Knives Episode 26 Published!

With the Big Splash at the end of the last episode, it was time for Martin to take stock and do some planning. But not before contemplating just leaving everything and going back to his normal life as thief and assassin. But, well, there’s Elena.

On the patron front, it looks like my attempt to release more backstory was, well, unsuccessful. No worries — tomorrow I will do that first thing after taking down Christmas lights.

Episodes have been a bit slow lately, what with holidays and guests invading the Writing Bunker and whatnot, but episode 27 is forming up nicely and episode 28 is solidifying.

As always, thank you to all my generous patrons. You guys rock!

Read Knives.

Standing Rock and Internet Security

At the peak of the Standing Rock protest, a small city existed where none had before. That city relied on wireless communications to let the world know what was going on, and to coordinate the more mundane day-to-day tasks of providing for thousands of people. There is strong circumstantial evidence that our own government performed shenanigans on the communications infrastructure to not only prevent information from reaching the rest of the world, but also to hack people’s email accounts and the like.

Cracked.com, an unlikely source of “real” journalism, produced a well-written article with links to huge piles of documented facts. (This was not the only compelling article they produced.) They spent time with a team of security experts on the scene, who showed the results of one attack: When all the secure wifi hotspots in the camp were attacked, rendering them unresponsive, a new, insecure hotspot suddenly appeared. When one of the security guys connected to it, his gmail account was attacked.

Notably, a plane was flying low overhead – a very common model of Cessna, but the type known to be used by our government to be fitted with just the sort of equipment to do this sort of dirty work. The Cessna was owned by law enforcement but its flight history is secret.

What does that actually mean? It means that in a vulnerable situation, where communication depends on wireless networks, federal and state law enforcement agencies have the tools to seriously mess with you.

“But I only use secure Internet connections,” you say. “HTTPS means that people between you and the site you’re talking to can’t steal your information.” Alas, that’s not quite true. What https means is that connections to your bank or Gmail can only be monitored by someone endorsed by entities your browser has been told to trust completely. On that list: The US Government, the Chinese government, other governments, and more than a hundred privately-owned corporations. Any of those, or anyone any of those authorities chooses to endorse, or anyone who manages to hack one of those hundred-plus authorities (this has happened) can convince your browser that there is no hanky-panky going on. It shouldn’t surprise you that the NSA has a huge operation to do just that.

The NSA system wasn’t used at Standing Rock (or if it was, that effort was separate from the documented attacks above), because they don’t need airplanes loaded with exotic equipment. But those airplanes do exist, and now we have evidence that state and local law enforcement, and quite possibly private corporations as well, are willing to use them.

The moral of the story is, I guess, “don’t use unsecured WiFi”. There’s pretty much nothing you can do about the NSA. It would be nice if browsers popped up an alert like “Normally this site is vouched for by Verisign, but this time the US Government is vouching for it. Do you want to continue?” But they don’t, and I haven’t found a browser plugin that adds that capability. Which is too bad.

Edit to add: While looking for someone who perhaps had made a browser plug-in to detect these attacks, I came across this paper which described a plugin that apparently no longer exists (if it was ever released). It includes a good overview of the situation, with some thoughts that hadn’t occurred to me. It also shows pages from a brochure for a simple device that was marketed in 2009 to make it very easy for people with CA authority to eavesdrop on any SSL-protected communication. Devices so cheap they were described as “disposable”.

Shower Coma

You know how sometimes in the shower you kind of lose your place, and you’ll be washing your face and remember you’ve washed it already? This evening I was washing my face and I remembered remembering that I had already washed it before.

My face is very clean at this time.

2

My Gingerbread House

I’m one of those people who heads for the shadows when “fun group activities” are afoot. While I imagine fun ways I could participate, I simply don’t. So when it was announced that this year’s winter-festival-of-your-choice party at work would include a gingerbread house decorating contest, I immediately decided that I would not be participating.

But… I had an idea. I’m one of the only engineers in my group, and I started to think about how a gingerbread house could be expressed abstractly, the way it would look in software. I got some pretty grand ideas.

Still, when the contest organizers were patrolling the area, trying to get people to accept the kit and commit to participating, I demurred. My arm was not twisted. For the next half-hour I heard other arms being twisted, and a loud-for-the-workplace lament that not enough people were participating. “I’ll do it!” I called across the office. “Bring me a kit.” [“Feel the wrath of the arm not twisted!” I didn’t add.]

