The Chinese are Attacking!

Every once in a while I check the logs of the server that hosts this blog, to see if there are any shenanigans going on. And every time I check, there ARE shenanigans. The Chinese have been slowly, patiently poking at this machine for a long, long time. The attacks will not succeed; they are trying to log in as “root”, the most powerful account on any *NIX-flavored computer, but on my server root is not allowed to log in from the outside, precisely because it is so powerful.

But the attack itself is an interesting look at the world of institutionalized hacking. It is slow, and patient, only making an attempt every thirty seconds or so. Many attack-blockers use three tries in a minute to detect monkey business; this will fly under that radar. Trying fewer than 200,000 password guesses per day limits the effectiveness of a brute-force attack, but over time (and starting with the million most common passwords), many servers will be compromised.

And in the Chinese view, they have all the time in the world. Some servers will fall to their attacks, others won’t. The ones that are compromised will likely be loaded with software that will, Manchurian-Candidate style, lie dormant until the Chinese government decides to break the Internet. And although servers like mine would provide excellent leverage, located as it is in a data center with high-speed access to the backbone, the bad guys have now discovered that home invasion provides a burgeoning opportunity as well. Consider the participation of refrigerators and thermostats in the recent attack on the Internet infrastructure on the East Coast of the United States and you begin to see the possibilities opened by a constant, patient probing of everything connected to the Internet.

I’ve been boning up on how to block the attack on my server; although in its current form the attack cannot succeed, I know I’ve been warned. The catch is I have to be very careful as I configure my safeguards — some mistakes would result in ME not being able to log in. That would be inconvenient, because if I’m unable to log in I won’t be able to fix my mistake. But like the Chinese, I can take things slowly and make sure I do it right.
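A sketch of why the pacing described above slips past a short-window rule, and how a longer window catches it. This is an added example, not the configuration or tooling used on this server; the log lines are constructed, the addresses come from documentation ranges, and the one-hour threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH's "Failed password" syslog line, with or without "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2016):
    """Return (timestamp, user, ip) for every failed-password line.

    Classic syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def flag_sources(events, window, threshold):
    """IPs with at least `threshold` failures inside any half-open
    interval of length `window` (a sliding window per source)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Drop failures that have aged out of the window ending at t.
            while t - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect(lines):
    """Run the burst rule from the post next to an assumed slow rule."""
    events = parse_failures(lines)
    return {
        # "Three tries in a minute", the rule the post says is common.
        "burst": flag_sources(events, timedelta(seconds=60), 3),
        # Assumed threshold: 20 failures from one source within an hour.
        "slow": flag_sources(events, timedelta(hours=1), 20),
    }


def sample_log():
    """Constructed sample, not real traffic."""
    t0 = datetime(2016, 12, 11, 3, 0, 0)

    def line(ts, msg):
        return f"{ts:%b %d %H:%M:%S} blog sshd[4242]: {msg}"

    lines = []
    # Patient source: one root guess every 30 seconds for an hour.
    for i in range(120):
        lines.append(line(
            t0 + timedelta(seconds=30 * i),
            "Failed password for root from 203.0.113.7 port 40000 ssh2"))
    # Noisy source: three guesses in ten seconds.
    for i in range(3):
        lines.append(line(
            t0 + timedelta(seconds=5 * i),
            "Failed password for invalid user admin "
            "from 198.51.100.9 port 40001 ssh2"))
    # Legitimate user: one typo, then a successful login (must be ignored).
    lines.append(line(
        t0, "Failed password for alice from 192.0.2.5 port 40002 ssh2"))
    lines.append(line(
        t0 + timedelta(seconds=8),
        "Accepted password for alice from 192.0.2.5 port 40002 ssh2"))
    return lines


if __name__ == "__main__":
    for rule, sources in detect(sample_log()).items():
        print(rule, sorted(sources))
```

The burst rule only sees the noisy source; the patient one never has more than two failures inside any 60-second window, and only the hour-long window flags it.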

Apple, Machine Learning, and Privacy

There’s a lot of noise about machine learning these days, and the obviously-better deep-learning machines. You know, because it’s deep. Apple is generally considered to be disadvantaged in this tech derby. Why? Because deep learning requires masses of data from the users of the system, and Apple’s privacy policies prevent the company from harvesting that data.

I work for Apple, just so you know. But the narrative on the street comes down to this: Apple can’t compete with its rivals in the field of machine learning because it respects its users too much. For people who say Apple will shed its stand on privacy when it threatens profit for the company, here’s where I say, “Nuh-uh.” Apple proved its priority on privacy.

A second nuh-uh: ApplePay actively makes it impossible for Apple to know your purchase history. There’s good money in that information; Apple doesn’t want it. You think Google Wallet would ever do that? Don’t make me laugh. That’s why Google made it — so they could collect information about your purchasing habits and sell it. But in the world of artificial intelligence, respect for your customers is considered by pundits to be a negative.

But hold on there, Sparky! Getting back to the actual subject of this episode, my employer recently announced a massive implementation of wacky math shit that I think started at Stanford, that allows both aggregation of user data and protection of user privacy.

Apple recently lifted their kimono just a little bit to let the world know that they are players in this realm. Have been a long time. They want you to know that while respecting user privacy is inconvenient, it’s an obstacle you can work around with enough intelligence and effort.

This is a message that is very tricky for Apple to sell. In their advertising, they sell, more than anything else, good feelings. They’re never going to say, “buy Apple because everyone else is out to exploit you,” — that makes technology scary and not the betterment of the human condition that Apple sells.

But to the tech press, and to organizations fighting for your privacy, Apple is becoming steadily more vocal. It feels a wee bit disingenuous; Apple wants those other mouths to spread the fear. But it’s a valid fear, and one that more people should be talking about.

From where I sit in my cubicle, completely removed from any strategic discussion, if you were to address Apple’s stand on privacy from a marketing standpoint, it would seem our favorite fruit-flavored gadget company is banking on one of two things: That people will begin to put a dollar value on their privacy, or that the government will mandate stronger privacy protection and Apple will be ahead of the pack.

Ah, hahaha! The second of those is clearly ridiculous. The government long ago established itself as the enemy of privacy. But what about the first of those ideas? Will people pay an extra hundred bucks on a phone to not have their data harvested? Or will they shrug and say “If my phone doesn’t harvest that information, something else will.”

Honestly, I don’t think it’s likely that Apple will ever make a lot of money by standing up for privacy. It may even be a losing proposition, as HomeKit and ApplePay are slowed in their adaptation because they are encumbered by onerous privacy protection requirements. Maybe I’m wrong; maybe Apple is already making piles of cash as the Guardians of Privacy. But I suspect not.

So why does Apple do it? I don’t know. I’m not part of those conversations. But I do know this: If you were to ask CEO Tim Cook that question, he’d look at you like you’d grown a second head and say, “Because it’s the right thing to do.” Maybe I’m being a homer here, but I really believe Tim when he says stuff like that. Tim has told the shareholders to back off more than once, in defense of doing the right thing.

And as long as Tim is in charge of this company, “Because it’s the right thing to do” will float for me. So as long as Tim’s in charge, I know Apple will continue to respect the privacy of its customers. Maybe to you that’s not such a big deal, but it is to me. I won’t work for anyone I don’t respect.

Email Security 101: A Lesson Yet Unlearned

So it looks like the Russians are doing their best to help proudly racist Trump, by stealing (and perhaps altering) emails passed between members of the Democratic National Committee. It seems like the Democratic party preferred the candidate who was actually part of the party over a guy hitching his wagon to the Democrats to use that political machine as long as it was convenient to him.

But that’s not the point of this episode.

The point is this: Had the Democrats taken the time to adopt email encryption, this would not have happened. When the State Department emails were hacked, the same criticism applied.

It is possible to:

  1. Render email unreadable by anyone but the intended recipient
  2. Make alteration of emails provably false

But nobody does it! Not even people protecting state secrets. I used to wonder what email breach was going to be the one that made people take email security seriously. I’m starting to think, now, that there is no breach bad enough. Even the people who try to secure email focus on the servers, when it’s the messages that can be easily hardened.

There is no privacy in email. There is no security in email. But there could be. Google could be the white hat in this scenario, but they don’t want widespread email encryption because they make money reading your email.

Currently only the bad guys encrypt their emails, because the good guys seem to be too fucking stupid.

1,000,003 Words!

It has happened. Muddled Ramblings and Half-Baked Ideas has rolled over the odometer and has blasted well beyond the 1,000,003-word line. I decided to celebrate by taking the day off work to throw out a bit of a redesign here; the old code simply did not support some of the cool new WordPress features I’ve been wanting to leverage. A ground-up rebuild is long overdue.

Even when you start with a fairly clean off-the-shelf theme, however, a great deal of fiddling and tweaking ensues. Some of the old widgets, like the colorful tag cloud and the sweet-o-meter, seem to be AWOL right now, and I’m not sure about the typography for reading my longer-winded treatises.

Also missing, and a little more difficult to bring back, is the poetry feed that was playing in the header. I’d like to bring it back, but at this moment I’m not sure where to put it.

What do you think? Too dark? Please leave comments here on the blog, while I work on getting the styling of the comments on the blog looking right.

Later tonight, after the celebratory single malt, I will compose the Inevitable Retrospective Episode.


Assembling an iomega Mac Companion Enclosure

One of the big-ass hard drives we use for backup has started to make scary noises. Not the kind of sounds you want to hear from a drive that holds important data for our family and for a few friends around the country as well. It was time to start looking for a replacement drive. One thing I wanted to do was have a clear upgrade: with the new setup I will not have to fear the catastrophic consequences of a single drive failing.

A note on levels of catastrophe: some might think that losing backup data is an inconvenience. In the same way you could think that losing the co-pilot of an airplane is an inconvenience. But with the backup compromised, risk of disaster has gone up exponentially. At Muddled Ramblings and Half-baked Ideas we take that shit seriously as we skulk in our secret bunker, buried deep beneath a trailer park next to a sprawling cemetery, ready for the Zombie Apocalypse to begin.

There are fancy enclosures that hold several drive units and use a variety of schemes that fall under the general acronym RAID to protect data from the failure of a single drive. Most of those enclosures have loud fans, and all of them cost a lot of money. Where does a cheap bastard go when he wants RAID 5, quiet and cheap? He buys a bunch of inexpensive but high-quality disks, puts them in inexpensive but high-quality quiet enclosures, and uses SoftRaid to turn them into a single virtual disk with reasonable protection from disaster.

After a little research, I found the right drives (Seagate bulletproof datacenter-rated blah blah blah) and the right enclosure: the iomega Mac Companion. What is great about this enclosure is that it has TWO firewire connectors, so you can daisy-chain them and connect many drives to a single firewire port on the host computer. Music to cheap-bastard ears, and not found on other enclosures at any price. Plus, you can buy them cheap on eBay in any quantity you might want, while supplies last.

There’s a catch, of course: iomega is defunct, and never officially sold this enclosure without a drive already installed. The packaging looks as though they might have been planning to sell empty enclosures, but the documentation (and even some of the text on the box) is clearly written with the assumption that the drive is already in there and everything is assembled.

So, you have packaging clearly designed to contain an empty, partially-disassembled hard drive enclosure, and instructions clearly for a pre-assembled unit. Weird. Perhaps some last, desperate attempt to sell an inventory of enclosures the company could no longer afford to fill. The only intern left to handle the packaging had no idea what to do about the instructions. We’ll never know the whole story.

But there’s a glut of quite capable hard drive enclosures out there now, and I bought some of them. As for assembly, there are no instructions. Not in the box, not online. You’re on your own, buddy. Until now! By my third enclosure, assembly was actually pretty easy. As a public service to anyone else who might have jumped on this deal, here are step-by-step instructions. You don’t have to thank me, it’s what I do.

Step 0: Survey the stuff.
When you open the box you will see parts in two groups: the top and the bottom. The bottom section includes the plastic base, the metal housing, and the circuit board, which is attached to the bottom of the aluminum inner shell. The top section has an aluminum inner shell top and the plastic lid for the enclosure.

Let’s take a moment to visualize the final product. A hard drive mechanism, inside a protective metal inner shell, inside a sturdy enclosure with lights on the front. With that in mind, we will be building from the middle out. (Yes, I thought of Silicon Valley when I wrote that.)

Step 1: Start by disassembling the bottom parts even further. Carefully pop the plastic base out of the outer metal housing, then slip the circuit board with inner shell off the plastic base. This is the step that took me three tries to learn. After this, everything is actually pretty obvious.

Step 2: Set the hard drive onto the white shield over the circuit board and slide it forward onto its connector.

Step 3: Slide the top inner shell over the drive unit with the little pigtail cable sticking out the slot in the side. At this point, you have something that looks like this:

[Image: IMG_0420]

Step 4: If you look at the picture, you will see a screw holding the drive in place. The enclosure does not include the screws, but they are a standard size. I’m not sure what size, because I had some in my hardware collection, but you can figure that part out. In fact, in the first drive I assembled, I didn’t use any screws at all. I resolve to not use that drive as a maraca, and all will be well. But if I had it to do all over again, I’d screw those bad boys down.

Step 5: Slip your well-shielded hard drive assembly back onto the plastic base. Fiddle with things until the connectors line up with the holes in the base.

Step 6: The circuit board on the end of that pigtail cable hanging out the side actually has four LEDs on it. The tiny circuit board fits into a slot in the plastic base. Note that there is a wee indentation in the board at one end; that part goes DOWN, where it seats neatly on a plastic fin:

[Image: IMG_0415]

Step 7: Now it’s time to put the outer metal housing on. There’s an odd plastic bit you set aside earlier with four little shafts sticking out. Those go into the holes in the front of the housing, and as you put the housing down over the plastic base the odd plastic bit will slide into the holder directly in front of the circuit board from step 6.

[Image: IMG_0422]

Step 8: At this point, everything is connected and should be functional. Before passing the following Point of Maybe-No Return, I plugged in each unit and made sure it spun up happily.

Step 9: Snap on the lid. You’re finished! Woo!

I have no idea how to remove the lid again; and hopefully I’ll never have to learn. Now I have a lot of room for data. Setting up my poor-man’s RAID will likely have to wait until next weekend, and hopefully will be simple enough that I don’t need to write a how-to. In the meantime, I hope this is helpful to those who find themselves with a question mark hovering over their heads as they stare at the parts they have just received.


Could Someone Do a Quick Test for Me?

I wonder if any Microsoft IE/Edge browser users out there would mind taking five seconds to pop over to http://knives-the-novel.net and check the little red thermometer-thingie on the left. It should do an animation to show partial progress toward a goal. I’ll be trying to test it myself, but we don’t call our Windows machine “The Anger Box” for nothing.

Thanks!

It should end up looking like this.


A little more background for the curious:

It’s easy to put simple animations directly into SVG images, to scoot things around and whatnot. The embedded-in-SVG style of animation is based on SMIL. Microsoft has taken the position “we’re not going to support that, because there are better ways to do animations, like with CSS.” They’re right, for certain definitions of “better”, but to take full advantage of the better aspects of CSS animation one must jump through some hoops — especially if you want to adjust the animation at run-time. So, if “better” means “simpler”, then not so much.

But now my plugin’s hoops are through-jumped, and to my eye, animations are smoother in all browsers (hardware acceleration is more consistently available to CSS-based animations), so it’s a win all-round. Safari still leaves annoying trails in some circumstances, but overall things look pretty sweet in the mainstream browsers. Although, as mentioned above, to date I have no idea how it looks on Microsoft’s IE/Edge browsers. Any help in that regard would be welcome.

wp-cli, Where have you been all my life?

WordPress updates can be pretty insecure. FTP was invented back before there was an Internet, and when no one thought that bad people might be on the same network you’re using (why even have a password if you let everyone see it?). Ah, for those naïve and simple times!

Yet even today most of the Web-site-in-a-box products you can get to run on your GoDaddy account use FTP. I control my own server, and you can bet your boots that FTP is turned right the hell off.

It can be a hassle setting WordPress up to allow its update features to work in a very secure fashion, however. I was wrangling RSA certificates when I ran across another solution: rather than push a button on a web page to run an update, log into the server and run a command there. Simple, effective, secure, without file permission fiddling and authorized_keys files.

wp-cli does way more than updates, too. It is a tool I’ve been pining for for a long time, without even knowing it. Want to install a plugin? wp plugin install "xyz" and you’re done. Back up the ol’ database? They have you covered. Welcome to my tool belt, wp-cli!

If you’re not afraid to type three commands to update your site, rather than trying to maintain a hole in your security in such a way that only you can use it, then this is a great option for you. Check it out at wp-cli.org.

An Internet Security Vulnerability that had Never Occurred to Me

Luckily for my productivity this afternoon, the Facebook page-loading feature was not working for me. I’d get two or three articles and that was it. But when it comes to wasting time, I am relentless. I decided to do a little digging and figure out why the content loader was failing. Since I spend a few hours every day debugging Web applications, I figured I could get to the bottom of things pretty quickly.

First thing to do: check the console in the debugger tools to see what sort of messages are popping up. I opened up the console, but rather than lines of informative output, I saw this:

Stop!

This is a browser feature intended for developers. If someone told you to copy-paste something here to enable a Facebook feature or “hack” someone’s account, it is a scam and will give them access to your Facebook account.

See https://www.facebook.com/selfxss for more information.

It is quite possible that most major social media sites have a warning like this, and all of them should. A huge percentage of successful “hacks” into people’s systems are more about social engineering than about actual code, and this is no exception. The console is, as the message above states, for people who know what they are doing. It allows developers to fiddle with the site they are working on, and even allows them to directly load code that the browser’s security rules would normally never allow.

These tools are built right into the browsers, and with a small effort anyone can access them. It would seem that unscrupulous individuals (aka assholes) are convincing less-sophisticated users to paste in code that compromises their Facebook accounts, perhaps just as they were hoping to hack someone else’s account.

I use the developer tools every day. I even use them on other people’s sites to track down errors or to see how they did something. Yet it never occurred to me that I could send out an important-sounding email and get people to drop their pants by using features built right into their browsers.

It’s just that sort of blindness that leads to new exploits showing up all the time, and the only cure for the blindness is to have lots of people look at features from lots of different perspectives. Once upon a time Microsoft built all sorts of automation features into Office that turned out to be a security disaster. From a business standpoint, they were great features. But no one thought, “you know, the ability to embed code that talks to your operating system directly into a Word doc is pretty much the definition of a Trojan Horse.”

So, FIRST, if anyone asks you to paste code into the developer’s console of your browser, don’t. SECOND, if you are in charge of a site that stores people’s personal data, consider a warning similar to Facebook’s. Heck, I doubt they’d complain if you straight-up copied it, link and all. THIRD, just… be skeptical. If someone wants you to do something you don’t really understand, don’t do it, no matter how important and urgent the request sounds. In fact, the more urgent the problem sounds, the more certain you can be that you are dealing with a criminal.


Muddled Ramblings Going Down for Maintenance

I’m not sure exactly when yet, but Muddled Ramblings & Half-Baked Ideas will be going down for some long-overdue maintenance shortly. You may have noticed occasional outages lately, and with not one, but TWO exciting new sites soon to be hosted on this hardware, it’s time for a little renovation. The Mac Mini behind this site has been running non-stop nigh-on five years, and it has a lot of old experimental junk on it that just needs to go away.

The outage will likely last a few hours, and when things come back up they should be zippier than ever.

Then if I could just move this site design forward by about a decade (the irony that the massive article about rounded corner support in modern browsers uses tiled images to create rounded corners is not lost on me) we’ll be in good shape!


Back to 28: A Heck of a Security Hole in Linux

In December of 2008, some guy made a change to a program used by almost every flavor of Linux, and he (probably he, anyway) made a simple mistake. The program is called Grub2, and it’s the part that manages the user password business. For seven years it was broken.

It turns out that due to careless programming, hitting the backspace key could cause Grub2 to clear a very important chunk of memory. Normally this would cause the machine to reboot, but if you hit the backspace key exactly 28 times, it will reboot in the rescue shell, a special feature to allow admins access to the computer when things are fairly badly broken.

In the rescue shell, one can perform all sorts of mischief on a machine, including installing spyware or just deleting everything. Yep, walk up to (almost) any Linux box, hit the backspace key 28 times, press return, and blammo. Its undies are around its ankles.

Worse, a long sequence of backspaces and characters can write all kinds of stuff into this critical memory area. Pretty much anything an attacker wants to write. Like, a little program.

Since (as far as I know) the attacker has to have physical access to the machine to press the keys or attach a device that can send a more complex key sequence automatically, most of the world’s Linux-based infrastructure is not directly at risk — as long as the Linux machines people use to control the vast network are well-protected.

The emergency patches have been out for a couple of weeks now, so if you use Linux please make sure you apply them. The change comes down to this: If there’s nothing typed, ignore the backspace key. Magical!

You can read more about it from the guys who found it: Back to 28: Grub2 Authentication 0-Day. It’s pretty interesting reading. The article gets steadily more technical, but you can see how a seemingly-trivial oversight can escalate to dire consequences.

The lesson isn’t that Linux sucks and we should all use OpenBSD (which is all about security), but it’s important to understand that we rely on millions and millions of lines of code to keep us safe and secure. Millions and millions of lines of code, often contributed for the greater good without compensation by coders we hope are competent, and not always reviewed with the skeptical eye they deserve. Nobody ever asked “what if cur_len is less than zero?”
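The counter mistake described in this post, as a small Python model added here; it is not Grub2's code, which is written in C. Only `cur_len` comes from the post: the 32-bit counter width, the buffer and guard sizes, and the step that clears the unused tail of the buffer are simplifying assumptions of the model.

```python
MASK32 = 0xFFFFFFFF            # emulate a 32-bit unsigned counter (assumption)
BACKSPACE, ENTER = "\b", "\r"


def read_username(keys, buf_size=8, guard_size=32, patched=False):
    """Model of a prompt loop that edits a fixed-size buffer.

    Memory is one flat bytearray: `guard_size` bytes of unrelated data
    (0xAA) followed by the input buffer. After the loop the routine zeroes
    the unused tail of the buffer, starting at buf + cur_len.

    Returns (cur_len, number_of_guard_bytes_cleared).
    """
    mem = bytearray(b"\xAA" * guard_size + b"\x00" * buf_size)
    buf = guard_size                       # index where the buffer starts
    cur_len = 0

    for key in keys:
        if key == ENTER:
            break
        if key == BACKSPACE:
            if patched and cur_len == 0:
                continue                   # the fix: nothing typed, ignore it
            # Unsigned arithmetic: 0 - 1 does not go negative, it wraps.
            cur_len = (cur_len - 1) & MASK32
            continue
        if cur_len < buf_size - 1:         # leave room for the terminator
            mem[buf + cur_len] = ord(key)
            cur_len += 1

    # Clear everything after the typed characters. With a wrapped cur_len
    # the start address lands *before* the buffer.
    start = (buf + cur_len) & MASK32
    for i in range(start, buf + buf_size):
        mem[i] = 0

    cleared = sum(1 for b in mem[:guard_size] if b == 0)
    return cur_len, cleared


if __name__ == "__main__":
    keys = [BACKSPACE] * 28 + [ENTER]
    print("unpatched:", read_username(keys))
    print("patched:  ", read_username(keys, patched=True))
```

In the unpatched run the counter ends at 2^32 - 28 and the clean-up step wipes 28 bytes that were never part of the buffer; with the check in place both numbers stay at zero.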

The infamous Heartbleed was similar. Nobody asked the critical questions.

Millions and millions of lines of code. There are more problems out there, you can bank on that.

Will the World Break in 2016?

Well, probably not. The world isn’t likely to break until 2017 at the earliest. Here’s the thing: Our economy relies on secure electronic transactions and hack-proof banks. But if you think of our current cyber security as a mighty castle made of stone, you will be rightly concerned to hear that gunpowder has arrived.

A little background: there’s a specific type of math problem that is the focus of much speculation in computer science these days. It’s a class of problem in which finding the answer is very difficult, but confirming the answer is relatively simple.

Why is this important? Because pretty much all electronic security, from credit card transactions to keeping the FBI from reading your text messages (if you use the right service) depends on it being very difficult to guess the right decoder key, but very easy to read the message if you already have the key. What keeps snoops from reading your stuff is simply that it will take hundreds of years using modern computers to figure out your decoder key.

That may come to a sudden and jarring end in the near future. You see, there’s a new kind of computer in town, and for solving very specific sorts of problems, it’s mind-bogglingly fast. It won’t be cheap, but quantum computers can probably be built in the near future specifically tuned to blow all we know about data encryption out of the water.

Google and NASA got together and made the D-Wave two, which, if you believe their hype, is the first computer that has been proven to use quantum mechanical wackiness to break through the limits imposed by those big, clunky atoms in traditional computing.

Pictures abound of the D-Wave (I stole this one from fortune.com, but the same pic is everywhere), which is a massive refrigerator with a chip in the middle. The chip has to be right down there at damn near absolute zero.

[Image: D-Wave exterior]

The chip inside D-Wave two was built and tuned to solve a specific problem very, very quickly. And it did. Future generations promise to be far more versatile. But it doesn’t even have to be that versatile if it is focussed on breaking 1024-bit RSA keys.

It is entirely possible that the D-Wave six will be able to bust any crypto we have working today. And let’s not pretend that this is the only quantum computer in development. It’s just the one that enjoys the light of publicity. For a moment imagine that you were building a computer that could decode any encrypted message, including passwords and authentication certificates. You’d be able to crack any computer in the world that was connected to the Internet. You probably wouldn’t mention to anyone that you were able to do that.

At Microsoft, their head security guy is all about quantum-resistant algorithms. Quantum computers are mind-bogglingly fast at solving certain types of math problems; security experts are scrambling to come up with encryption based on some other type of hard-to-guess, easy-to-confirm algorithm, that is intrinsically outside the realm of quantum mojo. But here’s the rub: it’s not clear that other class of math exists.

(That same Microsoft publicity piece is interesting for many other reasons, and I plan to dig into it more in the future. But to summarize: Google wins.)

So what do we do? There’s not really much we can do, except root for the banks. They have resources, they have motivation. Or, at least, let’s all hope that the banks even know there’s a problem yet, and are trying to do something about it. Because quantum computing could destroy them.

Eventually we’ll all have quantum chips in our phones to generate the encryption, and the balance of power will be restored. In the meantime, we may be beholden to the owners of these major-mojo-machines to handle our security for us. Let’s hope the people with the power to break every code on the planet use that power ethically.

Yeah, sorry. It hurts, but that may be all we have.

Up… for now

Techno-troubles here at Muddled Ramblings and Half-Baked Ideas! The faithful little computer that has been serving up this site for the past years is not healthy right now. I didn’t realize how important this dang blog is to me until it stopped working. Just when I was getting some momentum, too.

I’m looking for the best answer now (MacMiniColo.net has a pretty spectacular special running right now), but in the meantime it’s proving tough to keep this thing up. So, sorry in advance for outages.

Junk Science — A Telltale Sign

The other day a friend of mine posted a link to a peer-reviewed scientific study concerning the effects of a vegetarian diet. He posted an excerpt from the paper’s abstract:

Our results revealed that a vegetarian diet is related to a lower BMI and less frequent alcohol consumption. Moreover, our results showed that a vegetarian diet is associated with poorer health (higher incidences of cancer, allergies, and mental health disorders), a higher need for health care, and poorer quality of life.

Before I even clicked the link, alarm bells were going off. Just in those two sentences, they list seven things measured. That’s not science, kids, that’s shooting dice in the alley. If you measure enough things about any group of people you’ll find something that looks interesting. Holy moly, I thought, how many things did this survey try to measure, anyway? (I believe the answer to that is eighteen.)

It’s possible that some of the correlations these guys found actually are significant, and not the result of random chance. It’s not possible to tell which ones they might be, as it’s almost certain that many of the conclusions are completely bogus.

And then there’s selection bias. I read elsewhere (link later) that in Austria, many vegetarians eat that way on Doctor’s orders, because they’re already sick. That will skew the numbers.

But the paper was peer-reviewed, right? I spent a little time trying to figure out who those peers might be, but there’s no sign of them I could find on the site where this paper is self-published. And, frankly, “peer-reviewed” doesn’t mean shit anymore. Peers are for sale all over the place. If you can’t see the credentials of the people who reviewed the work, it may as well not be peer-reviewed at all.

And none of the authors seem to have any credentials or degrees themselves. Perhaps they just didn’t feel compelled to mention them, but that strikes me as odd — especially for Europeans, who traditionally love to lay on the titles and highfalutin name decorations.

The site has 53 references to that article being mentioned in the media. Some of the places that quote this nonsense actually have “science” in their titles. Sigh. Apparently Science 2.0 is Science where you believe every press release that crosses your desk. Perhaps Muddled Ramblings and Half-Baked Ideas will make number 54 — although I suspect the keepers of PLOS ONE might not want this reference promoted. But to their credit they do show the link to an article in that Bastion of Science Outside Online, where at least one journalist took a sniff before pressing the “publish” button.

Outside Online, you do science better than Science 2.0. You have my admiration.

So is this research totally useless? Actually, no. It’s possible a grad student somewhere could find ONE of the claims made in the paper interesting enough to do REAL science to improve our understanding of nutrition and health. The study might be to test the hypothesis “a vegetarian diet increases the chances of lymphoma,” or something like that. A single question, while keeping the rest of the variables as controlled as possible in a human study (which is really tough).

That work would take years to accomplish and would not show up in The Guardian or probably even Outside Online. It would be a small brick in our edifice of understanding, a structure that has been growing for hundreds of years.

So when you read about “a study” that shows many things, look at it with squinty eyes and you’ll see behind it a group of people rolling the dice, and there’s often no telling who their master is. It’s not really a study at all, but a press release with numbers.

Sucky Irony

Today at work I was wrestling with a database connection that was defying all my attempts to make it play nice. I needed to type in a command that I couldn’t pull off the top of my head, but I knew where on this blog to find it.

So quick like a bunny I typed in muddledramblings.com to find the answer, and I was greeted with a screen that said, in big bold letters:

Error establishing database connection.

Sigh.

Obviously it’s fixed now, or you wouldn’t be reading this, but dang.

How Secure is Your Smoke Detector?

You probably heard about that HeartBleed thing a few months ago. Essentially, the people who build OpenSSL made a really dumb mistake and created a potentially massive security problem.

HeartBleed made the news, a patch came out, and all the servers and Web browsers out there were quickly updated. But what about your car?

I don’t want to be too hard on the OpenSSL guys; almost everyone uses their code and apparently (almost) no one bothers to pitch in financially to keep it secure. One of the most critical pieces of software in the world is maintained by a handful of dedicated people who don’t have the resources to keep up with the legion of evil crackers out there. (Google keeps their own version, and they pass a lot of security patches back to the OpenSSL guys. Without Google’s help, things would likely be a lot worse.)

For each HeartBleed, there are dozens of other, less-sexy exploits. SSL, the security layer that once protected your e-commerce and other private Internet communications, has been scrapped and replaced with TLS (though it is still generally referred to as SSL), and now TLS 1.0 is looking shaky. TLS 1.1 and 1.2 are still considered secure, and soon all credit card transactions will use TLS 1.2. You probably won’t notice; your browser and the rest of the infrastructure will be updated and you will carry on, confident that no one can hack into your transactions (except many governments, and about a hundred other corporations – but that’s another story).

So it’s a constant march, trying to find the holes before the bad guys do, and shoring them up. There will always be new versions of the security protocols, and for the most part the tools we use will update and we will move on with our lives.

But, I ask again, what about your car?

What version of SSL does OnStar use, especially in older cars? Could someone intercept signals between your car and the mother ship, crack the authentication, and use the “remote unlock” feature and drive away with your fancy GMC Sierra? I’ve heard stories.

You know that fancy home alarm system you have with the app that allows you to disarm it? What version of OpenSSL is installed in the receiver in your home? Can it be updated?

If your thermostat uses outdated SSL, will some punk neighbor kid download a “hijack your neighbor’s house” app and turn your thermostat up to 150? Can someone pull a password from your smoke detector system and try it on all your other stuff (another reason to only use each password once)?

Washer and dryer? The Infamous Internet Toaster? Hey! The screen on my refrigerator is showing ads for porn sites!

Everything that communicates across the Internet/Cloud/Bluetooth/whatever relies on encrypting the data to keep malicious folks away from your stuff. But many of the smaller, cheaper devices (and cars) may lack the ability to update themselves when new vulnerabilities are discovered.
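One way to answer the "what version does it use?" question for a device you own, as an added example that is not part of the original post: capture the ServerHello that the device or its cloud endpoint sends and read the protocol version it commits to. The status labels are the ones this post gives; the function names and the constructed ServerHello bytes are assumptions for the demo.

```python
import struct

# Wire version code -> (name, status as this post describes it).
VERSIONS = {
    0x0300: ("SSL 3.0", "scrapped"),
    0x0301: ("TLS 1.0", "shaky"),
    0x0302: ("TLS 1.1", "considered secure"),
    0x0303: ("TLS 1.2", "considered secure"),
    0x0304: ("TLS 1.3", "newer than this post"),
}

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a ServerHello record commits to."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _legacy, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) < 4 or body[0] != 2:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]           # skip version, random, session id
    pos += 3                       # cipher suite (2) + compression (1)
    if pos + 2 <= len(hello):      # extensions block present
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(hello)):
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            # supported_versions carries the real version in TLS 1.3
            if etype == 0x002B and elen == 2 and pos + 6 <= len(hello):
                version = struct.unpack("!H", hello[pos + 4:pos + 6])[0]
            pos += 4 + elen
    return version

def assess(record: bytes) -> str:
    name, status = VERSIONS.get(negotiated_version(record), ("unknown", "unknown"))
    return f"{name}: {status}"

def make_server_hello(version: int, real_version: int = 0) -> bytes:
    """Build a constructed ServerHello for the demo (not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f\x00"
    if real_version:  # TLS 1.3 style: true version in supported_versions
        hello += struct.pack("!HHHH", 6, 0x002B, 2, real_version)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(hs)) + hs
```

The record-layer version in the first five bytes is deliberately ignored: it is a legacy field, and only the ServerHello body (or its supported_versions extension) says what was actually negotiated.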

I’m not saying all of these devices suck, but I would not buy any “smart” appliance until I knew exactly how they keep ahead of the bad guys. If the person selling you the car/alarm/refrigerator/whatever can’t answer that question, walk away. If they don’t care about your security and privacy, they don’t deserve your business.

I’ve been told, but I have no direct evidence to back it up, that much of the resistance in the industry to the adoption of Apple’s home automation software protocols (dubbed HomeKit) is because of the over-the-top security and privacy requirements. (Nest will not be supporting HomeKit, for instance.) In my book, for applications like this, there’s no such thing as over-the-top.
