Software developer, cyclist, photographer, hiker, reader. I work for the Library of Congress but all opinions are my own.

ImperialViolet - Security Keys


Security Keys are (generally) USB-connected hardware fobs that are capable of key generation and oracle signing. Websites can “enroll” a security key by asking it to generate a public key bound to an “appId” (which is limited by the browser based on the site's origin). Later, when a user wants to log in, the website can send a challenge to the security key, which signs it to prove possession of the corresponding private key. By having a physical button, which must be pressed to enroll or sign, operations can't happen without user involvement. By having the security keys encrypt state and hand it to the website to store, they can be stateless(*) and robust.

(* well, they can almost be stateless, but there's a signature counter in the spec. Hopefully it'll go away in a future revision for that and other reasons.)

The point is that security keys are unphishable: a phisher can only get a signature for their appId which, because it's based on the origin, has to be invalid for the real site. Indeed, a user cannot be socially engineered into compromising themselves with a security key, short of them physically giving it to the attacker. This is a step up from app- or SMS-based two-factor authentication, which only solves password reuse. (And SMS has other issues.)
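The enroll/sign flow and the phishing argument above, modelled in software as an added example (not code from the original post or from any token vendor). It assumes Node.js, treats the appId as equal to the origin, and uses AES-GCM key wrapping as one possible way to keep the token stateless; `ToyToken`, `browserSign`, `siteVerify` and the example origins are hypothetical names.

```javascript
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Bytes the token signs and the site verifies: appId hash, presence byte, counter, client-data hash.
function signedBytes(appId, counter, clientData) {
  const header = Buffer.alloc(5);
  header.writeUInt8(1, 0);          // user presence: the button was pressed
  header.writeUInt32BE(counter, 1); // signature counter
  return Buffer.concat([sha256(appId), header, sha256(clientData)]);
}

class ToyToken {
  constructor() {
    this.deviceKey = nodeCrypto.randomBytes(32); // the only long-term secret held by the token
    this.counter = 0;                            // the one piece of state the spec still requires
  }

  // Enroll: create a P-256 key pair and hand the private key back, encrypted, as the key handle.
  enroll(appId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const iv = nodeCrypto.randomBytes(12);
    const cipher = nodeCrypto.createCipheriv('aes-256-gcm', this.deviceKey, iv);
    cipher.setAAD(sha256(appId)); // assumption: the wrapped key is bound to the appId via the AAD
    const body = Buffer.concat([
      cipher.update(privateKey.export({ type: 'pkcs8', format: 'der' })),
      cipher.final(),
    ]);
    return { keyHandle: Buffer.concat([iv, cipher.getAuthTag(), body]), publicKey };
  }

  // Sign: unwrap the key handle for this appId; a handle enrolled for another appId fails to decrypt.
  sign(appId, keyHandle, clientData) {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', this.deviceKey, keyHandle.subarray(0, 12));
    decipher.setAAD(sha256(appId));
    decipher.setAuthTag(keyHandle.subarray(12, 28));
    let der;
    try {
      der = Buffer.concat([decipher.update(keyHandle.subarray(28)), decipher.final()]);
    } catch {
      return null; // not this token's handle, or not this appId
    }
    const privateKey = nodeCrypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
    this.counter += 1;
    const signature = nodeCrypto.sign('sha256', signedBytes(appId, this.counter, clientData), privateKey);
    return { counter: this.counter, signature };
  }
}

// The browser, not the page, decides which origin goes into the client data and the appId.
function browserSign(token, pageOrigin, keyHandle, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  const response = token.sign(pageOrigin, keyHandle, clientData);
  return response && { ...response, clientData };
}

// The website checks origin, challenge, signature and counter against what it stored at enrollment.
function siteVerify(site, challenge, response) {
  if (!response) return 'no-signature';
  const clientData = JSON.parse(response.clientData);
  if (clientData.origin !== site.appId || clientData.challenge !== challenge) {
    return 'wrong-origin-or-challenge';
  }
  const signed = signedBytes(site.appId, response.counter, response.clientData);
  if (!nodeCrypto.verify('sha256', signed, site.publicKey, response.signature)) return 'bad-signature';
  if (response.counter <= site.lastCounter) return 'counter-regressed';
  site.lastCounter = response.counter;
  return 'ok';
}

function demo() {
  const token = new ToyToken();
  const realOrigin = 'https://login.example';       // constructed origin
  const phishOrigin = 'https://login-example.test'; // constructed look-alike origin
  const site = { appId: realOrigin, lastCounter: 0, ...token.enroll(realOrigin) };
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const results = {};

  // Normal login on the real origin.
  const genuine = browserSign(token, realOrigin, site.keyHandle, challenge);
  results.genuine = siteVerify(site, challenge, genuine);

  // A page on another origin relays the real challenge and key handle: the token cannot unwrap it.
  results.relayedHandle = siteVerify(site, challenge,
    browserSign(token, phishOrigin, site.keyHandle, challenge));

  // The other origin enrolls the token itself: it gets a signature, but one bound to its own appId.
  const other = token.enroll(phishOrigin);
  results.phisherKey = siteVerify(site, challenge,
    browserSign(token, phishOrigin, other.keyHandle, challenge));

  // Replaying the earlier genuine response trips the counter check.
  results.replay = siteVerify(site, challenge, genuine);
  return results;
}

console.log(demo());
```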

The W3C standard for security keys is still a work in progress, but sites can use them via the FIDO API today. In Chrome you can load an implementation of that API which forwards requests to an internal extension that handles the USB communication. If you do that, then there's a Firefox extension that implements the same API by running a local binary to handle it. (Although the Firefox extension appears to stop working with Firefox 57, based on reports.)

Google, GitHub, Facebook and Dropbox (and others) all support security keys this way. If you administer a G Suite domain, you can require security keys for your users. (“G Suite” is the new name for Gmail etc on a custom domain.)

But, to get all this, you need an actual security key, and probably two of them if you want a backup. (And a backup is a good idea, especially if you plan on dropping your phone number for account recovery.) So I did a search on Amazon for “U2F security key” and bought everything on the first page of results that was under $20 and available to ship now.

Yubico Security Key

Brand: Yubico, Firmware: Yubico, Chip: NXP, Price: $17.99, Connection: USB-A

Yubico is the leader in this space and their devices are the most common. They have a number of more expensive and more capable devices that some people might be familiar with, but this one only does U2F. The sensor is capacitive so a light touch is sufficient to trigger it. You'll have no problems with this key, but it is the most expensive of the under $20 set.

Thetis U2F Security Key

Brand: Thetis, Firmware: Excelsecu, Chip: ?, Price: $13.95, Connection: USB-A

This security key is fashioned more like a USB thumb drive. The plastic inner part rotates within the outer metal shell and so the USB connector can be protected by it. The button is in the axis and is clicky, rather than capacitive, but doesn't require too much force to press. If you'll be throwing your security key in bags and worry about damaging them then perhaps this one will work well for you.

A minor nit is that the attestation certificate is signed with SHA-1. That doesn't really matter, but it suggests that the firmware writers aren't paying as much attention as one would hope. (I.e. it's a brown M&M.)

Feitian ePass

Brand: Feitian, Firmware: Feitian, Chip: NXP, Price: $16.99, Connection: USB-A, NFC

This one is very much like the Yubico, just a little fatter around the middle. Otherwise, it's also a sealed plastic body and capacitive touch sensor. The differences are a dollar and NFC support—which should let it work with Android. However, I haven't tested this feature.

I don't know what the opposite of a brown M&M is, but this security key is the only one here that has its metadata correctly registered with the FIDO Metadata Service.

U2F Zero

Brand: U2F Zero, Firmware: Conor Patrick, Chip: Atmel, Price: $8.99, Connection: USB-A

I did bend the rules a little to include this one: it wasn't immediately available when I did the main order from Amazon. But it's the only token on Amazon that has open source firmware (and hardware designs), and that was worth waiting for. It's also the cheapest of all the options here.

Sadly, I have to report that I can't quite recommend it because, in my laptop (a Chromebook Pixel), it's not thick enough to sit in the USB port correctly: Since it only has the “tongue” of a USB connector, it can move around in the port a fair bit. That's true of the other tokens too, but with the U2F Zero, unless I hold it just right, it fails to make proper contact. Since operating it requires pressing the button, it's almost unusable in my laptop.

However, it's fine with a couple of USB hubs that I have and in my desktop computer, so it might be fine for you. Depends how much you value the coolness factor of it being open-source.

KEY-ID FIDO U2F Security Key

Brand: KEY-ID, Firmware: Feitian(?), Chip: ?, Price: $12.00, Connection: USB-A

I photographed this one while plugged in in order to show the most obvious issue with this device: everyone will know when you're using it! Whenever it's plugged in, the green LED on the end is lit up and, although the saturation in the photo exaggerates the situation a little, it really is too bright. When it's waiting for a touch, it starts flashing too.

In addition, whenever I remove this from my desktop computer, the computer reboots. That suggests an electrical issue with the device itself—it's probably shorting something that shouldn't be shorted, like the USB power pin to ground, for example.

While this device is branded “KEY-ID”, I believe that the firmware is done by Feitian. There are similarities in the certificate that match the Feitian device and, if you look up the FIDO certification, you find that Feitian registered a device called “KEY-ID FIDO® U2F Security Key”. Possibly Feitian decided against putting their brand on this.

HyperFIDO Mini

Brand: HyperFIDO, Firmware: Feitian(?), Chip: ?, Price: $13.75, Connection: USB-A

By observation, this is physically identical to the KEY-ID device, save for the colour. It has the same green LED too (see above).

However, it manages to be worse. The KEY-ID device is highlighted in Amazon as a “new 2017 model”, and maybe this is an example of the older model. Not only does it cause my computer to reliably reboot when removed (I suffered to bring you this review, dear reader), it also causes all devices on a USB hub to stop working when plugged in. When plugged into my laptop it does work—as long as you hold it up in the USB socket. The only saving grace is that, when you aren't pressing it upwards, at least the green LED doesn't light up.

HyperFIDO U2F Security Key

Brand: HyperFIDO, Firmware: Feitian(?), Chip: ?, Price: $9.98, Connection: USB-A

This HyperFIDO device is plastic so avoids the electrical issues of the KEY-ID and HyperFIDO Mini, above. It also avoids having an LED that can blind small children.

However, at least on the one that I received, the plastic USB part is only just small enough to fit into a USB socket. It takes a fair bit of force to insert and remove it. Also the end cap looks like it should be symmetrical and so able to go on either way around, but it doesn't quite work when upside down.

Once inserted, pressing the button doesn't take too much force, but it's enough to make the device bend worryingly in the socket. It doesn't actually appear to be a problem, but it adds a touch of anxiety to each use. Overall, it's cheap and you'll know it.

Those are the devices that matched my initial criteria. But, sometimes, $20 isn't going to be enough I'm afraid. These are some other security keys that I've ended up with:

Yubikey 4C

Brand: Yubico, Firmware: Yubico, Chip: NXP?, Price: $50 (direct from Yubico), Connection: USB-C

If you have a laptop that only has USB-C ports then a USB-A device is useless to you. Currently your only option is the Yubikey 4C at $50 a piece. This works well enough: the “button” is capacitive and triggers when you touch either of the contacts on the sides. The visual indicator is an LED that shines through the plastic at the very end.

Note that, as a full Yubikey, it can do more than just being a security key. Yubico have a site for that.

Many people lacking USB-A ports will have a Touch Bar, which includes a fingerprint sensor and secure element. One might spy an alternative (and cheaper) solution there. GitHub have published SoftU2F which does some of that but, from what I can tell, doesn't actually store keys in the secure element yet. However, in time, there might be a good answer for this.

Yubikey Nano

Brand: Yubico, Firmware: Yubico, Chip: NXP?, Price: $50 (direct from Yubico), Connection: USB-A

Another $50 security key from Yubico, but I've included it because it's my preferred form-factor: this key is designed to sit semi-permanently inside the USB-A port. The edge is a capacitive touch sensor so you can trigger it by running your finger along it.

It does mean that you give up a USB port, but it also means that you're never rummaging around to find it.

1 public comment
57 minutes ago
For security: do nothing else before you enable U2F for at least your primary email account
Washington, DC

When the cookie meets the blockchain


Cryptocurrencies are portrayed as a more anonymous and less traceable method of payment than credit cards. So if you shop online and pay with Bitcoin or another cryptocurrency, how much privacy do you have? In a new paper, we show just how little.

Websites including shopping sites typically have dozens of third-party trackers per site. These third parties track sensitive details of payment flows, such as the items you add to your shopping cart, and their prices, regardless of how you choose to pay. Crucially, we find that many shopping sites leak enough information about your purchase to trackers that they can link it uniquely to the payment transaction on the blockchain. From there, there are well-known ways to further link that transaction to the rest of your Bitcoin wallet addresses. You can protect yourself by using browser extensions such as Adblock Plus and uBlock Origin, and by using Bitcoin anonymity techniques like CoinJoin. These measures help, but we find that linkages are still possible.


An illustration of the full scope of our attack. Consider three websites that happen to have the same embedded tracker. Alice makes purchases and pays with Bitcoin on the first two sites, and logs in on the third. Merchant A leaks a QR code of the transaction’s Bitcoin address to the tracker, merchant B leaks a purchase amount, and merchant C leaks Alice’s PII. Such leaks are commonplace today, and usually intentional. The tracker links these three purchases based on Alice’s browser cookie. Further, the tracker obtains enough information to uniquely (or near-uniquely) identify coins on the Bitcoin blockchain that correspond to the two purchases. However, Alice took the precaution of putting her bitcoins through CoinJoin before making purchases. Thus, either transaction individually could not have been traced back to Alice’s wallet, but there is only one wallet that participated in both CoinJoins, and is hence revealed to be Alice’s.


Using the privacy measurement tool OpenWPM, we analyzed 130 e-commerce sites that accept Bitcoin payments, and found that 53 of these sites leak transaction details to trackers. Many, but not all, of these leaks are by design, to enable advertising and analytics. Further, 49 sites leak personal identifiers to trackers: names, emails, usernames, and so on. This combination means that trackers can link real-world identities to Bitcoin addresses. To be clear, all of this leaked data is sitting in the logs of dozens of tracking companies, and the linkages can be done retroactively using past purchase data.

On a subset of these sites, we made real purchases using bitcoins that we first “mixed” using the CoinJoin anonymity technique.[1] We found that a tracker that observed two of our purchases — a common occurrence — would be able to identify our Bitcoin wallet 80% of the time. In our paper, we present the full details of our attack as well as a thorough analysis of its effectiveness.

Our findings are a reminder that systems without provable privacy properties may have unexpected information leaks and lurking privacy breaches. When multiple such systems interact, the leaks can be even more subtle. Anonymity in cryptocurrencies seems especially tricky, because it inherits the worst of both data anonymization (sensitive data must be publicly and permanently stored on the blockchain) and anonymous communication (privacy depends on subtle interactions arising from the behavior of users and applications).

[1] In this experiment we used 1–2 rounds of mixing. We provide evidence in the paper that while a higher mixing depth decreases the effectiveness of the attack, it doesn’t defeat it. There’s room for a more careful study of the tradeoffs here.


Places in Civil War History: Aerial Reconnaissance and Map Marketing


This is part of a series of guest posts from Ed Redmond, Cartographic Specialist in the Library of Congress, Geography and Map Division, documenting the cartographic history of maps related to the American Civil War, 1861-1865. The posts will appear on a regular basis.

Aerial reconnaissance was first used in 1861 by the War Department using balloons tethered to the ground. Early balloon observers were civilian employees of the Army, sometimes referred to as “Aeronauts,” who ascended in baskets attached to the balloons to survey battlefields, make troop observations, and prepare maps based on those observations.

The following is a report from Union Aeronaut John La Mountaine forwarded to General Benjamin F. Butler concerning two balloon ascensions made near Hampton Roads, Virginia:

I have the honor to report that on the 11th of August I made two ascensions in which I attained an altitude of 8,872 feet and made observations as follows, about five or six miles north west from Hampton I discovered an encampment of the enemy but owing to the misty state of the Atmosphere caused by the recent rain I was unable to form a correct idea of their numerical force, but I would judge from four to five thousand. There were no vessels or encampments of any kind either on York or Back Rivers or at New Market Bridge…On the left bank of the James River about eight or nine miles from Newport News is a large encampment of the enemy from 150 to 200 tents, also an encampment in the rear of the Pig Point batteries of some 40 to 50 tents. At Norfolk, two large ships of war are lying at anchor in the stream one of which appeared ready for sea with sails ready…I illustrate what I saw by the accompanying hasty diagram…With respect, John La Mountaine, Aeronaut

John La Mountain's report on his aerial reconnaissance operation, including letter to General Butler and map produced from operation.

“Aerial reconnaissance, August 10th, 1861 : [Sewells Point, Virginia]” John La Mountain, 1861. Geography and Map Division, Library of Congress.

While John La Mountaine’s aerial reconnaissance work was an innovative approach to wartime mapmaking, many of the maps used for military intelligence at the time were instead existing cartographic materials applied to new purposes. Among the most prolific commercial publishers of these kinds of maps during the Civil War was Northerner James T. Lloyd.

On August 19, 1861, the Confederate government voted to allow the state of Missouri into the Confederacy. For a brief time, the state of Missouri had, essentially, both a Confederate government and Union government. There were several skirmishes fought in the state in the late summer of 1861 but, for the most part, the major actions took place elsewhere. Lloyd did not, however, ignore the potential map market in the West, including Missouri. On his 1861 Map of Missouri, Lloyd prominently advertised his “Great Military Map of the Fifteen Southern States” which “cost over $5,000, [and] Sells for only 50cts.” He further describes the map as the “the only map deemed contraband by the Secretary of War and is prohibited from being sent South for their use.”

James T. Lloyd's map of Missouri, 1861.

“Lloyd’s Official Map of Missouri.” James T. Lloyd, 1861. Geography and Map Division, Library of Congress.

In addition to advertising, Lloyd freely used the work of others. In 1861, Lloyd published his “Lloyd’s official map of the state of Virginia from actual surveys by order of the Executive 1828 & 1859.” In fact, this map was based on Hermann Böÿe’s 1825 nine sheet map of the state of Virginia revised and reduced by Lewis von Buchholtz in 1859.

James T. Lloyd's official map of the state of Virginia, 1861.

“Lloyd’s Official Map of the State of Virginia” James T. Lloyd, 1861. Geography and Map Division, Library of Congress.

Herman Böÿe's 1959 map of Virginia.

“A map of the state of Virginia, constructed in conformity to law from the late surveys authorized by the legislature and other original and authentic documents.” Herman Böÿe, 1859. Geography and Map Division, Library of Congress.


Most companies getting Obamacare birth control waivers aren't religious groups


Forty-five companies have received exemptions from the Affordable Care Act’s birth control mandate, new public documents show, and most of them aren’t religious nonprofits.

The majority of companies that have received permission not to cover contraceptives are for-profit, secular employers. These businesses include a lumber company in Pennsylvania, a Georgia-based construction firm, and an apartment rental company in Tampa, Florida.

The Affordable Care Act requires nearly all employers to offer health insurance that covers access to a wide array of contraceptive methods. Religious houses of worship are exempted from the mandate entirely, and certain employers can apply for exemptions. This includes religiously affiliated charities and hospitals and “closely held” private businesses that believe paying for contraceptives would violate their religious or moral beliefs.

The Trump administration has privately circulated regulations that would expand this exemption significantly. Women’s health advocacy groups expect the White House to release a public version of that regulation later this month.

Data on the companies receiving exemptions from the Affordable Care Act’s birth control mandate was obtained with a Freedom of Information Act request and provided to Vox by the Center for American Progress, a liberal think tank.

It shows that many of the employers seeking these waivers are not religiously affiliated. Of the 45 companies that have applied for and received exemptions so far, 24 were for-profit corporations, 12 were religiously affiliated nonprofits, and nine were religiously affiliated education institutions.

Obamacare requires nearly all insurance plans to cover birth control — a provision protested by religious employers

The birth control mandate is one of eight women's preventive health benefits that the Affordable Care Act requires health plans to provide without any cost to the patient. Other required benefits include breastfeeding equipment, HPV testing, and domestic violence screenings.

Obamacare directed the Institute of Medicine, an independent, congressionally chartered body, to define what medical services should be included as women's preventive health benefits. The health care law did not include a specific list of services.

The IOM's decision to include birth control as a preventive benefit set off a fierce political fight, with religious business owners, hospitals, and universities protesting the requirement to cover particular types of contraceptives, particularly intrauterine devices and emergency contraceptives.

Religious houses of worship were the only employers exempted from the mandate entirely. The Obama White House gave some relief to religiously affiliated hospitals and universities. The Supreme Court expanded the scope of that relief in Burwell v. Hobby Lobby, ruling 5-4 that it would allow “closely held” private businesses to also exclude birth control from their insurance plans if coverage would violate their religious beliefs.

The companies represented in this FOIA request data are those that have applied for these types of exemptions between January 2014 and March 2016.

The list includes some of the plaintiffs that have challenged the birth control mandate in court, like Conestoga Wood Specialties, a cabinetry-making company in Pennsylvania that sued the government over the birth control mandate in 2014.

But it also includes other companies from across the country and in different industries. Firms that specialize in human resources, industrial machinery, and wholesale trade have all applied for and received exemptions.

The Trump administration has mulled broadening the exemptions to a wider group of employers

The Trump administration has weighed expanding the exemption to allow any employer to request an exemption based on moral or religious objections.

In May, Dylan Scott and I obtained a draft copy of a regulation that would widen the exemption to apply to any company — from small, family-owned businesses to large, publicly traded corporations. These employers could cite any religious or moral reason for their exemption.

The regulation still has not been released publicly, although women’s health advocacy groups are expecting the administration to propose it later this month.

In the draft, the Trump administration cited protecting religious liberty as well as the situation left unresolved by the Obama administration as reasons for issuing this new regulation with a wider exemption.

“Expanding the exemption removes religious and moral obstacles that entities and certain individuals may face who otherwise wish to participate in the healthcare market,” the administration stated in the rule, explaining its decision.

Employers seeking an exemption would not be required to notify the government, under the draft rule, though they would have to make clear in their health plan documents that they do not cover contraception and would be required to notify their employees of any change in benefits.

The rule, as drafted, would also allow health insurers to refuse to cover contraception for religious or moral reasons, though the administration noted it was not aware of any health insurers that have those objections. It would also allow individuals to object to participating in a health plan that covers birth control.

As the Trump administration itself notes, workers whose employers request an exemption from the mandate are no longer entitled to free birth control. They would potentially have to cover the cost themselves.

The Center for American Progress argues that the current pattern of exemptions suggests that if the Trump administration enacted this rule, it would lead to many larger secular firms seeking exemptions and placing a greater financial burden on women.

“Largely, the requests have been filed by for-profit companies,” said Jamila Taylor, a senior fellow at CAP, “suggesting that Trump’s new rule will open up the floodgates for nearly anyone to force women to either pay out of pocket or navigate hurdles to obtaining additional coverage for contraception — the most effective types of which can be over $1,000 out of pocket — and simply chalk it up to moral opposition.”

More than 20 percent of US women of childbearing age had to pay out of pocket for oral contraceptives prior to the Obamacare mandate, according to the Kaiser Family Foundation. That shrank to less than 4 percent a few years after the mandate took effect.

If employers seek an immediate exemption from the mandate, they would be required to send a notice to their employees. If they instead choose to make the change at the start of their next plan year, employees would be notified through the usual summary of benefit changes that plans are required to provide.

1 public comment
15 hours ago
Why is this not a convenient boycott list?
Washington, DC

When Jack Daniel’s Failed to Honor a Slave, an Author Rewrote History


The company had intended to recognize Green’s role as master distiller last year as part of its 150th anniversary celebration, Mr. McCallum said, but decided to put off any changes amid the racially charged run-up to the 2016 election. “I thought we would be accused of making a big deal about it for commercial gain,” he said.

It didn’t help that many people misunderstood the history, assuming that Daniel had owned Green and stolen his recipe. In fact, Daniel never owned slaves and spoke openly about Green’s role as his mentor.

And so the company’s plans went back on the shelf, and might have stayed there had Fawn Weaver not come along.

The daughter of Frank Wilson, the Motown Records songwriter who co-wrote “Love Child” and “Castles in the Sand” before becoming a minister in Los Angeles, Ms. Weaver began her career as a restaurant and real estate entrepreneur. She wrote the 2014 best seller “Happy Wives Club: One Woman’s Worldwide Search for the Secrets of a Great Marriage.”

As she tells it, she was looking for a new project when she picked up that newspaper in Singapore.

“My wife often thinks and acts as a single activity,” said her husband, Keith Weaver, an executive vice president at Sony Pictures. “As her husband, I knew, ‘Here we go again.’”

What was meant to be a quick trip to Lynchburg turned into a monthslong residency, as Ms. Weaver discovered an unwritten history, hidden in forgotten archives, vacant land and the collective memory of the town’s black residents.

Through dozens of conversations, local people, many of whom worked or still work for Jack Daniel’s, told her about learning Green’s story from their parents and grandparents, holding it as fact even as the company kept silent.

“It’s something my grandmother always told us,” said Debbie Ann Eady-Staples, a descendant of Green who lives in Lynchburg and has worked for the distillery for nearly 40 years. “We knew it in our family, even if it didn’t come from the company.”

Nothing stays quiet in Lynchburg (population 6,319) for long, especially when it involves the biggest employer in town, and by late March Ms. Weaver was meeting with Mr. McCallum, the brand president, in the makeshift office she had set up in a run-down house on her newly acquired farm.

With a sampling of her estimated 10,000 documents and artifacts spread across a table between them, it quickly became obvious that Ms. Weaver, who had no previous background in whiskey history, knew more about the origins of Jack Daniel’s than the company itself. What was supposed to be a preliminary meeting turned into a six-hour conversation.

Mr. McCallum says he left reinvigorated, and within a few weeks he had plans in place to put Green at the center of the Jack Daniel’s story line. In a May meeting with 100 distillery employees, including several of Green’s descendants, he outlined how the company would incorporate Green into the official history, and that month the company began training its two dozen tour guides.

At one point Jack Daniel’s proposed adding a Nearest Green bottle to its “Master Distiller” series, a limited-edition run of bottles that celebrate its former master distillers, but dropped the idea over concerns from inside and outside the company about appearing to cash in on Green’s name.

Instead, Ms. Weaver has released her own whiskey, Uncle Nearest 1856, which she bought in bulk from another distillery. She is planning to produce a second, unaged spirit, made according to her specifications, which she says will mimic the style of whiskey that Green and Daniel probably made.

Jack Daniel’s seems unfazed, for now, by the use of Green’s name on someone else’s liquor. “We applaud Ms. Weaver for her efforts to achieve a similar goal with the launch of this new product,” a Brown-Forman spokesman said.

Ms. Eady-Staples, who met privately with Mr. McCallum before the big meeting, said she was proud that her employer was finally doing the right thing. “I don’t blame Brown-Forman for not acting earlier, because they didn’t know,” she said. “Once they did, they jumped on it.”

And although there is no known photograph of Green, the company placed a photo of Daniel seated next to an unidentified black man — he may be Green or one of his sons who also worked for the distillery — on its wall of master distillers, a sort of corporate hall of fame.

“We want to get across that Nearest Green was a mentor to Jack,” said Steve May, who runs the distillery’s visitors center and tours. “We have five different tour scripts, and each one incorporates Nearest. I worked some long days to get those ready.”

Mr. May said that so far, visitor response to the new tours spotlighting Green’s contribution has been positive. It’s not hard to see why: At a rough time for race relations in America, the relationship between Daniel and Green allows Brown-Forman to tell a positive story, while also pioneering an overdue conversation about the unacknowledged role that black people, as slaves and later as free men, played in the evolution of American whiskey.

For her part, Ms. Weaver isn’t finished with her search for Green — and may never be.

“I’ve lost track of him after 1884,” the year when Jack Daniel moved his distillery to its current location, and Green disappeared from the fledgling company’s records, she said. She is still hoping to find Green’s gravesite, and has recently been traveling to St. Louis to meet with a branch of the family there.

“I could be doing this the rest of my life,” she said.

Craft beer names, invented by neural network


With over 4,000 craft breweries in the United States alone, people are having trouble finding unique names for their beers. That’s a problem, because when two breweries accidentally use the same name, it results in potential confusion at best and at worst, a legal battle. Litigation over craft beer trademarks is noticeably on the rise.

I decided to find out whether a neural network can help.

A neural network is a type of computer program that, among its many talents, can learn to imitate datasets just by looking at enough examples. I’ve used them to name kittens, metal bands, Pokemon, paint colors, and more.

I knew I wanted to train the neural network separately for different kinds of beers. Different categories of beers have their own distinct naming conventions; in theory, you should roughly be able to tell a stout from an IPA from a double IPA by the name alone. 

Ryan Mandelbaum of Gizmodo sparked this project by putting me in touch with Andy Haraldson, who very generously provided me with a huge dataset of hundreds of thousands of beer names that he extracted from There were over 90 types of beer in the full dataset (for example, black ales, belgian dark ales, euro dark lagers, schwarzbier, dark wheat ales, and english mild dark ales). To make the task manageable (and to combine a few datasets that only had a few hundred unique names) Eva Gulotty sorted them into broader groups. And then I set the neural network to work on each category.

It worked. The neural network produced unique names that were plausible, or weirdly awesome, or so outlandish that they sounded like the sort of beer you could only buy after a multi-day scavenger hunt involving hang gliding, codebreaking, and Fairbanks, Alaska.

I give you: craft beer names, invented by neural network.


Dang River
Earth Dock IPA
Bigly Bomb Session IPA
Binglezard Flack
Jain Is The Dog
Earth 2 Sanebus
Tower Of Ergelon
Toe Deal
Juicy Dripple IPA
Flying Rocks IPA
Yall In Wool
Earth Pump
Heaven Cat
Heart Compost
Wicked Geee
Text 5 Of The IPA
Cockamarin Hard IPA
Test Tha IPA
Widee Banger Fripper IPA
Oarahe Momnila Day Revenge Bass Cornationn Yerve Of Aterid Ale

Strong Pale Ales (Doubles, Triples, etc)

The Great Rebelgion
Trippel Lock
Thick Back
The Fraggerbar
Third Maus
Sip’s The Stunks Belgian Tripel
Third Danger
Track Of The Wind
Devil’s Chard
Spore Of Gold
The Actoompe
Brother Panty Tripel
The Oldumbrett’s Ring
The Vunker The Finger
Gunder Of Traz
Cherry Boof Cornester
Strange Fast
Humple La Bobstore Barrel Aged
Thrennt Rem Wine Barrel Aged Monkay Tripel

Amber Ales

Snarging Red
Warmel Halce’s Comput Ale
Fire Pipe
La Cat Tas Oo Ma Ale
Ole Blood Whisk
Frog Trail Ale
Ricias Donkey Brain
Sacky Rover
Gate Rooster
O'Busty Irish Red
Helusto’s Humpin’ Red
The Hunty
Rickin Organic Red Deaath
River Smush Hoppy Amber Ale
Rivernillion Amber
Special North Wish Leifstic Imperial Red
Ambre O Woo’s Omella Imperial Red Ale


I The Moon
The Bopberry Stout
Cherry Coconut Mint Chocolate Stout
Black Morning
Sir Coffee
Shock State
Take Bean
Single Horde
Whata Stout
Shany Lace
Black Sink Stout
Barrel Aged Chocolate Milksmoke
Morning Dave - Vanilla Coffee Stout
Dark Thomblan
Jrankers Java Stout
Spulgican’s Chocolate Coconut Pamper
Cherry Trout Stout
Bold Oot Stout
Pimperdiginistic The Blacksmith W/ Cherry Stout

Want more beer names? Want worse beer names? I had so many names that I couldn’t fit them all in this post. Sign up here and I’ll email you a pdf of about 100 more beer names. For these names I turned the neural network’s creativity variable higher and got results that can be described mainly as … interesting. And of course, there’s the inevitable beer named Fart. (It’s a stout. Of course it’s a stout.) 

(Beer label templates from

1 day ago
Pint of Oldumbrett’s Ring and a shot of paint thinner, please.
7 hours ago
Washington, DC