Oct 142015
 

I finished this weeks ago but never had the time to post. My previous attempt to hack a Rogers cable decoder was only partially successful, so I gave it another try, with better results.

By “hack”, I don’t mean illegally obtaining cable signals or anything like. I was simply looking for a way to get composite video and stereo audio out of the “free” cable boxes that Rogers provides, as opposed to just a plain RF signal on channel 3. The reason is pretty mundane: I’ve been using a dual-tuner TV card in my computer for years, which allowed me to record one program while watching another. The transition by Rogers to full digital cable messed this up: the TV card has only one RF input, so it is impossible to attach two decoders that could supply two signals simultaneously. But the TV card does have two independent composite video inputs. So if only the decoders had the corresponding output…

Well, they do, sort of: the only problem was that the audio was an undecoded (multiplexed) stereo signal. To decode it, I first built a standard stereo decoder circuit, but that was before I learned that the NTSC standard for stereo also includes noise suppression.

Hence my second attempt, using an appropriate chip.

Once again, I used a custom printed circuit board of my own design, and once again, it worked like a charm. The only fly in the ointment is that this larger board no longer fits inside the original decoder casing without some “plastic surgery”; so chances are that if it ever comes to returning these boxes to Rogers, I’ll be paying for them instead. Oh well.

 Posted by at 12:38 pm
Sep 212015
 

Today, I spent a couple of hours trying to sort out why a Joomla! Web site, which worked perfectly on my Slackware Linux server, was misbehaving on CentOS 7.

The reason was simple yet complicated. Simple because it was a result of a secure CentOS 7 installation with SELinux (Security Enhanced Linux) fully enabled. Complicated because…

Well, I tried to comprehend some weird behavior. The Apache Web server, for instance, was able to read some files but not others; even when the files in question were identical in content and had (seemingly) identical permissions.

Of course part of it was my inexperience: I do not usually manage SELinux hosts. So I was searching for answers online. But this is where the experience turned really alarming.

You see, almost all the “solutions” that I came across advocated severely weakening SELinux or disabling it altogether.

Since I was really not inclined to do either on a host that I do not own, I did not give up until I found the proper solution. Nonetheless, it made me wonder about the usefulness of overly complicated security models like SELinux or the advanced ACLs of Windows.

These security solutions were designed by experts and expert committees. I have no reason to believe that they are not technically excellent. But security has two sides: it’s as much about technology as it is about people. People that include impatient users and inadequately trained or simply overworked system administrators.

System administrators who often “solve” a problem by disabling security altogether, rather than act as I have, research the problem, and not do anything until they fully understand the issue and the most appropriate solution.

The simple user/group/world security model of UNIX systems may lack flexibility but it is easy to conceptualize and for which it is easy to develop a good intuition. Few competent administrators would ever consider solving an access control problem by suggesting the use of 0777 as the default permission for all affected files and folders. (OK, I have seen a few who advocated just that, but I would not call these folks “competent.”)

A complex security model like SELinux, however, is difficult to learn and comprehend fully. Cryptic error messages only confound users and administrators alike. So we should not be surprised when administrators take the easy way out. Which, in a situation similar to mine, often means disabling the enhanced security features altogether. Unless their managers are themselves well trained and security conscious, they will even praise the administrator who comes up with such a quick “solution”. After all, security never helps anyone solve their problems; by its nature, it becomes visible only for its absence, and only when your systems are under attack. By then, it’s obviously too late of course.

So the next time you set up a system with proper security, think about the consequences of implementing a security model that is too complex and non-intuitive. And keep in mind that what you are securing is not merely a bunch of networked computers; people are very much part of the system, too. The security technology that is used must be compatible with both the hardware and the humans operating the hardware. A technically inferior solution that is more likely to be used and implemented properly by users and administrators beats a technically superior solution that users and administrators routinely work around to accomplish their daily tasks.

In short… sometimes, less is more indeed.

