vttoth

I am a software developer and author of computer books. I also work on some problems in theoretical physics. For more information, please visit my personal Web site at http://www.vttoth.com/.

Jan 13, 2015

The Moroccan-born, Muslim mayor of the city of Rotterdam, Ahmed Aboutaleb, has a message to Muslim extremists:

“But if you don’t like freedom, for heaven’s sake pack your bags and leave. If you do not like it here because some humorists you don’t like are making a newspaper, may I then say you can fuck off.”

He reportedly said this on live TV, and it wasn’t bleeped.

Thank you, Mr. Mayor.

Posted by at 1:47 pm

Jan 12, 2015

The cover art of the upcoming issue of Charlie Hebdo has been leaked. Unlike many of their cartoons that were deliberately gross and provocative, this one depicts a grieving Mohammed:

I have a suspicion (make it a hope) that even among Muslims, few will find this cover offensive, especially in light of last week’s events.

But even if I am wrong… I said it before and I will be saying it again: as a citizen of a liberal democracy, it is my fundamental right to ridicule other people’s beliefs. At the same time, it is my fundamental duty to defend, risking life and limb if it comes to that, the rights of other people to believe, no matter how ridiculous those beliefs appear to me. After all, Ahmed Merabet, the Muslim policeman who was first at the Charlie Hebdo scene, died defending the magazine’s right to ridicule his beliefs.

Posted by at 6:27 pm

Jan 11, 2015

OK, these pictures from Paris are starting to look amazing:

I guess this is not exactly what the murderers at Charlie Hebdo hoped to accomplish: a rally bringing together a million people or more, along with world leaders like Netanyahu and Abbas, marching together.

It gives me hope that despite the best efforts of Islamists and Islamophobes alike, the world may remain sane, at least for the time being.

Posted by at 10:07 am

Jan 7, 2015

For years, I’ve been using the online TV guide provided by ZAP2IT to check what’s on TV. Generally speaking, I’ve been satisfied with their service.

Until last year, when they introduced a whole new layout. Which, in my considered opinion, was a significant downgrade (makes me wonder if they were perhaps inspired by Windows 8).

Today I noticed, to my considerable pleasure, that the old layout is back. I now have the option to “Switch to Classic View”. Which I promptly did, without hesitation and with no plans to change my mind.

Now I am no usability or ergonomics expert, but I do have 30-odd years of experience in IT, and I know a thing or two about user interface design. Here are two illustrations that show why, in my considered opinion, the old format is far superior to the new one. First, the new version, with some of its shortcomings highlighted:

And now here are the same shows, in the old format:

So much easier to view! So much easier to find things of interest!

When they switched to the new format, I wrote an e-mail to complain. I did not expect a meaningful response. Noticing the link today, inviting me to switch back to the old format, was a most pleasant New Year’s surprise. I wrote to them again, thanking them for making the old format available. I hope it stays that way.

I know, I know, let this be the biggest problem in my life, when people are suffering and dying in various corners of the world. For what it’s worth, I never for one moment forget how lucky I am to be able to enjoy the luxury of life in a country like Canada. But this stupid TV guide still bugged me :-)

Posted by at 9:17 pm

Jan 7, 2015

Cartoonists are frustrated. Muslims are frustrated. A collection of fresh cartoons express the frustration of a world, hijacked today by extremism. Here are two that illustrate these feelings most profoundly.

This drawing by Sudanese political cartoonist Khalid Albaih from Doha, Qatar depicts how many Muslims must feel today:

And the anger of cartoonists (and journalists and, well, free people) around the world is captured by Manjul, Chief Cartoonist at the Mumbai-headquartered Daily News and Analysis:

Thank you and all other cartoonists for not letting yourselves be intimidated by murderers. I just hope that the rest of us have the courage not to blame all Muslims for the crimes of a demented few.

Kind of funny, by the way, in the wake of the SONY/The Interview farce how there is a common theme between religious zealots and atheist despots: they both hate humor and freedom of expression.

Posted by at 7:16 pm

Jan 7, 2015

Today, the Web site of the French satirical magazine Charlie Hebdo features only the words, JE SUIS CHARLIE, which link to a single PDF file containing seven images:

It expresses the way I feel better than any words I could come up with on my own.

Posted by at 12:17 pm

Jan 4, 2015

Courtesy of a two-part article (part 1 and part 2, in Hungarian) in the Hungarian satirical-liberal magazine Magyar Narancs (Hungarian Orange), I now have a much better idea of what happened at Hungary’s sole nuclear generating station, the Paks Nuclear Power Plant, in 2003. It was the most serious nuclear incident to date in Hungary (the only INES level 3 incident in the country).

At the root of the incident is a characteristic issue with these types of Soviet era nuclear reactors leading to magnetite contamination of the fuel elements and control rods. To deal with this contamination and prolong the life of fuel elements, cleaning ponds are installed next to the reactor blocks, where under roughly 30 feet of water, in a specially designed cleaning tank, fuel bundles can be cleaned.

As the problem of contamination became increasingly acute, the power plant ordered a new type of cleaning tank. On April 10, 2003, this cleaning tank was used for the first time on fuel bundles that were freshly removed from the reactor. The cleaning of the fuel bundles was completed successfully by 5 PM; however, the crane that was supposed to return the fuel bundle to the reactor was being used for another task and was not going to be available before midnight. The situation was complicated by language issues, as the technicians attending the new cleaning tank were from Germany and could not speak Hungarian. Nonetheless, the German crew assured the plant’s management that the delay would not represent a problem and that cooling of the fuel bundle inside the cleaning tank was adequate.

Shortly before 10 PM, an alarm system detected increased radiation and noble gas levels in the hall housing the cleaning pond. Acting upon the suspicion that a fuel rod assembly was leaking (the German crew suggested that the fuel bundles may have been incorrectly placed in the cleaning tank), the crew proceeded with a plan to open the cleaning tank. When the lid of the cleaning vessel was unlocked, a large steam bubble was released, and radiation levels spiked. The crane operator received significant radioactive contamination on his face and arms. The hall was immediately evacuated and its ventilation system was turned on. However, as the system had no adequate filtering installed (despite a regulation that six years prior had mandated its installation), some radiation was released into the environment.

As it turns out, the culprit was the new type of cleaning tank. A model that, incidentally, was approved using an expedited process, due to the urgency of the situation at the power plant. The fact that the supplier was a proven entity also contributed to a degree of complacency.

Both the new and the old tank had a built-in pump that circulated water and kept the fuel bundle cool. However, in the old tank, the water inlet was at the bottom, whereas the outlet was near the top. This was not the case in the new tank: both inlet and outlet were located at the bottom, which allowed the formation of steam inside the cleaning vessel near the top. Combined with the lack of instrumentation, and considering that the fuel bundle released as much as 350 kW of heat, this was a disaster in the making.

And that is exactly what happened: due to the delay with the crane, there was enough time for the heat from the fuel bundle to cause most of the water inside the vessel to turn into steam, and the fuel elements heated to 1,000 degrees Centigrade. This caused their insulation to crack, which led to the initial detection of increased radiation levels. When the cleaning tank’s lid was opened, a large bubble of steam was released, while cold water rushed in causing a minor steam explosion and breaking up the fuel elements inside, contaminating the entire pond.

It took another ten years before the last remaining pieces of broken-up fuel elements were removed from the power plant, taken by train through Ukraine to a reprocessing plant in Russia. The total cost of the incident was in the $100 million range.

As nuclear incidents go, Paks was by no means among the scariest: after all, no lives were lost, there was only one person somewhat contaminated, and there was negligible environmental damage. This was no Chernobyl, Fukushima or Three Mile Island. There was some economic fallout, as this reactor block remained inoperative for about a year, but that was it.

Nonetheless, this incident is yet another example of how inattention by regulatory agencies, carelessness, or failure to adhere to regulations can lead to catastrophic accidents. Despite its reputation, nuclear power remains one of the safest (and cleanest!) ways to generate electricity but, as engineers are fond of saying, there are no safeguards against human stupidity.

Posted by at 4:25 pm

Jan 1, 2015

2014 was not necessarily my favorite year. But it could have been worse.

I had some interesting projects. I traveled to places that I have never been to. We lost a beloved cat, but then we were adopted by another. The world became a somewhat scarier place, but so far, it’s still holding together. And we’re alive, in good health.

What do I expect from 2015?

I have some project concepts. As I still have to work for a living, I hope some of them will work out. I have some research ideas. I hope I will have more time this year to work on physics. As for the world, hopefully sanity will prevail. In 2014, we celebrated the 100th anniversary of the Great War (to end all wars) in relative peace and prosperity. Hopefully, we will be able to celebrate the 100th anniversary of the Armistice the same way in 2018.

These year numbers, by the way… I will never be able to shake off the feeling that they are surreal. When I was growing up, “1999” was the year of Moonbase Alpha. “The Year 2000” was synonymous with the distant future. “2001” was about a Space Odyssey. Then there was “2010”, the Second Odyssey, but that’s about it… beyond 2010, it was all vague, a future as distant as the days of the dinosaurs in the past.

And yet, it’s 2015. Weird.

Posted by at 11:27 pm

Dec 30, 2014

German author Jürgen Todenhöfer recently returned from an incredible visit to the Islamic State.

His experiences and his conclusions are sobering. He believes that the threat represented by ISIS (which he considers a legacy of George W. Bush’s illegal war in Iraq) and the strength of the Islamic State are greatly underestimated. He also believes (and I tend to agree) that ISIS cannot be defeated by bombs; that unless a viable, credible alternative is offered to the Sunni population, ISIS will prevail.

I disagree with his conclusion, though, that ISIS is the greatest threat to world peace. It is a threat, to be sure, but apart from random attacks by ISIS sympathizers (which, thankfully, are few and far between) I don’t think ISIS represents a serious security challenge to the West. If I went looking for the greatest threat to world peace, I’d be more concerned about a potential conflict between nuclear-armed adversaries in Asia, or about a Putin presiding over a failed Russian oil state, whining to the world that because he has so many nukes, he must be taken seriously and be treated with more respect.

Posted by at 10:01 am

Dec 27, 2014

It appears that an Indonesian AirAsia flight with over 160 souls on board vanished a few hours ago.

Here is the last track of the flight from flightradar24.com:

I don’t know if the tracking ended because the flight vanished at that point, or perhaps it just flew out of range of ground-based facilities and had no appropriate satellite service subscription like ADS-B. I guess we shall find out in the coming hours or days.

Posted by at 11:19 pm

Dec 26, 2014

So tonight, my wife and I watched the infamous movie, The Interview, for the princely sum of 7 Canadian dollars, courtesy of YouTube.

Chances are that without the SONY hack and the subsequent decision to pull the film from theaters, we would never have seen it. To be honest, it is a rather crappy movie. And I chose that word with care, as much of the so-called humor was really lower body humor. There were perhaps a few decently funny moments (though none that would make me laugh uncontrollably, not even close).

Still, let that be a lesson to pisspot dictators: clumsy attempts to censor the West’s entertainment industry only provide invaluable free publicity. An entirely forgettable piece of Hollywood trash this way became an instant immortal icon, mentioned along with classics like Chaplin’s The Great Dictator.

It appears though that the film found a receptive audience in China of all places. Great! Perhaps it will give Beijing’s communist government some food for thought as they consider the consequences of their continuing support for one of the world’s most totalitarian, most abusive regimes.

Posted by at 11:07 pm

Dec 24, 2014

Year after year, I can find no better way to wish Merry Christmas to all my family, my friends, and all good people on Earth, than with the immortal words of Apollo 8 astronaut Frank Borman from 46 years ago: “And from the crew of Apollo 8, we close with good night, good luck, a Merry Christmas and God bless all of you – all of you on the good Earth.”

Posted by at 3:57 pm

Dec 23, 2014

It’s Christmas so it’s bejgli time.

Bejgli is Hungarian (well, actually, the word comes originally from German, but let’s not be pedantic at Christmas) for a (walnut or poppy seed) nut roll that is typical Christmas fare in Hungary. This is what they looked like (nearly) fresh out of the oven earlier this afternoon:

Oh yes, the picture was taken with my thermal camera.

Posted by at 9:21 pm

Dec 18, 2014

While much of the media is busy debating how the United States already “lost” a cyberwar with North Korea, or how it should respond decisively (I agree), a few began to discuss the possible liability of SONY itself in the hack.

The latest news is that the hackers stole a system administrator’s credentials; armed with these credentials, they were able to roam SONY’s corporate network freely and over the course of several months, they stole over 10 terabytes (!) of data.

Say what? Root password? Months? Terabytes?

OK, I am going to go out on a limb here. I know nothing about SONY’s IT security, the people who work there, their training or responsibilities. And of course it wouldn’t be the first time for the media to get even basic facts wrong.

Still, the magnitude of the hack is evident. It had to take a considerable amount of time to steal all that data and do all that damage.

Which could not have possibly happened if SONY’s IT security folks actually knew what they were doing.

Not that I am surprised. SONY is not alone in this regard; everywhere I turn, corporations, government departments, you name it, I see the same thing. Security, all too often, is about harassing or hindering legitimate users. No, you cannot have an EXE attachment in your e-mail! No, you cannot install that shrink-wrapped software on your workstation! No, we cannot let you open TCP port 12345 on that experimental server!

Users are pesky creatures and most of them actually find ways to get their work done. Yes, their work. This is not about evil corporate overlords not letting you update your Facebook status or watch funny cat videos on YouTube. This is about being able to accomplish tasks that you are paid to do.

Unfortunately, when it comes to IT security, a flawed mentality is all too prevalent. Even on Wikipedia. Look at this diagram, for instance, illustrating the notion of defense in depth:

This, I would argue, is a very narrow-minded view of IT security in general, and the concept of in-depth defense in particular. To me, defense in depth means a lot more than merely deploying technologies to protect data through its life cycle. Here are a few concepts:

  1. Partnership with users: Legitimate users are not the enemy! Your job is to help them accomplish their tasks safely, not to become Mordac the Preventer from the Dilbert comic strip. Users can be educated, but they can also be part of your security team, for instance by alerting you when something is not working quite the way it was expected.
  2. Detection plans and strategies: Recognize that, especially if your organization is prominently exposed, the question is not if but when. You will get security breaches. How do you detect them? What are the redundant technologies and methods (including organization and education) that you use to make sure that an intrusion is detected as early as possible, before too much harm is done?
  3. Mitigation and recovery: Suppose you detect an intrusion. What do you do? Perhaps it’s a good idea to place a “don’t panic” sticker on the cover page of your mitigation and recovery plan. That’s because one of the worst things you can do in these cases is a knee-jerk panic response shutting down entire corporate systems. (Such a knee-jerk reaction is also ripe for exploitation. For instance, a hacker might compromise the open Wi-Fi of the coffee shop across the street from your headquarters before hacking into your corporate network, intentionally in such a way that it would be discovered, counting on the knee-jerk response that would drive employees in droves across the street to get their e-mails and get urgent work done.)
  4. Compartmentalization: I don’t care if you are the most trusted system administrator on the planet. It does not mean that you need to have access to every hard drive, every database or every account on the corporate network. The tools (encrypted databases, disk-level encryption, granulated access control lists) are all there: use them. Make sure that even if Kim Jong-un’s minions steal your root password, they still wouldn’t be able to read data from the corporate mail server or download confidential files from corporate systems.
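As an added illustration of point 2 (detection), and not code from the original post: the Python script below replays a constructed set of per-host daily outbound-volume records (the record format, host names and addresses are invented for the example) and flags any host whose daily outbound volume jumps far above its own prior median, noting whether the traffic also went to a destination that host had never contacted before. A host draining data on the scale the reports describe stands out under even this simple per-host baseline, which is the kind of redundant, low-tech check the post argues for alongside the usual technology.

```python
"""Per-host outbound-volume baselining: a constructed detection example.

Not the blog author's code. Record format, hosts, destinations and byte counts
are invented; thresholds are assumed defaults, not tuned values.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: one summary line per host, destination and day.
# Volumes are in bytes; ws-042 starts sending ~10 GB/day to a new address.
SAMPLE_LOG = """\
2014-11-01 host=ws-017 dst=203.0.113.9 bytes_out=48213000
2014-11-01 host=ws-042 dst=203.0.113.9 bytes_out=51900000
2014-11-01 host=fs-01 dst=198.51.100.20 bytes_out=612000000
2014-11-02 host=ws-017 dst=203.0.113.9 bytes_out=45100000
2014-11-02 host=ws-042 dst=203.0.113.9 bytes_out=50200000
2014-11-02 host=fs-01 dst=198.51.100.20 bytes_out=598000000
2014-11-03 host=ws-017 dst=203.0.113.9 bytes_out=47300000
2014-11-03 host=ws-042 dst=198.51.100.77 bytes_out=9800000000
2014-11-03 host=fs-01 dst=198.51.100.20 bytes_out=605000000
2014-11-04 host=ws-017 dst=203.0.113.9 bytes_out=46900000
2014-11-04 host=ws-042 dst=198.51.100.77 bytes_out=11200000000
2014-11-04 host=fs-01 dst=198.51.100.20 bytes_out=610000000
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) bytes_out=(\d+)$")


def parse_log(text):
    """Parse summary lines into (day, host, dst, bytes) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, host, dst, nbytes = m.groups()
        records.append((day, host, dst, int(nbytes)))
    return records


def flag_exfil_candidates(records, ratio=5.0, min_bytes=1_000_000_000):
    """Flag host-days whose outbound total exceeds both an absolute floor and
    `ratio` times that host's median over its *earlier* days.

    The baseline is built only from days before the one under test, so a host
    is judged against its own history rather than against the whole fleet,
    and a file server with a naturally high volume is not flagged merely for
    being busy.  The first day of a host has no history and is never flagged.
    """
    per_host_day = defaultdict(lambda: defaultdict(int))
    per_host_day_dsts = defaultdict(lambda: defaultdict(set))
    for day, host, dst, nbytes in records:
        per_host_day[host][day] += nbytes
        per_host_day_dsts[host][day].add(dst)

    alerts = []
    for host, days in per_host_day.items():
        history = []        # daily totals of earlier days
        known_dsts = set()  # destinations seen on earlier days
        for day in sorted(days):
            total = days[day]
            if history:
                baseline = median(history)
                if total > min_bytes and total > ratio * baseline:
                    new_dsts = per_host_day_dsts[host][day] - known_dsts
                    alerts.append({
                        "host": host,
                        "day": day,
                        "bytes_out": total,
                        "baseline": baseline,
                        "new_destinations": sorted(new_dsts),
                    })
            history.append(total)
            known_dsts |= per_host_day_dsts[host][day]
    return sorted(alerts, key=lambda a: (a["day"], a["host"]))


if __name__ == "__main__":
    for alert in flag_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(alert)
```

Using the median of earlier days as the baseline means a single busy day does not immediately drag the baseline up, and the "new destination" field gives the responder an immediate lead to check before deciding whether the host is exfiltrating or merely doing a large legitimate transfer.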

SONY’s IT department probably failed on all these counts. OK, I am not sure about #1, as I never worked at SONY, but why would they be any different from other corporate environments? As to #2, the failure is obvious: it must have taken weeks if not months for the hackers to extract the reported 10 terabytes. They very obviously failed on #3, and if the media reports about a system administrator’s credentials are true, #4 as well.

Just to be clear, I am not trying to blame the victim here. When your attackers have the resources of a nation state at their disposal, it is a grave threat. But this is why IT security folks get the big bucks. I can easily see how, equipped with the resources of a nation state, the attackers were able to deploy zero day exploits and other, perhaps previously unknown techniques that would have defeated technological barriers. (Except that maybe they didn’t… the reports say that they stole user credentials and, I am guessing, there is a good chance that they used social engineering, not advanced technology.) But it’s one thing to be the victim of a successful attack, it’s another thing not being able to detect it, mitigate it, or recover from it. This is where IT security folks should shine, not harassing users about EXE attachments or with asinine password expiration policies.

Posted by at 9:57 pm

Dec 17, 2014

If you thought that the scary news from yesterday was the mass murder of 145 people at a Pakistani school, think again. Tragic as that event was, it has zero effect on your security or well-being unless you happen to live in northern Pakistan.

But what happened in Russia yesterday may threaten the security of us all. The Russian central bank’s decision to hike rates by a whopping 6.5% overnight is a sign that the Russian economy is in deep trouble. Worse yet, it is unlikely that Putin will change course, since his popularity is based mainly on his newfound nationalism, not his economic performance.

Which raises the possibility that Putin will lash out and do something stupid. Not just in the Ukraine but, perhaps in a fatal miscalculation, in the Baltic region. If he has any reason to think that NATO would not respond to Russian aggression in places like Estonia, we are all in deep trouble, because I cannot see how NATO would not respond… and that, of course, is a nightmare scenario.

Meanwhile, Obama made the bombshell announcement of restoring diplomatic ties with Cuba. Long, long, long overdue. (To those who think this amounts to appeasing a communist regime, all I can say is, look how well the policy of isolation worked in the last 50+ years.) I also wonder what the Kremlin’s masters think about this. Cuba was one reliable ally in America’s backyard that they could always count on… what is going to happen now?

We seem to be living in interesting times.

Posted by at 9:10 pm

Dec 17, 2014

Recently, I had to fill out some security-related forms with the Canadian government. To do so, I had to log on to a government Web site and create an account using a preassigned, unmemorizable user ID.

While I was doing that, I had to set up a password. It seems that the designers of the government Web site are familiar with XKCD, because their password policy (which also includes frequent password expiration and rules to prevent the reuse of old passwords) seemed like an exact copy of the policy ridiculed here:

Once I managed to get past this hurdle, I had to complete some forms that were downloadable as PDFs. Except that the forms (blank forms!) were in the form of encrypted PDFs, which made it impossible for me to load them with my old copy of Acrobat 6.0 for editing. The encryption was trivial to break (print to PostScript, remove encryption block using an editor, convert back to PDF) but it was there just as an annoyance.

If they invited me to audit their security policy (of course they wouldn’t), I’d ask them the following questions:

  1. What is the rationale of your password expiration/password strength policy, ignoring best advice from actual security experts who know the meaning of terms like “entropy”? What are the data supporting Draconian rules that, effectively, force infrequent users to change their passwords every time they log on to your system?
  2. What is the rationale behind your policy to encrypt PDF files unnecessarily? Exactly what threat is this supposed to address, and what is the anticipated outcome of employing this security measure?
  3. Now that you have successfully alienated your users, what are your plans for detection, analysis, mitigation and recovery in case a real attack occurs? Would you even know when it happens?

I suspect that the real answer to the last question is a no. Security theater is not about protecting systems or preventing attacks; it’s about protecting incompetent hind parts from criticism.

Posted by at 8:55 pm

Dec 17, 2014

The news tonight is that SONY has pulled The Interview from theaters, with no plans to release the movie at this time either through theaters or digitally.

This is wrong on so many levels.

Most importantly, because that grown up crybaby, that Eric Cartman from the land of dictators, should not have his way. Simply put, Kim Jong-un is not just a murderous jackass like his pa and his grandpa, he is also a vain little bully with a bloated ego who is throwing a hissy fit because someone dared to joke at his expense.

Dear little Kim Jong-un… grow up already. Right now, even South Park’s characters seem wise and mature in comparison.

Posted by at 8:42 pm

Dec 13, 2014

Meet Rufus, our newest cat.

I don’t usually like the idea of accessorizing kittycats, but Rufus is such an elegant creature, a bow tie seemed like an absolute necessity.

The cat who photobombed the shot in the background is our oldest kitty, Kifli.

And, since someone will inevitably ask for it, here is a picture of Rufus in the infrared (sans bow tie, this time):

Posted by at 9:18 am

Dec 9, 2014

Today, I became a proud owner of a new smartphone attachment: a thermal camera.

I long wanted to have a thermal camera, but the prices were frivolously high. One of the cheapest cameras from FLIR, for instance, the TG165, costs five hundred dollars and has a measly 80 x 60 pixel sensor resolution. FLIR has a smartphone thermal camera attachment that’s cheaper, but its resolution is also low, and it only works with the iPhone.

In contrast, the Seek Thermal camera attachment costs only two hundred bucks and has a 206 x 156 pixel sensor, which is quite decent, insofar as thermal sensors go. And it works with Android phones, notably my Samsung S3. Better yet, much to my delight I found out that the device is actually manufactured in the United States.

So I knew immediately what I wanted for Christmas. Okay, it arrived a little early, but that’s okay. It is a lovely little device, nicely packaged, looks very well manufactured, with a protective jewel case for safe storage when not in use.

And this is what I look like in the infrared:

Lovely mugshot, isn’t it?

Posted by at 10:33 pm