You are currently browsing the monthly archive for July 2010.

Per previous posts, I am making some free software available here (although it’s somewhat niche): A Mac OS X Distributed Objects server for the Neurosky brain wave reading Mindset and a Quartz Composer plug-in client for the server. (If you have neither OS X nor the Mindset, you might want to wait for a future post where I talk more about how the brain wave art project is coming.)

This post will also serve as a brief introduction to what it would take for you to write your own Cocoa client for the server. But, If you just want the software, you can get it here:


  • To install the client for Quartz Composer, close QC and copy the .plugin file to: “/Library/Graphics/Quartz Composer Plugins”. When you next open QC, you should find it in your Patch Library listed as “MindSetQCClient”.  Usage of the patch should be obvious,
  • The server shouldn’t need to start first as long as the client periodically checks for a vended object, but when troubleshooting it’s probably a good idea to start the server, then the client.
  • The server needs the Thinkgear bundle in same directory as the server app. (I’m not including the Thinkgear bundle, it’s available from the Neurosky website for free as part of their developer stuff.
  • Neurosky documentation has instructions for how to figure out what serial port your mindset is on, iirc.  The default for the server is the one I use.
  • I’ve borrowed so heavily from a hodge-podge of tutorials and examples, that I’m not going to include a license for the code. Use it as you will.


So, onward to the tutorial/implementation details:


Distributed Object Mindset Server and Client

This server is intended to be a little easier to use than some of the connection methods Neurosky provides (at least in my mind). It grabs data from the Mindset and provides it to Cocoa client applications (such as my Quartz Composer plug-in) by using Objective-C / Cocoa’s Distributed Objects interprocess messaging capability.

To access the Mindset data, the client must create an NSConnection to “JacksMindsetServer”. This gives it access to a vended object which supports the following very simple protocol (this protocol will have to be included in your client header file):

@protocol PassingMindData

-(int) getDataCount;

-(NSArray *)getOldestData;



Creating the connection to the vended object which uses that protocol is simple and requires only a short bit of code:

if (!sharedObject)


NSString *_host = nil;

sharedObject = (id <PassingMindData>)[[NSConnection rootProxyForConnectionWithRegisteredName:@”JacksMindsetServer” host:_host] retain];


You should now have an object called “sharedObject” which allows all of the methods specified by the “PassingMindData” protocol created above and which will pass the data from the mindset server to your code. To do so, the primary method is “getOldestData”. Calling this method will return an array of the oldest line of values from the Mindset and getDataCount returns the number of lines currently queued.

The returned array contains ordered NSNumbers representing each type of value available from the mindset. The array elements can always be accessed in the following order:

  • Attention (0)
  • Meditation (1)
  • Raw (2)
  • Delta (3)
  • Theta (4)
  • Alpha1 (5)
  • Alpha2 (6)
  • Beta1 (7)
  • Beta2 (8)
  • Gamma (9)
  • Gamma2 (10)
  • SignalQuality (11)

The client is left to access these elements as it pleases from the NSArray object returned by getOldestData. The server also relies on the client to remove the original data from the server as soon as it grabs it by calling “removeOldestData” on “sharedObject”.  (If the client does not call this, there is no auto-cleanup by the server until it’s stopped or exits and the client will not be able to access new data.)

If multiple lines of data are queued, getOldestData and removeOldestData should be executed repeatedly. A simple example would be:

if ([sharedObject getDataCount] > 0)


mindDataLine = [NSArray arrayWithArray:[sharedObject getOldestData]];

[self setOutputAttention:[[mindDataLine objectAtIndex:0] doubleValue]];

[sharedObject removeOldestData];


That’s really it.  How to write a server is out of the scope of this post, but Neurosky has some great documentation and have provided examples from which I have –heavily–  borrowed.

Let me know if you have questions or need further explanation. I’m going to continue to work on the art project with this stuff and will post more about that later.

Longer, more detailed post to follow – with free code and everything – but I wanted to post a video of art being made with my brainwaves:

In this demo (which is a significant step further than my last), my project selects between a series of images, merges them, moves them, and adds various visual effects based only on input from my brain waves (as measured by a Neurosky Mindset). All images – both drawings and photos – were made by me.  Depending on when I run this, the images selected and how they’re merged vary significantly. In this case, only a small subset were selected. Other times, there is a wider variety. It’s important to note that often, this has created pairings and mergings that are fantastically cool looking.  The Next step, creating a self portrait video of me sleeping with a curved screen over top of me projecting what my mind does with this while I sleep.