 Posted by at 7:17 pm
Aug 212015
 

Looks like just as I was about to heap more praise on Microsoft’s latest operating system, I ran into an issue of almost showstopper quality: half my programs don’t show up in the Start Menu, and the Start Menu itself is confusing, dare I say broken, even when it works as intended.

One of the Big Deals about Windows 10 was that it restored the Start Menu, taken away by the brain-dead design decisions that went into Windows 8.

But it is a different kind of a start menu. It combines the traditional Start Menu functionality with the tiles of Windows 8. But that’s okay… the tiles can be quite nice, once you get used to them.

What is a bit harder to get used to is how programs vanish from the Start Menu’s All apps option, or never show up there in the first place. Oh, and you cannot search for them either.

The cause: supposedly, some programming genius at Microsoft hard-coded a 512-program limit into the cache database that feeds this new Start Menu. (I say supposedly because some folks report issues even with fewer programs than 512.) What a …

A fix may or may not be on its way. It certainly hasn’t been released yet. I hope it will be released soon, but it still does not solve another, rather major annoyance associated with the new Start Menu: how it flattened multi-level menus.

In the old Start Menu, you may have had a folder named Games, under which you had, say, a folder named Betrayal at Krondor, with a command “Graphic mode setup”. Next, Myst Uru, with “Graphic mode setup”. Or Redneck Rampage, with “Graphic mode setup”. (These are some actual GOG.com game examples.)

In the new Start Menu, you have the Games folder, under which you get

with no indication as to which is which.

What kind of a moron thought that this would be a good idea?

I have used Windows 8 and Windows 8.1 on a laptop for over two years now and I put up with its Start Menu-less nonsense, resisting the urge to install a third-party product that restores this functionality. But I am beginning to realize that a broken Start Menu is worse than no Start Menu at all. So… classicshell.net, here I come.

 Posted by at 2:32 pm
Aug 152015
 

In the last few days, I upgraded two of my laptops to Windows 10. So far, I have been most impressed by the results.

The first laptop is my current “travel” laptop, an ASUS X202E. It is a touchscreen notebook that originally came with Windows 8. I got it real cheap just over two years ago. It turned out to be a much better machine than I expected (despite Windows 8!) so I invested a little extra money and upgraded it with a solid state drive. I also upgraded it to Windows 8.1 when it became available.

The second laptop is closer to five years old I think, an old LG netbook with an Intel Atom processor and only 1 GB RAM, with Windows 7 Starter. I bought it because it was tiny (I like small machines) and real cheap. I used it for a few years as my travel laptop, great for presentations, e-mail, or connecting back to my main desktop via Remote Desktop, but not much else.

The Windows 10 upgrade became available on both machines a few days ago (although I had to fight with the LG netbook a little bit to make it happen; the reasons were unrelated, a bad driver that interfered with the machine in other ways, too.)

To make a long story short: the upgrade ran flawlessly on both machines.

On the ASUS, after the upgrade my touchpad was not responding, but before I could begin investigating the reason, a dialog popped up and informed me that the touchpad driver is being upgraded and indeed, after a reboot, the touchpad was working fine again. All my settings were properly preserved, including an add-on (8GadgetPack) that restored the Windows VISTA/Windows 7 style on-screen gadgets that I have become quite fond of, and which Microsoft removed from later versions of Windows, ostensibly for security reasons.

Encouraged by this, I also started the upgrade process on the netbook. My expectations were not high: I was quite prepared for it to fail on this somewhat obsolete machine. But no… it did not fail. It completed the upgrade sooner than I expected and once again, everything worked just fine. The netbook, of course, remains an underpowered machine, but after it finished configuring itself and its initial indexing tasks ran to completion, the machine became reasonably responsive.

All in all, kudos to Microsoft. This upgrade process through Windows Update far exceeded my expectations. And Windows 10 finally corrects the misguided design decisions of Windows 8. The best way to summarize my Windows 10 impressions is this: on a machine without a touch screen, you don’t miss the touch screen.

