jducoeur: (Default)

Just came across an article on Ars Technica (yes, I'm behind): The intelligent intersection could banish traffic lights forever. It's neat stuff: basically, a researcher has designed a traffic-control system for autonomous vehicles, and demonstrated that by using such technology we could enormously reduce how often you have to stop at intersections -- not only speeding up travel times, but improving fuel efficiency quite a bit.

All of which is great, but my Security Architect senses are pinging here. This is postulating an external server that talks to the cars on the road and tells them what to do. That is absolutely terrifying if you understand the typical state of Internet-of-Things security.

But let's put a positive spin on this. This system is at least 1-2 decades from deployment as described (since it assumes only autonomous vehicles on the road). We might be able to head off disaster by figuring out the obvious hacks in advance, so they can be designed around.

So here's the challenge: name ways that a hacker could abuse this system, and/or ways to ameliorate those weaknesses.

I'll start with a few obvious ones:

  • Base story: I (the hacker) send out signals spoofing the controller for traffic intersection T, allowing me to cause nightmarish havoc. Possible solution: traffic controllers are listed in some well-known registry, signed with public keys, so that their signals can be authenticated to prevent spoofing.
  • Assuming the above hacking isn't prevented: I time the signals sent to the cars, telling them all to hit the intersection at the same moment. Crash! Solution: as a belt-and-suspenders thing, cars must not completely trust the signal controllers. Their autonomous checks have to override those signals, to prevent crashes.
  • Reverse of the previous: I send out signals telling all the cars, in all directions, that the intersection is currently blocked by opposing traffic. The entire city quickly devolves into gridlock. Solution: good question. I got nothing.

What else? I'm sure we can come up with more nightmarish scenarios, and possible solutions.

Yes, this may seem like overkill to think about now, but history says that, if you don't design the system around abuses, you will hurt forevermore. Security isn't something you add later: it should be baked into the designs from the get-go. (Which is why it accounts for a large fraction of Querki's architecture, despite the fact that we only have a couple hundred users yet...)

jducoeur: (Default)

Just came across this sobering article from a few weeks ago. Summary: LiveJournal has been sued, possibly successfully, over their ONTD group -- apparently somebody posted copyright-infringing material there, and because ONTD is vaguely official and (volunteer-)moderated, there's a strong suggestion that the traditional "safe harbor" provisions may not apply.

Suffice it to say, this is not good news. The precise details of how this falls out will determine how much (if at all) it damages the assumptions of zillions of websites, but a broad interpretation of it could be hugely damaging. One to keep an eye on...

ETA: Okay, it's worth reading the actual appellate decision, at least the summary at the top. (Much of this decision is nicely readable.) This clarifies several things:

  • First and most important, this wasn't a decision against LJ per se. Rather, it was the reversal of a summary judgement in favor of LJ. That is, the district court had simply dismissed the case on the grounds that LJ was clearly protected by the DMCA. The appellate court is essentially saying, "No, this one is kind of complicated -- let it go to trial".

  • Second, the key reason why this is muddy is that the moderation team of ONTD is apparently led by an LJ employee. ("Although users submitted Mavrix’s photographs to LiveJournal, LiveJournal posted the photographs after a team of volunteer moderators led by a LiveJournal employee reviewed and approved them.") So it's not just "the users" involved: LJ has a quasi-official presence in the group, so they might be legally liable. That's not actually surprising -- I could have told LJ that that's a legally dumb policy.

    (This is why Querki is designed to be strictly self-policing by the users, and why it's intentionally difficult (at the technical level) for company employees to mess with user Spaces: the line between "official" and "user-directed" needs to be crisp and sharp in order to enjoy solid DMCA protections.)

  • Third, ONTD isn't a normal LJ group. "In 2010, LiveJournal sought to exercise more control over ONTD so that it could generate advertising revenue from the popular community. LiveJournal hired a then active moderator, Brendan Delzer, to serve as the community’s full time “primary leader.” By hiring Delzer, LiveJournal intended to “take over” ONTD, grow the site, and run ads on it." So claiming that this group is run by "users", and therefore is protected by DMCA, is a bit disingenuous.

Overall, I'm somewhat less worried about it, having skimmed the decision. My read of this is that LJ got way too casual about DMCA, and did something strikingly stupid; Mavrix' claim that ONTD is not sufficiently independent to enjoy DMCA protection seems at least somewhat plausible on its face. The court is simply saying that, in this case, it is not obvious that LJ is covered by the DMCA.

