Property injection.
  • Constructor injection.

Difference between having a singleton, and a single way to access a singleton. E.g. NSUserDefaults. Don’t want to access it in this way.

Extract and Override: read “Working Effectively with Legacy Code” (Amazon).

TDD was working for me in a greenfield project, but how many of us get to stay in such a place?


Make a cut – subclass, override “userDefaults”, do what you want. Very powerful. Very effective with legacy code. Very dangerous. Like a drug. But will end up with the bane of testing code, fragile tests, because tests are coupled to implementation.

For getting started, especially with legacy code – good technique.

Method Injection

Better for other things, like calling “[NSDate date]” – will cause havoc with tests. Can swizzle, or just pass in what time you want. Now you will have a method that does more, now it’s tied to any time, not the current time. Helpful as context for injected object is very small. When spans across method, probably want to hang on to it as a property.

Test can inject the fake thing. But what about production code? Can end up with nil. Objective C will be like “whatever”.

Create custom getter with lazy eval. If no value, get the default value.

Inject in constructor – workhorse of dependency injection. Biggest benefit, makes everything explicit.

Can be annoying to have everything explicit. Long chain of dependencies is a code smell – you have too many dependencies.

Even then, you can simplify that, by using a Builder. Builder pattern creates the object you want according to however it is set. Set in any order, or not set and have it have defaults.

Constructor injection is the main one.

Ambient Context. Change something globally. Swizzling is an example of this. You can, sometimes helpful. But dangerous. Have to have your test restore the pre-test condition.

Let’s learn some good things from other people in other disciplines. There are plenty of smart people who are not using Obj-C

Interaction Test

Types of Fakes: The Art of Unit Testing

  • Stub: Fake that provides a pre-canned answer.
  • Mock: Recording how it is called by the SUT, so that it can assert.
  • Difference is which way the test is pointing to make it’s assertion.

Don’t need a DI framework in order to do DI as a concept.

Mocking, if never mocked before don’t use OCMock or OCMockito at first. Use them eventually. Meanwhile, you can make your own fake. Subclass and override all methods. Test Driven iOS development, means don’t have to do that in Obj-C. Dynamic language, supports DuckTyping.

Subclass NSObject. Put the method in. Use a simple property to record the number of calls. Have a fake return value (if unspecified is nil). Capture arguments.

Interesting thing about doing by hand, answers question of “what do we do in swift”. No introspection available to us. Do it by hand, laborious, might cry a little bit, but nothing stopping us.

Now we have a mock, use it. Start writing some tests.

[syndicated profile] epbot_feed

Posted by Jen

I hope you guys are ready for a LOT of amazing new geek art this month, because I, uh, kind of got carried away.  o.0


Let's kick things off with some Never Ending Story goodness:

 "Neverending" 8X12 print, $12

Those colors! YES.

I had a terrible time picking my favorites over at CocoMilla's Etsy store; there are WAY too many awesome choices:

Her watercolor prints start at $15 for 6X8 prints, and she has larger sizes available, too. Go see the rest; from Disney to gaming, she's got a little of everything!

Michael Banks of Suger Fueled makes adorably creepy big-eyed art, and even better, his ACEO prints are only $4!

He also has a huge selection of 8X12 prints for $12 each:

And since it IS October, how about this cutie from Sydey Hanson?
"Little Bat" 8X10 print, $12

Not quite as Halloweeny, but I'm totally smitten with Sydney's bumble bee:

"Bumblebee" 8X10 print, $12

D'awww. I'm actually terrified of anything that stings, but this guy I want to snuggle.

From Love Ashley Designs, a perfectly Wicked piece:
"Are You A Good Witch Or A Bad Witch?" 10X10 print, $25

Tempted to get this one for John, since he's forever singing "Popular." Which is hilarious.

Artist Wisesnail, aka Namecchan, has some amaaazing Guardians of the Galaxy prints:

WOW. And the 8X10s are only $15! (She has larger sizes, too.)

I'm also REALLY digging her Jim Moriarty:

7X10 print, $15

Love how the background looks like smokey flames!

Epbot reader Candace happens to be married to a Pixar animator, Victor Navone, and he generously donated this sweet Wall-E print for the give-away board:

The white surround is much larger than this, but that's all that would fit in my scanner. :) 

And speaking of the give-away board, here are some more of my new additions:

"I Am Who," by my buddy Charlie Thurston.
(You can buy it at the link for $10)

"Iron Giant Superman #1" by Matthew Waite

That's a mash-up of Iron Giant with the first Superman Comic, btw, which is brilliant if you know the movie.  Since Waite only sells at conventions, I picked this one up for the board. Check out the rest of his work over on DeviantArt or Tumblr.

From another of my good friends, Bianca Roman-Stumpff:


 (Groot is the new darling of Artist Alleys everywhere, and I am definitely not complaining.)

Most of Bianca's work still isn't available online (HINT HINT BIANCA), so she donated that one for the board!

