[syndicated profile] epbot_feed

Posted by Jen

Oh yes, there's still more.

Let's start off with this epic group of elves from Lord of the Rings:

Just after I took this some little kids jumped in dressed as Bilbo and Gollum, and the reactions were priceless:

Kid Gollum was really into character, and so incredibly creepy that he totally stole the show:

See what I mean??

Here's just the kids later on:

Remember how I said Gollum was really into character? 

It's amazing I ever caught them both standing still!

K, moving on, here's a gender-swapped Jareth from Labyrinth:

And a group of Disney princesses:

Nice to see both Kida and Giselle in there - you don't see them much!

Pretty sure these are both from Mass Effect:

This group, too:

This Sailor Moon Cinderella was actually playing a video game strapped to someone's back (because Dragon Con!), and gave me some fabulously cheesy poses with the controller:

Another great mashup: Halo Kitty. (Get it??)

Check out the light-up whiskers!

Now how about a kitty Ghostbuster?

And can we all stop for a moment to appreciate that Caution sign on his waist? Ha!

Here's another group I took too many pictures of - this time from John's favorite game, Skyrim:

The two on either side are Draugr, undead warriors, which look like this in-game:

 Those glowing eyes are fantastic - and see all the arrows sticking out of him?

The woman in the middle is wearing Nightingale Armor, which looks like this:

Here's a better group shot, this time with an armored knight:

Btw, the two Draugrs are husband and wife, and you can see some amaaazing build photos over on his site, Punished Props.

You see a lot of TARDIS dresses, but this couple went all out and had the guy dress as one, too!

Love her white hair and his hat.

How many cons have both Mary Poppins AND Mrs. Banks out together?

And you see Barf from Space Balls in his regular jumpsuit pretty often, but almost never in the guard uniform from the prison break:

Remember this scene? Ha! Great prop choice. 

A cutie patootie Pinkie Pie:

And you've gotta love vacationing Joker smirking in the background.

Super dark photo, but here's a group of Princess Jedis:

And a fantastic armored Wonder Woman with a Dragon Priest from Skyrim:

I tried to find a Priest pic from the game to show you guys, but there are TONS of different versions, and I couldn't find this one.  >.<

Mad Moxxi and Tiny Tina from Borderlands:

Here's what those two look like in-game:

Not a great photo of the costumes, but I thought this shot was really fun:

The camera flashes across from me ended up looking like the Storm Troopers blaster fire! :D

Ronin and Gamora from Guardians of the Galaxy:

An unmasked clockwork robot from Doctor Who:

And a screenshot from that episode:

Because venetian masks weren't freaky enough, right?

Since I'm guessing most of you haven't watched Soul Eater (though you should!), this is Lord Death from the show:

He talks with a ridiculously high voice, likes to high-five people, and is generally hilarious.

And now. in real life!

And since every DC cosplay post needs a moment of what-the-actual-heck:

Those aren't condoms, they're baby bottle nipples. And he also had a long glowing tail, which is giving off that purple light. 0.o

And finally, let's end with some My Little Mandalorians:


(Mandalorians are the mercenary/bounty hunters of the Star Wars universe, like Boba Fett.)

So Fluttershy is holding a tiny bunny, Pinkie has her confetti cannon (complete with color-changing lights!), and Rainbow Dash is sporting a hank of hair ala Boba Fett... in rainbow. So good.

Ok, guys, we're nearly there! So in next week's final (yes, finally) DC roundup, I'll have pics from the Potter-themed Yule Ball, plus some jaw-dropping cosplay from Book of Life, Once Upon A Time, and lots more. Stay tuned.
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

tp-link WDR4300Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users. The emails were made to look like they were sent by Brazil’s largest Internet service provider, alerting recipients about an unpaid bill. In reality, the missives contained a link designed to hack that same ISP’s router equipment.

According to Proofpoint, the link in the spam campaign led to a page that mimicked the telecom provider. The landing page included code that silently attempted to execute what’s known as a cross-site request forgery attack on known vulnerabilities in two types of routers, UT Starcom and TP-Link. The malicious page would then invoke hidden inline frames (also known as “iframes”) that try to log in to the administration page of the victim’s router using a list of known default credentials built into these devices.

If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS ( Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting them away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

The malicious script used by the spammers in this campaign tries multiple default multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The malicious script used by the spammers in this campaign tries multiple default credentials in a bid to hijack routers with factory-default settings. Image: Proofpoint.

The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time.

“There is virtually no trace of this thing except for an email,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint. “And even if your average user knows to look at his router’s DNS settings, he’s unlikely to notice anything wrong or even know what his normal DNS settings should be.”

Many modern routers have built-in defenses against such attacks (including countermeasures known as CSRF tokens), but new vulnerabilities in existing routers — even recent model routers — are constantly being uncovered. I asked Proofpoint whether such protections — or security improvements built into most modern browsers — would have stopped this attack. Their experts seemed to think not.

“The routers being attacked in our example were not so diligent and so were vulnerable to this attack,” Proofpoint’s lead analyst wrote in an email response to my question. “What you’re likely thinking of is the cross-origin policy, which is designed to prevent attacks similar (but not identical) to this one (it mostly focuses on javascript). In this case, iframes are permitted by default, so modern browsers (by design) will happily participate in the attack we documented.”

In any case, I hope it’s clear by now that leaving the default credentials in place on your router is merely inviting trouble. Last month, I wrote about how the botnet used to take down Sony and Microsoft‘s online gaming networks was built on the backs of hacked home routers that were all running factory-default administrative credentials.

If you haven’t changed the default credentials on your router, it’s time to do that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.

To see whether your credentials are the default, you’ll need to open up a browser and enter the numeric address of your router’s administration page. For most routers, this will be or (on Apple routers, it’s more likely to be This page lists the default internal address for most routers. If you have no luck, there, here’s a decent tutorial that should help most users find this address. And check out my Tools for a Safer PC primer for more tips on how to beef up the security of your router and your Web browser.

Read more about this attack at Proofpoint’s blog post.

[syndicated profile] geekfeminism_feed

Posted by terriko

An internationally known community manager, speaker and author, Leslie Hawthorn has spent the past decade creating, cultivating and enabling open source communities. She created the world’s first initiative to involve pre-university students in open source software development, launched Google’s #2 Developer Blog, received an O’Reilly Open Source Award in 2010 and gave a few great talks on many things open source. In August 2013, she joined Elasticsearch as Director of Developer Relations, where she leads community relations efforts.

I’ve known Leslie for years now, and she is forever inspiring me with her ability not only to find visionary ways to improve the world, but also to follow-through with the rabble-rousing, cat herding, paperwork, and everything else that’s needed to take ideas from “wouldn’t it be nice if?” to “this is how we’re going to do it.”  I really enjoyed her recent blog post, A Place to Hang Your Hat, and asked Leslie if she had a bit of time for an interview to tell Geek Feminism blog readers a bit more about the idea.

For people who haven’t read your blog post yet, can you give us the point of “let’s all build a hat rack” in a few sentences?

In open source software projects – and life in general – there are any number of contributions that are underappreciated or go unacknowledged. I’m very aware of how often that underappreciation or lack of acknowledgement is due to socialization around what labor is considered valuable vs. what is largely invisible – we are taught to value and celebrate the accomplishments of white men and minimize the impact of the labor of women, people of color, transpeople, differently abled people, etc.

The let’s all build a hat rack project is a call to acknowledge all the diverse contributors and contributions in our work lives and volunteer projects, with a special emphasis on acknowledging folks who are not like you first. You can do this easily by writing them a recommendation on LinkedIn – which they can decide to approve for inclusion on their profile – or just sending them a thank you note they can use later. Bonus points for sharing your appreciation on social media using hashtag #LABHR.

Recommendation on LinkedIn: Holly Ross is, quite simply, amazing. She has completely transformed the Drupal Association into a well-run organization that is able to respond proactively, rather than reactively, to fast-paced changes in the larger Drupal ecosystem. She deeply understands the importance of communicating “early and often,” and has brought an enormous amount of transparency to our organization. She’s also extremely savvy about the unique challenges in an enormous, globally diverse, and largely unpaid community of contributors, and conscientious about how to balance that with the needs of our staff and our sponsors. I’ve never seen her back down from a challenge, and every time I have the pleasure of working with her, we always get tons of stuff done, and have tons of fun in the process.

Today, in the further adventures of #LABHR, a LinkedIn recommendation for the indefatigable @drupalhross! pic.twitter.com/b2ynru6uAa

— webchick (@webchick) February 18, 2015

What inspired the project?

It came about for a few reasons, but first and foremost I want to acknowledge Deb Nicholson for inspiring the phrase “let’s all build a hat rack.” There’s more about Deb’s contributions to my thinking and the open source community in the post, so please check it out.

Beyond that, the project came about largely due to the intersection of two frustrations: the lack of understanding people have for everything I – and friends like Deb – have accomplished, and the seemingly unending cycle of horrible news in the tech industry. While it’s important to have a clear and candid dialog about sexism, racism, ableism, transphobia and other issues impacting the diversity of the technical community, that seems to be all I am reading lately. The news is usually sensationalistic and often depressing.

I wanted to give myself and everyone I know something uplifting and useful to read, to encourage all of us to show gratitude and appreciation, and to make that show of gratitude a useful way for contributors who are usually not acknowledged to get the credit they deserve. Not just because they deserve it, but because that public acknowledgement of their work helps with acquiring jobs, landing their next big project and feeling good about continued contributions.

What tips do you have for people struggling to find someone to recommend?

You know, I figured this project would be really easy until I started writing up recommendations. To my earlier point about being socialized to see some labor as invisible or less valuable, I had no trouble thinking up white dudes who had done things I appreciate. I had to push myself harder to think about the women in my life who have made significant contributions, even though they are numerous. I can imagine that some humans, specifically male humans, are having the same issues.