While I do think Mavrix are kinda being assholes about it, by the spirit of the DMCA they may well have reasonable grounds for the suit. I'm not sure they're right, and I don't know how this will play out in court, but IMO the appeals court was probably correct in rejecting the summary judgement -- this one is messy, and does need to be properly litigated...

jducoeur: (Default)

Today in "boneheaded corporate moves", we have Verizon.

My mother has triple-play (Internet/phone/TV) service from Verizon; as such, her primary email address is currently through verizon.net, as you'd expect. She also has a Gmail address, that I nudged her into.

She got a letter yesterday, announcing that Verizon is terminating its email service. She has three weeks to decide whether to transition entirely to a third-party service, or switch to AOL.


Even Mom, who is, shall we say, not the most tech-savvy member of the family, had the reaction of, "Isn't AOL -- bad?". I've told her to just switch everything to her Gmail account: while Google may not be my favorite company in the world, this is yet more proof that getting your email through your ISP is just a bad plan.

But still -- AOL? Really? I mean, yes, they want to justify their ownership of the stupid company, but that's one of the most poisoned brands in the history of tech. Pushing all of their ISP customers over to it seems like a recipe to lose a lot of customers, with no obvious benefit.

Anybody have any insights into this apparently-foolish move?


Mar. 29th, 2017 08:42 am
jducoeur: (Default)

Here's an interesting article about "adtech" -- those automated algorithms that companies like Google and Facebook use to spy on you and serve up advertisements that they think you will respond to. The major upshots are:

  • Adtech is at best wildly ineffective, and at worst actively damaging, for brands that are trying to advertise.
  • The core precepts of adtech is going to be illegal in Europe starting next year.

I'm not sure how accurate all this is -- it sounds a tad self-serving in favor of traditional advertising, so I take it with a grain of salt -- but I suspect there's a substantial grain of truth in it. It clarifies a distinction that the tech world has been trying very hard to blur, between direct sales and branding. It appears to me that adtech works a little for direct sales, but I suspect the article is right that it's inappropriate for serious branding.

I find myself ever more glad that Querki's business plan is specifically not built on the "spy on the users for purposes of advertising" model, which is looking ever more rickety. Asking people to pay for a service is old-fashioned, but it at least makes sense...

jducoeur: (Default)

For the past week or two, Chrome has become surprisingly unstable -- it's been crashing on me about once a day. Weirdly, it is usually when I'm not using it that it crashes: typically, I wake my computer from idle and find that Chrome has gone splat.

Anybody else seeing anything like this? I'm mystified about where the problem is.

(And man, it is wonderful to know that DW now supports Markdown. Hadn't even occurred to me until they mentioned it in today's update. The custom entry URL thing is pretty neat, too...)

jducoeur: (Default)
[Trying out posting from DreamWidth. Let's see if everything is configured right.]

Just saw Rogue One.  Capsule Summary: not an epic for the ages, but a solidly good Star Wars movie, a good prequel with fine depth of appropriate detail.  While feeling like the main saga, this one has the freedom to be a more honest (and dark) war movie, which makes an interesting change of pace.  Worth seeing at the big Jordan's IMAX, which is why we didn't see it at Christmas.

But what I hadn't realized until I was there was that this movie was finally going to cross the Co-Starring A Dead Actor rubicon.  I've long known this was coming, and I had known that Grand Moff Tarkin appeared in the story, but I didn't realize he had such a significant part.  They didn't shy away from the challenge: he dominates several scenes.

Overall, it's a good effort, but they're not quite there yet.  It reminds me of starship battles before Independence Day -- while that was by no means a great movie, it was the first time I ever watched one of those scenes and couldn't perceive any seams: it just felt real.

Tarkin *doesn't* quite feel real here.  It's ever-so-close -- 90% of the way across the Uncanny Valley -- but something was still just a bit off.  I can't put my finger on what, but he looked like a character from a good videogame cut scene, not quite a person.

They'll get there.  Having done this in a major movie and not entirely fallen on their faces, I'm sure more movies will try this, and eventually somebody will get all the details right.  I wonder how many actors are already writing contracts that involve digital rights to their likeness.  (And what the eventual lawsuits are going to look like...)
jducoeur: (device)
[I'm mostly just posting links over in Facebook, but my more technical friends tend to be over here.]

Here is a really excellent collection of ideas about how to fight the Fake News problem -- the way that services like Facebook and Google have been used as propaganda tools by the people (on all sides) who are muddying truth by propagating bullshit. The article suggests a bunch of relatively plausible approaches, both technical and organizational, that these companies could use to ameliorate the problem without undermining their core missions.