She's also been churning out new Puff Monsters, which you *can* buy online through her Facebook page or sometimes her Etsy shop.

 The pumpkin one! Ah! And I ended up buying the blue & white one clapping in the middle.

Bianca also has a few prints available over on Society6, so you can check over there for more.

Remember Tampa Fanboy Expo, the convention last month where I fangirled over James Hance? Well, right next to him was Andrew "Drone" Cosson, and I FLIPPED over his baby Groot:

I've had this hanging in my office for over a month now, and I JUST NOW realized it looks like he's flipping us the bird. Which somehow makes him even cuter.

Andrew told me he'd just sold the companion Rocket Raccoon painting, and even worse, HE DIDN'T TAKE A PHOTO! Nooo!
So to console myself, I also bought these two original ink drawings from him:

Who else wants Andrew to make a Doctor Who coloring book now?

Andrew doesn't have a website or even an online portfolio, which is downright criminal. He directed me to his personal Facebook page, but I don't think he has everything there. I also can't believe he doesn't scan his original paintings to make prints! Arg! So Andrew, if you see this, please, GET THEE TO ETSY. Or Society6. Or DeviantArt. Or something.


Also at Tampa Fanboy, there was the delightful duo of Jennipho, who sculpts 3D sweetness like this:

... and Victoria, who paints & draws sweetness like this:

Her prints start at just $7!

John had to drag me away from their booth, since I kept going back to chat. They're both super friendly and uber talented, so definitely check out both sites!

And finally, since this is too perfect to show off right before Halloween, check out what John just got for his game room:


John says he either wants a picture of me in it, looking appropriately terrified, or a drawing of a uvula. I'm lobbying for the uvula.

The artist, Myrcury's Toybox, was at a local street show event here in Orlando last week, and we couldn't stop giggling over her tiny monster frames. Check out her Etsy shop for more, plus fun skull & monster eye hair clips, original art, and painted coffin boxes like these:

K, guys, that does it for this month's roundup! Now, you know the drill: comment below for a chance to win your choice of art from my Pinterest Art Give-Away Board! I'll ship anywhere, so international comments are welcome! (Last month I sent art to Africa and Australia. SO COOL. And expensive. But mostly cool.)

I'll announce my randomly-selected winner sometime next week. Happy commenting, everyone, and happy weekend!
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

In the interests of full disclosure: Sourcebooks – the company that on Nov. 18 is publishing my upcoming book about organized cybercrime — disclosed last week that a breach of its Web site shopping cart software may have exposed customer credit card and personal information.

Fortunately, this breach does not affect readers who have pre-ordered Spam Nation through the retailers I’ve been recommending — Amazon, Barnes & Noble, and Politics & Prose.  I mention this breach mainly to get out in front of it, and because of the irony and timing of this unfortunate incident.

From Sourcebooks’ disclosure (PDF) with the California Attorney General’s office:

“Sourcebooks recently learned that there was a breach of the shopping cart software that supports several of our websites on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained too. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach.”

So again, if you have pre-ordered the book from somewhere other than Sourcebook’s site (and that is probably 99.9999 percent of you who have already pre-ordered), you are unaffected.

I think there are some hard but important lessons here about the wisdom of smaller online merchants handling credit card transactions. According to Sourcebooks founder Dominique Raccah, the breach affected approximately 5,100 people who ordered from the company’s Web site between mid-April and mid-June of this year. Raccah said the breach occurred after hackers found a security vulnerability in the site’s shopping cart software.

Shopping-Cart-iconExperts say tens of thousands of businesses that rely on shopping cart software are a major target for malicious hackers, mainly because shopping cart software is generally hard to do well.

“Shopping cart software is extremely complicated and tricky to get right from a security perspective,” said Jeremiah Grossman, founder and chief technology officer for WhiteHat Security, a company that gets paid to test the security of Web sites.  “In fact, no one in my experience gets it right their first time out. That software must undergo serious battlefield testing.”

Grossman suggests that smaller merchants consider outsourcing the handling of credit cards to a solid and reputable third-party. Sourcebooks’ Raccah said the company is in the process of doing just that.

“Make securing credit cards someone else’s problem,” Grossman said. “Yes, you take a little bit of a margin hit, but in contrast to the effort of do-it-yourself [approaches] and breach costs, it’s worth it.”

What’s more, as an increasing number of banks begin issuing more secure chip-based cards  — and by extension more main street merchants in the United States make the switch to requiring chip cards at checkout counters — fraudsters will begin to focus more of their attention on attacking online stores. The United States is the last of the G20 nations to move to chip cards, and in virtually every country that’s made the transition the fraud on credit cards didn’t go away, it just went somewhere else. And that somewhere else in each case manifested itself as increased attacks against e-commerce merchants.

