Current Berkman People and Projects

Keep track of Berkman-related news and conversations by subscribing to this page using your RSS feed reader. This aggregation of blogs relating to the Berkman Center does not necessarily represent the views of the Berkman Center or Harvard University but is provided as a convenient starting point for those who wish to explore the people and projects in Berkman's orbit. As this is a global exercise, times are in UTC.

The list of blogs being aggregated here can be found at the bottom of this page.

August 29, 2016

Ivan Sigal
Aug 29, 2016 @ 10:50 EST

Dear Anton,

I have difficulty with the perspective of middle distance. We privilege urgency of detail, the proximate or immediate, or we reflect and abstract, considering scale and distance from a remove. What falls between feels like blindness.

It may be the incessant claims of a present-driven Internet, in which even the strongest ideas and images are shoved aside by an effusion of immanence. It may be the narrow, reflex-like seeing of the cyclist, spotting potholes, wet leaves, a deer poised to spring across the road.

And then, it may be our need to simplify, to compare and sort, to put to rest the nagging complexities that fill our days. It may be the longing that arises when looking at maps, at globes, at mountain landscapes, at horizon lines. 

There is the middle ground of a long project, a career, a relationship. Far enough away from the beginning that the origin myth is dim, too far from the conclusion to clearly see its contours. 

The middle ground is both a description of scenic space in images, an area of compromise, and a logical fallacy, in which we confuse the middle position for the correct answer.

If big data is the obsession of every entrepreneur lusting for exponential returns or world-ordering social scientist, there is also the realm of small data, of the designers of human experience, of the granular examination of our intimate patterns, of historians and deep readers. 

And curiously, the aspect ratio of most photographic lenses privileges precisely this space, for the middle ground is also human terrain. The ubiquitous smartphone lenses that create the distorted faces in our selfies are more suited to capturing theatrical space – from an embrace or a strike, to a conversation, or a dinner party.

This morning, I thought to send you an image of crease marks on skin, and then, of the lines of my hand, and then, a photogram of the mottled, late-summer leaves of my dogwood. Instead, I am looking for a limping stride, for an upthrust chin and a turned head, for the grip of a hand on an arm.

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters, @ivansigal and @antonkusters on Instagram ///

by Ivan Sigal at August 29, 2016 02:50 PM

Bruce Schneier
Apple Patents Collecting Biometric Information Based on Unauthorized Device Use

Apple received a patent earlier this year on collecting biometric information of an unauthorized device user. The obvious application is taking a copy of the fingerprint and photo of someone using a stolen smartphone.

Note that I have no opinion on whether this is a patentable idea or the patent is valid.

by Bruce Schneier at August 29, 2016 11:27 AM

August 28, 2016

Bruce Schneier
The NSA Is Hoarding Vulnerabilities

The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the Internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers. Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe.

On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the Internet. Near as we experts can tell, the NSA network itself wasn't hacked; what probably happened was that a "staging server" for NSA cyberweapons -- that is, a server the NSA was making use of to mask its surveillance activities -- was hacked in 2013.

The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: "!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?"

Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee -- or other high-profile data breaches -- the Russians will expose NSA exploits in turn.

But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and "exploit code" that can be deployed against common Internet security systems. Products targeted include those made by Cisco, Fortinet, TOPSEC, Watchguard, and Juniper -- systems that are used by both private and government organizations around the world. Some of these vulnerabilities have been independently discovered and fixed since 2013, and some had remained unknown until now.

All of them are examples of the NSA -- despite what it and other representatives of the US government say -- prioritizing its ability to conduct surveillance over our security. Here's one example. Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGNCERTAIN that tricks certain Cisco firewalls into exposing some of their memory, including their authentication passwords. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls' security. Cisco hasn't sold these firewalls since 2009, but they're still in use today.

Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes.

Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard "zero days" -- the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use).

Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that the US doesn't stockpile zero-days (except for the same narrow exemption). An official statement from the White House in 2014 said the same thing.

The Shadow Brokers data shows this is not true. The NSA hoards vulnerabilities.

Hoarding zero-day vulnerabilities is a bad idea. It means that we're all less secure. When Edward Snowden exposed many of the NSA's surveillance programs, there was considerable discussion about what the agency does with vulnerabilities in common software products that it finds. Inside the US government, the system of figuring out what to do with individual vulnerabilities is called the Vulnerabilities Equities Process (VEP). It's an inter-agency process, and it's complicated.

There is a fundamental tension between attack and defense. The NSA can keep the vulnerability secret and use it to attack other networks. In such a case, we are all at risk of someone else finding and using the same vulnerability. Alternatively, the NSA can disclose the vulnerability to the product vendor and see it gets fixed. In this case, we are all secure against whoever might be using the vulnerability, but the NSA can't use it to attack other systems.

There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Leaving aside the question of whether that remaining 9 percent represents 1, 10, or 1,000 vulnerabilities, there's the bigger question of what qualifies in the NSA's eyes as a "vulnerability."

Not all vulnerabilities can be turned into exploit code. The NSA loses no attack capabilities by disclosing the vulnerabilities it can't use, and doing so gets its numbers up; it's good PR. The vulnerabilities we care about are the ones in the Shadow Brokers data dump. We care about them because those are the ones whose existence leaves us all vulnerable.

Because everyone uses the same software, hardware, and networking protocols, there is no way to simultaneously secure our systems while attacking their systems -- whoever "they" are. Either everyone is more secure, or everyone is more vulnerable.

Pretty much uniformly, security experts believe we ought to disclose and fix vulnerabilities. And the NSA continues to say things that appear to reflect that view, too. Recently, the NSA told everyone that it doesn't rely on zero days -- very much, anyway.

Earlier this year at a security conference, Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) organization -- basically the country's chief hacker -- gave a rare public talk, in which he said that credential stealing is a more fruitful method of attack than are zero days: "A lot of people think that nation states are running their operations on zero days, but it's not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive."

The distinction he's referring to is the one between exploiting a technical hole in software and waiting for a human being to, say, get sloppy with a password.

A phrase you often hear in any discussion of the Vulnerabilities Equities Process is NOBUS, which stands for "nobody but us." Basically, when the NSA finds a vulnerability, it tries to figure out if it is unique in its ability to find it, or whether someone else could find it, too. If it believes no one else will find the problem, it may decline to make it public. It's an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique American ability to conduct vulnerability research.

The vulnerabilities in the Shadow Brokers data dump are definitely not NOBUS-level. They are run-of-the-mill vulnerabilities that anyone -- another government, cybercriminals, amateur hackers -- could discover, as evidenced by the fact that many of them were discovered between 2013, when the data was stolen, and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world.

So what are all these vulnerabilities doing in a secret stash of NSA code that was stolen in 2013? Assuming the Russians were the ones who did the stealing, how many US companies did they hack with these vulnerabilities? This is what the Vulnerabilities Equities Process is designed to prevent, and it has clearly failed.

If there are any vulnerabilities that -- according to the standards established by the White House and the NSA -- should have been disclosed and fixed, it's these. That they have not been during the three-plus years that the NSA knew about and exploited them -- despite Joyce's insistence that they're not very important -- demonstrates that the Vulnerabilities Equities Process is badly broken.

We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance. A good place to start is the recommendations by Ari Schwartz and Rob Knake in their report: these include a clearly defined and more public process, more oversight by Congress and other independent bodies, and a strong bias toward fixing vulnerabilities instead of exploiting them.

And as long as I'm dreaming, we really need to separate our nation's intelligence-gathering mission from our computer security mission: we should break up the NSA. The agency's mission should be limited to nation state espionage. Individual investigation should be part of the FBI, cyberwar capabilities should be within US Cyber Command, and critical infrastructure defense should be part of DHS's mission.

I doubt we're going to see any congressional investigations this year, but we're going to have to figure this out eventually. In my 2014 book Data and Goliath, I write that "no matter what cybercriminals do, no matter what other countries do, we in the US need to err on the side of security by fixing almost all the vulnerabilities we find..." Our nation's cybersecurity is just too important to let the NSA sacrifice it in order to gain a fleeting advantage over a foreign adversary.

This essay previously appeared on Vox.com.

EDITED TO ADD (8/27): The vulnerabilities were seen in the wild within 24 hours, demonstrating how important they were to disclose and patch.

James Bamford thinks this is the work of an insider. I disagree, but he's right that the TAO catalog was not a Snowden document.

People are looking at the quality of the code. It's not that good.

by Bruce Schneier at August 28, 2016 05:41 AM

August 26, 2016

Bruce Schneier
Friday Squid Blogging: Self-Repairing Fabrics Based on Squid Teeth

Really:

As shown in the video below, researchers at Pennsylvania State University recently developed a polyelectrolyte liquid solution made of bacteria and yeast that automatically mends clothes.

It doesn't have a name yet, but it's almost miraculous. Simply douse two halves of a ripped fabric in the stuff, hold them together under warm water for about 60 seconds, and the fabric closes the gaps and clings together once more. Having a bit of extra fabric on hand does seem to help, as the video mainly focuses on patching holes rather than re-knitting two halves of a torn piece.

The team got the idea by observing how proteins in squid teeth and human hair are able to self-replicate. Then, they recreated the process using more readily available materials. Best of all, it works with almost all natural fabrics.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

by Bruce Schneier at August 26, 2016 09:30 PM

Collision Attacks Against 64-Bit Block Ciphers

We've long known that 64 bits is too small for a block cipher these days. That's why new block ciphers like AES have 128-bit, or larger, block sizes. The insecurity of the smaller block is nicely illustrated by a new attack called "Sweet32." It exploits the ability to find block collisions in Internet protocols to decrypt some traffic, even though the attackers never learn the key.

Paper here. Matthew Green has a nice explanation of the attack. And some news articles. Hacker News thread.

by Bruce Schneier at August 26, 2016 07:19 PM
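To make the collision argument in the Sweet32 post concrete, here is an added example in Python. It is not code from the Sweet32 paper or from Schneier's post: a toy Feistel permutation stands in for a 64-bit cipher such as 3DES or Blowfish, CBC mode is run over it, and the first repeated ciphertext block is used to recover one plaintext block from a known one without ever touching the key. The block width, key and plaintexts are all constructed for the demo; the width is shrunk to 24 bits so the collision shows up after a few thousand blocks, and the birthday-bound helper shows why the same attack needs roughly 2^32 blocks (tens of gigabytes under one key) at 64 bits and is out of reach at 128.

```python
import hashlib
import math
import random


def feistel_permute(block: int, key: bytes, half_bits: int, rounds: int = 4) -> int:
    """Toy balanced Feistel permutation on a 2*half_bits-bit block.

    A Feistel network is a bijection on the block whatever the round
    function is, and a bijection is the only property the CBC collision
    argument needs. This is a stand-in for DES/3DES/Blowfish (added
    example, not the Sweet32 paper's code); the width is a parameter so
    the demo can run where a collision is cheap to find.
    """
    mask = (1 << half_bits) - 1
    left, right = (block >> half_bits) & mask, block & mask
    for rnd in range(rounds):
        digest = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(8, "big")).digest()
        left, right = right, left ^ (int.from_bytes(digest[:8], "big") & mask)
    return (left << half_bits) | right


def cbc_encrypt(plaintext_blocks, key: bytes, iv: int, block_bits: int):
    """CBC mode: C_0 = IV, C_i = E_K(P_i XOR C_{i-1}). Returns [C_0, C_1, ...]."""
    ciphertext = [iv]
    prev = iv
    for p in plaintext_blocks:
        prev = feistel_permute(p ^ prev, key, block_bits // 2)
        ciphertext.append(prev)
    return ciphertext


def find_collision(ciphertext_blocks):
    """First pair (i, j) with 1 <= i < j and C_i == C_j, or None.

    A passive attacker only needs to watch ciphertext go by and remember
    which block values it has already seen.
    """
    seen = {}
    for idx in range(1, len(ciphertext_blocks)):
        c = ciphertext_blocks[idx]
        if c in seen:
            return seen[c], idx
        seen[c] = idx
    return None


def leaked_xor(ciphertext_blocks, i: int, j: int) -> int:
    """C_i == C_j means the cipher inputs were equal (E_K is a bijection):
    P_i ^ C_{i-1} == P_j ^ C_{j-1}, hence P_i ^ P_j == C_{i-1} ^ C_{j-1}.
    The key plays no part."""
    return ciphertext_blocks[i - 1] ^ ciphertext_blocks[j - 1]


def expected_blocks_for_collision(block_bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**n) blocks before the first
    repeated ciphertext block. For n = 64 that is about 5.4e9 blocks."""
    return math.sqrt(math.pi / 2 * 2.0 ** block_bits)


def demo(block_bits: int = 24, num_blocks: int = 40_000):
    """Run the collision attack on a shrunken block so it finishes instantly.

    Key, IV and plaintexts are constructed for the demo. The block the
    attacker already knows plays the role of traffic they injected; the
    other block is the secret they recover.
    """
    key = b"sweet32-demo-key"  # constructed demo key, not a real secret
    rng = random.Random(2016)
    plain = [rng.getrandbits(block_bits) for _ in range(num_blocks)]
    iv = rng.getrandbits(block_bits)
    cipher = cbc_encrypt(plain, key, iv, block_bits)
    hit = find_collision(cipher)
    if hit is None:
        return None
    i, j = hit
    # cipher[k] encrypts plain[k-1] because cipher[0] is the IV.
    # Attacker knows P_j (they sent it) and wants P_i (the secret).
    recovered = leaked_xor(cipher, i, j) ^ plain[j - 1]
    return {"i": i, "j": j, "recovered": recovered, "actual": plain[i - 1]}


if __name__ == "__main__":
    result = demo()
    print("collision at blocks", result["i"], result["j"],
          "recovered == actual:", result["recovered"] == result["actual"])
    for n in (24, 64, 128):
        print(f"{n}-bit block: ~{expected_blocks_for_collision(n):.3g} blocks to first collision")
```

The check a practitioner takes from this is the one the numbers make obvious: the attack costs nothing but traffic volume, so for any 64-bit cipher still in use, count the blocks sent under one key and rekey or migrate well before 2^32 of them.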

ProjectVRM
It’s People vs. Advertising, not Publishers vs. Adblockers

By now hundreds of millions of people have gone to the privacy aisles of the pharmacy departments in their local app stores and chosen a brand of sunblock to protect themselves from unwanted exposure to the harmful rays of advertising online.

There are many choices among potions on those shelves, but basically they do one, two or three of these things:

[image: blockers]

The most popular ad blocker, Adblock Plus, is configurable to do all three, but defaults to allow “acceptable”* ads and not to block tracking.

Tracking protection products, such as Baycloud Bouncer, Ghostery, Privacy Badger and RedMorph, are not ad blockers, but can be mistaken for them. (That’s what happens for me when I’m looking at Wired through Privacy Badger on Firefox.)

It is important to recognize these distinctions, for two reasons:

  1. Ad blocking, allowing “acceptable” ads, and tracking protection are different things.
  2. All three of those things answer market demand. They are clear evidence of the marketplace at work.

Meanwhile, nearly all press coverage of what’s going on here defaults to “(name of publisher or website here) vs. ad blockers.”

This  misdirects attention away from what is actually going on: people making choices in the open market to protect themselves from intrusions they do not want.

Ad blocking and tracking protection are effects, not causes. Blame for them should not go to the people protecting themselves, or to those providing them with means for protection, but to the sources and agents of harm. Those are:

  1. Companies producing ads (aka brands)
  2. Companies distributing the ads
  3. Companies publishing the ads
  4. All producers of unwanted tracking

That’s it.

Until we shift discussion to the simple causes and effects of supply and demand, with full respect for individual human beings and the legitimate choices they make in the open marketplace, to protect the sovereign personal spaces in their lives online, we’ll be stuck in war and sports coverage that misses the simple facts underlying the whole damn thing.

Until we get straight what’s going on here, we won’t be able to save those who pay for and benefit from advertising online.

Which I am convinced we can do. I’ve written plenty about that already here.

* These are controversial. I don’t go into that here, however, because I want to shift attention from spin to facts.

 

 


by Doc Searls at August 26, 2016 09:18 AM

August 25, 2016

Justin Reich
A New 21st Century Educational Leadership Curriculum
To help future educational leaders embrace 21st-century learning, this online course models best practices and immerses them in a new learning experience.

by Beth Holland at August 25, 2016 07:57 PM

Bruce Schneier
Confusing Security Risks with Moral Judgments

Interesting research that shows we exaggerate the risks of something when we find it morally objectionable.

From an article about and interview with the researchers:

To get at this question experimentally, Thomas and her collaborators created a series of vignettes in which a parent left a child unattended for some period of time, and participants indicated the risk of harm to the child during that period. For example, in one vignette, a 10-month-old was left alone for 15 minutes, asleep in the car in a cool, underground parking garage. In another vignette, an 8-year-old was left for an hour at a Starbucks, one block away from her parent's location.

To experimentally manipulate participants' moral attitude toward the parent, the experimenters varied the reason the child was left unattended across a set of six experiments with over 1,300 online participants. In some cases, the child was left alone unintentionally (for example, in one case, a mother is hit by a car and knocked unconscious after buckling her child into her car seat, thereby leaving the child unattended in the car seat). In other cases, the child was left unattended so the parent could go to work, do some volunteering, relax or meet a lover.

Not surprisingly, the parent's reason for leaving a child unattended affected participants' judgments of whether the parent had done something immoral: Ratings were over 3 on a 10-point scale even when the child was left unattended unintentionally, but they skyrocketed to nearly 8 when the parent left to meet a lover. Ratings for the other cases fell in between.

The more surprising result was that perceptions of risk followed precisely the same pattern. Although the details of the cases were otherwise the same -- that is, the age of the child, the duration and location of the unattended period, and so on -- participants thought children were in significantly greater danger when the parent left to meet a lover than when the child was left alone unintentionally. The ratings for the other cases, once again, fell in between. In other words, participants' factual judgments of how much danger the child was in while the parent was away varied according to the extent of their moral outrage concerning the parent's reason for leaving.

by Bruce Schneier at August 25, 2016 04:48 PM

David Weinberger
Five minutes of hope

What I find most remarkable about this exchange: So few conversations begin with the request for help changing one’s own mind.

The post Five minutes of hope appeared first on Joho the Blog.

by davidw at August 25, 2016 12:59 PM

August 24, 2016

Bruce Schneier
Interesting Internet-Based Investigative Techniques

In this article, detailing the Australian and then worldwide investigation of a particularly heinous child-abuse ring, there are a lot of details of the pedophiles' security practices and the police investigative techniques. The abusers had a detailed manual on how to scrub metadata and avoid detection, but not everyone was perfect. The police used information from a single camera to narrow down the suspects. They also tracked a particular phrase one person used to find him.

This story shows an increasing sophistication of the police using small technical clues combined with standard detective work to investigate crimes on the Internet. A highly painful read, but interesting nonetheless.

by Bruce Schneier at August 24, 2016 02:30 PM

August 23, 2016

Ivan Sigal
A conversation with a friend

Over the past few months, I’ve been in conversation with the photographer Anton Kusters, on Instagram and on our respective websites, under the hash #image_by_image. The dialogue has taken shape as a curious collaboration, now with some 40 posts and going strong. The posts are public but we have not been actively promoting the work. Our original idea was simply to write to each other in public, with a few constraints, and see what might happen.

image_by_image-1

By Ivan Sigal. Read full post.

Kusters_jun15

By Anton Kusters. Read full post.

We have started to figure out what that might be, and where it is going, and thus are sharing more widely. Anton, in his post on the project, describes the conversation in the following way: “If there ever were a true behind-the-scenes: these are things that actually occupy much of our thoughts and shape our work, without being our work.” An attempt at a description:

#image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters, posted both on Instagram and on the participant’s respective websites. It is an experimental public dialogue that sets simple rules, and allows the trajectory of the discussion to proceed in inductive fashion, image by image, and text by text.

image_by_image is constructed as a weak or fragile narrative, based on associations of word and image, of fragment and concept, of reuse and reflection, of frank acknowledgement of struggle, doubt, skepticism and humility before the power of ideas and the claims of images. It is rooted in philosophies of anti-authoritarianism and a mistrust of grand narratives.

The rules of image_by_image are that each participant posts no more than 1x per day and no less than 1x per week, and that each post have one image and a maximum of 2,200 characters of text. It has emerged that the images are often fragments or details of other images, or rephotographed through screens, lightboxes, scrims and other surface textures. The images work at several levels – as notes, as referents, as counterpoints, as punctuations, as divergences.

Our emerging practice with image_by_image is to enliven the consideration of images in social media, explore their meaning in dialogue with concepts and our shifting understanding of them through associations across time and history. It is a rebuttal to the assertion that images in social media are necessarily one-dimensional pictograms. It is also a way of stripping back social media speech to the simple level of the exchange of ideas, rather than the mimicking of self-broadcast through the social media tactics of sensation, self-promotion, and aggressive projection.

Over time, themes have emerged on image_by_image based on the common concerns of the participants. We consider history, memory, memorialization, travel, tensions between narrative and conceptual images, the processes of making art, and the challenges of our respective projects. We traverse the psychological geographies of Nazi Germany, the former Soviet Union, Japan, Europe, and the United States, as well as the tenuous journeys of migrants and personal memoir.

kusters_jul21_2016

By Anton Kusters. Read full post.

aktau-detail-imagebyimage-5

By Ivan Sigal. Read full post.

image_by_image can be found on Instagram at the #image_by_image hash, following @ivansigal and @antonkusters, or at:

http://ivansigal.net/category/image_by_image/

http://antonkusters.com/image-by-image/

by Ivan Sigal at August 23, 2016 11:53 PM

Ethan Zuckerman
Supporting Feyisa Lilesa, a remarkable athlete and protester

At the end of the Rio Olympic men’s marathon, silver medalist Feyisa Lilesa did something extraordinary, important and dangerous. As he crossed the finish line, he crossed his wrists in front of his forehead in a gesture that’s halfway between “hands up, don’t shoot” and “X marks the spot.”

The gesture is a sign of defiance that has become a symbol of Ethiopia’s Oromo rights movement. An unprecedented wave of protests in Ethiopia by Oromo and other ethnic rights groups is rocking Ethiopia, which is one of Africa’s most repressive states. By showing support for the protesters in his native Oromia, Lilesa has brought international attention to a movement that’s been violently suppressed by the government, with over 400 civilians killed.

He has also put himself and his family at risk. Defiance of the Ethiopian government can lead to imprisonment or to death. Ethiopian colleagues of mine at Global Voices served eighteen months in prison for the “crime” of learning about digital security, so they could continue to write online about events in their country. Fearing arrest or worse, Lilesa has decided to remain in Brazil, and may seek asylum there or in the US. A GoFundMe campaign has raised almost $100,000 to contribute to his legal and living expenses. But the real challenge may be reuniting Lilesa with his wife and children, who remain in Ethiopia.

The Olympics have an uneasy relationship with protest. While states threaten boycotts of each others’ games – and occasionally follow through on those threats – athletes who bring politics into the arena have been sharply sanctioned. When Tommie Smith and John Carlos raised their fists in a Black Power salute after winning gold and bronze in the 200 meters in 1968, both were suspended from the US Olympic team, expelled from the Olympic village and sent home. (Peter Norman, the Australian silver medalist, who supported their gesture and wore an Olympic Project for Human Rights badge in solidarity, was not sanctioned, but was shunned by his country’s Olympic committee and never raced again.) While the Olympic movement does not appear to be taking action against Lilesa, unfortunately, that’s likely the least of his problems.

I wrote two weeks ago about my fears that attention to the Olympics and the endless US political campaign would distract people from these protests in Ethiopia. I argued that international attention may help protect the lives of Ethiopian activists, as the government will be forced to face the consequences of how they treat their dissenting citizens. Lilesa has helped ensure that the Olympics would include a healthy dose of Oromo rights. Now it’s time to do our part and ensure that Lilesa and his family don’t pay for his actions with their lives.

I gave to support Feyisa Lilesa’s relocation fund, and encourage you to do so as well. Here’s hoping he can return home someday soon to an Ethiopia that makes space for dissent. Unfortunately, that’s not the Ethiopia the world has now.

by Ethan at August 23, 2016 06:58 PM

Ivan Sigal
Aug 23, 2016 @ 16:02 CET

kusters_aug23_2016

Dear Ivan,

Yes, often the cinematic feeling is paramount… and I must confess it’s something I too strive for – even in my still images. And now I’m wondering. I’ve actually never been able to put my finger on it, only being able to recognise being pulled by it. Tokyo Story, The Mirror, Inception. Vastly different films, different eras, different cultures, different industries, different everything, all pulled me in completely.

It feels like there’s more of a bright future for AR and MR than for VR. The key is the mobile phone with the person in real life used as a means to do things. VR kind of diametrically opposes that, it presumes exiting real life, going literally inside a virtual world instead; basically using the technology as “an end” instead of as “a means”. I think that might be why there’ll always be that gap that you described, impossible to bridge. That context has to be broken out of, lest VR were to stay as a too specific – yet extremely immersive – tool.

Since what seems forever I’ve had trouble “thinking about” while experiencing, and I chalk it up to the fact that I’ve always thought I was pretty naive, and therefore easily completely pulled in. Even now still I can – and constantly do – lose myself in good cinema, art, books and what not, often afterwards recalling “being taken along for the ride” more than my critical thinking. So much that I regard my being swept away as a yardstick for success.

Of course I know this holds no ground. But I can’t help myself. Maybe I’m not cynical enough. I’m imagining that “swept away” thing as something elusive that can’t be created directly, instead only by successfully making the elements that it’s composed of, and then intricately balancing them, never fully controlling them. Storytelling. Structure. Narrative. Connections. Depth. Aesthetics. Timing. Relevance.

Imagining this gives me some solace. And damn, I totally missed that Perseid meteor shower, even though I knew it was coming.

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters. @ivansigal and @antonkusters on Instagram ///

by Anton Kusters at August 23, 2016 02:46 PM

PRX
PRX Remix August Picks: Magic skates, a boy genius, and a roundabout

Welcome to the second edition of our PRX Remix picks. This month, I’ve got three totally unique stories for you. They’ll take you from a roller rink in Wisconsin, to an improv comedy troupe in Tennessee, to a dangerous intersection in Massachusetts where a controversial road proposal pits local government against townsfolk.

“The Magic Skates” from Where@bouts

This might be the first-ever podcast episode hosted by someone wearing roller skates. Yes, you read that right. The episode begins with the host, so-called “Mad Genius”, roller skating around a rink. From the sound of it, he’s only learning. It’s a fitting way to open a story about the sounds of a roller rink, guided by roller derby star Jeanne Du Snark, a blocker for the Vaudeville Vixens in Madison, Wisconsin.

The story comes into its own when Mad Genius remixes the sounds of the roller rink into a song reflecting Du Snark’s experience. This is the calling card of Where@bouts—exploring a sense of place through found sounds, then remixing those sounds into a song. Mad Genius describes the show as an “art popcast,” but whatever you call it, it’s incredibly unique and well-produced.

(Image: Roller derby is not for the faint of heart)

Through song, we learn about how the roller derby offered Du Snark a new kind of challenge and thrill after finishing her Division I soccer career, not to mention a louder, more devoted fanbase. We hear about her intense tryout process just to make the team, and about how she has narcolepsy and feels more awake, literally, while skating than doing anything else. All this is set to an incredibly catchy rhythm, anchored by the sounds of fans chanting and skates scraping the rink. Even Du Snark’s voice somehow feels melodic in the hands of Mad Genius. The remixed composition actually adds to the story. I’m curious to hear more from Mad Genius and Where@bouts in the future.

“The Genius Improviser” from Neighbors

(Image: This dog is a genius)

“Genius” is a term thrown around lightly whenever someone does anything intellectually impressive. Michael Kearney, however, is one of the few who actually fits the definition. According to the Guinness Book of World Records, Kearney is the youngest person ever to graduate college, at just 10 years old. But neither Kearney’s genius nor his fame are the crux of this story. No, this is an entertaining and thoughtfully told account of an extraordinary person on a familiar journey—a journey to find community, to feel a sense of belonging, and to figure out what it means to be successful. Kearney isn’t an obvious fit to run his local improv comedy outfit. But it becomes clear as the story progresses, both Kearney and his fellow improvisers are better off because of it.

This episode comes from Nashville Public Radio’s Neighbors podcast, which started out as an independent show from producer Jakob Lewis. Lewis is also the creator of The Heard audio collective. Neighbors was recognized with an award for this episode from the Academy of Podcasters at this year’s Podcast Movement conference in Chicago.

“Driving In Circles” from Martine Powers

Traffic engineering is not typically a topic that inspires much excitement. A proposal to replace a traditional intersection with a roundabout is not an obviously interesting story. Somehow, producer Martine Powers has defied all odds and turned a story about traffic engineering into this piece that takes a fascinating look at human psychology. She made a controversy about road design in a small town feel as high-stakes as a Jason Bourne chase scene—more high-stakes, actually, if you consider how terrible the new Jason Bourne movie is.

(Image: Roundabout mock-up)

Roundabouts are in vogue these days with local governments and public works departments. There’s data showing they decrease crashes and crash severity, and they’re cheaper to maintain than traditional intersections. But townsfolk, like the ones at the center of this story, can be reluctant to change a system that mostly works fine. The roundabout seems like total chaos, with no signs indicating when to stop and go.

Formerly of The Boston Globe, Martine Powers is now a metro reporter for The Washington Post. According to her bio, she has a self-described knack for “making boring stuff interesting.” I can’t help but agree.

How To Listen to PRX Remix:

Download the PRX Remix app or go to prx.mx and press ‘play’. If you’re a satellite radio listener, check out channel 123 on Sirius XM or XM radio. If you’re a traditionalist and stick to the radio dial, check these listings to find PRX Remix on a station near you.

Josh Swartz is the curator of PRX Remix. Email him at remix@prx.org with questions and suggestions.

The post PRX Remix August Picks: Magic skates, a boy genius, and a roundabout appeared first on PRX.

by Maggie Taylor at August 23, 2016 01:55 PM

Center for Research on Computation and Society (Harvard SEAS)
Nisarg Shah
CRCS Postdoctoral Fellow

I am a post-doctoral fellow at Harvard's Center for Computation and Society (CRCS). Broadly, my research lies …

by Gabriella Fee at August 23, 2016 01:52 PM

Avshalom Elmalech
CRCS Postdoctoral Fellow
Avshalom Elmalech's research interests lie at the intersection of computer science and psychology.

by Gabriella Fee at August 23, 2016 01:47 PM

Michael Hughes
IACS Postdoctoral Fellow

Mike studies machine learning, especially latent variable models for time-series or text datasets.

by Gabriella Fee at August 23, 2016 01:37 PM

August 22, 2016

Center for Research on Computation and Society (Harvard SEAS)
Babis Tsourakakis' paper, "Predicting Signed Edges with O(n log n) Queries" has been accepted to Allerton Conference.
August 22, 2016
Postdoctoral Fellow Charalampos "Babis" Tsourakakis' joint work with Professor Michael Mitzenmacher "Predicting Signed Edges with O(n log n) Queries" has been accepted to the 54th Annual Allerton Conference on Communication, Control, and Computing, to be held September 18-30 in Allerton, Illinois.

by Gabriella Fee at August 22, 2016 07:28 PM

Berkman Center front page
Announcing the Release of “The Internet and You,” New Educational Resources for Elementary School-Age Students

Featuring Ruff Ruffman: Humble Media Genius from PBS, “The Internet and You” provides interactive lesson plans about digital privacy, search engines, online advertising, and the creation of positive online experiences that can be used in schools, after-school programs, and beyond.

The Berkman Klein Center for Internet & Society at Harvard University is excited to share the release of The Internet and You: Curricular Materials for Educators Grades 1-3, developed by the Youth and Media team in collaboration with the New York Public Library and WGBH.

This free resource for educators, which includes worksheets kids can do at home with their parents or other caregivers, is now available on our Digital Literacy Resource Platform (DLRP), thanks to generous support from the Digital Media and Learning (DML) Trust Challenge grant.

“Young learners today are surrounded by digital technologies, but often they haven’t had the guidance in basic best practices that can help keep their online experiences positive,” said Berkman Klein Fellow and “The Internet and You” author Leah Plunkett. “Our new materials aim to support educators with the right tools to empower students to better navigate the digital space.”

These new curricular materials for elementary school age youth are part of an ever-growing set of educational resources for a diverse audience of youth (elementary, middle, and high school age), teachers, parents, and school administrators. Hosted on the DLRP, these resources provide guidance on online privacy, safety, information quality, and creative expression, and can be used both in school and out-of-school contexts. Currently, the DLRP also contains free curricular resources for middle and high school age youth on topics of online privacy, reputation, and respect and boundaries, with more topics for these age groups coming soon!

We invite you to explore these building blocks of “The Internet and You” with young learners, and welcome your reflections and questions. Please contact Berkman Klein Fellow Leah Plunkett with any feedback at lplunkett@cyber.law.harvard.edu.

About the DLRP
The Digital Literacy Resources Platform is a website prototype that hosts an evolving collection of freely accessible educational resources for a diverse audience of teachers, kids and teens, parents, and school administrators. These resources include curricular modules, guides, videos, infographics, podcasts, and research papers related to the themes of online safety, privacy, creative expression, and information quality. The DLRP is designed and maintained by the Berkman Klein Center for Internet & Society at Harvard University, with support from the MacArthur Foundation’s Digital Media Literacy Trust Challenge Competition.

by gweber at August 22, 2016 06:47 PM

David Weinberger
Why do so many baby words start with B?

What’s wrong with English? So many of the words for things in a baby’s environment start with B so when she says “buh,” — or, as our grandchild prefers, “bep” — you don’t know if she is talking about a banana, bunny, boat, bread, bath, bubble, ball, bum, burp, bird, belly, or bathysphere.

This is not how you design a language for easy learning. You don’t hear soldiers speaking into their walkie talkies about being at position “Buh buh buh buh.” No, they say something like, “Bravo Victor Mike November.” Those words were picked precisely because they are so hard to mistake for one another. Now that’s how you design a language! (It’s also possible that research at Harvard during WWII that led to the development of the NATO phonetic alphabet influenced the development of Information Theory what with that theory’s differentiating of signal from noise.)

This problem in English probably helps explain why we spend so much time teaching our children how to say animal sounds: animals have the common sense not to sound like one another. That may also be why some of the sounds we teach our children have little to do with the noises animals actually make: Dogs don’t actually say “Woof,” but that sound is hard to confuse with the threadbare imitation we can manage of the sound a tiger makes.

Being a baby is tough. You’ve got little flabby fingers that can’t do anything you want except hold onto a measly Cheerio and even then they can’t tell the difference between your mouth and your nose. Plus you can’t get anywhere except by hitching a ride with an adult whose path is as senseless as a three-legged drunk’s. Then when you want nothing more than a bite of buttery brie, the stupid freaking adult brings you a big blue blanket and then gets annoyed when you kick it off.

The least we could do for our babies is give them some words that don’t sound like every other word they care about.

The post Why do so many baby words start with B? appeared first on Joho the Blog.

by davidw at August 22, 2016 12:11 PM

Bruce Schneier
Research on the Timing of Security Warnings

fMRI experiments show that we are more likely to ignore security warnings when they interrupt other tasks.

A new study from BYU, in collaboration with Google Chrome engineers, finds the status quo of warning messages appearing haphazardly -- while people are typing, watching a video, uploading files, etc. -- results in up to 90 percent of users disregarding them.

Researchers found these times are less effective because of "dual task interference," a neural limitation where even simple tasks can't be simultaneously performed without significant performance loss. Or, in human terms, multitasking.

"We found that the brain can't handle multitasking very well," said study coauthor and BYU information systems professor Anthony Vance. "Software developers categorically present these messages without any regard to what the user is doing. They interrupt us constantly and our research shows there's a high penalty that comes by presenting these messages at random times."

[...]

For part of the study, researchers had participants complete computer tasks while an fMRI scanner measured their brain activity. The experiment showed neural activity was substantially reduced when security messages interrupted a task, as compared to when a user responded to the security message itself.

The BYU researchers used the functional MRI data as they collaborated with a team of Google Chrome security engineers to identify better times to display security messages during the browsing experience.

Research paper. News article.

by Bruce Schneier at August 22, 2016 12:03 PM

Terrorist False Alarm at JFK Airport Demonstrates How Unprepared We Really Are

The detailed accounts of the terrorist-shooter false-alarm at Kennedy Airport in New York last week illustrate how completely and totally unprepared the airport authorities are for any real such event.

I have two reactions to this. On the one hand, this is a movie-plot threat -- the sort of overly specific terrorist scenario that doesn't make sense to defend against. On the other hand, police around the world need training in these types of scenarios in general. Panic can easily cause more deaths than terrorists themselves, and we need to think about what responsibilities police and other security guards have in these situations.

by Bruce Schneier at August 22, 2016 11:40 AM

August 20, 2016

Bruce Schneier
Major NSA/Equation Group Leak

The NSA was badly hacked in 2013, and we're just now learning about it.

A group of hackers called "The Shadow Brokers" claim to have hacked the NSA, and are posting data to prove it. The data is source code from "The Equation Group," which is a sophisticated piece of malware exposed last year and attributed to the NSA. Some details:

The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies.

The dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as "BANANAGLEE" or "EPICBANANA."

Nicholas Weaver has analyzed the data and believes it real:

But the proof itself appears to be very real. The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA's implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets.

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I've found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from compromised systems. Instead the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sorts of other features indicate that this is analyst-side code -- the kind that probably never leaves the NSA.

I agree with him. This just isn't something that can be faked in this way. (Good proof would be for The Intercept to run the code names in the new leak against their database, and confirm that some of the previously unpublished ones are legitimate.)

This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government.

Weaver again:

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps -- which are easy to modify -- the most likely date of acquisition was June 11, 2013. That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary's access.

Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."

They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though. Yesterday was a very bad day for the NSA.

EDITED TO ADD: Snowden's comments. He thinks it's an "NSA malware staging server" that was hacked.

EDITED TO ADD (8/18): Dave Aitel also thinks it's Russia.

EDITED TO ADD (8/19): Two news articles.

Cisco has analyzed the vulnerabilities for their products found in the data. They found several that they patched years ago, and one new one they didn't know about yet. See also this about the vulnerabilities.

EDITED TO ADD (8/20): More about the vulnerabilities found in the data.

Previously unreleased material from the Snowden archive proves that this data dump is real, and that the Equation Group is the NSA.

by Bruce Schneier at August 20, 2016 08:16 PM

August 19, 2016

Bruce Schneier
Friday Squid Blogging: Stubby Squid

Photo of the cutest squid ever.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

by Bruce Schneier at August 19, 2016 09:08 PM

Unintentional DOS Attack against Car-Door Openers

Radio noise from a nearby neon-sign transformer made it impossible for people to unlock their cars remotely.

by Bruce Schneier at August 19, 2016 06:32 PM

More on Election Security

Andrew Appel has a good two-part essay on securing elections.

And three organizations -- Verified Voting, EPIC, and Common Cause -- have published a report on the risks of Internet voting. The report is primarily concerned with privacy, and the threats to a secret ballot.

by Bruce Schneier at August 19, 2016 10:15 AM

August 18, 2016

Ivan Sigal
Aug 18, 2016 @ 10:52 EST

Dear Anton,

Virtual reality has been a persistent idea underlying our conversation – an image field that completely covers our sight, and all sound and movement, functioning as a totalizing force over our perceptions. As with your images of blue skies, or our color fields, lensless eyes and cameras. The current version of VR we’re offered by the market, it seems to me, asks us to surrender our awareness, to allow our senses to be occupied by the apparatus. It’s a delicate moment, or should be, because we are required to place trust in the device and in the producers.

Most recent VR experiences I’ve seen try to exploit the functions of the technology to expand control over the user. I have yet to see one that seeks to hack the technology, to expose some critical distance between giving up sensory control to the apparatus, and how we think about what’s happening to us while we’re enveloped. Instead, the critical thought, if there is one, comes sequentially, with reflection after the experience.

This gap we can term the conceptual gaze. It is, in short, the difference between what we are looking at, and what we are seeing. There is something either naive or manipulative in the push to make sensation the primary measure of a filmic experience, in aspiring to make looking and seeing the same thing. The end game is a sensory deprivation tank, or a cell for solitary confinement. And indeed, someone has already made a solitary confinement VR – which is either the height of manipulation, or perhaps, if done properly, the conceptual gap that we seek.

I spent last week on Lake Michigan, and some time lying on my back on a dock in a lake, the water below me casting an underglow onto the sky above. For a moment, or a while, I felt as if I were floating unmoored in a field of blue, and I lost my sense of time. Later that night, in the same position, I searched the sky for traces of the Perseid meteor shower, for the light that reportedly comes from 1079, 1479, 1862, those burning bits of rock, our evidence of time. 

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters. @ivansigal and @antonkusters on Instagram ///

by Ivan Sigal at August 18, 2016 02:52 PM

Bruce Schneier
Prisoner's Dilemma Experiment Illustrates Four Basic Phenotypes

If you've read my book Liars and Outliers, you know I like the prisoner's dilemma as a way to think about trust and security. There is an enormous amount of research -- both theoretical and experimental -- about the dilemma, which is why I found this new research so interesting. Here's a decent summary:

The question is not just how people play these games -- there are hundreds of research papers on that -- but instead whether people fall into behavioral types that explain their behavior across different games. Using standard statistical methods, the researchers identified four such player types: optimists (20 percent), who always go for the highest payoff, hoping the other player will coordinate to achieve that goal; pessimists (30 percent), who act according to the opposite assumption; the envious (21 percent), who try to score more points than their partners; and the trustful (17 percent), who always cooperate. The remaining 12 percent appeared to make their choices completely at random.

by Bruce Schneier at August 18, 2016 10:36 AM
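The four types in the summary above, turned into decision rules and run across two one-shot games, as an added illustration. This is my own simplified operationalisation, not the study's code or its statistical definitions: the payoff tables are textbook constructions (only their ordering matters), the rule chosen for each type is an assumption, and the type shares are the percentages quoted in the summary, with the random 12 percent assumed to cooperate half the time.

```python
"""Added illustration: four behavioural types as decision rules for one-shot games.
The rules and payoff tables are a simplified model, not the study's definitions."""
from typing import Callable, Dict, Tuple

C, D = "C", "D"  # cooperate / defect
Game = Dict[Tuple[str, str], Tuple[int, int]]  # (my move, their move) -> (my payoff, their payoff)

# Textbook payoff tables (constructed numbers; only their ordering matters).
PRISONERS_DILEMMA: Game = {(C, C): (3, 3), (C, D): (0, 5), (D, C): (5, 0), (D, D): (1, 1)}
STAG_HUNT: Game = {(C, C): (4, 4), (C, D): (0, 3), (D, C): (3, 0), (D, D): (2, 2)}


def _best(game: Game, score: Callable[[str], int]) -> str:
    """Highest-scoring move; a tie resolves to cooperation (an assumption of this model)."""
    return max((C, D), key=lambda a: (score(a), a == C))


def optimist(game: Game) -> str:
    """Maximax: the move whose best case is highest, trusting the partner to coordinate."""
    return _best(game, lambda a: max(game[(a, b)][0] for b in (C, D)))


def pessimist(game: Game) -> str:
    """Maximin: the opposite assumption, the move whose worst case is least bad."""
    return _best(game, lambda a: min(game[(a, b)][0] for b in (C, D)))


def envious(game: Game) -> str:
    """Never be outscored: maximise the worst-case lead over the partner."""
    return _best(game, lambda a: min(game[(a, b)][0] - game[(a, b)][1] for b in (C, D)))


def trustful(game: Game) -> str:
    """Always cooperate."""
    return C


RULES = {"optimist": optimist, "pessimist": pessimist, "envious": envious, "trustful": trustful}

# Type shares quoted in the summary; the remaining 12 percent chose at random.
POPULATION = {"optimist": 0.20, "pessimist": 0.30, "envious": 0.21, "trustful": 0.17, "random": 0.12}


def choices(game: Game) -> Dict[str, str]:
    """What each type does in a given game."""
    return {name: rule(game) for name, rule in RULES.items()}


def play(game: Game, me: Callable[[Game], str], them: Callable[[Game], str]) -> Tuple[int, int]:
    """Payoffs when two typed players meet once."""
    return game[(me(game), them(game))]


def cooperation_rate(game: Game, mix: Dict[str, float]) -> float:
    """Expected share of cooperators in a population with the given type mix."""
    typed = sum(share for name, share in mix.items() if name != "random" and RULES[name](game) == C)
    return typed + 0.5 * mix.get("random", 0.0)  # random players cooperate half the time


if __name__ == "__main__":
    for name, game in (("prisoner's dilemma", PRISONERS_DILEMMA), ("stag hunt", STAG_HUNT)):
        print(name, choices(game), f"cooperation ~{cooperation_rate(game, POPULATION):.0%}")
```

Under these rules three of the four types defect in the prisoner's dilemma, so cooperation comes only from the trustful and from the coin-flippers, which is what makes the game a usable model of a trust problem. In a stag hunt the optimists switch to cooperating while the pessimists and the envious still defect, so the same population produces a different outcome. That shift, rather than any particular percentage, is the point the summary makes about types explaining behaviour across games.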

Friday Squid Blogging: Squid Not Killing New Zealand Sea Lions

Experts are blaming bacteria, not squid nets.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

by Bruce Schneier at August 18, 2016 10:02 AM

ProjectVRM
At last, a protocol to connect VRM and CRM

We’ve been waiting a long time for a protocol to connect VRM (customers’ Vendor Relationship Management) with CRM (vendors’ Customer Relationship Management).

Now we have one. It’s called JLINC, and it’s from JLINC Labs. It’s also open source. You’ll find it at Github, here. It’s still early, at v.0.3. So there’s lots of opportunity for developers and constructive hackers of all kinds to get involved.

Specifically, JLINC is a protocol for sharing data protected by the terms under which it is shared, such as those under development by Customer Commons and the Consent and Information Sharing Working Group (CISWG) at Kantara.

The sharing instance is permanently recorded in a distributed ledger (such as a blockchain) so that both sharer and recipient have a permanent record of what was agreed to. Additionally, both parties can build up an aggregated view of their information sharing over time, so they (or their systems) can learn from and optimize it.

The central concept in JLINC is an Information Sharing Agreement (ISA). This allows for—

  1. the schema related to the data being shared so that the data can be understood by the recipient without prior agreement
  2. the terms associated with the data being shared so that they can be understood by the recipient without prior negotiation
  3. the sharing instance, and any subsequent onward sharing under the same terms, to be permanently recorded on a distributed ledger of subsequent use (compliance and analytics)

To test and demonstrate how this works, JLINC built a demonstrator to bring these three scenarios to life. The first one tackled is Intentcasting, a long-awaited promise of VRM. With an Intentcast, the customer advertises her intention to buy something, essentially becoming a qualified lead. (Here are all the ProjectVRM blog posts with the Intentcasting tag.)

Obviously, the customer can’t blab her buying intention out to the whole world, or marketers would swarm her like flies, suck up her exposed data, spam her with offers, and sell or give away her data to countless other parties.

With JLINC, intention data is made available only when the customer’s terms are signed. Those terms specify permitted uses. Here is one such set (written for site visiting, rather than intentcasting):

(Image: UserSubmittedTerms2ndDraft)

These say the person’s (first party’s) data is being shared exclusively with the second party (the site), for no limit in time, for the site’s use only, provided the site also obeys the customer’s Do Not Track signal. I’m showing it because it lays out one way terms can work in a familiar setting.

For JLINC’s intentcasting demonstration, terms were limited to second party use only, and a duration of thirty days. But here’s the important part: the intentcast spoke to a Salesforce CRM system, which was able to—

  1. accept or reject the terms, and
  2. respond to the intentcast with an offer,
  3. while the handshake between the two was recorded in a blockchain both parties could access

This means that JLINC is not only a working protocol, but that there are ways for VRM tools and systems to use JLINC to engage CRM systems. It also means there are countless new development opportunities on both sides, working together or separately.

Here’s another cool thing: the two biggest CRM companies, Salesforce and Oracle, will hold their big annual gatherings in the next few weeks. This means JLINC and VRM+CRM can be the subjects of both conversation and hacking at either or both events. Specifically, here are the dates:

  1. Oracle’s OpenWorld 2016 will be September 18-22.
  2. Salesforce’s Dreamforce 2016 will be October 4-7.

Both will be at the Moscone Center in San Francisco.

Conveniently, the next VRM Day and IIW will both also happen, as usual, at the end of October:

  1. VRM Day will be October 24.
  2. Internet Identity Workshop (IIW’s XXIIIth) will be October 25-27.

Both will take place at the Computer History Museum, in downtown Silicon Valley. And JLINC, which was launched at the last VRM Day, is sure to be a main topic of discussion, starting at VRM Day and continuing through IIW, which I consider the most leveraged conference in the world, especially for the price.

If all goes well, we’ll have some examples of VRM+(Oracle and/or Salesforce) CRM to show off at Demo Day at IIW.

Love to see other CRM vendors show up too. You listening, SugarCRM? (I spoke about VRM+CRM at SugarCon in 2011. Here’s my deck from that talk. What we lacked then, and since, was a protocol for that “+”. Now we have it.)

Big HT to Iain Henderson of both JLINC Labs and Customer Commons, for guiding this post, as well as conducting the test that showed, hey, it can be done!

by Doc Searls at August 18, 2016 05:58 AM
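The ISA handshake described in the post above, worked through end to end as an added Python illustration: the customer publishes schema and terms without the data, the CRM accepts or rejects against what it can honour, the signed handshake goes on a ledger both sides can audit, the data is released only after acceptance and checked against the schema, and the CRM answers with an offer. This is not JLINC's protocol, wire format or code: the message and policy fields, the HMAC-based stand-in for digital signatures, and the in-memory hash chain standing in for a distributed ledger are all assumptions made for the example.

```python
"""Added illustration of an Information Sharing Agreement (ISA) handshake in the spirit
of the JLINC description. Not JLINC's protocol or code; field names, keys, policy and
ledger are constructed for the example."""
import hashlib
import hmac
import json

# Constructed stand-ins for each party's signing key. Real deployments would use
# asymmetric signatures; HMAC is used here only so the example runs offline.
CUSTOMER_KEY = b"customer-demo-key"
CRM_KEY = b"crm-demo-key"

# Hypothetical intentcast schema and customer terms (field names are assumptions).
INTENTCAST_SCHEMA = {"intent": "str", "item": "str", "budget_max": "int"}
CUSTOMER_TERMS = {"permitted_use": "second_party_only", "duration_days": 30, "honor_dnt": True}
# Hypothetical CRM policy: what the vendor side is actually able to commit to.
CRM_POLICY = {"can_honor_dnt": True, "needs_onward_sharing": False, "min_retention_days": 7}


def canonical(obj) -> bytes:
    """Deterministic JSON so both parties hash and sign identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical(obj)).hexdigest()


def sign(secret: bytes, obj) -> str:
    return hmac.new(secret, canonical(obj), hashlib.sha256).hexdigest()


def verify_sig(secret: bytes, obj, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, obj), sig)


class Ledger:
    """Append-only hash chain standing in for the distributed ledger both parties read."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"prev": prev, "record": record, "hash": digest({"prev": prev, "record": record})}
        self.entries.append(entry)
        return entry["hash"]

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or digest({"prev": prev, "record": e["record"]}) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def evaluate_terms(terms: dict, policy: dict):
    """CRM side: accept the customer's terms only if it can actually honour them."""
    if terms["honor_dnt"] and not policy["can_honor_dnt"]:
        return False, "cannot honor Do Not Track"
    if policy["needs_onward_sharing"] and terms["permitted_use"] == "second_party_only":
        return False, "terms forbid onward sharing"
    if terms["duration_days"] < policy["min_retention_days"]:
        return False, "cannot purge within the requested duration"
    return True, "accepted"


def validate(data: dict, schema: dict) -> bool:
    """Recipient checks the payload against the shared schema; no prior agreement needed."""
    types = {"str": str, "int": int, "bool": bool}
    return set(data) == set(schema) and all(isinstance(data[k], types[t]) for k, t in schema.items())


def make_offer(data: dict, terms: dict) -> dict:
    """Toy CRM response: a price at or under the stated budget, valid for the agreed term."""
    return {"item": data["item"], "price": min(data["budget_max"], 1200), "valid_days": terms["duration_days"]}


def intentcast(terms: dict, data: dict, policy: dict, ledger: Ledger) -> dict:
    """Run the whole exchange; returns the outcome the customer sees."""
    isa = {"schema": INTENTCAST_SCHEMA, "terms": terms}      # step 1: terms go out, data does not
    ok, reason = evaluate_terms(terms, policy)                # step 2: CRM accepts or rejects
    if not ok:
        ledger.append({"event": "isa_rejected", "isa": digest(isa), "reason": reason})
        return {"status": "rejected", "reason": reason, "offer": None}
    customer_sig = sign(CUSTOMER_KEY, isa)
    crm_sig = sign(CRM_KEY, {"isa": digest(isa), "customer_sig": customer_sig})
    ledger.append({"event": "isa_accepted", "isa": isa,       # step 3: the recorded handshake
                   "customer_sig": customer_sig, "crm_sig": crm_sig})
    if not validate(data, isa["schema"]):                     # step 4: data released, then checked
        return {"status": "invalid_data", "reason": "payload does not match schema", "offer": None}
    offer = make_offer(data, terms)                           # step 5: CRM responds with an offer
    ledger.append({"event": "offer", "isa": digest(isa), "offer": offer})
    return {"status": "accepted", "reason": reason, "offer": offer}


def verify_handshake(record: dict) -> bool:
    """Re-check both signatures on an accepted-ISA ledger entry."""
    return (record["event"] == "isa_accepted"
            and verify_sig(CUSTOMER_KEY, record["isa"], record["customer_sig"])
            and verify_sig(CRM_KEY, {"isa": digest(record["isa"]), "customer_sig": record["customer_sig"]},
                           record["crm_sig"]))


if __name__ == "__main__":
    lg = Ledger()
    payload = {"intent": "buy", "item": "road bike", "budget_max": 1500}
    print(intentcast(CUSTOMER_TERMS, payload, CRM_POLICY, lg))
    print(intentcast(dict(CUSTOMER_TERMS, duration_days=3), payload, CRM_POLICY, lg))
    print("ledger intact:", lg.verify_chain(), "handshake valid:", verify_handshake(lg.entries[0]["record"]))
```

Two design points worth noticing. The data never leaves the customer until the CRM has signed the terms, so a rejection leaves only a hash of the ISA on the ledger and no personal data anywhere on the vendor side; and because each ledger entry commits to the previous one, either party can detect after the fact if the recorded offer or terms were altered. With HMAC both parties must hold the keys to verify; a real deployment would use asymmetric signatures so that a third-party auditor can check the handshake without them.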

August 16, 2016

Bruce Schneier
Powerful Bit-Flipping Attack

New research: "Flip Feng Shui: Hammering a Needle in the Software Stack," by Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, and Herbert Bos.

Abstract: We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on hardware bugs to induce bit flips over memory and on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere in the software stack. We show FFS is possible today with very few constraints on the target data, by implementing an instance using the Rowhammer bug and memory deduplication (an OS feature widely deployed in production). Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page's contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page.

We show FFS is extremely powerful: a malicious VM in a practical cloud setting can gain unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH public-key authentication, and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism. We conclude by discussing mitigations and future directions for FFS attacks.

by Bruce Schneier at August 16, 2016 12:09 PM

August 15, 2016

Justin Reich
Use Design Thinking to Develop Critical Skills for a Global Economy
Engaging in Design Thinking allows students to overcome cognitive bias, develop empathy, and engage in the problem-seeking behaviors that they need to be effective global citizens.

by Beth Holland at August 15, 2016 07:31 PM

Project-Based Learning and Politics: Join #MyParty16
The #MyParty16 project-based Learning initiative presents students with an opportunity to form their own political parties and engage in the electoral process.

by Beth Holland at August 15, 2016 07:28 PM

Bruce Schneier
Yet Another Government-Sponsored Malware

Both Kaspersky and Symantec have uncovered another piece of malware that seems to be a government design:

The malware -- known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec -- has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes.

[...]

Part of what makes ProjectSauron so impressive is its ability to collect data from computers considered so sensitive by their operators that they have no Internet connection. To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn't viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the "air-gapped" machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

Kaspersky researchers still aren't sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn't in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.

"Once installed, the main Project Sauron modules start working as 'sleeper cells,' displaying no activity of their own and waiting for 'wake-up' commands in the incoming network traffic," Kaspersky researchers wrote in a separate blog post. "This method of operation ensures Project Sauron's extended persistence on the servers of targeted organizations."

We don't know who designed this, but it certainly seems likely to be a country with a serious cyberespionage budget.

EDITED TO ADD (8/15): Nicholas Weaver comment on the malware and what it means.

by Bruce Schneier at August 15, 2016 06:43 PM

Microsoft Accidentally Leaks Key to Windows Backdoor

In a cautionary tale to those who favor government-mandated backdoors to security systems, Microsoft accidentally leaked the key protecting its UEFI Secure boot feature.

As we all know, the problems with backdoors are less the cryptography and more the systems surrounding the cryptography.

by Bruce Schneier at August 15, 2016 11:27 AM

August 14, 2016

David Weinberger
The World According to TED

Here’s some info about the 2,200 TED Talks based largely on the tags that TED supplies on its Web site; the data are a few months old. Keep in mind that I am grossly incompetent at this, so I’ve included the SQL queries I used to derive this information so you can see how wrong I’ve gone and can laugh and laugh.

Number of unique tags

378 of ’em

SELECT count( DISTINCT(tag) ) FROM tags

Most popular tags

# of talks tagged   tag

628 technology
481 science
472 culture
454 global issues
368 design
363 TEDx
308 business
286 entertainment
201 arts
175 education
165 health
164 politics
164 creativity
141 art
130 economics
127 medicine
125 biology
122 music
122 TED Fellows
118 brain
111 social change
108 invention
106 storytelling
105 environment
105 cities
103 innovation
103 future
101 activism
93 children
92 history
92 health care
91 collaboration
91 war
90 communication
88 psychology
86 women
83 photography
81 animals
80 Africa
78 society
78 humor
76 performance
74 computers
72 exploration
72 life
69 architecture
67 nature
66 humanity
64 oceans
63 community
59 sustainability
59 Internet
58 film



SELECT count(tag),tag
FROM tags GROUP BY tag ORDER BY count(tag) desc;

Tags used only once or twice

1 Criminal Justice
1 refugees
1 South America
1 farming
1 Moon
1 Addiction
1 testing
1 3d printing
1 vulnerability
1 grammar
1 augmented reality
1 Themes
1 Speakers
1 cloud
1 skateboarding
1 HIV
2 painting
2 mining
2 origami
2 evil
2 nuclear weapons
2 pandemic
2 conservation
2 funny
2 television
2 urban

SELECT COUNT( tag ) , tag
FROM tags
GROUP BY tag
ORDER BY COUNT( tag ) ASC

Most viewed talks

Quite possibly wrong.

999910   A new kind of job market
999152   How to grow a tiny forest anywhere
998939   I believe we evolved from aquatic apes
998234   Is anatomy destiny?
998218   Get your next eye exam on a smartphone
997791   How Mr. Condom made Thailand a better place for li…
997437   Anatomy of a New Yorker cartoon
997409   How butterflies self-medicate
996048   A powerful poem about what it feels like to be tra…
995980   A Magna Carta for the web
995836   Seas of plastic
995023   How synchronized hammer strikes could generate nu…
994892   The lost art of democratic debate
994208   My wish: Protect our oceans
993977   Be passionate. Be courageous. Be your best.
993519   The sound the universe makes
991659   Creative houses from reclaimed stuff
991413   Our century’s greatest injustice
991107   How to read the genome and build a human being
990965   Watson, Jeopardy and me, the obsolete know-it-all
990621   The birth of Wikipedia
989093   Institutions vs. collaboration
989009   Are we ready for neo-evolution?
988772   How art, technology and design inform creative lea…
988724   The shrimp with a kick!
988671   How we cut youth violence in Boston by 79 percent
988000   Design for people, not awards
98784   Let’s bridge the digital divide!
985947   A mouse. A laser beam. A manipulated memory.
985910   Augmented reality, techno-magic

select times_seen,title from talks
order by times_seen desc;

Tags of the most popular talks


There’s a very good chance I got the sql wrong on this.

tag   total times viewed

culture 838422406
technology 786923853
science 643447348
business 502015257
global issues 496430414
TEDx 455208451
entertainment 454656101
design 438630037
education 300884017
psychology 254105678
creativity 253564686
brain 247466263
arts 237680317
health 229849451
economics 170768562
politics 167696727
music 156026971
happiness 152902998
storytelling 152901475
art 150698303
biology 150041947
medicine 148259678
children 145085756
humor 135238512
TED Fellows 132508655
innovation 131199988
invention 131005556
work 128498631
social change 126931374
performance 126748070
communication 123383482
photography 117563973
women 112713285
TED Brain Trust 112432190
society 110938282
future 107266930
leadership 105273096
environment 105248603
activism 102566309
life 101140951
cities 101137670
demo 99763884
history 99190820
animals 97888183
evolution 96694769
computers 96482674
collaboration 95467954
health care 89321143
humanity 86872761
writing 83887498
war 82927410
nature 82570058
success 82167936

SELECT DISTINCT tags.tag , sum(talks.times_seen) FROM tags
INNER JOIN talks ON tags.talkid = talks.talkid
GROUP BY tags.tag
ORDER BY SUM( talks.times_seen ) DESC
LIMIT 3,53; -- MySQL "LIMIT offset, count": skips the three highest-ranked tags and returns the next 53

Tags of least popular talks

HIV 425898
refugees 600837
skateboarding 636577
chautauqua 685869
South America 750182
grammar 798075
cello 1067130
vulnerability 1161544
Criminal Justice 1169914
augmented reality 1173622
vocals 1294926
painting 1458681
3d printing 1533524
Moon 1648828
cloud 1722064
nuclear weapons 1770997
oil 1881325
pandemic 1916790
One Laptop Per Child 2041228
glacier 2152056
conservation 2292578
urban 2298278
origami 2356218
television 2400358
microfinance 2473192
mining 2548989
charter for compassion 2820656
street art 3166364
TED-Ed 3192662
wind energy 3235963
epidemiology 3266959
ants 3295524
state-building 3479554
solar 3548619
Guns 3575760
apes 3595746
Addiction 4216103
mobility 4229741
code 4428049
geology 4581536
New York 4614232
Brand 4661846
rocket science 4669955
cyborg 4689850
capitalism 4745782
primates 4771987
machine learning 4915396
natural disaster 4990286
nuclear energy 5001603
meme 5066551
novel 5120690
immigration 5350061
Vaccines 5374354

same as above, but ascending

The post The World According to TED appeared first on Joho the Blog.

by davidw at August 14, 2016 03:26 PM

Coinstar's list of unacceptable items seems to have been written by Tim Burton

Coinstar makes vending machines into which you drop coins and from which you get bills or gift cards. Its list of unacceptable items is quite odd, presumably intentionally.

unacceptable items

I’d think that this is based on things people have actually tried to shove into Coinstar slots, except I don’t see “fishing line with gum at its end” or “your dick” on the list.

(Tip o’ the hat to my brother Andy who definitely was not trying to “redeem” 70,000 #6 steel washers.)

The post Coinstar's list of unacceptable items seems to have been written by Tim Burton appeared first on Joho the Blog.

by davidw at August 14, 2016 02:10 PM

ProjectVRM
If it weren’t for retargeting, we might not have ad blocking

This is a shopping vs. advertising story that starts with the JBL Flip 2 portable speaker I bought last year, when Radio Shack was going bankrupt and unloading gear in “Everything Must Go!” sales. I got it half-off for $50, choosing it over competing units on the same half-bare shelves, mostly because of the JBL name, which I’ve respected for decades. Before that I’d never even listened to one.

The battery life wasn’t great, but the sound it produced was much better than anything my laptop, phone or tablet put out. It was also small, about the size of a beer can, so I could easily take it with me on the road. Which I did. A lot.

Alas, like too many other small devices, the Flip 2’s power jack was USB micro-b. That’s the tiny flat one that all but requires a magnifying glass to see which side is up, and tends to damage the socket if you don’t slip it in exactly right, or if you force it somehow. While micro-b jacks are all design-flawed that way, the one in my Flip 2 was so awful that it took great concentration to make sure the plug jacked in without buggering the socket.

Which happened anyway. One day, at an AirBnB in Maine, the Flip 2’s USB socket finally failed. The charger cable would fit into the socket, but the socket was loose, and the speaker wouldn’t take a charge. After efforts at resuscitation failed, I declared the Flip 2 dead.

But I was still open to buying another one. So, to replace it, I did what most of us do: I went to Amazon. Naturally, there were plenty of choices, including JBL Flip 2s and newer Flip 3s, at attractive prices. But Consumer Reports told me the best of the bunch was the Bose Soundlink Color, for $116.

So I bought a white Bose, because my wife liked that better than the red JBL.

The Bose filled Consumer Reports’ promise. While it isn’t stereo, it sounds much better than the JBL (voice quality and bass notes are remarkable). It’s also about the same size (though with a boxy rather than a cylindrical shape), has better battery life, and a better user interface. I hate that it charges through a micro-b jack, but at least this one is easier to plug and unplug than the Flip 2 had been. So that story had a happy beginning, at least for me and Bose.

It was not happy, however, for me and Amazon.

Remember when Amazon product pages were no longer than they needed to be? Those days are gone. Now pages for every product seem to get longer and longer, and can take forever to load. Worse, Amazon’s index page is now encrusted with promotional jive. Seems like nearly everything “above the fold” (before you scroll down) is now a promo for Amazon Fashion, the latest Kindle, Amazon Prime, or the company credit card—plus rows of stuff “inspired by your shopping trends” and “related to items you’ve viewed.”

But at least that stuff risks being useful. What happens when you leave the site, however, isn’t. That’s because, unless you’re running an ad blocker or tracking protection, Amazon ads for stuff you just viewed, or put in your shopping cart, follow you from one ad-supported site to another, barking at you like a crazed dog. For example:

amazon1

I lost count of how many times, and in how many places, I saw this Amazon ad, or one like it, for one speaker, the other, or both, after I finished shopping and put the Bose speaker in my cart.

Why would Amazon advertise something at me that I’ve already bought, along with a competing product I obviously chose not to buy? Why would Amazon think it’s okay to follow me around when I’m not in their store? And why would they think that kind of harassment is required, or even okay, especially when the target has been a devoted customer for more than two decades, and sure to return and buy all kinds of stuff anyway?  Jeez, they have my business!

And why would they go out of their way to appear both stupid and robotic?

The answers, whatever they are, are sure to be both fully rationalized and psychotic, meaning disconnected from reality, which is the marketplace where real customers live, and get pissed off.

And Amazon is hardly alone at this. In fact the practice is so common that it became an Onion story in October 2018: Woman Stalked Across 8 Websites By Obsessed Shoe Advertisement.

The ad industry calls this kind of stalking “retargeting,” and it is the most obvious evidence that we are being tracked on the Net. The manners behind this are completely at odds with those in the physical world, where no store would place a tracking beacon on your body and use it to follow you everywhere you go after you leave. But doing exactly that is pro forma for marketing in the digital world.

When you click on that little triangular symbol in the corner of the ad, you can see how the “interactive” wing of the advertising business, generally called adtech, rationalizes surveillance:

The program is called AdChoices, and it’s a creation of those entities in the lower right corner. The delusional conceits behind AdChoices are many:

  1. That Ad Choices is “yours.” It’s not. It’s theirs.
  2. That “right ads” exist, and that we want them to find us, at all times.
  3. That making the choices they provide actually gives us control of advertising online.
  4. That our personal agency—the power to act with full effect in the world—is a grace of marketers, and not of our own independent selves.

Not long after I did that little bit of shopping on Amazon, I also did a friend the favor of looking for clothes washers, since the one in her basement crapped out and she’s one of those few people who don’t use the Internet and never will. Again I consulted Consumer Reports, which recommended a certain LG washer in my friend’s price range. I looked for it on the Web and found the best price was at Home Depot. So I told her about it, and that was that.

For me that should have been the end of it. But it wasn’t, because now I was being followed by Home Depot ads for the same LG washer and other products I wasn’t going to buy, from Home Depot or anybody else. Here’s one:

homedepot1

Needless to say, this didn’t endear me to Home Depot, to LG, or to any of the sites where I got hit with these ads.

All these parties failed not only in their mission to sell me something, but to enhance their own brands. Instead they subtracted value for everybody in the supply chain of unwelcome tracking and unwanted message targeting. They also explain (as Don Marti does here) why ad blocking has grown exactly in pace with growth in retargeting.

I subjected myself to all this by experimentally turning off tracking protection and ad blockers on one of my browsers, so I could see how the commercial Web works for the shrinking percentage of people who don’t protect themselves from this kind of abuse. I do a lot of that, as part of my work with ProjectVRM. I also experiment a lot with different kinds of tracking protection and ad blocking, because the developers of those tools are encouraged by that same work here.

For those new to the project, VRM stands for Vendor Relationship Management, the customer-side counterpart of Customer Relationship Management, the many-$billion business by which companies manage their dealings with customers—or try to.

Our purpose with ProjectVRM is to encourage development of tools that give us both independence from the companies we engage with, and better ways of engaging than CRM alone provides: ways of engaging that we own, and are under our control. And relate to the CRM systems of the world as well. Our goal is VRM+CRM, not VRM vs. CRM.

Ad blocking and tracking protection are today at the leading edge of VRM development, because they are popular and give us independence. Engagement, however, isn’t here yet—at least not at the same level of popularity. And it probably won’t get here until we finish curing business of the brain cancer that adtech has become.

by Doc Searls at August 14, 2016 05:01 AM

August 12, 2016

Ivan Sigal
Aug 12, 2016 @ 09:38 CET

kusters_aug12_2016

Dear Ivan,

I stood at Flossenburg recording the silence at the grounds of the former concentration camp, like I’ve slowly been doing all along. After I was done, in the distance, I heard the sound of children playing. I didn’t make much of it, until I realised that many post war houses are built literally on the former camp grounds here. Families. Life going on. The camp is of course monument, remembrance, as it should be. But those houses are maybe the single most powerful statement to be made in light of this all: here is life, and it chooses to go on. The simple act of living being the deepest ‘acte de défi’ possible to what this camp represented: the act of destructing life.

But indeed, on to lighter thoughts.

As per your advice I started reading “Tokyo Year Zero” by David Peace, and – the heavy topic aside – I’m very much taken by the style in which he writes. He seems to capture things that I’ve encountered many times on my travels to Japan, in a very unique and refreshing way. His novel also made me think of Watabe Yukichi’s wonderful book “A criminal investigation”, which verses the same subtleties of post-war Japan, but through images.

And of course, my mind now makes connections between the two… How can I not see Yukichi’s investigator as Peace’s detective Minami. Both set in Tokyo. Both about a criminal investigation in post war times. Both are crucial to better understanding a reality. That relentless inner voice.

Understanding becomes vividly different when actually immersed in the reality of what one wants to understand. And oddly enough, virtual reality is an incredible tool for this. How it feels to stand in a refugee camp with no context other than you’re running from a war. How it feels to be led into a concentration camp to be worked to death without hope. How it feels to walk through the ruins of a firebombed city in search of sanity.

Most probably I myself can’t help categorising either. But maybe simply knowing I’m doing this is enough?

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters. @ivansigal and @antonkusters on Instagram ///

by Anton Kusters at August 12, 2016 01:56 PM

Bruce Schneier
Hacking Electronic Safes

Nice attack against electronic safes:

Plore used side-channel attacks to pull it off. These are ways of exploiting physical indicators from a cryptographic system to get around its protections. Here, all Plore had to do was monitor power consumption in the case of one safe, and the amount of time operations took in the other, and voila, he was able to figure out the keycodes for locks that are designated by independent third-party testing company Underwriter's Laboratory as Type 1 High Security. These aren't the most robust locks on the market by any means, but they are known to be pretty secure. Safes with these locks are the kind of thing you might have in your house.

by Bruce Schneier at August 12, 2016 11:52 AM
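A simulated version of the timing side channel the quote describes, added here as an example; it is not Plore's code, and the hypothetical lock is not any of the UL-rated products he tested. A per-check operation counter stands in for the power trace or stopwatch so the run is deterministic and offline; the keycode, the lock class and the recovery routine are all constructed for this example. The leaky check returns at the first wrong digit, so the amount of work it does leaks how many leading digits were right; the constant-time variant beside it does the same work regardless and defeats the recovery.

```python
"""Added example (not Plore's code): a timing/power side channel on a
keycode check that bails out at the first wrong digit. An operation counter
stands in for the measured trace so the run is deterministic and offline."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SimulatedLock:
    """Hypothetical lock firmware. `ops` models what a power or timing trace
    would reveal: how much work the check did before it decided."""
    code: List[int]
    constant_time: bool = False
    ops: int = field(default=0, init=False)
    attempts: int = field(default=0, init=False)

    def check(self, attempt: List[int]) -> bool:
        assert len(attempt) == len(self.code), "fixed-length keypad entry"
        self.attempts += 1
        self.ops = 0
        if self.constant_time:
            # Hardened: always walk every digit and accumulate the mismatch,
            # so the work done is independent of the secret.
            diff = 0
            for a, b in zip(attempt, self.code):
                self.ops += 1
                diff |= a ^ b
            return diff == 0
        # Leaky: the early return makes the work done depend on how many
        # leading digits of the attempt were correct.
        for a, b in zip(attempt, self.code):
            self.ops += 1
            if a != b:
                return False
        return True


def recover_code(lock: SimulatedLock, length: int, alphabet=range(10)) -> Optional[List[int]]:
    """Digit-at-a-time recovery: for each position try every digit and keep
    the one whose check did the most work. Returns the code, or None when the
    trace does not separate the candidates (the constant-time case)."""
    known: List[int] = []
    for pos in range(length):
        trace = {}
        for d in alphabet:
            attempt = known + [d] + [0] * (length - pos - 1)
            if lock.check(attempt):
                return attempt  # the lock opened: padding happened to be right too
            trace[d] = lock.ops
        top = max(trace.values())
        best = [d for d, ops in trace.items() if ops == top]
        if len(best) != 1:
            return None  # every candidate looked identical: no leak to use
        known.append(best[0])
    return None


if __name__ == "__main__":
    secret = [4, 7, 1, 3, 0, 9]  # constructed keycode for the example
    leaky = SimulatedLock(secret)
    print("leaky lock ->", recover_code(leaky, len(secret)), "after", leaky.attempts, "tries")
    hardened = SimulatedLock(secret, constant_time=True)
    print("constant-time lock ->", recover_code(hardened, len(secret)), "after", hardened.attempts, "tries")
```

Against the leaky check the six-digit code falls in at most 60 tries instead of up to a million, which is the shape of the "figure out the keycodes" result in the quote; against the constant-time check the first ten traces are indistinguishable and the attack has nothing to work with. On real hardware the counter is replaced by a power or timing measurement with noise, so each candidate is measured several times and averaged, but the digit-at-a-time structure is the same.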

Scott Atran on Why People Become Terrorists

Scott Atran has done some really interesting research on why ordinary people become terrorists.

Academics who study warfare and terrorism typically don't conduct research just kilometers from the front lines of battle. But taking the laboratory to the fight is crucial for figuring out what impels people to make the ultimate sacrifice to, for example, impose Islamic law on others, says Atran, who is affiliated with the National Center for Scientific Research in Paris.

Atran's war zone research over the last few years, and interviews during the last decade with members of various groups engaged in militant jihad (or holy war in the name of Islamic law), give him a gritty perspective on this issue. He rejects popular assumptions that people frequently join up, fight and die for terrorist groups due to mental problems, poverty, brainwashing or savvy recruitment efforts by jihadist organizations.

Instead, he argues, young people adrift in a globalized world find their own way to ISIS, looking to don a social identity that gives their lives significance. Groups of dissatisfied young adult friends around the world, often with little knowledge of Islam but yearning for lives of profound meaning and glory, typically choose to become volunteers in the Islamic State army in Syria and Iraq, Atran contends. Many of these individuals connect via the internet and social media to form a global community of alienated youth seeking heroic sacrifice, he proposes.

Preliminary experimental evidence suggests that not only global terrorism, but also festering state and ethnic conflicts, revolutions and even human rights movements -- think of the U.S. civil rights movement in the 1960s -- depend on what Atran refers to as devoted actors. These individuals, he argues, will sacrifice themselves, their families and anyone or anything else when a volatile mix of conditions are in play. First, devoted actors adopt values they regard as sacred and nonnegotiable, to be defended at all costs. Then, when they join a like-minded group of nonkin that feels like a family, a band of brothers, a collective sense of invincibility and special destiny overwhelms feelings of individuality. As members of a tightly bound group that perceives its sacred values under attack, devoted actors will kill and die for each other.

Paper.

EDITED TO ADD (8/13): Related paper, also by Atran.

by Bruce Schneier at August 12, 2016 07:26 AM

August 11, 2016

Ethan Zuckerman
When attention matters: Ethiopia crushes dissent in Oromia

As an advocate for Americans to pay more attention to international news, I often get the question, “Why bother? What can I do?”

It’s a good question. Most of the time, there’s very little actionable in international news. Understanding the impeachment of Dilma Rousseff might be useful if you’re an investor in emerging markets, but it’s unlikely that your attention can change the shape of events in Brazil.

That might not be the case in Ethiopia.

Ethiopia is Africa’s third most populous nation, and is near the top of the league table in repression as well, with at least ten journalists in prison for exercising their rights to report freely. The former prime minister, Meles Zenawi, ruled from 1995 to his death in 2012, and his successor, Hailemariam Desalegn, looks awfully secure in his job as the ruling EPRDF and its allies won all 546 parliamentary seats in the last election.

Oromo protesters in Addis Ababa, Ethiopia

While Ethiopia is populated by dozens of ethnic groups, most senior members of the ruling party are of Tigray origin, a group that represents about 6% of the population, but which led the guerrilla war that defeated the Derg, the communist military junta that ran Ethiopia from 1975 to 1991. Many Oromo (34% of the population) and Amhara (27% of the population) feel marginalized by the Tigrayan government, a situation that has grown more tense as the government has announced plans to expand the capital Addis Ababa into traditional Oromo lands and farmers feared their lands would be seized.

Protests have been ongoing since November, but they turned bloody this weekend as the Ethiopian security forces used live ammunition to disperse crowds, killing as many as 100. (This, unfortunately, is standard procedure in Ethiopian crowd control – sadly, I’ve been writing about it for more than a decade.) Human Rights Watch reports that up to 400 have been killed by the government and tens of thousands arrested in protests thus far.

Of course, it’s hard to know what’s actually going on in Ethiopia. As protests have heated up, Ethiopia shut down the internet in provinces where people have taken to the streets, hoping to disrupt organizers. (This isn’t hard, as there’s one ISP and one telephone company in Ethiopia.) A shutdown earlier this year, which coincided with protests spreading into the north of the country, was evidently done for the benefit of university students, to keep them from cheating on exams. Given the government’s tendency to arrest reporters or bloggers and imprison them for years (Ethiopian bloggers affiliated with Global Voices were held for 18 months in prison), the exact details of what’s happening in Ethiopia can be very hard to pin down.

So here’s where you ask, “So what? What can I do?”

Well, international opinion actually matters to Ethiopia. Ethiopia is a military ally of the United States, and we send nearly a billion dollars in aid, mostly development and food aid per year. Shamefully, Addis Ababa is the diplomatic capital of Africa, home to the African Union. As human rights abuses get out of hand in Ethiopia, the US has limited aid in the past, and the AU occasionally threatens to grow a spine. The UN is now asking to put observers in Ethiopia, which the government is resisting.

The biggest help the world can give the Ethiopian government is ignoring what’s going on. It’s summer, it’s hot, the Olympics are on, and Trump says something insane every other day. There’s not a lot of space in the daily newspaper for a crackdown in Ethiopia. But international attention is one of the few ways to keep Ethiopia’s insanely repressive government in check.

So please follow what’s going on in Ethiopia. We’re writing lots about it on Global Voices. OPride offers moment to moment updates on protests in Oromia. NPR, BBC and Al Jazeera are all actively covering the story, even if most US media has adopted the “all Trump, all the time” format. Reward their stories with your attention, talk about Ethiopia on social media and help other people pay attention to this story. There’s not much you can do to prevent Ethiopia from crushing a rebellion, but you can make it hard for them to do it silently, unwitnessed by the rest of the world.


Global Voices author Endalk is mapping protest deaths in Oromia on this interactive map. Warning, some of the images are disturbing.

by Ethan at August 11, 2016 06:58 PM

Bruce Schneier
Hacking Your Computer Monitor

Here's an interesting hack against a computer's monitor:

A group of researchers has found a way to hack directly into the tiny computer that controls your monitor without getting into your actual computer, and both see the pixels displayed on the monitor -- effectively spying on you -- and also manipulate the pixels to display different images.

I've written a lot about the Internet of Things, and how everything is now a computer. But while it's true for cars and refrigerators and thermostats, it's also true for all the parts of your computer. Your keyboard, hard drives, and monitor are all individual computers, and what you think of as your computer is actually a collection of computers working together. So just as the NSA directly attacks the computer that is the hard drive, this attack targets the computer that is your monitor.

by Bruce Schneier at August 11, 2016 06:09 PM

Bruce Schneier
Hackers Stealing Cars

We're seeing car thefts in the wild accomplished through hacking:

Houston police have arrested two men for a string of high-tech thefts of trucks and SUVs in the Houston area. The Houston Chronicle reports that Michael Armando Arce and Jesse Irvin Zelaya were charged on August 4th, and are believed to be responsible for more than 100 auto thefts. Police said Arce and Zelaya were shuttling the stolen vehicles across the Mexican border.

[...]

The July video shows the thief connecting a laptop to the Jeep before driving away in it. A Fiat-Chrysler spokesman told ABC News that the thieves used software intended to be used by dealers and locksmiths to reprogram the vehicle's keyless entry and ignition system.

by Bruce Schneier at August 11, 2016 11:32 AM

August 09, 2016

Ethan Zuckerman
Protected: The village of peace… and of coca leaves

This content is password protected. To view it please enter your password below:

by Ethan at August 09, 2016 10:45 PM

Bruce Schneier
Malware from Kazakhstan

EFF has the story of malware from the Kazakhstan government against "journalists and political activists critical of Kazakhstan's authoritarian government, along with their family members, lawyers, and associates."

by Bruce Schneier at August 09, 2016 07:14 PM

Center for Research on Computation and Society (Harvard SEAS)
Engineering and Entrepreneurship: The Internet of Things

Engineering and Entrepreneurship: The Internet of Things

Friday, September 30, 2016

8:30am - 2:30pm

by kmavon at August 09, 2016 02:13 PM

Bruce Schneier
How the Iranian Government Hacks Dissidents

Citizen Lab has a new report on an Iranian government hacking program that targets dissidents. From a Washington Post op-ed by Ron Deibert:

Al-Ameer is a net savvy activist, and so when she received a legitimate looking email containing a PowerPoint attachment addressed to her and purporting to detail "Assad Crimes," she could easily have opened it. Instead, she shared it with us at the Citizen Lab.

As we detail in a new report, the attachment led our researchers to uncover an elaborate cyberespionage campaign operating out of Iran. Among the malware was a malicious spyware, including a remote access tool called "Droidjack," that allows attackers to silently control a mobile device. When Droidjack is installed, a remote user can turn on the microphone and camera, remove files, read encrypted messages, and send spoofed instant messages and emails. Had she opened it, she could have put herself, her friends, her family and her associates back in Syria in mortal danger.

Here's the report. And a news article.

by Bruce Schneier at August 09, 2016 10:26 AM

August 08, 2016

Ivan Sigal
Aug 08, 2016 @ 09:03 EST

Dear Anton,

It’s probably not a good idea to read about the Holocaust before bed. I had thought to shift to a lighter topic today, but I dozed off reading the following passage (Snyder again), and it’s too relevant to your last note not to share: “Our contemporary culture of commemoration takes for granted that memory prevents murder…The dead are remembered, but the dead do not remember. Someone else had the power, and someone else decided how they died. Later on, someone else still decides why. When meaning is drawn from killing, the risk is that more killing would bring more meaning.”

Not to say that your project, which is clearly about memory, is making any kind of definitive claim to commemoration. If anything it’s contesting standard representations: war museums, statuary, and their uses as instruments of history. And I like that you are noting, as you travel, the narrow particulars of place, the gravel underfoot, a painted metal picnic table outside the highway rest stop, the yellow flowers in the car park.

This morning I woke thinking about categories and why we make them, about how they were used to such devastating effect by the Nazis, and by the Soviets. Stalin both insisted on classifications of individuals within society, and continually shifted and blurred the lines between those categories. Affiliation with a class or later on, an ethnicity became both profoundly important and dangerous, for too great an attachment to one form would condemn you at the next phase shift, when you suddenly found yourself cast out of a protected class, or when your class was simply exterminated.

As to why that’s relevant: I suppose I’m wondering how it is that categories sit so uneasily with us. That you are cutting across genres and practices with this work. Affiliation with a category still poses mortal threats for many in this time, as for others in the recent past.

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters. @ivansigal and @antonkusters on Instagram ///

Dear Anton,

It’s probably not a good idea to read about the Holocaust before bed. I had thought to shift to a lighter topic today, but I dozed off reading the following passage (Snyder again), and it’s too relevant to your last note not to share: “Our contemporary culture of commemoration takes for granted that memory prevents murder…The dead are remembered, but the dead do not remember. Someone else had the power, and someone else decided how they died. Later on, someone else still decides why. When meaning is drawn from killing, the risk is that more killing would bring more meaning.”

Not to say that your project, which is clearly about memory, is making any kind of definitive claim to commemoration. If anything it’s contesting standard representations: war museums, statuary, and their uses as instruments of history. And I like that you are noting, as you travel, the narrow particulars of place, the gravel underfoot, a painted metal picnic table outside the highway rest stop, the yellow flowers in the car park.

This morning I woke thinking about categories and why we make them, about how they were used to such devastating effect by the Nazis, and by the Soviets. Stalin both insisted on classifications of individuals within society, and continually shifted and blurred the lines between those categories. Affiliation with a class or, later on, an ethnicity became both profoundly important and dangerous, for too great an attachment to one form would condemn you at the next phase shift, when you suddenly found yourself cast out of a protected class, or when your class was simply exterminated.

As to why that’s relevant: I suppose I’m wondering how it is that categories sit so uneasily with us. That you are cutting across genres and practices with this work. Affiliation with a category still poses mortal threats for many in this time, as for others in the recent past. 

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters. @ivansigal and @antonkusters on Instagram ///

by Ivan Sigal at August 08, 2016 01:03 PM

August 06, 2016

Ivan Sigal
Aug 06, 2016 @ 22:46 CET

kusters_aug6_2016

Dear Ivan,

Yet again in a lone hotel room on my travels. Glad they exist of course, but sometimes one longs for a little change.

I started The Blue Skies Project to try and understand. I went to Auschwitz four years ago, trying to comprehend what my grandfather would have faced if he hadn’t escaped the SS raiding his house that night. There in Oświęcim that winter morning between the camp barracks, the snow barely covering the earth below, a thin veil not hiding, a thin cloak not sheltering, I looked up at a cold blue sky.

Many must have looked up at that same sky, without hope. But what if the perished were still up there. What if I photographed that sky, full of them, what would the chance be that I’d have literally photographed every single victim? Impossible, of course. Yet I already felt their presence.

Since then, I’ve been traveling. Experiencing the reality down here, the memorials, the houses, the streets, the fields, the forests. 1075 camps. The life that goes on below. And every time I look up, standing on that very ground, and look directly at every victim. Tiptoeing and reaching does not bring me closer, yet I catch myself doing it, every time. Days of silence.

We have the benefit of hindsight, of course. That’s why the film “Son of Saul” is so gripping to me. Choosing that particular camera point of view, over-the-shoulder, extremely narrow, exactly as it was for the deported: nobody could understand the broader context of what was happening. László Nemes powerfully makes that clear to us, forces us to look and understand as the victims did. Without hope.

I bought a chair yesterday. A chair to take with me, so that when I see a place with a distance I can stop, sit, and stare into it. Sitting and staring into the distance once in a while, is a good thing to do. I think I’d like to sit and stare into one of your sunflower fields someday.

/// #image_by_image is an ongoing conversation between photographers Ivan Sigal and Anton Kusters. @ivansigal and @antonkusters on Instagram ///

by Anton Kusters at August 06, 2016 09:01 PM

August 05, 2016

Bruce Schneier
Friday Squid Blogging: Squid Ink Soda

You can order a cocktail made with squid ink soda at Hank's Oyster Bar in Washington, DC.

by Bruce Schneier at August 05, 2016 09:22 PM

Feeds In This Planet