It's explicitly not trying to present a comprehensive solution, just some possibilities. But it's a fine rebuttal to the usual line that these services are nothing but pipes, and can't do anything about it. I commend it to everyone, but especially my friends *at* the various big tech companies, who should consider passing this link around as useful food for thought...
jducoeur: (Default)
... and all I can think is, "Oh, look -- they've reinvented Clippy".
jducoeur: (Default)
It says something about the way I'm connected to the Internet that, when I get a Facebook PM during the workday:
  • The phone in my pocket gives a distinctive "bing", which tells me it's Facebook;

  • I glance at my watch, and about a second later it vibrates and shows me the beginning of the message, so I can see who it's from and how much I care;

  • If it looks interesting and I'm not in the middle of something, I flip over to the open Facebook tab in Chrome, which has just popped open the message for me to read and respond to (with the real keyboard).

  • If I'm too distracted at the moment, I'll get an email in a little while, which serves as a reminder to get back to this conversation.
(Facebook is the extreme case, but this multi-way interaction is *very* common for me nowadays.)

Having all these different modes of interaction, each tuned differently but closely tied together, has *seriously* changed the way I deal with online, more than I would have guessed in the pre-Pebble days. And for all that FB is an annoying system in many ways, this workflow suits me quite nicely...
jducoeur: (Default)
I would be exasperated by this one, if I didn't expect this kind of idiocy by now.

Finally allowed my laptop to upgrade to Windows 10. (Yes, intentionally -- it's a touchscreen laptop, originally built to 10 specs, and was bought with the expectation of upgrading eventually.)

That went fairly smoothly. Well, aside from the 30-second bluescreen that just says "Your files have not been moved" in big letters (no other text or anything) and won't respond to *anything*, which is probably supposed to be reassuring but mostly left me wondering if the laptop had been bricked. And of course, having to go through all of the settings manually, because their "express" settings are almost entirely bad. But I was kind of wondering why I didn't get any sort of "Hi! Welcome to Windows 10!" tutorial on what had changed.

I just discovered that I *did* get that. In email. In my Spam box, because as Gmail puts it:
Why is this message in Spam? It has a from address in communication.microsoft.com but has failed communication.microsoft.com's required tests for authentication.
Yes, they are essentially *telling* Gmail to send the email to Spam, because they don't know how to use the protocol correctly.

So close. But I suppose it wouldn't be Windows if it had a good upgrade experience...
jducoeur: (Default)
Home from SCA 50 Year (I did a quick, 4-day trip for the first half of it), catching up on email, and just got to this little oddness, which starts with:
On Monday (June 20th, 2016), Francisco Partners and Elliott Management announced they have signed a definitive agreement to acquire the Dell Software Group. This transaction includes Dell’s Systems and Information Management (SIM), Security, and Advanced Analytics business units.
It appears to be legit (looking around, I find the deal on TechCrunch, so this isn't some pump-and-dump scheme), and I would normally just skim past it, except for one thing -- I got *six* copies of it, *all* of them to fake email addresses at waks.org.

I don't even know where these particular addresses originated. They all look relatively legitimate -- none are real addresses scraped off my pages, but they're not the usual made-up "mom294784@waks.org" that the spammers make up by computer to sell to other gullible spammers, either. They're things like "msutton", "rgordon", "howard", and so on. I've seen them from time to time, so they've been making the resale rounds, but they look like someone spent the time to handcraft fake email addresses, or at least to mix and match real account names from one domain onto another.

But mostly I'm amused and slightly puzzled. Bad enough that the new acquirers of Dell Software send out such a wide email blast announcing the sale. Doing so to such an unvetted list, making unambiguously clear that they are simply buying and blasting to spam lists, is just embarrassing.

And the cherry on top? When I Google for "Francisco Partners spam", my first hit is one of their portfolio companies, Barracuda Networks, which sells spam-fighting tech. Way to undermine the corporate message...
jducoeur: (Default)
One of the odd side-effects of having owned and used my own domain for a *long* time now is that I wind up with an interesting and sometimes annoying view into the world of Spam. I've had waks.org for well over 20 years, and I used it as my primary email for much of that, as did Jane.

More importantly, we were both great devotees of giving out bespoke addresses to anybody we didn't entirely trust. Hotels get *very* confused when I tell them to use, eg, "radisson@waks.org" as my email address, but it means that I've been able to detect who has bad email security and filter out anything to that address if it gets picked up by the spammers. If you sell your email address list, or are just careless about it, I will know. (As it turns out, political groups tend to be the worst.)