If you haven’t pre-ordered Spam Nation yet, remember that all pre-ordered copies will ship signed by Yours Truly. Also, the first 1,000 customers to order two or more copies of the book (including any combination of digital, audio or print editions) will also get a Krebs On Security-branded ZeusGard. So far, approximately 400 readers have taken us up on this offer! Please make sure that if you do pre-order, that you forward a proof-of-purchase (receipt, screen shot of your Kindle order, etc.) to

Pre-order two or more copies of Spam Nation and get this "Krebs Edition" branded ZeusGard.

Pre-order two or more copies of Spam Nation and get this “Krebs Edition” branded ZeusGard.

[syndicated profile] geekfeminism_feed

Posted by Annalee

Content warning: stalking, harassment, threats, violence–GamerGate, basically.

Geek Feminism’s lack of a statement about the GamerGate hate campaign has felt conspicuous to me. We’re a community dedicated to promoting justice and equality within geek communities. Documenting harassment and abuse in geek communities is one of our biggest projects. GamerGate is on our beat.

But while our fabulous team of linkspammers has been on top of the story, we haven’t put up a statement.

I spoke to some of our other bloggers about ways we could respond. The conversation we had was pretty illustrative.

Here are the ideas we had, and why we discarded them:

1: A “Seriously, Fuck GamerGate” Post

Why we didn’t:

“Fuck GamerGate” is a fairly obvious statement from us. It might be satisfying to say, but it adds little to the conversation.

And women who’ve said it before us have been stalked, harassed, doxxed, and threatened–some to the point of fleeing their homes.

2. A statement of support for GamerGate’s victims

Why we didn’t:

Telling folks we support them is nice, but it doesn’t provide the victims of these terror campaigns with the practical support they need to protect themselves. Talking about them has a very high chance of exposing them to even more abusers. When you’re the target of an organized campaign of terror, the last thing you need is more attention.

And women who’ve made statements of support have been stalked, harassed, doxxed, and threatened–some to the point of fleeing their homes.

3. An Ada Lovelace-style celebration of women in gaming, where we encourage folks to blog about games they love by women, and women in gaming who inspire them.

Why we didn’t:

We didn’t want to paint a target on anyone’s back.

Women in gaming who’ve gotten positive attention have been stalked, harassed, doxxed, and threatened–some to the point of fleeing their homes.

4. Present an iron hide and dare them to bring it.

Some of us feel guilty for not telling GamerGaters exactly where they can shove the horseshit they have the temerity to present as discourse.

Why we didn’t:

We want to live in a world where terror campaigns like this are ineffective; where that which does not kill us makes us stronger; where good triumphs over obtuse, selfish, cowardly evil. But wanting to live in that world doesn’t make that world real. In this world, oppression and injustice have built a system whereby that which does not kill us often leaves us personally and professionally damaged.

The fantasy that bravado would win the day is appealing, but daring abusers to come for us won’t do anything constructive. As much as we might want to put ourselves between GamerGate and its victims, we can’t. There are too many of them to successfully draw their fire.

We’d just end up getting stalked, harassed, doxxed, and threatened–possibly to the point of fleeing our homes.

By now, you’ve surely noticed the theme here.

It’s tempting to offer cheap platitudes to the women who’ve been the focus of these abuse campaigns, or those who might become them. To tell them to be brave, to speak their truth, to not let violent assholes scare them.

Platitudes won’t keep the cesspits of the internet from backflowing into their homes and workplaces. Platitudes won’t secure their computers and personal information; protect their families from detailed, sexually-explicit death threats; walk their kids to school; or stay at home to protect their pets while they’re at work. Platitudes won’t explain to their bosses why their companies’ websites are being DDOSed. Platitudes won’t stop bullets.

So before you lament how terrible it is to ‘let them win’ by being silent, please stop and think of a better way to phrase “I want to live in a world where the victims of abuse campaigns have a winning move.” Don’t ask women to sacrifice their names, careers, and safety to the fantasy that life is fair.

Telling women to be brave and speak up is telling them to face a violent horde unarmed. We don’t have an effective defense against these terror campaigns. We desperately need one. We’re going to follow up and see if we can develop any effective strategies.

In the meantime, I’ve already painted the target on my back, so I might as well say it.

Fuck GamerGate.

Wedding Wrecks, Vol. 345

Oct. 23rd, 2014 01:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

They wanted bubbles:


They got sprinkles.

Mm, crunchy.


They wanted this:


They got... this:

("Hang on, you can still see some icing. BRING MORE FLOWERS!")


And finally,

Jessica wanted this:

... but what she got was so bad that her photographer decided it'd be too much to have the whole cake in frame, and so focused on some guy in the background checking his phone instead:

Good job, Jessica's photographer.


Thanks to Anony M., Sonya J., & Jessica K., who like to think that guy is reading Cake Wrecks, because, dude, SO META.


Thank you for using our Amazon links to shop! USA, UK, Canada.


terriko: (Default)

October 2014

5678 91011
1920 2122232425

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Oct. 31st, 2014 02:51 pm
Powered by Dreamwidth Studios