So, to get started, think about things /actions / projects that have meant a great deal to you. Was there a conference you attended where you had an “ah ha” moment? Were you able to solve a problem thanks to great support on a project’s web forum or in their IRC channel? Did you read a blog post that was filled with brilliance and inspired you to be better at your craft? Cool. Were there people involved who were not like you? Great! Not sure exactly what they did? I’d call that an excellent opportunity to find out more about their involvement, thank them for educating you and their contribution, and then use that information to write a recommendation.

I’m not going to lie to anyone – you’re may have to think hard about this at first and it will be uncomfortable. You have to internalize the fact that you’ve been taught to see some very amazing work as non-existent or, at best, mere window dressing. That’s OK, too. The first step toward progress is thinking through that discomfort, then finding the humans to thank at the end of it.

If you’re still having trouble thinking of someone, that’s OK. Talk to your friends or fellow project members for suggestions. Tell them you’re thinking about participating in the #LABHR project, but need help getting started. Friends can help you think of people you’ve missed celebrating, and they may also want to join the experiment and recommend people, too!

I’ve always been impressed with your gracious ways of thanking and recommending people, so I feel like you must have some insight into writing good recommendations. Are there any suggestions you have for people who want to write a great ones?

Keep it short and simple. One of the things that makes writing recommendations hard is that we’re trying to encapsulate so many good qualities into a few short sentences. You don’t have to write down everything wonderful about the person you’re recommending, just the 3-5 ways they’ve been most impactful in your project / company / life. In a pinch, concentrate on things employers want to hear about, as that will make your recommendation most useful.

What impact do you hope to have on people’s lives with LABHR?

I’d like this experiment to give the technical community a reason to express more gratitude for all contributions. I especially want to give white male allies a clear, actionable path to improving things for underrepresented groups. Writing a recommendation will take you about 15 minutes, but it can have immeasurable impact on someone’s future career prospects.

I’m really excited to say that I’ve seen 15 permanent recommendations go by and a whole lot of shout-outs under the #LABHR hashtag so far. I hope many more recommendations will come.

Want to see more inspirational LABHR entries? Check out the #LABHR hashtag on twitter and then write your own!

Texas Cowboy Poetry Goes Horse

Feb. 26th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Every year I try to channel my inner cowboy and write a little poetry. So sit back, relax, and try not to picture me in a Three Amigos costume*.

[*You're already doing it, aren't you? I knew it.]


Jed was a cowboy who wanted to sing
'Bout huntin' an' fishin' an' bein' right-wing.
As a matter of course
He camo'd his horse
But now he can't find the dang thing




Is that an ear, dear?
Who knows, nose?
But that's an eye, aye?

Nice roses.



As I ponder the existential stylings of my empty holster and overflowing chaps
Finger guns!
And in the corner,
she smirks.
Stop that



silent bug-eyed stare
why are you making that face
I hope that's a tail



[strumming guitar]

Poop in the mane
Poop in the maaane!
It don't matter one whit
Where your horse takes a... hit
So long as there's no poop
in the mane.


Thanks to my amigos Emily F., Sandy L., Katie T., Carrie B., & Whitney K., who would definitely say that I have a plethora of poetry-penning talent. (Right? ;))


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.

Today, the group took credit for hacking Lenovo.com, possibly because it was recently revealed that the computer maker was shipping the invasive Superfish adware with all some new Lenovo notebook PCs (the company has since said Superfish is now disabled on all Lenovo products and that it will no longer pre-load the software).

According to a report in TheVerge.com, the HTML source code for Lenovo.com was changed to read, “the new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey.”

The Verge story notes that both men have been identified as members of the Lizard Squad; to my knowledge this has never been true. In fact, both used to be part of a black hat and now-defunct hacker collective known as Hack The Planet (HTP) along with one of the main current LizardSquad members — Julius “Zeekill” Kivimaki (for more on Julius, see these stories). However, both King (a.k.a “Starfall”) and Godfrey (“KMS”) have been quite publicly working to undermine and expose the group for months.

Reached via instant message, both King and Godfrey said the Lizard Squad used a command injection vulnerability in Webnic.cc to upload a rootkit — a set of hacking tools that hide the intruder’s presence on a compromised system and give the attacker persistent access to that system.

Webnic.cc is currently inaccessible. A woman who answered the phone at the company’s technical operations center in Kuala Lumpur acknowledged the outage but said Webnic doesn’t have any additional information to share at this time. “We’re still in the investigation stage,” said Eevon Soh, a Webnic customer support technician.


It appears the intruders were able to leverage their access at Webnic.cc to alter the domain name system (DNS) records for the Google and Lenovo domains, effectively giving them the ability to redirect the legitimate traffic away from the domains to other servers — including those under the attackers’ control.

King and Godfrey said the Lizard Squad also gained access to Webnic’s store of “auth codes” (also known as “transfer secrets” or “EPP” codes), unique and closely-guarded codes that can be used to transfer any domain to another registrar. As if to prove this level of access, the Lizard Squad tweeted what they claim is one of the codes.

Starfall and KMS say the rootkit has been removed from Webnic’s servers, meaning the Lizard Squad should no longer be able to hijack Webnic domains with the same method they used to redirect Lenovo.com or Google Vietnam.

This is not the first time these actors have messed with Webnic.cc. Web Commerce Communications Ltd. (Webnic) is a popular registrar among hacker forums and underground stores that traffic in stolen credit cards and identity information, and a great number of those sites are registered through Webnic. It was hardly a coincidence that many of these criminal storefronts which have been hacked over the past couple of years — including rescator[dot]so, and ssndob — were registered at Webnic: All of the same players involved this week’s drama were involved in those hacks as well.

Deleted Scenes

Feb. 26th, 2015 02:25 am
[syndicated profile] sumana_feed
A few deleted sentences from a piece I'm drafting:

One way to understand suspense is that it's the state of having multiple conflicting valid causal models, or not having enough information to even form a single satisfying prediction.

Each protagonist gets impressive moments of awesome competence and agency. But, like levelling up in a game, it's still constrained by the sandbox (which is of course more realistic than the Matrix solution).

The big science fictional twist is that you are far less significant than you had imagined.

But they require less genre expertise than, say, "Four Kinds of Cargo" or the trope review at the start of Anathem.

Honey, I Left the Tech Industry

Feb. 25th, 2015 09:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate


Credit: DeviantArt / KineticEcho

Nearly a year ago I wrote The Day I Leave The Tech Industry. That’s not when I published it… I sat on it for months. I worried that I was revealing too much of myself, that I would put it out there and… crickets. That I would feel even more alone that I already did.

That’s not what happened. It still gets traffic but worse (or better? I don’t know) it comes up in conversation. A friend talks about her next career decision, says “I keep thinking about your post”. It gets referenced when someone leaves. Turns out, I captured something that many of us felt. What an amazing thing, as a writer. What a horrifying thing, as an industry.

I think I wrote it on this miserable day, one where I didn’t sleep, got to my desk incredibly early. No-one else was there yet, so when I started to cry no-one saw me. I IM’d with a friend, who convinced me I should just go home.

Some guy was being a jerk. In fact the interesting part of that story is that my manager at the time noticed, and did something about it, and a few days later I actually felt optimistic in a way that I had not considered possible. Of course, there is a vast gap between a colleague who actually respects you and one who is problematic enough that anything actually happens to them. I’ve written about the patterns, about the “nice” undermining, some of which I’ve experienced, others only witnessed.

The thing is, when you have reached that point where you want to leave, it never goes away completely. It’s always there, and you come back to it on days where you don’t see any reason to stay.

I know this because I had first reached that point at least 6 months earlier. I had decided it was time to leave and I had made a plan. I checked off the practical things on that list – I relocated so that I was no longer on a work permit, I took care to get a short lease on my apartment, I consolidated bank accounts from countries I had lived in, I filed my tax returns. I responded to recruiters, trying to get a sense of what was out there, and I worked at building up my profile externally.

Finally, six months ago, I asked myself what I was waiting for? Why was I waiting out my job like it was a prison sentence? Because this had been The Plan I had made a year earlier? I had already given up my apartment, decided what I was going to work on… my fear was no longer what if I left but what if I stayed? What if I got just comfortable enough, but never actually happy?

I printed out my resignation letter. I didn’t bother with headed notepaper. I had a 1:1 scheduled with my manager. Before it, there was a meeting with a recruiter I hadn’t managed to evade, trying to get me to reconsider doing Corporate Feminism (something I had quit around the time that I decided to…quit). She asked me, “if there any way to change your mind?”. I thought about the piece of paper in my pocket, and said “no.”

My manager was nice, he had always been nice. His manager was also nice. I was amazed how well I had concealed my plan to leave. They were generous with my exit contract and by the end of that week… I was gone.

Since then I have been travelling (often to speak), and writing, and working on Show and Hide. I have not found the words to write long-form about the why or the how. I have made short quips about how “I only get mansplained to on twitter now”, or commented on no longer having to answer to a white dude. But short quips cannot capture the complexity of what it has meant to walk away.

The biggest freedom has been the liberation from the cognitive dissonance from a world that told me I had Made It as an engineer when I felt so unhappy. From the cognitive dissonance of an organisation that seemed to believe the problem was entirely a problem of graduation rates whilst I and my friends experienced otherwise. I do not recall when I last cried. I no longer worry that I am going mad.

But, this is what I expected. The unexpected has been vastly more interesting and encouraging.

I am more confident as a developer. I actually feel more capable.

I have rediscovered a joy of programming and engineering and testing and creating that I had forgotten.

I get to embrace the breadth of my interests, Show and Hide combines my love of photography with my obsession with mobile.

It feels like most of what I learned in the last 2 years I learned in the last 6 months.

I feel like what I do know is more appreciated, as I get to share more of what I’m doing technically.

I learned how to have opinions again. I did not realise I had stopped bothering, I guess there was always some dude telling me what I should think, mostly on topics that did not matter enough to fight about. This was weird, and hard, but gradually… liberating.

Of course it is not all joy. Some days the amount of bitterness I feel makes me sad. The vindication of finding other women with similar stories. The jealousy of those who thrived in a good environment. The inadequacy when something causes me to ask myself “should I just be more resilient”?

