Facebook’s Offensive Advertising Profiles

Avatar
by Lisa
As a programmer, I assumed Facebook used some sort of statistical analysis to generate advertising categories based on user input rather than employing a marketing group. A statistical analysis of the phrases being typed is *generally* an accurate reflection of what people type, although I’ve encountered situations where their code does not appropriately weight adjectives (FB thought I was a Trump supporter because incompetent, misogynist, unqualified, etc didn’t clue them into my real beliefs). But I don’t think the listings causing an uproar this week were factually wrong.
 
Sure, the market segment name is offensive; but computers don’t natively identify human offense. I used to manage the spam filtering platform for a large company (back before hourly anti-spam definition updates were a thing). It is impossible to write every iteration of every potentially offensive string out there. We would get e-mails for \/|@GR@! As such, there isn’t a simple list of word combinations that shouldn’t appear in your marketing profiles. It would be quite limiting to avoid ‘kill’ or ‘hate’ in profiles too — a group of people who hate vegetables is a viable target market. Or those who make killer mods to their car.
 
FB’s failing, from a development standpoint, is not having a sufficiently robust set of heuristic principals against which target demo’s are analysed for non-publication. They may have considered the list would be self-pruning: no company is going to buy ads to target “kill all women”. Any advertising string that receives under some threshold of buys in a delta-time gets dropped. Lazy, but I’m a lazy programmer and could *totally* see myself going down that path. And spinning it as the most efficient mechanism at that. To me, this is the difference between a computer science major and an information sciences major. Computer science is about perfecting the algorithm to build categories from user input and optimizing the results by mining purchase data to determine which categories are worth retaining. Information science teaches you to consider the business impact of customers seeing the categories which emerge from user input. 
 
There are ad demo’s for all sorts of other offensive groups, so it isn’t like the algorithm unfairly targeted a specific group. Facebook makes money from selling advertisements to companies based on what FB users talk about. It isn’t a specific attempt to profit by advertising to hate groups; it’s an attempt to profit by dynamically creating marketing demographic categories and sorting people into their bins.
This isn’t limited to Facebook either – any scenario where it is possible to make money but costs nothing to create entries for sale … someone will write an algorithm to create passive income. Why WOULDN’T they? You can sell shirts on Amazon. Amazon’s Marketplace Web Service allows resellers to automate product listings. Custom write some code to insert random (adjectives | nouns | verbs) into a template string then throw together a PNG of the logo superimposed on a product. Have a production facility with an API to order, make the product once it has been ordered, and you’ve got passive income. And people did. I’m sure some were wary programmers – a sufficiently paranoid person might even have a human approve the new list of phrases. Someone less paranoid might make a banned word list (or even a banned word list and source one’s words from a dictionary and look for the banned words in the definition too). But a poorly conceived implementation will just glom words together and assume something stupid/offensive just won’t sell. Works that way sometimes. Bad publicity sinks the company other times.
 
The only thing that really offends me about this story is that unpleasant people are partaking in unpleasant conversations. Which isn’t news, nor is it really FB’s fault beyond creating a platform to facilitate the discussion. Possibly some unpleasant companies are targeting their ads to these individuals … although that’s not entirely FB’s fault either. Buy an ad in Breitbart and you can target a bunch of white supremacists too. Not creating a marketing demographic for them doesn’t make the belief disappear. 

Basic Security Or Paranoia

Avatar
by Lisa

We have Amazon’s smart speakers, so I don’t know if this is true for Google or Apple digital assistants. But the Alexa series of speakers has a default wake word and several non-default options you can elect to use instead. Never use the default — that’s a good general security maxim. We had other factors in our wake word decision – a friend of Scott’s has a daughter whose name is quite close to Alexa and I foresaw the speaker going crazy if they’d speak of her. But the fact is, day 0 of the device … I expected advertisers to incorporate “Alexa, give me more info on product XYZ” in their ads. Aaaand now we have South Park season 21’s first episode.

This is just goofy stuff – maybe words you don’t want replaying at inopportune moments, maybe an alarm way too early in the morning for you. Remember TV commercials that asked kids to hold the telephone handset up to the screen and then played DTMF to ring the order hotline? Alexa, call 800-###-####. Hell, they could order Amazon products on your credit card. Something like ShopSafe (a unique card number with a low limit that actually rejects purchases over that limit) can be tied to your account. It’s extra work to keep updating the card on your account, but I’d rather Alexa buy 12$ of something I didn’t want than 250$. Then our speakers do not have unfettered access to my credit card – there’s a pin required to make purchases. I’m sure that won’t stop your kid who overhears the code from using it, but it prevents television programs, radio shows, and party-goers from buying random junk as a joke.

Checking Supported TLS Versions and Ciphers

Avatar
by Lisa

There have been a number of ssl vulnerabilities (and deprecated ciphers that should be unavailable, especially when transiting particularly sensitive information). On Linux distributions, nmap includes a script that enumerates ssl versions and, per version, the supported ciphers.