EDIT: I almost forgot one thing: the much-criticized privacy settings in Windows 10. Unsurprisingly, “free” comes with strings attached: by default, Microsoft collects a lot of information from your computer. Many of these settings can be turned off (make sure that during the installation process, you don’t accept the defaults) but there are concerns that even with the settings off, Microsoft collects some information that they really shouldn’t. How concerned should we be? After all, if you turn on the “OK Google” feature in your Chrome browser, Google becomes an invisible listener to every conversation in the room. So perhaps it’s true that the era of privacy is over. Still… I turned most of those settings off. Even if it does not protect my privacy, at least it saves a little bit of network bandwidth…

 Posted by at 11:29 am
Jun 212015
 

Someone on Quora asked if hackers really need multiple computers. Well… I am not technically a hacker (in the bad sense of the word) as I do not use my skills for illicit purposes, but I certainly have multiple computers, as this panoramic picture taken from my home office chair demonstrates:

Here is what’s in this picture:

  1. Two older, dual-core workstations that I still keep hooked up for test purposes.
  2. A monitor (currently off) with a KVM connecting the four computers on this desk. Under the monitor, three laptops (my current travel laptop, a still more or less current netbook, and an older laptop that I don’t really use anymore.)
  3. Two more computers: my main server and its standby backup. On top, a wireless access point; behind (not visible) two network routers and several concentrators, as well as an older monochrome laser printer. Behind on the floor, there is also a UPS.
  4. Underneath it all: several cardboard boxes containing vintage calculators and various bits of computer parts.
  5. A filing cabinet. (On top, not seen, some radio frequency equipment, a multi-standard VHS VCR that I still occasionally use to digitize old videos, and a turntable record player.)
  6. Several pieces of radio frequency test equipment, owned by one of my clients. On top (not visible) my tablet.
  7. Underneath, my main workstation, with 2×24 TB (mirrored) external storage. A UPS is behind the workstation.
  8. My main monitor and keyboard. Under the monitor, a photo printer, and my old smartphone (still functional, with a data-only SIM card that I keep as a backup Internet connection. My current smartphone is the one I used to take this picture.)
  9. A laser printer and scanner. Underneath, under the desk, some boxes of paper, manuals, etc.
  10. My “hardware” desk, with boxes of parts, a soldering iron, a test power supply, a couple of multimeters and other equipment. Under the desk (not seen) more computer parts and more radio equipment.
  11. My secondary monitor and keyboard. An oscilloscope is sitting under the monitor.
  12. Two more computers: an older Windows 98 machine that I keep around as it can connect to legacy hardware (including the old “winprinter” style laser printer seen here, as well as an EPROM programmer) and a backup of my main workstation. A UPS is also visible.

Not seen in this picture (behind me and/or above) are bookshelves full of technical books and literature, folders containing MSDN subscription CDs/DVDs, three additional older computers (not hooked up, but functional) and additional computer parts, lots of cables, etc.

Most of this equipment is “in use”. Out of the 7 desktop computers shown, three are currently powered (but two are powered 24/7, a server and my main workstation.)

 Posted by at 6:35 pm
May 152015
 

Whenever I travel, I think a lot about Internet security. For purely selfish reasons: I do not wish to become a victim of cybercrime or unnecessarily expose my own systems to attacks.

The easiest way to achieve end-to-end encryption is through a virtual private network (VPN). Whenever possible, I connect to my own router’s VPN service here in Ottawa before doing anything else on the Interwebs. The connection from my router to the final destination is still subject to intercept, but at least my connection from whatever foreign country I am in to my own network is secure.

A VPN has numerous other advantages, not the least of which is the fact that to the outside world, I appear to have an Ottawa-based IP address; this allows me, for instance, to use my Netflix subscription even in countries where Netflix is not normally available.