Of course the fact that I didn’t need to be more resilient is a huge measure of financial privilege. And I still, rationally, believe that we shouldn’t have to be that resilient. Or brave. As my friend Julie observed, “It’s nice that you think they’re all brave, but they shouldn’t have to be. They’re not going to the frontlines of a war zone. They’re going to write code.”

What does it mean to say I’ve left? Because after all, I still write code. I still speak at tech conferences. In some way I seem to others more in tech, because I am more visible in tech. Now that I no-longer work at a somewhat insular place, fear a PR nightmare around something I said, I can be.

Perhaps the meaning lies in the boundary it creates for me. The way it allows me to emotionally disconnect from things that would otherwise be more upsetting. I don’t have to care, I left. Of course it’s bad, that’s why I left.

And yet I still comment on the tech industry. I was re-reading something that I wrote about calling “male allies” out and empathy and it occurred to me that perhaps the point I wanted to make was that pointing this stuff out is in fact a compliment – it’s taking the time to show someone that you believe that they can do better.

That I still comment on the tech industry is that kind of compliment. I believe you can do better. Some days I even think we will.

Never Buy Custom Mats Again!

Feb. 25th, 2015 01:52 pm
[syndicated profile] epbot_feed

Posted by Jen

Sometimes even John and I forget how much cheaper and easier it can be to just make stuff yourself.

Case in point: we went to a local craft shop to get two custom mats for some art for the steampunk room. Since we wanted an antique look, we picked fabric-covered mats, which we were told would take over a week to make, and cost over $60.

Now, $30 each may not sound TOO bad... but that's more than we spent on the art being framed! And all for a one-inch decorative border? NUH-UH.

So we canceled the order and headed to the fabric section.

We bought about half a yard of two fabrics that almost exactly matched the original mats we wanted: a faux red velvet and a faux leather. Total cost? Around $8.
New art on the wall.

Here's the thing: fabric-covered mats - which both look and ARE the most expensive - are actually the easiest to make yourself, since you don't need a mat cutter or special tools. All you need are fabric, mat board (available in huge sheets for less than $10 at any craft shop), a craft blade, and spray adhesive.

I'm sure I've shown this kind of thing before, but here, look how easy:

 Cut your mat to size using a plain craft blade - no bevel needed.

Spray the mat with spray adhesive and lay your fabric on top. Smooth out any wrinkles.

Trim the edges with scissors.

Flip the mat over and cut a big X in the fabric, making sure the cuts reach all the way to the inside corners.

Fold back each flap, trim the excess, and glue or tape in place.


Caveat: none of this is acid-free, so I wouldn't recommend it for expensive or irreplaceable pieces. Everything else, though? GO NUTS.

And here's a tip for saving crap-tons of money on custom-sized frames: just buy a pre-made frame that's too big, and cut it to size yourself. We found this gorgeous frame for only $13 on a clearance rack over a year ago:

John cut it down to size ["You'll never amount to anything! Your mother was a sod pallet!"] with his miter saw, then re-assembled using a nifty framing strap which you can just see in the top right corner here:

The ratcheting strap holds all four corners at perfect 90 degree angles while the glue dries. (For larger frames make sure you also use pin nails to hold everything in place.) Cool, right? And not so hard? You should totally try this.

Next John painted the frame bright gold and aged it with a little black, so now it looks like this:


And if you want to fool everyone into thinking your art is an original and NOT a print, here's another ridiculously easy trick: just leave out the glass. Glass screams "I'm a print!" even when it's not, and the reflection gets in the way anyway.

See? No glare!

That said, since my Elizabeth poster was severely damaged by a hungry cat (grrr), we had to spring for some non-glare glass on her to help hide all the creases and dings. Worked pretty well, too!

This is another frame John cut down and re-sized, since the print is a funky size. We left the finish as-is, though, since it went perfectly with Songbird's head.


It amused me to line up the glare so Songbird's eye is glowing. :)

If you do need to buy glass, don't worry; the plain stuff is ridiculously cheap. You can even buy it at the hardware store, where they'll cut it for you!

Since we already had spare mat board and used frames we already had, our only costs were the $8 fabric and about $15 for the custom non-glare glass. (Yay coupons!) Plus we had it all done in about a day - no waiting on custom orders!

Hope this helps inspire my fellow art-lovers out there to start making and modifying your own mats and frames! It's always galled me that the framing process is so flippin' expensive that most folks end up just tacking their pretties to the wall. Well, no more! Frame up those pretties, my friends! Frame 'em!
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

The FBI this week announced it is offering a USD $3 million bounty for information leading to the arrest and/or conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.

Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts — mainly from small- to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.

So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — on Bogachev and his trusted associates.

I first became aware of Bogachev by his nickname at the time –“Slavik” — in June 2009, after writing about a $415,000 cyberheist against Bullitt County, Kentucky. I was still working for The Washington Post then, but that story would open the door to sources who were tracking the activities of an organized cybercrime gang that spanned from Ukraine and Russia to the United Kingdom.

Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. "lucky12345", "slavik", "Pollingsoon". Source: FBI.gov "most wanted, cyber.

Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345″, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber.

Not long after that Bullitt County cyberheist story ran, I heard from a source who’d hacked the Jabber instant message server that these crooks were using to plan and coordinate their cyberheists. The members of this crew quickly became regular readers of my Security Fix blog at The Post after seeing their exploits detailed on the blog.

bullittcar-thumb-250x110They also acknowledged in their chats that they’d been in direct contact with the Zeus author himself — and that the gang had hired the malware author to code a custom version of the Trojan that would latter become known as “Jabberzeus.” The “jabber” part of the name is a reference to a key feature of the malware that would send an Jabber instant message to members of the gang anytime a new victim logged into a bank account that had a high balance.

Here’s a snippet from that chat, translated from Russian. “Aqua” was responsible for recruiting and managing a network of “money mules” to help cash out the payroll accounts that these crooks were hijacking with the help of their custom Jabberzeus malware. “Dimka” is Aqua’s friend, and Aqua explains to him that they hired the ZeuS author to create the custom malware and help them troubleshoot it. But Aqua is unhappy because the ZeuS author declined to help them keep it undetectable by commercial antivirus tools.

dimka: I read about the king of seas, was that your handiwork?

aqua: what are you talking about?

dimka: zeus

aqua: yes, we are using it right now. its developer sits with us on the system

dimka: it seems to be very popular right now

aqua: but that fucker annoyed the hell out of everyone. he refuses to write bypass of [anti-malware] scans, and trojan penetration is only 35-40%. we need better

aqua: http://voices.washingtonpost.com/securityfix read this. here you find almost everything about us

aqua: we’re using this [custom] system. we are the Big Dog. the rest using Zeus are doing piddly crap.

Days later, other members of the Jabberzeus crew  were all jabbering about the Bullitt County cyberheist story. The individual who uses the nickname “tank” in the conversation below managed money mules for the gang and helped coordinate the exchange of stolen banking credentials. Tank begins the conversation by pasting a link to my Washington Post story about the Bullitt County hack.

tank@incomeet.com: That is about us. Only the figures are fairytales. 

haymixer@jabber.ru/dimarikk: This was from your botnet account. Apparently, this is why our hosters in service rejected the old ones. They caused a damn commotion.

tank@incomeet.com: I have already become paranoid over this. Such bullshit as this in the Washington Post.

haymixer@jabber.ru/dimarikk: I almost dreamed of this bullshit at night. He writes about everything that I touch in any manner…Klik Partners, ESTHost, MCCOLO…

tank@incomeet.com: Now you are not alone.  Just 2 weeks before this I contacted him as an expert to find out anything new. It turns out that he wrote this within 3 days. Now we also will dream about him.

In a separate conversation between Tank and the Zeus author (using the nickname “lucky12345″ here), the two complain about news coverage of Zeus:

tank: Are you there?

tank: This is what they damn wrote about me.

tank: [pasting a link to the Washington Post story]

tank: I’ll take a quick look at history

tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court

tank: Well, you got it from that cash-in.

lucky12345: From 200k?

tank: Well, they are not the right amounts and the cash out from that account was shitty.

tank: Levak was written there.

tank: Because now the entire USA knows about Zeus.

tank: :(

lucky12345: It’s fucked.

After the Bullitt County story, my source and I tracked this gang as they hit one small business after another. In the ensuing six months before my departure from The Post, I wrote about this gang’s attacks against more than a dozen companies in the United States.

By this time, Slavik was openly selling the barebones ZeuS Trojan code that Jabberzeus was built on to anyone who could pay several thousand dollars for the crimeware kit. There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers that phoned home to domains which bore his nickname, such as slaviki-res1.com, slavik1[dot]com, slavik2[dot]com, slavik3[dot]com, and so on.

On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters –a crook who used the pseudonym “Jim Rogers” — somehow intercepted news I hadn’t shared beyond a few trusted friends at that point: That the Post had eliminated my job in the process of merging the newspaper’s Web site with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”.

jim_rogers@jabber.org: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation :) Good news expected exactly by the New Year! Besides us no one reads his column :)

tank@incomeet.com: Mr. Fucking Brian Fucking Kerbs!

I continued to write about new victims of this gang even as I was launching this blog, and in the first year I profiled dozens more companies that were robbed of millions. I only featured victims that had agreed to let me tell their stories. For every story I wrote, there were probably 10-20 victim organizations I spoke with that did not wish to be named.

By January 2010, Slavik was selling access to tens of thousands of hacked PCs to spammers, as well as large email lists from computer systems plundered by his malware. As I wrote in the story, Zeus Trojan Author Ran With Spam Kingpins, Slavik was active on multiple crime forums, not only finding new clients and buyers for his malware, but for the goods harvested by his own botnets powered by ZeuS.

jabberzeuscrewEight months later, authorities in the United Kingdom arrested 20 individuals connected to the Jabberzeus crime ring, and charged 11 of them with money laundering and conspiracy to defraud, including Yevhen “Jonni” Kulibaba, the ringleader of the gang, and Yuri “JTK” Konovalenko.

