April 9 – Corporate Open Source: Developing Industrial Software the Open Source Way – Vijay Gurbani

This information is also on the Chapter website at: http://chicagoacm.org/

A joint Chicago Chapter ACM / Loyola University Computer Science Department meeting

Corporate Open Source: Developing Industrial Software the Open Source Way

Speaker: Vijay Gurbani

Wednesday, April 9, 2014
5:45 pm – Social Time, light refreshments
6:30 pm – Presentation

Loyola University Water Tower Campus (Chicago/Michigan Area)

111 E. Pearson Street, Chicago IL 60611
Beane Ballroom (13th Floor, Lewis Towers)

Admission: Free, Reservations Requested, General Admission, open to the public. RSVP on the Chicago ACM meetup site.

Level the playing field for SAT prep

Exciting news: Khan Academy is partnering with the College Board so that all students who want to go to college can prepare for the SAT at their own pace, at no cost.

The College Board just announced that they’re redesigning the SAT for 2016, and we’re partnering with them to make free, world-class prep materials. Know anyone preparing for the SAT? Let them know:

By spring 2015, you’ll have access to state-of-the-art, interactive learning tools that give you deep practice and help you diagnose your gaps. All of this will be created through a close collaboration with the College Board specifically for the redesigned SAT. Stay tuned.

In the meantime, if you are taking the SAT in 2014/15, you can start practicing today with hundreds of previously unreleased Math, Reading, and Writing questions from real SATs and more than 200 videos that show step-by-step solutions to each question:

Learn more about our SAT prep

www.khanacademy.org/sat

International Women’s Hackathon 2014

If interested, Safia Abdalla from Northside Prep is organizing a team. You can reach her at seabdalla [at] gmail [dot] com.

April 25–27, 2014 | Worldwide on university campuses and live at the USA Science & Engineering Festival, Washington DC

The International Women’s Hackathon is a crowdsourcing event to empower young women leaders in computer science. By providing a fun and safe environment in which to explore computing, the hackathon encourages and supports university women around the world to become producers of future innovations in technology and help solve challenges in the world today. After much success last year and many requests to hold the event again this year, we are pleased to announce that the next event is planned for the weekend of April 25 to 27, 2014, on university campuses all over the world. We will connect via Skype from our live event at the USA Science & Engineering Festival with all worldwide sites during the hackathon.

We want to ensure that the 2014 hackathon meets the needs of university women. To that end, we enlisted the help of a group of NCWIT (National Center for Women & Information Technology) Aspirations in Computing winners to help us organize the upcoming hackathon and challenges, and re-examine the rules and regulations and the toolkit. Thank you to the leads and planning committee members:

Leads:

  • Halie Murray-Davis, Franklin W. Olin College of Engineering
  • Jinisha Patel, New Jersey Institute of Technology
  • Safia Abdalla, Northside College Preparatory High School

Team members:

  • Ashika Ganesh, West Windsor Plainsboro High School North
  • Aishwarya Borkar, San Jose State University
  • Diem-Nhi Tran, University of Texas at Dallas
  • Heather Huynh, University of Georgia
  • Kylie Moden, Trinity University
  • Nishtha Oberai, University of Colorado Boulder
  • Veronica Wharton, Rochester Institute of Technology

We are excited that the following nonprofit organizations are sponsoring this year’s challenges: UN Women, Hindsight Group, Boys & Girls Clubs of Calgary, and Teens Against Distracted Driving. This year, there will be a challenge focused on increasing the number of women in STEM fields and a challenge to stop people from texting while driving.

The event is supported by Microsoft Research, National Center for Women & Information Technology, Association for Computing Machinery Committee on Women, Institute of Electrical and Electronics Engineers Women in Engineering, UN Women, Hindsight Group, Boys and Girls Club of Calgary, Teens Against Distracted Driving, Million Women Mentors, Microsoft Bing for Schools, Microsoft Learning Experience, Microsoft Citizenship-Youth Spark, and Microsoft Skype.

Women’s Hackathon planning

Young women in computer science, electrical engineering, and informatics—as well as women student groups on university campuses around the world—are encouraged to host local hackathons. Last year, we had 14 events in 7 countries with more than 600 young women hacking computing solutions to help human trafficking victims. Many of them contacted local hacker spaces, computing communities, developers, and women’s organizations for support of their local event. The event was open to women of all skill levels—from those who haven’t programmed at all to the best women programmers out there. The individual worldwide hackathons helped inspire women to learn, invent, and create the future.

To help hosts plan their hackathon, we assembled the International Women’s Hackathon Kit, which provides useful information for event hosts like checklists, suggested schedule, sample menu, activities, the challenge projects, and judging guidelines. It also includes a customizable poster and email message that organizers can use to promote individual events to local university women. Event organizers may also choose to invite high school women.

We learned from last year that many young women want to start early, so we have included training materials and will give local hackathon organizers the option to have teams formed starting as soon as this month. Teams can plan, storyboard, and determine what they want to do and how they will go about building their solution. The only caveat is that no programming is allowed until the day of the event. Winners will be judged locally, and the winner of each challenge will have their application and pitch video published on the Microsoft Research website and the US Science and Engineering Festival website. We will provide a small gift for every participant. The winning teams receive Skype gift cards.

We look forward to the possibility of hundreds of events around the world as the future women innovators help us solve some big challenges! If you have any questions, feel free to contact Microsoft Research (e-mail: MSRWIC…).

Comcast Discount for Students and Families

See information below regarding a Comcast discount for students and their families:

  • The Comcast program allows families that meet the need requirements to get free Internet for 6 months and $9.95 a month after that, plus a low-cost computer for $149.99 + tax.
  • The sign-up window is between March 4 and March 18.
  • Your family may qualify for up to six months of complimentary Internet service if you apply and are approved for Internet Essentials, Comcast’s low-cost ($9.95 a month) Internet service.
  • To qualify, your household must meet all of these criteria:
      • Be located where Comcast offers Internet service
      • Have at least one child eligible to participate in the National School Lunch Program
      • Have not subscribed to Comcast Internet service within the last 90 days
      • Not have an overdue Comcast bill or unreturned equipment

Apply between March 4th and 18th at

  • 1-855-846-8376, or online at InternetEssentials.com
  • 1-855-SOLO-995, or online at InternetBasico.com (for Spanish speakers)

Choosing Secure Passwords

Author: Bruce Schneier

As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.

The best way to explain how to choose a good password is to explain how they’re broken. The general attack model is what’s known as an offline password-guessing attack. In this scenario, the attacker gets a file of encrypted passwords from somewhere people want to authenticate to. His goal is to turn that encrypted file into unencrypted passwords he can use to authenticate himself. He does this by guessing passwords, and then seeing if they’re correct. He can try guesses as fast as his computer will process them — and he can parallelize the attack — and gets immediate confirmation if he guesses correctly. Yes, there are ways to foil this attack, and that’s why we can still have four-digit PINs on ATM cards, but it’s the correct model for breaking passwords.

There are commercial programs that do password cracking, sold primarily to police departments. There are also hacker tools that do the same thing. And they’re really good.

The effectiveness of password cracking depends on two largely independent things: power and efficiency.

Power is simply computing power. As computers have become faster, they’re able to test more passwords per second; one program advertises eight million per second. These crackers might run for days, on many machines simultaneously. For a high-profile police case, they might run for months.

Efficiency is the ability to guess passwords cleverly. It doesn’t make sense to run through every eight-letter combination from "aaaaaaaa" to "zzzzzzzz" in order. That’s 200 billion possible passwords, most of them very unlikely. Password crackers try the most common passwords first.

A typical password consists of a root plus an appendage. The root isn’t necessarily a dictionary word, but it’s usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tested them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!," and so on. It recovered about a quarter of all passwords with just these 100,000 combinations.

Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: "$" for "s", "@" for "a," "1" for "l" and so on. This guessing strategy quickly breaks about two-thirds of all passwords.
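The root-plus-appendage model above can be turned around and used defensively: before accepting a password, estimate where it would fall in a cracker's guess order. The following is an added illustration, not Schneier's code and not any real cracking tool; the root and appendage lists are tiny constructed stand-ins for the roughly 1,000 roots and 100 appendages the article mentions, and two of the substitutions ("0" for "o", "3" for "e") are assumed additions to the three the article names.

```python
"""Rough model of the guess order described in the article, used to check
whether a candidate password falls in the cheap, early part of a session."""

# Constructed sample dictionaries: pronounceable "common password" roots and
# the short suffix/prefix strings the article lists.
COMMON_ROOTS = ["password", "letmein", "temp", "123456", "dragon", "piggy"]
COMMON_APPENDAGES = ["1", "4u", "69", "abc", "!", "123", "2014"]

# Substitutions from the article ("$" for "s", "@" for "a", "1" for "l") plus
# two assumed extras ("0" for "o", "3" for "e").
LEET = {"s": "$", "a": "@", "l": "1", "o": "0", "e": "3"}


def case_and_substitution_variants(word):
    """Yield the cased forms of `word`, then each with LEET substitutions."""
    cased = (word, word.capitalize(), word.upper())
    for w in cased:
        yield w
    for w in cased:
        yield "".join(LEET.get(c.lower(), c) for c in w)


def candidate_guesses():
    """Yield guesses in the order a cracker would try them under this model:
    bare roots first, then root+suffix (the 90% case), then prefix+root."""
    stages = (
        COMMON_ROOTS,
        [r + a for r in COMMON_ROOTS for a in COMMON_APPENDAGES],
        [a + r for r in COMMON_ROOTS for a in COMMON_APPENDAGES],
    )
    seen = set()
    for stage in stages:
        for word in stage:
            for guess in case_and_substitution_variants(word):
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def guesses_until_cracked(password, limit=200_000):
    """Return the 1-based guess number at which `password` falls, or None if
    it survives the first `limit` guesses of this model."""
    for n, guess in enumerate(candidate_guesses(), start=1):
        if n > limit:
            return None
        if guess == password:
            return n
    return None


if __name__ == "__main__":
    for pw in ["letmein", "P@$$w0rd", "Dragon123", "tlpWENT2m"]:
        print(f"{pw!r}: {guesses_until_cracked(pw)}")
```

A password that the model finds within a few hundred guesses is one the article's "quarter of all passwords" bucket would contain; one it never finds (such as the sentence-derived "tlpWENT2m" below) at least escapes this cheap first pass.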

Modern password crackers combine different words from their dictionaries:

What was remarkable about all three cracking sessions were the types of plains that got revealed. They included passcodes such as "k1araj0hns0n," "Sh1a-labe0uf," "Apr!l221973," "Qbesancon321," "DG091101%," "@Yourmom69," "ilovetofunot," "windermere2313," "tmdmmj17," and "BandGeek2014." Also included in the list: "all of the lights" (yes, spaces are allowed on many sites), "i hate hackers," "allineedislove," "ilovemySister31," "iloveyousomuch," "Philippians4:13," "Philippians4:6-7," and "qeadzcwrsfxv1331." "gonefishing1125" was another password Steube saw appear on his computer screen. Seconds after it was cracked, he noted, "You won’t ever find it using brute force."

This is why the oft-cited XKCD scheme for generating passwords — string together individual words like "correcthorsebatterystaple" — is no longer good advice. The password crackers are on to this trick.

The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has. Postal codes are common appendages. If it can, the guesser will index the target hard drive and create a dictionary that includes every printable string, including deleted files. If you ever saved an e-mail with your password, or kept it in an obscure file somewhere, or if your program ever stored it in memory, this process will grab it. And it will speed the process of recovering your password.

Last year, Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break as many as possible. The winner got 90% of them, the loser 62% — in a few hours. It’s the same sort of thing we saw in 2012, 2007, and earlier. If there’s any new news, it’s that this kind of thing is getting easier faster than people think.

Pretty much anything that can be remembered can be cracked.

There’s still one scheme that works. Back in 2008, I described the "Schneier scheme":

So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence — something personal.

Here are some examples:

  • WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
  • Wow…doestcst = Wow, does that couch smell terrible.
  • Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
  • uTVM,TPw55:utvm,tpwstillsecure = Until this very moment, these passwords were still secure.

You get the idea. Combine a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password. Of course, the site has to accept all of those non-alpha-numeric characters and an arbitrarily long password. Otherwise, it’s much harder.

Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them. Password Safe includes a random password generation function. Tell it how many characters you want — twelve is my default — and it’ll give you passwords like y.)v_|.7)7Bl, B3h4_[%}kgv), and QG6,FN4nFAm_. The program supports cut and paste, so you're not actually typing those characters very much. I'm recommending Password Safe for Windows because I wrote the first version, know the person currently in charge of the code, and trust its security. There are ports of Password Safe to other OSs, but I had nothing to do with those. There are also other password managers out there, if you want to shop around.

There's more to passwords than simply choosing a good one:

  1. Never reuse a password you care about. Even if you choose a secure password, the site it's for could leak it because of its own incompetence. You don't want someone who gets your password for one application or site to be able to use it for another.
  2. Don't bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don't change it.
  3. Beware the "secret question." You don't want a backup system for when you forget your password to be easier to break than your password. Really, it's smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
  4. One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It's almost certainly a security improvement.

Chicago PD Believes It Can See The Future, Starts Warning Citizens About Crimes They Might Commit

We’ve talked a lot over the years about the attempts to get out “ahead of crime” by using computer programs and algorithms to try and predict who might commit a crime. Predictive computing can then either target specific areas or specific people that might be in need of some extra law enforcement attention. Except as we’ve noted repeatedly, these programs are only as valuable as the data they use. Garbage in, garbage out, but in this case you’ve got a human being on the other end of the equation whose life can be dramatically impacted by law enforcement holding what they believe is “proof” that you’ll soon be up to no good.

With that in mind, there are growing concerns about efforts in Chicago to use predictive analytical systems to generate a “heat list” — a list of 400 or so individuals most likely to be involved in violent crime. The Chicago efforts are based on a Yale sociologist’s studies and use an algorithm created by an engineer at the Illinois Institute of Technology. People who find themselves on the list get personal visits from law enforcement warning them that they had better be nice. The result is a collision between law enforcement that believes in the righteousness of these efforts and those who worry that they could, as an EFF rep states, create “an environment where police can show up at anyone’s door at any time for any reason.”

Law enforcement and the code creators, as you’d expect, argue that it’s only the bad guys that need to worry about a system like this:

“A press liaison for the NIJ explains in an email: ‘These are persons who the model has determined are those most likely to be involved in a shooting or homicide, with probabilities that are hundreds of times that of an ordinary citizen.’ Commander Steven Caluris, who also works on the CPD’s predictive policing program, put it a different way. ‘If you end up on that list, there’s a reason you’re there.’”

Unless law enforcement makes a mistake, your data is wrong (which it often will be), or we decide to expand the program significantly, right? Another concern bubbling up in Chicago is that the programs are effectively using racial profiling to target already-troubled areas where crime naturally would be greater due to poverty, without anybody bothering to perform a deeper analysis of why those areas might be having problems (aka targeting symptoms, not disease):

“…how are we deciding who gets on the list and who decides who gets on the list?” (EFF staff attorney Hanni) Fakhoury asks. “Are people ending up on this list simply because they live in a crappy part of town and know people who have been troublemakers? We are living in a time when information is easily shareable and easily accessible,” Fakhoury says. “So, let’s say we know that someone is connected to another person who was arrested. Or, let’s say we know that someone’s been arrested in the past. Is it fair to take advantage of that information? Are we just perpetuating the problem?” He continues: “How many people of color are on this heat list? Is the list all black kids? Is this list all kids from Chicago’s South Side? If so, are we just closing ourselves off to this small subset of people?”

Chicago PD denies that there’s any “racial, neighborhood, or other such information” being used in their heat list calculations, but a FOIA request to actually confirm that was denied, under the pretense that releasing such information could “endanger the life or physical safety of law enforcement personnel or any other person.” So yeah, there’s great transparency at work here as well.

Predictive computing is excellent for a good many things, from improving traffic congestion to designing sewer networks, but calculating the future movements of highly complicated and emotional human beings is a bridge too far. It’s not particularly difficult to imagine a future where law enforcement (not always known for nuanced thinking or honest crime stat record keeping) starts using their belief in the infallibility of mathematics as the underpinnings for bad behavior, with the horrible experiences of the falsely accused dismissed as anecdotal experiences (“well shucks, most of the time the system is right, so its existence is justified”). It might just be time for a re-watch of Terry Gilliam’s Brazil with an eye on reminding ourselves what a simple clerical error can do to the Archibald Buttles of the world.