The downside of the VPN is that I am limited by the outgoing bandwidth of my own connections. But in practice, this does not appear to be a serious limitation. (I was able to watch Breaking Bad episodes just fine while in Abu Dhabi.)

Unfortunately, a VPN is not always possible, as some providers, for reasons known only to them, block VPNs. (I can think of a few workarounds, but I have not yet implemented any of them.) Even in this case, I remain at least partially protected. I have set up my mail server such that both incoming (IMAP) and outgoing (SMTP) connections are fully encrypted. This way, not only are my messages secure, but (and this was my main concern) I also avoid leaking sensitive password information to an eavesdropper.

When it comes to Web sites, I use secure (HTTPS) connections whenever possible, even for “mundane” stuff like innocent Google searches. I also use SSH if necessary, to connect to my servers. These days, SSH is an absolute must; the use of Telnet is just an invitation for disaster.

But of course the biggest security risk while one is on the road is the use of a public Wi-Fi network anywhere. Connecting to an HTTP (not HTTPS) server through a public Wi-Fi network and logging in with your password may not be the exact equivalent of telegraphing your password to the whole wide world, but it comes pretty darn close. Tools that can be used to scan for Wi-Fi networks and analyze the data are readily available not just for laptops but even for smartphones.

Once an open Wi-Fi network is identified, “sniffing” all packets becomes a trivial exercise, with downloadable tools that are readily available. Which is why it is incomprehensible to me why, in this day and age, most providers (e.g., hotels, airports) that actually do require users to log in use an unsecure network and just intercept the user’s first Web query to present a login page instead, when the technology to provide a properly secured Wi-Fi network has long been available.

In the future, no doubt I’ll have to take even stronger measures to maintain data security. For instance, the simple PPTP VPN technology in my router has known vulnerabilities. Today, it may take several hours on a dedicated high-end workstation to crack its encryption keys; the same task may be accomplished in minutes or less on tomorrow’s smartphones.

So there really are two lessons here: First, any security is bettern than no security, as it makes it that much harder for an attacker to do harm, and most attackers will just move on to find lower hanging fruit. Second, no measure should give you a false sense of security: by implementing reasonable security measures, you are raising the bar higher, but it will never defeat a determined attacker.

 Posted by at 2:46 pm
Mar 312015
 

Last evening, I decided to update my rooted Samsung Galaxy S3 smartphone.

I did not expect to stay awake for much of the night, struggling to revive a “bricked” phone.

In the end, though, all is well: my phone is alive and once again, for the first time since the 4.3 update, it is both rooted and encrypted.

 Posted by at 5:18 pm
Mar 252015
 

Curse my suspicious nature.

Here I am, reading a very nice letter from a volunteer who is asking me to share a link on my calculator museum Web site to cheer up some kids:

rachel1

And then, instead of doing as I was asked to do, I turned to Google. Somehow, this message just didn’t smell entirely kosher. The article to which I was supposed to link also appeared rather sterile, more like an uninspired homework assignment, with several factual errors. So I started searching. It didn’t take very long until I found this gem:

Then, searching some more, I came across this:

Or how about this one:

Looks like Ms. Martin has been a busy lady.

So no, I don’t think I’d be adding any links today.

 Posted by at 7:33 pm
Mar 142015
 

I hate software upgrades.

It is one of the least productive ways to use one’s time. I am talking about upgrades that are more or less mandatory, when a manufacturer ends support of an older version. So especially if the software in question is exposed to the outside world, upgrading is not optional: the security risk associated with using an unsupported, obsolete version is quite significant.

Today, I was forced to upgrade all my Web sites that use the Joomla content management system, as support for Joomla 2.5 ended in December, 2014.

Joomla-Logo

What can I say. It was not fun. I am using some custom components and some homebrew solutions, and it took the better part of the day to get through everything and resolve all compatibility issues.

And I gained absolutely nothing. My Web sites look exactly like they did yesterday (apart from things that might  be broken as a result of the upgrade, that is.) I just wasted a few precious hours of my life.