In conjunction with that action, five of the gang’s members in Ukraine also were detained, but very soon after released, including the aforementioned Vyacheslav “Tank” Penchukov and a very clever programmer named Ivan “petr0vich” Klepikov.  More details about these two and others connected with the Jabberzeus crew is available from this unsealed 2012 complaint (PDF) from the U.S. Justice Department.

Unsurprisingly, not long after the global law enforcement crackdown, Slavik would announce he was bowing out of the business, handing over the source code for Zeus to a hacker named “”Harderman” (a.k.a. “Gribodemon”), the author of a competing crimeware kit called SpyEye (25-year-old Russian man Alexsander Panin pleaded guilty last year to authoring SpyEye).

Near as I can tell, Slavik didn’t quit developing Zeus after the code merger with SpyEye, he just stopped selling it publicly. Rather, it appears he began developing a more robust and private version of Zeus.

Ivan "petr0vich" Klepikov, in an undated photo from his LiveJournal blog.

Ivan “petr0vich” Klepikov, in an undated photo from his LiveJournal blog.

By late 2011, businesses in the United States and Europe were being hit with a new variant of Zeus called “Gameover” Zeus, which used the collective, global power of the PCs infected with Gameover Zeus to launch crippling distributed denial-of-service (DDoS) attacks against victims and their banks shortly after they were robbed.

In late March 2012, Microsoft announced it had orchestrated a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye. In so doing, the company incurred the wrath of many security researchers when it published in court documents the nicknames, email addresses and other identifying information on the Jabberzeus gang and the Zeus author.

A few months later, the Justice Department officially charged nine men in the Jabberzeus conspiracy, including most of the above named actors and two others — a money mover named Alexey Dmitrievich Bron (a.k.a.”TheHead”) and Alexey “Kusanagi” Tikonov, a programmer from Tomsk, Russia. Chat records intercepted from the incomeet.com server that this crew used for its Jabber instant message communications strongly suggest that Bron and Penchukov (“Tank”) were co-workers in Donetsk, Ukraine, possibly even in the same building.

In June 2014, the U.S. Justice Department joined authorities in many other countries and a large number of security firms in taking down the Gameover ZeuS botnet, which at the time was estimated to have infected more than a million PCs.

It’s nice that the Justice Department has put up such a large bounty for a man responsible for so much financial ruin and cybercrime. Kulibaba (“Jonni”) and his buddy Konovalenko (“Jtk0″) were extradited to the United States. Unfortunately, the rest of the Jabberzeus crew will likely remain free as long as they stick within the borders of Ukraine and/or Russia.


Cakes Only A Mother Could Love

Feb. 25th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by number1

I think the following cakes are really special. Like seeing a beautiful newborn for the first time, these baby shower cakes leave me… well, speechless.

What a coincidence! E.T. was on my TV today, too!

Ethan... phone home...

(and tell your parents Jersey Shore called. They want their tan back.)


"Hi, bakery? I have a baby shower coming up. Do you make cupcakes?"

"Baby shower CUP cakes? Yeah. We can 'handle' that."

If you squint your eyes, it’s actually not a baby at all, but a bronzed, muscular man in a tank top popping out of the cup. See it? See it? Let’s call him Joe. He must be posing for his mug-shot. Just look at those eyes! He really knows how to espresso himself, doesn't he?


Thanks to Dawn M. for finding these little bundles of joy. It's been a latte fun!


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] sumana_feed
I have been rereading Dave Barry's Dave Barry In Cyberspace (published in 1996), which has held up about as well as Neal Stephenson's In The Beginning Was The Command Line (1999).

On the software you'll need for your personal computer:

First off, you need an operating system, which is the "Godfather" program that operates behind the scenes, telling all the other programs what to do, making sure they cooperate, and if necessary leaving the heads of horses in their beds. The most popular operating system in world history as of 10:30 A.M. today is Windows 95, but there are many other options, including Windows 3.1, Windows 3.11, Windows 3.111, Windows for Workgroups, Windows for Groups That Mainly Just Screw Around, Windows for Repeat Offenders, Lo-Fat Windows, and The Artist Formerly Known as Windows. There is also the old "MS-DOS" operating system, which is actually written on parchment and is rarely used on computers manufactured after the French and Indian War. And there is "OS/2," which was developed at enormous expense by IBM and marketed as a Windows alternative, and which has won a loyal following of thousands of people, an estimated three of whom do not work for IBM. And of course there is the Apple operating system, or "Apple operating system," for your hippie beatnik weirdo loner narcotics-ingesting communistic types of Apple-owning individuals who are frankly too wussy to handle the challenge of hand-to-hand combat with computer systems specifically designed to thwart them.

On the internet:

... I had managed to send this hideously embarrassing message to everybody in the world except the person who was supposed to read it.

Yes, thanks to the awesome communications capabilities of the Internet, I was able to make an intergalactic fool of myself, and there's no reason why you can't do the same.

Prefiguring Clay Shirky's cognitive surplus arguments:

So go ahead! Get on the Web! In my opinion, it's WAY more fun than television, and what harm can it do?

OK, it can kill brain cells by the billions. But you don't need brain cells. You have a computer.

The origin of Bill Gates's wealth: "versions."

How much should your new computer cost? "About $350 less than you will actually pay."

Also, I am gonna avoid G7e rage and not quote the entire section, but check out the Comdex chapter for Barry's thoughts on the limited range of stories and game mechanics available in games written by and for men in 1996, and his speculation on what more diversity would look like.

The fiction short story that appears in two parts at the end of the book causes disproportionate feels in me, because it's about falling in love with a stranger via America OnLine chat, and I read it around the same time I fell in love with a guy I met on Usenet, via a Dave Barry fan group. Oh dear I just looked him up and he has a freaking beard. I don't know why that detail gets to me, but I was not prepared for that. At this moment I am under a blanket on my couch in New York City with midmorning light bouncing off brick and fire escapes outside, but I am also in hand-me-down tee shirt and shorts in front of a 486, easily remembering how to turn the audible modem volume all the way down so Mom and Dad don't hear me dialing in, the mousepad the only clear area on my dad's desk that's cluttered with printouts and Post-Its and boxes of 5-and-a-quarter floppies, navigating to HoTMaiL, California night outside the blinds. And now I'm remembering all those other local maxima and minima of my teenage life, and how intense things felt. He sent me a photo and I printed it out in black and white and took it into my AP US History test. That printout is probably still in a box somewhere. He dumped me, and we never met, and I wonder whether either of us still has a copy of that email.

And now the only Dave Barry book I own is Dave Barry in Cyberspace. It's still funny and it still has a barb in it. I am genuinely curious whether people ten years younger than me would enjoy it, since clearly part of what I'm getting out of it is nostalgia. And now I'm thinking about setting a reminder to myself to read current tech humor by Rose Ames and James Mickens in 2035.

The War on Baby Showers

Feb. 24th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

With all the scary C-section and jelly-soaked vagina cakes out there, I think we've lost track of what a baby shower cake SHOULD be.

No, this isn't it.


C'mon, guys, what's wrong with a sweet, heartfelt sentiment?



Or a cutesy character?


(On the plus side, it's nice seeing chocolate curls used for something other than "down there hair." [shudder])


Ok, how about some baby accessories? You know, bottles and bows, pacifiers and... uh...

...pee sticks.

Of course pee sticks.


Guess that beats putting the real thing on there, though - which, oh yes, people keep doing:

Thanks for not jamming the business end into the icing, I guess.



Ok, fine. Go back to your belly and butt and vajayjay cakes, people. BUT KNOW THIS: someday you, too, could be told, "There's cake in the break room!" like poor Lynds here, only to find that THIS is what someone actually brought in to work:

Clean up on aisle 3. Bring lots of brain bleach.


Thanks to Amanda S., Anony S., Rebekah D., Colleen F., Beka K., Corey, Nellie C., & Lynds for ensuring I will never eat a chocolate-sprinkled raspberry donut ever again.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] female_cs_feed

Posted by Gail Carmichael

Earlier this month, our Education Development Centre hosted a teaching round table on the flipped classroom.  At the session, engineering instructor Shermeen Nizami shared her philosophy for flipping her own fourth year undergraduate class.

Nizami began by sharing Rogers' diffusion of innovation theory.  She found this after her first flipped course was over, but felt it correlated well with that happened in class.  As shown in the below diagram, there are innovators, early adopters, the early majority, the late majority, and the laggards.  The distribution of these groups is shown in blue, while market share of an innovation is shown in yellow.  A question Nizami asked herself was who is in the chasm? Why do some students feel like the flipped classroom teacher is not doing her job? ("I want you to lecture to me!") For any classroom innovation to be successful, we need buy-in from students.

Why flip in the first place? In any given class, 30% of learners are apparently blocked; they can't be reached.  60% might be described as passive learners, and only 10% as active learners.  Could flipping help bring more students into the active segment? Is it worth it? It is if you believe that more students fail a lecture-based class than an active class, and that the rates of retention claimed in the learning pyramid are even close to accurate.

How do you flip? Nizimi says teachers need to look through the eyes of a student, and help students see themselves as their own teachers.  The mindset of both the student and the teacher need to be flipped. The teacher needs to be careful to keep students at the points of maximal learning: at the edge of their comfort zone, but not quite into the panic zone.

Design thinking gave Nizimi an useful model with which to approach her classroom:
  • Empathize: validate the level of difficulty students face in class
  • Define: gain students' confidence that you are on their side and not trying to trick them
  • Ideate: involve students and come up with creative solutions
  • Prototype: create opportunities for students to try out the proposed solutions
  • Test: solicit student feedback; be brave
The round table ended before we got a chance to get into the meat of what Nizimi's students were actually asked to do before and during class, but I did appreciate the constant reminder that we should involve students in the learning process as much as possible.  Whether I get the opportunity to formally flip or not, I hope to keep that thought in mind in all my teaching practice.