[lisa@linuxbox ~]# nmap -P0 -p 25 –script +ssl-enum-ciphers myhost.domain.ccTLD

Starting Nmap 7.40 ( https://nmap.org ) at 2017-10-13 11:36 EDT
Nmap scan report for myhost.domain.ccTLD (#.#.#.#)
Host is up (0.00012s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
25/tcp open smtp
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) – A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) – A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) – A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) – A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) – A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) – A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) – A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) – A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 144.67 seconds

Security Standards For Financial Information

Avatar
by Lisa

A long time ago, processors of credit card information didn’t have any standards. And they’d lose your data. People didn’t like that, and some type of regulation had to be put on the industry. The credit card processors got together and formed an initiative to form their own regulations – PCI. They were a lot more concerned with the regulation’s impact on profitability than government regulations would have been. The PCI standards were fairly effective.

And now one of the credit bureaus has lost a huge amount of personal data – including social security numbers and account numbers that I don’t get why were stored in anything other than a one-way hash in the first place. But the bigger question is how are these credit bureaus able to operate with standards that are less strict than the industry-association generated PCI standards? My guess is that there will be a credit bureau industry association writing security standards in the next week or so. If there isn’t an industry association forming to ensure my social security number and account numbers aren’t stored in clear text on web-accessible servers at credit bureaus … I should hope the government would intervene and mandate a certain level of security.

Revisiting Court Decisions

Avatar
by Lisa

In 2008, Miami-Dade enacted Ordinance 08-34 requiring cranes be able to withstand load from 140 mph winds. Construction companies objected — they’d need to spend more money ensuring public safety, and really how often are 140 mph winds ripping through Miami? Courts deemed the local regulation to cover worker safety and not public safety; the OSHA requirement, which is something like 90 mph, superseded the local government’s Ordinance (I think the 11th Circuit decision actually said it was a multi-purpose regulation … but since the requirement touched on workplace safety, OSHA wins). I wonder, as cranes come crashing into buildings in downtown Miami, if the court would revisit that decision.

I worked for a company that operated each regional area as an independent entity. Each had their own set of rules, regulations, processes … they just shared a common HR staff and all of the money rolled up to the same ledger. Their “sell” to this approach was that it allowed different regions with different requirements to make rules that met their customer’s needs. The unfortunate example that got cited, though, was a military base out in Virginia. *That* region had a policy where, upon being deployed overseas, a military family could have their account flagged as forward deployed. The the account would not be suspended for non-payment and no collections attempts would be made. Which is nice – but why weren’t military bases in other regions afforded the same courtesy? Or customers stationed at the base in Virginia who happened to retain their cell phone from their family’s home in Kansas? Essentially, I could never understand what about cellular service could need to be customized for a specific region where it was a completely unreasonable policy in other regions. There are areas where a single nation-wide regulation makes sense.

Construction regulations, on the other hand, seem very location specific. And a area where a nationwide minimum standard would be far more reasonable. I doubt there’s a lot of concern about coastal flooding in Denver. Snow load regulations for equipment in South Texas is silly, but I wouldn’t want to sleep next door to a crane in NYC that didn’t fall under some snow load reg. Builders in Maine don’t need to worry too much about tornado damage, but construction sites between OKC and Tulsa can reasonably be required to lash down their materials at the end of each day to avoid debris being flung all over the countryside. And, yeah, cities in Southern Florida can reasonably want large pieces of equipment to have higher wind load ratings than a crane in Seattle.

Furthermore — why is it “states rights” people only support the state’s rights to be *more* Republican? Why should Cali need a waiver to have stricter air quality and fuel efficiency rules? Why should Miami be unable to have higher standards for wind force? It isn’t like Washington needed a waiver to set their minimum wage above the federal set-point.

Equifax Hack

Avatar
by Lisa

First of all, saying half the population of the United States has had their personal information stolen might be accurate, but it’s the good marketing spin. 2016 numbers had 249,485,228 adults in the United States. That’s 57% of people over 18 who have had their personal data stolen. Now there are people with no credit history. It’s a bit of a thing when you first want to rent a flat or get a credit card … you have no credit history, and can’t get credit until you have one. Last I read, it was something like 14% of adults who have no credit record — meaning Equifax gave up information on 66% of the credit-having population.

Leaving aside the marketing spin on numbers, though, why the hell is a credit bureau storing my personal information in a retrievable format instead of a one-way hash? Performance, I assume … so I guess my question really is why were a couple of clock cycles considered more important than the security of my data? Some of the data is probably maintained in clear text because they use heuristic matching to link incoming data to entities. I’m guessing my info comes in with a name, address, creditor name, and account number. And they’ve got to be able to match up the thirty different iterations of my address to ingest the data. But there’s no reason for the account number to be stored unhashed – store the last two or three digits in a new column for display (Your XYZ account ending in ###). And there’s sure as hell no reason for the SSN to be stored unhashed – even if they’d have to store the full one hashed and the last four in another hash because some data doesn’t come in with full SSNs.