Did I mention that I hate software upgrades?

 Posted by at 7:30 pm
Feb 172015
 

Today, I successfully hacked one of my Rogers cable decoder boxes. No, not to do anything illegal, just to get composite video and demultiplexed stereo audio out of them, to make them more usable with the dual-tuner TV card that is in my desktop workstation.

rog-decoder-8

This is the first time ever that I used the services of a custom printed circuit board manufacturer. My design worked on the first try. I am mighty proud of myself.

 Posted by at 7:57 pm
Dec 182014
 

While much of the media is busy debating how the United States already “lost” a cyberwar with North Korea, or how it should respond decisively (I agree), a few began to discuss the possible liability of SONY itself in the hack.

The latest news is that the hackers stole a system administrator’s credentials; armed with these credentials, they were able to roam SONY’s corporate network freely and over the course of several months, they stole over 10 terabytes (!) of data.

Say what? Root password? Months? Terabytes?

OK, I am going to go out on a limb here. I know nothing about SONY’s IT security, the people who work there, their training or responsibilities. And of course it wouldn’t be the first time for the media to get even basic facts wrong.

Still, the magnitude of the hack is evident. It had to take a considerable amount of time to steal all that data and do all that damage.

Which could not have possibly happened if SONY’s IT security folks actually knew what they were doing.

Not that I am surprised. SONY is not alone in this regard; everywhere I turn, corporations, government departments, you name it, I see the same thing. Security, all too often, is about harassing or hindering legitimate users. No, you cannot have an EXE attachment in your e-mail! No, you cannot install that shrink-wrapped software on your workstation! No, we cannot let you open TCP port 12345 on that experimental server!

Users are pesky creatures and most of them actually find ways to get their work done. Yes, their work. This is not about evil corporate overlords not letting you update your Facebook status or watch funny cat videos on YouTube. This is about being able to accomplish tasks that you are paid to do.

Unfortunately, when it comes to IT security, a flawed mentality is all too prevalent. Even on Wikipedia. Look at this diagram, for instance, illustrating the notion of defense in depth:

This, I would argue, is a very narrow-minded view of IT security in general, and the concept of in-depth defense in particular. To me, defense in depth means a lot more than merely deploying technologies to protect data through its life cycle. Here are a few concepts:

  1. Partnership with users: Legitimate users are not the enemy! Your job is to help them accomplish their tasks safely, not to become Mordac the Preventer from the Dilbert comic strip. Users can be educated, but they can also be part of your security team, for instance by alerting you when something is not working quite the way it was expected.
  2. Detection plans and strategies: Recognize that, especially if your organization is prominently exposed, the question is not if but when. You will get security breaches. How do you detect them? What are the redundant technologies and methods (including organization and education) that you use to make sure that an intrusion is detected as early as possible, before too much harm is done?
  3. Mitigation and recovery: Suppose you detect an intrusion. What do you do? Perhaps it’s a good idea to place a “don’t panic” sticker on the cover page of your mitigation and recovery plan. That’s because one of the worst things you can do in these cases is a knee-jerk panic response shutting down entire corporate systems. (Such a knee-jerk reaction is also ripe for exploitation. For instance, a hacker might compromise the open Wi-Fi of the coffee shop across the street from your headquarters before hacking into your corporate network, intentionally in such a way that it would be discovered, counting on the knee-jerk response that would drive employees in droves across the street to get their e-mails and get urgent work done.)
  4. Compartmentalization. I don’t care if you are the most trusted system administrator on the planet. It does not mean that you need to have access to every hard drive, every database or every account on the corporate network. The tools (encrypted databases, disk-level encryption, granulated access control lists) are all there: use them. Make sure that even if Kim Jong-un’s minions steal your root password, they still wouldn’t be able to read data from the corporate mail server or download confidential files from corporate systems.

