A History of Privacy

Nov. 30th, 2015 12:47 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

This New Yorker article traces the history of privacy from the mid 1800s to today:

As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late. The horse is out of the barn. The post office has opened your mail. Your photograph is on Facebook. Google already knows that, notwithstanding your demographic, you hate kale.
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.

Agent Steve Scarince of the U.S. Secret Service heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.

External pump skimmers retrieved from LA fuel stations.

An external pump skimmer is attached to the end of this compromised fuel dispenser in Los Angeles (right).

“Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,” he said. “The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.'”

Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely.

Internal pump skimming device seized from a Los Angeles fuel station.

Most modern internal pump skimmers store the captured card data and can transmit it wirelessly over Bluetooth. This way, thieves can drive up with a laptop and fill their tank in the time it takes to pull down the card data that’s been freshly stolen since their last visit.

The Secret Service task force in Los Angeles has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don’t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.


Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic “bladders” capable of holding between 250 and 500 gallons of fuel.

“The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,” he said. “Then they’ll drive back to their compound and pump the fuel into a 4,000 or 5,000 [gallon] container truck.”

A bladder truck made to look like it’s hauling used tires. The wooden panel that was hiding the metal tank has been removed in this picture.

The fuel is delivered to gas station owners with whom the fuel theft ring has already negotiated a price per gallon, and it is always a cash transaction.

“The stations know they’re buying stolen gas,” Scarince said. “They’re fully aware the fuel is not coming from a legitimate source. There’s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.”

Fuel theft gangs converted this van into a bladder truck. Image: Secret Service.

Needless to say, the bladder trucks aren’t exactly road-worthy when they’re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.

“Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,” Scarince said. “He lit up and that was the last thing he did.”

This bladder truck went up in smoke (literally).

Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.

“There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,” Scarince said. “These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can’t handle the load. We see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.”

How big are the fuel theft operations in and around Los Angeles? Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.

“And that’s a very conservative guess, just based on what the credit card companies report,” he said.

Aaron Turner, vice president of identity service products at Verifone — a major manufacturer of credit card terminals — leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment. 

“Every piece of equipment that is installed by gas station owners in the pump area is reviewed and approved according to industry standards, but these skimmers…not so much,” Turner said. “One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it’s safe to say that skimmer manufacturers are not getting UL certifications for their gear.”


With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.

“A lot more card issuers and merchant processors are really pushing hard on velocity checks,” Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. “If you buy gas in Washington, D.C., and then 30 minutes later gas is being purchased on the opposite side of the city, those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.”

Card issuers also can impose their own artificial spending limits on fuel purchases. Visa, for example, caps fuel purchases at $125. But thieves often learn to work just under those limits.

“The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,” Scarince said. “They’ll come in and swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they’ll drive one direction, and Tuesday they’ll go the other way, just to make sure they don’t hit the same stations one day after another.”
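The velocity checks Scarince describes, as an added example that is not part of the original article and not any issuer's actual fraud engine: three heuristic rules run over a handful of constructed fuel authorizations. Rule one is the "opposite side of the city in 30 minutes" check (implied travel speed between consecutive purchases), rule two counts purchases per card per hour, and rule three looks for the "fill to just under the cap" pattern, where a card repeatedly pumps close to the $125 limit. The thresholds, the station coordinates, and the card tokens are all assumptions chosen for illustration.

```python
"""Velocity checks over card-present fuel authorizations.

Added illustration, not Krebs's or any issuer's production logic. All
thresholds, station coordinates and card tokens are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class FuelTxn:
    card: str        # issuer token for the PAN, never the raw card number
    ts: datetime     # authorization time (treated as UTC)
    station: str
    lat: float
    lon: float
    amount: float    # USD


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def velocity_alerts(txns, *, window=timedelta(hours=1), max_in_window=2,
                    max_speed_kmh=120.0, cap_usd=125.0, near_cap_ratio=0.8,
                    near_cap_count=3, near_cap_window=timedelta(hours=24)):
    """Return (card, rule, detail) tuples, at most one per card and rule.

    Rules (thresholds are illustrative assumptions):
      impossible_travel: consecutive purchases at different stations would
                         require travelling faster than max_speed_kmh;
      count_velocity:    more than max_in_window fuel purchases in `window`;
      near_cap_cluster:  near_cap_count or more purchases at or above
                         near_cap_ratio * cap_usd inside near_cap_window,
                         the "fill to just under the limit" pattern.
    """
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)

    alerts, fired = [], set()

    def fire(card, rule, detail):
        if (card, rule) not in fired:          # report each rule once per card
            fired.add((card, rule))
            alerts.append((card, rule, detail))

    for card, hist in by_card.items():
        hist.sort(key=lambda t: t.ts)
        for i, t in enumerate(hist):
            if i > 0:
                prev = hist[i - 1]
                km = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
                hours = (t.ts - prev.ts).total_seconds() / 3600.0
                # zero elapsed time with non-zero distance is treated as infinite speed
                if prev.station != t.station and km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                    fire(card, "impossible_travel",
                         f"{km:.0f} km from {prev.station} to {t.station} in {hours * 60:.0f} min")
            recent = [u for u in hist[: i + 1] if u.ts > t.ts - window]
            if len(recent) > max_in_window:
                fire(card, "count_velocity",
                     f"{len(recent)} fuel purchases within {window}")
            near_cap = [u for u in hist[: i + 1]
                        if u.ts > t.ts - near_cap_window and u.amount >= near_cap_ratio * cap_usd]
            if len(near_cap) >= near_cap_count:
                fire(card, "near_cap_cluster",
                     f"{len(near_cap)} purchases of ${near_cap_ratio * cap_usd:.0f}+ within {near_cap_window}")
    return alerts


# Constructed sample: tok_A behaves like a cloned card on a bladder-truck
# route; tok_B is an ordinary commuter. Coordinates are approximate
# Southern California points chosen for the example.
SAMPLE_TXNS = [
    FuelTxn("tok_A", datetime(2015, 11, 30, 8, 0), "LAX-1", 33.94, -118.41, 118.00),
    FuelTxn("tok_A", datetime(2015, 11, 30, 8, 10), "PAS-7", 34.15, -118.14, 121.00),
    FuelTxn("tok_A", datetime(2015, 11, 30, 8, 40), "LGB-3", 33.77, -118.19, 119.00),
    FuelTxn("tok_B", datetime(2015, 11, 30, 7, 30), "PAS-7", 34.15, -118.14, 42.00),
    FuelTxn("tok_B", datetime(2015, 12, 1, 7, 35), "PAS-7", 34.15, -118.14, 40.00),
    FuelTxn("tok_B", datetime(2015, 12, 4, 12, 5), "SAN-2", 32.72, -117.16, 38.00),
]

if __name__ == "__main__":
    for card, rule, detail in velocity_alerts(SAMPLE_TXNS):
        print(f"{card}: {rule}: {detail}")
```

On the sample, the cloned card trips all three rules (roughly 34 km between the first two stations in ten minutes, three purchases inside an hour, three purchases at $100 or more in a day) while the commuter card trips none. Per-card rules are exactly what the "two to three cards per station" tactic in the quote above is designed to slip under, so a real deployment would also aggregate by station and by the BIN ranges observed in a skimming incident rather than by card alone.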

Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card’s magnetic stripe, and most fuel stations won’t have chip-enabled readers for several years to come.

On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

“The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don’t feel they’re going to hit the 2017 dates,” Turner said. “If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians…most of the stations are saying that even if they start this process now they’re going to struggle to meet that October 2017 date.”

Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.

“We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,” Turner said. “In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.”

Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic Armenian organized crime members that have invested heavily in fuel theft schemes. Last month, the Justice Department announced charges against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.

Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.

“We are seeing pump skimming now shoot across the country,” Scarince said. “Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we’re now seeing show up in other locations across the country. They’re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.”


Avoid sketchy-looking stations and those that haven’t started using tamper-evident seals on their pumps.

“The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven’t upgraded their pump locks and haven’t started using tamper seals,” Scarince said. “If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they’re going to be targeted.”

Scarince says he also tends to use pumps that are closest to the attendants.

“Those are less likely to have skimmers in or on them than street-side pumps,” he said.

Consumers should remember that they’re generally not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions, and debit card protections in particular shrink the longer a fraudulent transaction goes unreported. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

The Bakery Order Book IS A LIE

Nov. 30th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

We all know asking a bakery to match a cake photo you brought in is inviting disaster, but what about the photos in their own order book? SURELY they can match those, right?

[poker face]
[lip quiver]


[wiping eyes]

Sorry. I held it together as long as I could, honest.

I want you to pay close attention to that faux wood grain and the rock pattern on this one.


Now, notice how they...

...didn't include any of that.


Aren't the silver screw heads edging this motorcycle design super cool?

Yeah, you will never ever ever ever ever ever get those on your cake.


Also, your flames will look like melty tentacles.


Now here's a SUPER easy one:

Practically everything you see is plastic, so all the baker has to do is add a star and some squiggly lines. THAT'S IT.


Drum roll, please:



Maybe you think ordering an intentionally "messy" design is the answer:

Good plan! And yet...



I do have some good news, though. With another year of Frozen cakes under their belts, bakers are finally starting to improve on that always-disastrous kit design!

Ok, so I lied.

But c'mon, those "mountains" had to be shared with the world.


Thanks to Christian P., Tanis C., Lisa C., Dawn H., & Lavon C., for discovering Olaf also likes warm spuds.


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

Al mal tiempo buena cara!

Credit: Flickr / Andrés Nieto Porras

One of my friends died not too long ago and #fuckcancer. But at least I got to say goodbye, and to say what seemed like the most important thing to say. It’s rare that you get that kind of closure.

So I clung to that when I knew the end was near. And I reminded myself of that when I got That Email and cried alone in an airline lounge at 4am. I referred back to it in the days that followed.

And then. Her family released an obituary and there was something in it where my reaction was like… woah. I did not know that. It wasn’t one of the (many) cool things she did. My friends are generally interesting people who I learn new things about each time we talk. But how she felt about something that I really believed she, of anyone, had figured out.

And I wish I had said, this is how I feel about this thing. And I wish I had heard how she felt about it. And of course now, I won’t.

For me, grief always comes with a side of guilt. How can I be sad, when other people will be more sad? I generally find trite the things we “learn” and “realise” when people we care about die. I think we know these things, we just don’t prioritise them.

Of course, though, trite is another word for common, and so I have channelled my feelings into making more of an effort with my friends. Maybe they find me needy and clingy lately. Maybe they attribute it to other reasons. Maybe they like it.

And I have been reflecting on the nature of friendship. I realise that friendship is not linear, recall that people come and go from our lives, and contemplate that I have never been able to predict who will end up being important in my life long term and who will be temporary.

Finally, I feel a deep sense of gratitude for the many wonderful people in my life who I am lucky enough to know and love. The people who adventure with me, inspire me,  support me practically – and emotionally. Who send me adorable animal pictures, call me on my shit, and push me to be a better human. I love y’all.

But seriously, #fuckcancer.

Cryptanalysis of Algebraic Eraser

Nov. 30th, 2015 06:05 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Algebraic Eraser is a public-key key-agreement protocol that's patented and being pushed by a company for the Internet of Things, primarily because it is efficient on small low-power devices. There's a new cryptanalytic attack.

This is yet another demonstration of why you should not choose proprietary encryption over public algorithms and protocols. The good stuff is not patented.

News article.

This Week

Nov. 29th, 2015 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate


“Tiny Raccoon has no regrets. Medium Sized Hedgehog does not judge.”


Spent the week in New Orleans hanging out with a friend, which has been great. We’ve had a pretty chill time, done some exploring, and it’s been awesome to spend more time with her. Also, I got a haircut.


Last week before things change dramatically. Working on finishing things up – finally made some progress on Show and Hide app store copy!!


Finished Yes Please, reading High Output Management.

Product links Amazon.


A new edition of Technically Speaking is out.

On The Internet

[syndicated profile] cakewrecks_feed

Posted by Jen

Confession Time: as much as I love all the Sweets I feature, it's the kids' cakes that thrill me the most.

From favorite childhood characters:

(By Alana Lily Chocolates & Cakes)


...to new ones I've just met and already love:

(By Sugar Top Cakes)


...to squee-inducing cuteness I just want to snuggle:

(By Bake-A-Boo)



Then there are colorful, guitar-rockin' monsters:

(By Phoenix Cake Company)


Dapper little owls:

(By Eunice Cake Designs)


...and the sweetest bees you ever did see:

(By Frosted Indulgence)

Just looking at this makes me happy. :)


When I was very young my parents let me buy a Little Twin Stars stationery set from Epcot, and even though I had no idea who they were, I've loved the pastel pair ever since.

And this is the best Little Twin Stars cake I've ever seen:

(By The Bunny Baker)

Kids' cakes, schmids' cakes. I'll take this one for my next birthday, thx.


Or how about this drop dead gorgeous Tangled tower?

(By Sabz Cakes)


Oooh! Or this little yellow submarine?

(By Über Angel Cakes)

Complete with a cutie-patootie pink seahorse!


And finally, since you all know I have a soft spot for adorable robots:

(By Isabella's Sweet Tooth)


Yep, this grown-up just wants kids' cakes from now on, guys. And I bet I'm not the only one, right?


Happy Sunday!



I link, therefore I spam

Nov. 28th, 2015 06:00 pm
[syndicated profile] geekfeminism_feed

Posted by spam-spam

We link to a variety of sources, some of which are personal blogs.  If you visit other sites linked herein, we ask that you respect the commenting policy and individual culture of those sites.

You can suggest links for future linkspams in comments here, or by using the “geekfeminism” tag on Pinboard, or Diigo; or the “#geekfeminism” tag on Twitter. Please note that we tend to stick to publishing recent links (from the last month or so).

Thanks to everyone who suggested links.

Friday Squid Blogging: Squid Necklace

Nov. 27th, 2015 04:19 pm
[syndicated profile] bruce_schneier_feed

Posted by schneier

She's calling it an octopus, but it's a squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

[syndicated profile] epbot_feed

Posted by Jen

I'm a big fan of MegaCon, Orlando's sci-fi convention that draws even more people than Dragon Con, if you can believe it, so I was pretty psyched when MC's owners announced a new, smaller event called "Fan Days." This 2-day con would offset the larger 4-day MegaCon coming next May.

This was Fan Days' first year, and there wasn't a lot of advance notice to the public, so attendance was a little sparse. Where MegaCon averages over 65,000 attendees, Fan Days was more in the 10,000 range. It was held in the same convention center, though, and had a surprisingly great lineup of A-list celebs, artists, and vendors.

So while business was a little slow for the workers, it was near perfection for us attendees. The big panel room for celebs was never more than half full, you could shop the vendor room with ease, and parking has never been faster. That said, there were still plenty of fellow geeks and cosplayers around to keep the atmosphere lively, and just enough crowds to make it feel like a con.

A conga line of Deadpools:

This Wonder Woman later won Best Comic Book Character in the costume contest:

Steampunk Lady Flash:


A Process for Writing an Abstract

Nov. 27th, 2015 01:00 pm
[syndicated profile] accidentallyincode_feed

Posted by Cate

spelling danbo

Credit: Flickr / Matt Newfield

As part of the Technically Speaking Anniversary last week I did two mentoring calls. Both of them focused on writing abstracts. This is cool, because one of the things I discovered when Chiu-Ki and I ran our workshop is that Abstract Writing is something of a speciality for me and I actually quite enjoy writing them for other people.

General Comments About Abstracts

  • Your abstract is a pitch for your talk. It’s when you sell the topic.
  • Your bio is where you sell yourself as a good person to speak about the topic.
  • It doesn’t need to be long.
  • Be concrete, but not overly detailed. E.g. specific takeaways are good, the details of how you get to them are unnecessary.

Three Lists

Think about your topic and make three lists.

  1. Why is this topic important.
  2. What things do you want people to take away from it.
  3. What points do you plan to cover.

List #3 is the easiest, but lists #1 and #2 are most useful for writing your abstract.

A Formula

[Strong statement about why this topic is important at a macro level]. [Specific points that tie your more narrow topic to this macro point].

This talk will cover [2-3 most important points], after which you will be able to [concrete audience takeaway].

Leftover Lolz

Nov. 27th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

Mmmmm, turkey leftovers.

Best part about Thanksgiving, am I right?




[wincing] Ooooh.




What the...?!



You know, on second thought, maybe we'll skip leftovers today and just have soup. Yeah. Soup is good.


Thanks to Alia P., Camille C., Cyndi V., Adry, & Sandra W. for pretty much guaranteeing we're about to get banned from Facebook again. I HOPE YOU'RE HAPPY, SANDRA.

Defending against Actual IT Threats

Nov. 27th, 2015 06:45 am
[syndicated profile] bruce_schneier_feed

Posted by schneier

Roger Grimes has written an interesting paper: "Implementing a Data-Driven Computer Security Defense." His thesis is that most organizations don't match their defenses to the actual risks. His paper explains how it got to be this way, and how to fix it.

[syndicated profile] cakewrecks_feed

Posted by Jen

It's Thanksgiving!


Just kidding. I know we're all on our phones, Facebooking about our racist relatives and how many times the smoke alarm's gone off.

Or maybe you don't even live in the U.S., and you're just here for our ridiculous American turkey cakes. [winkwink] [finger guns] AW YEAH.

Well, it just so happens...





With an extra side of:



Pamela thought this display looked familiar. Let's see if you agree:


(Via The Oatmeal)


And for that quintessentially American Thanksgiving experience:

Decapitated Scarecrow Clown!


Now get back out there and gooble, my friends.

Gooble 'til ya wooble.


Thanks given to Amandalyn V., Anony M., Jeanmarie D., Pamela R., Marsha H., & Izzy for their excellent wreckporting.



Turkey Soup

Nov. 26th, 2015 05:11 am
[syndicated profile] hypatia_dot_ca_feed

Posted by Leigh Honeywell

Lots of folks will be roasting turkeys tomorrow, and while there are a zillion recipes out there for turkey soup, this is the one I grew up with. My mum always said that it was better than the turkey itself, and while I’m a big fan of her perfectly brined birds, this soup really is sublime.



Save the bones if you’ve eaten the drumsticks etc. Once the pandemonium of the main meal is over, take all the leftover meat off the carcass and put it to one side – you’ll use some of it later.

Cover the carcass in water in a big pot. Add:

  • a couple of onions, peeled and cut in quarters
  • some celery (mainly the leaves for the stock-making process, you’ll use the stems later)
  • salt, pepper
  • a couple of tablespoons of thyme

Simmer for 2-3 hours. While it’s simmering, cook up about 3 cups of rice (more or less depending on how big a bird you’re working with). Mum uses plain white rice but last year I used 2 cups of basmati and one cup of wild rice and it was delicious, so be adventurous! Put the rice aside for later.

Once the stock has simmered adequately, strain it – carefully! Toss the bones and other solid parts.

There are two ways to de-fat your stock: chill the strained stock and skim the fat off the top of the gelled stock, or use a fat separator (I love my OXO Good Grips 4-Cup Fat Separator, which looks like a weirdly shaped measuring cup). You can skip this step but the soup will be a little greasier. It will still be delicious, don’t worry.

If you did the chilling step, bring soup back to boil. Either way, add:

  • the cooked rice
  • chopped celery
  • chopped turkey
  • salt and pepper to taste

Simmer for about another half an hour, then enjoy with rustic crackers, French bread, or other delicious carbs. A bit of Tabasco goes nicely too.

The soup freezes really well, so don’t be afraid to make lots!

If you enjoyed this recipe, you may also enjoy my mother’s English Bread Sauce recipe, which I posted a few years back.

Happy holidays!

Thursday 26 November 2015

Nov. 26th, 2015 01:32 am
[syndicated profile] lecta_feed

Posted by Mary

My main goal in being unemployed right now is to not launch entire new projects or businesses and so far I’m being very successful in restricting myself to a zine and maybe an eventually forthcoming short series of podcasts. But the zine — a very small run for a group of friends — was fun and not very hard. I like this trend of fun and not very hard. Next in fun and not very hard is my Christmas cards.

Zero businesses launched and not counting!

We’re building up to Australia’s all-in summer, compressing what the US, say, has to spend three periods (Thanksgiving, Christmas/late December, and their summer) on into six weeks beginning mid-December. We finally made it to Wet’n’Wild for the first time this summer. We picked a grey mild day for it, which was a good decision in most respects but it turns out there’s a downside to smaller crowds. Andrew took A home after a few hours to nap, and I discovered that no queuing means riding waterslides over and over and over and over, which means getting motion sick. Especially since Wet’n’Wild, in the parent-child scenario, makes the parent ride the raft facing backwards. But once I convinced a sceptical V to give me a break on the relentless stair climbing, raft-hauling, and being ill on slides, I had more fun. Wet’n’Wild is a two parent experience for sure. Liking speed and getting motion sick is my curse.

For better or for worse I’ve reached the age where my expat friends don’t come home for summer any more. So in the next few weeks we merely have a trip to my family, an extended family gathering, a friend’s annual houseparty, birthday drinks, the Google party for children, and carols. Also, hoping to squeeze a few beach trips in there. We are also rushing up on V’s last weeks at his current school, with three weeks to go yesterday. He is fortunately fairly excited if anything to go to a new, larger, school with children whom he knows from the neighbourhood. I still feel bad that he also won’t get the experience I longed for, of going to the same damn school for the whole primary years. A big part of my attraction to buying a house — in Sydney! — was to have access to that for them, so fingers crossed from here on in.

[syndicated profile] epbot_feed

Posted by Jen

My parents have been visiting this past week, so John and I took them out to Disney Springs (formerly Downtown Disney) to wander and see the newest additions. 

Chief on that list was Jock Lindsey's Hangar Bar, which really knocked my socks off with its incredible theming and fun atmosphere.

To give you an idea where my expectations were, I didn't even bring my camera. (Boops.) Here's hoping these shots from my iPhone will do!

As you walk up you'll see this nifty gear-driven crane holding the Hangar sign, already half obscured by nearby trees.

 The building itself is already decked out for Christmas, with colorful travel postcards tucked into the garlands and wreaths.

In case you need a refresher (as I did): Jock Lindsey was Indiana Jones' pilot in Raiders of the Lost Ark. As such, his bar is filled with exotic treasures and fun Easter eggs for fans to find.

 If you walk around the outside corner of the Bar, you'll see the wrap-around deck with unique "patio" seating:

And here's your first Easter egg: the boat is named after Jock's pet snake, Reggie.

Now let's go in!

Here's the view from the entry way:


After gawping at those gorgeous roof beams, I zeroed in on the diving bell chamber in the back right... which you can sit in.
[syndicated profile] geekfeminism_feed

Posted by Tiara

Most of this post is repurposed from a Metafilter Front Page Post made by the author of this GF post.

The Organization for Transformative Works, a fan-run organization that hosts significant fandom-culture projects including Archive of Our Own, one of the biggest fanfiction archives around, fandom history wiki FanLore, and peer-reviewed academic/aca-fan journal Transformative Works and Cultures, just had its 2015 Board elections, the first since 2011, and, like its predecessor, the election was very contentious before, during, and after the vote.

OTW had faced years of complaints about poor management, particularly with finances. This motivated 6 active OTW volunteers who’d never served on the board before – Matty Bowers, Aline Carrão, Atiya Hakeem, Katarina Harju, Alex Tisher, and Daniel Lamson – to run on a campaign of reform, better management, and greater transparency.

The other two nominees, Andrea Horbinski and Nikisha Sanders, were incumbent Board members – until Sanders was suddenly declared ineligible because of her resignation from staff roles at OTW. Sanders refutes the allegations, saying that she did not resign from all roles but was instead dismissed by the Board. Lamson withdrew his nomination soon after (while he was a friend of Sanders, it is unclear how much of his withdrawal was motivated by recent events), and the remaining nominees, minus Horbinski, condemned the Board’s actions, citing a significant conflict of interest.

Hakeem and Bowers won the top two spots in the election, and thus were elected into the two available seats on the Board. In an unexpected public meeting, and with no advance notice, the Board near-unanimously voted to appoint Horbinski to the previously-unavailable third chair of the Board. One member abstained, one was not present, and Horbinski voted on her appointment without declaring conflict of interest. There was significant outcry about this decision, with the OTW Elections committee pointing out that Horbinski had come in dead last in the elections and that this move was breaking precedent, and a vote of no confidence was called.

Very recently, the entire current board has resigned, with only Hakeem and Bowers remaining. They have pledged to maintain operations and publish a budget (one of the membership’s most significant demands) as soon as possible.

While Archive of Our Own has stated that operations will not be affected by current events at its parent organization, fans are understandably worried about the state of their fanwork and are calling on their fellow fans to back up their work. Daily Dot reporter Aja Romano, who had previously served on a committee at OTW, remarks that their caution about instability is not entirely unfounded, drawing parallels with the shutdown of the Ada Initiative soon after the departure of their Executive Director. (Interestingly, Horbinski was also on the Board of Directors for the Ada Initiative).

Fanfic writer M draws a comparison to arts non-profits: [content warning: potential ableist language]

I’ve always glossed it as “arts people are crazy”, or various more specific subclassifications (theatre people are crazy, musicians are crazy, opera people are crazy . . . ), with the full understanding that I am classing myself as an arts person. The really funny thing about arts people is that we can be totally sane in other areas of our lives, but then get crazy again when we move into the arts area. You can literally see people whose day jobs are administration for a major company and who are good at that, who suddenly do spectacularly unbelievably badly behaved things when they get into their arts life. I tend to consider this as coming from the fact that creative spaces make you vulnerable, which can throw you off your normal expectations about how the world works, what interactions are fair or not fair, and even what appropriate interpersonal behaviour is: the experience of singing with someone or acting with someone can be so viscerally intimate that you forget these are coworkers, not roommates, and professional behaviour standards apply. […] And the OTW is an arts org. It’s run for, and by, creatives and those who want to immerse themselves in the fruits of creativity. […]

Which is to say, while the OTW board fuckery is totally unacceptable and needs to be dealt with, nothing as yet is in any way out of my expectations for how fucking batshit, echo-chambery, cliquey, vindictive, flouncy, juvenile and simply ridiculous people running an arts org can get, particularly if they started out or are reinforced by being a clique external to that organisation as well. All their behaviour appears to have totally lost track of reality, but that’s totally within my expectation. (Which is why frankly my take on the whole board flouncing is that it’s a gift. Yes, it’ll make everything chaos and uproar for a while, but no seriously, gift. Do not waste it!)

Meanwhile, Metafilter commenter ErisLordFreedom notes these issues are relatively unsurprising, particularly around the budget:

The budget issue is a longstanding thing, and comes naturally from the growth out of “we have an awesome idea–let’s make an archive and other fun fannish things! Um, give us money for this!” and, as Franzi said at one point, “AO3 is Magic Mike and fandom’s been making it rain money.” At first, there was no budget because there was no plan–there were a bunch of fans who wanted an archive they owned, not subject to LJ’s caving to special interest groups or bogus Hollywood DMCA takedown notices. They had some practice with archive coding, with server software and hardware, and–rare among nonprofits–a legal team.

There was no point in making a budget before they ran into expenses, though; they didn’t want to spend another couple of years running financial plans and learning how nonprofits worked–they had talented people and people willing to throw money at them (with substantial overlap), and so decided to just do it–make an org, start an archive, and so on.

They knew that whatever plan they came up with, wouldn’t scale well, and there’d need to be org-wide adjustments as they grew. They’ve now hit that point. […]

Now they have more money, all their rough initial goals have been met […] and… they have to decide on specific goals with deadlines next. Is hard, switching from, “let us make ALL THE AWESOME!” to “we shall make X features on the archive by Y date.”


I think the lack of transparency comes from a belief that “this is complicated; the random-teenage tumblr fanbase wouldn’t understand, and we don’t want to deal with a bunch of stupid drama accusations every time we spend money on something some fan doesn’t think is necessary.” I think it’s likely there’s a tiny bit of shady dealing with the money–rounding up on expenses and all that, approvals given after the fact, etc.–but not at a level that hurts any of the org’s actual workings.

But it *will* be at that level if it doesn’t change, because they’ve gotten big enough to need an actual administrative infrastructure, instead of “we’ll record the chat meetings and someone will make notes.” And that shift is a big change, and not fun (and even less fun to explain to the public), and I understand why they were dragging their feet–and even why they wanted to keep the people they know and trust involved with the process.

Further links to discussion can be found in this round-up post, and this unofficial blog has served as a useful resource on the elections.

[syndicated profile] female_cs_feed

Posted by Gail Carmichael

When I started at Shopify in the summer, the only Ruby I knew was from reviewing a children's book, and I didn't know any Rails at all. So I needed to get up to speed, and fast. Michael Hartl's Ruby on Rails Tutorial was my first, and still my favourite, go-to resource.

You can buy a copy of Hartl's tutorial, or read it for free online. If you buy it, you can also get supplementary learning material like solution manuals and screencasts. So far, I've just been working through the online version and skipping the exercises found at the end of each chapter (though I think the exercises are worthwhile, especially if you are not using Rails at work in parallel to learning it).

The coolest thing about this tutorial is the partnership that Hartl set up with Cloud9, a cloud-based development environment. When you're just getting started with something new, it is very helpful to avoid the headaches that inevitably come with setting up your own machine for development. Instead, you can use the tutorial-specific, preconfigured workspace on Cloud9 that leaves out only exactly what Hartl wants to walk you through. It's also really easy to deploy to Heroku from Cloud9, allowing you to easily test your website in production.

The structure of the book is well thought out. You get to make a fully functioning, if simplistic, web app in the first chapter using the automation tools available in Rails.  In the next couple of chapters, some of the key concepts of Rails are introduced and you learn to create static pages.  Chapter 4 delves into some Ruby-specific programming concepts. I'm not sure how well a beginner would be able to program after reading a single chapter, but then again, I'm not sure how good at programming you even have to be to write a small, straightforward Rails app anyway.

After the introductory chapters, the rest of the book is devoted to creating a Twitter-like micro-post website. A lot of the initial focus is on users, which makes sense pedagogically: it allows the learner to focus on the key concepts surrounding information stored in a database with a single model, which makes it a lot less confusing. The downside is that you don't get to the actual micro-posts, the meat of this particular application, until chapter 11. I found myself losing interest by then.

Overall, though, this is a great way to learn Rails, especially if you have some programming background, and probably even without any. The language is clear, direct, simple, and friendly. The examples are carefully designed to introduce as few concepts at a time as possible. Highly recommended.

Breach at IT Automation Firm LANDESK

Nov. 25th, 2015 03:59 pm
[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

LANDESK, a company that sells software to help organizations securely and remotely manage their fleets of desktop computers, servers and mobile devices, alerted employees last week that a data breach may have exposed their personal information. But LANDESK employees contacted by this author say the breach may go far deeper for the company and its customers.

The South Jordan, Utah-based LANDESK makes and markets software that helps organizations manage all users, platforms and devices from a single digital dashboard. The company’s software specializes in automating and integrating IT systems management, endpoint security management, service management, IT asset management, and mobile device management.

On Nov. 18, 2015, LANDESK sent a letter to current and former employees warning of an intrusion, stating that “it is possible that, through this compromise, hackers obtained personal information, including names and Social Security numbers, of some LANDESK employees and former Wavelink employees.”

LANDESK declined to answer questions for this story. But the company did share a written statement that mirrors much of the text in the letter sent to affected employees:

“We recently became aware of some unusual activity on our systems and immediately initiated safeguards as a precaution and began an investigation. As part of our ongoing investigation in partnership with a leading computer forensics firm, we recently learned that a small amount of personally identifiable information for a limited number of our employees may have been accessible during the breach. While no data compromises of personally identifiable information are confirmed at this point, we have reached out with information and security resources to individuals who may have been affected. The security of our networks is our top priority and we are acting accordingly.”

“The few employees who may have been affected were notified promptly, and at this point the impact appears to be quite small.”

According to a LANDESK employee who spoke on condition of anonymity, the breach was discovered quite recently, but system logs show the attackers first broke into LANDESK’s network 17 months ago, in June 2014.

The employee, we’ll call him “John,” said the company only noticed the intrusion when several co-workers started complaining of slow Internet speeds. A LANDESK software developer later found that someone in the IT department had been logging into his build server, so he asked them about it. The IT department said it knew nothing of the issue.

John said further investigation showed that the attackers were able to compromise the passwords of the global IT director in Utah and another domain administrator from China.

“LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,” John said. “They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK’s web servers, and downloading it.”

The implications are potentially far reaching. This breach happened more than a year and a half ago, during which time several versions and fixes of LANDESK software have been released. LANDESK has thousands of customers in all areas of commerce. By compromising LANDESK and embedding a back door directly in their source code, the attackers could have access to a large number of computers and servers worldwide.

The wholesale theft of LANDESK source code also could make it easier for malware and exploit developers to find security vulnerabilities in the company’s software.

A LANDESK spokesperson would neither confirm nor deny the date of the breach or the source code theft, saying only that the investigation into the breach is ongoing and that the company “won’t comment on speculation.”

Update, 6:51 p.m. ET: Landesk just posted a statement on its support site. The relevant bit is here: “Given the recent online speculation about the security of our product, we want to reassure you about the security of our products and provide some best practices to help you increase your security posture if needed.  We can’t comment on the specifics of the investigation, but based on the information we know so far, we have not confirmed a risk to our customers’ environments, and there are no known primary attack vectors using LANDESK software.”

Wrecks of Plenty

Nov. 25th, 2015 02:00 pm
[syndicated profile] cakewrecks_feed

Posted by Jen

According to Wikipedia, the cornucopia - or "horn of plenty" - is typically a hollow, horn-shaped wicker basket filled with various kinds of festive fruit and vegetables.

According to Wreckerators, this is a cornucopia:

Where "festive fruit and vegetables" = "neon holographic plastic flotsam bits."


And this:

"Is that a vomiting tornado in your cart, or are you just sorry to see me?"


I refuse to believe this next one is anything other than a pile of tiny Wizard hats:

How many tiny Gandalfs had to die for this cookie cornucopia cake, huh? HOW MANY??


Fortunately, some of you knew better than to order a cornucopia cake. You ordered one of these lovely turkey ice cream cakes, instead:

So at least you have that to look forward to.

Heh. Aheh.

[keep scrolling]



Oh, I'm sorry, do you still have an appetite? Here, let me help you with that:

Just think, "Charred and slimey." Thaaat oughta do it.


So in conclusion, tomorrow, remember to:

"Goble Goble,"



But only one. Times are tough these days.


A very special "thank" to Diana T., Pam M., Sarah H., Tracy B., Sarah B., Linda S., & Emily G. (You guys will have to share.)


Thank you for using our Amazon links to shop! USA, UK, Canada.

[syndicated profile] accidentallyincode_feed

Posted by Cate

Danbo want to use my smart phone

Credit: Wikimedia

I suspect one of my limitations as a programmer is that I don’t hack. I don’t beat away at something until it works. I read things, and I reason about it, and I write a lot of tests.

This makes me very effective on platforms I’m familiar with, but I worry I’m as a result not as effective when I’m picking new things up as someone who will just hack away. I’m searching for the moment when things start to make sense.

I’ve done some Android over the past few years. I really wanted to learn it, but when I started working on it, it really wasn’t that fun. It was an over-engineered codebase, and as I tried to find my way in it, the feedback I got in code review was often of the “I would have done it differently” variety. Often that way didn’t even work, so that was… rewarding.

The first breakthrough was that a lot of stuff is just more work than iOS. For instance, if you want to take a photo on iOS you just like… launch the camera and implement the delegate.

If you want to take a photo on Android, you mount the hard drive, allocate space for the photo, launch the intent, and handle it returning. I always thought managing hardware and memory was a job for the Operating System, but what do I know about Operating System design, anyway.

Aside: as I learned this lesson one of the guys I worked with told me that I must be wrong about how annoying it is to take a photo on Android. Then – once I had got it working – sent me a code review of his from a previous project and said (I paraphrase) “that is the right way to do it actually, because that’s how I did it too”.

So I returned to Android this year with a degree of trepidation. I really wanted to be better at it, but based on what I’d learned so far about it, mainly I was happy in Java and I’d learned maybe how not to do some things, but as I’ve commented before, that doesn’t always teach you that much.

Last week was the ~2nd week this year where I was able to focus on Android and things finally started to click. It was so exciting, because now I feel like I can pick up small bugs here and there, whereas before I felt I needed minimum 2 days to make progress. It’s like going from navigating with a compass to having a compass AND a (slightly fuzzy) map.

The big thing that clicked was understanding the ways in which the platform encourages bad design.

On iOS, that thing is mixing View Code and Control Code. The more tools I add to my arsenal to handle that, the better architected my iOS apps became. There’s another area of mixing model and persistence code. Really on iOS the design problem is mixing things that would be better separated. Learn that, make an effort to keep things apart, and everything seems more possible.

On Android things are very separated. This is not a problem you run into. The view is defined in xml. Any background processing work needs to live in a “service”. In fact on Android separation of things goes so far the other way, that the problem is state. When you rotate your phone, the activity gets recreated. So if you have anything with state, you need to save that state. If you have anything that might be happening in the background, you need to handle getting the same service.

This means:

  • I don’t even know how you would get a stateful Android app working without Dependency Injection (luckily I had Chiu-Ki to help me with this, because it’s tricky).
  • This encourages the use of Singletons (ai!) because it’s an easy way to make sure you get the same service when the phone is rotated.
  • Automated dependency injection is nice and good for testing, but it can allow you to have very complex object relationships. I don’t see it as some panacea for good design, more as a something that obfuscates bizarre things you have done.

This is an app I’ve been porting over from iOS and it’s fascinating to me what’s different. Some things were easier, and some things were harder. But, Android makes a lot more sense, and I got things working enough to send out a beta, so that is exciting.

[syndicated profile] bruce_schneier_feed

Posted by schneier

Newly declassified: "A History of U.S. Communications Security (Volumes I and II)," the David G. Boak Lectures, National Security Agency (NSA), 1973. (The document was initially declassified in 2008. We just got a whole bunch of additional material declassified. Both versions are in the document, so you can compare and see what was kept secret seven years ago.)

[syndicated profile] krebsonsecurity_feed

Posted by BrianKrebs

Two months after KrebsOnSecurity first reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems.

According to a statement released after markets closed on Tuesday, the breach persisted over a 17-week period from Nov. 18, 2014 to Dec. 5, 2014, or April 21 to July 27, 2015.

“Hilton Worldwide (NYSE: HLT) has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company said. “Hilton immediately launched an investigation and has further strengthened its systems.”

Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).

The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties — as previously reported here.

The announcement from Hilton comes just five days after Starwood Hotel & Resorts Worldwide — including some 50 Sheraton and Westin locations — was hit by a similar breach that lasted nearly six months.

Starwood and Hilton join several other major hotel brands in announcing a malware-driven credit card data breach over the past year. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging allowed that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.

[syndicated profile] bruce_schneier_feed

Posted by schneier

In 2001, the Bush administration authorized -- almost certainly illegally -- the NSA to conduct bulk electronic surveillance on Americans: phone calls, e-mails, financial information, and so on. We learned a lot about the bulk phone metadata collection program from the documents provided by Edward Snowden, and it was the focus of debate surrounding the USA FREEDOM Act. E-mail metadata surveillance, however, wasn't part of that law. We learned the name of the program -- STELLAR WIND -- when it was leaked in 2004. But supposedly the NSA stopped collecting that data in 2011, because it wasn't cost-effective.

"The internet metadata collection program authorized by the FISA court was discontinued in 2011 for operational and resource reasons and has not been restarted," Shawn Turner, the Obama administration's director of communications for National Intelligence, said in a statement to the Guardian.

When Turner said that in 2013, we knew from the Snowden documents that the NSA was still collecting some Americans' Internet metadata from communications links between the US and abroad. Now we have more proof. It turns out that the NSA never stopped collecting e-mail metadata on Americans. They just cancelled one particular program and changed the legal authority under which they collected it.

The report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.'s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court.


The N.S.A. had long barred analysts from using Americans' data that had been swept up abroad, but in November 2010 it changed that rule, documents leaked by Edward J. Snowden have shown. The inspector general report cited that change to the N.S.A.'s internal procedures.

The other replacement source for the data was collection under the FISA Amendments Act of 2008, which permits warrantless surveillance on domestic soil that targets specific noncitizens abroad, including their new or stored emails to or from Americans.

In Data and Goliath, I wrote:

Some members of Congress are trying to impose limits on the NSA, and some of their proposals have real teeth and might make a difference. Even so, I don't have any hope of meaningful congressional reform right now, because all of the proposals focus on specific programs and authorities: the telephone metadata collection program under Section 215, bulk records collection under Section 702, and so on. It's a piecemeal approach that can't work. We are now beyond the stage where simple legal interventions can make a difference. There's just too much secrecy, and too much shifting of programs amongst different legal justifications.

The NSA continually plays this shell game with Congressional overseers. Whenever an intelligence-community official testifies that something is not being done under this particular program, or this particular authority, you can be sure that it's being done under some other program or some other authority. In particular, the NSA regularly uses rules that allow them to conduct bulk surveillance outside the US -- rules that largely evade both Congressional and Judicial oversight -- to conduct bulk surveillance on Americans. Effective oversight of the NSA is impossible in the face of this level of misdirection and deception.

[syndicated profile] cakewrecks_feed

Posted by john (the hubby of Jen)

And now...

Cats Reacting To Simple Misspellings

And finally:

Thanys to Sariah S., Kristi W., Erica S., Iryna S., Ginny M., Kelly R., & Kelsey K. for giving us some bunny to love.



[syndicated profile] bruce_schneier_feed

Posted by schneier

In 2013, in the early days of the Snowden leaks, Harvard Law School professor and former Assistant Attorney General Jack Goldsmith reflected on the increase in NSA surveillance post 9/11. He wrote:

Two important lessons of the last dozen years are (1) the government will increase its powers to meet the national security threat fully (because the People demand it), and (2) the enhanced powers will be accompanied by novel systems of review and transparency that seem to those in the Executive branch to be intrusive and antagonistic to the traditional national security mission, but that in the end are key legitimating factors for the expanded authorities.

Goldsmith is right, and I think about this quote as I read news articles about surveillance policies with headlines like "Political winds shifting on surveillance after Paris attacks?"

The politics of surveillance are the politics of fear. As long as the people are afraid of terrorism -- regardless of how realistic their fears are -- they will demand that the government keep them safe. And if the government can convince them that it needs this or that power in order to keep the people safe, the people will willingly grant them those powers. That's Goldsmith's first point.

Today, in the wake of the horrific and devastating Paris terror attacks, we're at a pivotal moment. People are scared, and already Western governments are lining up to authorize more invasive surveillance powers. The US wants to back-door encryption products in some vain hope that the bad guys are 1) naive enough to use those products for their own communications instead of more secure ones, and 2) too stupid to use the back doors against the rest of us. The UK is trying to rush the passage of legislation that legalizes a whole bunch of surveillance activities that GCHQ has already been doing to its own citizens. France just gave its police a bunch of new powers. It doesn't matter that mass surveillance isn't an effective anti-terrorist tool: a scared populace wants to be reassured.

And politicians want to reassure. It's smart politics to exaggerate the threat. It's smart politics to do something, even if that something isn't effective at mitigating the threat. The surveillance apparatus has the ear of the politicians, and the primary tool in its box is more surveillance. There's minimal political will to push back on those ideas, especially when people are scared.

Writing about our country's reaction to the Paris attacks, Tom Engelhardt wrote:

...the officials of that security state have bet the farm on the preeminence of the terrorist 'threat,' which has, not so surprisingly, left them eerily reliant on the Islamic State and other such organizations for the perpetuation of their way of life, their career opportunities, their growing powers, and their relative freedom to infringe on basic rights, as well as for that comfortably all-embracing blanket of secrecy that envelops their activities.

Goldsmith's second point is more subtle: when these power increases are made in public, they're legitimized through bureaucracy. Together, the scared populace and their scared elected officials serve to make the expanded national security and law enforcement powers normal.

Terrorism is singularly designed to push our fear buttons in ways completely out of proportion to the actual threat. And as long as people are scared of terrorism, they'll give their governments all sorts of new powers of surveillance, arrest, detention, and so on, regardless of whether those powers actually combat the actual threat. This means that those who want those powers need a steady stream of terrorist attacks to enact their agenda. It's not that these people are actively rooting for the terrorists, but they know a good opportunity when they see it.

We know that the PATRIOT Act was largely written before the 9/11 terrorist attacks, and that the political climate was right for its introduction and passage. More recently:

Although "the legislative environment is very hostile today," the intelligence community's top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, "it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement."

The Paris attacks could very well be that event.

I am very worried that the Obama administration has already secretly told the NSA to increase its surveillance inside the US. And I am worried that there will be new legislation legitimizing that surveillance and granting other invasive powers to law enforcement. As Goldsmith says, these powers will be accompanied by novel systems of review and transparency. But I have no faith that those systems will be effective in limiting abuse any more than they have been over the last couple of decades.


Page generated Nov. 30th, 2015 08:37 pm
Powered by Dreamwidth Studios