(NB: you can do this in Gmail, at least most of the time, by putting a "+" suffix onto your email address. So if you are actually "joe@gmail.com", you can give out "joe+radisson@gmail.com" -- it'll still go to you, and lets you do smart filtering based on the To: field. Some sites choke on the "+", but it usually works.)

The result is that I have given out hundreds, maybe thousands of email addresses on waks.org over the years, including my legitimate ones, the ones given to vendors, and specialized addresses I've put on websites, like "cookbook@waks.org". And it turns out, that makes waks.org a remarkably effective honeypot for spam.

A "honeypot", in computer security, is something you put out there to lure the bad guys in -- typically some fake data that looks real and appealing, that you use to draw them in and trap them. In this particular case, much of the content of my spambox is *wildly* obvious spam -- not so much because any individual email is conspicuously bad, but because I receive two dozen copies of it to two dozen email addresses.

So for instance, today's biggest example has the subject line "Image[some random number].pdf", and the body "Sent from my Sony Xperia™ smartphone", plus an attached "image" that is, of course, actually a virus. It's unlikely I would fall for such a thing anyway, but I'm certainly less likely to when I have multiple screenfuls of them. Google is smart enough to notice that these contain viruses, and put them into Spam -- I'm downright surprised that they aren't smart enough to notice that there are so many near-identical emails, and just trash-can them. I would far rather they did.

I've long been amused at the lack of honor among thieves -- it's been very clear for 10-15 years that some people are simply taking existing waks.org email addresses, modifying them in trivial ways, and reselling them in order to bulk up the lists. For example, caitlin@waks was a real email address, but about ten years ago I started to notice "caitlinn", and then "caitlinnn", or "aitlin" -- non-existent email addresses that somebody invented. (I rather like "ookbook", which sounds like I'm writing about monkeys.) I'd bet good money that that was done simply so that people could sell packages of "ten million email addresses!" and suchlike. Indeed, many of them are even less real -- addresses that look like nothing so much as a cat walking across the keyboard.

The really interesting thing I'm noticing this week, though, is a sudden spike in what I can only describe as industrial-scale spam. There's been an *enormous* uptick in the number of spams landing in my Spambox. Traditionally, I would get ten of something; now, I'm getting a hundred. And they are from all of the above categories -- addresses stolen from vendors, addresses from websites, and the various multilated forms that have gradually come into common use over the years.

I suspect somebody has gotten serious about selling Spam as a Service. This feels like some site has bought up *all* the lists they can find, and opened up an API for blasting out trivial variations of a template to umpteen million addresses at high speed. The virus-laden ones have a straightforward business plan behind them (one thing you learn in financial security is how much spam is all about stealing ACH credentials); the ones that are simply, eg, "Hi ekyz how are you?" are a bit more mysterious, but I assume are attempting to lure a victim into a conversation.

Anyway, just some food for thought. There is one sad consequence of all this: I think it's time for me to turn most of Jane's email addresses off. The various forms of "jane@waks", "caitlin@waks", and so on, have been coming to me over the years, but we're down to well under one legitimate email per year, and a fair number of spams per day. So I think it's time to filter those into the bit-bucket. I will admit, even knowing that it's the sensible thing to do, it's remarkably hard for me to set up those filters...
jducoeur: (Default)
[Context: Windows 7]

Garh; this is driving my crazy. For the past couple of weeks, the mouse on my desktop machine has been notably sluggish -- the pointer is "stuttering" a lot, not keeping up with me as I move the mouse. I've replaced the mouse's batteries (a common recommendation), and that doesn't seem to do it. Antivirus is up to date, and I believe the problem is happening a *little* even at system start, although it tends to take a while to become grotesquely annoying; none of my usual foreground processes seem to be involved. Likely related, I'm sometimes seeing difficulty with typing -- stuff I type takes a long time to register, and sometimes doesn't work at all. CPU is *not* pegging at all: moving the mouse around a lot barely registers on the CPU meter, even when it's stuttering and catching constantly.