So, with what is quite interesting timing, (and thanks, in no small part to Twitter), I just found out a couple of days ago that I’ll be giving a talk at EnergySec This year.  The tentative title is: “A Technologist’s Admission of Inadequacy: The executive’s role in National Cyber Security”.
I’d really like to use this opportunity as a platform for some of my concerns, as a technologist, about how we’re treating cyber security as a technical problem – at an operational level, at a strategic business level, and at a legislative level. I’ve touched on these concerns before in this blog, but I’m really excited about the chance to do it in person in front of a lot of other smart people who are actively working cyber security problems.

Thinking out loud, I wrote this earlier:

One of my interests, part of my future role, and with a perspective grounded in building/designing ways to detect badness / working on ICS-CERT, is in combating our habit of defining security in technical terms or on relying on technologists to “fix it”without ever defining what “it” is.  A secure system is one that does no more and no less than the people who have ownership and stake in it wish it to do- and that’s a business rule/decision/appetite.  As a technologist, if you ask me to secure your systems and let me define what that means, I’ll fail.  (ie: There is no “evil” flag in TCP). I’d like to make a plea for organizations to define security through risks to interrelated cross-sector business and social requirements (and associated appetites) before spending so much effort to create technical security plans, standards, controls, laws. An army without a defined mission can be potent just based on size and power, but one that has a mission and defined goals is much, much better.

I’m sure I’ll evolve what I actually want to say between now and September, but that’s where my head is now.

Well, I’ve been waiting awhile to be able to write this (see future post).  Finally, I can:

It’s always interesting dealing with the somewhat schizophrenic nature of government messaging.  While I understand the constraints, the risks, and the realities of trying to run a free-for-the-private sector service that actually DOES something in the government, it was always a little disheartening to hear (or read) people suggest that the government wasn’t doing anything for some of our cyber security problems, that it didnt have the services available, or “Well, I heard DHS started ICS-CERT, but I think they shut it down?” And, with the media so often just not getting it – and people so often not doing basic research – this happened more frequently than it should.  So, now that I’m in the role of customer here (and not on the floor there), I can finally say:

If you’re an asset owner, a vendor, a service provider, a customer, or otherwise a stakeholder in private sector or government critical infrastructure / key resources, you should be aware of CSSP and ICS-CERT (ICS-CERT has been functioning, in its current form, since earlier this year).

To start with: The Control Systems Security Program (CSSP) is an offering out of Homeland Security which:

“attempts to…reduce industrial control system risks within and across all critical infrastructure and key resource sectors by coordinating efforts among federal, state, local, and tribal governments, as well as industrial control systems owners, operators and vendors. The CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk-mitigation activities.”

This includes providing a FREE cyber security assessment tool, onsite assessment visits, and the well-run Industrial Control Systems Joint Working Group (ICSJWG) and its associated conferences. CSSP also provides a variety of free-training in Control Systems Security, both locally in DC as well as, for it’s hands-on Red/Blue Team training,  in Idaho Falls.

Then, providing a tactical operational arm to the more strategic CSSP, ICS-CERT is a fully functioning free CERT service for your CIKR organizations. ICS-CERT will, as part of its mission:

  1. Provide onsite fly-away technical incident response
  2. Perform digital media analysis on media potentially affected by an incident
  3. Coordinate the responsible release of vulnerabilities (involving third party researchers, vendors, etc.)
  4. Provide timely situational awareness
  5. Coordinate national response, via its seats in the National Cybersecurity Communications and Integration Center (NCCIC), with US-CERT, NCC, Law Enforcement, and other organizations.

All you have to do, basically, is ask.  They’ve assisted, during my tenure, quite a few organizations – large and small – and continue to do so.

(Importantly, ICS-CERT has neither a law-enforcement NOR a regulatory function. Their mission is to assist you in defending yourselves and responding to incidents. Your data is, and remains, yours, in any interaction with them. )

And you thought the government doesn’t do anything for cyber security :)

To contact ICS-CERT:

  • Call the ICS-CERT Watch Floor: 1-877-776-7585
  • Email regarding ICS related cyber activity:

Their website is:

Follow me on Twitter

My Art / Misc. Photo Stream

phoenixhike - 4

phoenixhike - 3

phoenixhike - 2

phoenixhike - 1

phoenixhike - 7

More Photos