Mar 31 2015
 

Last evening, I decided to update my rooted Samsung Galaxy S3 smartphone.

I did not expect to stay awake for much of the night, struggling to revive a “bricked” phone.

In the end, though, all is well: my phone is alive and once again, for the first time since the 4.3 update, it is both rooted and encrypted.

 Posted by at 5:18 pm
Mar 25 2015
 

Curse my suspicious nature.

Here I am, reading a very nice letter from a volunteer who is asking me to share a link on my calculator museum Web site to cheer up some kids:


And then, instead of doing as I was asked to do, I turned to Google. Somehow, this message just didn’t smell entirely kosher. The article to which I was supposed to link also appeared rather sterile, more like an uninspired homework assignment, with several factual errors. So I started searching. It didn’t take very long until I found this gem:

Then, searching some more, I came across this:

Or how about this one:

Looks like Ms. Martin has been a busy lady.

So no, I don’t think I’d be adding any links today.

 Posted by at 7:33 pm
Mar 14 2015
 

I hate software upgrades.

It is one of the least productive ways to use one’s time. I am talking about upgrades that are more or less mandatory, when a manufacturer ends support of an older version. So especially if the software in question is exposed to the outside world, upgrading is not optional: the security risk associated with using an unsupported, obsolete version is quite significant.

Today, I was forced to upgrade all my Web sites that use the Joomla content management system, as support for Joomla 2.5 ended in December, 2014.


What can I say. It was not fun. I am using some custom components and some homebrew solutions, and it took the better part of the day to get through everything and resolve all compatibility issues.

And I gained absolutely nothing. My Web sites look exactly like they did yesterday (apart from things that might be broken as a result of the upgrade, that is). I just wasted a few precious hours of my life.

Did I mention that I hate software upgrades?

 Posted by at 7:30 pm
Feb 17 2015
 

Today, I successfully hacked one of my Rogers cable decoder boxes. No, not to do anything illegal, just to get composite video and demultiplexed stereo audio out of them, to make them more usable with the dual-tuner TV card that is in my desktop workstation.


This is the first time ever that I used the services of a custom printed circuit board manufacturer. My design worked on the first try. I am mighty proud of myself.

 Posted by at 7:57 pm
Dec 18 2014
 

While much of the media is busy debating how the United States already “lost” a cyberwar with North Korea, or how it should respond decisively (I agree), a few began to discuss the possible liability of SONY itself in the hack.

The latest news is that the hackers stole a system administrator’s credentials; armed with these credentials, they were able to roam SONY’s corporate network freely and over the course of several months, they stole over 10 terabytes (!) of data.

Say what? Root password? Months? Terabytes?

OK, I am going to go out on a limb here. I know nothing about SONY’s IT security, the people who work there, their training or responsibilities. And of course it wouldn’t be the first time for the media to get even basic facts wrong.

Still, the magnitude of the hack is evident. It had to take a considerable amount of time to steal all that data and do all that damage.

Which could not have possibly happened if SONY’s IT security folks actually knew what they were doing.

Not that I am surprised. SONY is not alone in this regard; everywhere I turn, corporations, government departments, you name it, I see the same thing. Security, all too often, is about harassing or hindering legitimate users. No, you cannot have an EXE attachment in your e-mail! No, you cannot install that shrink-wrapped software on your workstation! No, we cannot let you open TCP port 12345 on that experimental server!

Users are pesky creatures and most of them actually find ways to get their work done. Yes, their work. This is not about evil corporate overlords not letting you update your Facebook status or watch funny cat videos on YouTube. This is about being able to accomplish tasks that you are paid to do.

Unfortunately, when it comes to IT security, a flawed mentality is all too prevalent. Even on Wikipedia. Look at this diagram, for instance, illustrating the notion of defense in depth:

This, I would argue, is a very narrow-minded view of IT security in general, and the concept of in-depth defense in particular. To me, defense in depth means a lot more than merely deploying technologies to protect data through its life cycle. Here are a few concepts:

  1. Partnership with users: Legitimate users are not the enemy! Your job is to help them accomplish their tasks safely, not to become Mordac the Preventer from the Dilbert comic strip. Users can be educated, but they can also be part of your security team, for instance by alerting you when something is not working quite the way it was expected.
  2. Detection plans and strategies: Recognize that, especially if your organization is prominently exposed, the question is not if but when. You will get security breaches. How do you detect them? What are the redundant technologies and methods (including organization and education) that you use to make sure that an intrusion is detected as early as possible, before too much harm is done?
  3. Mitigation and recovery: Suppose you detect an intrusion. What do you do? Perhaps it’s a good idea to place a “don’t panic” sticker on the cover page of your mitigation and recovery plan. That’s because one of the worst things you can do in these cases is a knee-jerk panic response shutting down entire corporate systems. (Such a knee-jerk reaction is also ripe for exploitation. For instance, a hacker might compromise the open Wi-Fi of the coffee shop across the street from your headquarters before hacking into your corporate network, intentionally in such a way that it would be discovered, counting on the knee-jerk response that would drive employees in droves across the street to get their e-mails and get urgent work done.)
  4. Compartmentalization. I don’t care if you are the most trusted system administrator on the planet. It does not mean that you need to have access to every hard drive, every database or every account on the corporate network. The tools (encrypted databases, disk-level encryption, granulated access control lists) are all there: use them. Make sure that even if Kim Jong-un’s minions steal your root password, they still wouldn’t be able to read data from the corporate mail server or download confidential files from corporate systems.

SONY’s IT department probably failed on all these counts. OK, I am not sure about #1, as I never worked at SONY, but why would they be any different from other corporate environments? As to #2, the failure is obvious: it must have taken weeks if not months for the hackers to extract the reported 10 terabytes. They very obviously failed on #3, and if the media reports about a system administrator’s credentials are true, #4 as well.

Just to be clear, I am not trying to blame the victim here. When your attackers have the resources of a nation state at their disposal, it is a grave threat. But this is why IT security folks get the big bucks. I can easily see how, equipped with the resources of a nation state, the attackers were able to deploy zero day exploits and other, perhaps previously unknown techniques that would have defeated technological barriers. (Except that maybe they didn’t… the reports say that they stole user credentials and, I am guessing, there is a good chance that they used social engineering, not advanced technology.) But it’s one thing to be the victim of a successful attack, it’s another thing not being able to detect it, mitigate it, or recover from it. This is where IT security folks should shine, not harassing users about EXE attachments or with asinine password expiration policies.
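To make point #2 concrete, here is an added example (not part of the original post) showing why the reported 10 terabytes, spread over roughly three months, slips under a simple per-day volume alarm but is caught within days by tracking each host's cumulative excess over its own baseline. The host names, the daily traffic figures, the 500 GB/day limit and the baseline, slack and budget parameters are all assumptions, and the log is constructed data.

```python
"""Added example: catching slow, sustained data theft from daily egress totals."""
from statistics import median

GB = 10**9
TB = 10**12


def build_constructed_log():
    """Constructed data, not real telemetry: (day, host, bytes_out) rows."""
    rows = []
    for day in range(120):
        # Hypothetical workstation: 2-4 GB/day outbound, every day.
        rows.append((day, "ws-accounting", (2 + day % 3) * GB))
        # Hypothetical file server: 18-22 GB/day normally. From day 30 on,
        # an extra ~111 GB/day leaves it (10 TB spread over 90 days).
        normal = (18 + day % 5) * GB
        extra = 10 * TB // 90 if day >= 30 else 0
        rows.append((day, "fs-archive", normal + extra))
    return rows


def per_day_threshold_alerts(rows, limit):
    """Naive rule: a host alerts only if one single day exceeds `limit` bytes."""
    return sorted({host for _, host, sent in rows if sent > limit})


def cumulative_excess_alerts(rows, training_days, slack, budget):
    """One-sided CUSUM per host.

    The baseline is the median of the host's first `training_days` days.
    Every later day adds (sent - baseline * slack) to a running sum that is
    floored at zero, so quiet days cancel out ordinary bursts. The host is
    flagged on the first day the running sum exceeds `budget` bytes.
    Returns {host: first_alert_day}.
    """
    by_host = {}
    for day, host, sent in sorted(rows):
        by_host.setdefault(host, []).append((day, sent))

    alerts = {}
    for host, series in by_host.items():
        baseline = median(sent for _, sent in series[:training_days])
        allowed = baseline * slack
        running = 0
        for day, sent in series[training_days:]:
            running = max(0, running + sent - allowed)
            if running > budget:
                alerts[host] = day
                break
    return alerts


if __name__ == "__main__":
    log = build_constructed_log()
    # Assumed alarm level; the ~133 GB/day peak never reaches it.
    print("per-day rule:", per_day_threshold_alerts(log, 500 * GB))
    # Assumed tuning: 28 training days, 50% slack, 250 GB excess budget.
    print("cumulative rule:", cumulative_excess_alerts(log, 28, 1.5, 250 * GB))
```

With these assumed parameters the per-day rule stays silent for all 120 days, while the cumulative rule flags the file server on the third day of the leak.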

 Posted by at 9:57 pm
Dec 17 2014
 

Recently, I had to fill out some security-related forms with the Canadian government. To do so, I had to log on to a government Web site and create an account using a preassigned, unmemorizable user ID.

While I was doing that, I had to set up a password. It seems that the designers of the government Web site are familiar with XKCD, because their password policy (which also includes frequent password expiration and rules to prevent the reuse of old passwords) seemed like an exact copy of the policy ridiculed here:

Once I managed to get past this hurdle, I had to complete some forms that were downloadable as PDFs. Except that the forms (blank forms!) were in the form of encrypted PDFs, which made it impossible for me to load them with my old copy of Acrobat 6.0 for editing. The encryption was trivial to break (print to PostScript, remove encryption block using an editor, convert back to PDF) but it was there just as an annoyance.

If they invited me to audit their security policy (of course they wouldn’t), I’d ask them the following questions:

  1. What is the rationale of your password expiration/password strength policy, ignoring best advice from actual security experts who know the meaning of terms like “entropy”? What are the data supporting Draconian rules that, effectively, force infrequent users to change their passwords every time they log on to your system?
  2. What is the rationale behind your policy to encrypt PDF files unnecessarily? Exactly what threat is this supposed to address, and what is the anticipated outcome of employing this security measure?
  3. Now that you have successfully alienated your users, what are your plans for detection, analysis, mitigation and recovery in case a real attack occurs? Would you even know when it happens?

I suspect that the real answer to the last question is a no. Security theater is not about protecting systems or preventing attacks; it’s about protecting incompetent hind parts from criticism.

 Posted by at 8:55 pm
Jun 21 2014
 

Having been annoyed by a Firefox crash a few weeks ago, I decided to give Google’s Chrome browser a serious try on my Windows desktop. I am, after all, using Chrome on my Android phone and tablet, so I figured I might as well swear allegiance to our Google overlords on my desktop as well…

But it’s not going to happen, not just yet. Yesterday, after I managed to close a tab in Chrome by accident one too many times, I Googled for ways to disable the “X” in tabs other than the active tab… only to find that Google years ago declared that they don’t consider this a problem and they would not solve it. Indeed, I find Chrome’s customization features rather limited compared to what is available in Firefox under about:config.

So, I switched back. I shall be using Firefox for the time being. I am still keeping Chrome on standby, just in case Mozilla goes berserk (their recent UI changes were not exactly welcomed with open arms by much of the user community, myself included; who knows what new insanity awaits us in the pipeline).

And, it seems that I am not alone.

 Posted by at 3:28 pm
Jun 01 2014
 

I just saw a report on CTV about Ubisoft’s new game, Watch Dogs.

It appears to be a fascinating game. And it’s available on the PC.

Yet, I won’t be playing it anytime soon. The reason? Stupid DRM.

People who opted to purchase the game, including people who preordered it, were unable to play because DRM servers crashed and were unavailable. The illogic of screwing paying customers while doing very little to hinder the actual pirates (who, after cracking the game, will have a hassle-free playing experience unencumbered by stupid DRM schemes) baffles me.

I refuse to use pirated copies but I also refuse to pay good money for something that is designed to treat me as a potential thief. Thief I am not, but neither am I an idiot.

Maybe a few years down the line, Watch Dogs will be made available DRM-free on GOG. Until then, there are more useful things to do than wasting my time with a stupid game anyway!

 Posted by at 6:56 pm
May 28 2014
 

A few months ago, I upgraded my rooted Samsung Galaxy S3 (SGH-I747M) smartphone. In the process, I lost root, which was rather annoying. I was able to re-root the phone using CF-Auto-Root, but only after decrypting its memory first. When I tried to re-encrypt the phone afterwards, the process failed. The log (adb logcat) showed that it was unable to unmount the /data partition.

I have since tried several approaches to encrypt the phone while retaining root, but to no avail. Here are the things I tried over the past few months:

  • Temporarily disabling SuperSU;
  • Disabling SuperSU using Triangle Away;
  • Wiping the phone (factory reset) while retaining root;
  • Turning off SuperSU logging;
  • Booting into Safe Mode;
  • Manually unmounting /data and most other partitions;
  • As above, in Safe Mode;
  • Unrooting, encrypting, and then rooting using Kingo Android Root (supposedly worked for some people; didn’t root the phone for me).

OK, I give up. I don’t really need to encrypt the stupid phone.

 Posted by at 9:12 pm
Apr 29 2014
 

The other day, I watched a delightful 30+ year old movie that I never saw before, The World According to Garp. In one scene, the protagonist decides to buy a house after a small airplane crashes into it, explaining that it is unlikely to ever happen again; that house has been “pre-disastered”. (Yes, it’s a logical fallacy, but the scene was still funny.) I think it was this movie that inspired me today, when I finally managed to talk to a human representative at Scotiabank, after being endlessly and needlessly frustrated by a voice recognition answering system.

Voice recognition systems infuriate me. I am not alone, and this should come as no surprise. The phenomenon when something that looks, feels (or in this case, sounds) almost, but not quite, human creeps out people is so well known, it even has a name: Uncanny Valley. I am perfectly comfortable with answering systems that ask me to make menu choices by pressing buttons on my phone. Yet I am filled with blind fury and rage by voice response systems that, usually in an overly friendly and syrupy-sweet voice, ask me to explain, in words, what I am calling about. “I WANT TO TALK TO A FREAKING HUMAN YOU STUPID MACHINE!”

Fortunately, my self-control prevailed this morning. When (after stabbing “0” more than a few times with my finger while shouting nonsense, finally convincing the voice recognition algorithm to give up) I was at last connected to an actual (very nice) human lady, I remained polite. However, at the end of our conversation, I could not refrain from asking her to please pass on my request to the Powers That Be at Scotiabank to get rid of this stupid voice recognition system. She agreed that indeed, many customers are annoyed like I was. I commented on the fact that it was usually people like her who become the victims of their callers’ anger… when they arrive, like I did, pre-high-blood-pressured. She laughed so hard… I think I made her day.

As I am writing this, I am thinking that there might be another way to climb out of the uncanny valley: better AI. This is, after all, 2014, the age of self-driving cars and Google Search that knows what you are about to type even before you do. I could easily imagine a voice recognition system that, instead of spoon feeding me instructions like I was mentally retarded, began a natural conversation: “Hello, this is the Scotiabank automated assistant. This call may be recorded for quality assurance. How can we help you today?” (Avoid talking like the caller was retarded. Avoid using “I” because you are not a self-aware person. Speak in a natural voice, not like you were talking to someone hard of hearing, not unless they indicate that they are, in fact, hard of hearing.) If this system could actually carry out a decent conversation instead of being a poorly thought-out replacement of a touchtone menu system, it might work a lot better… and, for that matter, may even reduce the need for human operators as I bet it could respond to many inquiries successfully without human intervention.

 Posted by at 9:09 pm
Apr 10 2014
 

In light of the latest Internet security scare, the Heartbleed bug, there are again many voices calling for an end to the use of passwords, to be replaced instead by fingerprint scanners or other kinds of biometric identification.

I think it is a horrifyingly, terribly bad idea.

Just to be clear, I am putting aside any concerns about the reliability of biometric identification. They are not as reliable as their advocates would like us to believe, but this is not really the issue. I am assuming that as of today, biometric technologies are absolutely, 100% reliable. Even so, they are still a terrible idea, and here is why.

First, what happens if your biometric identification becomes compromised? However it is acquired, it is still transmitted in the form of a series of bits and bytes, which can be intercepted by an attacker. If this were a password, you could easily change it to thwart an attack. But how do you change your fingerprint? Your retina print? Your voice? Your heartbeat?

Second, what happens if you “lose” your biometric identification marker? Fingers get chopped off in accidents. People lose their eyesight. An emergency tracheotomy may deprive you of your normal voice. What then?

And what about privacy concerns? There have been rulings I understand, in the US and perhaps elsewhere, that imply that the same legal or constitutional guarantees that protect you from being compelled to reveal a password may not apply when it comes to providing a fingerprint, a DNA sample, or other biometric markers.

The bottom line is this: a password associates an account or a service with a unique piece of secret knowledge. This knowledge can be changed, passed on, or revoked, and owners may be protected by law from being compelled to reveal it. Biometric identification fundamentally changes this relationship by associating the account or the service with an unmalleable biometric characteristic of a person.

Please don’t.

 Posted by at 10:27 am
Apr 08 2014
 

Microsoft officially ended support for Windows XP today.

I hope someone will sue the hell out of them.

To be clear, I understand why they are doing this: they don’t want to continue supporting forever an obsolete, 14 year old operating system.

But something like one quarter or so of the world’s computers continue running Windows XP. One can argue that Microsoft is not responsible for the behavior of system owners who, for whatever reason, choose not to update their systems. But what about those who do everything right and still become the victims of cyberattacks that utilize networks of unpatched Windows XP computers? The decision to terminate support makes Microsoft a de facto accomplice of these cybercriminals.

My fearless prediction is that within a few months, Microsoft will quietly start releasing high priority security patches for Windows XP again.

Meanwhile, Microsoft began releasing a significant update to Windows 8.1. I noticed that when I updated my Windows 8.1 laptop, it booted directly into the Windows desktop. Wow! Now all we need is a decent Start menu and the ability to perform basic system configuration tasks without going through the touch-optimized “Modern UI” and all will be bliss again. One of these days, I might even upgrade one of my development workstations to Windows 8.1!

 Posted by at 10:21 pm
Mar 11 2014
 

The computer game Myst is best known as the first “killer game” of the early CD-ROM era. A game that became the reason for many to purchase CD-ROM drives for their computers. A game that was played not just by geeks but by users who never touched a computer game before. Myst remained the all-time best-selling PC game for the better part of a decade.

Myst spawned its own mythology, and a series of three books. It also spawned five sequels, among them Uru, the company’s flawed yet hauntingly beautiful attempt to create a massively multiplayer online game. The final game in the Myst series was Myst V: End of Ages.

The other day, I pulled out my copy of Myst V, mainly to look at the wonderful worlds (or Ages, as they are called in the game) that I visited as a player. Perhaps the most breathtaking is the age called Todelmer. The player lands on top of a massive spire, towering high above the lower atmosphere of what appears to be a moon orbiting a ringed planet. Puzzles involve bringing some of the machinery back to life, reconnecting pieces of an ancient astronomical observatory.


Todelmer seems as beautiful as it was when I first saw it. Too bad it only exists in the imagination.

 Posted by at 7:22 pm
Mar 11 2014
 

Second Tuesday of the month. Not my favorite day.

This is when Microsoft releases their monthly batch of updates for Windows.

And this is usually when I also update other software, e.g., Java, Flash, Firefox, on computers that I do not use every day.

Here is about half of them.

The other half sit on different desks.

Oh, that big screen, by the way, is shared by four different computers. Fortunately, two of them are Linux servers. Not that they don’t require updating, but those updates do not usually come on the second Tuesday of the month.

 Posted by at 4:07 pm
Dec 09 2013
 

Here is something new: America’s ever watchful National Security Agency is not content with spying in all the real lands of the world. Their interests also extend to imaginary realms, like the virtual worlds of Second Life and World of Warcraft.

Ostensibly, their concern is that terrorists around the world might be using online games for secret communication. The idea is not, in fact, new; for what it’s worth, a similar idea exists as a plot device in Margaret Atwood’s superb, dystopian Oryx and Crake trilogy.

So I guess I should count it as a blessing that other aspects of Atwood’s nightmarish future have not become reality yet. Instead of corporatist anarchy, all we have is a benevolent superstate ever more keen on enforcing Pax Americana. And who knows… our freedoms and privacy may be somewhat curtailed in this New World Order, but if the Roman example is any guide, it may be a small price to pay for centuries of stable prosperity.

Anyhow, for what it’s worth, as far as I know there is no spying going on in MUD1/British Legends and MUD2. I can actually vouch for MUD1 personally; I, after all, wrote the code for the current implementation.

 Posted by at 9:23 pm
Oct 11 2013
 

Is this a worthy do-it-yourself neuroscience experiment, or an example of a technology gone berserk, foreshadowing a bleak future?

A US company is planning to ship $99 kits this fall, allowing anyone to turn a cockroach into a remote controlled cyborg. Educational? Or more like the stuff of bad dreams?

For me, it’s the latter. Perhaps it doesn’t help that I am halfway through reading Margaret Atwood’s The Year of the Flood, sequel to Oryx and Crake, a dystopian science fiction novel set in a bleak future in which humanity destroys itself through the reckless use of biotech and related technologies.

A cockroach may not be a beloved animal. Its nervous system may be too small, too simple for it to feel real pain. Nonetheless, I feel there is something deeply disturbing and fundamentally unethical about the idea of turning a living animal into a remote control toy.

To put it more simply: it creeps the hell out of me.

 Posted by at 11:49 am
Sep 06 2013
 

So the NSA and their counterparts elsewhere, including Canada and the UK, are spying on us. I wish I could say the news shocked me, but it didn’t.

The level of secrecy is a cause for concern of course. It is one thing for these agencies not to disclose specific sources and methods, it is another to keep the existence of entire programs secret, especially when these programs are designed to collect data wholesale.

But my biggest concern is that the programs themselves represent a huge security threat for all of us.

First, the NSA apparently relies on its ability to compromise the security of encryption products and technologies or on backdoors built into these products. An unspoken assumption is that only the NSA would be able to exploit these weaknesses. But how do we know that this is the case? How do we know that the same weaknesses and backdoors used by the NSA to decrypt our communications are not discovered and then exploited by foreign intelligence agencies, industrial spies, or criminal organizations?

As an illustrative example, imagine purchasing a very secure lock for your front door. Now imagine that the manufacturer does not tell you that the locks are designed such that there exists a master key that opens them all. Maybe the only officially sanctioned master key is deposited in a safe place, but what are the guarantees that it does not get stolen? Copied? Or that the lock is not reverse engineered?

My other worry is about how the NSA either directly collects, or compels service providers to collect, and store, large amounts of data (e.g., raw Internet traffic). Once again, the unspoken assumption is that only authorized personnel are able to access the data that was collected. But what are the guarantees for that? How do we know that these databases are not compromised and that our private data will not fall into hands not bound by laws and legislative oversight?

These are not groundless concerns. As Edward Snowden’s case demonstrates, the NSA was unable to control unauthorized access even by its own contract employees working in what was supposedly a highly structured, extremely secure work environment. (How on Earth was Snowden able to copy data from a top secret system to a portable device? That violates just about every security rule in the book.)

So even if the NSA and friends play entirely above board and never act in an unlawful manner, these serious concerns remain.

I do not believe we, as citizens, should grant the authority to any state security apparatus to collect data wholesale, or to compromise the cryptographic security of our digital infrastructure. Even if it makes it harder to catch bad guys.

So, our message to the NSA, the CSE, the GCHQ and their friends elsewhere in the free world should be simply this: back off, guys. Or else, risk undermining the very thing you purportedly protect, our basic security.

 Posted by at 1:50 pm
Jul 15 2013
 

What an ugly word: monetization. Never liked it.

I especially do not like it when it comes to games.

When it comes to computer games, my age shows I guess. The first computer game I ever played was an arcade version of Pong. And the first multiplayer world I participated in was British Legends, the CompuServe implementation of the original MUD, or Multi-User Dungeon. Eventually, I started hosting MUD’s successor, MUD2, and when CompuServe shut down British Legends, I began hosting my own port of MUD1 here as well. And for a while, I did charge MUD2 users a subscription fee but that’s just not a viable business model for a small gaming site these days, so eventually we dropped all such fees.

In any case, subscription fees are not what come to my mind when I think about game monetization. It is the more insidious ways to compel players to cough up hard-earned money.

And now I came across an intriguing article that offers a thorough review of several monetization tricks and schemes. The basic idea is to compel players to purchase in-game add-ons, “power-ups” and other improvements, and pay ever greater amounts as they progress through the game.

Of course it cannot be done as blatantly as that. As the article explains, a good monetization scheme does not destroy the player’s illusion that the game is skill-based. Paying may help a little, or help a player avoid losing prior achievements, but the player’s perception remains that the game is fundamentally rewarding skill, not big spending. Which, of course, is untrue, but the most successful monetization schemes can liberate hundreds of dollars from the pockets of devoted players each month.

I don’t like these schemes. They feel… dishonest. I do purchase the occasional game, both for my phone and for my PC (thanks to GOG.COM and DOTEMU.COM who offer great titles free of DRM). But I never pay for in-game features or upgrades as a matter of principle, and a good thing, too: as the article explains, once you pay, you end up paying more, in part to protect the investment you made earlier by paying real money to help your progress.

 Posted by at 12:42 pm
Jul 15 2013
 

The NSA engaged in domestic surveillance on a massive scale. It collected information on both foreign nationals and US citizens. It collected large amounts of data indiscriminately. It did so in secret, with little oversight. It did so with the collaboration of major telecommunication companies.

Sounds familiar? Perhaps. But what I am describing is project SHAMROCK, an NSA program terminated in 1975 that collected telegrams sent to or from the United States.

Arguably, the situation is somewhat better today, as the NSA is now under Congressional oversight and it has (supposedly) internal procedures in place to prevent the unlawful use of data that they collect. That is, if you believe their statements. But then, they made similar reassuring statements back in 1975, too, before details about SHAMROCK came to light.

The bottom line, it seems to me, is that governments have the technological means, the capacity, and the willingness to engage in large-scale surveillance of their own citizens. No guarantees against an Orwellian nightmare can come from futile attempts to limit these capabilities. The genie cannot be put back into the bottle. Only the openness and transparency of our political institutions can guarantee that the capabilities will not be abused.

 Posted by at 12:02 pm
Jun 20 2013
 

I have read about this before and I didn’t want to believe it then. I still don’t believe it, to be honest, but it is apparently happening.

Yahoo will recycle inactive user IDs. That is, if you don’t log on to Yahoo for a period of 12 months, your old user ID will be up for grabs by whoever happens to be interested.

Like your friendly neighborhood identity thief.

Yahoo claims that they are going to extraordinary lengths to prevent identity theft. But that is an insanely stupid thing to say. How can Yahoo prevent, say, a financial institution from sending a password confirmation e-mail to a hapless user’s old Yahoo ID if said user happened to use that ID to establish the account years ago?

That is just one of many scenarios that I can think about for Yahoo’s bone-headed decision to backfire.

And I can’t think of a single sensible reason as to why Yahoo wants to do this in the first place. They will piss off a great many users and likely please no one.

I hope they will change their mind before it’s too late. I hope that if they don’t change their mind, something nasty happens soon and someone sues their pants off.

 Posted by at 11:00 pm