Calculating Cost Of Material For Craft Projects — Crocheting and Knitting

Avatar
by Lisa

Calculating the cost of materials for a knitting or crocheting project is a little more complex than calculating soap material costs. Because there’s not a recipe. Your pattern may say 150 grams of a specific yarn, but you don’t use exactly 150 grams. You use what you use, and whatever is left over is left over.

As with soap oils, the price per skein of yarn may include a tax or shipping component. You can follow the same process to determine the yarn as a percentage of the order weight for prorated shipping and the yarn cost as a percentage of the order cost for prorated tax.

With yarn projects, though, you need to know how much yarn actually went into the project. How? Weigh the skeins. Weigh them before you use them or just accept the manufacturer’s weight as accurate. If you’ve got a little kitchen scale, weigh the yarns when you finish using it on the project (this assumes you don’t concurrently use the same yarn on multiple projects!). The difference is the amount of yarn in the project. You can then calculate the percentage of the yarn which was used ( (weight at start – weight at end) / weigh at start). The material cost is that percentage of the yarn cost (price per skein * number of skeins used). Add up the material cost for each yarn in the project, and you know the material cost for the project.

A spreadsheet is good for these sort of repetitive calculations. You can estimate a project’s total cost by entering 0 into column ‘G’ and basing column ‘C’ on the pattern’s yarn requirements.

The spreadsheet allows you to check out how different yarns will impact the project material cost too – what happens if I use a more expensive yarn? It’s nice to know before looking at your shopping cart total in absolute shock 🙂

Calculating Cost Of Material For Craft Projects — Soap

Avatar
by Lisa

Tax accounting doesn’t require you to track per-item cost of materials. Money for inventory on a shelf v/s money for inventory used in products  – same diff. But if you want to know how much you are profiting for each sale, it helps to track the cost of goods per item.

Soap is fairly easy because there’s a recipe — you know how much of a certain oil you’ve used in the end product because you weighted it out to the nearest tenth gram to start with. You still have to know how much you paid for that oil (well, close enough – prices change and I’m not interested in the level of accuracy which would require knowing from *which* order the oil I’m using *this* time came). But did you pay shipping and/or tax? If not, then the cost per gram is simply the price you paid divided by the number of grams purchased. If you *did* pay shipping or tax — then you need to calculate each item as a percentage of the order. You can do this just as a percentage of the total order cost ($ for item / $ for total order) and use that for both tax (accurate) and shipping (accurate if shipping is assessed by order value, probably close enough if shipping is assessed by weight). Or you can calculate the percentage of total order cost and the percentage of order weight (item weight / sum of weight of all items ordered). Use the order cost % for for tax calculations and the order weight % for shipping calculations. Then multiply tax and shipping charges by their respective % values.

A 35# pail of coconut oil for 43.78$ with no shipping but 3.28$ in tax as the only item ordered = 47.06$. 35# is 560 ounces (I trust the supplier’s scale here). Which is 0.084 cents per ounce. My 20% superfat coconut oil soap recipe uses 66 ounces. That’s 5.54$ of coconut oil.

Lye cost is a more complex calculation because I order it along with other specialty items. It was 50$ for the whole order of lye. The lye was 85% of the previous order’s weight. Shipping was 17.79. So the lye’s portion of the shipping was 0.85 * 17.79 = 15.12$. The lye was 61% of the order’s value. Tax was 6.19. The lye’s portion of tax was 0.61 * 6.19 = 3.78$. The sum of these (50+15.12+3.78) is 68.9. Each container is 27 ounces of lye and I got 5 containers — 27 * 5 is 135 ounces. Divide the lye cost by ounces received, 68.9/135, and I paid 0.51$ per ounce of lye. There are 9.6 ounces of lye in my recipe, which adds 4.90$ for lye.

Lavender essential oil was 33.54$ for 16.6 ounces. 16.07$ shipping, and the EO was 7% of the order weight. That’s another 1.12$ for shipping. Total cost for the EO is 34.66. Divide by ounces and it is 2.03$ per ounce. I used 4 ounces of the EO – 8.37$

The lavender scented, uncoloured batch of my coconut oil soap costs 5.54 + 4.90 + 8.37 = 18.82$ to produce. Now this is a 6# batch of soap, 24 3-oz bars. To calculate a per-bar cost, divide the total batch cost by the number of bars cut. 18.82 / 24 = 0.78$.

This is the sort of thing databases and spreadsheets are really good at doing. It’s the same formula over and over again. There are specialty accounting packages specifically for individual craft segments (i.e. a single piece of software that tracks inventory and unit cost thereof, recipes, sales and unit costs thereof and can analyze the data all sorts of ways). 100$ for the software, which is deductible against business income – it’s an investment in the business and saving yourself time. But for an initial foray into marketing a product, a simple spreadsheet will do. SoapCostCalculator is a spreadsheet I built to get an idea of how much each bar of soap was costing me.