The problem almost has to be something to do with interrupts and a bollixed driver, but I have no idea where to look to diagnose it. Any pointers on how to track down the offending process, short of wiping and reinstalling the whole bloody computer, would be greatly appreciated. (Comments recommending that I change operating systems would not. Please don't; I'm not in the mood.)

jducoeur: (device)
Just for once, I actually posted something to The Art of Conversation -- here's the link, for those who are interested...
jducoeur: (Default)
Anyone interested in the startup industry should read this absolutely delicious article about the company's new valuation, and why it is just as valid a number as the ones being batted around for so many companies nowadays...
jducoeur: (querki)
[Mostly for the techies]

I was just reading this recent article in TechCrunch -- it's light on detail, but makes the likely-correct point that APIs are going to become ever more important in the industry in coming years. So I'm pondering: what should Querki be doing with them?

At the highest level, the notion's been around for a while -- I think Galen mentioned the idea of API integration a couple of years ago now -- but Querki's original architecture wasn't API friendly because the QL processing pipeline was too synchronous. Now that that's fixed, I don't think there's any reason we *can't* build API integration into Querki, allowing a Querki Space to call APIs of external services. I'm just not sure what it *means* yet, and my rule for Querki is that I don't build features until I have clear use cases.

(NB: I'm specifically talking about Querki Spaces calling external APIs here. Querki itself already exposes an extremely rich API -- the rewrite I've done over the past year effectively means that Querki is *entirely* API-based, and simply provides a standard Client for working with those APIs. They're nowhere near stable enough yet, and are completely lacking stuff like documentation, examples, validation suites and all those elements you need in order to make an API real, but under the hood everything is now driven by a straightforward JSON API that you can code to.)

Anyway: I'm looking for ideas. Querki by now makes it fairly easy to build Spaces for your data needs; my current Spaces include things like:Etc, etc, etc -- basically, small collaborative websites that let you collect, organize and share information about some topic.

The question is, in what ways would API access make this better? What could you do more easily in this world, if you could, reasonably easily, tell Querki to go out and do *something* with a particular API from some other service?

None of this is going to happen soon, mind -- I have lots of more-critical irons in the fire at the moment. But I'd like to add some examples to Querki's Use Cases, to help understand where we should eventually be going with API access.

So the floor is open for brainstorming. Anybody got suggestions? Anything data-centric you've always wanted to build, that would work best if you could mix in specific outside data?
jducoeur: (Default)
Okay, here's a question for the hive mind. From Google Maps in the browser, is there *any* way to get a simple effing list of the places I have starred? This is one of the most absolutely crucial features of Google Maps for me -- it's how I keep track of places where I expect to be going in the near future -- and they have systematically gotten rid of every way I can think of to get to a list of them. (.../maps/myplaces worked until today; now I'm stumped.)

I swear, there is a team at Google whose sole purpose in life is to make their apps *less* useful and *more* annoying: nearly every change over the past year has made things work less and less well for me, to the point where I'm starting to actively drop their apps solely because I'm starting to find them unusable...
jducoeur: (Default)
On a semi-regular basis, I get updates from IFTTT (If-This-Then-That, an app that lets you mash stuff up), mostly announcing their new channels. They've gotten pretty eyebrow-raising. Today's is kind of magnificent:

"The GE Appliances Cooking Channel lets your oven communicate with you, no matter where you are."

I'm not quite sure if I find that more creepy or ridiculous, but the real humor comes in the suggested mashups, such as "Post a tweet when dinner is ready", which may set a new bar for Annoying Twitaholism.

The tech industry is talking about The Internet of Things more or less nonstop nowadays, but I'm beginning to get the sense that 98% of it is solutions in search of problems. Which means a shakeout is due in 3... 2... 1...
jducoeur: (Default)
Just came across this nice little article from last week -- the Oatmeal got a chance to ride in one of Google's prototype self-driving cars, and gives his thoughts. It's an interesting and thoughtful read, and unusually for the Oatmeal, it's SFW. Well worth the read: he makes a compelling argument that while, yes, they're not perfect, they have the potential to make a lot of peoples' lives better, and it's worth rooting for the project to succeed...
jducoeur: (Default)
Very, very neat stuff -- according to this article in Ars Technica, they're getting to the point of demo'ing Skype Translator, which, no shit, does on-the-fly translation of spoken word for you while you're on a call. It's sounds like it's a bit slow and limited at this point (just English/Spanish for the full experience), but getting from a proof of concept to something generally usable for real is probably just engineering and data.

I have to agree with the article: the pieces have been there for a while, so this isn't *intellectually* astonishing, but still -- it's one of those "we're catching up with our science fiction kind of fast" moments. And it does remind one that Microsoft hasn't completely ceded the high-tech terrain...


jducoeur: (Default)

June 2017

456 7 8 910
18 192021222324
2526 2728 2930 


RSS Atom

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags