The Devil’s Guide to the 2016 Election | 2016 | OZY

In his irreverent 1906 masterpiece, The Devil’s Dictionary, the 19th-century American writer Ambrose Bierce took aim at all manner of human hypocrisies, sins and shortcomings by penning a lexicon of cynical word definitions for a cynical age.

As we enter the epic 21st-century political shitstorm that will be this year’s presidential contest between Republican Donald Trump and Democrat Hillary Clinton, we at OZY have prepared our own “Devil’s Guide to the 2016 Election” to see you through the heartburn, disillusionment and rampant cynicism that will be your constant news companions during the remainder of this election season. Here are the terms you need to know:

advice and consent, n. Constitutionally derived power under which the U.S. Senate may discourage and reject a Supreme Court appointment made by a president of the opposing party.

American Dream, n. The birthright of every U.S. citizen to lease a marginally better automobile than the one their parents once owned.

Beltway, n. A disenfranchised cocktail community ringed by traffic congestion and poor government, unified only by a love of crabcakes and a disdain for Ted Cruz.

Bernie Bro, n. A principled political theorist who rails against everything his white male predecessors have done to rig the political system by making derogatory Facebook comments about the first woman with a legitimate chance of scaling it.

border, n. An imaginary boundary requiring barbed wire and fence sufficient to keep out hardworking economic migrants but porous enough to allow recreational drugs to reach the suburbs.

brinkmanship, n. A hardball political strategy whereby members of Congress hold the parents hostage in order to pick the child’s pocket.

campaign, n. An expensive, well-orchestrated attempt to persuade your fellow citizens to make your personal ambitions their righteous cause.

Citizens United, n. Shorthand for the U.S. Supreme Court’s belief that money is speech in the same way that a fire hose is a faucet.

Congress, n. The only whorehouse that loses money. — D.C. proverb

conservative, n. One who admires radicals centuries after they’re dead. — Leo Rosten

constitution, n. A loosely worn, conveniently ambiguous foundational undergarment capable of concealing all manner of scars and harms, from firearms to porn mags.

convention, n. An elaborate contraption whereby the will of a political party’s insiders is converted into the will of its members.

debate, n. A nationally televised forum in which moderators provide candidates with alternating, 30-second opportunities to evade questioning.

delegate, n. See elector: One who enjoys the sacred privilege of voting for the man of another man’s choice. — Ambrose Bierce, The Devil’s Dictionary

democracy, n. A system in which you and a person who just wrote an outrageously racist Internet comment containing several grammatical errors are indistinguishable. — Verge’s “The New Devil’s Dictionary”

democratic socialist, n. A socialist with better teeth.

discrimination, n. The act of safeguarding one’s own prejudices about what a normal life entails by preventing others from experiencing one.

donor, n. In a democratic republic, the primary instrument for expressing the will of the people; not to be confused with a voter.

Drudge Report, n. A popular “news” website with the vocabulary of a third-grader and the design aesthetic of a ransom note.

election, n. To paraphrase H.L. Mencken, the process by which jackasses select their favorite jackals.

electoral college, n. A prestigious college that issues no grades to its enrollees but perpetually flunks democracy.

endorsement, n. An act of political symbiosis in which one politician attempts to feed her struggling campaign by allowing a weaker politician to suck its blood.

flip-flopper, n. A politician caught in the act.

Florida, n. Sun-drenched state where America’s elderly, and its electoral democracy, routinely go to die.

freedom, n. My sacred right to be left to my own devices while I am plotting how to interfere with yours.

honest, adj. Among politicians, possessing a sophisticated gift for deception.

hypocrite, n. Critic’s label for the individual gifted in the art of consistent pandering.

inauguration, n. A scepterless coronation with bleacher seats.

lame-duck Congress, n. Where some fellows worked for you and their work wasn’t satisfactory and you let ’em out, but after you fired ’em, you let ’em stay long enough so they could burn your house down. — Will Rogers

liberal, n. A man too broad-minded to take his own side in a quarrel. — Robert Frost

lie, v. What a politician does with his mouth when he is not eating.

marriage, n. For a Clinton, a wife’s stepping-stone to power; for a Trump, a wife’s pathway to citizenship.

Meet the Press, n. Beat the Press.

nominate, v. To offer up a sacrificial political lamb on the altar of public opinion.

October surprise, n. Sudden external circumstance just prior to an election that gives you the cover to vote as your prejudices have dictated all along.

opportunity, n. A chance missed by most people because it is dressed in overalls and looks like work. — Thomas Edison

party, n. One of only two classes of political restroom available for citizens of a nation founded upon a respect for a spectrum of political identities.

political language, n. Speech designed to make lies sound truthful and murder respectable. — George Orwell

politician, n. Public official possessing the qualities of a diaper that needs to be changed often, and for the same reason. — Based on the popular bumper sticker

POLITICO, n. TMZ for ugly people.

politics, n. The conduct of public affairs for private advantage. — Ambrose Bierce, The Devil’s Dictionary

president, n. An office for which it is necessary to raise and spend a billion dollars for the privilege of being vilified while living and having a high school named after you when you are dead.

public servant, n. A necessary posture or apprenticeship for those striving to become the public’s master.

pundit, n. A huckster of words who sells speculation as if it were wheat and discards facts as if they were chaff.

radical, n. A man with both feet planted firmly — in the air. — Franklin D. Roosevelt

recount, n. A process by which the fruits of a democratic outcome are jettisoned in favor of the pits left over after the lawyers and rented mobs have had a good chew.

religious right, n. The denizens of a moral high ground who want an oppressive government out of their lives as deeply as they desire to have their deity inhabit yours; not to be confused with radical Islam.

running mate, n. A comfortably inferior politician who can complement the shortcomings of your candidacy without compromising your ego.

senator, n. A call center operator with her own driver and stationery.

soccer mom, n. That species of American mother whose onerous after-school schedule can be used to justify everything from censorship to pre-emptive war.

stump speech, n. The political corollary of The Giving Tree, whereby the candidate can give you nothing but his stump.

superdelegate, n. A peculiar species of elected representative that is neither elected nor representative.

super PAC, n. A constitutionally protected device allowing media companies to sell millions of dollars of air to the nation’s wealthiest individuals, who are allowed to remain comfortably anonymous in their purchasing folly.

swing state, n. The motley, indecisive debutante receiving the multitude of a suitor’s time and money while more attractive and deserving prospects are ignored entirely.

Twitter, n. Popular means for perpetrating short-form, incomprehensible character assassination.

tyrant, n. A man not having control of himself who attempts to rule others. — Plato

vote, n. The instrument and symbol of a freeman’s power to make a fool of himself and a wreck of his country. — Ambrose Bierce, The Devil’s Dictionary

voter protection, n. The act of shielding a voter from electoral fraud by snatching her actual vote before a bogeyman can take her theoretical one.

voters, n. Lost souls who repeatedly select the lesser of two evil roads only to find themselves right back in the ditch where they began.

Wall Street, n. Members of a sadistic financial class who pay politicians handsomely for the pleasure of being whipped prior to an election and pleasured after it.


Dishwasher-Loading Techniques Throughout History – The New Yorker

The proper technique for loading a dishwasher is far from a settled matter, despite whatever you know who might say. Over the millennia, cultures have brought their own unique traditions and innovations to the task, and history has proved that various methods of arranging the dishes have worked just fine and have not been so stupid after all.

Paleolithic Age

Paintings on the walls of the Lascaux Caves, which date back some seventeen thousand years, depict a man and a woman standing on opposite sides of a grid that is almost certainly a single dishwasher rack. Dinnerware is arranged in rows: large plates at the front, saucers next, then bowls, mugs, and cups. The female figure has her arms folded.

Ancient Greece

Plato reasoned that the positioning of cups, bowls, and utensils was of secondary concern. He believed that an ideal cleaning could be achieved only through a precise placement of the plates in a circle, on the bottom rack. It’s how he got his name.

Ancient Americas

The Incas were slow to adopt the dishwasher because of their ornate ceramic plates, which they feared might be hand-washable only. The Maya engaged in ongoing warfare (yaoyotl) over whether to place all the spoons together, all the forks together, and so forth, or whether to mix them all up in the silverware basket. Many died in battle.

Dynastic China

Confucius suggested that scraping off the food and pre-rinsing dishes in the sink was not always necessary but always wise.

Age of Enlightenment

It’s hard today to believe that Copernicus could have drawn so much criticism for conceiving his system of facing cups downward rather than upward so as not to retain the soapy water. In retrospect, it’s really the only way that makes sense, but it was blasphemous in his time to alter any aspect of the accepted arrangement.

Renaissance Italy

Sketches attributed to Leonardo da Vinci indicate that he tested multiple dishwasher-loading configurations and at long last determined the nearest together you could place two plates before at least one of them really wouldn’t get clean and you’d have to run it through again.

Elizabethan England

In Shakespeare’s sequel to “Much Ado About Nothing,” “Much More Ado About Nothing,” Benedick and Beatrice, now betrothed, argue energetically in several kitchen scenes. Benedick protests that he should be excused from loading the dishwasher because he isn’t very good at it. Beatrice cheerily mocks him: “If cloddishness allowed a leave of tasks, I fear your job behind our chamber door.”

Colonial America

Benjamin Franklin coined the phrase “bottom-rack-safe.”

Colonial India

Gandhi opposed detergent cubes, as they concentrated too much power in one place.

Trade groups, AT&T urge U.S. court to reverse ‘net neutrality’ rules | Reuters

Trade associations representing wireless, cable and broadband operators on Friday urged the full U.S. Court of Appeals for the District of Columbia Circuit to reverse a ruling upholding the Obama administration’s landmark rules barring internet service providers from obstructing or slowing consumer access to web content.

A three-judge panel in June, in a 2-1 decision, backed the Federal Communications Commission’s so-called net neutrality rules put in place last year to make internet service providers treat all internet traffic equally.

Wireless trade association CTIA said in a court filing on Friday seeking a rehearing that “few final rules of any federal administrative agency have ever had so much potential to affect the lives of so many Americans.”

AT&T also urged the court to reverse the ruling. And in a separate petition, US Telecom and CenturyLink Inc asked the court to reconsider the ruling, as did the National Cable & Telecommunications Association and American Cable Association.

The cable groups said the court should correct “serious errors” in a decision “that radically reshapes federal law governing a massive sector of the economy, which flourished due to hundreds of billions of dollars of investment made in reliance on the policy the order throws overboard.”

The FCC rules prohibit broadband providers from giving or selling access to speedy internet – essentially a “fast lane” on the web’s information superhighway – to certain internet services over others.

In siding with the FCC, the court treated the internet like a public utility and opened the door to further internet regulations.

“It comes as no surprise that the big dogs have challenged the three-judge panel’s decision,” FCC Chairman Tom Wheeler said in a statement. He said he was confident the full court would agree with the panel’s decision.

Broadband providers such as Verizon Communications Inc, AT&T and Comcast Corp fear the rules may make it harder to manage internet traffic and also make investment in additional capacity less likely.

In its filing on Friday, the CTIA said it was illegal to subject broadband internet access to “public-utility style, common carrier regulation” and illegal to impose “common-carrier status on mobile broadband.”

The FCC decided in 2015 to reclassify internet service providers as common carriers under a 1996 law.



The horror writer H. P. Lovecraft (1890-1937) was a master of the macabre and he wrote about truly scary things. His stories weren’t so much about vampires and ghosts as they were about unfathomable creatures and ancient gods. In Lovecraft’s world evil isn’t out to get man – it just doesn’t care about us. And almost all of his stories deal with meeting the unknown and what it does to our fragile mind. Or as he himself puts it: “The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.”

No, I can’t imagine a better world to dive into with my kids before bedtime.

Lovecraft’s universe – his cosmology – is called The Cthulhu Mythos after the best known of his creatures: ancient Cthulhu who sleeps at the bottom of the sea. But his mythos is not all about creepy gods like Cthulhu and Nyarlathotep or frightening monsters like shoggoths or flying polyps. No, it is also about the cat city of Ulthar, the musician Erich Zann, and many other strange and wonderful things.

Lovecraft was quite unknown when he lived, but luckily that has changed since. You can find references to his works in such places as Batman, Hellboy, Metallica’s Black Album, and the first season of True Detective. A lot of writers have also added to the Cthulhu Mythos (something he encouraged them to do), but in Mythos ABC I’ve tried to stick to Lovecraft’s original creations.

If you don’t know Lovecraft already, but want to read more, The Call of Cthulhu, At the Mountains of Madness, The Music of Erich Zann, The Colour Out of Space, and The Shadow Over Innsmouth are all good places to start.

Mythos ABC was made possible thanks to all those who supported our Indiegogo campaign and preordered the book. And not least thanks to our fantastic illustrators who’ve been working hard to find the right mix of scary and strange. Thanks to you all.

The English version is slightly different from the Danish original because I wanted all rhymes to be about something beginning with the appropriate letter. Therefore you’ll find rhymes about flying polyps, Jupiter, Outer Gods, and vooniths in this edition only.

[The link points to a PDF of the book.]


There are limits to 2FA and it can be near-crippling to your digital life | Ars Technica

As a graduate student studying cryptography, security and privacy (CrySP), software engineering and human-computer interaction, I’ve learned a thing or two about security. Yet a couple of days back, I watched my entire digital life get violated and nearly wiped off the face of the Earth. That sounds like a bit of an exaggeration, but honestly it pretty much felt like that.

Here’s the timeline of a cyber-attack I recently faced on Sunday, July 24, 2016 (all times are in Eastern Standard):

3:36pm—I was scribbling out an incidence matrix for a perfect hash family table on the whiteboard, explaining how the incidence matrix should be built to my friends. Ironically, this was a cryptography assignment for multicast encryption. Everything seemed fine until a rather odd sound started playing on my iPhone. I was pretty sure it was on silent, but I was quite surprised to see that it said “Find My iPhone Alert” on the lock screen. That was odd.

3:37pm—My iPhone’s lock screen changes. The screen dims, with the following message, “Hey why did you lock my iPhone haha. Call me at (123) 456–7890.”

This was when I realized what exactly was happening. My Apple ID had been compromised and the dimwit on the other end was probably trying to wipe all my Apple devices. Clearly he/she wasn’t very smart (to my benefit), and the adversary had decided to play the sound and kick the iPhone into Lost Mode before attempting to run the remote erase. When you throw a device into Lost Mode, it immediately attempts to get the physical location of the device and shows it to the adversary.

Sound familiar? Of course, this was exactly what happened in August of 2012 with Mat Honan’s massive hack. In his case it happened in a slightly different way, but the end goal was the same—wipe the devices and destroy the data.

3:38pm—Naturally, I go into lockdown mode, and immediately take all my devices offline to stop whatever else the adversary was planning to do. When I knew I was being targeted in the same way as in the Mat Honan attack, I expected they would soon try to wipe my devices. True enough, I was able to confirm that they indeed attempted to wipe my iPhone and my Mac as well.

Because I managed to take all my devices offline, I was able to make sure none of them received their erase requests from the server. But this could have been worse, way worse.

After the Honan attack back in 2012, I decided to get two-factor authentication (2FA) turned on for my Apple ID to act as a safeguard. 2FA here was my friend to some extent, as in the case of iCloud. 2FA blocks any user attempting to log in to your account, not allowing them to go any further than logging in and accessing Find My iPhone, Apple Pay, and Apple Watch settings — I don’t have Apple Pay or an Apple Watch for now, so I am not sure as to the extent of access for those two. But this form of 2FA doesn’t protect Find My iPhone. This was kind of understood — if you lose your iPhone, you can’t get the second factor of authentication to get in to lock your iPhone.

One of the benefits of having 2FA was that things like my Mail, Contacts, Calendar and other documents were locked away. Without my 2FA code that comes either through my trusted device (via the Find My iPhone service) or via a text message, there wasn’t any way to get that unless the trusted device or the device that received the text message was compromised as well. Additionally, there was no way for the adversary to reset the password without getting the second authentication code.

I was able to lock my account with a new password and got all the erase requests cancelled. But herein lie the problems which, if addressed, could have prevented this attack or at least limited the potential damage. Put simply: the lack of 2FA for Find My iPhone and the lack of pattern monitoring on Apple’s servers were the two main reasons this attack took place.

Pattern monitoring

One of the things I did notice was that the login notification e-mails generally originate from the country you log in from, especially in this day and age when Apple has a local division in most large, if not all, countries. I noticed this as I was able to check on my older login notification e-mails that I received when I lived in Australia. In that case all of my notifications were addressed from Apple Pty Ltd, while my logins from Canada were addressed from Apple Canada Inc.

In this case, the adversary’s login attempt resulted in a login e-mail from Ireland instead, which led me to suspect they clearly were not in North America at least. Of course this could have been spoofed with the help of a VPN, but the location change could have been detected as it would be an outlier from my regular logins from Canada. The other, clearer differentiation of the pattern was the part where the login was done on a Windows computer, instead of a Mac. In my case, this would have been quite an outlier as I normally use a Mac and can probably count the number of times I have logged in using a Windows computer.

Ideally, at this point, it would have been reasonable for Apple to check if this was a legitimate login — for example, using one of the secondary accounts nominated in the Apple ID. Microsoft actually does this if you attempt to use your Microsoft account on a new device or a device that isn’t normally used, and the company locks the account and gets you to confirm the login through your secondary accounts.
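The kind of pattern check described above, as an added example that is not part of the original article and not Apple’s or Microsoft’s actual logic: a small risk-scoring routine over an account’s login history. The record shape (country and client platform per login), the constructed history, the thresholds and the “allow / notify / step_up” actions are all assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Login:
    """One successful sign-in as a risk engine would see it.

    Constructed record shape (an assumption for this example): the country is
    inferred from the client address, the platform from the client's user
    agent or device record. Both can be spoofed (VPN, forged user agent), so
    an anomaly here is a reason to ask for more proof, not proof of attack.
    """
    ts: str        # ISO 8601 timestamp
    country: str   # ISO 3166-1 alpha-2 code
    platform: str  # reported client OS


# Constructed history: an older stretch of Australian logins, then regular
# logins from Canada, almost always from a Mac.
HISTORY: List[Login] = [
    Login("2015-03-02T09:10:00", "AU", "macOS"),
    Login("2015-06-14T19:42:00", "AU", "macOS"),
    Login("2016-01-05T08:03:00", "CA", "macOS"),
    Login("2016-02-11T21:30:00", "CA", "iOS"),
    Login("2016-04-22T07:55:00", "CA", "macOS"),
    Login("2016-06-30T12:15:00", "CA", "macOS"),
]

ATTRIBUTES = ("country", "platform")


def build_baseline(history: List[Login]) -> Dict[str, Counter]:
    """Count how often each value of each attribute appears in past logins."""
    return {attr: Counter(getattr(login, attr) for login in history)
            for attr in ATTRIBUTES}


def score_login(login: Login, baseline: Dict[str, Counter],
                rare_ratio: float = 0.1) -> Tuple[int, List[str]]:
    """Return an anomaly score and the reasons behind it.

    An attribute value never seen before scores a point; one seen in fewer
    than rare_ratio of past logins also scores a point.
    """
    score, reasons = 0, []
    for attr in ATTRIBUTES:
        counts = baseline[attr]
        total = sum(counts.values())
        value = getattr(login, attr)
        seen = counts.get(value, 0)
        if seen == 0:
            score += 1
            reasons.append(f"{attr} {value!r} never seen in {total} prior logins")
        elif total and seen / total < rare_ratio:
            score += 1
            reasons.append(f"{attr} {value!r} seen in only {seen}/{total} prior logins")
    return score, reasons


def decide(login: Login, baseline: Dict[str, Counter],
           step_up_at: int = 2) -> Tuple[str, List[str]]:
    """Map the score to an action: allow, notify, or step-up verification.

    Step-up means the session must confirm through a channel the attacker is
    unlikely to hold (a secondary account or trusted device) before it may
    reach destructive actions such as Lost Mode or remote erase.
    """
    score, reasons = score_login(login, baseline)
    if score >= step_up_at:
        return "step_up", reasons
    if score == 1:
        return "notify", reasons
    return "allow", reasons


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Constructed events modelled on the article: the owner's usual login, and
    # the attacker's login from Ireland on a Windows machine.
    for event in (Login("2016-07-24T15:30:00", "CA", "macOS"),
                  Login("2016-07-24T15:36:00", "IE", "Windows")):
        action, why = decide(event, baseline)
        print(f"{event.ts} {event.country} {event.platform}: {action} {why}")
```

With this history the Ireland/Windows login scores two points and would be held for step-up verification, while a Canada/Mac login passes. The score gates a confirmation step rather than blocking outright: both attributes can be faked, and a legitimate owner travelling with a borrowed laptop would otherwise be locked out of the one service they need.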

Lack of 2FA for Find My iPhone

When you sign up for 2FA, Apple disables the secret questions/answers to reset the password — you need the recovery key instead to regain access if you forget the password.

I can see why Apple decided against using the same 2FA authentication for Find My iPhone. Ideally, you’d only use Find My iPhone when you lose your device, hence you’d not be able to access your text and on-device authentication. But for there to be no 2FA for Find My iPhone doesn’t quite add up.

I can imagine how this could be fixed. Instead of having a one-time code for Find My iPhone, it might be better to have a second layer of authentication in the form of a secret question/answer when accessing Find My iPhone if 2FA was on. The legitimate user would know the answer to the question just like in the case of a forgotten password. By nominating a number of question/answer pairs, it can be randomized, too.

If such a thing existed, the adversary in this case would have not been able to go further than looking up the location, and ideally he/she wouldn’t be able to play the alert sound or even conduct the remote erase.

What happens next? To be fair, I have not had bad experiences with Apple’s security in the last 10 years of using their products, hence I would say I’m still pretty confident to use its products. At the same time, the viability of such an attack is quite scary considering Apple is moving (like many others) to a cloud-focused future. My experience in this case wasn’t as bad as it could have been. I knew what to do and how to contain, and subsequently neutralize, the attack as I know how Find My iPhone and iCloud work. But to the general population—a large proportion of Apple’s user base—this would have been a very different story.

I’ve never revealed this password, and the password itself is pretty random, with capital letters, small letters and numbers. I’ve also never accidentally signed into a dodgy site with it. I’m going on the basis that the adversary successfully guessed the password somehow, but the important thing here is to reduce the damage should a password be obtained by the adversary.

I believe this is a genuine concern, and I think Apple should address this as soon as possible. I can’t imagine having my iPhone randomly wipe out while I’m on the road with CarPlay giving me driving directions or HomeKit controlling my home (especially considering in the next couple of years, we’d likely to see stronger CarPlay integration and HomeKit integration).

To the hackers — please take grammar classes. That was quite a pathetic Lost Mode message. Not as bad as the Oleg Pliss attack message in 2014, though interestingly, that attack could have been prevented as well if there was a second factor of authentication for Lost Mode. Back then, just like the situation today, the 2FA that everyone suggested to turn on doesn’t protect Find My iPhone.

Can We Learn How to Forget? – Scientific American

After reflexively reaching out to grab a hot pan falling from the stove, you may be able to withdraw your hand at the very last moment to avoid getting burned. That is because the brain’s executive control can step in to break a chain of automatic commands. Several new lines of evidence suggest that the same may be true when it comes to the reflex of recollection—and that the brain can halt the spontaneous retrieval of potentially painful memories.

Within the brain, memories sit in a web of interconnected information. As a result, one memory can trigger another, making it bubble up to the surface without any conscious effort. “When you get a reminder, the mind’s automatic response is to do you a favor by trying to deliver the thing that’s associated with it,” says Michael Anderson, a neuroscientist at the University of Cambridge. “But sometimes we are reminded of things we would rather not think about.”

Humans are not helpless against this process, however. Previous imaging studies suggest that the brain’s frontal areas can dampen the activity of the hippocampus, a crucial structure for memory, and therefore suppress retrieval. In an effort to learn more, Anderson and his colleagues recently investigated what happens after the hippocampus is suppressed. They asked 381 college students to learn pairs of loosely related words. Later, the students were shown one word and asked to recall the other—or to do the opposite and to actively not think about the other word. Sometimes between these tasks they were shown unusual images, such as a peacock standing in a parking lot.

As described in Nature Communications, the researchers found that the participants’ ability to subsequently recall the peacocks and other strange pictures was about 40 percent lower if they had been instructed to suppress memories of words before or after seeing the images, compared with trials in which they had been asked to recall the words. The finding provides further evidence that a memory-control mechanism exists and suggests that trying to actively forget a particular memory can negatively affect general memory. The researchers call the phenomenon an “amnesic shadow” because it apparently blocks recollection of unrelated events happening around the time of decreased hippocampal activity. The results may explain why some people who have experienced trauma (and then tried to forget it) have poor memory of everyday events, say experts not involved in the study.

Minus the temporary amnesia, suppressing memories on demand could be a useful skill, Anderson says. That is why he and his colleague Ana Catarino are now studying whether it is possible to train people in the art of suppression: they are currently conducting an experiment in which they monitor participants’ brain activity in real time and provide verbal feedback about how much hippocampal activity is dampened. They hypothesize that the cues could help someone learn how to become better at selectively forgetting the past—an ability that could especially ameliorate the pain of those with post-traumatic stress disorder.

Hurricane Drought Hits a New Record – Scientific American

Saturday was a quiet day across the Gulf of Mexico, but not one without note, because a strange record was set: It has been 1,048 days since a hurricane developed in or entered the Gulf. That is the longest streak in the past 130 years, since formal record-keeping began in 1886.

The Atlantic hurricane season starts in June and lasts through the end of November. But the last storm in the Gulf was Hurricane Ingrid, which made landfall in northeastern Mexico in September 2013. “You have to have conditions just right for a hurricane to form, and the conditions haven’t been ideal in the Gulf of Mexico in the last two years,” says Robbie Berg, a hurricane specialist at the National Hurricane Center. The last long Gulf hurricane drought was from October 1, 1929, to August 13, 1932. It was broken by Hurricane 2, which came ashore in Freeport, Texas, as a category 4 storm.

Hurricanes usually form when ocean water has been warmed over the summer months to around 25 degrees Celsius or higher. As humid air and clouds accumulate, light, sweeping winds moving westward from Africa can steer the clouds across the mid-Atlantic toward the Gulf. In some cases, the mass of moisture can begin rotating as it advances. This early stage is known as a tropical depression, which can strengthen to become a tropical storm if the wind direction and speed throughout all levels of the atmosphere remain relatively constant. To be considered a category 1 hurricane or higher, the wind speed inside the rotating storm needs to be at least 119 kilometers per hour (74 miles per hour).

Several tropical depressions and tropical storms have arisen in the Gulf of Mexico in the past couple of years, but none intensified to achieve hurricane status. Winds across the upper levels of the atmosphere have been strong, which can tear clouds apart, keeping storms from strengthening, Berg says.

Weaker hurricane seasons are not unusual, especially in the Gulf of Mexico, according to hurricane forecaster Gerry Bell at the National Oceanic and Atmospheric Administration (NOAA). Hurricanes are more likely to form in the Atlantic Ocean because there’s more room to develop there than in the Gulf. And wind currents often direct Atlantic storms north and west toward the U.S. East Coast or out into the North Atlantic instead of crossing into the Gulf. The drought can end anytime, however, because the most active part of the season—from August to October—is yet to come.

Despite the long hiatus, NOAA still anticipates a normal Atlantic season with a 70 percent likelihood of 10 to 16 named storms. “Not having hurricanes in the Gulf of Mexico doesn’t mean that people should become complacent or forget how to prepare for one,” Berg says.

Scientists grow mini human brains — ScienceDaily

Scientists in Singapore have made a big leap in research on the ‘mini-brain’. These advanced mini versions of the human midbrain will help researchers develop treatments and conduct other studies into Parkinson’s Disease (PD) and aging-related brain diseases.

These mini midbrain versions are three-dimensional miniature tissues that are grown in the laboratory and have certain properties of specific parts of the human brain. This is the first time that the black pigment neuromelanin has been detected in an organoid model. The study also revealed functionally active dopaminergic neurons.

The human midbrain, the brain’s information superhighway, controls hearing, eye movements, vision and body movement. It contains special dopaminergic neurons that produce dopamine — which carries out significant roles in executive functions, motor control, motivation, reinforcement, and reward. High levels of dopamine elevate motor activity and impulsive behaviour, whereas low levels of dopamine lead to slowed reactions and disorders like PD, which is characterised by stiffness and difficulties in initiating movements.

Also contributing to PD is a dramatic reduction in neuromelanin production, which accompanies the degeneration seen in patients, including tremors and impaired motor skills. This creation is a key breakthrough for studies in PD, which affects an estimated seven to 10 million people worldwide. Furthermore, there are people who are affected by other causes of parkinsonism. Researchers now have access to the tissue that is affected in the disease itself, and different types of studies can be conducted in the laboratory instead of through simulations or on animals. Using stem cells, scientists have grown pieces of tissue, known as brain organoids, measuring about 2 to 3 mm long. These organoids contain the necessary hallmarks of the human midbrain, which are dopaminergic neurons and neuromelanin.

Jointly led by Prof Ng Huck Hui from A*STAR’s Genome Institute of Singapore (GIS) and Assistant Prof Shawn Je from Duke-NUS Medical School, this collaborative research between GIS, Duke-NUS, and the National Neuroscience Institute (NNI) is funded by the National Medical Research Council’s Translational Clinical Research (TCR) Programme In Parkinson’s disease (PD) and A*STAR. Other collaborators are from the Lieber Institute for Brain Development, the Johns Hopkins University School of Medicine, and the Nanyang Technological University.

Assistant Prof Shawn Je from Duke-NUS Medical School’s Neuroscience & Behavioural Disorders Programme said, “It is remarkable that our midbrain organoids mimic human midbrain development. The cells divide, cluster together in layers, and become electrically and chemically active in a three-dimensional environment like our brain. Now we can really test how these mini brains react to existing or newly developed drugs before treating patients, which will be a game changer for drug development.”

Prof Tan Eng King, Research Director and Senior Consultant, Department of Neurology at NNI and Lead PI of the TCR Programme in PD, remarked, “The human brain is arguably the most complex organ and chronic brain diseases pose considerable challenges to doctors and patients. This achievement by our Singapore team represents an initial but momentous scientific landmark as we continue to strive for better therapies for our patients.”

GIS Executive Director Prof Ng Huck Hui said, “Considering one of the biggest challenges we face in PD research is the lack of accessibility to the human brains, we have achieved a significant step forward. The midbrain organoids display great potential in replacing animals’ brains which are currently used in research; we can now use these midbrains in culture instead to advance our understanding and future studies for the disease, and perhaps even other related diseases.”

A Famed Hacker Is Grading Thousands of Programs — and May Revolutionize Software in the Process

AT THE BLACK HAT cybersecurity conference in 2014, industry luminary Dan Geer, fed up with the prevalence of vulnerabilities in digital code, made a modest proposal: Software companies should either make their products open source so buyers can see what they’re getting and tweak what they don’t like, or suffer the consequences if their software failed. He likened it to the ancient Code of Hammurabi, which says that if a builder poorly constructs a house and the house collapses and kills its owner, the builder should be put to death.

No one is suggesting putting sloppy programmers to death, but holding software companies liable for defective programs, and nullifying licensing clauses that have effectively disclaimed such liability, may make sense, given the increasing prevalence of online breaches.

The only problem with Geer’s scheme is that no formal metrics existed in 2014 for assessing the security of software or distinguishing between code that is merely bad and code that is negligently bad. Now, that may change, thanks to a new venture from another cybersecurity legend, Peiter Zatko, known more commonly by his hacker handle “Mudge.”

Mudge and his wife, Sarah, a former NSA mathematician, have developed a first-of-its-kind method for testing and scoring the security of software — a method inspired partly by Underwriters Laboratories, that century-old entity responsible for the familiar circled UL seal that tells you your toaster and hair dryer have been tested for safety and won’t burst into flames.

Called the Cyber Independent Testing Lab, the Zatkos’ operation won’t tell you if your software is literally incendiary, but it will give you a way to comparison-shop browsers, applications, and antivirus products according to how hardened they are against attack. It may also push software makers to improve their code to avoid a low score and remain competitive.

“There are applications out there that really do demonstrate good [security] hygiene … and the vast majority are somewhere else on the continuum from moderate to atrocious,” Peiter Zatko says. “But the nice thing is that now you can actually see where the software package lives on that continuum.”

Joshua Corman, founder of I Am the Cavalry, a group aimed at improving the security of software in critical devices like cars and medical devices, and head of the Cyber Statecraft Initiative for the Atlantic Council, says the public is in sore need of data that can help people assess the security of software products.

“Markets do well when an informed buyer can make an informed risk decision, and right now there is incredibly scant transparency in the buyer’s realm,” he says.

Corman cautions, however, that the Zatkos’ system is not comprehensive, and although it will provide one indicator of security risk, it’s not a conclusive indicator. He also says vendors are going to hate it.

“I have scars to show how much the software industry resists scrutiny,” he says.

Software Seal of Approval

When Mudge announced on Twitter last year that the White House had asked him to create a cyber version of Underwriters Laboratories, praise poured in from around the security community.

No one knew the details, but people were confident if he was involved, it would be great.

“Excellent! Something everyone has talked about for decades!” the Def Con hacker conference tweeted after his announcement.

“That’s a concept that really could make a difference if executed well,” wrote Bruce Potter, founder of the Shmoo Group crypto-security collective, which runs the annual Shmoocon security conference.

Mudge has been tightlipped about the nature of the cyber UL ever since, but he agreed to discuss the details in advance of a talk he’s presenting next week at the Black Hat conference in Las Vegas.

He says the method their lab uses to evaluate software is based on one he taught NSA hackers in the 1990s about how to find the softest targets on an adversary’s network. (During his run back then with the famed hacker think tank L0pht Heavy Industries, Mudge and his L0pht colleagues regularly provided advice to various parts of the government.)

The technique involves, in part, analyzing binary software files using algorithms created by Sarah to measure the security hygiene of code. During this sort of examination, known as “static analysis” because it involves looking at code without executing it, the lab is not looking for specific vulnerabilities, but rather for signs that developers employed defensive coding methods to build armor into their code.

“To use the car analogy, does it have seatbelts, does it have air bags, does it have anti-lock brakes? All the things that are going to make [a hacker’s] life more difficult,” Mudge says.

The Zatkos say a code’s security hygiene, measured by the programming methods developers use, as well as by the tools and settings used to compile the resulting software, are good predictors of whether a software application will have serious security vulnerabilities and reliability issues.

Their algorithms run through a checklist of more than 300 items, such as whether the compiler used to convert the source code into binary inserted common protective features, like preventing portions of memory reserved for program data — the “stack” and “heap” — from being used to hold additional software.

“Things like ASLR [address space layout randomization] and having a nonexecutable stack and heap and stuff like that, those are all determined by how you compiled [the source code],” says Sarah. “Those are the technologies that are really the equivalent of airbags or anti-lock brakes [in cars]. They’re the things that make software better than it used to be.”

Modern compilers of Linux and OS X not only add protective features, they automatically swap out bad functions in code with safer equivalent ones when available. Yet some companies still use old compilers that lack security features.
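As an added example (not code from the article, and not CITL’s own tooling), here is a minimal static check of the compile-time “airbags” the Zatkos describe: it reads an ELF64 binary’s headers, without running the program, to see whether the build enabled PIE (so ASLR can relocate the image), a non-executable stack and RELRO. The two sample binaries are constructed in memory, and the 0–100 weighting is my own assumption, not the lab’s scoring.

```python
"""Static check of compile-time hardening in an ELF64 binary (added example).

Only little-endian ELF64 is handled. The sample images below are
constructed in memory and do not come from any real product; the
0-100 weighting is an assumption for illustration, not CITL's method.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3                   # e_type of a position-independent executable (ASLR can move it)
PT_GNU_STACK = 0x6474E551    # program header declaring the stack's permissions
PT_GNU_RELRO = 0x6474E552    # region the loader makes read-only after relocation
PF_X = 0x1                   # execute bit in p_flags

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # 64-byte ELF64 header
PHDR_FMT = "<IIQQQQQQ"          # 56-byte ELF64 program header


def check_hardening(data: bytes) -> dict:
    """Report PIE, non-executable stack and RELRO from the ELF headers alone."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # A binary with no PT_GNU_STACK entry is treated as lacking NX: on x86-64
    # Linux the loader then falls back to an executable stack.
    found = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)[:2]
        if p_type == PT_GNU_STACK:
            found["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            found["relro"] = True
    return found


def hygiene_score(found: dict) -> int:
    """Toy 0-100 score: each missing feature costs its weight (weights are my assumption)."""
    weights = {"pie": 40, "nx_stack": 40, "relro": 20}
    return sum(w for name, w in weights.items() if found[name])


def build_elf(e_type: int, phdrs) -> bytes:
    """Construct a minimal ELF64 image with the given (p_type, p_flags) program headers."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # 64-bit, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, e_ident, e_type, 0x3E, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed samples: one built the way a modern toolchain would, one like an old one.
HARDENED = build_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])  # PIE, rw- stack, RELRO
LEGACY = build_elf(2, [(PT_GNU_STACK, 0x7)])                              # ET_EXEC, rwx stack

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        found = check_hardening(image)
        print(f"{name}: {found} -> score {hygiene_score(found)}")
```

To try it on a real Linux binary, pass `open(path, "rb").read()` to `check_hardening` and compare the result with `readelf -l`.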

The lab’s initial research has found that Microsoft’s Office suite for OS X, for example, is missing fundamental security settings because the company is using a decade-old development environment to build it, despite using a modern and secure one to build its own operating system, Mudge says. Industrial control system software, used in critical infrastructure environments like power plants and water treatment facilities, is also primarily compiled on “ancient compilers” that either don’t have modern protective measures or don’t have them turned on by default.

Asked about the findings, a Microsoft spokesperson would only say, “We are focused on security as a core component in the software development process. We developed and are committed to the Security Development Lifecycle, and continue to lead the industry in creating the most secure products across all platforms.”

The Zatkos’ algorithms also assess the number of branches in a program; more branches mean more complexity and more potential for error. And they look at the presence of complex algorithms that could be susceptible to algorithmic complexity attacks.

The lab is also looking at the number of external software libraries a program calls on and the processes it uses to call them. Such libraries make life more convenient for programmers, because they allow them to repurpose useful functions written by other coders, but they also increase the amount of potentially vulnerable code, increasing what security experts refer to as the “attack surface.” There are about 200 specific external library calls, Mudge says, that are particularly difficult to implement in a manner that ensures a given program executes safely.

The process they use to evaluate software allows them to easily compare and contrast similar programs. Looking at three browsers, for example — Chrome, Safari, and Firefox — Chrome came out on top, with Firefox on the bottom. Google’s Chrome developers not only used a modern build environment and enabled all the default security settings they could, Mudge says, they went “above and beyond in making things even more robust.” Firefox, by contrast, “had turned off [ASLR], one of the fundamental safety features in their compilation.”

Mudge worked for Google previously, so some might accuse him of bias, but he says their algorithms, which have been vetted by an outside technical board, ensure that the automated assessments aren’t biased.

Software vendors will no doubt object to the methods they’re using to score their code, arguing that the use of risky libraries and old compilers doesn’t mean the vendors’ programs have actual vulnerabilities. But Sarah disagrees.

“If they get a really good score, we’re not saying there are no vulnerabilities,” says Sarah. But if they get a really low score, “we can guarantee that … they’re doing so many things wrong that there are vulnerabilities [in their code].”

The lab aims to prove such vulnerabilities with the second part of its testing regimen, which uses fuzzing, a method that involves throwing a lot of data at a program to see if it crashes or does something else it shouldn’t do.

“In actually executing it and crashing it, we’re confirming that, yes, this thing has bugs, this thing crashed,” Mudge says. “We were able to give it input and it behaved abhorrently.”

Not all crashes indicate the presence of a bug that hackers can exploit, but they do, at a minimum, indicate that a program may be unreliable for users. In the lab reports the Zatkos plan to make available to the public, they will note which crashes they found were potentially exploitable.

The Zatkos don’t plan to fuzz every program, only enough to show a direct correlation between programs that score low in their algorithmic code analysis and ones shown by fuzzing to have actual flaws. They want to be able to say with 90 percent accuracy that one is indicative of the other.

Mudge’s Storied Hacking History

Mudge has a long history in the hacker and security communities. While a member of L0pht, he and his L0pht colleagues testified to federal lawmakers in 1998 that the group could bring down the internet in 30 minutes using a serious flaw that still exists.

He also advised the Clinton administration on cybersecurity issues; was a program manager for DARPA’s Cyber FastTrack initiative, which offered fast-turnaround grants for short cybersecurity projects; and more recently, worked for Google’s Advanced Technologies and Projects Group, a sort of rapid-response skunkworks group, before leaving to launch the testing lab.

His interest in doing software security assessments dates back to a paper one of his L0pht colleagues wrote in 1998 about such evaluations. The idea moved from theory to practice when L0pht merged with a security startup called @Stake and began developing an automated way to do static analysis of code. That method became the basis for what a company called VeraCode does today: assess software for government and corporate clients before they buy it.

Chris Wysopal, CTO of VeraCode and a former L0pht colleague of Mudge’s, says clients generally won’t purchase software his company finds problematic until the software maker fixes the problems, which he says is great for other buyers.

“To me that’s like actually finishing the job; we’re not just pointing out the problems but helping make better software,” he says.

But these assessments are done privately and often on enterprise software, leaving the rest of the public with no way to assess the security of software and little leverage to force vendors to fix other poorly secured code. The Zatkos’ venture could fill that gap, Wysopal says.

Two years ago, Mudge says someone from the White House technology office approached him about helping to set up a government program to evaluate software. He had no interest in working inside the government and decided to set up a nonprofit instead. Although his tweet last year said the White House asked him to create the lab, the White House isn’t involved in his project.

Instead, with $600,000 in funding from DARPA, the Ford Foundation, and Consumers Union, he and Sarah set up the lab in the basement of their home. The outside technical board that vets their methodology and algorithms includes security notables such as former NSA hacker Charlie Miller; Dino Dai Zovi, a security engineer with Square; and Frank Rieger, CTO of the German firm GSMK, which makes the Cryptophone.

Vendors don’t pay for the evaluations. The Zatkos choose the software they evaluate and either buy it or obtain free evaluation copies from vendor websites. They’re examining both commercial software programs and open-source ones. For each software package they test, they produce three reports. The first, automatically generated by their algorithms, scores the software on a scale between 0 and 100. The second contains a detailed breakdown of what they found in the software and will be available for free on their website. The third report, which they plan to sell, will contain raw data from their assessments for anyone who wants to recreate them.

They’ve examined about 12,000 programs so far and plan to release their first reports in early 2017. They also plan to release information about their methodology and are willing to share the algorithms they use for their predictive fuzzing analysis if someone wants them.

There’s already a growing interest in their work. They’re working with Consumer Reports, another inspiration for the lab, to develop a way to use their data to evaluate products the magazine tests. They’ve also had interest from AIG and other insurers who want to use the data to do risk-assessments of companies seeking cyber insurance.

But there is at least one downside to scoring software like this: Attackers can use it to gauge where they should focus their energy to find vulnerabilities, targeting low-scoring applications. Lawyers will also likely want to use the data to assess liability for companies that get hacked. Did they install risky software on their network when a measurably more secure one was available?

Mudge says he’s not upset about the prospect of lawyers finding joy in their scores. “We’ve been begging people to give a shit about security for a decade. … [But] there’s very little incentive if they’ve already got a product to change a product. If you come out with a quantifier saying what you’ve got is not as secure as this other one, that’s going to be an incentive for them to go out and get the other one.”

Memory flash: can you teach creative writing?

It’s the age-old question: can creative writing be taught? To which the answer is invariably: well, yes, probably, a bit, to wildly varying degrees of success. To dismiss academic degrees, residential writing courses and writing guides outright is to deny budding writers from all social backgrounds a chance to have a go. Nevertheless, the best a teacher can do is inspire and encourage, or add finesse to any existing talent. Because the real work takes place alone in rooms, day after day, month after month, driven largely by delusional desire – a point D B C Pierre notes here. No one is born a writer: rather, you are shaped by experience, stimulus, ambition. You can’t teach hunger.

Nor is writing a science to be broken down to simple formulas, which can render “how to write” books problematic. The only fixed factor is that the novelist crawls to his or her desk to play God. Words are their weapons to be deployed in deadly combinations, and the imagination remains a largely unexplored planet, through which the writer wanders, treading a thin line between brilliant and batshit mental. “Crazy is good,” Pierre writes. “Fucking crazy is bad.”

Merging anecdote-driven theory with a freewheeling, maverick energy, Release the Bats offers a turbocharged manifesto of sorts that is fully in sync with Pierre’s established public persona of someone hitting his conversational stride halfway between his sixth and seventh sundowner. He is the raconteur still quoting Bukowski at the bar long after it has shut and the house lights have been turned on, wine-stained teeth bared, flecks of spittle and tobacco flying. This book has a similar effect: charming and insightful for a while, but prone to losing itself in its own digressional reveries.

Many points are valid, highly quotable and clearly derived from experience (“Write something down and keep doing it” is a necessary statement of the obvious), and his thoughts on the relationship between narcotics and creativity are unsurprisingly involved. “Tripping expands the writer, not the writing” is wisdom that any lysergic adventurer may want to bear in mind, but often such thoughts could be left at single sentences. A manual for writing, however informal, should not inspire the reader to want to edit it down to certain crucial, Brian Eno-style Oblique Strategies (which Pierre does for himself at the end via some “mind bites”), yet such is the case here. It drags in places, while some nuggets either seem wildly generalised or sound good on paper but may not work in practice, such as his belief that: “We can write like the people we won’t be for many years. Wisdom, altruism and microsensitivity can blow through a hangover.” If only, mate. If only.

It is difficult to tell at whom this book, delivered with an almost contractual air of urgency, is aimed. Pierre suggests it might be for those who wonder if they are writers, yet early on he advises people not to bother, as the odds of finishing a book are thousands to one. Or perhaps it is for those who sit in the front row at literary festivals, keen for a glimpse behind the curtain to see the hidden machinations of these word wizards, when in fact most writers’ works are more interesting than their process. It is for this very reason that films about novelists rarely succeed: because writing is merely the transference of thoughts into the physical realm. It’s not a spectator sport. Pierre acknowledges this several times over: “Locking yourself away in a crucible of secret frustration is where writing comes from.”

He is at his best when evoking scenes from his picaresque formative years as the young Peter Finlay in order to illustrate points about character or plot development, whether in descriptions of sailing the Pacific and Atlantic on a liner as a child or adventuring with a swashbuckling mob of wannabe bullfighters in Spain. It is in his recollections of his adolescence in Mexico City during the 1970s, living in an opulent house complete with staff, that Pierre’s writing most comes alive: “This easy-listening idyll of values never felt so safe again . . . this place of ambassadors and Weight Watchers, of positive thinking and Juicy Fruit gum, Erica Jong and varicose veins.” Such colourfully summoned biographical sections of places and lifestyles probably alien to many readers are of far greater impact than Pierre’s thoughts on literary theory. His life is so rich and mysterious that you rather wish he had committed fully to a memoir, instead of offering these beguiling, faded Polaroid-style glimpses.

Those elements of his past that the press found so fascinating after his 2003 Man Booker Prize victory – myth-fuelling rumours of vast debts, dodgy dealings and dalliances with drugs – surely comprise his best book yet. This is not it, but when it is written it will be a rip-snorter.

Release the Bats: Writing Your Way Out of It by D B C Pierre is published by Faber & Faber (304pp, £12.99)