Dec 14, 2023

I wanted to check something on IMDB. I looked up the film. I was confronted by an unfamiliar user interface. Now unfamiliar is okay, but the UI I saw is badly organized, key information (e.g., year of release, country of origin) difficult to find, with oversized images at the expense of useful content. And no, I don’t mean the ads; I am comfortable with relevant, respectful ads. It’s the fact that a lot less information is presented, taking up a lot more space.

Fortunately, in the case of IMDB I was able to restore a much more useful design by logging in to my IMDB account, going to account settings, and making sure that the Contributors checkbox was checked. Phew. So much more (SO MUCH MORE) readable, digestible at a glance. Yes, it’s smaller print. Of course. But the information is much better organized, the appearance is more consistent (no widely different font sizes) and the page is dominated by information, not entertainment in the form of images.

IMDB is not the only example. Recently, after I gave it a valiant try, I purposefully downgraded my favorite Android e-mail software as its new user interface was such a letdown. At least I had the foresight to save the APK of the old version, so I was able to install it and then make sure in the Play Store settings that it would not be upgraded. Not that I am comfortable not upgrading software but in this case, it was worth the risk.

All this reminds me of a recent discussion with a friend who works as a software professional himself: he is fed up to his eyeballs with the pervasive “Agile” fad at his workplace, with its mandatory “Scrum” meetings and whatnot. Oh, the blessings of being an independent developer: I could tell him that if a client mentioned “Agile” more than once, it’d be time for me to “Scrum” the hell out of there…

OK, I hope it’s not just grumpy ole’ complaining on my part. But seriously, these trendy fads are not helping. Software becomes less useful. Project management culture reinvents the wheel (I have an almost 50-year-old Hungarian-language book on my shelf on project management that discusses iterative management in depth) with buzzwords that no doubt bring shady consultants a lot more money than I ever made actually building things. (Not complaining. I purposefully abandoned that direction in my life 30 years ago when I quietly walked out of a meeting, not having the stomach anymore to wear a $1000 suit and nod wisely while listening to eloquent BS.) The result is all too often a badly managed project, with a management culture that is no less rigid than the old culture (no fads can overcome management incompetence) but with less documentation, less control, less consistent system behavior, more undocumented dependencies, and compromised security. UI design has fads that change with the seasons, united only by results that are about as practical as a Paris fashion designer’s latest collection of “work attire”.

OK, I would be lying if I said that only bad things come out of change. Now that I use AI in software development, not a day goes by without the AI teaching me something I did not know, including tools, language features and whatnot that can help improve the user experience. But it would be so nice if we didn’t take three steps back for every four steps forward.

 Posted by at 10:21 am
Aug 08, 2023

For the longest time as developers, we were taught not to reinvent the wheel. “There is a library for that,” we were told, so instead of implementing our own solutions for common, recurring tasks, we just imported and linked the library in question.

And sure, it made a lot of sense. Countless hours of development time were saved. Projects were completed on time, within budget. And once the system worked, it, well, worked. So long as there was a need to maintain the software, we just kept the old development tools around for the occasional bug fix and recompile. I remember keeping a Visual Studio 6.0 configuration alive well into the 2010s, to make sure that I could offer support to a long-time customer.

But then… then came the Internet. Which implied several monumental paradigm shifts. One of the most fundamental among them is that a lot of software development no longer targeted cooperating users in a closed environment. Rather, the software was exposed to the public and, well, let’s face it, not all members of the public have the best intentions in mind when they interact with our systems.

Which means that third-party code turned from an asset into a substantial liability. Why? Because of potential security issues. Using old versions of third-party libraries in public-facing systems is an invitation for disaster. Those third-party components must be kept up-to-date. Except…

  • Updating a component may break other things. There is a need for extensive regression testing, especially in complex systems, to ensure that an upgrade does not result in unintended consequences.
  • Updates are not always available. The third-party code may no longer be supported. Source code availability can mitigate this to some extent, but it can still result in a disproportionate level of effort to keep the code secure and functional.
  • Long-term reliance on third-party code implies long-term reliance on the integrity and reliability of the vendor. Code ownership can change, and the new owners may have different objectives. In extreme cases, once reliable third-party code can end up being used as Trojan code in planned cyberattacks.

For a while, there was a great need for third-party code in Web development. HTML4 had limitations, and browser implementations varied wildly. Widely used third-party libraries like jQuery made it possible to prepare code that ran well on all major platforms. But this really is not the case anymore. “Out of the box” HTML5, CSS3 and modern JavaScript are tremendously capable tools and the implementation across major browsers is quite consistent these days, with only minor idiosyncrasies that can be easily dealt with after a modest amount of testing.

So really, my advice these days to anyone developing a new Web application is to avoid third-party libraries when possible. Especially if the application is intended to have a long life-cycle. Third-party code may cut down development time slightly, but the long-term costs may far exceed those savings. And there will still be more than enough to do just to keep up with other changes: witness the changes over time that occurred in browser security models, breaking once functioning Web applications, or the changes between, say, PHP5 and PHP7.

And of course there are still valid, legitimate use cases for specialized third-party libraries. For instance, in a recent project I used both MathJax (for rendering mathematical formulas) and markdown (for rendering displayed code). Developing something like that from scratch is just not an option.

Why am I harping on all this? I am currently facing a minor crisis of sorts (OK, that may be too strong a word) as I am trying to upgrade my Web sites from Joomla 3 to Joomla 4. Serves me right, using a third-party content management system instead of writing my own HTML! Worse yet, I used some once popular extensions with Joomla, extensions that are no longer supported, and which are wholly incompatible with Joomla 4. Dealing with this is difficult and time-consuming.

It would be a lot more time-consuming were it not for the help I get from our LLM AI friends. Thankfully, these tools, GPT-4 in particular, are immensely helpful. E.g., one third-party Joomla extension I used offered a nice way to present images as clickable thumbnails. This extension is now badly broken. However, GPT-4 already helped me write a clean, functional alternative that I’ll be able to use, and thus avoid having to redesign some important pages on my site.

 Posted by at 2:16 am
Sep 28, 2021

I began to see this recently. Web sites of dubious lineage, making you wait a few seconds before popping up a request to confirm that you are not a robot, by clicking “Allow”:

Please don’t.

By clicking “allow”, you are simply confirming that you are a gullible, innocent victim who just allowed a scamster to spam you with bogus notifications (and I wouldn’t be surprised if at least some of those notifications were designed to entice you to install software you shouldn’t have or otherwise do something to get yourself scammed.)

Bloody crooks. Yes, I stand by my observation that the overwhelming majority of human beings are decent. But those who aren’t are no longer separated from the rest of us by physical distance. Thanks to the Internet, all the world’s crooks are at your virtual doorstep, aided by their tireless ‘bots.

 Posted by at 2:59 pm
Apr 17, 2021

Yesterday it was hardware, today it was software.

An e-mail that I sent to a bell.ca address was rejected.

Perhaps I am mistaken but I believe that these Bell/Sympatico mailboxes are managed, handled by Yahoo!. And Yahoo! occasionally made my life difficult by either rejecting mail from my server or dropping it in the recipient’s spam folder. I tried to contact them once, but it was hopeless. Never mind that my domain, vttoth.com, is actually a few months older (July 1, 1994 as opposed to January 18, 1995) than Yahoo!’s and has been continuously owned by a single owner. Never mind that my domain was never used to send spam. Never mind that I get plenty of spam from Yahoo! accounts.

Of course you can’t fight city hall. One thing I can do, instead, is to implement one of the protocols Yahoo wants, the DKIM protocol, to authenticate outgoing e-mail, improving its chances of getting accepted.

But setting it up was a bloody nuisance. So many little traps! In the end, I succeeded, but not before resorting to some rather colorful language.

This little tutorial proved immensely helpful, so helpful in fact that I am going to save its contents, just in case:

https://www.web-workers.ch/index.php/2019/10/21/how-to-configure-dkim-spf-dmarc-on-sendmail-for-multiple-domains-on-centos-7/

Very well. It is time to return to more glamorous activities. It’s not like I don’t have things to do.

 Posted by at 2:57 pm
Sep 16, 2019

Very well, I’ve been had. I lost all my bitcoin savings.

Don’t worry, it was not much. Approximately 0.0113 bitcoins. Just over a hundred US dollars at current exchange rates. And it’s not like I didn’t know from the onset that something fishy was going on. Of course I was not planning to hand over my hundred bucks to a scam artist, but I figured the learning experience was worth the risk. I had no idea how things would play out, except for one thing: I knew I was not going to get richer, but my risk was limited to my meager bitcoin holdings.

Here is how it began. I became acquainted with a Neale H. Spark* on Quora. At first, we exchanged some private messages, in part about some of the answers I wrote. But soon, he started talking about the business he is in, cryptocurrency. He seemed legit: I looked him up. A cryptocurrency expert, member of a listed cryptocurrency company’s advisory board. He asked if I wanted to invest some bitcoins into cloud mining, because supposedly, I can make “8% a day”.

OK, red flags are up. Nobody, and I mean nobody, is paying you 8% daily interest. That this was a scam, of that I had no doubt, but I just couldn’t resist: I had to understand how the scheme worked.

It so happened that I actually had some bitcoins, those 0.0113 BTC, in a bitcoin wallet. So what the heck… let’s play along.

As soon as I agreed to become his victim (not that he called me that, mind you), this Mr. Spark kindly set up a “mining enabled” bitcoin account for me at blockchain.com. He provided me with all necessary details and soon enough, I was able to manage the account. I then transferred my bitcoin holdings from my other wallet to this one.

And within 24 hours, I received about 0.0008 bitcoins. And again, 24, 48, 72 hours later. I was told by Mr. Spark that this money is not completely free money: that there will be a “mining fee”, which sounded odd because how can they charge any fee to my bitcoin account? But you know what, let’s see what happens. Indeed, after about a week of regular, daily payments, four days ago I actually got charged about 0.0008 bitcoins. But the payments continued: after two more payments, my bitcoin holdings were getting close to double my initial investment.

Meanwhile, Mr. Spark called me several times on the phone. It was always a bad connection, suggesting to me that he was using a VoIP phone, but for what it’s worth, his calls came from a California number consistent with his place of residence. He was advising me that I should invest a lot more; that investors who put in a full bitcoin or more (that would be $10,000 US) are doing much better. I told him that I’d think about it. He asked when I might make my decision. I said he’d be the first to know. He did not sound happy.

Indeed, the phone calls stopped and for the past two days, I received no e-mail notification of payments in my bitcoin wallet either. So earlier today, I went to check the wallet, and whoops: all my bitcoins are gone. The wallet was zeroed out two days ago.

I sent this Mr. Spark a Quora message but I am not expecting a reply. On the other hand, I think I can reconstruct what actually happened, so my bitcoins were, after all, well spent: I did learn some intriguing details.

For starters, I am pretty certain that the Quora account doesn’t actually belong to the real Neale H. Spark. I tried to find information online about Mr. Spark but I was unable to locate a valid e-mail address or social media account. The person is undoubtedly real, mentioned in a 201█ press release by G█████ T███████████ as a newly minted member of their advisory board. But Mr. Spark seems like a rather private person with little visible online presence.

The Quora account was only created about a month ago. It has very low activity.

The aggressive sales tactics seemed odd from a noted expert, and represented another indication of fraud. But how exactly was the fraud committed?

Here is how. It all started when “Mr. Spark” kindly set up that “mining-enabled” Bitcoin wallet for me on blockchain.com. I knew something was not kosher (what exactly is a “mining enabled” account, pray tell?) but in my ignorance of the technical details of cryptocurrency wallets, I could not quite put my finger on it. When I received the account info, everything checked out and I was able to secure the account, restricting transactions with two-factor authentication and even by IP address.

However, unbeknownst to me, “Mr. Spark” must have copied down the blockchain.com wallet backup phrase: twelve words. The company warns me: Anyone with access to my backup phrase can access my funds. What I didn’t know is that the backup phrase can be used anywhere. They need not access the wallet through blockchain.com; with the appropriate cryptocurrency software, they can recreate the wallet and empty it.

Which means that my entire blockchain.com wallet was compromised from the onset. Never mind the steps that I took, setting up two-factor authentication and all… It was never really my wallet to begin with.

The big warning sign was when the crook first processed a “mining fee”. I did not understand the details, but I knew that something was wrong. No third party can take money from your bitcoin wallet, “mining enabled” or otherwise. Yet at the same time, I continued to receive small payments, so I was still waiting for the other shoe to drop.

I guess eventually “Mr. Spark” decided that I was unlikely to invest more into his scheme, but more likely, I was not his only or biggest victim. You don’t set up an elaborate scam like this, with a fake social media account, fake phone number and all to just steal a hundred bucks from someone. (That would be a less effective, and certainly more risky, way of making money than working at minimum wage.)

There is the usual, “if it’s too good to be true” lesson here: Nobody is going to pay you 8% interest a day. OK, I knew that. I also knew that cloud mining is a very risky proposition, the returns are not spectacular and fraud is rampant. I didn’t have to spend a hundred bucks to learn this.

But there is also a valuable technical lesson. I had zero experience with cryptocurrency wallets in the past, and thus I did not realize that anyone setting up the wallet basically has a permanent, irrevocable key to that wallet. And when a sum, however small, goes missing from your bitcoin wallet, it is a guaranteed indicator that the wallet is compromised.
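A worked illustration of the technical lesson above (added here as an example; it is not code from the original post). Assuming the twelve-word backup phrase is a BIP39 mnemonic, as such phrases normally are, the wallet seed is a pure function of the words: anyone who copied them during set-up can regenerate the identical wallet in any software, and nothing about the hosted account (login, 2FA, IP restriction) enters the computation. The phrase used is BIP39’s published all-“abandon” test vector, not a real wallet, and the ledger at the end is constructed to mirror the daily credits, the “mining fee” debit and the final sweep described in the post.

```python
import hashlib
import unicodedata
from decimal import Decimal

# BIP39's first published test vector (entropy all zeros). Constructed input
# for the demo; it controls no real funds.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a backup phrase.

    BIP39 specifies PBKDF2-HMAC-SHA512 over the NFKD-normalised words, with
    the salt "mnemonic" + optional passphrase and 2048 iterations. Note what
    is NOT an input: the hosting site, its login, 2FA or IP allow-list.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048
    )


def recreated_elsewhere_matches(phrase_seen_by_owner: str,
                                phrase_copied_at_setup: str) -> bool:
    """A phrase copied during account set-up reproduces the identical seed on
    any other machine; the hosted account's controls never see that wallet."""
    return (mnemonic_to_seed(phrase_seen_by_owner)
            == mnemonic_to_seed(phrase_copied_at_setup))


# Constructed ledger mirroring the post: daily credits, then a "mining fee"
# debit, then the sweep. Amounts in BTC; negative = leaves the wallet.
LEDGER = [
    {"id": "deposit", "amount": Decimal("0.0113")},
    {"id": "credit-1", "amount": Decimal("0.0008")},
    {"id": "credit-2", "amount": Decimal("0.0008")},
    {"id": "mining-fee", "amount": Decimal("-0.0008")},
    {"id": "credit-3", "amount": Decimal("0.0008")},
    {"id": "sweep", "amount": Decimal("-0.0129")},
]


def unauthorised_debits(ledger, owner_signed: set) -> list:
    """Any outgoing transaction the owner did not sign proves that someone
    else holds the key: no third party can charge a fee to a wallet."""
    return [tx["id"] for tx in ledger
            if tx["amount"] < 0 and tx["id"] not in owner_signed]


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("seed:", seed.hex())
    print("flagged:", unauthorised_debits(LEDGER, owner_signed=set()))
```

The derivation uses only the standard library; the point is that the seed depends on the words (and an optional passphrase) and on nothing else, which is why a phrase shown to anyone during set-up is a permanent key rather than a recoverable credential.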

There is also another thing that I did not realize until today. Namely that the Spark account on Quora is almost certainly a fake, an impersonation. In fact, it was not until I actually asked myself, “how can this chap commit such fraud under his own name?” that I came up instantly with the obvious answer: he didn’t. Rather, a scamster used the name and credentials of a respectable but social media shy expert to set up shop and rip off his victims. That I did not think of this possibility earlier is a consequence of my prejudice. I had very low expectations to begin with, when it comes to people in the speculative cryptocurrency business. So neither the cheap VoIP line nor the pushy behavior raised additional red flags: I was wondering what scam the real Neale Spark was dragging me into; I did not expect to be dealing with an impostor.


*Name altered to protect the privacy and reputation of the person who was impersonated.

 Posted by at 7:49 pm
Aug 21, 2019

I am reading an article in The Register about a major Internet outage that occurred last December, when a handful of rogue packets managed to clog up a backbone network for more than a day and a half, blocking even VoIP 911 calls.

There are two rather frightening aspects of this fiasco. Both rather horrifying, as a matter of fact.

First, that in this day and age, in late 2018, a backbone service provider can still be brought to its knees by something as simple as a malformed packet. What on Earth are you doing, people? Have you heard of penetration testing? Fault tree analysis? Auditing your equipment and system software? Or have these essential steps been dropped just so that you can report some cost savings to your shareholders?

But it really is the second point that I find particularly upsetting. To quote, “the nodes along the fiber network were so flooded, they could not be reached by their administrators”.

Say what? Are you telling me that you had no alternate means to access your nodes? Like, you know, something as crude and simple as a dial-up port with a command-line based management interface? I mean, this is something even my little home office network used to have, and when I dropped it last year, reacting to rising landline costs and the fact that I no longer used that data/Fax phone line at all, I did so because I have dual network connections. To learn that a major backbone provider doesn’t have the kind of redundancy that I take for granted for my own little network is disconcerting, to say the least.

I suppose I should stop rambling now, though. Truth to tell, I am ignorant as to how CenturyLink’s actual network is configured, and I certainly never managed a fiber optic backbone network. I am simply reacting to the main points of The Register’s article even though I cannot independently confirm its veracity. In my defense, The Register’s articles tend to be well written and accurate. Even so, criticizing from a position of ignorance is never a smart thing to do.

Nonetheless, if The Register is correct, this really is not how a transcontinental data network should be configured and managed. This also seems to be the FCC’s conclusion.

 Posted by at 5:04 pm
Jun 13, 2019

The news this morning is that former PM Jean Chrétien suggested that Canada should stop the extradition proceedings against Huawei CFO Meng Wanzhou, as a means to win back the freedom of the two Canadian hostages in China, Michael Kovrig and Michael Spavor. (Yes, I called them hostages.)

The case against Huawei runs a lot deeper, however, than the financial fraud Ms. Meng is alleged by US authorities to have committed.

There is also the question of espionage, including the possibility that Huawei’s 5G equipment cannot be trusted because of firmware or hardware level backdoors.

I repeatedly encountered the suggestion that this issue can be trivially remedied by using end-to-end encryption. Unfortunately, end-to-end encryption, even if properly implemented (ignoring for the moment our own Western governments’ recurrent pleas to have built-in backdoors in any such encryption algorithms), solves only part of the problem.

It still allows Huawei to steal metadata, such as where calls are routed or the amount and nature of data traffic between specific endpoints. Worse yet, no encryption prevents Huawei from potentially sabotaging the network when called upon to do so by the Chinese government.

For this reason, I reluctantly came to the conclusion that the US ban against Huawei is justified and appropriate. It must, of course, be accompanied by a suitable increase in spending on researching 5G communications technologies, because otherwise, we risk shooting ourselves in the foot by banning the use of equipment that is technologically superior to the available alternatives. This is a new situation for the West: The last time the West faced a great power adversary that matched Western scientific and technological capabilities was in the 1930s, with Nazi Germany.

As for Ms. Meng, I think the suggestion to suspend the extradition process is wholly inappropriate. It would signal to the world that Canada is willing to suspend the rule of law for the sake of hostages. However strongly I feel about Messrs. Kovrig and Spavor, however strongly I desire to see them released, this is not a price Canada should be willing to pay.

 Posted by at 5:56 pm
Mar 30, 2019

Content management software that I use, Joomla! and WordPress in particular, has been complaining for a while now that the PHP version that runs on my servers is outdated and potentially insecure. Not exactly true, as PHP 5.4 remains part of the official Red Hat/CentOS release, but it would certainly be prudent for me to attempt an upgrade.

I tried to do just that last night, on a test server. And it was a miserable failure, a waste of many hours that I will never get back, to make no mention of the heightened risk of cardiovascular disease due to my elevated blood pressure caused by all that frustration.

The relatively easy part? PHP 7 complaining that its just-in-time compilation feature ran out of memory. Easy-peasy, I can disable JIT. Check.

But then: several of my Joomla! sites refused to run, with a cryptic and ultimately meaningless error message and nothing in the logs. And at least one Joomla! site just got itself into an infinite redirect loop. But why?

I tried many things. I kept looking for answers on Google. Nothing worked. Eventually I took two of my Joomla! sites that are very similar in nature, and began comparing their settings, side-by-side. One worked, the other didn’t. Why?

I then stumbled upon a custom Joomla! module, one that I wrote to support some ads that appear on my sites. This module was installed on the site that failed, but not used on the other. I disabled the module and, presto, the site was working with PHP 7. I re-enabled the module and the site was dead again. So… why?

Well, the module contains some PHP code. Which, after some preamble that allows it to connect to the internal data structures of Joomla!, begins the real work by accessing the MySQL database that contains the actual ads:

$conn = mysql_connect("localhost");
mysql_select_db("www");
$res = mysql_query("SELECT PAGEID,ADTEXT FROM ...

Oops.

You see, mysql_ calls have been deprecated and REMOVED from PHP starting with version 7.

And I have hundreds, if not thousands, of lines of legacy code* (including, e.g., my calculator museum at rskey.org) that rely on this old library.

So I guess that PHP 7 upgrade will have to wait a while longer. Looks like I have no choice but to rewrite the affected pieces of code everywhere, as there is no other long-term solution. (Even if I find a third-party PHP plugin that re-enables the mysql_ calls, how long will that continue to work? How reliable will it be?)

What a muckup. Grumble. And I do have other work to do.

 Posted by at 10:40 am
Mar 28, 2019

Even as Facebook is battling white supremacism and fighting accusations of racial profiling, there is more nonsense going on.

In the past few days, I received several Facebook requests from accounts purportedly owned by young women, whose profiles contain sexually explicit, rather pornographic images and videos.

Here is one of the mildest ones (the majority of the images in this and other accounts from which I received friend requests were far, far more explicit in nature, including images depicting intercourse):

I do not wish to be a prude here; I am, after all, a middle aged male in relatively good health, and certainly not immune to, ahem, shall we say, visually stimulating images (though I admit I was never a fan of hard-core pornography. Not my cup of tea.)

But these Facebook accounts are obviously not accounts owned by bona fide young women trying to seduce older, happily married males like myself. They are probably overweight middle-aged male scam artists doing their shady business from their parents’ basements. Or worse yet, organized crime operating out of shady boiler rooms somewhere in Eastern Europe or Asia.

Thanks but no thanks. I have presently no desire to break my marital vow, but even if I did, there are better, safer ways.

As for these friend requests, I just block them and report the accounts to Facebook.

 Posted by at 2:08 pm
Jun 16, 2018

When I was a teenager, the classic novel, The Count of Monte Cristo by Alexandre Dumas, was one of my favorites.

And one of my favorite chapters in that book was a chapter with an uncanny (not to mention unusually long) title: “How a Gardener May Get Rid of the Dormice that Eat His Peaches”. In it, Dumas describes a classic hack: exploiting the human in the system. By bribing an operator of France’s early optical telegraph network, the book’s protagonist is able to plant a false message, which ultimately contributes to the downfall of one of his mortal enemies. In short: a targeted cyberattack on a telecommunications network.

What I did not know, however, is that this chapter may have been inspired by real life events. About ten years before Dumas published his novel, the brothers François and Louis* Blanc managed to hack the telegraph network in a manner even more sophisticated than the hack described in Dumas’s book. Yes, the real-life hack relied on bribing operators, too, but it also involved a case of steganography: inserting a coded message that would piggyback on the original telegraph transmission. Not only did the scheme succeed; like any good hack, it remained in place and undetected for two years. And when it was finally detected, the Blanc brothers were charged but never convicted; there were, after all, no laws on the books back in the 1830s against misuse of data networks.


*Well, that’s what Wikipedia tells me. It appears that the twins are misidentified as Francois and Joseph in several English-language publications. Francois was later known as The Magician of Monte Carlo, a casino that he owned and where he first introduced the single-0 style roulette wheel.
 
 Posted by at 7:52 pm
Nov 10, 2017

I’ve seen several news reports commenting on the fact that Donald Trump was using Twitter while visiting China. That despite the fact that Twitter is one of those Western services that are blocked by China’s “Great Firewall”. Some even speculated that Trump was using a military communications network or some other exotic technology to circumvent Chinese restrictions. (As if the US military was foolish enough to let this idiot of a president’s unsecure smartphone access their network.)

But reality is much more mundane, as I know quite well from personal experience in China.

When you are traveling with a phone registered to a foreign service provider, your Internet connection initiates from that provider’s network. So insofar as the Internet is concerned, you are not even in China. Your connection initiates from your home country. In my case, whenever I used my phone in China for Internet access, I accessed the Internet from an IP address registered with my Canadian cellular service provider, Rogers. I had unrestricted access to Google, Facebook, CNN and other news sites, with no Chinese restrictions.

Trump probably did exactly what I did, except that he probably worried about international data roaming charges and data caps a little less than I. He grabbed his phone, turned it on, and used it without a second thought. (OK, that’s not exactly like me. Trump was probably not surprised to see Twitter work on his phone in China, because he probably knows very little about the Great Firewall. I was mildly surprised myself, especially as I went there prepared for the worst, with multiple overt and covert VPN options prepared just in case I needed them. Which I did… but only when I was using the hotel Wi-Fi instead of the cellular network.)

 Posted by at 9:21 am
May 29, 2017

Is your mother proud of you being a crook?

I have asked this question many times in recent months; basically, every time I receive a call from the “computer support department”, trying to tell me how my computer is full of viruses or whatever.

I usually don’t expect an answer; as a matter of fact, I usually just hang up, although more often than not, the other party hangs up first before I get a chance. Understandable… that’s what they are trained to do by their criminal masters.

Today, for some reason, I chose not to hang up. And the gentleman on the other end of the line asked me to repeat myself instead of hanging up on me. I obliged. After a moment of silence, I actually got an answer.

“Well, sir, I need the money.”

That was an unexpectedly candid admission, not that I was not aware of this basic truth. These callers, usually in boiler rooms somewhere in India or Pakistan, do this because they need to earn a living.

But it’s one thing to earn a living, it’s another to defraud vulnerable people, old ladies and whatnot. I told that much to this agent. He just repeated himself, defensively: “But I need the money.”

So I told him that I understand. That I, too, was a refugee once 30 years ago. (True.) But even when I had no money, I did not start defrauding people. I asked him to think about this, please; then thanked him and hung up.

Did I accomplish anything? I don’t know. Is it valid to compare my situation 30 years ago: granted, a refugee, but a refugee in a first world country (Austria) with no family to worry about and with guaranteed shelter and food at the Traiskirchen refugee camp, which I declined to take advantage of only because I found work (no fraud involved, but it’s true that I had no work permit) and I was able to afford better accommodations?

Yes, I read Les Misérables. No, I do not want the poor to be disproportionately punished, with no grace or mercy.

Still, I think there is an ethical line to be drawn here. No matter how great your need is, I still don’t think this moral justification applies when you work for a criminal enterprise, earning a living from defrauding vulnerable people halfway around the world.

 Posted by at 2:21 pm
May 06, 2017

One of the major events during last year’s presidential campaign was the hacking of e-mails of the Democratic National Congress. In particular, the hacking of the e-mails of campaign chairman John Podesta.

How it happened is simple. Podesta received a bogus e-mail, purportedly from Google, that there was an unauthorized attempt to log in to his account, and that he should change his password. A helpful link in the form of a button was provided.

Podesta’s assistant was suspicious and asked for expert help. The expert inadvertently described the e-mail as “legitimate” (presumably, he meant to write “not legitimate” or “illegitimate”) but advised that Podesta should change his password, and provided the correct (Google) link for password changes.

The assistant forwarded the e-mail to Podesta, adding in her own words that “The gmail one is REAL”. This prompted Podesta to change his password… using the fraudulent link provided to him in the original message. By doing so, Podesta inadvertently disclosed his e-mail password to Russian hackers.

How do we know that they are Russian? There are many reasons to believe this to be the case, but I just noticed another peculiarity. (It is possible that I am not the first to notice this, of course.) Look at the subject line of the Podesta e-mails:

Subject: Sоmeоne has your passwоrd

Now try searching for the word “Someone” on this page using your Web browser’s built-in search feature (hitting Control-F activates this feature in most browsers). Can you see (or rather not see) how nothing in this Subject line is highlighted?

That is because several of the o’s in this subject line were typed on a Cyrillic keyboard, and they are Cyrillic characters. A Cyrillic ‘о’ appears very much the same as a Latin ‘o’, but it has a different code (hexadecimal 043e as opposed to 006f):

Funny thing is… I got this subject line straight from Wikileaks. You know, the same Wikileaks who are protesting high and low that the e-mail dump is not from Russia. Yet on their very own Web site, the e-mails that resulted in the Podesta hack contain Cyrillic characters. Go figure.
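A small check for exactly this kind of mixed-script spoofing, added here as an example (it is not from the original post, Wikileaks, or any tool mentioned above): it flags letters that fall outside the expected Latin script, reports their code points, and folds a small, assumed confusable map so that the spoofed subject compares equal to the plain one. The subject string and the confusable map are constructed for the example.

```python
import unicodedata

# Constructed after the subject line quoted above: three of the o's are the
# Cyrillic letter U+043E, the rest are Latin U+006F.
SUBJECT = "S\u043eme\u043ene has your passw\u043erd"

# Small confusable map (assumption: only Cyrillic letters that are visually
# identical to Latin ones in common fonts; extend it from Unicode's
# confusables data before relying on it in a real mail filter).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T", "\u0425": "X",
}

def script_of(ch: str) -> str:
    """Script prefix of the Unicode character name, e.g. 'CYRILLIC' or 'LATIN'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def find_mixed_script(text: str, base: str = "LATIN"):
    """List every letter whose script is not the expected base script.

    Returns (index, char, codepoint, script) tuples; an empty list means the
    text is single-script and a plain substring search behaves as expected.
    """
    hits = []
    for i, ch in enumerate(text):
        if ch.isalpha() and script_of(ch) != base:
            hits.append((i, ch, f"U+{ord(ch):04X}", script_of(ch)))
    return hits

def skeleton(text: str) -> str:
    """Fold known confusables to their Latin look-alikes so a homoglyph-spoofed
    string compares equal to the string it imitates.  NFKC normalisation does
    NOT do this: Cyrillic and Latin letters are distinct code points, not
    compatibility variants of each other."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

if __name__ == "__main__":
    # This is the browser Ctrl-F failure described above, reproduced in code.
    print("plain search finds 'Someone':", "Someone" in SUBJECT)
    for idx, ch, cp, script in find_mixed_script(SUBJECT):
        print(f"  index {idx}: {ch!r} {cp} {script}")
    print("skeleton:", skeleton(SUBJECT))
    print("NFKC alone fixes it:",
          unicodedata.normalize("NFKC", SUBJECT) == skeleton(SUBJECT))
```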

 Posted by at 8:34 pm
Feb 02 2017

“After a second notices he ran it on db1 instead of db2”… This sentence (somewhat shortened, to make a fitting title) describes the beginning of a colossally effed up night at GitLab.com.

In response to a spike in system load, which resulted in lag on a replication server, the operator thought that maybe restarting the replication server with a clean slate is a good idea. So he decided to wipe the replication server’s data directory.

Unfortunately, he entered the command in the wrong window.

I feel his pain. I did make similar mistakes before, albeit on a much smaller scale, and the memories still hurt me, years later.

I have to commend GitLab for their exceptional openness about this incident, offering us all a valuable lesson. I note that others also responded positively, offering sympathy, assistance, and useful advice.

I read their post-mortem with great interest. In reaction, I already implemented something that I should have done years ago: changing the background color of some of the xterm windows that I regularly open to my Linux servers, to distinguish them visually. (“Create issue to change terminal PS1 format/colours to make it clear whether you’re using production or staging”).

Of course similar incidents and near misses also changed my habits over the years. I rarely delete anything these days without making a backup first. I always pause before hitting Enter on a command that is not (easily) reversible. I have multiple backups, and tested procedures for recovery.

Even so… as Forrest Gump says, shit happens. And every little bit helps, especially when we can learn from the valuable lessons of others without having to go through their pain.

 Posted by at 10:13 am
Dec 13 2016

This morning, when I woke up, the regular status e-mails that my servers greet me with told me that there is a major CentOS update (version 7.3). Cool. Unfortunately, it meant that I needed to upgrade as many as five servers. This includes my main server, its physical backup, my backup server in NYC, another “in cloud” backup, and yet another server that I help administer. I began this process shortly after 8 in the morning, after I finished breakfast.

And as usual, a major upgrade like this brings to the surface little problems, little annoyances such as folders that had incorrectly configured SELinux permissions. No big deal, to be sure, but several such little things can consume hours of your time.

And then, it was also Microsoft Patch Tuesday, the second Tuesday of the month when Microsoft releases scheduled updates to Windows and other products. As soon as I was done with CentOS, my attention turned to my Windows machines, including my main workstation, its backup (actually, the same physical machine that also acts as my server’s backup in a dual-boot configuration), my wife’s desktop computer, two laptops, and last but not least, my old desktop that I still keep around as a backup/test computer.

Moreover, I also decided to update three virtual machines (one running Windows 7, the other two, Windows XP) that I keep around both for test purposes but also to have older software, older configurations available if needed.

Furthermore, when I update Windows, I tend to check and see if any other software packages need updating. On some computers, I run Secunia PSI, which keeps track of many applications. But even on other systems, I had to update Java (if installed), Adobe Flash, Chrome and Firefox.

And on older hardware, the process can be painfully slow.

To make a long story short, by the time I finished the bulk of this work, it was 7:30 in the evening. And one computer (a really low powered old netbook) is still doing its thing, even though it’s well past 11 PM now.

No wonder I didn’t accomplish much today.

Of course all of this needed to be done. Since I am a one-man band, I don’t have an IT department to rely on, but it is still important for me to keep my systems secure and well-maintained.

Nonetheless, it feels like one hell of a waste of a day.

 Posted by at 11:22 pm
Nov 23 2016

This was a potential nightmare scenario. Imagine if we found out that the swing state results of the Nov. 8 election were altered by hackers. Imagine if an investigation found that Hillary Clinton won these states after all, and hence, won the electoral college.

Remember the hanging chads of the 2000 election?

Why is it a nightmare? Because it would likely lead to a constitutional crisis with unpredictable consequences. Donald Trump would be unlikely to concede. But even if he did, tens of millions of his supporters would likely find the results unacceptable. Even the predictable disaster of a Trump presidency is preferable to a crisis of such magnitude.

And last night, the specter of just such a crisis was raised, in the form of a New York Magazine article (which was soon echoed by other news outlets), reporting on the doubts and suspicions of prominent scientists who noted a bias in the county-by-county results, more likely to favor Trump in counties where votes were counted electronically.

But not so fast, says fivethirtyeight.com. You cannot just compare the raw results without accounting for demographics. And once you take demographics into account, the apparent bias disappears. And while fivethirtyeight notes that it is difficult to validate the integrity of the voting system in the United States, nonetheless the burden of proof is on those who claim electoral fraud, and so far, the burden of proof has not been met.

I no more welcome a Trump presidency today than I did two weeks ago, but an orderly transition is still preferable to the chaos of a constitutional crisis.

Meanwhile, Clinton’s lead in the popular vote count increased to over two million votes (yes, they are still counting the votes in some states, including mighty California). This in itself is unprecedented: never in the history of the United States did a candidate win the popular vote with such a wide margin, yet lose the electoral college.

 Posted by at 6:31 pm
Nov 17 2016

It is rare these days that a piece of spam makes me laugh, but today was an exception. After all, it is not every day that I receive an e-mail notice, pretending (kind of) to be from UPS, informing me that my “crap” has been shipped:

Still trying to figure out though if the language was intentional, or simply a mistake made by a non-native English speaker unfamiliar with certain, ahem, idioms.

 Posted by at 1:16 pm
Nov 15 2016

I just came across this recent conversation with Barack Obama about the challenges of the future, artificial intelligence, machine learning and related topics. A conversation with an intelligent, educated person who, while not an expert in science and technology, is not illiterate in these topics either.

Barack Obama Talks AI, Robo-Cars, and the Future of the World

And now I feel like mourning. I mourn the fact that for many years to come, no such intelligent conversation will likely be heard in the Oval Office. But what do you do when a supremely qualified, highly intelligent President is replaced by a self-absorbed, misogynist, narcissistic blowhard?

Not much, I guess. I think my wife and I will just go and cuddle up with the cats and listen to some Pink Floyd instead.

 Posted by at 11:35 pm
Nov 12 2016

If there was a single cause that sank Hillary Clinton’s bid for the presidency, it was undeniably the “e-mail scandal”.

Which is really, really sad because it was really no scandal at all. I just read a fascinating account (written back in September I believe) that offers details.

Some of what happened was due to ineptness (either by Clinton’s team or the State Department’s), some of it was a result of outdated, inconvenient, or unreliable technology, some of it was just the customary bending of the rules to get things done… most notably, there was no recklessness, no conspiracy, no cover-up, just the typical government or, for that matter, corporate bungling. (And as I noted before, Clinton’s e-mails were likely more secure on the “home brew” server sitting in a residential basement than on the State Department’s systems.)

 Posted by at 4:47 pm
Jul 13 2016

Today, I took the plunge. I deemed my brand new server (actually, more than a month old already) ready for action. So I made the last few remaining changes, shut down the old server, and rebooted the new with the proper settings… and, ladies and gentlemen, we are now live.

Expect glitches, of course. I already found a few.

The old server, of which I was very fond, had to go. It was really old, the hardware about 7 years old. Its video card fan failed, and its CPU fan was also making noises. It was ultra-reliable though. I never tried to make this a record, but it lasted almost three years without a reboot:

$ uptime
 12:28:09 up 1033 days, 17:30, 4 users, load average: 0.64, 0.67, 0.77

(Yes, I kept it regularly updated with patches. But the kernel never received a security patch, so no reboot was necessary. And it has been on a UPS.)

This switcharoo was a Big Deal, in part, because I decided to abandon the Slackware ship in favor of CentOS, due to its improved security and, well, systemd. I know systemd is a very polarizing thing among Linux fans, but my views are entirely pragmatic: in the end, it actually makes my life easier, so there.

Anyhow, the new server has already been up 13 minutes, so… And it is a heck of a lot quieter, which I most welcome.

 Posted by at 12:45 pm