SONY’s IT department probably failed on all these counts. OK, I am not sure about #1, as I never worked at SONY, but why would they be any different from other corporate environments? As to #2, the failure is obvious: it must have taken weeks if not months for the hackers to extract the reported 10 terabytes. They very obviously failed on #3, and if the media reports about a system administration’s credentials are true, #4 as well.

Just to be clear, I am not trying to blame the victim here. When your attackers have the resources of a nation state at their disposal, it is a grave threat. But this is why IT security folks get the big bucks. I can easily see how, equipped with the resources of a nation state, the attackers were able to deploy zero day exploits and other, perhaps previously unknown techniques that would have defeated technological barriers. (Except that maybe they didn’t… the reports say that they stole user credentials and, I am guessing, there is a good chance that they used social engineering, not advanced technology.) But it’s one thing to be the victim of a successful attack, it’s another thing not being able to detect it, mitigate it, or recover from it. This is where IT security folks should shine, not harassing users about EXE attachments or with asinine password expiration policies.

 Posted by at 9:57 pm
Dec 172014
 

Recently, I had to fill out some security-related forms with the Canadian government. To do so, I had to log on to a government Web site and create an account using a preassigned, unmemorizable user ID.

While I was doing that, I had to set up a password. It seems that the designers of the government Web site are familiar with XKCD, because their password policy (which also includes frequent password expiration and rules to prevent the reuse of old passwords) seemed like an exact copy of the policy ridiculed here:

Once I managed to get past this hurdle, I had to complete some forms that were downloadable as PDFs. Except that the forms (blank forms!) were in the form of encrypted PDFs, which made it impossible for me to load them with my old copy of Acrobat 6.0 for editing. The encryption was trivial to break (print to PostScript, remove encryption block using an editor, convert back to PDF) but it was there just as an annoyance.

If they invited me to audit their security policy (of course they wouldn’t), I’d ask them the following questions:

  1. What is the rationale of your password expiration/password strength policy, ignoring best advice from actual security experts who know the meaning of terms like “entropy”? What are the data supporting Draconian rules that, effectively, force infrequent users to change their passwords every time they log on to your system?
  2. What is the rationale behind your policy to encrypt PDF files unnecessarily? Exactly what threat is this supposed to address, and what is the anticipated outcome of employing this security measure?
  3. Now that you have successfully alienated your users, what are your plans for detection, analysis, mitigation and recovery in case a real attack occurs? Would you even know when it happens?

I suspect that the real answer to the last question is a no. Security theater is not about protecting systems or preventing attacks; it’s about protecting incompetent hind parts from criticism.

 Posted by at 8:55 pm
Jun 212014
 

Having been annoyed by a Firefox crash a few weeks ago, I decided to give Google’s Chrome browser a serious try on my Windows desktop. I am, after all, using Chrome on my Android phone and tablet, so I figured I might as well swear allegiance to our Google overlords on my desktop as well…

But it’s not going to happen, not just yet. Yesterday, after I managed to close a tab in Chrome by accident one too many times, I Googled for ways to disable the “X” in tabs other than the active tab… only to find that Google years ago declared that they don’t consider this a problem and they would not solve it. Indeed, I find Chrome’s customization features rather limited compared to what is available in Firefox under about:config.

So, I switched back. I shall be using Firefox for the time being. I am still keeping Chrome on standby, just in case Mozilla goes berserk (their recent UI changes were not exactly welcome with open arms by much of the user community, myself included; who knows what new insanity awaits us in the pipeline.)

And, it seems that I am not alone.

 Posted by at 3:28 pm
Jun 012014
 

I just saw a report on CTV about Ubisoft’s new game, Watch Dogs.

It appears to be a fascinating game. And it’s available on the PC.

Yet, I won’t be playing it anytime soon. The reason? Stupid DRM.

