
Every Space Mission Ever Flown On One Map | The Big Picture


URL:http://www.ritholtz.com/blog/2009/10/every-space-mission-ever-flown-on-one-map/


This is a very cool depiction of every space mission over the past 50 years, overlaid on one map of the solar system.

Each line traces the path of a different space mission or satellite launch.

Notable missions (including failures) are included, as are those from different countries . . .


Original image via National Geographic

http://books.nationalgeographic.com/map/map-day/index

via flickr

Category: Science, Weekend


The War on Terror's Jedi Mind Trick - Atlantic Mobile


URL:http://m.theatlantic.com/politics/archive/2013/12/the-war-on-terrors-jedi-mind-trick/282620/


General Keith Alexander finds your lack of faith disturbing. (Hyungwon Kang/Reuters)

A Republican-appointed judge and President Obama’s own handpicked Surveillance Review Group both came to the same conclusion last week: The National Security Agency’s controversial phone-records program has been of little real value to American security. Yet its defenders continue to insist that it is necessary, clinging desperately to long-debunked claims about foiled terror plots. Their stubbornness fits a decade-long pattern of fear trumping evidence whenever the word “terrorism” is uttered—a pattern it is time to finally break.

Since the disclosure of the NSA’s massive domestic phone-records database, authorized under a tortured reading of the Patriot Act’s Section 215 authority to obtain business records, intelligence officials and their allies in Congress have claimed it plays a vital role in protecting Americans from “dozens” of terror attacks. But as the expert panel Obama appointed to review the classified facts concluded, in a report released Wednesday, that just isn’t true.

“Our review suggests that the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks,” the report found, “and could readily have been obtained in a timely manner using conventional section 215 orders.” 

In other words, instead of vacuuming up sensitive information about the call patterns of millions of innocent people, the government could have followed the traditional approach of getting orders for specific suspicious numbers. As for those “dozens” of attacks, the Review Group found that the NSA program “generated relevant information in only a small number of cases, and there has been no instance in which NSA could say with confidence that the outcome would have been different without the section 215 telephony meta-data program.”


The report came just days after Judge Richard Leon, appointed in 2001 by President George W. Bush, found the telephony program likely violated the Constitution. Leon found the program’s invasion of privacy especially troubling given the “utter lack of evidence that a terrorist attack has ever been prevented because searching the NSA database was faster than other investigative tactics,” and declared himself unconvinced that the program “has ever truly served the purpose of rapidly identifying terrorists in time-sensitive investigations.”

Leon’s opinion cited a thorough report by ProPublica documenting holes in the intelligence community’s talking points, including a “foiled plot” to bomb the New York Stock Exchange that appears to have been largely imaginary. The suspects in that case were never charged with planning an attack: The real “plot” seems to have been to con an American terror sympathizer out of funds his foreign contacts hoped to use to open an appliance store.

This confirms what informed critics of the program have been saying for some time. In an amicus brief recently filed in support of an ACLU lawsuit, several senators with access to the classified details argue that there is “no evidence that the bulk collection of Americans’ phone records has provided any intelligence of value that could not have been gathered through less intrusive means.” 

Even the FBI may not believe its own public rhetoric in support of the program. An exchange reported in Garrett Graff’s book The Threat Matrix quotes former FBI director Robert Mueller describing what appears to be the 215 phone program as a “useless time suck.”

In fact, the very first use of the 215 authority was not to gather up bulk phone records; it was a bit of show for the benefit of Congress. As documented in an exhaustive 2007 report by the Justice Department’s inspector general, the FBI had been relying on another Patriot Act authority to obtain phone records. But by 2003, as one FBI attorney explained to the Inspector General, “there was a recognition that the FBI needed to begin obtaining Section 215 orders because… Congress would be scrutinizing the FBI’s use of the authority in determining whether to renew the authority.” In other words, the power wasn’t used because it was necessary: It was used to convince Congress that it was necessary.

And yet on Thursday, White House Press Secretary Jay Carney stuck to the same discredited talking points, calling the program an “important tool” and falsely claiming that “at least 50 threats that have been averted because of this information, so lives have been saved.”

Unfortunately, Carney’s stubbornness is no aberration, but part of a pattern we’ve seen all too often over the past decade. Just like the NSA, we now have more than enough data to “connect the dots.”

President Bush authorized the NSA to conduct wireless phone wiretaps shortly after the September 11 attacks. When The New York Times revealed the program, administration officials insisted it was effective and vitally important. Former NSA Director Michael Hayden claimed that it had “been successful in detecting and preventing attacks inside the United States,” while Vice President Cheney went further, asserting that the program had “saved thousands of lives.”

When the intelligence community’s inspectors general finally published an unclassified report on the program, however, it noted that officials “had difficulty citing specific instances where [the program] had directly contributed to counterterrorism successes.” A senior CIA official told NSA historian Matthew Aid: “We spent a ton on the program but got back very little in the way of solid returns. I don’t think it was worth the money.” 

Intelligence officials have hailed “fusion centers”—information-sharing hubs massively funded by the Department of Homeland Security over the past decade—as a “vital, proven tool” and a “centerpiece of our counterterrorism strategy.” Just last year an extensive, bipartisan Senate investigation concluded the centers had produced no useful counterterror intelligence but had risked violating the Privacy Act by generating reports of citizens’ First Amendment protected activities. Various “success stories” invoked to show the usefulness of the centers, the Senate investigation found, did not stand up to scrutiny.


In other cases, rather than claiming bogus success stories, the officials have sought to expand their powers by blaming inadequate surveillance authorities for intelligence failures.

Consider, for example, the “lone wolf” authority approved soon after 9/11, which allows powerful foreign intelligence surveillance tools to be used against terror suspects without any demonstrable link to a foreign group. The need for this never-used power was supposedly illustrated by the case of “20th Hijacker” Zacarias Moussaoui, whose laptop the FBI supposedly failed to search in time to discover the planned attack on the World Trade Center because agents could not show an adequate tie to foreign terrorists.

Yet a very different picture emerged in a scathing 2003 Senate Judiciary Committee report. After the attacks, the report noted, investigators were able to obtain a conventional warrant using the same evidence that had previously been considered inadequate. A warrant hadn’t been obtained earlier because supervisors at FBI Headquarters had failed to link related reports from different field offices, or to pass those reports on to the lawyers tasked with determining when a FISA warrant should be sought, and misunderstood the scope of their own existing legal authorities. "In performing this fairly straightforward task," the report concludes, "FBI headquarters personnel failed miserably."

Then there’s the tale of three captured soldiers in Iraq, invoked in 2007 to show the need for the predecessor to the FISA Amendments Act, the basis for the NSA’s PRISM program. The secret Foreign Intelligence Surveillance Court had supposedly ruled that even totally foreign communications could not be intercepted without a warrant if they were picked up as they passed through the United States. As a result, claimed then-Director of National Intelligence Michael McConnell, a time-sensitive effort to wiretap the insurgents believed to be holding the soldiers was delayed for 12 hours.

Only later did it become clear that the delay was due to internal bureaucratic wrangling, not the new court ruling—which had not even taken effect yet, and in any event, would not have required the government to obtain a warrant in such an emergency situation. As James Bamford recounts in his book The Shadow Factory, it turned out that several of the subjects of that wiretap were already under surveillance, but it didn’t matter: The NSA’s primary target was quickly captured by troops in the field, and found to have been uninvolved in the kidnapping.

Perhaps most egregious is the case of Magdy Mahmoud Mostafa el-Nashar, a former acquaintance of the perpetrators of the 2005 London transit-system bombings. Though he was ultimately cleared of any wrongdoing, FBI Director Robert Mueller later told Congress that investigators had been delayed in obtaining the suspect’s education records because they were not covered by the bureau’s National Security Letter authorities—supposedly showing the need for a broader power to demand records without judicial approval. “We should've been able to have a document, an administrative subpoena that we took to the university and got those records immediately,” Mueller testified.

Yet it later came out that an FBI agent had quickly obtained the records under a traditional grand-jury subpoena—then, with the documents in hand, been ordered over the phone to return them and try again with an NSL, even though NSLs clearly didn’t apply to education records. The FBI had, in other words, created its own unnecessary delay, then used the story to claim it needed more power.

While we may sometimes have to trade a bit of privacy for greater security, the Review Group rightly argues that we must demand evidence that we are really getting that security, relying on rigorous cost-benefit analysis rather than dramatic anecdotes. After a decade of bogus claims that intrusive programs are necessary to keep us safe, it is high time for Americans and lawmakers to stop being played for suckers.

geohot presents an evasi0n7 writeup


URL:http://geohot.com/e7writeup.html


Hi, I'm on a plane from SFO to New York, and made something for you. Not even a rap song.

******* geohot(@tomcr00se) presents an evasi0n7 writeup *******

== Intro ==

I was bored, reversed, wrote this write-up, and wanted to do something with it. I tried to sell it to the Chinese for $7 and a trip to the Pizza Hut salad bar, but it turns out all the Pizza Huts in China don't have salad bars anymore, so the deal was called off.

This writeup takes place from the perspective of evasi0n7. Fuck secrets. Note that this writeup doesn't help Apple, I got this by reversing the public evasi0n binary, which they can, and do do. Also note, I found nothing sketchy in my reversing, your phones most likely aren't being backdoored by Chinese. If I ever touch jailbreaking again, which is unlikely(until ARM128 comes out, I only touched the game again for the love of ARM64), no more secrets. Full disclosure time, I was working on a public, free of charge, china not involved, old school jailbreak with a few others. evad3rs released first. That jailbreak overlapped this one 80%, partly due to leaks, but mainly due to the exploits and methodology being the obvious choice(great minds, well you know), meaning the exploits won't be usable next time. No more jailbreaks ever?

Also, for the hell of it, check out the sha hash of "http://geohot.com/mt.jpg" and @tomcr00se. Ok, let's begin, changing voice to ./evasi0n7

== Yay, you clicked on me ==

Hi, first I am going to check if you already jailbroke your device. I'm looking for the file ".evasi0n7_installed" using afc. Recall that afc runs in the "/var/mobile/Media" directory, so the full path is "/var/mobile/Media/.evasi0n7_installed"

Okay, please click "Jailbreak" to begin our journey to root. This journey stops at root for now, since the /evasi0n7 binary is supa obfuscated good.

== Retrieving remote package ==

I need a real codesigned app, for reasons that'll be apparent later. To figure out where to get one, let me grab "http://evasi0n.com/apple-ipa-info.plist", ahh nice, a URL and some cookies. To play at home, run:

curl -b "downloadKey=expires=1387947603~access=/us/r1000/098/Purple/v4/c3/4e/98/c34e989a-8522-fde0-db2d-884dd3b1302d/mzps6036043982514941651.D2.pd.ipa*~md5=dc91b9d5599eb2e135bddbec3ad5dbc2" http://a396.phobos.apple.com/us/r1000/098/Purple/v4/c3/4e/98/c34e989a-8522-fde0-db2d-884dd3b1302d/mzps6036043982514941651.D2.pd.ipa -o wwdc.ipa

This is an app for people at WWDC I assume, I don't know since I just do what the plist says. What I care about is that it's signed.

== Uploading jailbreak data ==

Well, I need something to install. Namely cydia, or, you know, that other app store. Let me push a few files through afc for untarring later. Remember still in "/var/mobile/Media"
"evasi0n-install/packagelist.tar"
"evasi0n-install/Cydia.tar"
"evasi0n-install/extras.tar"

== Injecting evasi0n app (1/2) ==

Okay, so I'm not really going to install the app yet, but I will upload an unzipped copy to "/var/mobile/Media/Downloads/WWDC.app" through afc. Note that the main app ("/var/mobile/Media/Downloads/WWDC.app/WWDC") is not chmodded +x, since afc creates new files 644.

== Injecting evasi0n app (2/2) ==

Let me modify the real app host side a little now, give Info.plist a new ExecutableFile "../../../../../../var/mobile/Media/Downloads/WWDC.app/WWDC". Get it? When the code signature is checked, it passes because that's a real copy of the app. Upload pkg.ipa, run com.apple.mobile.installation_proxy on the ipa, also change the picture to the official evad3rs logo thing. And yay, installd chmods the app +x, and makes a pretty icon appear.

Now the fun begins, I push two more files over afc.
"Downloads/WWDC.app/WWDC" with contents "#!/usr/libexec/afcd -S -d / -p 8888" (the chmod +x stays)
"Downloads/WWDC.app/gameover.dylib"

Get it, the app is just a shebang to run afcd. "-S" so I can access special files, "-d /" so afcd runs in the root, and "-p 8888" to run on port 8888.

Ahh, but afcd has a sandbox profile, how can it access anything cool? By injecting gameover.dylib of course

geohot@comet:~/iphone/evasi0n2/extract$ dyldinfo -export gameover.dylib
for arch armv7:
export information (from trie):
[re-export] _SANDBOX_CHECK_NO_REPORT (_kCFBooleanTrue from CoreFoundation)
[re-export] _sandbox_check (_sync from libSystem)
[re-export] _sandbox_extension_consume (_sync from libSystem)
[re-export] _sandbox_extension_issue_file (_sync from libSystem)
[re-export] _sandbox_free_error (_sync from libSystem)
[re-export] _sandbox_init (_sync from libSystem)
[re-export] _sandbox_init_with_parameters (_sync from libSystem)

Hmm, but who signed that dylib. Nobody, absolutely nobody. Exploit, if S_ATTR_LOC_RELOC is set on all the executable sections, the +x is removed from the sections after the header is +x checked, but before +x pages are mapped, triggering codesign.

afcd inits the sandbox from inside the binary, so by overriding the dylib (note that LC_ID_DYLIB of gameover is "/usr/lib/system/libsystem_sandbox.dylib"), the sandbox is never initted and afcd is free to write anywhere.

But how do I convince the dylib to load? Let us configure the system a little, together.

== Configuring system (1/2) ==

Ahh, the first of a needlessly burned exploit. But cute anyway. From afc, remember, this is still a sandboxed afc, I want to access "/tmp", so let's create a symlink. But you see, afc is clever enough to make sure I don't symlink out of its directory. Never fear.

symlink("../../../../../tmp", "Downloads/a/a/a/a/a/link")

That's cool, right? Still in the sandbox, count the ../

rename("Downloads/a/a/a/a/a/link", "tmp")

Oh snap, it's a relative symlink, let me traverse from "/var/mobile/Media/tmp" like "../(Media)../(mobile)../(var)../(private)../tmp"

So I can access "/tmp", ballin.

== Configuring system (2/2) ==

Let me grab all your cache files, one sec. I'll use "com.apple.mobile.file_relay" and request "Caches". It's a big ass cpio file.

To "/var/mobile/Library/Caches/com.apple.mobile.installation.plist" I'll add the "EnvironmentVariables" to the developer.apple.wwdc-Release app. You know, the most awesome one ever: "DYLD_INSERT_LIBRARIES -> /private/var/mobile/Media/Downloads/WWDC.app/gameover.dylib". Now when the afcd app shebang runs, gameover.dylib is injected.

And now for the second exploit that I could have used mobilebackup for. Apple, want to do a solid and not patch? Don't you think that's fair?

I need to push files elsewhere in /var, but I can't because afc is still in the sandbox. Good thing I have a race condition in installd, exploitable since I can modify "/tmp", as shown before.

For each of these files: "/var/mobile/Library/Caches/com.apple.mobile.installation.plist"; "/var/mobile/Library/Caches/com.apple.LaunchServices-054.csstore", which I zero to force a rebuild; and "/var/mobile/Library/Preferences/com.apple.backboardd.plist", where I add "BKNoWatchdogs"="Yes" to remove the 30-second app startup timeout, I create a "pkg.zip", which I upload to "/var/mobile/Media" with afc.

Then I command installd to install it, which creates a "/tmp/install_staging.XXXXXX/foo_extracted" where I extract the zip. But now fast fast race condition fast fast

symlink("../../..//var/mobile/Library/Caches/", "tmp/install_staging.XXXXXX/foo_extracted.new")
move("tmp/install_staging.XXXXXX/foo_extracted", "tmp/install_staging.XXXXXX/foo_extracted.old")
move("tmp/install_staging.XXXXXX/foo_extracted.new", "tmp/install_staging.XXXXXX/foo_extracted")
installd_extract("/var/mobile/Media/pkg.zip", "tmp/install_staging.XXXXXX/foo_extracted")

Get it? Now when the extract happens to "tmp/install_staging.XXXXXX/foo_extracted", the files go in "/var/mobile/Library/Caches/". Which is cool since installd isn't sandboxed.
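The installd staging race above, replayed as an added example that is not part of geohot's writeup or any Apple code: a constructed temp-dir layout stands in for "/", the attacker's three swap steps are taken verbatim from the text, and a path-based extraction that follows the swapped-in link sits beside an fd-relative (openat-style) extraction that keeps writing into the original directory. The function names, the layout and the plist content are my own assumptions.

```python
"""Added example, not evasi0n7 or Apple code: the installd staging race from
the writeup replayed in a constructed temp-dir layout, with the path-based
extraction that follows the swapped-in symlink next to an fd-relative one
that does not. Names and the layout are my own."""
import os
import tempfile

PLIST = "com.apple.mobile.installation.plist"   # file name taken from the writeup
PAYLOAD = b"<plist/>"                            # constructed stand-in content


def build_layout():
    """base plays '/': a staging dir like /tmp/install_staging.XXXXXX and a
    Caches dir standing in for /var/mobile/Library/Caches (both constructed)."""
    base = tempfile.mkdtemp()
    extracted = os.path.join(base, "tmp", "install_staging.XXXXXX", "foo_extracted")
    caches = os.path.join(base, "var", "mobile", "Library", "Caches")
    os.makedirs(extracted)
    os.makedirs(caches)
    return extracted, caches


def swap_in_symlink(extracted, caches):
    """The attacker's side of the race, exactly the writeup's three steps:
    link .new -> Caches, rotate the real dir to .old, rotate the link in."""
    os.symlink(caches, extracted + ".new")
    os.rename(extracted, extracted + ".old")
    os.rename(extracted + ".new", extracted)


def extract_by_path(extracted, name, data):
    """Path-based write: re-walks the path on every open, so it follows
    whatever 'foo_extracted' has become since the directory was created."""
    with open(os.path.join(extracted, name), "wb") as f:
        f.write(data)


def open_staging_dir(extracted):
    """Hardened side: pin the directory once. O_NOFOLLOW refuses a symlink
    in place of the dir, O_DIRECTORY refuses anything that is not a dir."""
    return os.open(extracted, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def extract_by_dirfd(dir_fd, name, data):
    """Write relative to the pinned fd (openat semantics). A later rename of
    the path cannot redirect this write; O_EXCL|O_NOFOLLOW also refuses a
    pre-planted symlink with this file name."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(name, flags, 0o644, dir_fd=dir_fd)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def replay_race():
    """Returns (path_write_in_caches, dirfd_write_in_caches, dirfd_write_in_old).
    Both extractions start before the swap and write after it, i.e. both lose
    the race; only the path-based one ends up writing into Caches."""
    extracted, caches = build_layout()
    dir_fd = open_staging_dir(extracted)          # directory pinned here
    swap_in_symlink(extracted, caches)            # attacker wins the window
    extract_by_path(extracted, "by_path_" + PLIST, PAYLOAD)
    extract_by_dirfd(dir_fd, "by_fd_" + PLIST, PAYLOAD)
    os.close(dir_fd)
    path_in_caches = os.path.exists(os.path.join(caches, "by_path_" + PLIST))
    fd_in_caches = os.path.exists(os.path.join(caches, "by_fd_" + PLIST))
    fd_in_old = os.path.exists(os.path.join(extracted + ".old", "by_fd_" + PLIST))
    return path_in_caches, fd_in_caches, fd_in_old


if __name__ == "__main__":
    print(replay_race())   # (True, False, True)
```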

== Rebooting ==

Count the reboots, this is 1. Used to get com.apple.mobile.installation.plist to be reloaded.

== To continue, please unlock your device and tap the new 'evasi0n 7' icon. ==

Finally, when you click the app I run "#!/usr/libexec/afcd -S -d / -p 8888" with gameover.dylib killing the afc sandbox, but still as mobile. Let me just do two quick things in var, as mobile, outside the sandbox.

symlink("../../../../../dev/rdisk0s1s1", "/var/mobile/Library/Logs/AppleSupport")

Leaving "/var/mobile/Library/Logs/AppleSupport" -> "../../../../../dev/rdisk0s1s1". Exploit, this file is chowned mobile:mobile on reboot by CrashHousekeeping, and since chown goes through symlinks...
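The two symlink tricks in this writeup (the afc directory escape from the "Configuring system (1/2)" section and the chown-through-symlink here), replayed as an added example that is not part of geohot's writeup or any Apple code: a constructed temp-dir layout mimics the iOS /var -> private/var link and the afc jail at /var/mobile/Media, a resolve-at-access containment check flags the renamed link, and an lstat refusal shows what a housekeeping chown would need before touching a user-writable path. The function names and the layout are my own assumptions.

```python
"""Added example, not evasi0n7 or Apple code: replays the writeup's two
symlink tricks in a constructed temp-dir layout (base plays '/', with the
iOS-style /var -> private/var link and the afc jail at /var/mobile/Media)
and shows the checks that catch them. Names and layout are my own."""
import os
import stat
import tempfile


def resolves_inside(root, rel_path):
    """True only if rel_path, with every symlink followed, stays under root.
    The check has to run at access time, not only when the link is created:
    a rename to a shallower directory changes where a relative target lands."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel_path))
    return target == root_real or target.startswith(root_real + os.sep)


def safe_to_chown(path):
    """Refuse to chown a path that is itself a symlink. chown(2) follows
    links, so a housekeeping job that chowns a user-writable path can be
    pointed at a device node; lstat (or lchown) keeps it on the link."""
    return not stat.S_ISLNK(os.lstat(path).st_mode)


def build_fake_root():
    """Constructed filesystem: returns (base, jail)."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "private", "var", "mobile", "Media"))
    os.symlink(os.path.join("private", "var"), os.path.join(base, "var"))
    os.makedirs(os.path.join(base, "tmp"))
    return base, os.path.join(base, "var", "mobile", "Media")


def replay_afc_trick():
    """Returns (inside_before_rename, inside_after_rename).
    Step 1: the link sits five levels deep, so '../../../../../tmp' resolves
    to Downloads/tmp, inside the jail, and a create-time check passes.
    Step 2: renamed to the jail root, the same target climbs out past the
    jail (on iOS to /tmp; here to a directory above base)."""
    _, jail = build_fake_root()
    deep = os.path.join("Downloads", "a", "a", "a", "a", "a")
    os.makedirs(os.path.join(jail, deep))
    link_rel = os.path.join(deep, "link")
    os.symlink("../../../../../tmp", os.path.join(jail, link_rel))
    inside_before = resolves_inside(jail, link_rel)
    os.rename(os.path.join(jail, link_rel), os.path.join(jail, "tmp"))
    inside_after = resolves_inside(jail, "tmp")
    return inside_before, inside_after


def replay_chown_trick():
    """Plants the AppleSupport-style link at a constructed device path and
    returns whether a housekeeping chown should proceed (it should not)."""
    base, _ = build_fake_root()
    logs = os.path.join(base, "var", "mobile", "Library", "Logs")
    os.makedirs(logs)
    link = os.path.join(logs, "AppleSupport")
    os.symlink("../../../../../dev/rdisk0s1s1", link)
    return safe_to_chown(link)


if __name__ == "__main__":
    print("afc link inside jail before/after rename:", replay_afc_trick())
    print("chown of AppleSupport allowed:", replay_chown_trick())
```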

And tell "/var/mobile/Library/BackBoard/applicationState.plist" to restart the evasi0n app automatically on next reboot, which I'll do now.

== Rebooting ==

This is 2. "/dev/rdisk0s1s1" is being chowned to mobile:mobile as we speak.

== Modifying rootfs... ==

afc is running, outside the sandbox. "/dev/rdisk0s1s1" is mobile:mobile, time to write the block device.

Note that the kernel no longer allows the rootfs to be remounted rw. So I just write directly to the underlying block device. haxx. This is cool since afcd has the "-S" option.

Files written:
"/evasi0n7" -- the main binary which does the kernel exploit.
"/evasi0n7-installed" -- just a blank file
"/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist" -- touched to make launchd load this
"/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib" -- the new home of the LaunchDaemons, codesign haxx
"/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache" -- convinces the system to look on the filesystem before the dyld_cache
"/usr/lib/libmis.dylib" -- overrides the symbols in amfid to make the signature check return 0, with above codesign trick
You know, [re-export] _MISValidateSignature (_CFEqual from CoreFoundation)

"xpcd_cache.dylib" contains a plist with just two launchdaemons, com.apple.MobileFileIntegrity, which starts with the signature free libmis.dylib, and com.evad3rs.evasi0n7.untether, which is the unsigned untether.

Note that DYLD_INSERT_LIBRARIES won't work on amfid, since it has a "__RESTRICT" segment. Hence the above trick. Replacing the real library.

== Rebooting ==

This is 3. Need to flush the changes I made in the block device to the filesystem.

== Running /evasi0n7, as root, on the device ==

Now you see the splash screen. Away into obfuscation land of kernels and untarring. Who wants to write up that part?

***************

With transparency, love, and rap songs from
  ~geohot

Who posts on Hacker News? | Mark J. Nelson


URL:http://www.kmjn.org/notes/hacker_news_posters.html


Hacker News is one of the bigger technology news and discussion forums, with a decided Silicon Valley / startup bent. It was started and is hosted by Y Combinator, a Mountain-View-based company / investment fund that provides seed funding, advice, and networking for new startups.

Due to these affiliations, it's often seen as in some sense geographically located in Silicon Valley. But I found myself noticing that many of the prolific contributors, both those who were and weren't involved in tech startups, did not seem to be based there: one runs a security company in Chicago, another runs an encrypted-backup company in Canada, and there are more than a few Europeans, too. And many don't seem to fit the stereotype of the twenty-something startup founder either; quite a few contributors are considerably older than that. (The stereotype that posters are mostly male does seem accurate, however.) For these and other reasons of personal curiosity, I decided to put together a little directory of the prolific contributors who have chosen to post under their real names (I didn't do any sleuthing to "out" people who post under pseudonyms).

For convenience, and because it makes a reasonable proxy, by "prolific contributors" I mean those with the most "karma". That's simply the number of times something they've posted has had the up-arrow next to it clicked, minus the times someone has clicked a down-arrow or "flag" button. So it's some mixture of how frequently they contribute, for how long they've been contributing, how appreciated their posts are, and how visible their contributions are (posts in high-traffic discussions garner more karma). Therefore, it's a vaguely reasonable measure of high-profile users of the site, at least if we don't take the precise number or ranking too seriously.

To give an idea of what types of people make up the prominent contributors, I've written small capsule bios of the top 20 publicly identified prolific contributors below (ordered alphabetically). I often find this approach to understanding a population—a sequence of brief descriptions—more useful than a "data" based approach that gives tallies of occupation and the like. This way, at least to me, gives a richer glimpse into who people are and what they do. Following the bios, I have however summarized people into numbers on one aspect, giving the geographical location of the top 100.

Bio blurbs

(Apologies if I've mis- or insufficiently represented anyone!)

Reginald Braithwaite is a Canadian programmer. He's written two books on Javascript, JavaScript Allongé and JavaScript Spessore (both 2013). The former is Freely licensed; among other freedoms, this gives you the freedom to pay $30. He writes a number of technical and non-technical essays. He works at Github, and lives in Toronto.

Karl M. Bunday is an education-reform activist. Since the 1990s, he has maintained learninfreedom.org, an information resource for homeschooling parents and self-teaching learners. He is also a founding director and math coach for the nonprofit Edina Center for Academic Excellence, which teaches weekend and summer mathematics courses. He has four kids of ages eight through nineteen, and lives in Minnetonka, Minnesota; he has also in the past lived for a considerable time in Taiwan.

Max Countryman is a developer at litl, and maintains a number of extensions to the web-development framework Flask, among other things. He lives in San Francisco.

Shawn Dumas is a front-end engineer at Yahoo. He's been a web developer at various companies since the 1990s, and is based in Boca Raton, Florida.

Michael Fogus is best known for his books on programming languages. He's the co-author of The Joy of Clojure: Thinking the Clojure Way (2011) and author of Functional JavaScript: Introducing Functional Programming with Underscore.js (2013). He also gives talks about programming languages, and lives in the Washington, D.C. area.

Paul Graham is the site's owner. After earning a PhD in applied science, and studying painting for a bit, he became known in the Lisp community for writing two books, On Lisp (1993) and ANSI Common Lisp (1995); the former is still particularly liked as an explanation of idiomatic use of macros in Common Lisp. He then gained fortune by selling an online storefront company, Viaweb, to Yahoo in 1998. Subsequently, he used some of the proceeds from that sale to found Y Combinator. He also writes a number of essays, some of which were collected into a 2004 book. He is based in Mountain View, California.

John Graham-Cumming is a British technologist and author. He wrote the POPFile mail filter, successfully initiated the 2009 campaign for a British government apology to Alan Turing, and founded an organization that aims to build Charles Babbage's Analytical Engine. He's been involved with companies including Scriptics, Interwoven, Electric Cloud, and CloudFlare. Things he's written include a PhD thesis, Guardian articles, a column on GNU Make collected into a book (2008), a blog, and another book, the more popularly oriented The Geek Atlas: 128 Places Where Science and Technology Come Alive (2009). He lives in London, UK.

George Grellas is a lawyer focusing on technology startups as clients, as a partner in Grellas Shah LLP. He writes a "Startup Law 101" series, and frequently comments with lengthy analyses of legal issues that the community is discussing. He is based in Cupertino, California.

Daniel Markham writes his own capsule bio: "A hands-on Agile Coach, Daniel has worked for dozens of companies both large and small. He's a startup junkie, father of four, instrument-rated pilot, and avid hiker/photographer. He's worked with C, C++, Java, C#, BASIC, COBOL. He’s lately been using F# and OCAML and is having fun coding with it on Mono. He also runs several dozen small websites and knows most all of the web-facing technologies in use today: Javascript, JQuery, HTML5, CSS3, microcodes, Twitter Bootstrap, webhooks, etc." He writes a personal blog and a libertarian news/commentary blog, an Agile blog, used to write a technical column, and wrote a book on Scrum (2012). He lives in southern Virginia.

Jacques Mattheij is a Dutch technologist. An excerpt from his own bio blurb: "Born in 1965, just in time for the PC revolution to get underway, I've been playing with technology since I was old enough to hold a screwdriver ... First it was mechanical stuff, then electrical, then electronics, and pretty soon thereafter software. I'm a life-long tinkerer, love technology very much, and try to understand 'what’s in the box' as much as that is possible. From vacuum tubes to VLSI, and everything in between. My main occupations are being owner/operator of ww.com, which pioneered streaming webcam technology, and working as a consultant to do technical due diligence."

Patrick McKenzie is an entrepreneur known for running web-based small businesses, especially Bingo Card Creator. He blogs extensively on the marketing and business aspects of running a one-person small business online. He lives in Gifu, Japan.

Dan Nguyen is a journalist, programmer, photographer, and writer. He used to work at the Sacramento Bee and ProPublica, and now works at Skift. He's taught a course at NYU-SCPS on "small data journalism". Writings include a New York Photoblog, another blog, and free online books on Ruby, photography, and regular expressions. He lives in New York City.

Thomas H. Ptacek is a computer-security researcher, and co-founder of Matasano, a computer-security consultancy based in Chicago (since 2012, a subsidiary of NCC Group). In addition to their regular work, they have a somewhat famous Crypto Challenge, a 48-exercise course (of sorts) that they administer, advertised as an alternative way to learn cryptography (and probably be hired, if one completes it).

Daniel Ribeiro is a Brazilian software developer. He was formerly CTO of a mobile-game startup, and now works for PagerDuty in San Francisco. He keeps a technical blog, and contributes to a variety of projects.

Jonathan Rockway is a programmer who currently works at Google. He's been active in the Perl community for some years (although presumably not at Google, who afaik don't use any Perl). Among other things, he's a core developer of the Catalyst Perl web framework, and wrote a book about it. He lives in the New York City area.

Stephen Sclafani is a security researcher. He maintains a security-related blog (see link) and is founder of a not-yet-public startup, Play To Win. He lives in the New York City area.

Daniel Tenner is a British entrepreneur, cofounder of GrantTree and Woobius. He also runs a fairly popular blog with startup advice. He lives in London, UK.

Ed Weissman is an American programmer who is locally famous in large part for his postings on Hacker News, which he later compiled into a free ebook (PDF). He describes himself like so: "My name is Ed Weissman and I've been programming professionally for 32 years. I've done work for many companies, both enterprises and small/medium businesses. I've functioned as an employee, a contractor, and a vendor. I've worked in many industries, almost always on business systems. I started out on IBM mainframes, moved to mini-computers, then to PCs, and finally to web-based technologies. I've started three businesses, two with partners and one alone, selling both services and products." He used to have a blog at edweissman.com, but it seems to have died along with its host, Posterous. He has a new one (not including archives) at Wordpress.

David Welton is a programmer and small businessman who runs DedaSys. He's been involved in a wide range of free-software projects, including as a Debian developer since the '90s, a maintainer of Apache Tcl, and co-creator of Hecl. Among other writings and side projects are some articles and langpop.com. From Oregon, USA, he now lives in Padova, Italy.

Colin Wright describes himself pretty concisely: "I'm a PhD in Pure Maths (Combinatorics and Graph Theory) from the University of Cambridge. My BSc(Hons) was in Pure maths from Monash University, Australia. I work in industry as a director of Innovation and Research, helping to create equipment that does the maritime equivalent of Air-Traffic Control. Basically, we provide kit to help people stop 30,000 tonne oil tankers from crashing into nuclear submarines. In what's laughingly called my free time I travel around the world giving talks on why maths is useful, fun, and occasionally exciting. My most popular talk is on the theory of juggling. I speak about 100 times a year, mostly in the UK, but recently in New York, Boston, Atlanta, Finland, Ireland, and Jersey." He lives in Wirral, UK.

Locations

Of the top 100 contributors, 81 either disclose their location in their profiles, or else post under their real names and give their location in some other obviously public place (website, Twitter, GitHub, etc.). The San Francisco Bay Area is indeed the single most common location, with 17 out of those 81. The majority (64/81) are scattered elsewhere around the world—but mostly elsewhere around the United States.

By country:

  • USA: 54
  • UK: 8
  • Canada: 5
  • Australia: 2
  • China: 2
  • Denmark: 2
  • Germany: 2
  • Brazil: 1
  • France: 1
  • India: 1
  • Italy: 1
  • Japan: 1
  • Netherlands: 1
Of the 81, 33 are alone in their city, while 48 are in metropolitan areas with more than one person:

  • San Francisco Bay Area: 17
  • New York City area: 7
  • London area: 5
  • Boston area: 4
  • Seattle area: 4
  • Chicago area: 3
  • Los Angeles area: 2
  • Berlin: 2
  • Copenhagen: 2
  • Toronto area: 2

RapGenius Growth Hack Exposed | jmarbach.com


Comments:"RapGenius Growth Hack Exposed | jmarbach.com"

URL:http://jmarbach.com/rapgenius-growth-hack-exposed


Yesterday RapGenius posted the following announcement on their Facebook page:

As a contributor to various blogs and an endearing fan of RapGenius, I took a special interest in this opportunity. So, I emailed Mahbod for more details:

Mahbod quickly responded:

What you see here is the beginning of a potential growth hack for RapGenius. To understand this growth hack, you must be aware of the business of RapGenius, and why Bieber is important to their growth.

The Business of RapGenius

RapGenius makes its business off music lyrics. Millions of people search the lyrics to their favorite songs daily. RapGenius wants to be the first result that people click on when people are searching for any lyric.

Their business depends on their search engine ranking positions (SERPs) on Google. Hyperlinks connect the web and determine SERPs. Thus, the most powerful weapon RapGenius can deploy is a series of powerful hyperlinks. You can see in Mahbod’s email that he is asking for hyperlinks from high-PageRank sites (personal blogs) with anchor text that mentions tracks from Bieber’s most recent album.

Furthermore, the 80-20 rule applied to RapGenius’s business indicates that 80% of their traffic comes from only a select 20% of their lyrics database. According to Alexa.com, “Get Lucky” and “Holy Grail” were the top traffic drivers to RapGenius for most of 2013. However, music is highly cyclical, and the traffic from previous winners will eventually fade. Looking forward into 2014, it’s only logical that RapGenius would hope for Bieber’s new songs to refer them enormous traffic.

Why Bieber Is Important to the Growth of RapGenius

Justin Bieber just released his new album “Journals” last night; Beliebers will be searching for the lyrics to his new tracks repeatedly in the upcoming months. To demonstrate the magnitude of the Beliebers, check out this graphic: Justin Bieber and Miley Cyrus were the most searched musicians in 2013, but Bieber is consistently the most searched person over time.

High SERPs for Bieber are the top prize for RapGenius, assuming they want to continue to dramatically increase their traffic.

Summary

  • RapGenius wants to grow quickly.
  • In order to grow quickly, they need to rank well on Google searches for Justin Bieber’s new songs.
  • In order to rank well, they need backlinks with anchor text that specifically mention Bieber’s songs.
  • They are reaching out to their friends asking for backlinks in exchange for a tweet.

 

It’s surprising to me that RapGenius, a company with $15 million in financing, would openly execute such a frugal strategy for their link-building efforts. There are many consulting firms and savvy internet marketers that specialize in this work. We’ll see what Google decides for their efforts.

Update: Just added these links. Let’s see what happens to the SERPs…

1. Justin Bieber – Heartbreaker Lyrics
2. Justin Bieber – All That Matters Lyrics
3. Justin Bieber – Hold Tight Lyrics
4. Justin Bieber – Recovery Lyrics
5. Justin Bieber – Bad Day Lyrics
6. Justin Bieber – All Bad Lyrics
7. Justin Bieber – PYD Lyrics
8. Justin Bieber – Roller Coaster Lyrics
9. Justin Bieber – Change Me Lyrics
10. Justin Bieber – Confident Lyrics
11. Justin Bieber – Memphis Lyrics
12. Justin Bieber – One Life Lyrics
13. Justin Bieber – What’s Hatnin’ Lyrics
14. Justin Bieber – Backpack Lyrics
15. Justin Bieber – Swap it Out Lyrics
Justin Bieber – Journals Tracklist Lyrics

Ditching Wordpress and becoming one of the cool kids


Comments:"Ditching Wordpress and becoming one of the cool kids"

URL:http://razius.com/articles/ditching-wordpress-and-becoming-one-of-the-cool-kids/


I’ve been a Wordpress user and developer for a long long time but lately this nagging idea kept crawling in the back of my head, why not switch my website to a statically generated one? Well, a 3 hour train journey and a lot of boredom finally pushed me to just make the switch and to write a short post about it.

What is a statically generated website?

Compared to dynamic web pages, which are rendered by server-side logic and usually require a database, statically generated websites work by feeding files written in a markup language like Markdown, reStructuredText, Textile, etc. to a static site generator, which spits them out as a static website ready for deployment.

They are useful when the content doesn’t vary based on parameters provided by a user, like in the case of a personal web page where the content is delivered to the user exactly as it was stored.

Why bother switching?

reStructuredText

I could write my articles as simple flat files using the reStructuredText format, and say goodbye to storing articles in a database. Having the articles as simple text files would allow me to edit them easily using my editor of choice, Sublime Text, so no more editing text in a form on a web page, copy/pasting code snippets into it and painfully adjusting the indentation. Just take a look at the source of this article and see how easy it is to embed different code snippets; it feels just like editing a source file. I would also have syntax highlighting powered by the excellent Pygments syntax highlighter.

    #include <stdio.h>

    int main(void)
    {
        printf("Hello, world!\n");
        return 0;
    }

    public class HelloWorld {
        public static void main(String[] args) {
            System.out.println("Hello, world!");
        }
    }

    package main

    import "fmt"

    func main() {
        fmt.Println("Hello, world!")
    }

Plus, having the articles as flat files would make it really easy to keep the entire website in a git repository.

Faster page loads

Because there is no need to build the web page each time upon serving it, page load would be faster. I made a test of a page load before and after the switch.

Page load speed for Wordpress

Page load speed for static website

Not bad, a whole second. Yes, it’s not really a fair comparison, I also changed the theme to a much simpler one which is a big boost too, but still.

Github pages

I could host my page for free using Github pages, which is free hosting for static pages offered by Github, using git repositories for file storage. No, I’m not killing the little curious sysadmin in me; it’s just that for my humble page, administration is starting to feel like a hassle.

The geek factor

In the end, why not? I keep this website to toy around with it and this would allow me to play around more with Python, Jinja2 and reStructuredText plus I could test a new flow for writing articles.

Making the switch

I picked Pelican over the two most popular static website generators, Jekyll and Octopress, because, being a Python developer, and Pelican being Python based, it felt a bit more natural than Jekyll or Octopress, which are Ruby based.

If you think something else would suit you more, you can take a look at a complete list of static website generators at staticsitegenerators.net

Installing Pelican is as simple as running:

Next, kickstart a new project. To do this, run pelican-quickstart; it will ask you a few questions about your site, generate a config file named pelicanconf.py and create a project skeleton with some helper scripts inside.

You can edit your pelicanconf.py to further tune your configuration; take a look at the manual for the available options, or check out my pelicanconf.py for some inspiration.

All the content goes into the content folder and I like to keep all my articles and posts in separate folders by setting the following in pelicanconf.py:

    PATH = 'content'
    PAGE_DIR = 'pages'
    ARTICLE_DIR = 'articles'

You can export your articles from Wordpress into an XML file by going to Tools -> Export, then run pelican-import to generate the appropriate text files in the content folder.

$ pelican-import --wpfile -o content/ wordpress-export.xml

You can preview your files by running make devserver. This will start a web server that serves your built HTML files under http://localhost:8000/ and a process that watches the content folder for file changes and rebuilds the served HTML files.

Hosting on Github

Instead of using Github pages, where you are required to have your HTML pages under the project root, and because Pelican puts them under the output folder, I chose to use project pages. With project pages you keep the HTML files in a separate git branch called gh-pages, and Github will publish those pages for you from that branch under GITHUB_USERNAME.github.com/GITHUB_PROJECTNAME. For example, my web address would be http://razius.github.com/razius.com; don’t worry, you can use your custom domain too.

Notice the difference between the master branch and the gh-pages branch.

Luckily, you don’t have to maintain this branch manually: there’s a script called ghp-import which will manage it for you. It copies a directory, the site’s document root, to the gh-pages branch.

Now, with ghp-import installed, you can publish your project pages by simply running the make github command, which will build the HTML pages for publishing under the output/ folder, call ghp-import to copy the files under that folder to the gh-pages branch and do a git push to push the new changes to Github.

You can also use your own custom domain. I keep my CNAME file in a static folder called files and I’ve added the file’s path to EXTRA_PATH_METADATA in pelicanconf.py so that Pelican copies it on each build.

    STATIC_PATHS = ['files']
    EXTRA_PATH_METADATA = {'files/CNAME': {'path': 'CNAME'},}
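As an added example (not the author's script), here is a pre-publish check of the kind worth running between the build and ghp-import: it confirms that the output folder really contains an index.html and the CNAME copied via EXTRA_PATH_METADATA, since a missing or malformed CNAME is what silently breaks a custom domain on a gh-pages push. The function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the article: a pre-publish check to run before
# `make github`, so a broken build or a missing CNAME never reaches gh-pages.
# Function names are constructed for this example.

# Verify that a Pelican output directory is ready for ghp-import:
#   - index.html exists (the build actually ran)
#   - CNAME exists (EXTRA_PATH_METADATA copied it) and holds one bare hostname
# Returns 0 when safe to publish, 1 otherwise, with the reason on stderr.
check_output_dir() {
    dir="${1:-output}"
    if [ ! -f "$dir/index.html" ]; then
        echo "error: $dir/index.html missing; run 'make html' first" >&2
        return 1
    fi
    if [ ! -f "$dir/CNAME" ]; then
        echo "error: $dir/CNAME missing; check STATIC_PATHS/EXTRA_PATH_METADATA" >&2
        return 1
    fi
    # GitHub reads the first line only; it must be a hostname, not a URL.
    host=$(head -n 1 "$dir/CNAME" | tr -d '[:space:]')
    case "$host" in
        ""|*/*|*:*|.*|*.)
            echo "error: CNAME must contain a bare hostname, got '$host'" >&2
            return 1 ;;
    esac
    if [ "$(grep -c . "$dir/CNAME")" -gt 1 ]; then
        echo "error: CNAME must contain a single line" >&2
        return 1
    fi
    return 0
}

# Build, check, then hand the directory to ghp-import and push: the same
# steps `make github` performs, with the check in between.
publish_site() {
    pelican content -o output -s pelicanconf.py || return 1
    check_output_dir output || return 1
    ghp-import output && git push origin gh-pages
}
```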

PS: Yes, the title is a bit ironic.


KeePassX 2.0 Alpha 5 released


Celani, et al v. Meese, et al :: Arizona District Court :: Case No. 1:86-cv-00133-WDB, Judge William D Browning presiding


Comments:"Celani, et al v. Meese, et al :: Arizona District Court :: Case No. 1:86-cv-00133-WDB, Judge William D Browning presiding"

URL:http://www.plainsite.org/dockets/index.html?id=1&uscourts=1


"Sunlight is said to be the best of disinfectants;
electric light the most efficient policeman."
— Louis D. Brandeis

As long as the federal courts continue breaking the law (specifically, the E-Government Act of 2002) by requiring the general public to pay for public information, to which it is entitled free of charge on PACER, we will not be allowing employees of the federal courts to access easy-to-use, cleaned-up, valuable information on PlainSite. The courts' policies harm the public and make PlainSite harder to run.

PACER, advertised widely by the courts as well-liked by its users, remains available as an alternative.

If access to PlainSite is absolutely necessary, feel free to contact us at help@plainsite.org. We look forward to re-opening PlainSite to the courts once PACER is legally compliant.

Interviewing as a Front-End Engineer in San Francisco | CSS-Tricks


Comments:"Interviewing as a Front-End Engineer in San Francisco | CSS-Tricks"

URL:http://css-tricks.com/interviewing-front-end-engineer-san-francisco/


Published December 23, 2013 by Guest Author

The following is a guest post by Philip Walton (@philwalton). Philip recently went through a slew of interviews for front-end jobs at tech companies in the Bay Area and found them to be not what he expected.

A few months ago I started casually looking for front-end gigs in the San Francisco Bay Area. I liked my current job, but I felt I was outgrowing the tech scene in my town. I wanted to leave my small pond and see how I'd fare in a big one, with some of the best developers in the world.

When I started looking I knew I wanted to work at a place where I wouldn't be the expert, so I only applied to big name companies. The whole experience ended up being quite valuable, and through it I got a chance to meet some of my heroes and visit the offices of some of my favorite companies.

But it wasn't all good. In fact, after looking back on the process I can't help but feel like there is something fundamentally wrong with the way tech companies interview their front-end candidates.

Before continuing, I want to offer this disclaimer. Parts of this article are going to be critical, so I think it would be best to keep the names of these companies anonymous. After all, who they are is not relevant to my overriding point.

The only details I will share are that I applied to and had phone interviews with six companies, four of which invited me to interview on-site. In total I had 23 different interviews, all of them technical.

The other thing worth mentioning is that these were all well-known companies. Companies I'm 100% sure you've all heard of, and I mention that not to brag, but to suggest that since they're the ones who set the bar where it is, the experiences I had were probably pretty close to the norm.

My Experience

Overall, my experience was quite good. Some of these companies have a reputation for their excruciating interviews, but what I went through was not nearly as bad as the stories I'd heard. Everyone was nice, everyone was professional, and if I didn't know the answer to something, I never felt belittled. Most of the time it just seemed like a simple conversation about technology between two people discussing the best way to solve a problem.

But there was something obvious missing: front-end specific questions!

Now, I'm no interviewing expert. And I'm sure most hiring managers would disagree over how to best measure the effectiveness of any particular set of interview questions. But one thing I'm sure everyone can agree upon is that the questions you ask should be questions that will be best answered by the most qualified people for the job.

To put that another way, if a talented computer science grad, fresh out of college, with almost no front-end experience can outshine a great front-end engineer in your interview, you're probably asking the wrong questions.

This basically sums up my criticism. The overwhelming majority of my interview questions were logical puzzles, generic coding challenges, and algorithm design problems — things that are necessary but nowhere near sufficient.

What Was Missing

I know several people who do a lot of interviewing, and I hear the same line from them over and over: I'd rather hire a smart person and teach them X than hire someone who knows everything about X but lacks creativity, logic, and reasoning.

I get that. The problem is that front-end development is a domain specific skill set. It's not just about mental ability, it's also about knowledge and experience.

Front-end engineers, at their most basic level, are developers who write code that runs on the user's browser. Today that means someone who writes HTML, CSS, and JavaScript and knows the various APIs that browsers expose. The difference between the general term "programmer" and specific term "front-end engineer" is simply the domain where one's knowledge exists. A superstar front-end engineer is probably also a superstar programmer, but the reverse is not necessarily the case (often not).

If you agree with what I've just said, then you can understand my surprise at the absence of some of the following topics from all 23 of my interviews:

  • I wasn't asked a single question about new or upcoming HTML APIs.
  • I wasn't asked a single question about the differences between various browsers and browser versions or how to target/deal with those differences.
  • I wasn't asked a single question about the differences between desktop and mobile browsers or about techniques for building webapps to run on both.
  • I was asked just one CSS question (just one!), and it was "tell me the difference between inline and block", a question that even most non-front-end people know.
  • I was only asked one question that had anything to do with the DOM, DOM events, or event binding.

What I was asked is a lot of questions like these:

  • Write a function that takes two sorted lists of numbers and merges them into a single sorted list.
  • Given an array of integers (positive or negative) find the sub-array with the largest sum.
  • Determine if a given string is a palindrome.
  • Given a large hash table whose keys are movie names and whose values are a list of actors in those movies, write a function to determine the Bacon number of a particular actor.

Again, I don't want to imply that there isn't value in asking these questions. The problem is they have nothing to do with front-end development. As I said before, most smart developers with a strong computer science background could answer all of these, even if they'd never built a website.

So What's Going On?

I'm sure part of the problem is the newness of the need for front-end only positions as well as the term "front-end engineer" itself. It's not a well-defined term and could mean very different things depending on who is using it. I'm willing to admit the possibility that my idea of a front-end role is different from those who were posting the job, but I suspect there's more to it than that.

Another likely cause is that the majority of my interviewers were not themselves front-end engineers. They were senior team members, hiring managers, VPs, founders, etc., but they were usually not front-end engineers. As a result, they stuck to what they knew, and they asked the same questions they always ask.

My Suggestions

Given my recent experience, I want to offer the following advice to anyone reading who might be interviewing a front-end engineer in the near future.

  • Front-end candidates should be interviewed by at least one front-end team member (preferably more). If you don't have a front-end team member, find someone you know and trust and ask them to do it.
  • Obviously topics like logic and algorithms are important, especially for certain companies, but if you're interviewing for a front-end position, a substantial portion of the questions should focus on the front-end.
  • If you really want to ask questions about logic and algorithms, figure out a way to do so that combines your questions with front-end specific knowledge.

To illustrate that last point, instead of asking about the complexity of merge sort, ask about the complexity of this jQuery expression:

$("#nav a")
 .addClass("link")
 .attr("data-initialized", true)
 .on("click", doSomething)

A correct answer to this will demonstrate both an understanding of basic computer science principles and a deeper knowledge of what jQuery is doing behind the scenes.
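To make the cost of that chain concrete, here is an added example (not code from the article or from jQuery): a tiny jQuery-like collection over a constructed in-memory tree, instrumented to count how many elements the selector and each chained method touch. All names in it (FakeElement, Collection, select, measureChain, measureDelegatedBinding) are hypothetical stand-ins for jQuery's internals.

```javascript
// Added example, not code from the article: a tiny jQuery-like collection over
// a constructed in-memory tree, instrumented to count how many elements each
// step of $("#nav a").addClass(...).attr(...).on(...) touches. Every name here
// (FakeElement, Collection, select, measureChain, ...) is a hypothetical stand-in
// for jQuery's internals, not jQuery's real API.

class FakeElement {
  constructor(tag, id = null) {
    this.tag = tag;
    this.id = id;
    this.children = [];
    this.classList = new Set();
    this.attrs = {};
    this.handlers = [];
  }
  append(child) {
    this.children.push(child);
    return child;
  }
}

// Constructed document: <body><div id="nav"><li><a/></li>...</div><p/></body>
function buildDocument(anchorCount) {
  const body = new FakeElement("body");
  const nav = body.append(new FakeElement("div", "nav"));
  for (let i = 0; i < anchorCount; i++) {
    nav.append(new FakeElement("li")).append(new FakeElement("a"));
  }
  body.append(new FakeElement("p")); // outside #nav, so never visited
  return { body, byId: new Map([[nav.id, nav]]) }; // getElementById-style index
}

class Collection {
  constructor(elems, counter) {
    this.elems = elems;
    this.counter = counter;
  }
  get length() { return this.elems.length; }
  // Each chained method is one more full pass over the matched set.
  addClass(name) {
    for (const el of this.elems) { this.counter.methodOps++; el.classList.add(name); }
    return this;
  }
  attr(name, value) {
    for (const el of this.elems) { this.counter.methodOps++; el.attrs[name] = String(value); }
    return this;
  }
  on(event, handler) {
    for (const el of this.elems) { this.counter.methodOps++; el.handlers.push({ event, handler }); }
    return this;
  }
}

// Resolve "#id" or "#id tag": an O(1) id lookup, then (for the descendant
// form) a walk over every node under that element, keeping those with the tag.
function select(selector, doc, counter) {
  const [idPart, tag] = selector.split(" ");
  const root = doc.byId.get(idPart.slice(1));
  if (!root) return new Collection([], counter);
  if (!tag) return new Collection([root], counter);
  const matched = [];
  const walk = (el) => {
    for (const child of el.children) {
      counter.selectorVisits++;
      if (child.tag === tag) matched.push(child);
      walk(child);
    }
  };
  walk(root);
  return new Collection(matched, counter);
}

// The article's chain against a nav with `anchorCount` links. The selector
// visits every descendant of #nav (li and a: 2 per link) and each of the three
// chained methods makes one more pass over the matched anchors, so the work is
// linear in the link count with a constant factor set by the chain length.
function measureChain(anchorCount) {
  const doc = buildDocument(anchorCount);
  const counter = { selectorVisits: 0, methodOps: 0 };
  const doSomething = () => {};
  const result = select("#nav a", doc, counter)
    .addClass("link")
    .attr("data-initialized", true)
    .on("click", doSomething);
  return { matched: result.length, ...counter };
}

// Contrast for the `.on` step alone: jQuery's delegated form
// $("#nav").on("click", "a", handler) binds a single listener on the container
// and filters by target at event time, so binding costs O(1) rather than O(n).
function measureDelegatedBinding(anchorCount) {
  const doc = buildDocument(anchorCount);
  const counter = { selectorVisits: 0, methodOps: 0 };
  const handler = (event) => event.target.tag === "a"; // filter at dispatch time
  select("#nav", doc, counter).on("click", handler);
  return counter;
}
```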

Instead of asking someone to write a function that adds two dates, have them build a simple calendar widget to go along with it.

Instead of quizzing them on CSS trivia, give them two paragraphs of text and see how many ways they can think of to arrange them side-by-side as columns. Then ask them to describe the pros and cons of each method.

Finally, good front-end engineers tend to be very self-motivated. Since browser technologies aren't usually taught in schools, most front-end engineers learned this stuff on their own. So instead of asking them what they know (which is of limited value), ask them how they stay current, and how they keep from falling behind. What are they doing to make sure they'll be better in a year than they are today?

Conclusion

Interviewing is a tricky thing, and even some of the most innovative companies get it wrong sometimes. And interviewing for a front-end position can be even harder because of the ambiguity of the term and the range of expectations that come with it.

The impression I got from many of my interviewers was that most of these companies have only recently begun to realize the importance of dedicated front-end people. Their front-end code bases are starting to get massive and really hard to manage. And part of the problem is the people who manage them aren't well versed in front-end best-practices.

If you're looking to hire a front-end candidate, consider reexamining your interview process. If you're doing some of the things mentioned in this article, you may very well be missing out on some great people.

If you're looking for a job as a front-end engineer, you couldn't be looking at a better time, but if my experience is any indication, I would suggest brushing up on some of your computer science fundamentals. One resource I highly recommend is the MIT Open Courseware lecture series, specifically Introduction to Algorithms.

Lastly, I hope this article isn't just seen as a rant by someone who didn't like his interview questions. That is certainly not my intent. My hope is that I can do my part in raising the bar for front-end work in our industry. And I believe one of the best ways to make that happen is to help companies hire the right people for these jobs.

An Open Letter to Senator Feinstein


Comments:"An Open Letter to Senator Feinstein"

URL:https://shameonfeinstein.org



We, the constituents of Senator Dianne Feinstein, are dismayed and embarrassed by her decision to defend unconstitutional surveillance. As chair of the Senate Intelligence Committee, she is required to oversee data surveillance to protect her constituents and all Americans. Instead, she has decided to use this moment of crisis to expand surveillance powers to include all bulk data collection. Feinstein has betrayed our trust and support that has sustained her for decades. To regain that trust, she must make amends by resigning as chair of the Senate Intelligence Committee and withdrawing her NSA legalization bill.

THE LETTER

Dear Senator Dianne Feinstein,

We, the undersigned organizations and individuals, write to you today to express our profound concern and outrage at your attempt to codify unconstitutional privacy violations by the National Security Agency (NSA) with the so-called FISA Improvements Act (S.1631). We demand that you withdraw the bill in its entirety and support legitimate legislation to bring the NSA and all other federal agencies engaged in data collection and surveillance into compliance with the U.S. Constitution. Additionally, your failure to meaningfully act on this issue has left us no choice but to demand your resignation from the chairmanship of the Senate Intelligence Committee because you have demonstrated a complete lack of accountability to the people who elected you to represent them.

The FISA Improvements Act Is A Complete Failure

The bill you have proposed to address these constitutional violations is wholly inadequate. It subverts the Constitution by effectively legalizing the conduct of the NSA. The spying operations of the NSA and other domestic intelligence gathering agencies have chilled First Amendment freedoms of speech and association at home and wounded the United States' reputation abroad. We oppose the FISA Improvements Act for the following reasons:

  • Section 1(a)(6)(B) fails to improve Congressional oversight over the FISC. The mere reporting of FISC activities does nothing to provide a meaningful check on FISC authority.
  • Section 3(1)(C) needlessly increases criminal penalties for already illegal conduct as a cowardly reaction to the government whistleblowing that has brought disgrace to your position as chair of the Senate Intelligence Committee.
  • Section 6(m)(1) expressly legalizes the practice of bulk data collection against U.S. citizens in clear violation of the principles outlined in the Fourth Amendment of the United States Constitution.
  • Section 6(m)(3)(B) expands bulk data collection authority beyond the National Security Agency (NSA) and permits any query for "law enforcement purposes."
  • Section 12(a)(3)(A)(i) fails to provide meaningful reporting of FISC determinations by maintaining the practice of requiring a report only if the FISC makes "novel or significant interpretation of law."

The FISA Improvements Act is not the kind of law the American people expect of the elected representatives tasked with protecting our interests and defending the Constitution. It fails on its own premise of regulating the practice of bulk data collection. We demand that you immediately abandon the bill and consider other legislation that meaningfully confronts the threats to American civil liberties posed by the intelligence community.

The FISA Improvements Act Is Particularly Weak Given The Existence Of More Meaningful Legislation

Other bills have been introduced in Congress that address the topic of unconstitutional government spying. Senator Leahy and Congressman Sensenbrenner have authored the USA Freedom Act (S.1599). This bill effectively confronts the threat bulk data collection presents to constitutionally protected privacy rights. Unlike the FISA Improvements Act, the USA Freedom Act presents an enforceable ban on the bulk data collection of domestic communications. It does not merely render the practice legal, as your bill does.

The USA Freedom Act creates a body specifically tasked with protecting privacy with appellate authority to challenge FISC warrants. This Act also makes FISC reporting mandatory, increasing Congress's ability to conduct oversight and making the decisions of the Court transparent and accountable to the people.

By contrast, the FISA Improvements Act does none of this. It includes distractions such as a specific provision further criminalizing the unauthorized disclosure of FISC holdings, conduct that is already illegal. The inclusion of this provision demonstrates a petty attempt to stifle the kind of whistleblowing that brought public awareness to the constitutional violations of the NSA. The FISA Improvements Act will continue to allow the FISC to operate in total secrecy, it will legalize domestic spying and it will continue to erode our country's ability to effectuate meaningful diplomacy abroad by compromising longstanding diplomatic relationships, with allies like Germany.

We Demand Your Resignation As Chair Of The Senate Intelligence Committee

As the chair of the Senate Intelligence Committee you are tasked with providing "vigilant legislative oversight over the intelligence activities of the United States to assure that such activities are in conformity with the Constitution and laws of the United States." In this capacity, you have failed your country. Under your watch the NSA has shredded the Constitution by engaging in bulk data collection and spying on American people, on American soil. Your failure to act in your capacity as chair of the only committee tasked with overseeing federal intelligence programs has enabled these constitutional violations to continue. Your resignation is essential towards rebuilding the collapsed credibility of the oversight committee that is supposed to keep the intelligence community accountable.

Conclusion

For the above-mentioned reasons, we reiterate our demands that you:

  • Withdraw the FISA Improvements Act
  • Resign as Chair of the Senate Intelligence Committee

Without real action on your part, you will have shown voters that you are unaccountable, lack transparency and believe yourself beyond the influence of those who democratically elected you to represent their best interest.

Respectfully,

Organizations: sign the letter using this link.

Also signed by some Californians.

Jack Dorsey Joins Disney’s Board Of Directors | TechCrunch


Comments:"Jack Dorsey Joins Disney’s Board Of Directors | TechCrunch"

URL:http://techcrunch.com/2013/12/23/jack-dorsey-joins-disney/


The Walt Disney Company just announced that Jack Dorsey (co-founder and CEO of Square, as well as co-founder and chairman at Twitter, as if you didn’t know) has joined its board of directors.

“Jack Dorsey is a talented entrepreneur who has helped create groundbreaking new businesses in the social media and commerce spaces,” said Disney CEO Robert A. Iger in the release. “The perspective he brings to Disney and its Board is extremely valuable, given our strategic priorities, which include utilizing the latest technologies and platforms to reach more people and to enhance the relationship we have with our customers.”

The company’s tech bets in the past few years have included the acquisition of gaming companies Tapulous and Playdom. But presumably Disney’s interest in technology goes beyond any one area of the company.

Plus, of course, it acquired Pixar back in 2006, a company that had its roots in technology, even if it wasn’t exactly a startup. The deal brought Apple’s Steve Jobs to the Disney board and made him the company’s largest shareholder — so this is another way that Dorsey is following in the footsteps of Jobs (whom he clearly emulates).

Disney’s board also includes Facebook COO Sheryl Sandberg and John S. Chen, former CEO at Sybase.

Dorsey, meanwhile, has become one of the best-known executives in the tech industry and the startup world, with a recent New Yorker profile not just looking at his achievements at Twitter and Square, but also asking what he’s doing next (for one thing, Dorsey has mentioned repeatedly that he’d like to run for mayor of New York one day). He alluded to the Disney news in a tweet, where he quotes Walt Disney himself: “I only hope we don’t lose sight of one thing—that it was all started by a mouse.”

Sorry, RSA, I'm just not buying it


Comments:"Sorry, RSA, I'm just not buying it"

URL:https://gist.github.com/0xabad1dea/8101758


Sorry, RSA, I'm just not buying it

I want to be extremely clear about three things. First, this is my personal opinion – insert full standard disclaimer. Second, this is not a condemnation of everyone at RSA, present and past. I assume most of them are pretty okay, and that the problem is confined to a few specific points in the company. However, “unknown problem people making major decisions at RSA” is a bit unwieldy, so I will just say RSA. Third, I'm not calling for a total boycott on RSA. I work almost literally across the street from them and I don’t want to get beat up by roving gangs of cryptographers at the local Chipotle.

RSA's denial published last night is utter codswallop that denies pretty much everything in the world except the actual allegations put forth by Reuters and hinted at for months by other sources. It makes pathetically weak excuses which make them look like Grade-A idiots if we take them at their word. The non-denial denial contains PR weasel words written in blinking neon lights that can be seen from the Asteroid Belt. Someone spent their weekend agonizing over every word of this to maximize its meaninglessness and they certainly succeeded.

There are three basic possibilities of what happened, and only one is “categorically denied.” They categorically deny being cartoon supervillains, and I suppose that's better than not denying that. The supervillain scheming to dishonestly subvert the world's security is reserved for the NSA itself. The other two possibilities are that: a) RSA understood at some point that something smelly was going on, but repeatedly chose to pretend they didn't notice to avoid angering the NSA; b) the people in charge of these decisions are the same sort of people who, placed at the helm of the Titanic, would see an iceberg on the horizon and steer straight towards it. (I am now informed by the twittering public that maybe it would not have sunk if it had collided at such an angle. OH WELL.)

Let's review what, exactly, happened:

  • A long time ago: NSA issues changes to the DES S-boxes without much explanation. It is eventually shown by others (Coppersmith, 1994) that the changes strengthened DES against differential cryptanalysis rather than backdooring it.

  • September 2001: the start of a fundamental change in what the NSA feels its mission and scope are, and everyone outside can see it happening over the next several years.

  • June 2004: ANS X9.82, Part 3 draft published with Dual EC DRBG. (This is the earliest reference I can find to starting the standardization process. More documentation here.)

  • ? 2004: NSA allegedly approaches RSA with an offer for ten million dollars to make Dual EC its default random number generator in the BSAFE library despite it being relatively new, a bit strange, and very slow. We do not know what reasons they gave or what terms may have been agreed to.

  • January 2005: first concerns raised inside the standards group that Dual EC could be backdoored, according to Matthew Green's timeline.

  • March 2006: A published security argument for Dual EC acknowledges that its proof does not hold against an adversary with special knowledge, namely a known relationship between the two fixed points P and Q.

  • June 2006: first edition of NIST SP 800-90 (today's SP 800-90A), containing Dual EC. It is now claimed by a Reuters source (perhaps someone can give me a cite of at-the-time discussion) that RSA already having deployed it was used as a reason to put it in this standard.

  • August 2007: Dan Shumow and Niels Ferguson of Microsoft present, at the CRYPTO rump session, that Dual EC could contain a backdoor: whoever chose the constant Q could hold a secret relationship to P that lets them recover the generator's internal state from its output. Everyone eyes it warily and nobody, it seems, deliberately chooses to use it after this point. After all, the Dual EC implementation in OpenSSL's FIPS module was broken (it crashed when used) for years and nobody noticed. It quietly remains the default in BSAFE.

  • September 2013: Revelations derived from the Snowden leak show* that Dual EC is definitely deliberately backdoored by the NSA. RSA acts really surprised. RSA offers some weak excuse that elliptic curves were totally hip (literally in vogue) at the time. RSA does not mention anything about taking anyone’s money. Allegations are posted that an unspecified company accepted ten million dollars to make it their default. Everyone paying attention is pretty sure it's RSA. (* Full disclosure: smart people disagree with the smoking-gunness of Dual EC being called out specifically by the leak. It's complicated.)

  • December 2013: Reuters points to RSA specifically regarding the ten million dollars. RSA issues a non-denial of such magnitude that I'm driven to rage blog.

It is abundantly clear that, yes, RSA crowned Dual EC the default before the first published concerns it could be a backdoor. (They also did it well before it became an official NIST standard, so if you see anyone use that as an excuse, don't let them get away with it.) So, yes, it is possible that, in 2004, nobody at RSA had any articulable suspicions about Dual EC. They may have taken it on faith that this was another DES situation where the NSA knew it was better but couldn't disclose why. Okay. Is that fair? I think that's fair.

If that were the end of the story, I would be standing here saying “poor RSA! How cruelly the NSA mistreated them!” But, guess what, it isn't. In 2007 the possibility of a backdoor was made very public, and after that “everyone knew” not to use it. None of us knew for sure it was backdoored (even if some people retroactively pretend they did) but that was kind of a crazy risk to take when there were other RNGs to pick from with no known risks that were faster to boot. The OpenSSL bug conveniently testifies to the idea that either no one was using it or a few people tried, got a weird crash, shrugged and used a different RNG. This is where my problem with RSA is. They heard, just like the rest of us (I was a kid in college in 2007, and I certainly heard) that respectable researchers believed Dual EC could be backdoored. They knew, unlike the rest of us, that it had been worth cold cash money to the NSA to make Dual EC the default in BSAFE.
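What "could be backdoored" means in concrete terms is easier to see in code than in prose. The following is an added toy model, not code from the gist, from BSAFE, or from any standard: it keeps the structure of SP 800-90A's Dual EC (state advanced with one fixed point P, output taken from a second fixed point Q, top bits of each output discarded) but runs it on a small prime field so every step is visible. Everything numeric is an assumption chosen for readability: the field prime 10007, the curve coefficient search, the trapdoor value 4242, and dropping 2 bits per output where the real generator drops 16 (so the real attacker tries 2^16 candidates instead of 4). The attack is the one Shumow and Ferguson described: whoever knows e with P = e*Q turns one truncated output into the next internal state and predicts everything that follows. Python 3.8+ is needed for pow(x, -1, m).

```python
"""Toy Dual EC DRBG plus the P/Q trapdoor (added example, not from the gist).

Real Dual EC runs on NIST P-256 and discards the top 16 bits of each x-coordinate.
This toy uses a 14-bit field and drops 2 bits, so the attacker tries 4 candidates
per output instead of 65536; the algebra is otherwise identical.
"""

P_MOD = 10007                       # toy field prime (assumption); 10007 % 4 == 3
A = P_MOD - 3                       # curve y^2 = x^3 + A*x + B with a = -3
FIELD_BITS = P_MOD.bit_length()     # 14
TRUNC_BITS = 2                      # bits dropped from each output (real Dual EC: 16)
OUT_BITS = FIELD_BITS - TRUNC_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def _is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def _find_prime_order_curve():
    """Smallest B giving a non-singular curve with a prime number of points."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:
            continue                                   # singular, skip
        count = 1                                      # the point at infinity
        for x in range(P_MOD):
            ls = pow((x ** 3 + A * x + b) % P_MOD, (P_MOD - 1) // 2, P_MOD)
            count += 2 if ls == 1 else (1 if ls == 0 else 0)   # Legendre symbol
        if _is_prime(count):
            return b, count
    raise RuntimeError("no prime-order curve found")


B, N = _find_prime_order_curve()    # N prime: every finite point has order N


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Plain double-and-add (no side-channel hardening; this is a toy)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with this x, or None if no such point exists."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root, valid since P_MOD % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None


def scalar(s):
    """Field element -> scalar in [1, N-1]; the 'or 1' guard only matters at toy size."""
    return s % N or 1


# Fixed points. P is the first valid x >= 1. The "designer" picks e and derives Q so
# that P = e*Q. Whoever holds e can run recover_state() below; nobody else can.
P = lift_x(next(x for x in range(1, P_MOD) if lift_x(x)))
E_SECRET = 4242                                  # assumption: the designer's trapdoor
Q = ec_mul(pow(E_SECRET, -1, N), P)


def output_for_state(s):
    """r = x(s*Q) with the top TRUNC_BITS discarded, as the spec does."""
    return ec_mul(scalar(s), Q)[0] & OUT_MASK


class ToyDualEC:
    def __init__(self, seed):
        self.s = seed

    def generate(self):
        self.s = ec_mul(scalar(self.s), P)[0]    # s_{i+1} = x(s_i * P)
        return output_for_state(self.s)          # r_{i+1} = trunc(x(s_{i+1} * Q))


def recover_state(r_prev, r_next):
    """Trapdoor: from two consecutive outputs, find the state that produced r_next.

    Undo the truncation by trying every dropped-bit pattern, lift each candidate x
    to a point R = +-s*Q, and compute e*R = +-s*P, whose x is the next state. The
    sign does not matter because -R has the same x as R. Keep candidates that
    reproduce r_next.
    """
    states = []
    for high in range(1 << TRUNC_BITS):
        x = r_prev | (high << OUT_BITS)
        if x >= P_MOD:
            continue
        r_point = lift_x(x)
        if r_point is None:
            continue
        s_next = ec_mul(E_SECRET, r_point)[0]
        if output_for_state(s_next) == r_next:
            states.append(s_next)
    return states


def predict(state, count):
    """Outputs the generator will emit after the one derived from `state`."""
    clone = ToyDualEC(state)
    return [clone.generate() for _ in range(count)]


if __name__ == "__main__":
    rng = ToyDualEC(seed=1234)
    seen = [rng.generate() for _ in range(6)]
    for s in recover_state(seen[0], seen[1]):
        print("state", s, "predicts", predict(s, 4), "actual", seen[2:])
```

Two outputs (in practice, the 32 bytes of a TLS ClientHello random plus a little more) are enough for the holder of e; without e the same task is the elliptic-curve discrete logarithm problem. Note also what the backdoor does not require: no access to the machine, no weakness in the curve itself, only that the generator's output is visible and that Q was chosen by someone who kept e.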

At this point, an alarm bell should have gone off within the company. DING A FREAKING LING. It could be backdoored and they knew the NSA had paid for it to be there and it was believed by everyone in the industry that the NSA was most likely expanding its digital spying capabilities in recent years.

Why, after the year 2007, did RSA leave Dual EC in place as the default generator despite all signs pointing to trouble?

Well, of course, there could be many reasons. The NSA could have painted them into a corner with legal obligations to keep it as the default and keep their mouths shut. I’m rather inclined to this theory as it fits neatly with their current PR efforts. It could be that the few people who knew about the arrangement had already left the company and there was a failure (unintentional or deliberate) to clearly propagate this knowledge, making it harder to put two and two together. In this case, I would still blame them for being dumb about leaving it as the default, however, as there was no sensible reason to do so.

A random number generator has the nice property that for almost all applications, you can silently swap one out for another and it makes no functional difference to the application. It only matters which algorithm you’re using (in functionality terms) if you need the ability to store seeds and later reuse them to generate the exact same stream again. This is the sort of thing one does in simulations, and not very often in cryptography. Therefore, switching the default algorithm from Dual EC to any of the other equally standard and approved algorithms would not have a functional impact on the vast majority of customers; the few caught out would simply change from the new default back to Dual EC. As a bonus, all the other algorithms are apparently faster, and that’s generally a desirable property.

RSA claims they did not do any of this because NIST did not drop the algorithm. However, NIST was not the reason the algorithm was adopted in the first place (see timeline) and this isn’t about removing the algorithm: they could have kept it on board as an option and I wouldn’t now have an issue with that. The issue is they left it as default. They had insider knowledge that the algorithm was of special interest to the NSA, which they did not disclose in the light of the backdoor hypothesis. They probably couldn’t disclose that, legally, I get that. I assume it was publicly documented at the time that BSAFE defaulted to Dual EC but this doesn’t really seem to have collectively “clicked” with those of us on the outside. Would we have cared more, in 2007, that Dual EC was the BSAFE default, had we known that RSA had accepted money from the NSA to make it so? I believe so. That would have made it a lot more obviously suspicious.

When the news about Dual EC broke a few months ago, a lot of people in the community said that, well, nobody used it anyway because everybody knew something was wrong with it. This both shows that nobody really realized it was the default in BSAFE and, critically, that RSA cannot really claim they never even suspected a thing at any point.

Therefore, I believe that from 2007 to 2013, RSA was in a state of negligence regarding their use of Dual EC as the default. I believe they had all the information necessary to deduce something was wrong and, for whatever reason, did not act. This has endangered all of RSA’s customers and their customers’ customers.

The reasons they did nothing are probably contractual and political. What do I know about politics? I’m just some firebrand kid. However, their current PR efforts are not doing any favors for their integrity. At all.

I’m willing to believe you were tricked in 2004, RSA. I’m not willing to believe that you were the only people on the planet too dumb to avoid Dual EC after 2007. At some point, you figured it out.

If there are any other skeletons in the closet, it’s probably a good time to air them out before we find out there’s other things you repeatedly did not disclose. Look on the bright side: can it really be any worse than that time you had to replace every single freakin’ token in the world?


How Iron Maiden found its worst music pirates -- then went and played for them | CITEworld


Comments:"How Iron Maiden found its worst music pirates -- then went and played for them | CITEworld"

URL:http://www.citeworld.com/consumerization/22803/iron-maiden-musicmetric?page=0


For more than a decade, musicians have battled rampant music piracy that has put labels and record stores out of business at a rapid pace. Unlike the shift to Amazon that did in the book store chains, record stores are suffering from outright theft, and the migration to iTunes or Spotify streaming isn't making up the difference.

Between 2003 and 2009, about one-third of all independent record shops in the U.S. closed their doors, according to the Almighty Institute of Music Retail, a California-based marketing firm. That translates to 3,700 stores. The one bright spot is that the trend has slowed since 2008.

In England, it's worse, with 70 percent of independent record stores disappearing in the last decade.

But some bands are dealing with the issue in a unique way. A U.K. company called Growth Intelligence aggregates data on U.K. companies to offer them a real time snapshot of how their company is performing. They capture everything from real-world data, like hiring of employees, to online indicators like email to online discussion.

Its stats were compiled for the London Stock Exchange "1000 Companies That Inspire Britain" list. On that list were six music firms that outperformed the music sector, one of them being Iron Maiden LLP, the holding company for the venerable heavy metal band. (Another company on the list was Shazam, which we recently profiled.)

Enter another U.K. company called Musicmetric, which specializes in analytics for the music industry by capturing everything from social media discussion to traffic on the BitTorrent network. It then offers this aggregated information to artists to decide how they want to react. Musicmetric noticed Iron Maiden's placement and ran its own analytics for the band.

(Image credit: MusicMetric)

"Having an accurate real time snapshot of key data streams is all about helping inform people's decision making. If you know what drives engagement you can maximize the value of your fan base. Artists could say ‘we're getting pirated here, let's do something about it’, or ‘we're popular here, let's play a show’," said Gregory Mead, CEO and co-founder of the London-based firm.

In the case of Iron Maiden, still a top-drawing band in the U.S. and Europe after thirty years, it noted a surge in traffic in South America. Also, it saw that Brazil, Venezuela, Mexico, Colombia, and Chile were among the top 10 countries with the most Iron Maiden Twitter followers. There was also a huge amount of BitTorrent traffic in South America, particularly in Brazil.

Rather than send in the lawyers, Maiden sent itself in. The band has focused extensively on South American tours in recent years, one of which was filmed for the documentary "Flight 666." After all, fans can't download a concert or t-shirts. The result was massive sellouts. The São Paulo show alone grossed £1.58 million (US$2.58 million).

And in a positive cycle, Maiden's online fanbase grew. According to Musicmetric, in the 12 months ending May 31, 2012, the band attracted more than 3.1 million social media fans. After its Maiden England world tour, which ran from June 2012 to October 2013, Maiden's fan base grew by five million online fans, with a significant increase in popularity in South America.

FBI agent tries to copyright super-secret torture manual, inadvertently makes it public - Boing Boing


Comments:"FBI agent tries to copyright super-secret torture manual, inadvertently makes it public - Boing Boing"

URL:http://boingboing.net/2013/12/22/fbi-agent-tries-to-copyright-s.html


The ACLU has spent years in court trying to get a look at a top-secret FBI interrogation manual that referred to the CIA's notorious KUBARK torture manual. The FBI released a heavily redacted version at one point -- so redacted as to be useless for determining whether its recommendations were constitutional.

However, it turns out that the FBI agent who wrote the manual sent a copy to the Library of Congress in order to register a copyright in it -- in his name! (Government documents are not copyrightable, but even if they were, the copyright would vest with the agent's employer, not the agent himself). A Mother Jones reporter discovered the unredacted manual at the Library of Congress last week, and tipped off the ACLU about it.

Anyone can inspect the manual on request. Go see for yourself!

The 70-plus-page manual ended up in the Library of Congress, thanks to its author, an FBI official who made an unexplainable mistake. This FBI supervisory special agent, who once worked as a unit chief in the FBI's counterterrorism division, registered a copyright for the manual in 2010 and deposited a copy with the US Copyright Office, where members of the public can inspect it upon request. What's particularly strange about this episode is that government documents cannot be copyrighted. "A document that has not been released does not even need a copyright," says Steven Aftergood, a government secrecy expert at the Federation of American Scientists. "Who is going to plagiarize from it? Even if you wanted to, you couldn't violate the copyright because you don't have the document. It isn't available." "The whole thing is a comedy of errors," he adds. "It sounds like gross incompetence and ignorance." Julian Sanchez, a fellow with the libertarian Cato Institute who has studied copyright policy, was harsher: "Do they not cover this in orientation? [Sensitive] documents should not be placed in public repositories—and, by the way, aren't copyrightable. How do you even get a clearance without knowing this stuff?"

You'll Never Guess Where This FBI Agent Left a Secret Interrogation Manual [Nick Baumann/Mother Jones]

(via Techdirt)

(Image: FBI, a Creative Commons Attribution Share-Alike (2.0) image from 10542402@N06's photostream)

OpenEmu - Multiple Video Game System


Comments:"OpenEmu - Multiple Video Game System"

URL:http://openemu.org


Take Control
Up, Up, Down, Down, Left, Right,
Left, Right, B, A, Start

Why restrict yourself to just the keyboard? Although it is not a requirement, OpenEmu is best used with a peripheral gamepad or controller to interact with your games.

Via the Controller Preferences, simply auto-magically assign buttons with any generic HID compliant USB or Bluetooth game controller.

Plug in your gamepad, select it from the list… and press start to begin your adventures!

Learn More

Secret Handshakes Greet Frat Brothers on Wall Street - Bloomberg


Comments:"Secret Handshakes Greet Frat Brothers on Wall Street"

URL:http://www.bloomberg.com/news/2013-12-23/secret-handshakes-greet-frat-brothers-on-wall-street.html


Photographer: Joel Page/AP Photo. Dartmouth College’s Alpha Delta, an inspiration for the 1978 comedy “Animal House,” sent a member to New York-based Morgan Stanley from the fifth consecutive class days after the chapter was reprimanded for providing alcohol to a minor.

Conor Hails, head of the University of Pennsylvania’s Sigma Chi chapter, was in a Philadelphia hotel ballroom last month for a Barclays Plc (BARC) recruiting reception. A friend pointed out a banker from their fraternity. Hails, 20, approached with a secret handshake.

“We exchanged a grip, and he said, ‘Every Sigma Chi gets a business card,’” Hails recalled. “We’re trying to create Sigma Chi on Wall Street, a little fraternity on Wall Street.”

As students vie for 2014 internships in an industry where 22-year-olds can make more than $100,000 a year, interviews with three dozen fraternity members showed a network whose Wall Street alumni guide resumes to the tops of stacks, reveal interview questions with recommended answers, offer applicants secret mottoes and support chapters facing crackdowns.

That’s one reason men continue to dominate on Wall Street, where no woman has run a big bank. General Motors Co. (GM) announced Dec. 10 it would make Mary Barra the auto industry’s first female chief executive officer, the same day research firm Catalyst Inc. showed women holding about one in eight executive roles in U.S. finance.

The fraternity pipeline helps undergraduates beat odds three times steeper than Princeton University’s record-low acceptance rate, with Goldman Sachs Group Inc. (GS) choosing 350 investment-banking interns this year from 17,000 applicants.

Penn’s Alpha Epsilon Pi, which gave up its charter in 2012 to escape sanctions for hazing, got a member into Morgan Stanley for the fourth year in a row. Dartmouth College’s Alpha Delta, an inspiration for the 1978 comedy “Animal House,” sent someone to the New York-based firm from the fifth consecutive class days after a New Hampshire court reprimanded the chapter for providing alcohol to someone underage, filings show.

‘Male Dominated’

Fraternities retain influence in the face of scrutiny by parents, politicians and police for binge drinking, hazing and at least 60 deaths in the U.S. since 2005. A freshman at Baruch College in New York died this month after suffering a blow to the head during a Pi Delta Psi hazing ritual, according to Monroe County, Pennsylvania, District Attorney David Christine.

The largest U.S. banks say they are meritocracies and run diversity programs to shift an industry that once only let women onto the New York Stock Exchange floor as clerks during wartime shortages. Goldman Sachs added 10 women last year to a partnership that had one when CEO Lloyd C. Blankfein was elected to it in 1988.

“There obviously has been much progress since 20 years ago,” said Siegfried von Bonin, head of Dartmouth’s Alpha Delta chapter. “But the reality is that it’s still very much a male-dominated culture.”

Alpha Deltas

Fraternity inboxes help show why. One of the recruiting e-mails to Dartmouth’s Alpha Delta arrived last month from an alumnus working in a unit of Wells Fargo & Co. (WFC), the largest U.S. mortgage lender.

The e-mail, a copy of which was obtained by Bloomberg News, was his best chance at reaching the college’s top men for next year’s analyst class in a San Francisco office that has had Dartmouth grads for eight straight years and Alpha Deltas for four, he wrote. Students could e-mail their resumes to him directly, he added, and they’d go to the top of the pile.

Fraternity members who went to work for Goldman Sachs, Citigroup Inc. (C) and Bank of America Corp. said they were sent back to campus on recruiting trips, where they could tap people from their houses for interviews ahead of other candidates, some more qualified. One said he would sometimes invent endorsements to send to bosses that didn’t mention fraternity connections.

Spokesmen for the three banks, Barclays, Morgan Stanley (MS) and Wells Fargo declined to comment.

Secret Motto

When alumni don’t reach out, fraternity members know how to find them. Von Bonin, 21, asked two at one of the world’s largest banks for interview advice, he said. They taught him to describe the benefits of the firm’s U.S. growth, fast-paced environment and training program.

“They really gave me valuable advice,” said von Bonin, who got the internship this year. A job offer came later.

Students and graduates on Wall Street said they didn’t see much wrong with a fraternity path to finance. Even applicants with the right handshake need to show drive, dedication and diligence, they said, and many kinds of groups foster bankers, just as houses spawn surgeons and senators.

The network sometimes works so well that it can help accidentally. Jeff Librot, a former head of the University of Delaware’s Sigma Alpha Epsilon chapter, wasn’t looking to use its connections when he applied for a Bank of Montreal (BMO) equities internship, he said. A banker there sent him an e-mail with the frat’s secret motto, “Phi Alpha.” Librot was picked.

Drinking Buddies

That national fraternity has sent almost 3,000 men into finance, according to resumes on LinkedIn, which shows no other industry employing more than 1,800. One of its most successful members, 59-year-old billionaire hedge-fund manager Paul Tudor Jones, apologized in May after telling University of Virginia students that motherhood keeps women from being focused traders.

Research by Lauren Rivera, an associate professor at Northwestern University’s Kellogg School of Management, has shown bankers preferring fraternity heads or other potential drinking buddies to candidates with better grades.

“People like people who are like themselves,” said Rivera, who interviewed 120 professionals involved in hiring graduates for banking, law and consulting jobs.

College women don’t always grasp that men their age are assembling connections that can matter more than schoolwork, said Erica O’Malley, who heads a diversity program at Grant Thornton LLP. She quizzed her children’s friends as they passed through her home near Chicago over the Thanksgiving break.

‘Mom, Stop’

“My daughter will be like, ‘Mom, stop,’” said O’Malley, who also heads an audit practice at the accounting firm. “They don’t really understand it.”

Her company issued a report in March showing the U.S. with the eighth-lowest proportion of female business leaders out of 44 countries. Some of the students who could help boost that ranking find themselves struggling to land work after college.

“I wish I did have more networks,” said Emily Hendrix, who plans to graduate in May after three years at Rollins College in Winter Park, Florida. “It would maybe make finding a job a little easier, a little less stressful.”

A resume that includes the honor council, cross-country team and Kappa Kappa Gamma sorority along with internships for the CME Group Inc. (CME), owner of the world’s largest futures exchange, and Bank of America’s Merrill Lynch unit seems robust enough to land one. Without job offers for next year, or strong leads from friends, she’s been compiling potential options into a spreadsheet listing 123 companies she’d like to work for.

Winning Women

Even as women make up the majority of the industry’s support staff, filling 24,000 of 32,000 administrative positions at Citigroup according to its diversity report last year, they hold few of its top spots. Just two are on the firm’s operating committee with 22 men. The 11 Goldman Sachs executive officers and top dozen at Morgan Stanley include one woman each.

Evolution comes slowly, according to Jeff Urwin, head of investment banking at JPMorgan Chase & Co. (JPM) The firm’s Winning Women program has led to about 13 additional hires each year since 2004.

“You tend to think of an institution in a structured way, but it’s actually a big organic entity,” Urwin said. “Driving any kind of change that gets at the culture in an organism is hard because it tends to return to the original form, if you don’t maintain that consistent pressure to drive that change.”

JPMorgan employs 140 Sigma Phi Epsilon members, according to an article on job preparation in the fraternity’s magazine this year. It shows only Bank of America and Wells Fargo employing more.

Grand Smudge

Fraternities have become so good at filling Wall Street’s openings that firms can hire several alumni for each woman. There are at least four members among 14 associates at San Francisco-based private-equity firm Hellman & Friedman LLC, according to resumes posted to LinkedIn. Two of the 14 are female. Fraternity brothers outnumber women four to one in the analyst program at Peter J. Solomon Co., a New York investment bank founded by the former Lehman Brothers Holdings Inc. vice chairman. Spokeswomen for both companies declined to comment.

When those men and women make it to the top, Wall Street’s bosses have a secret society all their own with parties in Manhattan’s St. Regis Hotel. Kappa Beta Phi, founded before 1929’s stock-market crash, throws an annual bash where bankers and billionaires in tuxedos are entertained by neophytes who sometimes don ladies dresses and pumps. Officers called Grand Swipe, Grand Smudge and Grand Loaf lead revelers who’ve included former Goldman Sachs head Sidney J. Weinberg, American International Group Inc. CEO Robert Benmosche and Mary Schapiro, who ran the Securities and Exchange Commission until last year.

Cohen’s Pledge

The fraternity pipeline works in reverse, too, when those titans return to campus bearing gifts as large as billionaire Steven Cohen’s $2 million pledge to Penn’s Zeta Beta Tau. His SAC Capital Advisors LP pleaded guilty last month to insider-trading charges.

Donors rebelled when Trinity College in Hartford, Connecticut, made fraternities go co-ed after a drunk student broke his neck in a shallow Psi Upsilon pool, Bloomberg News reported in May. With a private-equity veteran, real estate investor and stock analyst among grads condemning the school’s efforts, Trinity President James Jones decided to resign a year earlier than planned.

Dissolving ZBT

Patrick Laterza, who works in wealth management for Citigroup, went to Binghamton University last year to try to preserve Zeta Beta Tau’s chapter there, e-mails obtained through public-records requests show. It lost recognition from the fraternity’s national organization and from the school, a State University of New York campus. A pledge complained he had been waterboarded, the e-mails show.

“The situation with the chapter that was there was from my understanding a financial one,” said Laterza, who manages $130 million according to his LinkedIn page. “We found out later that there were more issues which were then discussed, and in the end the fraternity was dissolved.”

The most valuable thing fraternities do to prepare their own for Wall Street isn’t controversial or secretive, according to some of the men who went from one to the other.

“It’s going to help you assimilate,” said Theta Chi alum Christopher Albrecht, who joined Deutsche Bank AG (DBK) after graduating from Lehigh University in 2007. Colleagues “want to hire people and bring up people you can get along with.”

Mock Interview

Matthew Benson, a senior at Penn, recalled last month how he was led through a mock interview in January by an older Alpha Epsilon Pi member while sitting near cabinets lined with empty whiskey bottles. The fraternity, now known as Apes, moved off campus in 2012 instead of complying with sanctions that followed hazing claims, according to a university official.

The senior timing Benson’s answers and telling him to smile more is now an analyst for a multibillion-dollar buyout firm. Benson landed an internship with a merger adviser, then a job offer for next year. He’s already doling out advice to younger fraternity members, including one preparing for a venture-capital interview.

“I was helping him craft his story,” he said. “The kids are actually very proactive.”

To contact the reporters on this story: Max Abelson in New York at mabelson@bloomberg.net; Zeke Faux in New York at zfaux@bloomberg.net

To contact the editor responsible for this story: Peter Eichenbaum at peichenbaum@bloomberg.net

BBC News - AK47 assault rifle designer Kalashnikov dies at 94


Comments:"BBC News - AK47 assault rifle designer Kalashnikov dies at 94"

URL:http://www.bbc.co.uk/news/world-europe-25497013


23 December 2013, last updated at 13:41 ET

Mikhail Kalashnikov: "I created a weapon to defend the fatherland's borders"

The inventor of the Kalashnikov assault rifle, Mikhail Kalashnikov, has died aged 94, Russian officials say.

The automatic rifle he designed became one of the world's most familiar and widely used weapons.

Its comparative simplicity made it cheap to manufacture, as well as reliable and easy to maintain.

Although honoured by the state, Kalashnikov made little money from his gun. He once said he would have been better off designing a lawn mower.

Kalashnikov was admitted to hospital with internal bleeding in November.

Analysis

Mikhail Kalashnikov's 1947 design became the standard equipment of the Soviet and Warsaw Pact armies. Versions were manufactured in several other countries, including China.

With its distinctive curved magazine, the Kalashnikov became a revolutionary icon in the hands of militants and insurgents around the globe.

When I met him in Paris, he proudly wore the insignia of a Hero of Socialist Labour on his jacket. He seemed perplexed at the extraordinary changes that had engulfed his country.

He was sensitive to any criticism that his gun had caused countless casualties around the world. He told me he had simply designed the rifle to defend the Soviet Union. The uses to which it had been put elsewhere were nothing to do with him, he said.

The Kalashnikov - which is still widely used today - will go down in history. If the name of Samuel Colt and his revolver is associated with the 19th Century, then the gun of the 20th Century is undoubtedly the Kalashnikov.

He died on Monday in Izhevsk, the city where he lived 600 miles east of Moscow, an official there said.

Matching the Germans

Mikhail Timofeyevich Kalashnikov was born on 10 November 1919 in western Siberia, one of 18 children.

In 1938, he was called up by the Red Army and his design skills were used to improve the effectiveness of weapons and equipment used by Soviet tank regiments.

He designed the machine gun after being asked by a fellow soldier why the Russians could not come up with a gun that would match the ones used by the Germans.

Work on the AK47 was completed in 1947, and two years later the gun was adopted by the Soviet army.

Kalashnikov continued working into his late 80s as chief designer at the Izhevsk firm that first built the AK-47.

He received many state honours, including the Order of Lenin and the Hero of Socialist Labour.

Kalashnikov refused to accept responsibility for the many people killed by his weapon, blaming the policies of other countries that acquired it.

However, pride in his invention was tempered with sadness at its use by criminals and child soldiers.

"It is painful for me to see when criminal elements of all kinds fire from my weapon," Kalashnikov said in 2008.
