Wednesday, February 1, 2012

A Spam Tweet That'll Crash Twitter App

I saw something I have never seen before today. No, it's not unusual to get "@ replies" from Spambots after I've been retweeted or mentioned something like Yoga, Women or iPhone on Twitter - I've seen that a thousand times. (As an aside, how does Twitter not auto-recognize an account that has no followers and only sends @replies as spam?)

But, today after I tweeted about my support for Planned Parenthood in the midst of the Susan G. Komen foundation dropping funding for mammograms and breast exams at Planned Parenthood - I was retweeted.

I then got a bunch of spam followers and a few spammy @replies. As per usual, I clicked on the tweets, selected the various user names and reported them as spam.

But that didn't work for one tweet. It looked like this on my Twitter App on my iPhone:

[Image: Twitter spam]

Every time I clicked on it, the app crashed. When I looked at it on my desktop computer, it looked like this:

[Image: Screen shot 2012-02-01 at 7.12.04 PM]

Not the first time I've seen this type of tomfoolery on the Internet, but the first time I've seen a tweet that will crash the Twitter app.

Monday, November 21, 2011

Joining the Lyric Carolers this year!

As I'm not quite up to dancing, yet, I was excited to find another venue for getting to perform - The Lyric Carolers!

The Lyric Theatre typically performs Gilbert and Sullivan light operas, or other similar period type pieces, but what to do after their fall show closes and their spring show opens? Why, sing holiday carols!

I successfully auditioned and joined the group this year. What an honor to be with such amazing singers! I even have a wonderful Victorian costume and bonnet to wear for the season. The bonnet's got a bird on it. Yes, a bird! :-)

We're still available for booking large groups of singers and small. Whether you're looking for a simple quartet to lighten up your holiday party, or the full choir for your corporate event - we can do it all!

To book, simply fill out the booking form, or send mail to ask any questions.

All proceeds go to supporting the theater's regular efforts.

Friday, November 11, 2011

GHC: Anita Borg Social Impact Award Winner

This year's ABI Social Impact Award winner is Anne Ikiara, from NairoBits.

What If More African Women Had More Access and Use of ICT Skill?

Anne Ikiara started the talk by telling us about her background as an African woman, not unlike others. She was the youngest of ten children - 6 brothers and 3 sisters. Once men are circumcised, they no longer do chores. And these aren't like American chores you give children. Ikiara had to cook. To cook, she first had to go to the forest and get firewood. Then she had to go to the well and pump water. Nothing is simple.

Forty percent of the women do not have access to any education - they aren't even functionally literate. If you cannot read or write, how can you possibly interact with technology? There is so much violence against women that just surviving is their number one task. The only time you can get online is to go to a cyber cafe, usually a long walk, which a woman can only do after she's finished her house work, and sometimes at great peril.

Making matters worse, as soon as a young girl starts to develop breasts, she can be married - as young as eight years old - to a man as old as eighty. How can she get an education then?

Still today, in Africa, women are discouraged by their teachers from pursuing math and science.

Women do 80% of the agricultural work, but only own 5% of the land. Nearly 50% of women in sub-Saharan Africa are married by the time they turn 18!

Ikiara was lucky and didn't marry until she was 22 and her husband didn't rush her to have children. Her mother, and others, thought there must be something wrong with her, that she needed a doctor, as she hadn't had any children by the age of 26. So much pressure to just be a mother.

A recent contested political election resulted in riots - most of the dead were women.

Women in Africa need more access to education, more role models, more equality!

What has Nairobits done? They target youth from non-formal settlements - very impoverished people. No running water, living 10 people in a 10x10 shack, etc.

Originally this started in Nairobi and was meant to be a one time event - but the interest was so overwhelming, they needed to do more.

In order to encourage women, they accept much older girls and have flexible times to come for the training. They know these 16 year olds, many of them are mothers, cannot commit to 8AM-5PM for training. Nairobits asks the girls when they can come for training, and works with that.

This type of training is now being replicated in Uganda, Tanzania, Zanzibar and Ethiopia. Nairobits has trained more than 6,000 youths, mostly women, in Kenya alone.

Training starts slow - they may have to introduce the youths to things like indoor plumbing. What a different world. Can you imagine?

Continuing this is difficult, as donor funding is down, and there is an overwhelming need for services. So many students have to be turned away.

Nairobits has centers where the students can come and use their skills after their graduation and get access at times convenient for them.

I had to ask Ikiara how she got out of this poverty: her brother. One of her brothers recognized that she was smarter than he was, and was able to get her into boarding school where she had six years to learn in peace, with no house work. She has taken this gift, and is passing it on to others. The women she trains in technology, they, too, tell others.

The women who are trained can then get real jobs and increase the financial well being of their entire family, so parents, in the end, are usually very happy to have an educated daughter.

The most limiting thing for Nairobits is money. They need sponsors, they need funds. To put one student through six months of training - it merely costs 10,000 Kenyan Shillings - $107 USD.

This post syndicated from Thoughts on security, beer, theater and biking!

GHC: Anita Borg Denice Denton Emerging Leader Award Winner

This year's ABI Denice Denton Emerging Leader award winner is Tiffani Williams from Texas A&M University.

Discovering Relationships in the Tree of Life

Dr. Williams has been studying phylogenetic trees to discover relationships. She opens with the example of the dentist in Florida in 1990 that gave HIV to one of his patients. Even though HIV can mutate from person to person, phylogenetic trees can show the source of the virus and could prove that the dentist did indeed give the virus to his patient. It was also used in a court case to identify a man that intentionally gave HIV to 6 women - he is deservedly spending the next 70 years in prison.

Some more work in this area is used for studying big cats - to see which cats are most related. For example, the lion, leopard, jaguar, tiger and snow leopard are part of the same group, but the clouded leopard is not. By studying this, they can try to help save the species.

Dr. Williams did a great job showing that some of the most interesting work is cross-disciplinary - you need computer science, genetics and statistics to help save species!

But, these trees can be very large, expensive to store and impossible to easily transfer. Compressed files help, but you might lose useful data.

Storage is cheap, in theory, but upgrading and adding storage to your laptop is not easy and sometimes simply not possible.

Phylogenetic trees are represented in Newick formatting, a notation based on balanced parentheses. Something like this: (((A,B),D),C,(E,F)); It was actually pretty clear when Dr. Williams used the laser pointer :-)

The problem: one simple phylogenetic tree can have 32 Newick patterns! This makes it hard to both compress and identify relationships. Dr. Williams came up with a way to store a unique tree as a unique binary code - then a simple hash algorithm can identify related trees.

The hash table can be further compressed with shorthand, like a special symbol that means "all trees have this relationship", and another for relationships when there are fewer items that share a relationship that do. And this can all be compressed using Tree Zip and stored in plain text!
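
The idea above, that one tree has many Newick spellings but can be reduced to one binary code and then hashed, can be sketched as follows. This is an added example, not code from the talk or from Tree Zip: it assumes trees are compared as unrooted topologies and encodes each internal branch as a bit string over the sorted leaf names, which may differ from the encoding Dr. Williams presented, and all function names are hypothetical.

```python
# Added example. Assumption: trees are compared as unrooted topologies.
import hashlib
import json

def parse_newick(text):
    """Parse Newick into nested lists of leaf names (lengths/labels ignored)."""
    s = text.strip()
    if not s.endswith(";"):
        raise ValueError("Newick string must end with ';'")
    s = s[:-1]
    pos = 0

    def label():
        nonlocal pos
        start = pos
        while pos < len(s) and s[pos] not in "(),":
            pos += 1
        return s[start:pos].split(":")[0].strip()

    def node():
        nonlocal pos
        if pos < len(s) and s[pos] == "(":
            pos += 1
            children = [node()]
            while pos < len(s) and s[pos] == ",":
                pos += 1
                children.append(node())
            if pos >= len(s) or s[pos] != ")":
                raise ValueError("unbalanced parentheses at offset %d" % pos)
            pos += 1
            label()  # skip an optional internal label or branch length
            return children
        name = label()
        if not name:
            raise ValueError("missing leaf name at offset %d" % pos)
        return name

    tree = node()
    if pos != len(s):
        raise ValueError("unexpected text at offset %d" % pos)
    return tree

def leaf_names(tree):
    if isinstance(tree, str):
        return [tree]
    return [name for child in tree for name in leaf_names(child)]

def tree_code(text):
    """Return (taxa, bit strings), one bit string per informative branch."""
    tree = parse_newick(text)
    taxa = sorted(leaf_names(tree))
    if len(set(taxa)) != len(taxa):
        raise ValueError("duplicate leaf name")
    bit = {name: 1 << i for i, name in enumerate(taxa)}  # lowest bit = first taxon
    full = (1 << len(taxa)) - 1
    found = set()

    def walk(node):
        if isinstance(node, str):
            return bit[node]
        mask = 0
        for child in node:
            mask |= walk(child)
        # Normalise to the side without the first taxon, so the code does
        # not depend on child order or on where the tree was rooted.
        norm = mask ^ full if mask & 1 else mask
        if bin(norm).count("1") >= 2 and bin(norm ^ full).count("1") >= 2:
            found.add(norm)
        return mask

    walk(tree)
    return taxa, [format(m, "0%db" % len(taxa)) for m in sorted(found)]

def tree_hash(text):
    """SHA-256 of the canonical code: equal topologies, equal digests."""
    return hashlib.sha256(json.dumps(tree_code(text)).encode()).hexdigest()
```

Two Newick strings that differ only in child order or rooting produce the same digest, so a plain hash table keyed on `tree_hash` groups them; a string with an extra closing parenthesis is rejected by the parser instead of being silently truncated.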

As much fun as compression is, Dr. Williams advises against using it on humans - we don't like to be compressed into a group, especially when it comes to negative stereotypes.

I learned so much today - I'd love to take an entire class from her!

GHC: Plenary Session: Partnering with Executive Leaders for Shared Vision and Career Growth

The plenary sessions always seem a bit mislabeled to me - this one is about partnering in executive leadership, and, yes, there are executive type people on the panel - but their advice is actually useful in any level of your career.

Moderator: Linda Apsley (Microsoft)

Panelists:

Microsoft Partnership: Bill Laing and Betsy Speare

CA Technologies Partnership: Gabby Silberman and Carrie Gates

Harvey Mudd College Partnership: Maria Klawe and Christine Alvarado

Bill Laing and Betsy Speare started out the discussion by introducing each other. At first I thought this was odd, as most people can introduce themselves the best, right? But, it was so interesting to hear the words they chose to describe each other - much more glowing than most people would use for themselves.

Both Laing and Speare again reiterate that if you're seeking advancement, you need a sponsor. And sponsors and mentors are not the same thing. When looking for a sponsor, you need to choose someone you admire and who has something that you want (skills, connections, etc). But, you can't just say, "Hey, be my sponsor!" Laing suggests also looking for people you can have an authentic connection with, as that will be the most successful advocate for you.

Maria Klawe, President and Professor at Harvey Mudd, and Christine Alvarado, Assistant Professor at Harvey Mudd, met when Klawe joined Harvey Mudd as president. Alvarado was surprised to discover that Klawe had already heard about her, a measly second year associate professor. Klawe had heard of Alvarado, because of her energy and the women's programs she was starting.

When Alvarado joined Harvey Mudd in 2005, their CS department was only 12% women - not unlike the rest of the US. Between her efforts, and Klawe putting them in overdrive when she joined, they are now up to 40% women!

Some of the things that they do - they bring first year undergraduates to this conference, even non-CS majors. This encourages more women to join the department and helps to retain them, as they are able to build a network.

Silberman and Gates go all the way back to when Gates was still in school, and they kept in touch. When he wanted to hire her, they actually met up at TGI Fridays in an airport. He hired Gates and has been her sponsor ever since.

Gates wanted to make it clear that Silberman wasn't just watching her and taking her to the next promotion level - she asked him. Now she's a Distinguished Engineer at CA Technologies, but quipped that she's still not sure what she wants to do when she grows up. ;-)

An observation from the panel was that men and women don't necessarily think differently, but they do tend to act differently. Men have been conditioned since they were 5 to show off and try to top everyone around you. Some professors can find that type of thing annoying, when a student is constantly trying to one up them - but they are certainly noticed.

Speare recommends She Wins, You Win : The Most Important Rule Every Businesswoman Needs to Know and Overcoming the Five Dysfunctions of a Team: A Field Guide for Leaders, Managers, and Facilitators (J-B Lencioni Series), to learn more about fixing your teams and fixing them with women. :-)

A question from the audience asked about how you prevent things from looking like favoritism. Laing said this is why he recommends finding a sponsor that is not in your direct reporting line of management - they could even be at a different company! Another panelist noted that this is a reason to have more than one sponsor.

Klawe notes that she'll mentor just about anyone she has time for, but will only sponsor people that she truly believes in, so that when she tells everyone about the sponsored accomplishments, nobody will be able to deny the value of it.


GHC: Anita Borg Change Agent Winners

This year's ABI Change Agent award winners are Marita Cheng (Robogals) and Judith Owigar (Akirachix). It's unusual to see two winners, but these young women are so fascinating, I can see how they got two!

The Small Victories
Presenter: Marita Cheng (Robogals)

Marita Cheng graduated in the top 0.2% in her country from high school, and was sought after by many schools. Her parents wanted her to go into medicine, so she'd have a nice, steady job. Cheng wasn't interested, though, so she found she couldn't answer any of the questions during her biology review - but the reviewer did suggest she follow her passion, engineering, instead of what her parents wanted her to do.

So, her career as an engineering student began. Cheng only knew two other girls from her small home town entering engineering, and thought this must just be because she was from a small town. That view was shattered when she actually arrived at school and couldn't find any women.

Cheng surveyed friends and others to try to figure out why this was. Through all her research, she discovered that middle school aged girls are not getting enough exposure to engineering - and Robogals began!

Cheng and her volunteers started teaching 10-14 year old girls how to build robots using the Lego Mindstorms during Australian school holiday in July.

Robogals now has 17 chapters in 6 countries, has taught over 3000 girls about engineering and uses 1000 student volunteers.

Why 10-14 years old? It's the best time to capture their interest so that they still have enough time to get the right pre-requisites to explore engineering in university.

The charity is fully student run! Right now just in Australia and New Zealand, UK and Europe - will be expanding to the US in 2012.

And, yeah, Cheng is still a student, too! Wow!

Where Did All the Girls Go?
Presenter: Judith Owigar (Akirachix)

Judith Owigar is from Nairobi and, while studying in Kenya, discovered a great dearth of other African women studying engineering and she wanted to fix this.

Africa really lacks infrastructure - no land lines, DSL, etc. Mobile phone technology has really changed the picture - giving more people a chance to connect in Africa.

In Kenya alone, they have 25 million mobile subscribers (64% of the population), and 12.5 million Internet users - mostly accessed via mobile phones. So, anything AkiraChix wants to do needs to be accessible via mobile phones.

The organization seeks women already in tech to train them to do outreach, give them networking opportunities and set them up with high school girls that they can mentor.

Owigar believes that having more technical women in Africa can help end poverty. Education is the key to a successful life ahead. I've heard so many other people talk about this - more educated women have more control over how many children they have and their ability to feed and educate their children. That's how you end the cycle!

AkiraChix has been training high school girls in Java - and some of their former students are already developing software for Android!

Owigar is seeing more results, girls are forming tech businesses, going into new higher paying jobs, more confident, expanding their network and staying in tech.

Both really inspired me! Small changes are making a big difference already!


Exciting Crypto Advances with the T4+ processor and Oracle Solaris 11

I'm sure you all heard about the T4 launch in September, announcing the latest and greatest in the SPARC hardware line. These systems add a number of new features, but I'm going to focus on the ones that are related to cryptography.

UPDATE 4/2016: Everything in this document additionally applies to Oracle Solaris 11.1, 11.2, and 11.3, and all of the Oracle SPARC chips we've released since T4! This includes our latest launch of Oracle SPARC M7/T7. While the underlying crypto instructions have been very stable, we have, of course, continued to tune performance and tweak mode support. Since 11.2 we have additionally supported Camellia, which is also optimized by Oracle SPARC T4 and newer platforms! I've updated the document throughout to note T4+.

The Cryptographic Framework feature of Oracle Solaris was first included with Oracle Solaris 10. Our focus was always to provide highly optimized algorithms to the rest of Oracle Solaris, so that the entire operating system could take advantage of the best cryptographic performance available.

At the time of the initial release of Oracle Solaris 10, there were no standard CPUs with cryptographic cores, but as the SPARC T series chips were developed, we always made sure to have a driver plugged into the Cryptographic Framework that would give the Cryptographic Framework consumers access to these devices.

But things have changed with T4+. These chip sets have made crypto a part of the core instruction set, accessible via nonprivileged instructions. That means there are no drivers required to enable hardware assistance for cryptographic operations. Applications access these instructions just like any other basic CPU instruction. That's right, crypto is now just a basic service provided by the CPU.

What does this mean? Well, before, in order for an application to access hardware crypto on a T3 system, the stack would look something like this: application -> libpkcs11 -> pkcs11_kernel -> IOCTL interface -> n2cp (7D) -> hypervisor -> crypto unit.

Now the stack will look more like this: application -> libpkcs11 -> pkcs11_softtoken -> CPU.

The one notable exception for this is the hardware random number generator (HW RNG), which still is only directly accessible via hyper-privileged registers through the n2rng driver. You can access this via /dev/random and /dev/urandom, as well as through the Cryptographic Framework's libpkcs11. See random(7D), n2rng(7D), and libpkcs11(3LIB) for more details.

With all of these changes, we're able to even more highly optimize the performance of cryptography on Oracle Solaris 11 and newer.

Algorithms Included

A primary goal of the Cryptographic Framework is to provide Oracle Solaris with highly optimized algorithms, and we made no exception for this release.

In Oracle Solaris 10 Update 10 (08/11), AES, DES, DES3, MD5, SHA1, SHA2 (SHA256, SHA384, SHA512), RSA, and DSA are all accelerated by T4+ crypto instructions for all supported modes of operation. To access these via libpkcs11 (3LIB), you'd use the standard PKCS#11 mechanisms listed below [1].

If you additionally download patch 147159 for Oracle Solaris 10 Update 10, you'll get further optimizations for AES-ECB, AES-CBC, AES-CTR, AES-CFB128, and MD5, SHA1, and SHA2.

In Oracle Solaris 11, we have all of those optimizations, plus optimizations for DES and 3DES, as well as optimizations and support for AES-CCM and AES-GCM.

To access these optimizations on Solaris 11, you need change nothing. We've made all of the code changes necessary in the Cryptographic Framework for you. Your applications that use the Cryptographic Framework (see Consumers section below for many examples), will take advantage of our optimizations and the T4 hardware right out of the box.

OpenSSL engine

UPDATE 4/2016: The OpenSSL T4 engine no longer exists, since our friends at OpenSSL have inlined all of the T4+ instructions into the main source tree! Thank you! Misaki wrote up a great blog describing this.

In Oracle Solaris 11 on a T4 system, you'll notice a new OpenSSL engine called t4. The t4 engine allows OpenSSL to access the optimized T4 crypto instructions directly, without needing to go through PKCS#11. The t4 engine is on by default, if the processor below supports those instructions. Nothing for you to do.

If you're still running Oracle Solaris 10 Update 10, you'll still need to set up your application to go through the pkcs11 engine, and make sure you apply patch 147707.

For example, if you're using Apache Web Server on Oracle Solaris 10 Update 10, or on Oracle Solaris 11 (in order to get the RSA accelerations) you'll need to set this line in your ssl.conf:
SSLCryptoDevice pkcs11

Consumers and Performance

The consumers of the Cryptographic Framework include: ZFS, IPsec, IKE, Kerberos (user and kernel), libsasl, KSSL (in Kernel SSL), OpenSSL, SSH, Java JCE, libsnmp, lofi(7D), and the Oracle DB (11.2.0.3), as well as anything that accesses libpkcs11(3LIB).

Just a note about Java: T4 and newer processors are treated the same way as on T2, T3 and Intel - you need to go through the Java JCE provider. UPDATE 4/2016: Java has started taking advantage of SPARC T4+ crypto acceleration directly. Currently in JDK8u40, Java accelerates generic AES, SHA1 and SHA2. Keeping up-to-date on JDK8 patches will provide the best out-of-the-box performance.

And the Oracle Database? Uses our optimized T4 functions right out of the box (v 11.2.0.3 and newer).

Do you want to see just how much our performance optimizations get you on T4? Click on any of the hyperlinked consumers above to see their specific performance gains on T4, or navigate on over to BestPerf to see the latest and greatest numbers.


With the exception of the extra steps required on Oracle Solaris 10 Update 10 for OpenSSL to obtain access to the optimized functions that use the T4+ instructions, there is nothing for the administrator to do to get access to this acceleration. It simply works right out of the box.

How do I know if I'm using this?

Accessing these instructions does not require a driver, so there are no kstats to indicate how often any of these instructions are being used. At this time, it is not possible to obtain data from the Operating System regarding execution counts for nonprivileged cryptographic instructions.

UPDATE 4/2016: There is a hardware counter, but it also includes a bunch of floating point operations. Dan Anderson wrote a blog about detection that has been updated since we removed the OpenSSL T4 engine (in favor of simpler inlined instructions).

[1] PKCS#11 mechanisms used for accessing T4+ crypto instructions via libpkcs11 (3LIB) in Oracle Solaris 10 Update 10 and Oracle Solaris 11:

CKM_DES_CBC, CKM_DES_CBC_PAD, CKM_DES_ECB, CKM_DES_KEY_GEN, CKM_DES_MAC_GENERAL, CKM_DES_MAC, CKM_DES3_CBC, CKM_DES3_CBC_PAD, CKM_DES3_ECB, CKM_DES2_KEY_GEN, CKM_DES3_KEY_GEN, CKM_AES_CBC, CKM_AES_CBC_PAD, CKM_AES_ECB, CKM_AES_KEY_GEN, CKM_BLOWFISH_CBC, CKM_BLOWFISH_KEY_GEN, CKM_SHA_1, CKM_SHA_1_HMAC, CKM_SHA_1_HMAC_GENERAL, CKM_SHA256, CKM_SHA256_HMAC, CKM_SHA256_HMAC_GENERAL, CKM_SHA384, CKM_SHA384_HMAC, CKM_SHA384_HMAC_GENERAL, CKM_SHA512, CKM_SHA512_HMAC, CKM_SHA512_HMAC_GENERAL, CKM_SSL3_SHA1_MAC, CKM_MD5, CKM_MD5_HMAC, CKM_MD5_HMAC_GENERAL, CKM_SSL3_MD5_MAC, CKM_RC4, CKM_RC4_KEY_GEN, CKM_DSA, CKM_DSA_SHA1, CKM_DSA_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_X_509, CKM_MD5_RSA_PKCS, CKM_SHA1_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE, CKM_MD5_KEY_DERIVATION, CKM_SHA1_KEY_DERIVATION, CKM_SHA256_KEY_DERIVATION, CKM_SHA384_KEY_DERIVATION, CKM_SHA512_KEY_DERIVATION, CKM_PBE_SHA1_RC4_128, CKM_PKCS5_PBKD2, CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN, CKM_SSL3_MASTER_KEY_DERIVE, CKM_TLS_MASTER_KEY_DERIVE, CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_MASTER_KEY_DERIVE_DH, CKM_SSL3_KEY_AND_MAC_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, CKM_TLS_PRF.

UPDATE 4/2016: As of Oracle Solaris 11.2, we also include the following hardware assisted mechanisms:  CKM_CAMELLIA_CBC, CKM_CAMELLIA_CBC_PAD, CKM_CAMELLIA_CTR, CKM_CAMELLIA_ECB, CKM_CAMELLIA_KEY_GEN.