The kit included a fully-assembled gingerbread house and stuff to stick to it. But in software, that’s not what a house looks like. So my first task was to break the house down to its constituent parts, the same way a software engineer breaks a big problem down into a set of smaller, more manageable problems.
img_0022

It’s important to recognize here that the front of the house and the back of the house are the same, except for location and orientation. So in software, we define an end panel that works for both cases. Same with the sides, and for the roof panels. You break a thing down into its fundamental pieces, find what’s common between those pieces, and build your structure.

The challenge then, was to present those pieces in a meaningful way, and then create a language that would express how the parts were assembled and how they were decorated. When thoughts of poured-sugar virtual building elements with the parameters that defined them entombed inside gave way to reality, this is where I went:
img_0026

On a cookie sheet I staged visual representations of the various parts of the house. I included things like the color sequence of the gumdrops when used in series (a co-worker gave me a demerit for not following the Apple rainbow in my sequence. I should have thought of that.) Then there was the purely abstract assembly instructions. The final result looked like this:
ginger

But it’s not software without bugs, and the wreath that came in the kit was broken. I filed the error in the company’s bug-tracking system:
radar

Did I win? No. Of course not. Did I give my co-workers a little insight into how I think? I’d like to think so. I’m surrounded by creative people who view what I do as vaguely magic. Perhaps they understand me a little better now. Though to be honest it would take much more effort than one is likely to give at a holiday party to understand the intricacies of my gingerbread house.
tile

Then there was this conversation:

Me: I think I overdid the roof.
Guy I work with, squinting at my display: Oh?
Me: Piping and a gumdrop on every roof tile? Along with the candies all around the edge. It might be a bit much.
Guy: Where?
Me: It’s all there if you look, but you can only see it in your head.
Guy: Oooh.

And that is my job. I build things you can only see in your head.

3

The Chinese are Attacking!

screen-shot-2016-12-11-at-11-06-55-am
Every once in a while I check the logs of the server that hosts this blog, to see if there are any shenanigans going on. And every time I check, there ARE shenanigans. The Chinese have been slowly, patiently poking at this machine for a long, long time. The attacks will not succeed; they are trying to log in as “root”, the most powerful account on any *NIX-flavored computer, but on my server root is not allowed to log in from the outside, precisely because it is so powerful.

But the attack itself is an interesting look at the world of institutionalized hacking. It is slow, and patient, only making an attempt every thirty seconds or so. Many attack-blockers use three tries in a minute to detect monkey business; this will fly under that radar. Trying fewer than 200,000 password guesses per day limits the effectiveness of a brute-force attack, but over time (and starting with the million most common passwords), many servers will be compromised.

And in the Chinese view, they have all the time in the world. Some servers will fall to their attacks, others won’t. The ones that are compromised will likely be loaded with software that will, Manchurian-Candidate style, lie dormant until the Chinese government decides to break the Internet. And although servers like mine would provide excellent leverage, located as it is in a data center with high-speed access to the backbone, the bad guys have now discovered that home invasion provides a burgeoning opportunity as well. Consider the participation of refrigerators and thermostats in the recent attack on the Internet infrastructure on the East Coast of the United States and you begin to see the possibilities opened by a constant, patient probing of everything connected to the Internet.

I’ve been boning up on how to block the attack on my server; although in its current form the attack cannot succeed, I know I’ve been warned. The catch is I have to be very careful as I configure my safeguards — some mistakes would result in ME not being able to log in. That would be inconvenient, because if I’m unable to log in I won’t be able to fix my mistake. But like the Chinese, I can take things slowly and make sure I do it right.

1

Knives Episode 25 Published

keIr8jbMXxmru4jF8SmZgLewEQsJqeLDjbPX7mnqvHXuQ641S02V6HFty34Ricip_large_2This episode took a while to get out; there were several things working against it. November was a big one, but this episode resisted me every step of the way all on its own. Then in the middle of the night I figured out what was missing, tied things up, deferred a chunk of exposition to a later date, and here we are!

So what are you waiting for? Start reading already!

A couple of important things happen in this episode; Martin makes a decision about Elena and Bags has a couple of surprises. Happily, those surprises also allow me to release the rest of Bags’ backstory for my valued patrons. If I can remember how to do that.

I think it would be more fair to my patrons to commit to a regular release schedule, but I’m not sure yet what frequency I can commit to. We’ll figure that out in January; December is filled with house guests and general wassailing. I hope to get some good writing time in, but, well, the new year is all about resolutions, right?