Data Mining 101 slides

I gave a presentation on data mining at B-Sides MSP this weekend. The video isn’t up yet, but I’ve decided to share the slides online. I’ll definitely be tinkering with these slides to make my next version of this talk even better. If you have any feedback on my talk, or know of some interesting information that I missed, tweet at me or send me an email.

National Security Letters and the USA Freedom Act

Several sections of the Patriot Act were allowed to expire at midnight on May 31, 2015, including the controversial Section 215, which allowed for government collection of bulk phone records, among other things. All indications are that the collection of bulk records will resume under the USA FREEDOM Act, but with slightly different verbiage which should allow for greater oversight. It’s not a perfect solution, but making small steps in the right direction is progress, especially in a politically-charged legislative environment (seems like things get done when Presidential Hopefuls take an interest in showcasing their “leadership” skills on certain issues).

Other reforms which are unrelated to Section 215 have also been introduced by the USA FREEDOM Act. One overlooked reform effort relates to the use of National Security Letters (NSLs) during government investigations.

In the past, when a government agency such as the FBI has requested documents or information from a person or entity, the request is accompanied by a gag order which prevent the person who received the letter from disclosing its existence. Over 300,000 NSLs have been issued since 2004, making them a powerful investigative tool which can be used without any judicial oversight. Nick Merrill was the recipient of one such NSL, and he was technically not allowed to tell anyone, even his lawyer, about it (he did anyway and successfully sued the US government). A group of librarians also sued the US government after receiving requests for information on library patrons with such a gag order attached.

The new provision still allows for these gag orders, but opens the door slightly wider for a challenge, as recipients are now allowed to share their existence with their lawyer. It’s disappointing to admit that a law which allows sharing information with a lawyer is considered progress, but it’s a reminder of how backwards some Patriot Act provisions are.

Of course, the USA FREEDOM Act does not solve the actual problem, which is that the FBI can still issue NSLs without any judicial oversight. Police are required to go to judges with evidence before they are issued a warrant. If the FBI is not held to a similar standard, NSLs essentially act as unsigned warrants which allow for unchecked power and the abuse that comes with it. I believe we should continue to fight for the abolition of NSLs, as all law enforcement actions need to be accountable. Even the President’s Review Group on Intelligence and Communications Technologies suggested that NSLs be subject to more stringent oversight (p. 89).

VPN Security Issue Can Reveal True IP

I use a Virtual Private Network (VPN) on a regular basis.  There are many reasons to do so.  It helps keep my true IP address concealed; all my internet traffic appears encrypted to the ISP.   If I need to use Wi-Fi at a coffee shop, I can do so without fear that the owner of the access point could be snooping on me.  Some internet content is also geographically restricted, and my VPN provides me a choice of where I want my internet traffic to originate from.

As it turns out, a wee bit of Javascript magic will convince a web browser to reveal the originating IP.  While I’m connected to my VPN (through their provided applet, but this also works with other connection methods), here is what Google reports as my IP address:

my IP address

When I visit a site that is using some STUN Javascript:

myIPSTUN

Yes, that 50.*.*.* IP address is mine.  As noted by that demo above, the request will not show up in dev consoles and privacy-related browser extensions will not block it either (aside from NoScript, which blocks all Javascript).  You can read more about this security problem.

But there is good news.  This problem does not affect any web browsers in OS X.  It appears to only impact Windows machines, and only the Firefox and Chrome browsers.  Of course, we want all browsers to be secure, so how to fix this?

If you’re on Windows and using Firefox, type “about:config” in the address bar, and set “media.peerconnection.enabled” to False.

If you’re on Windows and using Chrome, type “chrome://flags/” in the address bar and check “Disable WebRTC device enumeration.”

The superior way to fix this is to force all traffic to go through your VPN, but my skills with Windows Firewall are a bit lacking.  If you control your own physical firewall, you probably already have a good idea on how to force web traffic to go over port 1194 (OpenVPN) during VPN sessions.  Properly implemented, that should also plug this data leak.

I advise anyone who cares about privacy who is using Windows to take the above steps to fix the problem.  There are lots of people out there who want to track you so they can spy on you and sell you things.  Why make it easy for them?

ThreatPost also has more on this.

On the seriousness of car-bike accidents

This morning, I got hit by a car while biking northbound down Hennepin toward Loring Park.  Residents in my neighborhood will surely recognize this craptastic intersection:

Hennepin and Oak Grove

It was lightly raining, so I was going slower than usual and had my lights on.  I was actually feeling good because unlike most mornings, there weren’t any cars inching forward into the crosswalk (the green stripe in the above photo, which of course is now faded), which means it’s easy to get onto the ramp and into Loring Park.  There was no traffic in either of the two lanes on my left as I approached the intersection, so everything seemed fine.

Then, out of my peripheral vision, I see a car on my left speeding ahead, and I can see that it’s signaling for a right turn – right into where I’m about to be.  I didn’t have even close to enough time to brake (even if it weren’t raining, but especially because it was), and considering how fast they were going, this person was clearly intending to take that corner as fast as they could before I made it into the intersection.

They weren’t fast enough, and so as I’m yelling at the top of my lungs, my bike clips their rear quarter panel and I’m sent sprawling into the street.  She drives off, pretending not to have heard either me or the loud thump when my bike hit her car.

So I’m not hurt too bad (of course I’m wearing a helmet and decided to put on gloves before I left too), but I decide to call the cops to at least report the accident, seeing as it’s a hit-and-run.  I give dispatch my location and a description of the car and which way it was headed.

While I’m waiting for the cops to show up, apparently some City of Minneapolis van which was behind her manages to track her down and “inform” her of what happened.  So this young woman walks over to the intersection a few seconds before the cops show up and tells me that she was the one who hit me and that she’s really sorry.

So an officer shows up, and I explain what happened and he basically tells me that I need to be more careful because it’s raining.  Thanks!  Meanwhile, the girl who drove off after the accident but who returned to the scene after being “busted” by a city employee – the officer doesn’t even ask her name, and her car is parked way up the road, so he sure isn’t getting her license plate info either.  The cop asks her what happened first, and she says “I didn’t see him!”  After I explain my version of events, this changes a bit to “I was trying to speed up to get around him!”

But the officer doesn’t really care either way.  Which is fine for her because she needs to get going because she’s “late for an appointment.”  So the twenty-something blonde (EDIT: I used those words to inform the reader of potential bias, not to myself be sexist/blonde-ist/etc.) just leaves, while the driver of the van tries to explain to the officer that indeed *I* was somehow at fault.  He thinks that cyclists are supposed to follow the crosswalk signs, and because it was flashing orange (according to him, anyway – I distinctly remember it being white for “walk”), I shouldn’t have been in the intersection, and this whole thing is my fault.  The officer nods his head in approval and I decide to leave rather than argue.  Hopefully that city employee is not a transportation engineer.

So anyway, the moral of the story is apparently this: if you are involved in a hit-and-run with a cyclist and someone catches you, just return to the scene of the crime.  This time around, no police report was written with anyone’s name in it, she got no ticket and can continue to drive recklessly.   And if she hits another cyclist and speeds off, no one will be the wiser.

UPDATE (10/2): I went down to City Hall to find a copy of the police report that was filed for this.  There was none filed – apparently cars running over cyclists is not a serious enough incident to warrant a report.  So I filed a complaint against the officer.  Here’s the text of my complaint:

On the morning of October 1, 2014, I was travelling via bicycle in the bike lane northbound on Hennepin Avenue approaching Oak Grove Street. As I approached the intersection, a car behind me sped up to overtake me and to take a right-hand turn onto Oak Grove. The car entered the intersection at the same time that I did. I struck the rear quarter panel of the car and was thrown off my bike, sustaining minor injuries.

The car did not stop. I called 911 to report a hit-and-run. Another driver (driving a city of Minneapolis van) who was travelling northbound on Hennepin witnessed the event and pursued the driver involved in the accident. The driver who was involved in the accident walked back to the scene (after presumably being “informed” of the accident by the van driver), where she said that she was the one who hit me, and if she could do anything to help.

Moments later, Officer Collier arrived on the scene. He asked what happened and the woman who hit me said that she did not see me as she was turning. I also gave my version of events, which were largely the same, after which the woman claimed that she did see me but was speeding up to get around me. After this brief interaction, the woman was allowed to leave without offering her name, license, or license plate information, let alone be given a ticket for reckless driving or leaving the scene of an accident.

I was disappointed in this response by Officer Collier, who also informed me that I was actually the one who needed to be more careful. I know exactly how careful I need to be, as I bike through this intersection almost every day. It is because of reckless drivers like the one who hit me that I exercise extreme caution. That no ticket was given for endangering my life indicates that MPD approves of the status quo: drivers are free to do what they want, and that cyclists need to figure out how to stay out of the way. My views on this were reinforced by the officer’s unwillingess to question why the driver was fled the scene – I find it difficult to understand how someone could just continue driving after hearing an object strike their car.

It has also come to my attention that no police report has been filed in this matter. I think a police report should be filed when cars strike cyclists or pedestrians. I also do not think it’s wise policy to allow hit-and-run drivers to go free without consequences, even if they later return to the scene of the crime. If it weren’t for the motorist who tracked her down, she would have gotten away without consequences. (Though in this case, even after returning to the accident scene, she was able to avoid any consequences.)

I live less than one block away from where a cyclist was struck and killed earlier this year. The ghost bike memorial there is a daily reminder of the fragile nature of riding a bike alongside cars and trucks. I would like the Minneapolis Police Department to show better judgment and impose serious penalties for reckless drivers when responding to car-bike and car-pedestrian accidents.

Letter to NY Times public editor

I’m trying to get in the habit of cc’ing the internet when I write to institutions, so here’s an email I sent to the New York Times public editor.  I’ll update with any response I receive.

To the Public Editor,

I am writing today about “Eyes Everywhere”, a Sunday Book Review of Glenn Greenwald’s recent memoir.  I found it on the web and am unclear on whether it has been published in the paper or not.
My primary criticism, which I will keep brief, boils down to the fact that this writer is clearly biased against Mr. Greenwald.  While I appreciate the candor of the reviewer – no attempt to conceal the bias is made – perhaps there is someone else who could review the book who doesn’t have such an axe to grind?  His sweeping generalizations (“Greenwald quotes any person or publication taking his side in any argument”), defense of weak journalism practices (“It seems clear, at least to me, that the private companies that own newspapers, and their employees, should not have the final say over the release of government secrets, and a free pass to make them public with no legal consequences. In a democracy (which, pace Greenwald, we still are), that decision must ultimately be made by the government.”), and assertions that Greenwald has been reckless with his reporting are all examples of a lazy review.
For the record, I’m currently a little over halfway through the book, and while it’s just a memoir and might only be interesting to a small group of people, I don’t think a book review is an appropriate place for the New York Times to continue its criticisms of Mr. Greenwald.  Furthermore, I hope that the editors of theNew York Times do not share Mr. Kinsley’s views regarding the role of journalism in modern society.  Expecting transparency from government institutions without the ability for journalists to publish government documents is a hopelessly naive position to take.

Open Letter to Katie Sieben on Ranked-Choice Voting (RCV)

I wrote an email to Senate Subcommittee Chair on Elections Katie Sieben (sen.katie.sieben at senate dot mn), and I encourage you to do the same if you want to encourage the possibility of ranked-choice voting in cities across Minnesota:

I was disappointed to read your quote in the Star Tribune editorial about ranked-choice voting.  Obviously your position means more than more others, as you are the Chair of the Senate Subcommittee on Elections.  Ranking preferences of candidates is not “too complicated” for voters.  In fact, it’s much easier than deciding whether to vote for the candidate I really want, or to vote for the candidate who is most likely to defeat someone I want out of office.  *That* creates a much more complicated scenario than it needs to be!

All cities in Minnesota should at least have the option of exploring whether RCV would work for them.  There must be a stronger argument against RCV than “it’s too complicated” and I would like to hear it.  Even grade schoolers know how to rank things.

One reason I am writing this letter today is the dismal turnout (six percent) at yesterday’s primary for Hennepin County Commissioner.  While it will always be challenging to encourage turnout at off-year primaries for special elections, RCV would eliminate the primary and allow Minnesotans to vote just once for important positions.  Minneapolis proved last year that RCV is a smart way to handle elections when many candidates are seeking office.

Please reconsider your position on ranked-choice voting.