Leave Blank Space, Baby

Feb. 23rd, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Sharyn

I figure the only way I'm going to get rid of this earworm is by giving it to you guys. So...

Hit it!


So, it's gonna be forever


Or it's gonna go down in flames.


You can tell me when it's over,


If the high was worth the pain.


Got a long list of ex-lovers!


They'll tell you...

I'm insaaaane.


But I got a blank space, baby...


And I'll write your name!


Toe-tapping thanks to Lindsay W., Meredith G., Daisy S., Telitha G., Sheri T., Geneva W., Christine S., and Elisabeth T. You know I'll love you guys forever, don't you?


Thank you for using our Amazon links to shop! USA, UK, Canada.

Meta: This Week

Feb. 23rd, 2015 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

Screen Shot 2015-02-22 at 8.36.00 pm

My latest this week post is numbered #64. Which is a long time to have kept that up; I did not think I would be so successful at it. I especially did not think that I would see other people using this format to reflect on their life!

What I love about it:

  • It’s a commitment to 30-60 minutes every weekend to think about what the previous week has been like. This helps me think about what I have achieved and what was great about it.
  • It helps me collect my pictures (I take a lot of pictures, I tweet most of them, but this feels more permanent).
  • I share a lot of content on Twitter and this is also a place to capture things that I found interesting.
  • It reminds me to update more static pages, like my speaking or elsewhere pages.
  • I do it purely for me and expected people to skip over it, but periodically someone tells me they appreciated some aspect about it.

My process:

  • Start a post with the same headings as usual, from memory.
  • Fill in “published”.
  • Take a first pass at “work” and “life”.
  • Re-read last week’s post and reflect on what has happened since.
  • Fill in things I realise as a result.
  • Scroll back through Twitter to where the links from last week end off.
  • Manually cut and paste tweets over. I could automate this, but I value seeing what I thought was important, and often tweets without links capture things that I add to the longer form sections.
  • Fill in any “achievements” like things published not on my blog, or conference announcements, as I find them.
  • Add media (if I’ve been reading a lot I have to look this up on my Kindle).
  • Fill in places I went with the help of my Foursquare history.

The Weekly Writing Update

Feb. 23rd, 2015 12:30 pm
[syndicated profile] hawthornlandings_feed

Posted by Leslie Hawthorn

A bit late, but better late than never.

I didn’t get any writing done for this blog last week, but I did complete an interview for the Geek Feminism Blog on the #LABHR experiment and on Getting Started in Open Source for the Anita Borg Institute. Both posts are forthcoming, and I believe the Getting Started post will run on the Systers blog.

If anyone has suggestions for topics I ought to address, I’d be grateful. Leave a note in the comments section or ping me on Twitter.

In other news, I’ve been really excited about how many expressions of appreciation and gratitude I’ve seen go by on Twitter under the LABHR hashtag. I’ve also counted 15+ “permanent recommendations,” meaning posts on LinkedIn or individual’s blogs. The Twitter shout outs are absolutely amazing, but its my firm hope that we’ll all produce referenceable posts of appreciation that can help folks in their careers in addition to brightening their day.

Here’s a few of my favorite #LABHR recommendations so far:

Many thanks to everyone who has participated in the #LABHR experiment to date. Please keep those recommendations and expressions of gratitude coming!

[syndicated profile] geekfeminism_feed

Posted by spam-spam

  • DiversityMediocrityIllusion | Martin Fowler (January 13): “A common argument against pushing for greater diversity is that it will lower standards, raising the spectre of a diverse but mediocre group.” Martin Fowler explains why that’s nonsense.
  • On the Wadhwa Within, and Leaving | Medium (February): “That’s why I’m wary of the villainization of Vivek Wadhwa. For all that he is cartoonishly bad, going after him full force has the effect of drawing a bright line between Good People who see and crow over the error of Wadhwa’s ways and Bad People like Vivek. “
  • Q&A: Gillian Jacobs On Directing Her First Film And The Myth Of The Male Computer Geek | FiveThirtyEight (January 30): “This week, FiveThirtyEight launched its documentary film about Grace Hopper, a rear admiral in the U.S. Navy and the driving force behind the first compiled programming language.”
  • Video Games’ Blackness Problem | Evan Narcisse on Kotaku (February 19): “I decided to email with several prominent black critics and game developers to start a conversation. What is the source of video gaming’s blackness problem? What is to be done? I enlisted games researcher and critic Austin Walker, Treachery in Beatdown City developer Shawn Alexander Allen, Joylancer developer TJ Thomas and SoulForm developer and Brooklyn Gamery co-founder Catt Small to talk about what we all thought.”
  • I Pretended to Be a Male Gamer to Avoid Harassment | Daily Life (December 11): “Things went along smoothly until I started playing at the top level of WoW (World of Warcraft). To participate, you have to join a ‘guild’ — a large group of people who can commit to playing for long sessions. Being allowed into a guild is like a job interview, and as part of that process (like proving I had access to voice chat) I had to reveal that I was a girl.”
  • “Lean the f*** away from me”: Jessica Williams, “impostor syndrome” and the many ways we serially doubt women | Salon.com (February 18): “After a week of intense speculation about who would be taking over “The Daily Show,” Jessica Williams addressed the rumors that she was (or at least should be) the heir apparent for host. In a series of tweets, Williams thanked people for the support, but said she wouldn’t be sitting behind the anchor desk any time soon. (…) A little while later, a writer for the Billfold responded to Williams’ announcement with a piece that claimed she was a “victim” of impostor syndrome, and that she needed to “lean in.” “
  • Feminist writers are so besieged by online abuse that some have begun to retire | The Washington Post (February 20): “Jessica Valenti is one of the most successful and visible feminists of her generation. As a columnist for the Guardian, her face regularly appears on the site’s front page. She has written five books, one of which was adapted into a documentary, since founding the blog Feministing.com. She gives speeches all over the country. And she tells me that, because of the nonstop harassment that feminist writers face online, if she could start over, she might prefer to be completely anonymous.”
  • Research suggests that the pipeline of science talent may leak for men and women at the same rate | Inside Higher Ed (February 18): “For years, experts on the academic and scientific workforce have talked about a “leaky pipeline” in which women with talent in science and technology fields are less likely than men to pursue doctorates and potentially become faculty members. A study published Tuesday in the journal Frontiers in Psychology says that the pipeline may no longer be leaking more women than men.”
  • Life Hacks for the Marginalized | Medium (February 16): “Being human is hard! It’s even harder when your humanity is brought into question on a daily basis. But don’t let that get you down! So you’re not white/straight/male/abled/cisgendered/thin/rich — that doesn’t mean your life is over! It just means it’s much, much, much, much, much, much harder.
    Luckily, we have some time-saving tips that can help! By “help,” we mean “mildly mitigate your problems.” To solve them completely, try building a time machine and either engineering a whole new history that gives your people more power, or fast-forwarding to a post-patriarchy utopia.”
  • Like it or not, Supanova, popular culture is political | The Drum (Australian Broadcasting Corporation) (February 18): “Online protesters have urged Supanova to reconsider Baldwin’s attendance given the inflammatory and offensive comments he regularly makes on social media, particularly about women, transgender people and gay people. But when the expo released a statement saying it would be proceeding as planned, it showed it didn’t care about creating a safe and inclusive environment for attendees.”
  • The War for the Soul of Geek Culture | moviepilot.com (February 16): “The irony is that while externally, geeks are being accepted as a whole, internally, the story is much different. There’s an ugly core of nastiness coming from a very vocal minority, and as geek culture continues to expand, they only grow louder. And while the nastier moments of that ugly minority are starting to be recognized and picked up by mainstream media, it’s still largely our problem. Simply put, there is a war being waged right now for the soul of geek culture. And it’s a hell of a lot uglier than you realize.”
  • Binary Coeds | BackStory with the American History Guys (February 6): “The idea [of] the male programmer may be a stereotype, but having a male-heavy workforce is a real issue for the industry. Companies see a big gender disparity when they look at their technical workforce, and many are asking themselves how to get more women into computer science. But when you look at the history of computer programming, the question actually looks a little different. It’s less about how to get women into computer science than about how to get women back into computing.”
  • How To Talk To Girls On Twitter Without Coming Off Like A Creepy Rando | Adequate Man (February 17): “So, here you are, my friend, following a lot of brilliant women on Twitter (I hope). It’s so fun, and the best part of Twitter is connecting with people, so you want to reply to some of her great tweets with your own great opinions and jokes! Cool, cool, but here are some things to keep in mind.”
  • Art+Feminism Is Hosting Its Second Ever Wikipedia Edit-a-thon To Promote Gender Equality | The Mary Sue (February 18): ” In 2011, a survey conducted by the Wikimedia Foundation found that less than 10% of Wikipedia editors identified as female, to say nothing of recent clashes between editors in the Gamergate article that resulted in several women being banned from writing about gender at all. But just talking about the problem isn’t going to create more female editors—training women who are interested will.”
  • #ScienceWoman Special Project | Amy Poehler’s Smart Girls (February 16): “Amy Poehler’s Smart Girls is teaming up with the hit PBS Digital Studios science YouTube show It’s Okay To Be Smart to celebrate amazing women in science. We’ve got a special project planned for the beginning of March, but we can’t do it without YOU!”

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, Delicious or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Two former security employees at Intuit — the makers of the popular tax preparation software and service TurboTax – allege that the company has made millions of dollars knowingly processing state and federal tax refunds filed by cybercriminals. Intuit says it leads the industry in voluntarily reporting suspicious returns, and that ultimately it is up to the Internal Revenue Service to develop industry-wide requirements for tax preparation firms to follow in their fight against the multi-billion dollar problem of tax refund fraud.

Last week, KrebsOnSecurity published an exclusive interview with Indu Kodukula, Intuit’s chief information security officer. Kodukula explained that customer password re-use was a major cause of a spike this tax season in fraudulent state tax refund requests. The increase in phony state refund requests prompted several state revenue departments to complain to their state attorneys general. In response, TurboTax temporarily halted all state filings while it investigated claims of a possible breach. The company resumed state filing shortly after that pause, saying it could find no evidence that customers’ TurboTax credentials had been stolen from its network.

Kodukula noted that although the incidence of hijacked, existing TurboTax accounts was rapidly growing, the majority of refund scams the company has to deal with stem from “stolen identity refund fraud” or SIRF. In SIRF, the thieves gather pieces of data about taxpayers from outside means — through phishing attacks or identity theft services in the underground, for example — then create accounts at TurboTax in the victims’ names and file fraudulent tax refund claims with the IRS.

Kodukula cast Intuit as an industry leader in helping the IRS identify and ultimately deny suspicious tax returns. But that portrayal only tells part of the story, according to two former Intuit employees who until recently each held crucial security positions helping the company identify and fight tax fraud. Both individuals described a company that has intentionally dialed back efforts to crack down on SIRF so as not to lose market share when fraudsters began shifting their business to Intuit’s competitors.

Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014, said he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.

But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.

“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.

The allegations surface just days after Senate Finance Committee Chairman Orrin Hatch (R., Utah) said his panel will be holding hearings on reports about a spike in fraudulent filings through TurboTax and elsewhere. The House Ways and Means Committee is reportedly looking into the matter and has held bipartisan staff-level discussions with the IRS and Intuit.

The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.

According to a recent report (PDF) from the U.S. Government Accountability Office (GAO), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013.  Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.


Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.

But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.

“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”

Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.

“We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.

Lee said that early on, the reports on returns that Intuit’s fraud teams flagged as bogus were sent immediately to the IRS.

“Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”

KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.

“As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”

That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.

“Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”


For its part, Intuit maintains that it is well out in front of its competitors in voluntarily reporting to the IRS refund requests that the company has flagged as suspicious. The company also stresses that it has done so even though the IRS still has not promulgated rules that require TurboTax and its competitors to report suspicious returns  — or even how to report such activity. Intuit executives say they went to the IRS three years ago to request specific authority to share that information. The IRS did not respond to requests for comment.

Intuit officials declined to address Lyons’ recorded comments specifically, although they did confirm that a company attorney led an employee WebEx meeting on the date the recording was made. But David Williams, Intuit’s chief tax officer, said what’s missing from the recorded conversation excerpted above is that Intuit has been at the forefront of asking the IRS to propose industry standards that every industry player can follow — requests that have so far gone unheeded.

“We have led the industry in making suspicious activity reports, and I’d venture to say that virtually all of the returns that Mr. Lee is quoted as referring to appear in our suspicious activity reports and are stopped by the IRS,” Williams said. “Whatever else Mr. Lee may have seen, I’m not buying the premise that somehow there was a profit motive in it for us.”

Robert Lanesey, Inuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.

“Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”

Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.

“We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”

Earlier this month, Intuit CEO Brad Smith sent a letter to the commissioner of the IRS,  noting that while Intuit sends reports to the IRS when it sees patterns of suspicious behavior, the government has been limited in the types of information it can share with parties, including tax-preparation firms.

“The IRS could be the convener to bring the States together to help drive common standards adoption,” Smith wrote, offering the assistance of Intuit staff members “to work directly with the IRS and the States in whatever ways may be of assistance…as the fight against fraud goes forward.”


Lee and MacDougall both said Intuit’s official approach to fighting fraud is guided by a policy of zero tolerance for so-called “false positives” — the problem of incorrectly flagging a legitimate customer refund request as suspicious, and possibly incurring the double whammy of a delay in the customer’s refund and an inquiry by the IRS. This is supported by audio recordings of conference calls between Intuit’s senior executives that were shared with KrebsOnSecurity.

“We protect the sanctity of the customer experience and hold it as inviolate,” Intuit’s General
Counsel Michael Lyons can be heard saying on a recorded October 2014 internal conference call. “We do everything we can to organize the best screening program we can, but we avoid false positives at all costs. Because getting a legitimate taxpayer ensnared in the ‘you’re a bad guy’ area with the IRS is hell. Once your return gets flagged as suspicious, rejected and the IRS starts investigating, you’re not in a good place. More than 50 percent of people out there are living paycheck to paycheck, and when this is the biggest paycheck of the year for them, they can’t afford to get erroneously flagged as fraud and have to prove to the IRS who they are so that they can get that legitimate refund that they were expecting months ago.”

On the same conference call, MacDougall can be heard asking Lyons why the company wouldn’t want to use security as a way to set the company apart from its competitors in the online tax preparation industry.

“We don’t use security as a marketing tactic for Intuit,” Lyons explained. “We declared that this was one of our principles. It is always possible for Intuit to build a better mousetrap. But because it doesn’t solve the systemic problem of bad guys doing this, all it really does is shoot us in the foot and make it slightly easier for IRS to continue to kick the can down the road. What it does do is artificially harm our numbers and artificially inflate the competitive numbers associated with digital tax returns.”

Intuit’s Lanesey confirmed Lee’s claim that Intuit adds a delay — it is currently three weeks — from the time a customer files a refund claim and the time it transmits “scoring” data to the IRS intended to communicate which returns the company believes are suspicious. Lanesey said the delay was added specifically to avoid false positives.

“The reason we did that was that when we started this reporting, we weren’t accurate, and were ensnaring legitimate taxpayers in that process,” Lanesey said. “We slowed down and spent more time to review to make sure we could get more accurate and we have in fact done exactly that. The match rates between what the IRS rejects and what we send are now measurably higher today with the new reporting than they were then.”

Unfortunately, three weeks is about how long the IRS takes to decide whether to reject or approve tax refund requests. In an August 2014 report to Congress on the tax refund fraud epidemic, the GAO said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

Williams said Intuit is open to shortening its reporting delay.

“As we’ve gotten better at this and the IRS has gotten better at this, we can certainly look at shortening the timeframes,” he said. “Given the fact that over the past few years we’ve improved our speed, processes and techniques for reporting accurately, we can certainly explore whether they are able to take the data we give them and we are able to provide it to them in a way that is more useful.”


The scourge of tax fraud is hardly a problem confined to TurboTax, but with nearly 29 million customers last year TurboTax is by far the biggest player in the market. In contrast, H&R Block and TaxAct each handled seven million prepared returns last year, according to figures collected by The Wall Street Journal.

Both Lee and MacDougall said they wanted to go public with their concerns because TurboTax and the rest of the industry  have for so long put off implementing stronger account security measures. MacDougall said he filed the whistleblower complaint with the SEC because he witnessed a pattern of activity within Intuit’s management that suggested the firm was not interested in stopping fraud if it meant throttling profits when none of its competitors were doing the same.

MacDougall said that about a year ago he had a meeting with the head of Intuit’s security division wherein security team members were asked to pitch their projects for the year. MacDougall said he thought his idea was certain to generate an enthusiastic response from higher-ups at the company: Build a fraud ‘honeypot.’

In information security terminology, a honeypot is a virtual holding area to which known or suspected fraudsters are redirected, so that their actions and activities can be monitored and mined for patterns that potentially aid in better identifying fraudulent activity. Honeypots also serve a more cathartic — albeit potentially just as useful — purpose: They tie up the time and attention of the fraudsters and cause them to waste tons of resources on fruitless activity.

“My project was going to be a fraud honeypot,” MacDougall recalled. “My pitch was that we would create a honeypot in TurboTax so that every time a fraudster came in and we figured it out, we’d switch them over to the honeypot version of the site so that we could waste their time, exhaust their resources, and at the end of the day they wouldn’t know they’d been scammed for several weeks, when they finally realized that none of their fraudulent returns had even been filed.”

But MacDougall said he was stunned when his boss emphatically rejected his idea for use on TurboTax accounts. Instead, she brought up the fraud-as-a-balloon analogy, MacDougall said.

“She said ‘You can use this on any other product except TurboTax’,” MacDougall said. “I asked why we wouldn’t want to use this on our flagship product, and her answer was that this was an industry problem and not just a TurboTax problem.”

whattodo copyOnly after Intuit was forced to temporarily suspend state filings earlier this month did the company’s chief executive announce plans to beef up the security of customer accounts. Intuit now says it plans to start requiring customers to validate their accounts, either via email, text message or by answering questions about their financial history relayed through the service by big-three credit bureau Experian.

Lee says those requirements are long overdue, but that they don’t go nearly far enough considering how much sensitive information Intuit holds about tens of millions of taxpayers.

“Tax preparers ought to apply similar ‘know your customer’ practices that we see in the financial markets,” he said. “When you give your most sensitive data and that of your family’s to a company, that company should offer you more security than you can get at Facebook or World of Warcraft,” Lee said, referring to two popular online businesses that have long offered the type of multi-factor authentication that Intuit just announced this month.

At a minimum, Lee said, tax preparation companies should require users to prove they have access to the phone number and email address that they assign to their account, and should bar multiple accounts from using the same phone number or email address. TurboTax and others also should allow only one account per Social Security number, he said.

“The point here is not to shame Intuit, but to educate the American public about what’s going on,” Lee said. “The industry as a whole, not just Intuit, needs to grow up and tackle this fraud problem seriously.”

Intuit’s David Williams said the company is focused on remedying some of the account issues raised by Lee and others.

“To be fair, our recent experience with the states has been a wake-up call that we are going to be more aggressive than anybody going forward, even if we were just acting consistently [with the rest of the industry] in the past,” he said. “That’s why we always talk about our anti-fraud efforts as evolving. We don’t have every great idea in the world, but we’re always looking at improving.”

This Week

Feb. 23rd, 2015 01:00 am
[syndicated profile] accidentallyincode_feed

Posted by Cate

Click to view slideshow.


I feel like I’m running out of time in Berlin. This week has been defined by that – frantic socialisation with people I’m sad to leave, drama-in-my-head about things that wouldn’t matter or be so pressing if I didn’t feel so strongly that time is running out.

I’ve loved it here. Maybe I’ll even come back… but for now, it’s nearly time to move on.


I gave my Distractedly Intimate talk at Etsy (un-retired it just for the office manager at Etsy Berlin, because she is the nicest). It was pretty great to hang out there, I’m really inspired by the number of technical women I know at Etsy and how they are thriving.

Other than that, focusing on the workshop for Unit Testing iOS UI code (which was the first to be fully booked! Yay!) Wow prepping these things is a lot of work. I’m excited about it though.


My usual haunts: Roamers, Tabibito, Reisschale,

Also Rembrandt Burger (they have tiny burgers which are awesome), Melbourne Canteen (yummy brunch, with aussie friends), hot chocolate at MelroRon Telesky Canadian PizzaManouche (crepes!), Chaapa (tasty thai food and some kind of lychee drink that I got tipsy on), Nest (this weeks sandwich wasn’t as good), Gaia (German food, heavy but amazing deserts), Bruch (meh brunch), Beuster (cocktails), Martins Place (cake).

Went to the Computerspielemuseum which was super fun! It’s a museum of video games, and they have some really classic ones. We played lemmings for… quite a while. They also have a machine that shocks you when you lose.


Watching Drop Dead Diva Season 6, actually the last one! I’m kind of sad that it is really going to be over, but have to acknowledge 6 seasons is about right. And I can always watch it again from the beginning…

Finished Fen and Pip, same critique of some of her other books – homophobic in what I hope is a product of it’s time way. I do admire the way the set of books complement each other, they take place in the same time period and reference each other without spoiling.


The article Karen and I wrote, Tech’s Male ‘Feminists’ Aren’t Helping, is referenced in this TLDR episode.

A new edition of Technically Speaking is out, and we published a follow up to our webinar.

On the Internet

[syndicated profile] epbot_feed

Posted by Jen

Check out this beautiful photo:

That's Anita, daughter of Epbot reader Kendra, dressed as a Princess Padawan and staring down Lord Vader like a total Jedi Master. LOVE IT.

And here's one from Jennifer H., who writes, "This is what a snow day looks like with my 4-year-old daughter."


And finally, if you've been with Epbot for the long haul then I'm sure you remember "Star Wars Katie," and the book we put together for her. Well, last month I got this tweet from her mom, Carrie:

I know a lot of us can relate to those tough times at school - some of which can leave life-long scars -  but I'm so glad Katie has all of your comments with her, cheering her on.

I know she didn't set out to do it, but Katie has been such an inspiration to me these past 4 years. Not only did she show what young girls can achieve when they're not afraid to share their passions, she also proved just how staggeringly kind this community can be when we pull together for one of our own.

All good things, and things I want to remind both myself and everyone else of more often. So thanks, Katie. Sending lots of virtual hugs your way!

Sunday Sweets: Story Time Sweets

Feb. 22nd, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Sharyn

Once Upon a Time...

...in the Kingdom of Zuu,

(By Artisan Cake Company)

lived a helpful young owl his Mom had named Huu.


Huu danced with Petunia when she did ballet,

(By Dinky Doodle)


and untangled Sloth when bars got in the way.

(By Conjurer's Kitchen)


He always had time to tie Sally's red bows,

(By Planet Cake)


and if Hedgie asked, Huu would polish his nose.

(By Debbie Does Cakes)


When Flamingos ran errands, he'd stay with their chicks,

(By Mike's Amazing Cakes)


and he made sure that George ate the greens, not the sticks.

(By Planet Cake)


Huu'd help Raffi up when he fell in a heap,

(By Sprinkles Cakes)


and he sang lullabies, to help Flo go to sleep.

(By Little Cherry Cake Co. for Cake Bomb)


He prattled with penguins,

(By Janet MacPherson Cake Craft)


he combed all the llamas,

(By Viva la Cake)


he even helped meerkats put on clean pajamas.

(By Dootsy Dora)

And after all that, our Huu still wasn't through.

On Sunday, he shared all of his Sweets with you.


Happy Sunday!


Thank you for using our Amazon links to shop! USA, UK, Canada.

New Loves And New Joys

Feb. 21st, 2015 04:37 pm
[syndicated profile] sumana_feed
Two papercraft pieces I madeOver the last several years I've started getting into hobbies, skills, or activities that I had assumed I would not like or wouldn't get, or that I had dismissed due to initial impressions, such as romance novels, functional programming, watching sports on television, sewing, hiking, pop music, makeup, clothing, the Marvel Cinematic Universe, and console-type video games. I've also deepened my general cinephilia and started regularly attending a guided mindfulness meditation group. Many of these communities or artifacts are pretty bad at some things I care about, but they are also pretty good at other things that my pre-existing milieu* doesn't excel at, and thus provide me with a richer variety of kinds of experiences. I want to look at what those things are; this is an incomplete start.

Certainly I can more easily achieve rapport with a wider variety of people if I can make conversation about, for instance, good NYC-area hikes you can get to without a car. And on my English Coast-to-Coast walks, I consistently found other hikers were sociable and supportive and friendly, taking time out of their rambles to help me and my companions wayfind, learn to use our tools, and swap stories.

In pop music, romance, makeup, clothing, sewing, hiking, film and Marvel fandom, I find a willingness to emphasize the sensual and the aesthetic experience. And we can talk about being overwhelmed emotionally by experience, which is also something appealing about sports fandom, that if we talk about our stomachs lurching with fear or happiness, or we ALLCAPS about how yes, breakups are super emotional so songs about them might be too, other people allcaps with us. We unapologetically get at the numinous. No one needs to write essays reminding us that people who read romance novels have emotions and that it's undesirable and impossible to eradicate those emotions.

In functional programming, film, clothing, and music, I've found new abstractions, new perspectives on things that already exist, that make me clutch my head as my brain changes configuration. I do already get that sometimes from my pre-existing milieu, but diversity of perspectives means I get it more if I am in more and more different kinds of communities.

Several papercraft pieces I madeAnd most of the communities I'm getting into have more gender diversity and far greater ethnic diversity than most of the communities I was previously paying attention to. (Please do pay attention to my disclaimers there instead of going #notallfans or similar.) I see and interact with people of more widely varying demographics, and I see the work of diverse people praised and discussed. And this is clearly something I need to improve in my life, because, for example, here I am in a world where Beyoncé Knowles is a global superstar, a critically important black artist and one of the most prominent feminists in the world, and I have barely been hearing or hearing about her work. I heard about a French gender-switch satirical film (Majorité Opprimée) just after it came out, but it's taken me six years to hear about Beyoncé's "If I Were A Boy" (via Arthur Chu's piece on white mediocrity and black excellence). I hear about all that Dove beauty stuff all the time, but only today did I watch Beyoncé's "Pretty Hurts" video. Clearly I need to up my game.

I've added a couple of photos in this post, pictures of some bits of papercraft I made. In December, I raised some money for Wikimedia by wrapping gifts at Astoria Bookshop; gift-wrapping was free, but if customers wanted to give a tip, the volunteer doing gift-wrapping could choose a charity where that tip went. During the slow periods, I cut up the leftover scraps of wrapping paper to make little decorative snowflakes and whatnot, and then I tied them to the ribbons when I finished wrapping up a book. They were pretty, and they didn't scale, and I tried out lots of different variations, and I gave them away, and I liked it. Maybe one more thing I see more in my new communities than in my old ones is the idea that it's okay to enjoy an experience without really understanding it. I'm gonna try that.

* One tip that fundraising consultants give you is that you should think of your communities, past and present, so you can further list people you know through those communities whom you could ask to give money to your cause. I started a list for that exercise, and now see that since about 2002 my communities have included: my blood family, Leonard's family, Wikimedia, Open Source Bridge/Stumptown Syndicate, the MS in Tech Management cohort from Columbia University, the University of California at Berkeley, GNOME, Maemo/MeeGo, AltLaw, the Participatory Culture Foundation, Hacker School, New York City tech in general, Geek Feminism, the Ada Initiative/AdaCamp, WisCon, Foolscap, Making Light, MetaFilter, ImpactHub NYC, the Acetarium, OpenHatch, Growstuff, Collabora, Fog Creek Software, Behavior, Salon.com, Cody's Books, Yuletide Treasure, the Coast-to-Coast walk, Strange Horizons, Slightly Known People fandom, Breaking Bad fandom, Mike Daisey fandom, Star Trek fandom, The Colbert Report fandom, Midtown Comics, the Outer Alliance, Python, Software Carpentry, Mozilla, MetaFilter, LWN, Crooked Timber, Systers, OpenITP/TechnoActivism Third Monday, my Twitter followees/followers, my Identi.ca circle, REI, Dreamwidth, code4lib and #libtechwomen/#libtechgender, Hackers on Planet Earth, the Professional IT Community Conference/LOPSA, Women in Free Software India, the New York Tech Meetup, Subdrift NYC, a few now-defunct private email lists, Google Summer of Code, Outreachy, Foo Campers, Empowermentors, the Unitarian Universalist church, Debian-NYC, Metrics-grimoire, Mailman, NYC storyreading, the Museum of the Moving Image, my local meditation class, and probably more stuff. That wasn't in any real order, in case you couldn't tell, and I claim zero consistency in my participation level. Patterns include: lots of geekiness and lots of online interaction.

[syndicated profile] adulting_feed

(click to zoom)

At least 87 percent of casual, small-talk conversations last too long. The problem here is twofold:

• People are afraid to end the conversation and;
• “It’s time to end this talk” hints are ignored.

A solution to the first problem after the jump …

This is something lots of people struggle with, so don’t feel bad.First, do not fear the conversational reaper. All things begin and all things end, including this conversation you are engaged in. 

And really, chances are that the other person doesn’t want this to go on forever, either. Can you imagine spending your entire life right there, in that living room, talking talking talking to this person about sports or Occupy or whatever, both of you growing old and grey and still the conversation flows dully on? No one wants that.

So when you notice the drop-off in the mutual enthusiasm level to below say 50 percent, start to convey your intent for things to end by issuing a somewhat final-sounding statement on the topic at hand, followed by “anyway.” For example: “Yes, I mean, I guess I’m just glad that someone is willing to agitate on my behalf even though I’m not the camping type. Anyway,” and here, you will adopt an expression that conveys many things — sadness that this conversation is coming to an end, gladness that you have met this person, resignation to the finality of what you are about to say — “It has been just wonderful chatting with you.” 

You don’t really need to announce your new destination because chances are it will sound awkward anyway. And then let them acknowledge that they have enjoyed chatting with you, and then say goodbye brightly. 

New Invention: Frexting

Feb. 20th, 2015 11:50 am
[syndicated profile] adulting_feed


Essentially, instead of sexting that random person (who might not appreciate it OR might share it with the world) send them to a close friend, who will tell you you look hot. Only send PG or PG-13 rated pics, obviously. 

Frexting etiquette includes replying with positive emojis, including but not limited to the little fire, a cat with hearts for eyes and clapping.

This is a surprisingly fun and empowering thing to do.


Friday Favs, 2/20/15

Feb. 20th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Some of my favorite new submission this week:

Tara wanted rock n' roll:


...but what she got was wreck n' woe:

Aww. Play us the song of your people, little wreck!

["Wa wa WA waaaaaaaah!"]

Ok, you can stop now.


This next one inspired me to write a little verse:


Hoping            and such

                               Jo you s



And speaking of proper spacing:

That's pretty memorable.

(Give it a second.)
(Theeere it is.)


You know how some bakers like to keep an eye on their cakes?

Well, that reminded me of this older wreck:

THIS CHANGES... well, nothing.

But I thought it was funny.


Q: What's worse than using giant plastic ribbon all over the cake?

A: Not using enough.

What we have here is a basic misunderstanding of how ribbon works.


And finally, since I just realized I haven't shared a fan-made wreck in ages, here's a fun homage from Kimberly:

The best part? I give it a month before this starts popping up in "cake fail" slideshows all across the web, since the FailBuzzLOL sites never bother to read the posts they're ripping off, and keep putting up intentional fan wrecks from our archives. :D


I bet Steven's is safe, though - and yep, he actually asked the baker to write this:

That's definitely a "darned if you do, darned if you don't" situation, bakers.


[evil grin]


Thanks to Tara M., Jenna R., Mark O., Terri C., Tabatha G., Julia E., Kimberly S., & Steven B. for finally finding a wreck no one else will steal. AWWW YEAAAAAH.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate


Credit: Flickr / sⓘndy°

My notes from a talk Alex Harms gave at Oredev.

People skills are seen as easy, we call them “soft skills”. Going to talk about the hardest things, as honestly as can.

I don’t know any version of people skills that will make you not a colossal jerk. I am a colossal jerk, and I suspect that the person come up as “enlightened” like Oprah or Ekhart Tole, suspect they can be colossal jerks as well. Don’t imagine even the Dali Llama is perfect and never acts like an idiot, never gets afraid and yells at the people he loves.

Part of being human, not about being beatific. People we program with and have to work with every day are humans.

“Humans” – produced before the invention of women (“or clothes”).

Humans have things in common, want certain things: connection, be creative, experiment and learn things.

“Before you can love another you must first love yourself” – appears on inspirational calendars. Comes across as sappy, meaningless advice, but think it’s actually key.

Heard: “use I statements”

What do we want with people skills?

  • Communicate better – to collaborate and get things done.

Comes from a  good place, “10 ways to improve your people skills” blog posts. If you think people skills can get you off the hook, it’s not gonna get you off the hook. Going for human connection, hear them, be heard by them.

Talk about your own experience – a lot easier for them to hear you. We make up stuff in our mind, create judgement.

I statement and request: “I feel kind of scared when I hear you yelling… could you not do this”. Not phrase whatever you want with the word “I” at the beginning.

Heard: Express Appreciation.

E.g. shit sandwich. This is inauthentic appreciation. Totally useless. Might get your way for a while, but then form distrust. If project only a week long you can get away with “people skills”, then people learn what you are like.

Try actually appreciating. Listen to how you are feeling, and express it, with gratitude.

Not intended to manipulate.

Heard: Ask powerful questions.

Powerful questions create disconnect from people… response “in the absence of curiosity”. But in the absence of curiosity, maybe you should go and get some curiosity.

If you leave with that, ability to get curious about another person, will at least change your day.

Follow your curiosity. Care about their experience. Ask questions to draw it out.

Heard: be a good listener.

Make eye contact. Don’t interrupt. Wait your turn.

People who when they listen, the whole world disappears.

Learn to listen with your whole self. Be curious. Check your understanding. Ask questions that serve them.

Heard: Assume good intentions.

Not sure you can assume good intentions. Some people surprised to hear that. There are people who want to hurt you, cut you down, make you feel small because it makes them feel big.

Always a way to look beneath what is going on and find a way that we are the same.

Come to see everyone’s behaviour as some kind of need that can understand.

Bully is scared, trying to feel safe. Trying to feel good enough. Get that.

Don’t get that if “assume good intentions”, saying “don’t think they meant anything by that” means “I don’t need to deal with their pain”.

Heard: Smile

Week long, maybe you can get by with that. Smiling interesting. People who smile a lot, feel safe around them, then something is happening, or they are mad, ask “what would it take to make you not smile”.

Want to know what is going on.

Try being vulnerable.

If you do that, when you’re smiling people know you are feeling kind of joy. Can trust you.

People much more willing to put up with non-smiling at work.

Develop trust that allows for full person to be present. Valuable.

Heard: “If you can’t say something nice, don’t say anything at all”

A lot like smiling. There’s a way to distinguish authenticity from attack.

If you can figure out what is going on in your heart, and express that, you can find a way to be heard. If making up stories in your head…

If you learn to say the real thing.

Heard: ask permission.

Before giving people advice. Ask permission gets taken as “get permission” then you can do what you want. Because you did the “polite thing”.

“You’re not asking permission unless the person can say no.”

Police say “it’s okay if I come in” – not asking for permission.

Politeness pattern. Sales people will say things to cause you to say yes.

Ask permission, be curious, actually mean it. Let them say no. Real connection.

Hard Stuff

What do People Want? …what do you want?

Want to belong.

Want to be happy.

Want to contribute.

Profluence. Sense of making some progress before a goal. Thing that developers don’t have when you make them go to meetings all the time.


Freedom from fear. Shame.

Talking about these things in a room full of geeks who maybe don’t talk about those things very often. Stuff we all have in common.

The obnoxious jerk on your team, they want those things too.

People who can’t step into a session like this one, who also want these kind of things.


Ability to see in the other person what is the same as in you. See past what is driving them, into what is really going on.

Always things that are going on that don’t know about. See commonalities. Make an actual connection.

What do I actually want?

To not be a jerk.

To not have to deal with jerks.

Unfortunately: we’re all jerks. We all get scared. We all get angry.

Learn to make a connection when we have created distance. People are beautiful things, don’t like stomping on them.

Went on a quest to discover the power of love. 

Has to come from inside, you gotta be the one that brings it. If you want to be more compassionate, you have to be more compassionate.

Question everything. If you want to get good at compassion and empathy, start questioning everything.

WTF means “I am curious about what is going on here”. People think it is an attack. Make that flip from judgement to curiosity. Then you can find on what’s happening.

Distinguish what’s happening from you’re idea’s about what’s happening.

What part is real? What are you making up?

Making up wall between you and the other person, not finding out who they really are. Everyone has a story.

Notice how your emotions vary with those ideas.

“Out beyond ideas of wrongdoing and right doing, there is a field. I will meet you there.”

First thought WTF, makes no sense. Realised creating ideas of right and wrong in head find another place to go to.

Which is hard. It’s not easy. If it was easy, it’d be like “10 people skills”. But that doesn’t work. Because people.

So what do you do when you’re angry? Think of anger as a secondary emotion that protects us from other things. 

Before you can love another, you must first love yourself.

The scariest thing. If going to be empathetic and not judge people around you. Some people who seem to be good, some people seem to be not good. There’s one person about whom I know everything.

When holding people up to those standards, know everything that I do. If holding people up to those standards and not empathise, I will be the first one to go down.

Or can be delusional and just judge everyone else. Only works until you spend time with yourself.

If going to empathise with people have to start with yourself.

Gratitude. Figure out what you’re actually grateful for, what you’re actually joyful.

“Trade your expectation for appreciation, and the world changes instantly.”

Congruence – the state of being who you are in the world, instead of allowing yourself to be someone else. Being fully you.

Carl Rogers: “3 conditions for therapeutic change: Congruence, empathy and unconditional positive regard.”

Brene Brown: “… vulnerability is the first thing I look for in you, and the last thing I’m willing to show you…”

Marshall Rosenberg: “When we understand the needs that motivate our own and other’s behaviour, we have no enemies”.

Courage is curiosity. Open yourself up to what is really happening.

Pema Chödrön: “Maitri – loving-kindness – has to go very deep because when you practise it, you’re going to see everything about yourself.”

Make mistakes. Risk being seen. Forgive (yourself, too). make yourself into a living, breathing antidote to shame. Make some real connections.

Another XSS auditor bypass

Feb. 19th, 2015 07:50 pm
[syndicated profile] garethheyes_feed

Posted by Gareth Heyes

This bug is similar to the last one I posted but executes in a different context. It requires an existing script after the injection because we use it to close the injected script. It’s a shame chrome doesn’t support self closing scripts in HTML or within a SVG element because I’m pretty sure I could bypass it without using an existing script. Anyway the injection uses a data url with a script. In order to bypass the filter we need to concat the string with the quote from the attribute or use html entities such as &sol;&sol;. The HTML parser doesn’t care how much junk is between the opening and closing script since we are using a src attribute.



terriko: (Default)

February 2015

1 234567
8 91011121314
15 161718192021
22 232425262728

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Feb. 27th, 2015 01:06 pm
Powered by Dreamwidth Studios