How Rob Dodson Does an Accessibility Audit

Rob Dodson is a Google developer advocate on the Polymer team. In addition to that, he specializes in accessibility via his a11ycasts series. In this episode, Rob shows us how an accessibility audit works at a high level. It is by no means exhaustive, but it will help you get the so-called “low hanging fruit.”

Can you easily TAB through your user experience?

  1. Can you navigate around the site using the tab key?
  2. Are there discernible focus styles as you tab around? (bonus points: are they animated?)
  3. Is there a skip link to main content?
  4. Can you ensure there is no off-screen content that can be focused on?
A good accessibility audit can catch selectable content hidden from view, like in menus.

Can you navigate the site via a screen reader and a keyboard?

  1. Do your images have proper “alt text?”
  2. Do you have any custom elements or JavaScript interactivity that a screen reader misses?
  3. Can you use your custom controls with the keyboard?
  4. Can your screen reader (and keyboard navigation) work with modals, dialogs, popups, and other dynamically added elements?

Is Your Page Structure Accessible?

  1. Are there proper page headings?
  2. Are there appropriate “landmark elements” on the page using the role attribute?
The Web Rotor will show you page structure based on HTML tags or role attributes

With these, you can open up the Web Rotor with Ctrl+Option+U to see how it uses the page structure to summarize and navigate the page.

Color and Contrast

  1. Are there any sections with too low contrast between background and text?
  2. Are there any combinations of colors that might cause difficulty to a user with color blindness?

The aXe Chrome extension and the Accessibility Developer Tools extension can help with these issues.

Accessibility Regression Testing

  1. As your front end changes, do you have a process in place that will catch regressions in accessibility?
  2. Is this part of your build and deployment process? (You can use aXe core for this)
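As an added example of the "low hanging fruit" checks in this audit, run as a regression test in a build, here is a small static HTML audit written for this page in Python's standard `html.parser` (not Rob Dodson's code and not what aXe core does; aXe evaluates the rendered DOM, which this cannot). It flags images with no `alt` attribute, a missing skip link, a missing `main` landmark, a missing `h1`, positive `tabindex` values, and `div`/`span` elements wired up with `onclick` but no `tabindex` and `role`, which is the classic custom control a keyboard user cannot reach. The two sample pages are constructed.

```python
# Added example: a minimal static accessibility audit on the HTML source.
from html.parser import HTMLParser

LANDMARK_TAGS = {"main", "nav", "header", "footer", "aside"}
LANDMARK_ROLES = {"main", "navigation", "banner", "contentinfo", "complementary", "search"}


class A11yAuditor(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []
        self.landmarks: set[str] = set()
        self.h1_count = 0
        self.has_skip_link = False
        self._anchor = None          # (href, text chunks) while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and "alt" not in a:        # alt="" is fine for decorative images; no alt is not
            self.findings.append(f"<img src={a.get('src', '?')}> has no alt attribute")
        if tag in LANDMARK_TAGS:
            self.landmarks.add(tag)
        if a.get("role") in LANDMARK_ROLES:        # landmark via role attribute, as in the audit
            self.landmarks.add(a["role"])
        if tag == "h1":
            self.h1_count += 1
        tabindex = a.get("tabindex")
        if tabindex is not None and tabindex.lstrip("-").isdigit() and int(tabindex) > 0:
            self.findings.append(f"<{tag}> uses positive tabindex={tabindex}, which scrambles tab order")
        if tag in ("div", "span") and "onclick" in a and not ("tabindex" in a and "role" in a):
            self.findings.append(f"<{tag}> with onclick but no tabindex/role is not keyboard reachable")
        if tag == "a":
            self._anchor = (a.get("href", ""), [])

    def handle_data(self, data):
        if self._anchor is not None:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor is not None:
            href, chunks = self._anchor
            text = "".join(chunks).strip().lower()
            if href.startswith("#") and "skip" in text:   # "Skip to content" in-page link
                self.has_skip_link = True
            self._anchor = None


def audit(html: str) -> list[str]:
    """Return a list of findings; an empty list means the static checks passed."""
    p = A11yAuditor()
    p.feed(html)
    p.close()
    findings = list(p.findings)
    if not p.has_skip_link:
        findings.append("no skip link to main content")
    if "main" not in p.landmarks:
        findings.append("no <main> element or role=main landmark")
    if p.h1_count == 0:
        findings.append("no <h1> page heading")
    return findings


# Constructed sample pages
BAD_PAGE = """<html><body>
<nav><a href="/about">About</a></nav>
<main>
<h1>Welcome</h1>
<img src="hero.png">
<img src="logo.png" alt="Talk Notes logo">
<div onclick="openMenu()">Menu</div>
</main></body></html>"""

GOOD_PAGE = """<html><body>
<a href="#main">Skip to content</a>
<nav aria-label="Primary"><a href="/about">About</a></nav>
<main id="main"><h1>Welcome</h1><img src="hero.png" alt=""></main>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("bad", BAD_PAGE), ("good", GOOD_PAGE)):
        print(name, audit(page))
```

A check like `audit()` returning a non-empty list can fail a build step, which is the regression-testing hook the last checklist item asks about; for anything beyond the static source (focus order, contrast of computed styles, ARIA on generated DOM) you still want aXe core running against the rendered page.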

Talk Notes: James Powell on How His Daughter Taught Him Social Engineering

James Powell is a senior software engineer at Cisco with a psychology degree. He has been fascinated with the mechanisms of social engineering and manipulation since a very young age. In this talk he compares and contrasts examples of how his daughter manipulates him into giving her chocolate and candy with examples of how companies, adversaries, and even pets manipulate victims.

You Are Always Being Manipulated.

Most of it is benign. This realization came from an unlikely source: his daughter. Children are amazing manipulators; they are goal-oriented and have the benefit of living somewhat outside of our societal moral/ethical framework. This extends to every moment in life. It all can be used as training because everybody is trying to use social engineering on you for better or worse.

The Good Guys?

These are your training partners and instructors. They will provide you the training while they try to get you to do good, or at least neutral, things, like give them candy or pet them.

  • Friends and Family
  • Pets
  • Corporations (sometimes)*

* James includes corporations here but really states they belong “on the fence”

The Bad Guys

These are people trying to find shortcuts and loopholes in your psychology to get you to do things you don’t want to.

  • Scammers / Con Artists
  • Phishing, like the “whaling” attacks used against the DNC.
  • “Watering Hole” Attackers
  • Corporations (sometimes), by way of manipulative advertising

Attack One: Build Trust

This example social engineering begins by being cute and asking what seems to be a benign question.

His daughter asks “Papa, are you happy with me?” every day (building in repetition!) to which James will almost always reply, “Yes, of course!” His daughter says “Then I will have chocolate for dinner.”

Not a question. Just a statement and a conclusion. In the real world, this might look like the following:

This attempt is not so cute.

“Dan from IT” is a great name to build trust. Dan sounds like a perfectly believable name. “IT” sounds trustworthy. Dan might say he’s here to help and upgrade security patches on your system. You might tell “Dan” that you already upgraded and he’d say “Great job!” to give you good feels, and then say “Just log into this website to verify.”

Defense 1: Be Cautious

This sounds like blanket advice but reminding yourself consciously of it will train you to take it as an active step. Be cautious. Slow down. Think about the situation you’re in. You’ve never logged into a website to verify your updates before, have you?

Defense 2: Trust but Verify

Just like James would ask his wife if it’s OK for his daughter to have candy for dinner, you should check with somebody else if you need to verify your updates via a website. Of course, they will tell you “you shouldn’t have to ask.” Ask anyway.

Attack Two: Developing Reciprocity

It’s only a matter of seconds before she asks for candy. You’ll see.

When people do something for you, it creates an imbalance and pressure for you to do something else in return. Reciprocity is the act of restoring this balance. This all holds true for children as well as adversaries.

James’ daughter will “clean,” reinforce by saying “look how clean I made it!” and then she will finally ask “Can I have candy?”

Defense One: Ask Yourself: “Do I Know This Person?”

Do you know them? In real life? How well do you know them? What are their motivations? Why should you trust what they’re giving you?

Defense Two: Beware More Give Than Take

Infomercials are superb examples of manipulation via “more give than take” with this one simple phrase.

From there, ask if this situation is more give than take? If so, then be even more cautious.

Attack Three: Create a Sense of Urgency

The infomercial above might end with a phrase like “you won’t find a better deal than this!” This may be true, but the function of such a claim is to create urgency. Bringing this back to James’ daughter, it might look a little more like this:

Creating a sense of urgency gets people to panic and respond because they want the alarm to stop. James tells a story of his daughter crying in public. When he rushes to her aid, first she consoles HIM, and then starts asking for things vaguely. “Can you get it for me?” While he’s still panicked, she can get candy, toys, chocolate, whatever.

In the “cyber” world, creating urgency might look more like this:

Lesson 1: Follow a Process

Do you have one? If not, start there by making one. Got it? Good.

Lesson 2: Remember Lesson 1

Seriously, all it takes is one person making one stupid mistake to bring everything crashing down.

Rules of Thumb against Social Engineering

Train Like You Fight

Bringing the talk full circle, remember the assertion at the beginning: Every moment in life is an opportunity to train yourself against social engineering. Luckily, most of life is a low-risk environment.

Reward Your Training Partners

In James’ case – if she successfully tricks him, she gets a piece of candy. All it takes for her to win is if he moves before he thinks – not even following through on fulfilling the request. The exception here is advertising and marketing. They’re already getting paid 😉

James ends the talk by reminding the audience that they are physically in the city of Las Vegas –  “one of the most well-oiled machines to get you to do things.” They’re also at DEF CON. The perfect training ground.

Talk Notes: Wesley George on The Limits of the ORM

Wesley George is a Technical Lead for a Startup in Canada called Clearbanc. The impetus from this talk came from his trying to use the ORM for a complex query and marveling at how slow it was. Thus, he put together this talk based on his adventures in deeply diving into SQL.

An ORM is Cool, but…

ORMs shine when they remove boilerplate code. They provide decent aggregation, but generally only for single table solutions. However, for more complex tasks, using complex SQL queries in a relational database allows you to create extremely powerful and performant aggregations.

Example 1: Simple Signups by Month

You might start with some code that looks like this:

This would run extremely slowly against a sufficiently large or complex dataset, so it behooves us to dive into the SQL and run the computation there. Writing more complex SQL allows us to do this in a much more performant way.

The WITH keyword allows us to essentially create ephemeral tables for use in a query. They are similar to subqueries, except they result in a much simpler final SELECT statement at the end.
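Since the screenshot of the original code is not reproduced here, the following is an added example (not Wesley George's code) of the "signups by month" query done both ways in Python: the ORM-style approach that pulls every row into the application and counts there, and a single query using a WITH clause. The CTE `monthly` is referenced twice, once for the current month and once for the previous one, which is exactly what an inline subquery makes awkward. The `users` rows are constructed, and SQLite is used only because it ships with Python; the SQL is standard.

```python
# Added example: ORM-style aggregation in the app versus a WITH (CTE) query in the database.
import sqlite3
from collections import Counter

# Constructed sample rows: (id, email, created_at)
SAMPLE_USERS = [
    (1, "a@example.com", "2016-01-05 10:00:00"),
    (2, "b@example.com", "2016-01-20 11:00:00"),
    (3, "c@example.com", "2016-02-02 09:00:00"),
    (4, "d@example.com", "2016-02-14 12:00:00"),
    (5, "e@example.com", "2016-02-28 23:59:00"),
    (6, "f@example.com", "2016-03-01 00:00:00"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, created_at TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def signups_by_month_in_python(conn) -> dict:
    """The ORM-shaped approach: ship every row to the application and count there.
    Fine for six rows; with millions of users this is the slow path the talk warns about."""
    counts = Counter(row[0][:7] for row in conn.execute("SELECT created_at FROM users"))
    return dict(sorted(counts.items()))


SIGNUPS_BY_MONTH_SQL = """
WITH monthly AS (                  -- ephemeral table: one row per month
    SELECT strftime('%Y-%m', created_at) AS month, COUNT(*) AS signups
    FROM users
    GROUP BY month
)
SELECT cur.month,
       cur.signups,
       cur.signups - prev.signups AS change_vs_prev   -- NULL for the first month
FROM monthly AS cur
LEFT JOIN monthly AS prev          -- the same CTE, referenced a second time
  ON prev.month = strftime('%Y-%m', date(cur.month || '-01', '-1 month'))
ORDER BY cur.month
"""


def signups_by_month_in_sql(conn) -> list:
    """Let the database do the aggregation; only three small rows come back."""
    return conn.execute(SIGNUPS_BY_MONTH_SQL).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(signups_by_month_in_python(db))
    for month, signups, change in signups_by_month_in_sql(db):
        print(month, signups, change)
```

Both functions agree on the counts; the SQL version additionally returns the month-over-month change without a second round trip, because the CTE can be joined to itself.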

Example 2: User Engagement Change Segmented by Campaign

For this example, we won’t even attempt to use the ORM.

Annotator’s note: Sorry, I’m not gonna type out the SQL for all this…

Concerning Efficiency and Managing Complexity

The technology inside of a relational database represents decades of computer science research. However, as your data grows into the terabyte and petabyte range, you will need to manage your complexity. Wesley describes a method and mentions a tool for this.

  • Data Warehousing is the process of storing intermediate aggregations or representations of the data on a periodic basis (hourly, daily, weekly, etc).
  • SQLAlchemy is a lower-level SQL python package, allowing a comfortable code-based medium between an ORM and raw queries.
SQLAlchemy provides an alternative to an ORM, allowing you to represent SQL-like queries in your code.

Talk Notes: Andrew Godwin on Django Channels for the Real Time Web

Andrew Godwin is a Django core developer who works at Eventbrite. In this talk he talks about Django for the Real-Time web, otherwise known as Django Channels.

The Traditional Method

The “old” way of sending and receiving requests, pre-WebSockets and Django Channels

Send a request, get a response. Even with HTTP2, you can still treat your code the same way in a WSGI-style request.

However, with WebSockets, things change. You can send without receiving, receive without sending, leave sockets open for hours, whatever. It’s the “wild wild west.” In Andrew’s mind, the way Django works with WebSockets should follow the standard Django contract: easy to use, secure by default, hard to break / deadlock, Python 2 & 3 compatible, and optional.

But… There Are Problems.

Python is… not good with concurrency, and Django is not asynchronous. At first glance, it might seem like the solution is something like message-passing via WSGI. However, WebSockets also have the additional features of events and broadcasting, which would require cross-thread or even cross process communication.

Enter Django Channels: Concepts

Channels sits between your user interface and Django and provides an asynchronous layer utilizing WebSockets.

Django Channels is a WebSockets package based on a few concepts.

  • Channels: named FIFO task queues
  • Groups: named sets of channels with add/remove/send operations
  • Messages: representations for HTTP and WebSocket operations.
This is the new way – send a message and receive zero or more messages. Views become Consumers. Messages can also go to Sockets or Workers.

With these concepts, you get 5 simple API endpoint operations:

  1. send('channel_name', {'ponies': True})
  2. receive_many(['channel_one', 'channel_two'])
  3. group_add('group_name', 'channel_name')
  4. group_discard('group_name', 'channel_name')
  5. send_group('group_name', {'ponies': True})
Much like Consumers are views, we have, which is paralleled by

Example: Live Blog

Suppose you want a blog where the readers can get new blog posts as they are published, without refreshing.

  1. The client opens a websocket when the page is opened, and that websocket is added to a group.
  2. When the BlogPost model is saved, we send the post to that group

Fully working example available on GitHub.

Example: Chat

The simplest chat: a person types a message, everybody gets it. This example is nearly identical to the above example but instead of using the save method on a model, we simply use the ws_receive method:

  1. The client opens a websocket when the page is opened, and that websocket is added to a group.
  2. When a message arrives over the websocket (ws_receive), we send it to that group

Fully working example available on GitHub.
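The five operations and the two flows above (live blog fan-out on save, chat fan-out on receive), as an added example that is not Andrew Godwin's code and not the real channels package: a toy in-memory channel layer in plain Python so the concepts can be run without Django. `InMemoryChannelLayer`, `LiveBlog` and `drain` are this example's own names; the real `receive_many` also takes a blocking flag, and reply channel names are generated by the interface server, not by the application as here.

```python
# Added example: channels as named FIFO queues, groups as named sets of channels,
# and a "consumer" that fans one message out to a group.
import itertools
import json
from collections import defaultdict, deque


class InMemoryChannelLayer:
    """Toy layer with the five operations: send, receive_many, group_add, group_discard, send_group."""

    def __init__(self) -> None:
        self._channels = defaultdict(deque)    # channel name -> FIFO of messages
        self._groups = defaultdict(set)        # group name -> set of channel names

    def send(self, channel: str, message: dict) -> None:
        self._channels[channel].append(dict(message))

    def receive_many(self, channels):
        """Return (channel, message) for the first listed channel with a queued message, else (None, None)."""
        for name in channels:
            queue = self._channels.get(name)
            if queue:
                return name, queue.popleft()
        return None, None

    def group_add(self, group: str, channel: str) -> None:
        self._groups[group].add(channel)

    def group_discard(self, group: str, channel: str) -> None:
        self._groups[group].discard(channel)

    def send_group(self, group: str, message: dict) -> None:
        for channel in sorted(self._groups[group]):     # one copy per member channel
            self.send(channel, message)


class LiveBlog:
    """Consumer-style handlers: one group holds every open reader socket."""

    GROUP = "liveblog"

    def __init__(self, layer: InMemoryChannelLayer) -> None:
        self.layer = layer
        self._ids = itertools.count(1)

    def ws_connect(self) -> str:
        """Page opened: give the socket a reply channel and add it to the group."""
        reply_channel = f"websocket.send!{next(self._ids)}"
        self.layer.group_add(self.GROUP, reply_channel)
        return reply_channel

    def ws_disconnect(self, reply_channel: str) -> None:
        self.layer.group_discard(self.GROUP, reply_channel)

    def post_save(self, title: str, body: str) -> None:
        """Live blog: called from the BlogPost save hook, pushes the post to every reader."""
        self.layer.send_group(self.GROUP, {"text": json.dumps({"title": title, "body": body})})

    def ws_receive(self, reply_channel: str, text: str) -> None:
        """Chat: a message typed by one socket is sent to everybody in the group."""
        self.layer.send_group(self.GROUP, {"text": json.dumps({"from": reply_channel, "text": text})})


def drain(layer: InMemoryChannelLayer, channel: str) -> list:
    """What the interface server would write to one socket: every queued message, in FIFO order."""
    out = []
    while True:
        _, msg = layer.receive_many([channel])
        if msg is None:
            return out
        out.append(json.loads(msg["text"]))


def run_demo() -> dict:
    layer = InMemoryChannelLayer()
    blog = LiveBlog(layer)
    alice, bob = blog.ws_connect(), blog.ws_connect()
    blog.post_save("Hello", "first post")       # both readers get it
    blog.ws_receive(alice, "hi everyone")       # chat: both get it, including the sender
    blog.ws_disconnect(bob)
    blog.post_save("Again", "second post")      # only alice is still in the group
    return {"alice": drain(layer, alice), "bob": drain(layer, bob)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Note how nothing in `LiveBlog` knows how many sockets are open or which process serves them: the consumer only talks to the group, and the layer decides where each copy goes, which is what lets interface servers and workers scale independently.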

Other Cool Stuff!

The ASGI Specification

Now that there’s a WebSocket medium for Django, we need a standard way of structuring channels and messages. Enter ASGI. This is an API specification for channel layer backends, as well as a message format for HTTP and WebSockets. ASGI is perfectly compatible with WSGI, and a number of other technologies as well.


Interface servers scale horizontally, as do worker servers. Thus, the channel layer has to as well. Luckily Django Channels has consistent hash sharding built in. Andrew talks about how it will be part of Django soon, but it’s not quite mature enough yet.

JusticeBeaver on Discovering and Triangulating Rogue Cell Towers

JusticeBeaver (Eric Escobar) is a security engineer at Barracuda Networks. He started as a civil engineer and moved to all things wireless networking. In this talk he discusses how to detect and locate a rogue cell tower, or IMSI catcher.

What is a Rogue Cell Tower?

A rogue cell tower is a device that allows somebody, usually an authority of some sort, to do an “evil twin” attack on your phone by posing as a cell tower. They are also known as IMSI catchers, cell-site simulators, or by the brand name Stingray. According to the ACLU, 66 agencies and 24 states own Stingrays. They are also used abroad.

These allow the operator to collect metadata from phones, but in some cases they can also downgrade your connection and, by doing so, capture your calls, SMS, and data.

IMSI stands for International Mobile Subscriber Identity and it is a unique identifier for your phone

Why You Should Care?

These devices are extremely invasive. They are essentially one big net that can capture you, as a small fish.  Your phone connects automatically to the device with the strongest signal. All transmitted data is suspect – even TFA keys sent through SMS.

How Do You Detect an IMSI Catcher?

Cell towers broadcast data about themselves, and the values should remain constant. By comparing incoming data against a baseline over time, you can detect deviations. A deviation could be as simple as work being done on the network, OR it could be an IMSI catcher. Deviations worth checking for:

  • A new cell tower
  • Country code mismatch
  • Mobile network code mismatch
  • Frequency mismatch
  • Location area code mismatch
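The baseline comparison described above, as an added example in Python that is not JusticeBeaver's detector code: a snapshot of known towers is built from normal scans, and each later scan is checked for the five deviations listed. The record layout (`TowerObservation` and its field names), the home network codes, and both scans are constructed for this example; the real SIM900 / Field Test Mode output format is not reproduced here, so a parser for it would sit in front of this.

```python
# Added example: compare each cell scan against a baseline of previously seen towers.
from dataclasses import dataclass


@dataclass(frozen=True)
class TowerObservation:
    """One tower as a scanner reports it (constructed field layout for this example)."""
    cell_id: str   # cell identity
    mcc: int       # mobile country code
    mnc: int       # mobile network code
    lac: int       # location area code
    arfcn: int     # radio frequency channel number
    rxl: int       # receive level in dBm (closer to 0 is stronger)


HOME_MCC, HOME_MNC = 310, 260   # constructed: the codes your own carrier should broadcast

# Constructed "normal day" scan used to seed the baseline
BASELINE_SCAN = [
    TowerObservation("1a2b", 310, 260, 4101, 128, -70),
    TowerObservation("3c4d", 310, 260, 4101, 130, -80),
    TowerObservation("5e6f", 310, 260, 4102, 512, -90),
]

# Constructed later scan: a known tower changed its LAC, and an unseen, very strong tower appeared
SUSPICIOUS_SCAN = [
    TowerObservation("1a2b", 310, 260, 4101, 128, -72),
    TowerObservation("3c4d", 310, 260, 4199, 130, -81),
    TowerObservation("ffff", 310, 260, 4101, 128, -45),
]


def build_baseline(scans) -> dict:
    """First-seen values per cell id. In practice feed this days of scans from the same spot."""
    baseline = {}
    for scan in scans:
        for obs in scan:
            baseline.setdefault(obs.cell_id, obs)
    return baseline


def check_scan(baseline: dict, scan, home_mcc: int = HOME_MCC, home_mnc: int = HOME_MNC) -> list:
    """Return (cell_id, reason) pairs for every deviation from the baseline or the home network."""
    alerts = []
    strongest = max((obs.rxl for obs in scan), default=None)
    for obs in scan:
        if obs.mcc != home_mcc:
            alerts.append((obs.cell_id, f"country code mismatch: {obs.mcc} != {home_mcc}"))
        if obs.mnc != home_mnc:
            alerts.append((obs.cell_id, f"mobile network code mismatch: {obs.mnc} != {home_mnc}"))
        known = baseline.get(obs.cell_id)
        if known is None:
            note = " and it is the strongest signal in the scan" if obs.rxl == strongest else ""
            alerts.append((obs.cell_id, f"new cell tower ({obs.rxl} dBm){note}"))
            continue                         # nothing to compare the remaining fields against
        if obs.arfcn != known.arfcn:
            alerts.append((obs.cell_id, f"frequency mismatch: {obs.arfcn} != {known.arfcn}"))
        if obs.lac != known.lac:
            alerts.append((obs.cell_id, f"location area code mismatch: {obs.lac} != {known.lac}"))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline([BASELINE_SCAN])
    for cell_id, reason in check_scan(baseline, SUSPICIOUS_SCAN):
        print(cell_id, reason)
```

The "strongest signal" note matters because, as the talk points out, the phone will camp on whichever tower is loudest; a brand-new tower that is also the strongest is the case worth a notification, while a single LAC change on an old tower is often just carrier maintenance and should be confirmed over several scans before alarming.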

How Do You Locate a Tower?

Once you notice an anomalous tower, you might want to figure out what it is. The best way to do this is to combine all available cell tower data with receive power and location, using a single sensor that can be moved.

Some math and free GIS software can give you some fancy maps to locate a potential IMSI catcher.

Trilateration vs Triangulation

These are similar concepts but often confused. Essentially: Triangulation is the practice of using the intersection of strongest-signal angles from three detectors to zero in on a location. Trilateration, on the other hand, uses indirect data like the signal strength at at least three detector positions to determine the location of a cell tower.
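Trilateration from receive power, as an added example that is not from the talk: received power is turned into an estimated distance with a log-distance path-loss model (an assumption; the talk does not specify a model), and the three circles are solved by subtracting the circle equations pairwise, which leaves a 2x2 linear system. Positions are in local metres (projecting GPS fixes to a local plane is assumed done beforehand), and the sensor positions and the "true" tower position are constructed.

```python
# Added example: locate a tower from three receive-power readings taken at known positions.
import math


def rssi_to_distance(rssi_dbm: float, ref_dbm: float = -40.0, path_loss_exp: float = 3.0) -> float:
    """Log-distance path-loss model (assumed): metres at which ref_dbm (power at 1 m) has
    fallen to rssi_dbm. path_loss_exp is ~2 in free space and 3-4 in built-up areas."""
    return 10 ** ((ref_dbm - rssi_dbm) / (10 * path_loss_exp))


def distance_to_rssi(distance_m: float, ref_dbm: float = -40.0, path_loss_exp: float = 3.0) -> float:
    """Inverse of the model above; used only to fabricate the sample readings."""
    return ref_dbm - 10 * path_loss_exp * math.log10(distance_m)


def trilaterate(p1, d1, p2, d2, p3, d3):
    """Solve (x - xi)^2 + (y - yi)^2 = di^2 for i = 1..3. Subtracting equation 1 from
    equations 2 and 3 removes the squares, leaving a1*x + b1*y = c1 and a2*x + b2*y = c2."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("sensor positions are collinear; take the third reading somewhere else")
    x = (c1 * b2 - c2 * b1) / det        # Cramer's rule
    y = (a1 * c2 - a2 * c1) / det
    return x, y


def locate_from_readings(readings):
    """readings: list of ((x, y) metres, rssi_dbm) for one cell id from one moving sensor.
    The three strongest readings are the least noisy, so use those."""
    best = sorted(readings, key=lambda r: r[1], reverse=True)[:3]
    (p1, r1), (p2, r2), (p3, r3) = best
    return trilaterate(p1, rssi_to_distance(r1), p2, rssi_to_distance(r2), p3, rssi_to_distance(r3))


# Constructed scenario: the tower really is at (3, 4); four readings from a sensor walked around it
TRUE_TOWER = (3.0, 4.0)
SENSOR_POSITIONS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
SAMPLE_READINGS = [
    (pos, distance_to_rssi(math.dist(pos, TRUE_TOWER))) for pos in SENSOR_POSITIONS
]

if __name__ == "__main__":
    print(locate_from_readings(SAMPLE_READINGS))
```

With real readings the distances carry tens of percent of error, so rather than trusting one exact intersection you would collect many readings and feed the over-determined system to a least-squares solver, then plot the estimate and its spread on the GIS map the talk mentions.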

How to Build a Detector?

JusticeBeaver walks us through how to build a detector with $52 worth of parts:

Mega-hacked IMSI Catcher detector for $52
It’s a hack, but it works!


Getting Cell Tower Data: SIM 900 or Field Test Mode

The SIM 900 is an inexpensive device that gives you the broadcast data from the top 7 nearby towers. Engineering mode requires no SIM card, and it does not sniff data. You can also achieve this using Field Test Mode on your phone.

Typically, the SIM 900 will return data in this format, and the GPS will return data in this format. You can parse and store that in SQL or NoSQL, or whatever medium of your choice.

Beware the TV Tuner!

Depending on where you are, listening to raw GSM frames can be very illegal.

Once you Locate a Tower

You can send yourself a notification using Email, Twilio, or PushOver. If you get a notification, turn off your phone. Then you can start looking at the data.

Irene Chen’s Beginner’s Guide to Deep Learning

Deep Learning, the endeavor to make computers as smart as humans, or even just its simpler cousin Machine Learning, can be incredibly overwhelming and daunting to learn. There’s either too much code or too much math. Luckily, Irene Chen wrote this talk for Beginners to learn the fundamentals of deep learning.

If these Talk Notes are useful to you, become a patron!

Deep Learning: Why Now?

Neural networks have been around since the 1970s. Why the resurgence now? Three factors provide a new foundation for modern Deep Learning.

  1. Big data (aka the “fuel” of the rocket ship)
  2. Big processing power
  3. Robust neural networks  (aka the “engine” of the rocket ship)

Because of this “perfect storm,” we are seeing a tremendous number of breakthroughs in ML / DL / AI (e.g. AlphaGo).

Neural Networks: The Avocado Classifier

Neurons are the cells that comprise the human brain. Synapses connect neurons together. Computer scientists have modeled this with a simplified graph called a neural network. In this graph, neurons are modeled with what are called nodes, and synapses are modeled with what are called edges.

Simple graph of a neural network, a critical data structure in deep learning


Note that some arrows are thicker than others – each edge has a weight, which is a measure of the importance of the data passing through it. This is represented mathematically via a sigmoid function.

The hidden layers are everything between the input and output nodes.

Very simple example: Given an avocado and its height, “squishiness”, and the color of its skin, can you determine whether or not it is perfectly ripe? 

Forward Propagation is the standard execution model of the neural network, from input to output. Likewise, backwards propagation (or “backpropagation”) is when you work from output to input, changing weights and value of nodes and edges to improve your model.

Mathematical constructs used in deep learning


To reduce errors, “tune” your parameters experimentally or by using the above math. Convergence is when your error rate is “good enough” based on the number of iterations.
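The avocado classifier with forward propagation, backpropagation and a fixed iteration budget for "convergence", as an added example that is not Irene Chen's code and uses no ML library so every weight update is visible. The eight avocados (height, squishiness, skin darkness, all scaled to 0..1) are constructed, labelled by the made-up rule "ripe when soft and dark"; the network has one hidden layer of four sigmoid nodes and is trained on squared error.

```python
# Added example: a three-input, one-hidden-layer network trained by backpropagation.
import math
import random


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


# Constructed sample data: ((height, squishiness, skin darkness), ripe?)
AVOCADOS = [
    ((0.5, 0.90, 0.90), 1.0),
    ((0.6, 0.80, 0.85), 1.0),
    ((0.4, 0.85, 0.80), 1.0),
    ((0.7, 0.90, 0.95), 1.0),
    ((0.5, 0.20, 0.30), 0.0),
    ((0.6, 0.10, 0.20), 0.0),
    ((0.4, 0.30, 0.90), 0.0),   # dark skin but still hard
    ((0.7, 0.90, 0.20), 0.0),   # soft but still green
]


class TinyNet:
    """Input nodes -> hidden sigmoid nodes -> one sigmoid output node; edges carry the weights."""

    def __init__(self, n_in: int, n_hidden: int, seed: int = 0) -> None:
        rng = random.Random(seed)
        self.w_hidden = [[rng.uniform(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b_hidden = [0.0] * n_hidden
        self.w_out = [rng.uniform(-1, 1) for _ in range(n_hidden)]
        self.b_out = 0.0

    def forward(self, x):
        """Forward propagation: input -> hidden -> output. Returns (hidden activations, output)."""
        hidden = [sigmoid(sum(w * xi for w, xi in zip(ws, x)) + b)
                  for ws, b in zip(self.w_hidden, self.b_hidden)]
        out = sigmoid(sum(w * h for w, h in zip(self.w_out, hidden)) + self.b_out)
        return hidden, out

    def predict(self, x) -> float:
        return self.forward(x)[1]

    def train_step(self, x, target: float, lr: float) -> None:
        """Backpropagation for loss = 0.5 * (out - target)^2: work from output to input,
        nudging every weight against its gradient."""
        hidden, out = self.forward(x)
        delta_out = (out - target) * out * (1.0 - out)            # d loss / d z at the output node
        delta_hidden = [delta_out * w * h * (1.0 - h)              # pushed back along each output edge
                        for w, h in zip(self.w_out, hidden)]
        for j, h in enumerate(hidden):                             # update output edges
            self.w_out[j] -= lr * delta_out * h
        self.b_out -= lr * delta_out
        for j, dh in enumerate(delta_hidden):                      # update hidden edges
            for i, xi in enumerate(x):
                self.w_hidden[j][i] -= lr * dh * xi
            self.b_hidden[j] -= lr * dh


def mean_loss(net: TinyNet, data) -> float:
    return sum(0.5 * (net.predict(x) - t) ** 2 for x, t in data) / len(data)


def accuracy(net: TinyNet, data) -> float:
    return sum((net.predict(x) > 0.5) == (t > 0.5) for x, t in data) / len(data)


def run_demo(epochs: int = 5000, lr: float = 1.0) -> dict:
    """Train until the iteration budget is spent ("convergence" by iteration count)."""
    net = TinyNet(n_in=3, n_hidden=4)
    before = mean_loss(net, AVOCADOS)
    for _ in range(epochs):
        for x, t in AVOCADOS:
            net.train_step(x, t, lr)
    return {"loss_before": before, "loss_after": mean_loss(net, AVOCADOS),
            "accuracy": accuracy(net, AVOCADOS)}


if __name__ == "__main__":
    print(run_demo())
```

The learning rate and the epoch budget are the "tune experimentally" parameters the text mentions; the gradient expressions in `train_step` are the chain rule applied to the sigmoid, which is the math the slide summarises.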

Deep Learning Tools and Communities

  • Scikit-learn – very beginner friendly, contains a number of ML algorithms
  • Caffe – UC Berkeley’s computer vision library. Contains “Zoo,” a group of pre-trained models
  • Theano – Efficient GPU powered math
  • IPython Notebook (Jupyter) – great for interactive coding
  • Kaggle – Casual ML cooperative with contests and such


Guido van Rossum on the Python Language at PyCon 2016

25 years ago, Guido van Rossum released the Python programming language. Since then he’s been the “benevolent dictator” of the language. In this keynote talk from PyCon 2016, Guido (pronounced Gee-doh) walks us through a number of topics around this amazing and amazingly popular language.


The “State of Python”

  • Python 2.7. Until 2020 only security fixes, support for new OS versions, maybe bug fixes. See
  • Python 3.5
    • Native coroutine syntax with async / await. (PEP 492)
    • Matrix multiply: A@B, __matmul__
    • Unpacking Syntax: x = [1, 2, *y]
    • Bytes formatting is back: b"Hello %s, %d" % (b"world", 42)
    • gradual typing support: def gcd(a: int, b: int) (PEP 484)
  • Python 3.6 (code freeze in September 2016, released around Christmas)
    • f-strings: x = "world"; y = "42"; print(f"Hello {x}, {y}")
    • Underscores in numbers: 100_000_000
    • __fspath__ protocol, os.fspath() (for pathlib)
    • The secrets module: randbits(), token_hex(), etc…
    • Local time disambiguation: datetime(..., fold=1)
    • Moving to GitHub!
  • Beyond Python 3.6 is only speculation, thus not included here. 
    • However, one interesting thing is that Larry Hastings is working on removing the GIL.

What Else?

“Femail” Core developers

Guido still gets angry emails about this typo from last year’s talk, and at the time of the talk he still doesn’t have any female core devs 🙁

An Inspirational Story by Guido van Rossum

I won’t annotate this as it’s a very personal story, but you can watch it here.



WAT by Gary Bernhardt from CodeMash 2012

I’ll simply link to since it’s not on YouTube.

WAT Examples from Ruby:

(Imagine that I include an image from here after all of these:

WAT examples from JavaScript

Merry Christmas 2016



Jake Kouns at DEF CON 24 on Cyber Attribution and the Arrest Tracker

In this talk, Jake Kouns debuts Arrest Tracker after he walks us through a few examples of why attribution is hard. He then examines the data from the site and shows us what we can learn from it.


The frequency and intensity of data breaches aren’t getting better. 2015 had the most breaches ever tracked, with 77% of attacks originating from outside of the organization. 2016 isn’t looking much better, with the highest number of records breached at 1.1 billion thus far. The most common question asked is: who is behind all of this?

“Attribution is Power”

Attribution can mean a number of things depending on context, but in the “cyber” world, researchers like Jake want to know a few key facts:

  1. Who did this?
  2. What the hell did you just do?
  3. Why?

Case Study: 2014 Sony Hack

There were two major viewpoints here: North Korea vs. A Sony Insider. Credible sources backed both viewpoints: Crowdstrike and the FBI blamed North Korea, whereas Norse, Marc Rogers, and Kim Zetter from Wired blamed an insider. Much argument ensued.

Somebody had to be wrong. But, if you’re wrong in cybersecurity, especially with such bold claims, can you still be trusted?

Case Study: 2016 DNC Hack

Most people agree that Russia was involved, this time by looking at code style, use of a Russian keyboard, and timezone / holiday analysis. “Would have been a very elaborate scheme if it were anybody else” – Fidelis. However, a new question was raised: was it an individual, or an organization / government pulling the strings?

Additionally, the first state sponsored “hack back” occurred when the NSA allegedly counter-hacked Russia. This is all to say: attribution matters.

Why Can’t We Seem to Get Attribution Right?

  • Top firms can’t agree
  • Can’t believe people who claim attacks
  • Typical detective / forensic work not possible
  • Easy to spoof attacks, and easy to embed other people’s work in your attacks to throw off trails
  • Lack of physicality that might otherwise provide clues

One Better Way: The Arrest Tracker is a data gathering service founded by Lee Johnstone. It tracks not only arrests but any reported hacking-related incidents and raids. Fields include detailed legal and authority information, such as which court a case was tried in, or whether there was a paid informant involved.

Despite limitations with the data, the site collects a good deal of useful data that improves statistical analysis and profiling, aka “The Face of a Hacker.” Cyber crime is undoubtedly on the rise based on time series data. Each incident tells a fairly compelling story.

What Does the Data Show?

  • Youngest Arrest: 12 years old
  • Oldest Arrest: 66 years old
  • Vast majority 18-35. Average of 27 years old
  • Almost all male (81%+)
  • US and UK top data, but this is arrest data.
  • Most that belong to a collective belong to Anonymous (of 58 known)
  • Most popular operations were OpPayBack and OpPayPal
  • Arrests are not inevitable. Average of 610 days between crime and arrest
  • Raids most likely to occur on Mondays, and in April
  • Longest jail time was 334 years
  • Average fine, $1M

So, what is the profile of a hacker?

From the slides:

Amalgamated data from Arrest Tracker of “The Face of the Hacker”

What’s Next for Arrest Tracker?

  • Data quality and quantity
  • Bug fixes / bug tracking
  • Ability to track complex issues based on individual profiles, specifically motivation
  • Integration with FBI’s Most Wanted
  • “Where are they now?”


Talk Notes: Karyn Benson on Examining the Internet’s Pollution

Garbage men have reported that people often throw away interesting and valuable items. This raises two questions. First, how do we define “trash” on the Internet, and second, what interesting and valuable things can be found there? Karyn Benson, who spent the last 4 years working on her Ph.D. on “internet trash,” otherwise known as Internet Background Radiation (IBR), answers these questions for us.

Note, this talk was so good and so relevant to cybersecurity that I decided to include it in the cybersecurity section of this site as well.


What is Internet “trash?”

Internet Background Radiation, or Internet Trash is simply unsolicited packets sent to your own IP addresses. This includes:

  1. Scanning packets. Crawlers and probes send lots of unsolicited packets. has a working definition of what a scanner is.
  2. Backscatter. An attacker sends a packet forged as coming from one of your IP addresses, and the victim responds to you.
  3. Misconfigurations. A host erroneously believes that the wrong machine is hosting a service.
  4. Bugs. Bugs such as byte order bugs that simply send packets to the wrong destination.
  5. Spoofed Traffic. Attackers mask their IP addresses to appear as if they’re coming from a different source.
  6. Unknown. Just plain weird traffic like TCP non-standard ports or encrypted UDP packets.
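The six categories above, as an added example that is not Karyn Benson's analysis code: a first-pass classifier over a constructed darknet capture. Every packet aimed at the telescope prefix is unsolicited by definition, so the question is only which kind of trash it is: TCP SYN-ACK and RST replies and DNS answers we never asked for are backscatter from a forged source address, one source sending SYNs to many telescope addresses is a scanner, a BitTorrent DHT peer knocking on a dead host is a likely misconfiguration, and the rest stays "unknown" until the bytes are inspected by hand. The prefix (TEST-NET-1), the packet tuples and the port heuristics are constructed for this example.

```python
# Added example: sort unsolicited packets at a network telescope into IBR categories.
import ipaddress
from collections import Counter, defaultdict

# Constructed darknet prefix: nothing legitimate is hosted here, so all traffic to it is unsolicited
TELESCOPE = ipaddress.ip_network("192.0.2.0/24")

# Constructed capture: (src, dst, proto, sport, dport, tcp_flags)
SAMPLE_PACKETS = [
    ("198.51.100.7",   "192.0.2.10",  "tcp", 40000, 23,    "S"),    # telnet probes across many hosts
    ("198.51.100.7",   "192.0.2.11",  "tcp", 40001, 23,    "S"),
    ("198.51.100.7",   "192.0.2.12",  "tcp", 40002, 23,    "S"),
    ("203.0.113.5",    "192.0.2.44",  "tcp", 80,    51234, "SA"),   # SYN-ACK: victim answering a SYN forged with our address
    ("203.0.113.5",    "192.0.2.45",  "tcp", 80,    51235, "RA"),
    ("203.0.113.9",    "192.0.2.200", "udp", 53,    33000, ""),     # DNS answer to a query we never sent
    ("198.51.100.200", "192.0.2.77",  "udp", 6881,  6881,  ""),     # BitTorrent DHT peer that believes we host something
    ("198.51.100.201", "192.0.2.78",  "udp", 4444,  9999,  ""),     # nothing recognisable
    ("198.51.100.202", "10.0.0.5",    "tcp", 1234,  80,    "S"),    # not aimed at the telescope: ignored
]


def classify_packet(pkt) -> str:
    """Per-packet heuristic; only traffic to the telescope should be passed in."""
    src, dst, proto, sport, dport, flags = pkt
    if proto == "tcp":
        if "S" in flags and "A" not in flags:
            return "scan-candidate"              # a bare SYN: someone is looking for a service
        if flags in ("SA", "RA", "R"):
            return "backscatter"                 # replies to a SYN that carried our address as source
    if proto == "udp":
        if sport == 53:
            return "backscatter"                 # resolver answering a query spoofed as ours
        if dport == 6881:
            return "misconfiguration-candidate"  # DHT peer told we host a torrent (index poisoning)
    return "unknown"


def summarize(packets, min_targets: int = 3) -> dict:
    """Count categories and promote sources that SYN-probe >= min_targets telescope hosts to scanners."""
    categories = Counter()
    targets_by_src = defaultdict(set)
    for pkt in packets:
        src, dst = pkt[0], pkt[1]
        if ipaddress.ip_address(dst) not in TELESCOPE:
            continue                             # solicited or out of scope; not IBR
        category = classify_packet(pkt)
        categories[category] += 1
        if category == "scan-candidate":
            targets_by_src[src].add(dst)         # distinct telescope addresses hit by this source
    scanners = sorted(src for src, hit in targets_by_src.items() if len(hit) >= min_targets)
    return {"categories": dict(categories), "scanners": scanners}


if __name__ == "__main__":
    print(summarize(SAMPLE_PACKETS))
```

On a real telescope the "scan-candidate" bucket dominates, and the interesting work the talk describes happens in the remaining buckets: correlating scanner port choices with vulnerability announcements, counting backscatter per victim to see who is being flooded, and reading the payload bytes of "unknown" packets to pin them on a specific buggy client or botnet.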

How do we collect Internet Background Radiation?

Researchers collect using “honeypots,” simply mock servers. You can configure your honeypot to respond like a normal host. You can also configure them not to respond at all and just collect one-way traffic. There are a number of specific ways to route incoming traffic internally that I won’t go into detail on here.

What Karyn and her team used was called a “Network Telescope,” which allowed all traffic in with no response, and stored all incoming packets for analysis. They collected a massive dataset from all over the world going back to 2008.

Interesting and valuable items found in Internet Background Radiation

Revisiting the earlier list:

  1. Scanner traffic correlates heavily to vulnerability announcements

    The early data show worm releases such as Conficker on TCP port 455. In fact, the historical data show heuristically a probable test run of Conficker from a province in China, months before the worm was discovered.  Later traffic moved to TCP port 23 (telnet), which may correlate to Internet-of-Things devices.

  2. Backscatter data show that name servers are vulnerable to DDoS

    An open resolver is a DNS server that resolves any DNS request, not just those of its own internal network. Spoofed traffic to open resolvers can be used to attack an authoritative NS (like, say, Dyn) with no response cost to the attacker. Amazingly, this talk was given in August, well before the Oct 21 Dyn attack.

  3. Misconfigurations, such as those caused by a BitTorrent Index Poisoning attack, can cause IBR.

    False hosts inside of a BitTorrent Distributed Hash Table can give incorrect locations for torrents, causing the internet background radiation on Benson’s network telescope. 95% of the malicious hosts were in China.

  4. Byte order bugs and careful packet inspection can reveal information.

    Using these techniques and coordination with UCSD, they were able to determine that many packets came from Qihoo, a popular Chinese security software package. Qihoo versions containing said bug sent traffic to incorrect hosts. Benson’s team notified them of the bug.

  5. By carefully inspecting the bytes of unknown packets, you can determine the source of traffic. Oftentimes the source is a botnet like Sality.


In addition to witnessing security related events, you can use techniques such as outage detection, DHCP lease duration analysis, and path change detection to further secure your systems.