People who opted to purchase the game, including people who preordered it, were unable to play because DRM servers crashed and were unavailable. The illogic of screwing paying customers while doing very little to hinder the actual pirates (who, after cracking the game, will have a hassle-free playing experience unencumbered by stupid DRM schemes) baffles me.

I refuse to use pirated copies but I also refuse to pay good money for something that is designed to treat me as a potential thief. Thief I am not, but neither am I an idiot.

Maybe a few years down the line, Watch Dogs will be made available DRM-free on GOG. Until then, there are more useful things to do than wasting my time with a stupid game anyway!

 Posted by at 6:56 pm
May 282014
 

A few months ago, I upgraded my rooted Samsung Galaxy S3 (SGH-I747M) smartphone. In the process, I lost root, which was rather annoying. I was able to re-root the phone using CF-Auto-Root, but only after decrypting its memory first. When I tried to re-encrypt the phone afterwards, the process failed. The log (adb logcat) showed that it was unable to unmount the /data partition.

I have since tried several approaches to encrypt the phone while retaining root, but to no avail. Here are the things I tried over the past few months:

  • Temporarily disabling SuperSU;
  • Disabling SuperSU using Triangle Away;
  • Wiping the phone (factory reset) while retaining root;
  • Turning off SuperSU logging;
  • Booting into Safe Mode;
  • Manually unmounting /data and most other partitions;
  • As above, in Safe Mode;
  • Unrooting, encrypting, and then rooting using Kingo Android Root (supposedly worked for some people; didn’t root the phone for me).

OK, I give up. I don’t really need to encrypt the stupid phone.

 Posted by at 9:12 pm
Apr 292014
 

The other day, I watched a delightful 30+ year old movie that I never saw before, The World According to Garp. In one scene, the protagonist decides to buy a house after a small airplane crashes into it, explaining that it is unlikely to ever happen again; that house has been “pre-disastered”. (Yes, it’s a logical fallacy, but the scene was still funny.) I think it was this movie that inspired me today, when I finally managed to talk to a human representative at Scotiabank, after being endlessly and needlessly frustrated by a voice recognition answering system.

450px-Sony_Qrio_Robot_2Voice recognition systems infuriate me. I am not alone, and this should come as no surprise. The phenomenon when something that looks, feels (or in this case, sounds) almost, but not quite, human creeps out people is so well known, it even has a name: Uncanny Valley. I am perfectly comfortable with answering systems that ask me to make menu choices by pressing buttons on my phone. Yet I am filled with blind fury and rage by voice response systems that, usually in an overly friendly and syrupy-sweet voice, ask me to explain, in words, what I am calling about. “I WANT TO TALK TO A FREAKING HUMAN YOU STUPID MACHINE!”

Fortunately, my self-control prevailed this morning. When (after stabbing “0” more than a few times with my finger while shouting nonsense, finally convincing the voice recognition algorithm to give up) I was at last connected to an actual (very nice) human lady, I remained polite. However, at the end of our conversation, I could not refrain from asking her to please pass on my request to the Powers That Be at Scotiabank to get rid of this stupid voice recognition system. She agreed that indeed, many customers are annoyed like I was. I commented on the fact that it was usually people like her who become the victims of their callers’ anger… when they arrive, like I did, pre-high-blood-pressured. She laughed so hard… I think I made her day.

As I am writing this, I am thinking that there might be another way to climb out of the uncanny valley: better AI. This is, after all, 2014, the age of self-driving cars and Google Search that knows what you are about to type even before you do. I could easily imagine a voice recognition system that, instead of spoon feeding me instructions like I was mentally retarded, began a natural conversation: “Hello, this is the Scotiabank automated assistant. This call may be recorded for quality assurance. How can we help you today?” (Avoid talking like the caller was retarded. Avoid using “I” because you are not a self-aware person. Speak in a natural voice, not like you were talking to someone hard of hearing, not unless they indicate that they are, in fact, hard of hearing.) If this system could actually carry out a decent conversation instead of being a poorly thought-out replacement of a touchtone menu system, it might work a lot better… and, for that matter, may even reduce the need for human operators as I bet it could respond to many inquiries successfully without human intervention.

