An unmasked clockwork robot from Doctor Who:
In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.
Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.
According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.
If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (220.127.116.11). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting them away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.
The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time.
“There is virtually no trace of this thing except for an email,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint. “And even if your average user knows to look at his router’s DNS settings, he’s unlikely to notice anything wrong or even know what his normal DNS settings should be.”
Many modern routers have built-in defenses against such attacks (including countermeasures known as CSRF tokens), but new vulnerabilities in existing routers — even recent model routers — are constantly being uncovered. I asked Proofpoint whether such protections — or security improvements built into most modern browsers — would have stopped this attack. Their experts seemed to think not.
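A minimal model of the CSRF-token countermeasure mentioned above, as an added example (not Proofpoint's or the article's code): the router class, its DNS handler, the session scheme and all addresses (TEST-NET ranges for the ISP and rogue resolvers) are constructed assumptions. It shows why a form post from a page on another origin, even after a forced login through a hidden iframe, cannot change the DNS settings, and adds a small audit of the "unknown primary, well-known secondary" resolver pair described earlier.

```python
"""Model of a router admin endpoint hardened against the cross-site request
forgery (CSRF) described above.

Added example, not code from Proofpoint or the article. The router model, its
set_dns handler, the session scheme and every address below (TEST-NET ranges
for the ISP and rogue resolvers) are assumptions constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"                  # hypothetical admin UI origin
TRUSTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}   # router itself + ISP (constructed)


@dataclass
class Session:
    # One secret per login. A page on another origin cannot read it: the
    # same-origin policy stops its script from reading the iframe's contents.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Router:
    primary_dns: str = "192.168.1.1"
    secondary_dns: str = ""
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def login(self) -> str:
        """Issue a session id (the cookie). This also works from a hidden
        iframe, which is why the DNS form below cannot trust the cookie alone."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session()
        return sid

    def csrf_token(self, sid: str) -> str:
        """The value the legitimate settings page embeds in its form."""
        return self.sessions[sid].csrf_token

    def set_dns(self, sid: str, headers: dict, form: dict) -> int:
        """POST /dns handler. Returns an HTTP status; 200 only when the request
        comes from the router's own origin and carries the session's token."""
        session = self.sessions.get(sid)
        if session is None:
            return 401
        # Origin (or Referer as fallback) must be exactly the admin UI origin;
        # a missing header is treated as cross-site, not as trusted.
        o = urlsplit(headers.get("Origin") or headers.get("Referer", ""))
        if f"{o.scheme}://{o.netloc}" != ROUTER_ORIGIN:
            self.audit_log.append(f"blocked cross-site POST from {o.netloc or '<none>'}")
            return 403
        if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
            self.audit_log.append("blocked POST without valid CSRF token")
            return 403
        self.primary_dns, self.secondary_dns = form["primary"], form.get("secondary", "")
        self.audit_log.append(f"dns changed to {self.primary_dns}/{self.secondary_dns}")
        return 200


def audit_dns(primary: str, secondary: str, trusted=TRUSTED_RESOLVERS) -> list:
    """Flag the pattern from the article: an unknown primary resolver paired
    with a well-known secondary so the router keeps working if the rogue
    server goes down. Returns a list of findings (empty means clean)."""
    findings = []
    if primary not in trusted:
        findings.append(f"primary resolver {primary} not in trusted set")
    if secondary and secondary not in trusted:
        findings.append(f"secondary resolver {secondary} not in trusted set")
    return findings


def cross_site_attempt(router: Router) -> int:
    """Attacker's page: an iframe forces a login, then posts the DNS form.
    The browser attaches the cookie, but the Origin is the attacker's site and
    the token is unknown to it, so the change is refused."""
    sid = router.login()                      # login CSRF itself needs no token
    return router.set_dns(sid,
                          {"Origin": "http://attacker.example"},
                          {"primary": "198.51.100.7", "secondary": "203.0.113.53"})


def legitimate_change(router: Router) -> int:
    """Owner on the admin UI: same origin, token read from the rendered form."""
    sid = router.login()
    return router.set_dns(sid,
                          {"Origin": ROUTER_ORIGIN},
                          {"csrf_token": router.csrf_token(sid), "primary": "203.0.113.53"})


if __name__ == "__main__":
    r = Router()
    print("cross-site:", cross_site_attempt(r), "dns:", r.primary_dns,
          audit_dns(r.primary_dns, r.secondary_dns))
    print("legitimate:", legitimate_change(r), "dns:", r.primary_dns,
          audit_dns(r.primary_dns, r.secondary_dns))
    print(*r.audit_log, sep="\n")
```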
In any case, I hope it’s clear by now that leaving the default credentials in place on your router is merely inviting trouble. Last month, I wrote about how the botnet used to take down Sony and Microsoft’s online gaming networks was built on the backs of hacked home routers that were all running factory-default administrative credentials.
If you haven’t changed the default credentials on your router, it’s time to do that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.
To see whether your credentials are the default, you’ll need to open up a browser and enter the numeric address of your router’s administration page. For most routers, this will be 192.168.1.1 or 192.168.0.1 (on Apple routers, it’s more likely to be 10.0.1.1). This page lists the default internal address for most routers. If you have no luck there, here’s a decent tutorial that should help most users find this address. And check out my Tools for a Safer PC primer for more tips on how to beef up the security of your router and your Web browser.
Read more about this attack at Proofpoint’s blog post.
An internationally known community manager, speaker and author, Leslie Hawthorn has spent the past decade creating, cultivating and enabling open source communities. She created the world’s first initiative to involve pre-university students in open source software development, launched Google’s #2 Developer Blog, received an O’Reilly Open Source Award in 2010 and gave a few great talks on many things open source. In August 2013, she joined Elasticsearch as Director of Developer Relations, where she leads community relations efforts.
I’ve known Leslie for years now, and she is forever inspiring me with her ability not only to find visionary ways to improve the world, but also to follow-through with the rabble-rousing, cat herding, paperwork, and everything else that’s needed to take ideas from “wouldn’t it be nice if?” to “this is how we’re going to do it.” I really enjoyed her recent blog post, A Place to Hang Your Hat, and asked Leslie if she had a bit of time for an interview to tell Geek Feminism blog readers a bit more about the idea.
For people who haven’t read your blog post yet, can you give us the point of “let’s all build a hat rack” in a few sentences?
In open source software projects – and life in general – there are any number of contributions that are underappreciated or go unacknowledged. I’m very aware of how often that underappreciation or lack of acknowledgement is due to socialization around what labor is considered valuable vs. what is largely invisible – we are taught to value and celebrate the accomplishments of white men and minimize the impact of the labor of women, people of color, transpeople, differently abled people, etc.
The let’s all build a hat rack project is a call to acknowledge all the diverse contributors and contributions in our work lives and volunteer projects, with a special emphasis on acknowledging folks who are not like you first. You can do this easily by writing them a recommendation on LinkedIn – which they can decide to approve for inclusion on their profile – or just sending them a thank you note they can use later. Bonus points for sharing your appreciation on social media using hashtag #LABHR.
What inspired the project?
It came about for a few reasons, but first and foremost I want to acknowledge Deb Nicholson for inspiring the phrase “let’s all build a hat rack.” There’s more about Deb’s contributions to my thinking and the open source community in the post, so please check it out.
Beyond that, the project came about largely due to the intersection of two frustrations: the lack of understanding people have for everything I – and friends like Deb – have accomplished, and the seemingly unending cycle of horrible news in the tech industry. While it’s important to have a clear and candid dialog about sexism, racism, ableism, transphobia and other issues impacting the diversity of the technical community, that seems to be all I am reading lately. The news is usually sensationalistic and often depressing.
I wanted to give myself and everyone I know something uplifting and useful to read, to encourage all of us to show gratitude and appreciation, and to make that show of gratitude a useful way for contributors who are usually not acknowledged to get the credit they deserve. Not just because they deserve it, but because that public acknowledgement of their work helps with acquiring jobs, landing their next big project and feeling good about continued contributions.
What tips do you have for people struggling to find someone to recommend?
You know, I figured this project would be really easy until I started writing up recommendations. To my earlier point about being socialized to see some labor as invisible or less valuable, I had no trouble thinking up white dudes who had done things I appreciate. I had to push myself harder to think about the women in my life who have made significant contributions, even though they are numerous. I can imagine that some humans, specifically male humans, are having the same issues.
So, to get started, think about things / actions / projects that have meant a great deal to you. Was there a conference you attended where you had an “ah ha” moment? Were you able to solve a problem thanks to great support on a project’s web forum or in their IRC channel? Did you read a blog post that was filled with brilliance and inspired you to be better at your craft? Cool. Were there people involved who were not like you? Great! Not sure exactly what they did? I’d call that an excellent opportunity to find out more about their involvement, thank them for educating you and their contribution, and then use that information to write a recommendation.
I’m not going to lie to anyone – you may have to think hard about this at first and it will be uncomfortable. You have to internalize the fact that you’ve been taught to see some very amazing work as non-existent or, at best, mere window dressing. That’s OK, too. The first step toward progress is thinking through that discomfort, then finding the humans to thank at the end of it.
If you’re still having trouble thinking of someone, that’s OK. Talk to your friends or fellow project members for suggestions. Tell them you’re thinking about participating in the #LABHR project, but need help getting started. Friends can help you think of people you’ve missed celebrating, and they may also want to join the experiment and recommend people, too!
I’ve always been impressed with your gracious ways of thanking and recommending people, so I feel like you must have some insight into writing good recommendations. Are there any suggestions you have for people who want to write great ones?
Keep it short and simple. One of the things that makes writing recommendations hard is that we’re trying to encapsulate so many good qualities into a few short sentences. You don’t have to write down everything wonderful about the person you’re recommending, just the 3-5 ways they’ve been most impactful in your project / company / life. In a pinch, concentrate on things employers want to hear about, as that will make your recommendation most useful.
What impact do you hope to have on people’s lives with LABHR?
I’d like this experiment to give the technical community a reason to express more gratitude for all contributions. I especially want to give white male allies a clear, actionable path to improving things for underrepresented groups. Writing a recommendation will take you about 15 minutes, but it can have immeasurable impact on someone’s future career prospects.
I’m really excited to say that I’ve seen 15 permanent recommendations go by and a whole lot of shout-outs under the #LABHR hashtag so far. I hope many more recommendations will come.
Want to see more inspirational LABHR entries? Check out the #LABHR hashtag on twitter and then write your own!
Every year I try to channel my inner cowboy and write a little poetry. So sit back, relax, and try not to picture me in a Three Amigos costume*.
[*You're already doing it, aren't you? I knew it.]
Jed was a cowboy who wanted to sing
'Bout huntin' an' fishin' an' bein' right-wing.
As a matter of course
He camo'd his horse
But now he can't find the dang thing
Is that an ear, dear?
Who knows, nose?
But that's an eye, aye?
As I ponder the existential stylings of my empty holster and overflowing chaps
And in the corner,
silent bug-eyed stare
why are you making that face
I hope that's a tail
Poop in the mane
Poop in the maaane!
It don't matter one whit
Where your horse takes a... hit
So long as there's no poop
in the mane.
Thanks to my amigos Emily F., Sandy L., Katie T., Carrie B., & Whitney K., who would definitely say that I have a plethora of poetry-penning talent. (Right? ;))
Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.
On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.
Today, the group took credit for hacking Lenovo.com, possibly because it was recently revealed that the computer maker was shipping the invasive Superfish adware with some new Lenovo notebook PCs (the company has since said Superfish is now disabled on all Lenovo products and that it will no longer pre-load the software).
According to a report in TheVerge.com, the HTML source code for Lenovo.com was changed to read, “the new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey.”
The Verge story notes that both men have been identified as members of the Lizard Squad; to my knowledge this has never been true. In fact, both used to be part of a black hat and now-defunct hacker collective known as Hack The Planet (HTP) along with one of the main current LizardSquad members — Julius “Zeekill” Kivimaki (for more on Julius, see these stories). However, both King (a.k.a “Starfall”) and Godfrey (“KMS”) have been quite publicly working to undermine and expose the group for months.
Reached via instant message, both King and Godfrey said the Lizard Squad used a command injection vulnerability in Webnic.cc to upload a rootkit — a set of hacking tools that hide the intruder’s presence on a compromised system and give the attacker persistent access to that system.
Webnic.cc is currently inaccessible. A woman who answered the phone at the company’s technical operations center in Kuala Lumpur acknowledged the outage but said Webnic doesn’t have any additional information to share at this time. “We’re still in the investigation stage,” said Eevon Soh, a Webnic customer support technician.
It appears the intruders were able to leverage their access at Webnic.cc to alter the domain name system (DNS) records for the Google and Lenovo domains, effectively giving them the ability to redirect the legitimate traffic away from the domains to other servers — including those under the attackers’ control.
King and Godfrey said the Lizard Squad also gained access to Webnic’s store of “auth codes” (also known as “transfer secrets” or “EPP” codes), unique and closely-guarded codes that can be used to transfer any domain to another registrar. As if to prove this level of access, the Lizard Squad tweeted what they claim is one of the codes.
Starfall and KMS say the rootkit has been removed from Webnic’s servers, meaning the Lizard Squad should no longer be able to hijack Webnic domains with the same method they used to redirect Lenovo.com or Google Vietnam.
This is not the first time these actors have messed with Webnic.cc. Web Commerce Communications Ltd. (Webnic) is a popular registrar among hacker forums and underground stores that traffic in stolen credit cards and identity information, and a great number of those sites are registered through Webnic. It was hardly a coincidence that many of the criminal storefronts hacked over the past couple of years — including rescator[dot]so and ssndob — were registered at Webnic: all of the same players involved in this week’s drama were involved in those hacks as well.
One way to understand suspense is that it's the state of having multiple conflicting valid causal models, or not having enough information to even form a single satisfying prediction.
Each protagonist gets impressive moments of awesome competence and agency. But, like levelling up in a game, it's still constrained by the sandbox (which is of course more realistic than the Matrix solution).
The big science fictional twist is that you are far less significant than you had imagined.
But they require less genre expertise than, say, "Four Kinds of Cargo" or the trope review at the start of Anathem.
Case in point: we went to a local craft shop to get two custom mats for some art for the steampunk room. Since we wanted an antique look, we picked fabric-covered mats, which we were told would take over a week to make, and cost over $60.
Now, $30 each may not sound TOO bad... but that's more than we spent on the art being framed! And all for a one-inch decorative border? NUH-UH.
So we canceled the order and headed to the fabric section.
We bought about half a yard of two fabrics that almost exactly matched the original mats we wanted: a faux red velvet and a faux leather. Total cost? Around $8.
Here's the thing: fabric-covered mats - which both look and ARE the most expensive - are actually the easiest to make yourself, since you don't need a mat cutter or special tools. All you need are fabric, mat board (available in huge sheets for less than $10 at any craft shop), a craft blade, and spray adhesive.
I'm sure I've shown this kind of thing before, but here, look how easy:
Caveat: none of this is acid-free, so I wouldn't recommend it for expensive or irreplaceable pieces. Everything else, though? GO NUTS.
And here's a tip for saving crap-tons of money on custom-sized frames: just buy a pre-made frame that's too big, and cut it to size yourself. We found this gorgeous frame for only $13 on a clearance rack over a year ago:
John cut it down to size ["You'll never amount to anything! Your mother was a sod pallet!"] with his miter saw, then re-assembled using a nifty framing strap which you can just see in the top right corner here:
The ratcheting strap holds all four corners at perfect 90 degree angles while the glue dries. (For larger frames make sure you also use pin nails to hold everything in place.) Cool, right? And not so hard? You should totally try this.
Next John painted the frame bright gold and aged it with a little black, so now it looks like this:
And if you want to fool everyone into thinking your art is an original and NOT a print, here's another ridiculously easy trick: just leave out the glass. Glass screams "I'm a print!" even when it's not, and the reflection gets in the way anyway.
That said, since my Elizabeth poster was severely damaged by a hungry cat (grrr), we had to spring for some non-glare glass on her to help hide all the creases and dings. Worked pretty well, too!
This is another frame John cut down and re-sized, since the print is a funky size. We left the finish as-is, though, since it went perfectly with Songbird's head.
Since we already had spare mat board and used frames we already had, our only costs were the $8 fabric and about $15 for the custom non-glare glass. (Yay coupons!) Plus we had it all done in about a day - no waiting on custom orders!
Hope this helps inspire my fellow art-lovers out there to start making and modifying your own mats and frames! It's always galled me that the framing process is so flippin' expensive that most folks end up just tacking their pretties to the wall. Well, no more! Frame up those pretties, my friends! Frame 'em!
The FBI this week announced it is offering a USD $3 million bounty for information leading to the arrest and/or conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.
Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts — mainly from small- to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.
So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — on Bogachev and his trusted associates.
I first became aware of Bogachev by his nickname at the time — “Slavik” — in June 2009, after writing about a $415,000 cyberheist against Bullitt County, Kentucky. I was still working for The Washington Post then, but that story would open the door to sources who were tracking the activities of an organized cybercrime gang that spanned from Ukraine and Russia to the United Kingdom.
Not long after that Bullitt County cyberheist story ran, I heard from a source who’d hacked the Jabber instant message server that these crooks were using to plan and coordinate their cyberheists. The members of this crew quickly became regular readers of my Security Fix blog at The Post after seeing their exploits detailed on the blog.
They also acknowledged in their chats that they’d been in direct contact with the Zeus author himself — and that the gang had hired the malware author to code a custom version of the Trojan that would later become known as “Jabberzeus.” The “jabber” part of the name is a reference to a key feature of the malware that would send a Jabber instant message to members of the gang anytime a new victim logged into a bank account that had a high balance.
Here’s a snippet from that chat, translated from Russian. “Aqua” was responsible for recruiting and managing a network of “money mules” to help cash out the payroll accounts that these crooks were hijacking with the help of their custom Jabberzeus malware. “Dimka” is Aqua’s friend, and Aqua explains to him that they hired the ZeuS author to create the custom malware and help them troubleshoot it. But Aqua is unhappy because the ZeuS author declined to help them keep it undetectable by commercial antivirus tools.
dimka: I read about the king of seas, was that your handiwork?
aqua: what are you talking about?
aqua: yes, we are using it right now. its developer sits with us on the system
dimka: it seems to be very popular right now
aqua: but that fucker annoyed the hell out of everyone. he refuses to write bypass of [anti-malware] scans, and trojan penetration is only 35-40%. we need better
yfix read this. here you find almost everything about us
aqua: we’re using this [custom] system. we are the Big Dog. the rest using Zeus are doing piddly crap.
Days later, other members of the Jabberzeus crew were all jabbering about the Bullitt County cyberheist story. The individual who uses the nickname “tank” in the conversation below managed money mules for the gang and helped coordinate the exchange of stolen banking credentials. Tank begins the conversation by pasting a link to my Washington Post story about the Bullitt County hack.
firstname.lastname@example.org: That is about us. Only the figures are fairytales.
email@example.com/dimarikk: This was from your botnet account. Apparently, this is why our hosters in service rejected the old ones. They caused a damn commotion.
firstname.lastname@example.org: I have already become paranoid over this. Such bullshit as this in the Washington Post.
email@example.com/dimarikk: I almost dreamed of this bullshit at night. He writes about everything that I touch in any manner…Klik Partners, ESTHost, MCCOLO…
firstname.lastname@example.org: Now you are not alone. Just 2 weeks before this I contacted him as an expert to find out anything new. It turns out that he wrote this within 3 days. Now we also will dream about him.
In a separate conversation between Tank and the Zeus author (using the nickname “lucky12345” here), the two complain about news coverage of Zeus:
tank: Are you there?
tank: This is what they damn wrote about me.
tank: [pasting a link to the Washington Post story]
tank: I’ll take a quick look at history
tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court
tank: Well, you got it from that cash-in.
lucky12345: From 200k?
tank: Well, they are not the right amounts and the cash out from that account was shitty.
tank: Levak was written there.
tank: Because now the entire USA knows about Zeus.
lucky12345: It’s fucked.
After the Bullitt County story, my source and I tracked this gang as they hit one small business after another. In the ensuing six months before my departure from The Post, I wrote about this gang’s attacks against more than a dozen companies in the United States.
By this time, Slavik was openly selling the barebones ZeuS Trojan code that Jabberzeus was built on to anyone who could pay several thousand dollars for the crimeware kit. There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers that phoned home to domains which bore his nickname, such as slaviki-res1.com, slavik1[dot]com, slavik2[dot]com, slavik3[dot]com, and so on.
On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters — a crook who used the pseudonym “Jim Rogers” — somehow intercepted news I hadn’t shared beyond a few trusted friends at that point: that the Post had eliminated my job in the process of merging the newspaper’s Web site with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”.
jabber.org: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation Good news expected exactly by the New Year! Besides us no one reads his column
email@example.com: Mr. Fucking Brian Fucking Kerbs!
I continued to write about new victims of this gang even as I was launching this blog, and in the first year I profiled dozens more companies that were robbed of millions. I only featured victims that had agreed to let me tell their stories. For every story I wrote, there were probably 10-20 victim organizations I spoke with that did not wish to be named.
By January 2010, Slavik was selling access to tens of thousands of hacked PCs to spammers, as well as large email lists from computer systems plundered by his malware. As I wrote in the story, Zeus Trojan Author Ran With Spam Kingpins, Slavik was active on multiple crime forums, not only finding new clients and buyers for his malware, but for the goods harvested by his own botnets powered by ZeuS.
Eight months later, authorities in the United Kingdom arrested 20 individuals connected to the Jabberzeus crime ring, and charged 11 of them with money laundering and conspiracy to defraud, including Yevhen “Jonni” Kulibaba, the ringleader of the gang, and Yuri “JTK” Konovalenko.
In conjunction with that action, five of the gang’s members in Ukraine also were detained, but very soon after released, including the aforementioned Vyacheslav “Tank” Penchukov and a very clever programmer named Ivan “petr0vich” Klepikov. More details about these two and others connected with the Jabberzeus crew are available from this unsealed 2012 complaint (PDF) from the U.S. Justice Department.
Unsurprisingly, not long after the global law enforcement crackdown, Slavik would announce he was bowing out of the business, handing over the source code for Zeus to a hacker named “Harderman” (a.k.a. “Gribodemon”), the author of a competing crimeware kit called SpyEye (25-year-old Russian man Alexsander Panin pleaded guilty last year to authoring SpyEye).
Near as I can tell, Slavik didn’t quit developing Zeus after the code merger with SpyEye, he just stopped selling it publicly. Rather, it appears he began developing a more robust and private version of Zeus.
By late 2011, businesses in the United States and Europe were being hit with a new variant of Zeus called “Gameover” Zeus, which used the collective, global power of the PCs infected with Gameover Zeus to launch crippling distributed denial-of-service (DDoS) attacks against victims and their banks shortly after they were robbed.
In late March 2012, Microsoft announced it had orchestrated a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye. In so doing, the company incurred the wrath of many security researchers when it published in court documents the nicknames, email addresses and other identifying information on the Jabberzeus gang and the Zeus author.
A few months later, the Justice Department officially charged nine men in the Jabberzeus conspiracy, including most of the above named actors and two others — a money mover named Alexey Dmitrievich Bron (a.k.a.”TheHead”) and Alexey “Kusanagi” Tikonov, a programmer from Tomsk, Russia. Chat records intercepted from the incomeet.com server that this crew used for its Jabber instant message communications strongly suggest that Bron and Penchukov (“Tank”) were co-workers in Donetsk, Ukraine, possibly even in the same building.
In June 2014, the U.S. Justice Department joined authorities in many other countries and a large number of security firms in taking down the Gameover ZeuS botnet, which at the time was estimated to have infected more than a million PCs.
It’s nice that the Justice Department has put up such a large bounty for a man responsible for so much financial ruin and cybercrime. Kulibaba (“Jonni”) and his buddy Konovalenko (“Jtk0”) were extradited to the United States. Unfortunately, the rest of the Jabberzeus crew will likely remain free as long as they stick within the borders of Ukraine and/or Russia.
I think the following cakes are really special. Like seeing a beautiful newborn for the first time, these baby shower cakes leave me… well, speechless.
What a coincidence! E.T. was on my TV today, too!
Ethan... phone home...
(and tell your parents Jersey Shore called. They want their tan back.)
"Hi, bakery? I have a baby shower coming up. Do you make cupcakes?"
"Baby shower CUP cakes? Yeah. We can 'handle' that."
If you squint your eyes, it’s actually not a baby at all, but a bronzed, muscular man in a tank top popping out of the cup. See it? See it? Let’s call him Joe. He must be posing for his mug-shot. Just look at those eyes! He really knows how to espresso himself, doesn't he?
Thanks to Dawn M. for finding these little bundles of joy. It's been a latte fun!
On the software you'll need for your personal computer:
First off, you need an operating system, which is the "Godfather" program that operates behind the scenes, telling all the other programs what to do, making sure they cooperate, and if necessary leaving the heads of horses in their beds. The most popular operating system in world history as of 10:30 A.M. today is Windows 95☺, but there are many other options, including Windows 3.1☺, Windows 3.11☺, Windows 3.111☺, Windows for Workgroups☺, Windows for Groups That Mainly Just Screw Around☺, Windows for Repeat Offenders☺, Lo-Fat Windows☺, and The Artist Formerly Known as Windows☺. There is also the old "MS-DOS" operating system, which is actually written on parchment and is rarely used on computers manufactured after the French and Indian War. And there is "OS/2," which was developed at enormous expense by IBM and marketed as a Windows alternative, and which has won a loyal following of thousands of people, an estimated three of whom do not work for IBM. And of course there is the Apple operating system, or "Apple operating system," for your hippie beatnik weirdo loner narcotics-ingesting communistic types of Apple-owning individuals who are frankly too wussy to handle the challenge of hand-to-hand combat with computer systems specifically designed to thwart them.
On the internet:
... I had managed to send this hideously embarrassing message to everybody in the world except the person who was supposed to read it.
Yes, thanks to the awesome communications capabilities of the Internet, I was able to make an intergalactic fool of myself, and there's no reason why you can't do the same.
Prefiguring Clay Shirky's cognitive surplus arguments:
So go ahead! Get on the Web! In my opinion, it's WAY more fun than television, and what harm can it do?
OK, it can kill brain cells by the billions. But you don't need brain cells. You have a computer.
The origin of Bill Gates's wealth: "versions."
How much should your new computer cost? "About $350 less than you will actually pay."
Also, I am gonna avoid G7e rage and not quote the entire section, but check out the Comdex chapter for Barry's thoughts on the limited range of stories and game mechanics available in games written by and for men in 1996, and his speculation on what more diversity would look like.
The fiction short story that appears in two parts at the end of the book causes disproportionate feels in me, because it's about falling in love with a stranger via America OnLine chat, and I read it around the same time I fell in love with a guy I met on Usenet, via a Dave Barry fan group. Oh dear, I just looked him up and he has a freaking beard. I don't know why that detail gets to me, but I was not prepared for that. At this moment I am under a blanket on my couch in New York City with midmorning light bouncing off brick and fire escapes outside, but I am also in a hand-me-down tee shirt and shorts in front of a 486, easily remembering how to turn the audible modem volume all the way down so Mom and Dad don't hear me dialing in, the mousepad the only clear area on my dad's desk that's cluttered with printouts and Post-Its and boxes of 5-and-a-quarter floppies, navigating to HoTMaiL, California night outside the blinds. And now I'm remembering all those other local maxima and minima of my teenage life, and how intense things felt. He sent me a photo and I printed it out in black and white and took it into my AP US History test. That printout is probably still in a box somewhere. He dumped me, and we never met, and I wonder whether either of us still has a copy of that email.
And now the only Dave Barry book I own is Dave Barry in Cyberspace. It's still funny and it still has a barb in it. I am genuinely curious whether people ten years younger than me would enjoy it, since clearly part of what I'm getting out of it is nostalgia. And now I'm thinking about setting a reminder to myself to read current tech humor by Rose Ames and James Mickens in 2035.
No, this isn't it.
C'mon, guys, what's wrong with a sweet, heartfelt sentiment?
Or a cutesy character?
(On the plus side, it's nice seeing chocolate curls used for something other than "down there hair." [shudder])
Ok, how about some baby accessories? You know, bottles and bows, pacifiers and... uh...
Of course pee sticks.
Guess that beats putting the real thing on there, though - which, oh yes, people keep doing:
Thanks for not jamming the business end into the icing, I guess.
Ok, fine. Go back to your belly and butt and vajayjay cakes, people. BUT KNOW THIS: someday you, too, could be told, "There's cake in the break room!" like poor Lynds here, only to find that THIS is what someone actually brought in to work:
Clean up on aisle 3. Bring lots of brain bleach.
Thanks to Amanda S., Anony S., Rebekah D., Colleen F., Beka K., Corey, Nellie C., & Lynds for ensuring I will never eat a chocolate-sprinkled raspberry donut ever again.
Nizami began by sharing Rogers' diffusion of innovation theory. She found this after her first flipped course was over, but felt it correlated well with what happened in class. As shown in the below diagram, there are innovators, early adopters, the early majority, the late majority, and the laggards. The distribution of these groups is shown in blue, while market share of an innovation is shown in yellow. A question Nizami asked herself was: who is in the chasm? Why do some students feel like the flipped classroom teacher is not doing her job? ("I want you to lecture to me!") For any classroom innovation to be successful, we need buy-in from students.
Design thinking gave Nizami a useful model with which to approach her classroom:
- Empathize: validate the level of difficulty students face in class
- Define: gain students' confidence that you are on their side and not trying to trick them
- Ideate: involve students and come up with creative solutions
- Prototype: create opportunities for students to try out the proposed solutions
- Test: solicit student feedback; be brave
I figure the only way I'm going to get rid of this earworm is by giving it to you guys. So...
So, it's gonna be forever
Or it's gonna go down in flames.
You can tell me when it's over,
If the high was worth the pain.
Got a long list of ex-lovers!
They'll tell you...
But I got a blank space, baby...
And I'll write your name!
Toe-tapping thanks to Lindsay W., Meredith G., Daisy S., Telitha G., Sheri T., Geneva W., Christine S., and Elisabeth T. You know I'll love you guys forever, don't you?
A bit late, but better late than never.
I didn’t get any writing done for this blog last week, but I did complete an interview for the Geek Feminism Blog on the #LABHR experiment and on Getting Started in Open Source for the Anita Borg Institute. Both posts are forthcoming, and I believe the Getting Started post will run on the Systers blog.
If anyone has suggestions for topics I ought to address, I’d be grateful. Leave a note in the comments section or ping me on Twitter.
In other news, I’ve been really excited about how many expressions of appreciation and gratitude I’ve seen go by on Twitter under the LABHR hashtag. I’ve also counted 15+ “permanent recommendations,” meaning posts on LinkedIn or individuals’ blogs. The Twitter shout-outs are absolutely amazing, but it’s my firm hope that we’ll all produce referenceable posts of appreciation that can help folks in their careers in addition to brightening their day.
Here are a few of my favorite #LABHR recommendations so far:
Many thanks to everyone who has participated in the #LABHR experiment to date. Please keep those recommendations and expressions of gratitude coming!
- DiversityMediocrityIllusion | Martin Fowler (January 13): “A common argument against pushing for greater diversity is that it will lower standards, raising the spectre of a diverse but mediocre group.” Martin Fowler explains why that’s nonsense.
- On the Wadhwa Within, and Leaving | Medium (February): “That’s why I’m wary of the villainization of Vivek Wadhwa. For all that he is cartoonishly bad, going after him full force has the effect of drawing a bright line between Good People who see and crow over the error of Wadhwa’s ways and Bad People like Vivek.”
- Q&A: Gillian Jacobs On Directing Her First Film And The Myth Of The Male Computer Geek | FiveThirtyEight (January 30): “This week, FiveThirtyEight launched its documentary film about Grace Hopper, a rear admiral in the U.S. Navy and the driving force behind the first compiled programming language.”
- Video Games’ Blackness Problem | Evan Narcisse on Kotaku (February 19): “I decided to email with several prominent black critics and game developers to start a conversation. What is the source of video gaming’s blackness problem? What is to be done? I enlisted games researcher and critic Austin Walker, Treachery in Beatdown City developer Shawn Alexander Allen, Joylancer developer TJ Thomas and SoulForm developer and Brooklyn Gamery co-founder Catt Small to talk about what we all thought.”
- I Pretended to Be a Male Gamer to Avoid Harassment | Daily Life (December 11): “Things went along smoothly until I started playing at the top level of WoW (World of Warcraft). To participate, you have to join a ‘guild’ — a large group of people who can commit to playing for long sessions. Being allowed into a guild is like a job interview, and as part of that process (like proving I had access to voice chat) I had to reveal that I was a girl.”
- “Lean the f*** away from me”: Jessica Williams, “impostor syndrome” and the many ways we serially doubt women | Salon.com (February 18): “After a week of intense speculation about who would be taking over “The Daily Show,” Jessica Williams addressed the rumors that she was (or at least should be) the heir apparent for host. In a series of tweets, Williams thanked people for the support, but said she wouldn’t be sitting behind the anchor desk any time soon. (…) A little while later, a writer for the Billfold responded to Williams’ announcement with a piece that claimed she was a “victim” of impostor syndrome, and that she needed to “lean in.””
- Feminist writers are so besieged by online abuse that some have begun to retire | The Washington Post (February 20): “Jessica Valenti is one of the most successful and visible feminists of her generation. As a columnist for the Guardian, her face regularly appears on the site’s front page. She has written five books, one of which was adapted into a documentary, since founding the blog Feministing.com. She gives speeches all over the country. And she tells me that, because of the nonstop harassment that feminist writers face online, if she could start over, she might prefer to be completely anonymous.”
- Research suggests that the pipeline of science talent may leak for men and women at the same rate | Inside Higher Ed (February 18): “For years, experts on the academic and scientific workforce have talked about a “leaky pipeline” in which women with talent in science and technology fields are less likely than men to pursue doctorates and potentially become faculty members. A study published Tuesday in the journal Frontiers in Psychology says that the pipeline may no longer be leaking more women than men.”
- Life Hacks for the Marginalized | Medium (February 16): “Being human is hard! It’s even harder when your humanity is brought into question on a daily basis. But don’t let that get you down! So you’re not white/straight/male/abled/cisgendered/thin/rich — that doesn’t mean your life is over! It just means it’s much, much, much, much, much, much harder. Luckily, we have some time-saving tips that can help! By “help,” we mean “mildly mitigate your problems.” To solve them completely, try building a time machine and either engineering a whole new history that gives your people more power, or fast-forwarding to a post-patriarchy utopia.”
- Like it or not, Supanova, popular culture is political | The Drum (Australian Broadcasting Corporation) (February 18): “Online protesters have urged Supanova to reconsider Baldwin’s attendance given the inflammatory and offensive comments he regularly makes on social media, particularly about women, transgender people and gay people. But when the expo released a statement saying it would be proceeding as planned, it showed it didn’t care about creating a safe and inclusive environment for attendees.”
- The War for the Soul of Geek Culture | moviepilot.com (February 16): “The irony is that while externally, geeks are being accepted as a whole, internally, the story is much different. There’s an ugly core of nastiness coming from a very vocal minority, and as geek culture continues to expand, they only grow louder. And while the nastier moments of that ugly minority are starting to be recognized and picked up by mainstream media, it’s still largely our problem. Simply put, there is a war being waged right now for the soul of geek culture. And it’s a hell of a lot uglier than you realize.”
- Binary Coeds | BackStory with the American History Guys (February 6): “The idea [of] the male programmer may be a stereotype, but having a male-heavy workforce is a real issue for the industry. Companies see a big gender disparity when they look at their technical workforce, and many are asking themselves how to get more women into computer science. But when you look at the history of computer programming, the question actually looks a little different. It’s less about how to get women into computer science than about how to get women back into computing.”
- How To Talk To Girls On Twitter Without Coming Off Like A Creepy Rando | Adequate Man (February 17): “So, here you are, my friend, following a lot of brilliant women on Twitter (I hope). It’s so fun, and the best part of Twitter is connecting with people, so you want to reply to some of her great tweets with your own great opinions and jokes! Cool, cool, but here are some things to keep in mind.”
- Art+Feminism Is Hosting Its Second Ever Wikipedia Edit-a-thon To Promote Gender Equality | The Mary Sue (February 18): “In 2011, a survey conducted by the Wikimedia Foundation found that less than 10% of Wikipedia editors identified as female, to say nothing of recent clashes between editors in the Gamergate article that resulted in several women being banned from writing about gender at all. But just talking about the problem isn’t going to create more female editors—training women who are interested will.”
- #ScienceWoman Special Project | Amy Poehler’s Smart Girls (February 16): “Amy Poehler’s Smart Girls is teaming up with the hit PBS Digital Studios science YouTube show It’s Okay To Be Smart to celebrate amazing women in science. We’ve got a special project planned for the beginning of March, but we can’t do it without YOU!”
We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.
You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).
Thanks to everyone who suggested links.
Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax – allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.
Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.
Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.
Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.
Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.
The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.
According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.
SQUEEZING THE BALLOON
Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.
But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.
“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”
Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.
“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”
Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.
“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”
KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.
“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”
That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.
“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”
NO RULES OF THE ROAD
For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.
Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.
“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”
Robert Lanesey, Intuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.
“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”
Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.
“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”
Earlier this month, Intuit CEO Brad Smith sent a letter to the commissioner of the IRS, noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.
“The IRS could be the convener to bring the States together to help drive common standards adoption,” Smith wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”
ZERO FALSE POSITIVES
Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.
“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”
On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.
“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”
Intuit’s Lanesey confirmed Lee’s claim that Intuit adds a delay — it is currently three weeks — from the time a customer files a refund claim and the time it transmits “scoring” data to the IRS intended to communicate which returns the company believes are suspicious. Lanesey said the delay was added specifically to avoid false positives.
“The reason we did that was that when we started this reporting, we weren’t accurate, and were ensnaring legitimate taxpayers in that process,” Lanesey said. “We slowed down and spent more time to review to make sure we could get more accurate and we have in fact done exactly that. The match rates between what the IRS rejects and what we send are now measurably higher today with the new reporting than they were then.”
Unfortunately, three weeks is about how long the IRS takes to decide whether to reject or approve tax refund requests. In an August 2014 report to Congress on the tax refund fraud epidemic, the GAO said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.
Williams said Intuit is open to shortening its reporting delay.
“As we’ve gotten better at this and the IRS has gotten better at this, we can certainly look at shortening the timeframes,” he said. “Given the fact that over the past few years we’ve improved our speed, processes and techniques for reporting accurately, we can certainly explore whether they are able to take the data we give them and we are able to provide it to them in a way that is more useful.”
BUILDING A BETTER MOUSETRAP
The scourge of tax fraud is hardly a problem confined to TurboTax, but with nearly 29 million customers last year TurboTax is by far the biggest player in the market. In contrast, H&R Block and TaxAct each handled seven million prepared returns last year, according to figures collected by The Wall Street Journal.
Both Lee and MacDougall said they wanted to go public with their concerns because TurboTax and the rest of the industry have for so long put off implementing stronger account security measures. MacDougall said he filed the whistleblower complaint with the SEC because he witnessed a pattern of activity within Intuit’s management that suggested the firm was not interested in stopping fraud if it meant throttling profits when none of its competitors were doing the same.
MacDougall said that about a year ago he had a meeting with the head of Intuit’s security division wherein security team members were asked to pitch their projects for the year. MacDougall said he thought his idea was certain to generate an enthusiastic response from higher-ups at the company: Build a fraud ‘honeypot.’
In information security terminology, a honeypot is a virtual holding area to which known or suspected fraudsters are redirected, so that their actions and activities can be monitored and mined for patterns that potentially aid in better identifying fraudulent activity. Honeypots also serve a more cathartic — albeit potentially just as useful — purpose: They tie up the time and attention of the fraudsters and cause them to waste tons of resources on fruitless activity.
“My project was going to be a fraud honeypot,” MacDougall recalled. “My pitch was that we would create a honeypot in TurboTax so that every time a fraudster came in and we figured it out, we’d switch them over to the honeypot version of the site so that we could waste their time, exhaust their resources, and at the end of the day they wouldn’t know they’d been scammed for several weeks, when they finally realized that none of their fraudulent returns had even been filed.”
But MacDougall said he was stunned when his boss emphatically rejected his idea for use on TurboTax accounts. Instead, she brought up the fraud-as-a-balloon analogy, MacDougall said.
“She said ‘You can use this on any other product except TurboTax’,” MacDougall said. “I asked why we wouldn’t want to use this on our flagship product, and her answer was that this was an industry problem and not just a TurboTax problem.”
Only after Intuit was forced to temporarily suspend state filings earlier this month did the company’s chief executive announce plans to beef up the security of customer accounts. Intuit now says it plans to start requiring customers to validate their accounts, either via email, text message or by answering questions about their financial history relayed through the service by big-three credit bureau Experian.
Lee says those requirements are long overdue, but that they don’t go nearly far enough considering how much sensitive information Intuit holds about tens of millions of taxpayers.
“Tax preparers ought to apply similar ‘know your customer’ practices that we see in the financial markets,” he said. “When you give your most sensitive data and that of your family’s to a company, that company should offer you more security than you can get at Facebook or World of Warcraft,” Lee said, referring to two popular online businesses that have long offered the type of multi-factor authentication that Intuit just announced this month.
At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.
“The point here is not to shame Intuit, but to educate the American public about what’s going on,” Lee said. “The industry as a whole, not just Intuit, needs to grow up and tackle this fraud problem seriously.”
Intuit’s David Williams said the company is focused on remedying some of the account issues raised by Lee and others.
“To be fair, our recent experience with the states has been a wake-up call that we are going to be more aggressive than anybody going forward, even if we were just acting consistently [with the rest of the industry] in the past,” he said. “That’s why we always talk about our anti-fraud efforts as evolving. We don’t have every great idea in the world, but we’re always looking at improving.”
I know a lot of us can relate to those tough times at school - some of which can leave life-long scars - but I'm so glad Katie has all of your comments with her, cheering her on.
I know she didn't set out to do it, but Katie has been such an inspiration to me these past 4 years. Not only did she show what young girls can achieve when they're not afraid to share their passions, she also proved just how staggeringly kind this community can be when we pull together for one of our own.
All good things, and things I want to remind both myself and everyone else of more often. So thanks, Katie. Sending lots of virtual hugs your way!
Once Upon a Time...
...in the Kingdom of Zuu,
(By Artisan Cake Company)
lived a helpful young owl his Mom had named Huu.
Huu danced with Petunia when she did ballet,
(By Dinky Doodle)
and untangled Sloth when bars got in the way.
(By Conjurer's Kitchen)
He always had time to tie Sally's red bows,
(By Planet Cake)
and if Hedgie asked, Huu would polish his nose.
(By Debbie Does Cakes)
When Flamingos ran errands, he'd stay with their chicks,
(By Mike's Amazing Cakes)
and he made sure that George ate the greens, not the sticks.
(By Planet Cake)
Huu'd help Raffi up when he fell in a heap,
(By Sprinkles Cakes)
and he sang lullabies, to help Flo go to sleep.
He prattled with penguins,
he combed all the llamas,
(By Viva la Cake)
he even helped meerkats put on clean pajamas.
(By Dootsy Dora)
And after all that, our Huu still wasn't through.
On Sunday, he shared all of his Sweets with you.
Certainly I can more easily achieve rapport with a wider variety of people if I can make conversation about, for instance, good NYC-area hikes you can get to without a car. And on my English Coast-to-Coast walks, I consistently found other hikers were sociable and supportive and friendly, taking time out of their rambles to help me and my companions wayfind, learn to use our tools, and swap stories.
In pop music, romance, makeup, clothing, sewing, hiking, film and Marvel fandom, I find a willingness to emphasize the sensual and the aesthetic experience. And we can talk about being overwhelmed emotionally by experience, which is also something appealing about sports fandom, that if we talk about our stomachs lurching with fear or happiness, or we ALLCAPS about how yes, breakups are super emotional so songs about them might be too, other people allcaps with us. We unapologetically get at the numinous. No one needs to write essays reminding us that people who read romance novels have emotions and that it's undesirable and impossible to eradicate those emotions.
In functional programming, film, clothing, and music, I've found new abstractions, new perspectives on things that already exist, that make me clutch my head as my brain changes configuration. I do already get that sometimes from my pre-existing milieu, but diversity of perspectives means I get it more if I am in more and more different kinds of communities.
And most of the communities I'm getting into have more gender diversity and far greater ethnic diversity than most of the communities I was previously paying attention to. (Please do pay attention to my disclaimers there instead of going #notallfans or similar.) I see and interact with people of more widely varying demographics, and I see the work of diverse people praised and discussed. And this is clearly something I need to improve in my life, because, for example, here I am in a world where Beyoncé Knowles is a global superstar, a critically important black artist and one of the most prominent feminists in the world, and I have barely been hearing or hearing about her work. I heard about a French gender-switch satirical film (Majorité Opprimée) just after it came out, but it's taken me six years to hear about Beyoncé's "If I Were A Boy" (via Arthur Chu's piece on white mediocrity and black excellence). I hear about all that Dove beauty stuff all the time, but only today did I watch Beyoncé's "Pretty Hurts" video. Clearly I need to up my game.
I've added a couple of photos in this post, pictures of some bits of papercraft I made. In December, I raised some money for Wikimedia by wrapping gifts at Astoria Bookshop; gift-wrapping was free, but if customers wanted to give a tip, the volunteer doing gift-wrapping could choose a charity where that tip went. During the slow periods, I cut up the leftover scraps of wrapping paper to make little decorative snowflakes and whatnot, and then I tied them to the ribbons when I finished wrapping up a book. They were pretty, and they didn't scale, and I tried out lots of different variations, and I gave them away, and I liked it. Maybe one more thing I see more in my new communities than in my old ones is the idea that it's okay to enjoy an experience without really understanding it. I'm gonna try that.
* One tip that fundraising consultants give you is that you should think of your communities, past and present, so you can further list people you know through those communities whom you could ask to give money to your cause. I started a list for that exercise, and now see that since about 2002 my communities have included: my blood family, Leonard's family, Wikimedia, Open Source Bridge/Stumptown Syndicate, the MS in Tech Management cohort from Columbia University, the University of California at Berkeley, GNOME, Maemo/MeeGo, AltLaw, the Participatory Culture Foundation, Hacker School, New York City tech in general, Geek Feminism, the Ada Initiative/AdaCamp, WisCon, Foolscap, Making Light, MetaFilter, ImpactHub NYC, the Acetarium, OpenHatch, Growstuff, Collabora, Fog Creek Software, Behavior, Salon.com, Cody's Books, Yuletide Treasure, the Coast-to-Coast walk, Strange Horizons, Slightly Known People fandom, Breaking Bad fandom, Mike Daisey fandom, Star Trek fandom, The Colbert Report fandom, Midtown Comics, the Outer Alliance, Python, Software Carpentry, Mozilla, MetaFilter, LWN, Crooked Timber, Systers, OpenITP/TechnoActivism Third Monday, my Twitter followees/followers, my Identi.ca circle, REI, Dreamwidth, code4lib and #libtechwomen/#libtechgender, Hackers on Planet Earth, the Professional IT Community Conference/LOPSA, Women in Free Software India, the New York Tech Meetup, Subdrift NYC, a few now-defunct private email lists, Google Summer of Code, Outreachy, Foo Campers, Empowermentors, the Unitarian Universalist church, Debian-NYC, Metrics-grimoire, Mailman, NYC storyreading, the Museum of the Moving Image, my local meditation class, and probably more stuff. That wasn't in any real order, in case you couldn't tell, and I claim zero consistency in my participation level. Patterns include: lots of geekiness and lots of online interaction.
At least 87 percent of casual, small-talk conversations last too long. The problem here is twofold:
• People are afraid to end the conversation and;
• “It’s time to end this talk” hints are ignored.
A solution to the first problem after the jump …
This is something lots of people struggle with, so don’t feel bad. First, do not fear the conversational reaper. All things begin and all things end, including this conversation you are engaged in.
And really, chances are that the other person doesn’t want this to go on forever, either. Can you imagine spending your entire life right there, in that living room, talking talking talking to this person about sports or Occupy or whatever, both of you growing old and grey and still the conversation flows dully on? No one wants that.
So when you notice the drop-off in the mutual enthusiasm level to below say 50 percent, start to convey your intent for things to end by issuing a somewhat final-sounding statement on the topic at hand, followed by “anyway.” For example: “Yes, I mean, I guess I’m just glad that someone is willing to agitate on my behalf even though I’m not the camping type. Anyway,” and here, you will adopt an expression that conveys many things — sadness that this conversation is coming to an end, gladness that you have met this person, resignation to the finality of what you are about to say — “It has been just wonderful chatting with you.”
You don’t really need to announce your new destination because chances are it will sound awkward anyway. And then let them acknowledge that they have enjoyed chatting with you, and then say goodbye brightly.
Essentially, instead of sexting that random person (who might not appreciate it OR might share it with the world) send them to a close friend, who will tell you you look hot. Only send PG or PG-13 rated pics, obviously.
Frexting etiquette includes replying with positive emojis, including but not limited to the little fire, a cat with hearts for eyes and clapping.
This is a surprisingly fun and empowering thing to do.
Some of my favorite new submissions this week:
Tara wanted rock n' roll:
...but what she got was wreck n' woe:
Aww. Play us the song of your people, little wreck!
["Wa wa WA waaaaaaaah!"]
Ok, you can stop now.
This next one inspired me to write a little verse:
Hoping and such
Jo you s
And speaking of proper spacing:
That's pretty memorable.
(Give it a second.)
(Theeere it is.)
You know how some bakers like to keep an eye on their cakes?
Well, that reminded me of this older wreck:
THIS CHANGES... well, nothing.
But I thought it was funny.
Q: What's worse than using giant plastic ribbon all over the cake?
A: Not using enough.
What we have here is a basic misunderstanding of how ribbon works.
And finally, since I just realized I haven't shared a fan-made wreck in ages, here's a fun homage from Kimberly:
The best part? I give it a month before this starts popping up in "cake fail" slideshows all across the web, since the FailBuzzLOL sites never bother to read the posts they're ripping off, and keep putting up intentional fan wrecks from our archives. :D
I bet Steven's is safe, though - and yep, he actually asked the baker to write this:
That's definitely a "darned if you do, darned if you don't" situation, bakers.
BUT I'M NOT SORRY.
Thanks to Tara M., Jenna R., Mark O., Terri C., Tabatha G., Julia E., Kimberly S., & Steven B. for finally finding a wreck no one else will steal. AWWW YEAAAAAH.
This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame Chrome doesn’t support self-closing scripts in HTML or within an SVG element, because I’m pretty sure I could bypass it without using an existing script. Anyway, the injection uses a data URL with a script. In order to bypass the filter we need to concatenate the string with the quote from the attribute or use HTML entities such as
//. The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute.