I think the turban is what threw me.
Although sometimes these toppers DO get a little ridiculous:
This one's kinda like an upside down feather duster:
I love the idea of using a colorful lantern on top, though:
Or putting all your action figures to work?
Or your favorite dolls?
I've discovered it is SO much easier to hang your garland this way, vs the traditional horizontal swags:
Not a tree, but this was the coolest table setup there:
Couple of mini-tree cuties:
That crown topper is an awesome idea... but it needs more spriggies. ;)
Here's another crown - plus a giant scepter:
I feel like this should have looked better.
(LOVE the idea of making a crown with ice sprigs, though. So many DIY possibilities!)
Here's another tree that looked super gorgeous in person but falls flat on film:
(No, not the purple people eater. I don't know what's going on back there.)
Oh! Which reminds me:
DON'T DO THIS.
(You know something's gone wrong when your Christmas tree is giving you the finger.)
Sorry, sorry. Here, I'll make it all better with glittery peacock feathers:
And finally, ART:
I can dig it.
Hope you enjoyed our virtual visit together, guys! There are a few more I didn't post here, so if you'd like to see the rest just head over to my Flickr gallery.
It's not new, though. People have been explaining how to evade airport security for years.
Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here's a paper about stabbing people with stuff you can take through airport security. And here's a German video of someone building a bomb out of components he snuck through a full-body scanner. There's lots more if you start poking around the Internet.
So, what's the moral here? It's not like the terrorists don't know about these tricks. They're no surprise to the TSA, either. If airport security is so porous, why aren't there more terrorist attacks? Why aren't the terrorists using these, and other, techniques to attack planes every month?
I think the answer is simple: airplane terrorism isn't a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself. It's the same reason why I don't care very much about the various TSA mistakes that are regularly reported.
Hanukkah started on Thanksgiving this year, and yet somehow bakers didn't leap at the opportunity for a yarmulke-topped turkey cake. You have to admire that kind of restraint.
Then again, we all know bakers really only have one go-to Hanukkah design:
Blue and white snowflakes.
It's the kind of design that says, "Hey, I can dig your Jewish Christmas thing, but I prefer to express it in a generic, non-committal way that even those crazy Winter Solstice people might buy."
"Plus I get to make more of my special Halloween spider webs."
And just like real snowflakes, every Generic "Hanukkah"(winkwinknudgenudge) design is completely unique.
Like fingerprints. Or hairballs.
Are you feeling the warm glow of the season yet?
How 'bout now?
Hang on, I have an idea: how do you feel about adding a little extra fiber in your diet?
No, really, there's cake in there. PROOOOMISE.
(Supposedly that's edible paper, not a rain slicker. But I'm not buying it.)
Ok, ok, what would you say if I told you I actually found a cake with both "Happy Hanukkah" and a Star of David on it - and nothing's wonky or misspelled?
You: "It's on plastic, isn't it?"
Me: "Yes. Yes, it is."
And on everyone's favorite traditional Jewish dessert, too!
Oooh, wait, it appears one brave soul actually did attempt to pipe a Star of David!
6,000 years of cultural heritage just went, "BOINK."
But at least it has the right number of sides.
[Foreshadowing? What's that?]
TALK ABOUT MISSING THE POINT.
Thanks to Ami E., Sarah B., Nicole M., Sandy H., Saundra, Rebecca S., Lena C., True B., & Amy K., who are all special snowflakes in my heart. My icy, icy heart.
As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.
None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers.
Point-of-sale (POS) skimmers — fraud devices made to siphon bank card and PIN data at the cash register — have grown in sophistication over the years: A few months back, this blog spotlighted a professionally made point-of-sale skimmer that involved some serious hacking inside the device. Today’s post examines a comparatively simple but effective POS skimmer that is little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards.
In scams, as with most things in life, there is a certain elegance in simplicity. This is doubly true with ATM and credit card skimmer scams: The more components and electronics involved, the greater the chance that the fraud devices will malfunction, lose juice, or else be detected too quickly. In fact, some of the most elegant skimming attacks I’ve seen to date never even touched the cash machine, and relied on very basic components.
Recently, I encountered a fraudster selling a remarkably simple but brilliant POS skimming device that can be installed and removed in the blink of an eye. This video, which was produced by a fraudster who sells these devices for thousands of dollars on semi-private underground forums, shows a late-model Verifone point-of-sale device retrofitted with a skimmer overlay. The underside of the device (not pictured) includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card.
Such a device would be an enticing buy for a crooked employee at a retail store. It might even be installed surreptitiously by thieves posing as customers at a retail establishment. Last month, this blog featured a story about several fraudsters in Florida who did just that, installing hardware-based register skimmers at Nordstrom department stores while co-conspirators distracted sales personnel.
For more on ATM and POS skimmers, check out my series: All About Skimmers.
One of the things I do is expert witness work in patent litigations. Often, it's defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent is novel, which it is not. Despite this, TQP has managed to make $45 million off the patent, almost entirely as a result of private settlements. One company, Newegg, fought and lost -- although they're planning to appeal. The story is here.
I had to finish the whole Enclave series before I could review any of it, though, because it's less a trilogy and more one book broken into three parts. There's no resolution whatsoever in the first two, and each successive title picks up at the exact moment the last leaves off. Normally I detest these kinds of cliffhanger endings, since they leave me feeling cheated out of a complete book, but having finished it I can say now that Enclave is worth the investment.
Enclave is a gritty post-apocalyptic thriller that starts off underground, in the abandoned subway tunnels and sewers. There, in a small barbaric society divided into Builders, Breeders, and Hunters - and where the average life expectancy is only 25 - we meet Deuce. Deuce is a 15-year-old Huntress, tasked with protecting her people from zombie-like creatures called Freaks - who, of course, like to eat people.
I'll be honest, the first few pages didn't grab me right. The whole society-of-hardened-warrior-children thing came off as just too unbelievable. Then the action started. Next thing I knew I was blinking at the clock and wondering where the last three hours went. (You know how that is?)
If you're going to read Enclave, do yourself a favor and already have Outpost on hand. Like I said, no resolution, and DANG are you going to want to know what happens next. The rotten author (I say with all love and respect) even leaves a major character's life hanging in the balance, so you're not sure if that character lives or dies 'til you get to Outpost. NOT COOL.
In Outpost we get a complete change of scenery, as Deuce has left the underground for the first time and ventured Topside, into the sun and the outside world. (I'm leaving out all the spoilery details, promise.) Here she discovers more pockets of survivors - and Freaks - and starts to unravel the forgotten history of the world's destruction. Throwing in her lot with a small town called Salvation, Deuce again fights to protect the ones she loves.
In Horde, the third and final (yes, we finally DO get a conclusion!) book, Deuce really comes into her own as a leader and warrior. The battles - which are non-stop throughout - get bigger, but at the same time the story hones in on the characters you've come to love and root for, weaving back stories, creating new relationships, and overall just giving this action-thriller a huge amount of heart. Not gonna lie: I cried three or four times during Horde. But at least two of those times were happy tears, so that counts as a wash, right? :) Finishing it reminded me of the first time I finished watching the battle of Helm's Deep in The Two Towers; Aguirre paints war in all its bloody colors, and the ordeal is both exhilarating and exhausting.
Like I said, Enclave is a gritty tale. In addition to the non-stop death and gore, it deals with heftier topics like severe post-traumatic stress disorder and a former rape victim rediscovering her own strength and courage. These are handled masterfully, though, and speaking as someone with a low tolerance for such things, I can say nothing is so graphic as to make you uncomfortable. The horrors and trauma are incredibly believable and realistic, but Aguirre describes them with a sensitivity that spares us the explicit details.
On a more positive note, the gender roles in Enclave - with the exception of the town of Salvation - are a wondrous thing. I love how many strong female leaders we get to meet over the course of the story, but also that the ones in more traditional, non-combative roles are shown to be just as strong. There's even a gentle soul who is essentially a stay-at-home-dad, a nice counterpoint to Deuce's warrior nature.
The love triangle in Enclave doesn't even try to fool us with some "who will she pick?" nonsense, but it does add a believable depth, not to mention one of the most interesting villain-turned-heroes I've read in ages. (Stalker and Tegan's story will both make and break your heart. Simply amazing.)
There are obvious parallels here to both the Divergent series and The Hunger Games, but I can assure you Enclave finishes much, MUCH stronger than either of those. (I confess I haven't read Allegiant, but only because I know enough of the plot to know I won't like it. And let's face it: Mockingjay sucked.) We finally get a series that ends right, you guys. Can I get a "WAHOO"? It's huge, it's cinematic, it's gut-wrenching, and it will have your heart rate up 'til the last few chapters. It also ENDS ends, à la Harry Potter, leaving no room for tack-ons, and I respect that. I like to have a good story finished.
So, if you've got time for a good 1200 page read, definitely pick up Enclave, Outpost, and Horde. But don't torture yourself by only having Enclave. Trust me. That wait for the next book will be murder. ;)
Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)
My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec -- both Silicon Valley companies -- to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.
Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.
Up until this moment, only a handful of the vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state-sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.
D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
The update comes roughly seven weeks after researcher Craig Heffner discovered and blogged about a feature or bug built into at least eight different models of D-Link routers that could allow an attacker to log in as administrator and change the router’s settings. Although the router models affected are fairly old, there are almost certainly plenty of these still in operation, as routers tend to be set-it-and-forget-it devices that rarely get replaced or updated unless they stop working.
According to Heffner, an attacker who identified a vulnerable router would need merely to set his browser’s user agent string to “xmlset_roodkcableoj28840ybtide”, and he could log in to the router’s administrative interface without any authentication. Heffner later updated his blog post with a proof-of-concept illustrating how attackers also could use the bug to upload arbitrary code to the vulnerable devices.
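Because the bypass rides on a fixed User-Agent value that no legitimate browser ever sends, its use is easy to spot in web access logs. The following detection script is an added example, not code from the post or from D-Link; it assumes requests to the router’s admin interface are captured in Apache/nginx “combined” log format (for instance by a logging proxy or IDS in front of the device), and the log lines, IPs and paths below are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The user-agent value reported in the post as the D-Link authentication bypass.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" log format; the group names are this example's own choice.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    """One request whose User-Agent carries the backdoor string."""
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def find_backdoor_requests(lines: Iterable[str]) -> List[Hit]:
    """Return every parsable request whose User-Agent contains the backdoor string.

    The match is a case-insensitive substring match: the string might be padded
    with a version suffix or re-cased, and it never appears in a genuine browser UA.
    """
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and BACKDOOR_UA.lower() in rec.ua.lower():
            hits.append(rec)
    return hits


def count_by_source(hits: Iterable[Hit]) -> Dict[str, int]:
    """Aggregate hits per client IP so a single noisy source is visible at a glance."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


# Constructed sample log lines (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Nov/2013:10:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"',
    '198.51.100.7 - - [28/Nov/2013:10:16:44 +0000] "GET /tools_admin.htm HTTP/1.1" '
    '200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [28/Nov/2013:10:16:45 +0000] "POST /tools_admin.htm HTTP/1.1" '
    '200 64 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE/1.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f"{hit.ts} {hit.ip} {hit.method} {hit.path} -> {hit.status} ua={hit.ua!r}")
    print(count_by_source(find_backdoor_requests(SAMPLE_LOG)))
```

Any hit against a device that is still on the vulnerable firmware should be treated as a successful administrative login, since the router performs no further authentication.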
On Nov. 28, D-Link released a series of updates to fix the problem. Updates are available for the following models:
It’s not clear exactly why or how this backdoor found its way into the D-Link routers, but Heffner said a suggestion by fellow researcher Travis Goodspeed points to one likely explanation: “My guess is that the developers realized that some programs/services [such as dynamic DNS] needed to be able to change the device’s settings automatically,” he wrote. “Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change.”
Updating an Internet router can be tricky, and doing so demands careful attention; an errant click or failure to follow closely the installation/updating instructions can turn a router into an oversized paperweight in no time. Normally when it comes to upgrading router firmware, I tend to steer people away from the manufacturer’s firmware toward alternative, open source options, such as DD-WRT or Tomato. Most stock router firmware is fairly clunky and barebones (or includes undocumented “features” like the one discussed in this post); I have long relied on DD-WRT because it comes with all the bells, whistles and options you could ever want in a router firmware, but it generally keeps those features turned off by default unless you switch them on.
Unfortunately, none of the models listed above appear to be compatible with either firmware. Also, some of these routers are old enough that they don’t support the more secure wireless encryption protocols, such as WPA-2; others may even require users to administer the router using Internet Explorer (not much of an option for Mac users).
For these reasons, I would suggest that anyone with a vulnerable router consider upgrading to a newer device. Asus, Buffalo and Linksys make many routers that are broadly compatible with DD-WRT and Tomato, but you may want to check their respective compatibility pages (linked in this sentence) prior to purchasing a new one.
Ever since I first saw "Despicable Me," I've been telling everyone that what I really need are minions.
(And that unicorn. He's so fluffy I'm gonna DIE!)
Well, apparently I'm not the only one who thinks a few minions would make everything work a whole lot better.
Maybe it's time the minions stepped out of their subordinate roles and fulfilled their true destinies!
For example, I think minions would make great superheroes. I mean, look at these guys:
Aren't they marvels?
(You'd have to be totally Loki to take them on.)
Besides, minions are naturally flea-resistant:
(By Tessa Tina Cakes)
... so ol' Wolverinion there would be a lot less likely to get itchy at an awkward moment and accidentally give himself a close shave.
Seriously. Don't you agree we need more minions fighting for truth, justice and the American way?
Super. (Hey, we don't know where minions came from. It could have been Krypton.)
I've always considered minions alien in origin, so it really wouldn't be that big a surprise to find they have a few intergalactic cousins:
(By Wooden Heart Cakes)
The farce is strong in this one.
Or maybe they took the Police Box and went on a little planetary road trip.
(By The Bunny Baker)
Go ahead and blink -- I'm pretty sure you'll be fine.
(Did anyone else blink away a few tears during the 50th Anniversary special? Uh, me neither... *sniff*)
They might have even visited the Monster's Inc. world.
Not that I'm trying to sully anyone's reputation...
Of course, they could be plain old earth creatures who got hit with a minion ray or had a strand of DNA go out of whack. They could just be regular -- well, relatively regular -- guys with regular jobs.
(By My Sweet Obsession)
Somebody has to make sure the trains run on time.
Heck, a few minions working at Disney could make it a Whole New World.
To start with, there'd be a lot more songs featuring banana karaoke.
A little minion DNA might even make Cartman more iconic.
(By Ivy Jane's Bakery)
Of course, it might also give him access to Gru's arsenal.
You know, I'm feeling pretty good about all the ways minions could be integrated into my life.
What about you guys?
(By My Sweet Obsession)
Heeeyyy. How you doin'?
Curious which bakers in your area have been featured here on Sweets? Then check out our Sunday Sweets Directory!
How to Rebrand Feminism and Get Women Fired in the Process | Red Light Politics - “When a campaign to ‘rebrand feminism’ is constructed in a way that can potentially hurt the most vulnerable among us, I have to ask the obvious, who needs this rebranding and who is supposed to benefit from it?”
The Problem With ‘Brogrammers’ | In These Times - “In These Times talked about the ways that racism, sexism and classism are coded in the tech sector with Kat Calvin, founder of Blerdology, a network for African Americans in tech; Ashe Dryden, a tech diversity educator and consultant; Kate Losse, author of The Boy Kings, a memoir about working at Facebook; and Telle Whitney, president and CEO of the Anita Borg Institute for Women and Technology.”
Silicon Chasm | The Weekly Standard - “The extreme economic and social inequality that characterizes Silicon Valley is not exactly the way it was supposed to be.”
Open Source Interns Outperform Industry Heavyweights in Linux Kernel Contributions | 01.ORG - “The seven interns with the Outreach Program for Women (OPW) working on the Linux kernel as part of development projects at Intel and other companies had 230 changesets accepted upstream into the latest kernel revision. Of the 200 companies that contributed to kernel release 3.11, the OPW interns contributed the eleventh highest amount, ahead of companies such as Google, Oracle, ARM, and Cisco.”
Different Internets: How Online Sexism and Misogyny Impact Women in Tech - “It seems likely that women are actually LESS represented in the online tech community than in the workforce, and that their ability to access and benefit from the professional network represented by these spaces is severely restricted.”
Silicon Valley Isn’t a Meritocracy. And It’s Dangerous to Hero-Worship Entrepreneurs | Wired - “The myths of authenticity, meritocracy, and entrepreneurialism do have some basis in fact. But they are powerful because they reinforce ideals of the tech scene that shore up its power structures and privileges. Believing that the tech scene is a meritocracy implies that those who obtain great wealth deserve it, and that those who don’t succeed do not. The undue emphasis placed on entrepreneurship, combined with a limited view of who “counts” as an entrepreneur, function to exclude entire categories of people from ascending to the upper echelon of the industry. And the ideal of authenticity privileges a particular type of self-presentation that encourages people to strategically apply business logics to the way they see themselves and others.”
White Hot Rage | The American Prospect - “But Kimmel’s explanation for the men’s rights movement—a bit of economic disenfranchisement here, a bit of unfair divorce law there, mixed with the disinhibiting effects of the Internet—is cobbled together and unconvincing. Ironically, he’s got a pretty good explanation of the men’s rights movement hiding in his insightful and disturbing chapter on domestic abusers.”
GoldieBlox and Three Feminism Follow-up Points | Shakesville - “The answer to how to get more women in STEM isn’t to make more women interested via Cool Toys, but to make the atmosphere in STEM fields more welcoming to the women who are interested. And that means, among other things, targeting men to fix things, not little girls.”
Rebooting the Ada Lovelace Mythos | The Ada Initiative - “In the end, all the popular versions of the Ada Lovelace mythos – world’s first computer programmer, Lord Byron’s daughter, delusional mentally ill gambler – are incomplete and often perpetuate harmful stereotypes about women in STEM. The talk ends with some proposals for new, more complex stories we could tell about Ada Lovelace, as a brilliant and flawed human being with variety of interests, who happened to see farther into the future of computing than anyone else for the next hundred years.”
#libtechgender – a Post in Two Parts | ACRL Tech Connect Blog - “On October 28th Sarah Houghton, the director of the San Rafael Public Library, moderated a panel on gender in library technology at the Internet Librarian conference. In today’s post I’d like to share my small contributions to the panel discussion that day and also to share how my understanding of the issues changed after the discussion there. It is my hope that more conversations—more talking and more listening—about gender issue in library technology will be sparked from this start.”
We link to a variety of sources, some of which are personal blogs. If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.
You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on pinboard.in or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).
Thanks to everyone who suggested links.
IIIIIT'S TURKEY DAY!!!
And just in time, too, 'cuz the gang's all here! Here, lemme introduce you.
Daddy Long Legs:
Danny Double D:
(aka "The Smothered Brother")
"All right, all right; just one wafer-thin mint."
...and, last but definitely not least, Mr. Hurkey:
They're here to wish you a very:
Or, if you prefer past tense:
Now get out there, my friends, and:
Sooo... chop chop!
Thanks given to Ashley K., Bonnie C., Caitlin D., Carina B., Allie S., Lauren M., Rachel S., Tammy P., Maggie W., Judith R., Courtney, Daniel L., & Leslie M. for making "ham" a verb.
Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet's smaller and simpler attack routine -- the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But the second and "forgotten" routine is about an order of magnitude more complex and stealthy. It qualifies as a nightmare for those who understand industrial control system security. And strangely, this more sophisticated attack came first. The simpler, more familiar routine followed only years later -- and was discovered in comparatively short order.
Stuxnet also provided a useful blueprint to future attackers by highlighting the royal road to infiltration of hard targets. Rather than trying to infiltrate directly by crawling through 15 firewalls, three data diodes, and an intrusion detection system, the attackers acted indirectly by infecting soft targets with legitimate access to ground zero: contractors. However seriously these contractors took their cybersecurity, it certainly was not on par with the protections at the Natanz fuel-enrichment facility. Getting the malware on the contractors' mobile devices and USB sticks proved good enough, as sooner or later they physically carried those on-site and connected them to Natanz's most critical systems, unchallenged by any guards.
Any follow-up attacker will explore this infiltration method when thinking about hitting hard targets. The sober reality is that at a global scale, pretty much every single industrial or military facility that uses industrial control systems at some scale is dependent on its network of contractors, many of which are very good at narrowly defined engineering tasks, but lousy at cybersecurity. While experts in industrial control system security had discussed the insider threat for many years, insiders who unwittingly helped deploy a cyberweapon had been completely off the radar. Until Stuxnet.
And while Stuxnet was clearly the work of a nation-state -- requiring vast resources and considerable intelligence -- future attacks on industrial control and other so-called "cyber-physical" systems may not be. Stuxnet was particularly costly because of the attackers' self-imposed constraints. Damage was to be disguised as reliability problems. I estimate that well over 50 percent of Stuxnet's development cost went into efforts to hide the attack, with the bulk of that cost dedicated to the overpressure attack which represents the ultimate in disguise -- at the cost of having to build a fully-functional mockup IR-1 centrifuge cascade operating with real uranium hexafluoride. Stuxnet-inspired attackers will not necessarily place the same emphasis on disguise; they may want victims to know that they are under cyberattack and perhaps even want to publicly claim credit for it.
THIS JUST IN from WREX-TV:
A toxic icing spill at an area shopping mall has left locals traumatized, confused, and a little peckish:
However, it was in the bakery that results were most devastating, particularly among the turkey cakes.
Some burst into flames:
...others complained of being a bit chilly:
"I'll give you a heads up when it's warmer, guys."
And a few even found themselves on the new literal reality show, "Face Off."
"This punches you in the face with how bad it sucks."
"I liked it!"
"Nobody asked you, Ve."
This guy was spotted rolling down the bread aisle:
He looks fierce, but turned out to be a big cream puff.
(Now he's toast.)
Sadly, the largest percentage of cakes turned into something experts call "poo wangs."
And once a bakery is infested with poo wangs, it's really hard to flush them out.
In the mean time, though, the bakery is having a sale on the classic English dessert, "spotted dick."
So it looks like this situation might have a happy ending, after all.
Thanks to Jayson G., MK, Sara G., Lisa P., Judi I., Nat B., Wendy C., & Laurence R. for the spot of English culture.
I don’t have the hard data at hand, but my impression of the field of computer science that I did my graduate work in and continue to apply in my career — programming languages — is that it’s unusually homogeneous, even for computer science. I’ve written before on this blog about some of the consequences of gender inequality in programming languages research; things are not much less dire with respect to racial and cultural diversity.
One upcoming opportunity to get help with getting started in the field, for both graduate students and serious undergraduate students, is the Programming Languages Mentoring Workshop (PLMW). In 2014, PLMW will be co-located with POPL (the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages), in San Diego, California, USA in January. The deadline to register for PLMW is December 10, and the ACM is making some funding available for students to attend PLMW and POPL, including travel costs.
POPL is probably the most prestigious conference on programming language theory, and I can say from experience that many (if not most) of the talks at POPL tend to be not exactly geared to a novice audience. When I attended POPL 2008 in San Francisco, one of the custodians at the hotel where the conference was taking place asked me, out of the blue, “What’s this conference about? With most conferences that happen here, I can figure out what they’re talking about, but with this one I have no idea.”
So attending PLMW looks like a great opportunity to be reminded that you’re not the only one who doesn’t already know everything. I just wish it had existed back in the early 2000s when I could have benefited a lot from it!
And since you KNOW I'm here to help - and to enable your glitter addiction - here are my 10 favorite wreaths from Orlando's Festival of Trees. (Yes, wreaths. I'm starting you off small!)
Oh, and I'm telling you now, guys, the trendiest trend this year is definitely peacock feathers. I thought they were big last year, but from what I've seen at the Festival and stores around town, this year is going to be drowning in teal, green and purple feathers.
Not that I'm complaining, mind you; I'll be proudly decorating my steampunk tree with plenty o' peacock goodness again this year. :)
It doesn't show well on film, but this wreath was especially stunning in person:
(And if you're new here: yes, I have two Christmas trees each year. DON'T JUDGE. :p)
I bet you can guess why I love this next one:
I'm also a big fan of using large accent pieces like those reindeer. Really gives the wreath a few key focal points. (You see that a lot more with designer trees, too: the bigger, the better.)
Here's a sweet option for bakers:
Again, one big accent piece really makes the whole wreath. You could use a wall plaque, lightweight statue, or even a favorite stuffed animal. Then buy a few coordinating ornaments & ribbon, and you're good to go! (The cookie cutters are a nice themed touch. I've seen baking themes with those pretty copper bundt pans & cutters, too.)
Not a wreath, but glamorous enough that I hope you'll forgive me:
I keep seeing cheap glass vases like this at Ross and HomeGoods - usually around $15. So let's see: fill it with mini ornaments or beads, stick a few big strands of pine garland in the top along with some spriggies and bigger ornaments...? Eh? Play your cards right, and I bet you could make your own for $30 or $40 - less, if you use stuff you already have.
Ok, back to wreaths:
LOVE that top hat. Together with the plaid ribbons and rustic burlap and berry touches, it's got a fun Dickens vibe to it.
(I'm torn on burlap: I love the rustic look, but I also love glitter. Like, I NEED THE SPARKLIES, you know? Hm. Maybe if I dipped burlap in glitter...)
Check it: MOAR PEACOCK:
This would make a fun New Year's wreath, assuming anyone actually makes such a thing:
From classic to colorful:
I still love lime green, teal, and fuchsia. They're just so cheerful together. (Any of you playing with that new mesh garland stuff that's all the rage? Because it is awesome. The perfect filler, and easy to mold, too. I want to find some in copper next for the steampunk tree.)
And finally, a wreath with no greenery at all:
Red, bronze, and gold. YESSS. (This was the other wreath to convince me to change my color scheme this year.) And the little bird perched in the middle is perfection itself. LOVE IT.
And FINALLY finally, if any of you Whovians have an Old Time Pottery near you, go buy this bell:
I hope you got some ideas here for your own decorating endeavors, guys! Now if you'll excuse me, I'm off to fluff my tree, IF you know what I mean.
(It got a little smooshed in the garage. What?)
PS - Last call for Betty Martin, one of my art-giveaway winners! Please e-mail me, Betty, to claim your prize!
Safeplug is an easy-to-use Tor appliance. I like that it can also act as a Tor exit node.
EDITED TO ADD: I know nothing about this appliance, nor do I endorse it. In fact, I would like it to be independently audited before we start trusting it. But it's a fascinating proof-of-concept of encapsulating security so that normal Internet users can use it.
When we looked closer at the shelf, John and I decided OTP really needs better proof-readers:
Those are pretty simple mistakes, I guess, but this one just confuses me:
After we had our giggles, John decided to buy the "dime" one. Which gave me an idea.
Later that night, after a little Dremel surgery and some E-6000:
Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also “test buys” from security researchers, law enforcement and other meddlers.
One anti-fraud measure commonly used in e-commerce is the address verification service (AVS), which seeks to verify the address of a person claiming to own a credit card. Some businesses employ additional “geo-IP” checks, which try to determine the geographical location of Website visitors based on their Internet addresses, and then match that with the billing address provided by the customer.
The trouble with these services is that they can get pricey in a hurry, and they’re often sold by the very companies that spammers are trying to outsmart. Enter services like fraudcheck[dot]cc: This service, run by an established spammer on a semi-private cybercrime forum, performs a multitude of checks on each transaction, apparently drawing on accounts from different, legitimate anti-fraud services. It accepts payment solely via WebMoney, a virtual currency that is popular in Russia and Eastern Europe.
This fraudster-friendly antifraud service does the following analysis:
- Queries the geo-IP location from four distinct sources;
- Calculates the billing ZIP code distance from the customer’s geo-IP coordinates;
- Checks the customer’s Internet address against lists of known proxies that are used to mask an Internet user’s true location, and assigns a “risk score” of zero to 4.2 (the higher the number, the greater the certainty that the purchase was made via a proxy);
- Generates a “fraud score” from 0-100 to rate the riskiness of the transaction (100 being the riskiest).
The bulk of the fraud checks appear to be conducted through [hijacked?] accounts at MaxMind.com, a Waltham, Mass. company that screens more than 45 million online transactions per month for 7,000 companies. MaxMind sells a suite of legitimate anti-fraud solutions, including two specifically called out in the screen shot above (minFraud and GeoIP).
As detailed in this white paper (PDF), MaxMind’s minFraud service checks for a number of potential risk factors, such as whether the customer is using a free Webmail account, or whether there is a mismatch between the shipping and billing addresses. It also looks to see whether the customer is paying with a card from a known bank. Failure to identify a “bank identification number” (BIN) — the first six digits of any card — may indicate the customer is paying with a prepaid card and thus trying to mask their identity or location.
Based on the combined results of these tests, MaxMind’s service will assign a “fraud score” from 0 to 100, indicating the service’s best guess about whether the transaction should be allowed or declined. In the example from the screenshot above, it’s not clear why the service assigned such a high fraud score (96.84) to the transaction in question — perhaps because the service could not identify the bank that issued the card used in the transaction and determined that it was a prepaid card.
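To make the scoring described above concrete, here is an added example (mine, not MaxMind’s minFraud code and not anything from fraudcheck[dot]cc) that combines the same classes of signal the article lists: distance between a geo-IP fix and the billing ZIP, a known-proxy list, free webmail domains, a shipping/billing mismatch, and a BIN lookup, rolled up into a single 0-100 score. Every lookup table, coordinate, weight and sample transaction is constructed for the illustration; the single GEOIP table stands in for the several geo-IP sources the service queries, and the weights are arbitrary rather than anything a real service uses.

```python
"""Toy transaction risk scorer.

Illustrative only: this is an added example, not MaxMind's minFraud logic and
not fraudcheck[dot]cc.  It combines the kinds of signals the article lists
(geo-IP distance to the billing ZIP, proxy lists, free webmail, shipping vs
billing mismatch, BIN lookup) into a single 0-100 score.  All tables, weights
and transactions below are constructed for the example.
"""
from dataclasses import dataclass
import math

# Constructed stand-ins for the real GeoIP, proxy, webmail and BIN databases.
# One table stands in for the several geo-IP sources the article mentions.
GEOIP = {                                 # ip -> (lat, lon); documentation ranges
    "203.0.113.10": (42.3765, -71.2356),  # near Waltham, MA
    "198.51.100.7": (55.7558, 37.6173),   # near Moscow
    "192.0.2.44":   (40.7128, -74.0060),  # near New York
}
ZIP_COORDS = {"02451": (42.3765, -71.2356), "10001": (40.7506, -73.9972)}
KNOWN_PROXIES = {"192.0.2.44"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "mail.ru"}
# BIN (first six digits) -> issuer.  Card numbers used below are public test
# numbers; the issuer names are hypothetical.
BIN_TABLE = {"411111": "Example Bank (credit)", "520000": "Example Bank (debit)"}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class Txn:
    ip: str
    billing_zip: str
    shipping_zip: str
    email: str
    card_number: str


def score_transaction(t):
    """Return the individual signals plus an aggregate 'fraud_score' (0-100).

    Weights are arbitrary for the illustration; a real service would tune
    them against chargeback history.
    """
    signals = {}

    # 1. Geo-IP fix vs billing ZIP.  Missing data is itself a (mild) signal.
    ip_loc, zip_loc = GEOIP.get(t.ip), ZIP_COORDS.get(t.billing_zip)
    dist = haversine_km(ip_loc, zip_loc) if ip_loc and zip_loc else None
    signals["geoip_distance_km"] = dist

    # 2. Is the client address on a known proxy list?
    signals["proxy"] = t.ip in KNOWN_PROXIES

    # 3. Free webmail account?
    domain = t.email.rsplit("@", 1)[-1].lower()
    signals["free_webmail"] = domain in FREE_WEBMAIL

    # 4. Shipping vs billing mismatch.
    signals["ship_bill_mismatch"] = t.billing_zip != t.shipping_zip

    # 5. BIN lookup: an unrecognised BIN is treated like a prepaid/unknown card.
    signals["bin_known"] = t.card_number[:6] in BIN_TABLE

    score = 0.0
    if dist is None:
        score += 15
    elif dist > 1000:
        score += 35
    elif dist > 100:
        score += 15
    if signals["proxy"]:
        score += 30
    if signals["free_webmail"]:
        score += 5
    if signals["ship_bill_mismatch"]:
        score += 10
    if not signals["bin_known"]:
        score += 25
    signals["fraud_score"] = min(100.0, score)
    return signals


if __name__ == "__main__":
    # Constructed sample transactions: a clean domestic buy, an overseas buy on an
    # unknown BIN with a webmail address, and a local buy routed through a proxy.
    for txn in (
        Txn("203.0.113.10", "02451", "02451", "alice@example.com", "4111111111111111"),
        Txn("198.51.100.7", "02451", "10001", "bob@mail.ru", "6011000000000004"),
        Txn("192.0.2.44", "10001", "10001", "carol@example.com", "5200000000000007"),
    ):
        print(txn.ip, score_transaction(txn))
```

Note how quickly the score climbs in the second transaction: a large geo-IP distance and an unrecognised BIN alone account for 60 of its 75 points, which matches the article’s guess about why a prepaid card bought out of region draws a high score.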
Prepaid cards are a favorite investigative tool of academic researchers and fraud investigators working on behalf of brands whose trademarks are often abused in spam-advertised goods (think pirated software, designer goods and knockoff name-brand prescription drugs). As such, dodgy businesses that sell products advertised via spam tend to look askance at transactions made with prepaids.
At least, that was one conclusion of an outstanding academic paper, Priceless: The Role of Payments in Abuse-Advertised Goods (PDF), an exhaustive analysis of the payment processing systems deployed by spammers. According to that research, spammers place a huge emphasis on blocking “undercover buys” from researchers and investigators.
“In particular, if they can prevent an undercover buy from producing an authorization then there is no way to tie a Web site selling brand-infringing goods to the merchant account (and hence bank) normally used to process its payments,” the researchers noted.
The researchers, from George Mason University, the University of California, San Diego, and the International Computer Science Institute, found a number of shops that filtered out IP addresses used on previously unsuccessful orders, as well as spam-advertised shops that refuse to process payments on credit cards with particular BINs.
“Similarly, we have identified distressed programs that use IP geo-location to specialize payment options,” to weed out purchases from certain countries, the researchers found. “All of these techniques raise the stakes for undercover purchasing since it again creates an increased “cover burden” for IP diversity, geographic diversity, BIN diversity, name diversity, etc.”
Damon McCoy, an assistant professor of computer science at GMU and one of the authors of the study, said fraudcheck.cc is indicative of a trend in underground businesses.
“We have seen a growing trend from these underground shops indicating that they are likely investing in increasingly sophisticated fraud checking systems and also employing a second line of defense by hiring people to manually check suspicious orders,” McCoy said. “They are becoming more willing to turn away some real customers to limit their risk of accepting a test purchase that might result in large fines.”
Fraudcheck[dot]cc is yet another example of a fraudster-friendly service that appears to be built on the back of compromised accounts at legitimate information services. Other examples include reshipping schemes that take advantage of carded and hijacked accounts at postage vendors; mass domain name registration services; money mule scams that find new hires using hijacked employer accounts at major job search sites; and identity theft services that pull data directly from major consumer data aggregators.