 Posted by at 9:09 pm
Apr 102014
 

In light of the latest Internet security scare, the Heartbleed bug, there are again many voices calling for an end to the use of passwords, to be replaced instead by fingerprint scanners or other kinds of biometric identification.

I think it is a horrifyingly, terribly bad idea.

Just to be clear, I am putting aside any concerns about the reliability of biometric identification. They are not as reliable as their advocates would like us to believe, but this is not really the issue. I am assuming that as of today, biometric technologies are absolutely, 100% reliable. Even so, they are still a terrible idea, and here is why.

First, what happens if your biometric identification becomes compromised? However it is acquired, it is still transmitted in the form of a series of bits and bytes, which can be intercepted by an attacker. If this were a password, you could easily change it to thwart an attack. But how do you change your fingerprint? Your retina print? Your voice? Your heartbeat?

Second, what happens if you “lose” your biometric identification marker? Fingers get chopped off in accidents. People lose their eyesight. An emergency tracheotomy may deprive you of your normal voice. What then?

And what about privacy concerns? There have been rulings I understand, in the US and perhaps elsewhere, that imply that the same legal or constitutional guarantees that protect you from being compelled to reveal a password may not apply when it comes to providing a fingerprint, a DNA sample, or other biometric markers.

The bottom line is this: a password associating an account or a service to a unique piece of secret knowledge. This knowledge can be changed, passed on, or revoked, and owners may be protected by law from being compelled to reveal it. Biometric identification fundamentally changes this relationship by associating the account or the service with an unmalleable biometric characteristic of a person.

Please don’t.

 Posted by at 10:27 am
Apr 082014
 

winxp-supportMicrosoft officially ended support for Windows XP today.

I hope someone will sue the hell out of them.

To be clear, I understand why they are doing this: they don’t want to continue supporting forever an obsolete, 14 year old operating system.

But something like one quarter or so of the world’s computers continue running Windows XP. One can argue that Microsoft is not responsible for the behavior of system owners who, for whatever reason, choose not to update their systems. But what about those who do everything right and still become the victims of cyberattacks that utilize networks of unpatched Windows XP computers? The decision to terminate support makes Microsoft a de facto accomplice of these cybercriminals.

My fearless prediction is that within a few months, Microsoft will quietly start releasing high priority security patches for Windows XP again.

Meanwhile, Microsoft began releasing a significant update to Windows 8.1. I noticed that when I updated my Windows 8.1 laptop, it booted directly into the Windows desktop. Wow! Now all we need is a decent Start menu and the ability to perform basic system configuration tasks without going through the touch-optimized “Modern UI” and all will be bliss again. One of these days, I might even upgrade one of my development workstations to Windows 8.1!

 Posted by at 10:21 pm
Mar 112014
 

The computer game Myst is best known as the first “killer game” of the early CD-ROM era. A game that became the reason for many to purchase CD-ROM drives for their computers. A game that was played not just by geeks but by users who never touched a computer game before. Myst remained the all-time best-selling PC game for the better part of a decade.

Myst spawned its own mythology, and a series of three books. It also spawned five sequels, among them Uru, the company’s flawed yet hauntingly beautiful attempt to create a massively multiplayer online game. The final game in the Myst series was Myst V: End of Ages.

The other day, I pulled out my copy of Myst V, mainly to look at the wonderful worlds (or Ages, as they are called in the game) that I visited as a player. Perhaps the most breathtaking is the age called Todelmer. The player lands on top of a massive spire, towering high above the lower atmosphere of what appears to be a moon orbiting a ringed planet. Puzzles involve bringing some of the machinery back to life, reconnecting pieces of an ancient astronomical observatory.


Todelmer seems as beautiful as it was when I first saw it. Too bad it only exists in the imagination.

 Posted by at 7:22 pm