Farewell and Rest in Peace Alan Rickman

I was told a few hours ago that the actor of Severus Snape of Harry Potter has died. Seeing as how I am a fantasy fanatic and seeing as how I can draw so many parallels between Severus Snape and myself, I felt I should acknowledge his death and thank him for his acting career. On the one hand I enjoyed his performance of Severus Snape (even though I utterly reject the way movies are very different from the books including the Harry Potter books to movies, especially the last book… and even though I can’t follow movies without subtitles – and often even with them I can’t because of poor hearing – it can’t be denied the acting was good); on the other hand, he also played in Die Hard. I certainly don’t remember him playing in it but that was long before DVDs and DVDs are more than 20 years old (I must say I’m rather baffled that it really was that long ago …)! I only saw the first, second and third (maybe the fourth but I can’t recall now and I don’t know which of them Alan Rickman played in). Yet if it weren’t for his role as Severus Snape I wouldn’t have paid any attention to his death because it’s been so long since I watched Die Hard or even thought of it. But in the end, another wonderful actor is gone and while I don’t follow actors (or really movies, plays or the like) it’s still a loss (… and then there are friends and family who all must be grieving).

Farewell Sev and rest in peace.

Signing DNSSEC Zones Under Different BIND Views

In the popular Berkeley Internet Name Domain (BIND) implementation of the DNS protocols there is a concept called ‘views’; it is a method of allowing some clients (e.g. the local network) to see some zones (or different versions of the same zones than other clients see) whereas other clients (e.g. the external network) have a different view of the zones. This allows, for one example among others, resolving hosts to local IPs instead of the public IPs. Last year, I believe it was, I enabled DNSSEC for my Xexyl websites (as well as some others I am involved in). There are (if I recall correctly) just two ways to deal with DNSSEC signing of zones in BIND (at least as far as how and when they are signed). Admittedly my memory is vague on this but the problem is simple enough to elaborate on – and these methods are irrelevant to the problem: how to use ‘rndc sign’ on a zone when you have multiple views in order to notify the slave DNS servers that the zone has been updated (serial numbers aren’t used in the same way as with regular DNS). So instead of:

# rndc reload

… you might try:

# rndc sign <zone>

… where <zone> is replaced by the zone name. But if you have multiple views then the sign command won’t work; you’ll get something like this (assuming your zone is ‘example.com’):

# rndc sign example.com
rndc: 'sign' failed: not found

In order to solve the problem you have to specify the zone type and the view it is in:

# rndc sign <zone> IN <view>

… where <zone> is the zone, IN is the zone type and <view> is the view name. For instance, if your zone is example.com (as above) and the view you want to sign the zone in is called external, you would do:

# rndc sign example.com IN external

It should succeed (indicated by the command prompt; “no news is good news” as an old UNIX book puts it). I can’t recall exactly where I found this syntax except it was in a mailing list; I had a suspicion all along that it was to do with views and whilst I was correct I wasn’t sure how to fix it. While I can’t name the person who deserves the credit I am crediting them as much as I can. This is both to remind myself (I recently had to look it up and I had sent it to someone in an email so I checked sent) and help others who run into this problem (like the person who deserves credit here as well as myself).
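The procedure above, as an added example that is not part of the original post: a small script that finds every view a zone is declared in and runs the ‘rndc sign <zone> IN <view>’ form for each. The named.conf fragment is constructed, view names are assumed to appear as lines of the form view "name" {, and the zone type is assumed to be IN throughout; the real rndc binary is swapped for echo at the bottom so the script only prints what it would run.

```shell
#!/bin/sh
# Added example (not from the original post): sign a DNSSEC zone in every
# BIND view that declares it, using the 'rndc sign <zone> IN <view>' form.

# Constructed named.conf fragment; not a real configuration.
SAMPLE_CONF='
view "internal" {
    match-clients { 192.168.0.0/16; };
    zone "example.com" IN {
        type master;
        file "internal/example.com.signed";
    };
};
view "external" {
    match-clients { any; };
    zone "example.com" IN {
        type master;
        file "external/example.com.signed";
    };
    zone "other.example" IN {
        type master;
        file "external/other.example.signed";
    };
};
'

# views_for_zone ZONE CONFTEXT: prints, one per line, the names of the
# views in which ZONE is declared (assumes view "name" { on its own line).
views_for_zone() {
    printf '%s\n' "$2" | awk -v zone="$1" '
        /^[ \t]*view[ \t]+"/ {
            name = $0
            sub(/^[ \t]*view[ \t]+"/, "", name)
            sub(/".*$/, "", name)
            current = name          # the view we are currently inside
        }
        /^[ \t]*zone[ \t]+"/ {
            name = $0
            sub(/^[ \t]*zone[ \t]+"/, "", name)
            sub(/".*$/, "", name)
            if (name == zone && current != "") print current
        }'
}

# sign_zone_all_views ZONE CONFTEXT: runs the sign command once per view.
# A bare 'rndc sign ZONE' fails with "rndc: 'sign' failed: not found" when
# views are in use, so the view is always passed explicitly.
# $RNDC names the binary; it defaults to rndc.
sign_zone_all_views() {
    zone=$1
    views=$(views_for_zone "$zone" "$2")
    if [ -z "$views" ]; then
        echo "no view declares zone $zone" >&2
        return 1
    fi
    rc=0
    for view in $views; do
        ${RNDC:-rndc} sign "$zone" IN "$view" || rc=1
    done
    return $rc
}

# Dry run: print the commands instead of talking to named.
# Remove this assignment to really sign the zones.
RNDC=echo
sign_zone_all_views example.com "$SAMPLE_CONF"
```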

‘Justice’ is a Manipulative, Dangerous Lie (and Encryption is Vital to Security)

I think it is time I finally discuss what I’ve long said: There is no such thing as a justice system; there are only legalities created and maintained by those who also are in a position to change the laws to fit their agenda – which is not at all to protect society (granted some of it is but it is done in a poor, inefficient, sometimes manipulative way and it isn’t their only agenda by any means). At the same time I will discuss (albeit only briefly because that’s all it takes) just how much encryption is a vital part to the security of the Internet and the security of everyone on planet Earth – including those who want to degrade encryption in the name of ‘national security’ (something that is a farce when you have the mentality that encryption is dangerous to security). Make no mistake: the manipulative, dangerous, power hungry, filthy, bloodthirsty bloodsucking cockroaches from hell that are politicians are not at all protecting their citizens; they serve no one but themselves in the vast majority of things. I have said I will not get into the cesspool that is politics and I have no intention of changing that. However, because of personal experience in the lack of justice (albeit not in a court setting; justice shouldn’t only be about the court of law – yet it isn’t anything but a lie) I will discuss the ‘justice system’ and the way politicians abuse certain things in order to progress their agenda of mass control and inadvertent destruction of exactly what they claim to protect.

Justice is a farce for so many reasons. I will discuss some of them but it is impossible to discuss them all because there are so many variables and some of those variables are very dynamic in nature. I will then discuss how the mentality of politicians is dangerous, manipulative and destructive, as well as how encryption is vital to the security and therefore safety of everyone – including themselves and who they are supposedly protecting. This post will be brutal to anyone who is ignorant of just how much blood the United States of America has on its hands but it isn’t just about the United States of America.


‘Justice’ System a Dangerous Lie and Justice a Myth

Many nations in this accursed world guarantee a speedy, fair, unbiased trial in the court of law. This is a lie in order to make the vast majority of the citizens believe that the authorities really are protecting them, that every person that does ‘wrong’ will be brought to ‘justice’. Unfortunately for the civilians and fortunately for the authorities, most people do believe this absurd lie. ‘Justice’ typically means time in jail, a fine and/or community service (any combination of the three – and sometimes other things). In at least one case there is also a guarantee of no cruel or unusual punishment – including a bloody (literally and figuratively) and accursed nation called the United States of America that still has not outlawed execution. Yes, I will be discussing that indeed. But I won’t get ahead of myself. I’m going to discuss each of these claims one by one. I am not at all going to define these terms under the legal definition because the lawyers speak in their own language (a mutant version of gobbledygook, perhaps?) which deliberately allows for loopholes and other abuses. I won’t even begin to discuss stupid laws because that they exist is unsurprising to say the least (and there are many stupid laws throughout this world).

What is a speedy trial? One might think it is a trial that isn’t delayed (e.g. there actually is a trial), a trial that doesn’t linger on unnecessarily and one that benefits the defendant (but usually benefits the one with the best lawyer – which often means the plaintiff or otherwise the prosecutor in a trial brought forth by the city, state, county, and whatever other jurisdictions might exist). But yet a speedy trial could equate to a hasty trial and being hasty is being incomplete, not at all thorough and that is not at all justice. Indeed, this tactic is exactly what happened during witch hunts. This absolutely happened in the Salem Witchcraft Trials – one of the only fascinating times in United States of America specific history to me. When you combine this with the fact they allowed all sorts of ‘evidence’ that could implicate anyone you can see that this was the exact opposite of ‘justice’ (and no matter how many were charged and executed the affliction continued). Indeed, on June 29 of 1692, the one accused-‘witch’ declared innocent called Rebecca Nurse was shortly after declared guilty because the moment she was declared innocent the afflicted girls started to thrash around, howl and more or less make a dramatic scene. Certainly, a speedy trial here did not benefit anyone – and many innocent people were executed from the mass-hysteria affecting Salem Massachusetts at the time.

Yet sometimes trials aren’t even started; a very good example of this disgrace is the prisoners of Guantanamo Bay, Cuba. As I recall, some prisoners weren’t even charged with anything at all (which is mostly to delay so-called justice and because there wasn’t enough evidence to charge them – at least until tortured enough but torture results in inaccurate evidence and is still unethical and immoral). This is obviously the complete opposite of a speedy trial because there isn’t any crime in the first place (the only crime is that done by the blessed United States of America). I will return to this place again in the no cruel or unusual punishment part.

Unbiased? There is no such thing as unbiased. Even this article has some bias in it no matter how much effort I try to be unbiased. We all see things through our own experiences and we all have different experiences. How can someone have experiences as if they weren’t their own? But I’ll extend this: first impressions. If someone were unknown, accused of a heinous crime in front of jurors and they looked different (long hair, afraid to look at people, blunt or flat affect, distant, a perfect description of me) what would the jurors think? Prejudice exists everywhere in some form or another and surely if I am not showing much emotion, can’t look at people, don’t have much emotion in the voice, it must be true what the prosecutors are saying? There doesn’t need to be any evidence besides how I look! You call that justice? You call that scientific? It isn’t justice and it isn’t scientific – not even close.

No cruel and unusual punishment? That is complete bollocks and it is an utter disgrace for a nation such as the United States of America to spout as if it were even close to true. Innocents have been executed! Is that justice? Is that kind? Is that compassionate? Is that anything else the United States of America claims to be? Absolutely not. Yet the US also calls out other nations for similar things. Hypocrisy to the extreme. The fact pharmaceuticals are denying executioners medications for use in execution (as they should!) only makes these worthless, arrogant bastards more desperate for a solution (literally and figuratively, perhaps!) to execute prisoners while still being humane! Execution isn’t humane! But even if it is humane, the fact the United States Supreme Court backs the use of the sedative midazolam for execution says a lot. Yet it is worse than that. The botched execution in Oklahoma last year as described here:

He is reported to have writhed on the execution table, attempting to lift his head and speak. He eventually died of a heart attack, but not until after the administering authority had decided to suspend the execution and attempt to revive him. Oklahoma quickly issued a two-week stay for Charles Warner, who was scheduled to be given a lethal injection later the same night.

They actually tried to revive him? I can only presume that they wanted to try it again. Indeed, there is this inherent mentality that officials (like executioners) should have the final say on how someone who supposedly deserves death by the state should die; if they die by self-inflicted gunshot then that would be less desirable than execution; is a life not a life? If it is really about ‘justice’ then it doesn’t matter if they commit suicide or are executed. No. It isn’t about ‘justice’; execution is about revenge – nothing else. Yet what that person went through is beyond incomprehensible; really, the state of Oklahoma did that to someone? If murder is illegal – as he was executed for – then why is the state of Oklahoma (or any state declaring murder is illegal) executing – i.e. murdering – a man? Why did they torture a man to death (if the executioner were to torture someone outside of their death chamber then it would be decried as heinous but in his death chamber it is undesirable but still acceptable – and in some people’s opinion the torturous death is not at all a problem) if they are executing the condemned for murder (torturous or otherwise)? Revenge. But yet, some actually approve of such a disgusting act, for example in the tweet from Bill Hobbs:

An execution that ends with the thug dead is NOT a “botched execution.”

And responding to the Drudge Report headline “Oklahoma inmate dies after execution botched”, conservative commentator Ann Coulter tweets:

Isn’t that what’s supposed to happen?

A website about the death penalty in the United States even shows that some states allow the use of the gas chamber and others the firing squad (one for each also is used in case lethal injection is outlawed and/or if the drugs aren’t available). Tell me, Americans that approve of all of this (perhaps Bill Hobbs, Ann Coulter or the governor of Oklahoma or Utah?). Doesn’t America condemn the mass extermination of Jews during the Holocaust (or for that matter any other genocide in the history of mankind)? Does it matter if it was through gas (which was used) or by gun (which they did including at a Potters Field and even killing two with one bullet by way of tying the two condemned back to back and shooting in one mouth so that it goes through one skull and then into the skull of the other)? Don’t bother answering; I’ll answer instead. No, it doesn’t matter how it is done so much as if it is done – unless it is being done by the United States of America, in which case it is perfectly acceptable. This is not unlike the Nazis modelling their eugenics on the United States of America eugenics (which included Jews and other life unworthy of life). We can’t forget, either, about Project Paperclip (other places called Operation Paperclip) where the United States of America covered up the crimes of Nazi scientists in order to learn from them! The reasons are potentially many but amongst them is to keep them away from the Soviet Union. I quite like the last sentence of the BBC article I linked to:

But, while celebrating the undoubted success of Project Paperclip, many will prefer to remember the thousands who died to send mankind into space.

The fact the US also tortured prisoners at Gitmo (in addition to not charging them with crimes, etc.) only makes this all the worse. Then there are the experiments in torture, other human experiments (a scary amount of experiments that have been documented in various places; for instance here) and much more. While Americans tend to believe the lies America spreads about being the most caring, most compassionate nation in the world, the actions of the nation and the mentality of many Americans demonstrate the exact opposite. That many are in fact caring, compassionate and do their best to be ethical and moral is fine and well (the actions of a man who is paralysed from a sniper attack are a humbling example[1]) but that doesn’t excuse the others.

No, no, no. Justice is a lie. Even if the person convicted truly is guilty without a doubt, and with full intention, it doesn’t take away the victim’s suffering. There is no justice in a world led by humans because humans on a whole are inhumane, unethical and immoral. It doesn’t matter if it is the treatment of animals or the treatment of humans; it is all the same on a whole.

Lastly, going back briefly to the Salem Witchcraft Trials, there are the amusing final words of a condemned ‘witch’. Taken from salemwitchtrials.com (with me changing the spelling to haemorrhage):

At the hangings, the Rev. Nicholas Noyes asked Sarah Good to confess. “I am no more a witch than you are a wizard, and if you take away my life God will give you blood to drink.” was her reply to him. Twenty-five years later, the Rev. Nicholas Noyes died of a haemorrhage, choking on his own blood.

I changed my mind. That is an example of justice. Or maybe it is just cruel but well-deserved irony. Nonetheless, the reverend deserves what happened.

[1] At one point in recent years (I can’t find the reference at this time) an American Jew attempted to stop an execution of the sniper who paralysed him to the extent of requiring a wheelchair by suing the state. Despite being unsuccessful it shows extremely positive character. The saddest part is, if I am recalling correctly, the attacker was paranoid schizophrenic and unfortunately read Mein Kampf which definitely fed into any of his paranoia. But this is yet another problem with execution (and in general the mentally ill are treated with less respect, less dignity and as inferiors; ironically the Nazis would have considered him an inferior himself but that doesn’t take away the unnecessary loss of a life, does it?). He put it quite well (I don’t have the exact quote but it is close enough for now): He doesn’t think a state where it is illegal to murder should be in the business of killing. He adds that he has had many years in a wheelchair to think about this exactly. Despite this many states still disagree – and it is quite hypocritical to say the least.


Encryption

So US politicians are making claims that encryption really needs to be weakened in order to properly detect bombings (etc.) in advance. The reason this has come up is obvious and not one I really care enough to get into because it is frankly irrelevant. Without encryption e-commerce would be made more unsafe (it isn’t safe now …); commerce in any form would be unsafe; online banking would be unsafe; authentication in general would be unsafe. Weaker encryption would be going back to the dark ages – if not before mankind! Even Julius Caesar used a form of encryption (commonly called ROT-13 because it was a rotation of the letter by 13)! There is a reason we migrated from TELNET to ssh (for one example of many more). But here we have idiots in power wanting to weaken security to … improve (!?) security! That makes no sense at all. This is very basic but something politicians just don’t get due to their greed, lust for power and their inherent stupidity: the more information someone has the easier it is to launch an attack and the more personal information someone has, the easier it is to steal the ID of a victim. There is but one exception here: you cannot steal the identity of a politician because politicians are so exceedingly arrogant and infernally stupid, demonic maniacs hell-bent on world domination and destruction, that no identity thief could fool anyone into believing they really are who they claim (and if they considered trying they are probably seriously ill). But you could cheat them out of money (even if they have far more than they deserve) or cheat their family (including those who were unfortunate enough to be born in a cesspool). No; encryption is not a threat to the security of the west; weak encryption is but more than anything else, the west is its biggest enemy simply because the leaders ignore history and are misguided morons.

As for what inspired me to finally get around to writing about justice being a farce (and it admittedly went beyond that – a lot more than I expected but I feel it is more than worth the time and effort), it is this article entitled: When Phone Encryption Blocks Justice

No, encryption doesn’t block justice; mankind blocks justice and this is why justice is a lie. That’s the brutal truth of the matter despite what many claim and many more will believe.

Linux.Encoder.1: Hilariously Pathetic but Offers an Important Lesson

This will be a short post because there isn’t much to say, really. Many have claimed over the years that Unix and its derivatives (and really, Linux is only not a ‘proper’ Unix in the sense of licensing) are immune to malware, despite this being shown false again and again and again (I’ve certainly cited examples before and I will continue to do so where it fits what I’m writing). But they are woefully naive if not stupid (ignoring the truth because you don’t want to deal with it is quite lazy and very stupid – even for humans). It has come to my attention that a ransomware attempt on Linux has affected some servers.

Yet it is so primitive you would think that the programmer only just learned to program (having a long way to go) and/or is very ignorant of how seriously inadequate the C pseudo-random number generator (pRNG) is; indeed, you can get the same results as long as you have the same seed – which they conveniently kept by way of the (I presume) modification timestamp of the affected files. Complete failure; it is an ineptitude that you would never want a programmer of legit software to have. Of course it would be easy to fix that flaw and it would be easy to fix the flaw of using rand() but I’m obviously not going to point out how because it would be unethical to do so (and anyone worth their salt would be able to fix it in a heartbeat). So yes, I guess you could say I’m mocking the author for an extremely pathetic attempt at writing software (but mostly it is to once again stress that malware isn’t only a Windows problem; to back up and to use privilege separation as it was meant to be used). It is amusing to note that virus writers of old actually had really good programming skills and now the malware authors of today typically do not (that isn’t to say it is always the case; indeed there were some authors that were also inept – however, there certainly was art to it before whereas now it is just causing harm in some form or another). This is amusing because even amateur programmers know just how inadequate rand() is for random numbers of any kind. But make no mistake: the fact of the matter is it will likely be fixed and it can cause a lot of problems. Even if it doesn’t affect you directly, the reality is it can affect others – and indirectly you. The fact they made this error is amusing for the reasons I cited but it doesn’t have to be this way – and often isn’t.

This is summarised as the following by Bit Defender Labs (they also have a decryption tool with a caveat that some systems have had the files encrypted twice, which is yet another reason the lesson I was going to point out anyway is so critical):

We mentioned that the AES key is generated locally on the victim’s computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s operator(s).
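To make the flaw described above concrete, here is an added example that is not part of the original post and is not Bitdefender’s code: a key derived from a PRNG seeded with a file timestamp is regenerated by anyone who holds that timestamp, whereas a key read from the kernel’s /dev/urandom is not. awk’s srand()/rand() stands in for libc rand() (the point is the determinism, not the Trojan’s exact byte stream), and the seed value 1447200000 is a constructed mtime.

```shell
#!/bin/sh
# Added example (not from the post, not from Bitdefender): why seeding a
# PRNG with a file timestamp makes the "random" key recoverable, and the
# hardened alternative. awk's srand()/rand() stands in for libc rand().

# weak_key SEED: 16 bytes, in hex, from a PRNG seeded with SEED.
# The seed is the only secret, and the Trojan left it in the file's mtime.
weak_key() {
    awk -v seed="$1" 'BEGIN {
        srand(seed)
        for (i = 0; i < 16; i++) printf "%02x", int(rand() * 256)
        printf "\n"
    }'
}

# strong_key: 16 bytes from the kernel CSPRNG, in hex. Nothing stored with
# the encrypted file lets anyone reproduce it.
strong_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
    printf '\n'
}

# keys_match SEED: returns 0 if two independent derivations from the same
# seed agree, i.e. knowing the seed is the same as knowing the key.
keys_match() {
    k1=$(weak_key "$1")
    k2=$(weak_key "$1")
    [ "$k1" = "$k2" ]
}

# Constructed mtime (seconds since the epoch) standing in for the timestamp
# the Trojan used as its seed.
MTIME_SEED=1447200000

echo "weak key from mtime $MTIME_SEED: $(weak_key "$MTIME_SEED")"
echo "same seed, second run:          $(weak_key "$MTIME_SEED")"
echo "urandom key (never repeats):    $(strong_key)"
```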

As for the lesson. I don’t understand why people don’t get this but it really is so simple: BACKUP YOUR DATA! Not every once in a while; not when you feel like it. EVERY SINGLE DAY! Not just files that have changed; not only some data files; all files and in a cycle (ask your local administrator about backup options). If you don’t do this, you will eventually be sorry. Even if you can recover files from some file systems easily enough, what if something else goes wrong? What if the drive is completely toast (literally or figuratively)? Where will you be? What if you lose photos or videos of lost loved ones? What if you lost a story or even a book you wrote? There are a lot of risks and why suffer the consequences when you can simply back up? As I recently put in my fortune file, backing up is simple which makes it all the more ironic that so many people don’t back up:

Humans are inherently lazy and weak. This is why they tend to do what is easiest instead of what is right – even ethically and morally so. It is rather ironic, then, that so many people refuse to implement proper backup and recovery systems – which would save them time, money and much grief – when it is also much easier than trying to recover lost or corrupted data.
— Xexyl

Remember that and follow up on it. You’ll save yourself so much grief when disaster strikes. And let me remind you that a backup that does not work is useless; yes, this means you must TEST recovery. Yes, this means you must TEST EVERYTHING about it (including making sure your backup medium is error free). CDs, DVDs and Blu-ray discs do not work well for daily backup because of the burning nature but they do work for the occasional extra backup (e.g. you want to have a second copy of all your photos and videos). Just note that you should replace those discs every so often; I’m not sure actually what the time frame is but there is a time frame and if you rely on optical discs then make sure you consider this. That isn’t to say other mediums are error-resistant (errors eventually happen) so much as just because the data is burnt into the disc, does not mean it never will have a problem (this isn’t even considering scratches, snapping in half, and so on). Redundant backups are a good thing and NO, the cloud is NOT a backup system! It is fine if it is in addition to your regular backups but it is NOT a backup system by itself! These rules (and actually more) apply regardless of your OS of choice.

Actually, make that lessons (and reminders). In addition to backups:

Make use of privilege separation; don’t use root unless you have to, don’t run programs as root unless it is absolutely required (that is, the program complains that root is required for ALL operations). Similar goes for other OSes.

There exists malware that targets OSes other than Microsoft Windows; the fact Windows has a much larger user base is only relevant in that more malware targets Windows because the return on investment is – oddly enough – higher. But that doesn’t mean malware doesn’t exist anywhere else; it does and this very post gives an example of it. Only recklessly naive and ignorant people would claim otherwise; of course, many people are recklessly naive and ignorant (as well as being carefully naive and ignorant) but it doesn’t change the reality of the situation that malware is cross-platform.

Security Through Obscurity

I was on the fence of whether to call this ‘Insecurity through Obscurity’ or ‘Security Through Obscurity’ but I’ve opted for the latter because that is how the rationale usually goes. However, while it is true it isn’t a sound security policy by itself, it doesn’t mean obscurity is useless. People tend to think on either extreme while calling out others for also being extreme. We’re all guilty of it to some degree but the subject of security through obscurity is one where you typically see either extreme (the negatives) but much less of the moderate (the positives). That is because too many people are pendulum thinkers.

In order to understand this, one must ask what security through obscurity and security by obscurity mean. It is basic language but through and by imply that you’re attempting to make it secure through obscurity or by making something obscure. By itself is the key point. Regardless of whether someone interprets it that way or not, though, the point is still the same, and that point is what matters. Nothing is secure by itself. Security is a many-layered thing and this has always been known. No single thing by itself is secure. This will never change. But that doesn’t mean obscurity is useless; it isn’t.

As I am quite open about fantasy being a significant part of my life, I’m going to bring up a quote very relevant to security from Harry Potter and the Half-Blood Prince, where Professor Severus Snape talks about the Dark Arts:

The Dark Arts are many, varied, ever-changing, and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible.

(As a note: I don’t have the book in front of me, so I copied that from the Harry Potter wiki; unfortunately I’ve noticed a lot of mistakes there – made much worse by the movies being very wrong in many things. If there are any slight differences or mistakes, that is why. It seems about right, though, as I seem to recall that when I recently reread the books)

That is exactly the same as computer security! When you replace ‘The Dark Arts’ with ‘Cyber-attacks’, the analogy is perfect. What might seem secure might later be deemed quite weak and/or broken (this has been shown many times, including recently; SHA-1, anyone?). Or an attacker might have a new tool or has different insight which led them to discover a flaw in your otherwise carefully planned, so-called perfect security policy. The list of possibilities goes on ad infinitum. The bottom line is this: no matter what you think is possible or impossible with security, it won’t stay that way (even if you are correct at the time being). I’m obviously excluding things like there is no 100% security; that is true and it is absolute – this will never change. No matter what protections are in place, and no matter what policies are deployed, it will eventually be breached. That’s why the quote above is so perfect for computer security – it is equivalent.

Now, with that in mind, obscurity does have a positive effect on security. But only when used with other layers. I will be citing an example of where it was taken too far because it highlights the point quite well. Yet sadly some people professing security are completely missing this point, while also defeating their own logic without realising it because – wait for it – it is too obscure for them to see. The irony is incredibly amusing and simultaneously shows exactly how obscurity can be of value; they don’t even know that they rely on exactly what they’re calling out, because it is obscure enough to hide from them. In that case, it is convenient to them because they can still see themselves as correct. But they aren’t.

About a year ago Fedora proposed to require all files under /usr to be world-readable. The very first response starts out:

Yes, yes, yes! Down with security by obscurity!

Which is quite ironic because the proposal doesn’t even bring up security directly (it only brings it up in the list of some of the offenders). But never mind that irony; it demonstrates exactly what I mean. The theory goes that if something isn’t world-readable, then it is more obscure (true) and therefore it is less secure (false) or is irrelevant to security (false). Except that, again, security is a many-layered thing.

My question to those on that page – as well as others who use similar logic to justify any number of things that are in their mind, related to security – is this: When will it be recommended that we make /etc/shadow 0444 (u=r,g=r,o=r) or anything other than 0000 (as it is now)? Never? Do you know why? I’ll tell you why. Even in the 90s it was far too easy to take a copy of /etc/passwd off a server (which is world-readable and has – that is, had – the salted hashes of all the logins of the system), perhaps because of the Apache 1.3.x (as I recall, that was the tree) phf bug, and run a password cracker on the file, giving you passwords to logins of that server. And once you have shell access, you’re a local user (the difference being connectivity problems including because the system – or an administrator – detected you and cut your connection) and local users are a lot closer to root access. Then consider that much weaker standards, policies and practises were accepted and in place (r* services which could lead to the system being compromised without a password, TELNET, insufficient filtering, etc.), on top of the login/password matches, and it makes things very ugly indeed. It didn’t even take much computer power to run a dictionary attack and now we have a lot more computer power (not only through CPUs but also GPUs as well as parallel computing – all helped by the fact computers are far cheaper these days; anyone who was around then will know exactly what I’m talking about because it is a drastic difference). Don’t forget password policies, reuse, sharing, amongst other things, are still terrible. Note that this form of obscurity is the same as what the /usr discussion suggests (whether anything in /usr should or shouldn’t be world-readable detracts from the point). Oh, and by the way, here is yet another way obscurity can be of use, cited at blackhat.com. It works together with other defences. Is it really that hard to understand?
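The /etc/passwd to /etc/shadow point above, as an added example that is not part of the original post: a small audit that flags any file which is world-readable and carries crypt(3)-style hashes in its second colon-separated field, i.e. a file that puts the hashes back where the 90s cracking scenario could reach them. It runs against constructed stand-ins (with made-up hash values) in a temporary directory rather than the real /etc, and assumes the mode string printed by ls -l has the other-read bit at column 8.

```shell
#!/bin/sh
# Added example (not from the post): audit for world-readable password hashes.

# other_readable FILE: returns 0 if "others" may read FILE.
# Assumes ls -l prints the mode as e.g. -rw-r--r--, other-read at column 8.
other_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# has_hash_fields FILE: returns 0 if some line has a $id$salt$hash value
# in field 2, the layout /etc/shadow uses (and old /etc/passwd used).
has_hash_fields() {
    awk -F: '$2 ~ /^\$[0-9a-z]+\$/ { found = 1 } END { exit !found }' "$1"
}

# audit_hash_exposure FILE...: prints each world-readable file containing
# hashes; returns 1 if any were found, 0 otherwise. Files that are not
# world-readable are never opened, so a 0000 shadow file is simply skipped.
audit_hash_exposure() {
    exposed=0
    for f in "$@"; do
        if other_readable "$f" && has_hash_fields "$f"; then
            echo "EXPOSED: $f is world-readable and contains password hashes"
            exposed=1
        fi
    done
    return $exposed
}

# make_sample_dir: constructed stand-ins for /etc files; hash values are
# made up. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    # Modern passwd: 'x' in field 2, world-readable by design.
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"
    chmod 0644 "$d/passwd"
    # shadow: hashes present but mode 0000, as the post describes.
    printf 'root:$6$saltsalt$CONSTRUCTEDHASHVALUE:16000:0:99999:7:::\n' > "$d/shadow"
    chmod 0000 "$d/shadow"
    # Pre-shadow style passwd with the hash in field 2, left world-readable.
    printf 'root:$1$oldsalt$CONSTRUCTEDHASHVALUE:0:0:root:/root:/bin/sh\n' > "$d/passwd.old"
    chmod 0644 "$d/passwd.old"
    echo "$d"
}

SAMPLE=$(make_sample_dir)
if audit_hash_exposure "$SAMPLE/passwd" "$SAMPLE/shadow" "$SAMPLE/passwd.old"; then
    echo "no world-readable hashes found"
else
    echo "world-readable hashes found (see above)"
fi
rm -rf "$SAMPLE"
```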

At the other end of the spectrum, you have vendors (or organisations) keeping vulnerable software (and/or configurations) installed because any bugs in it are obscure enough, or the service is so rare, that surely no one will know of it. That’s not how it works, though. If you’re attempting to secure a service through this, you’re making a terrible mistake. One hopes that you are using other layers too, but if you aren’t – or your other layers aren’t sufficient – you are potentially walking on thin wires just below reaching space (and if you are indeed knowingly allowing bugs to exist, you are walking on thin wires). Hope you don’t fall (but if you do, please don’t hit anyone or anything). I should point out, lastly, that not fixing bugs, for any reason, is silly; it defies what a good programmer does, and it is especially stupid if you don’t fix a bug because you have a workaround, you add sanity checks (used only to try to prevent the bad code from executing) or you think it isn’t a problem – security-wise or not. That is where obscurity is not helpful. Not that it really is obscure: if you think a bug is obscure enough that it won’t be a problem, then you’ve not encountered enough users with the right mindset (or they abused it and you don’t even know it), and you don’t have the right mindset either. As I’ve put it before, if you are a master at troubleshooting, then you understand how problems arise in the first place, and therefore you can easily cause them. I know this because I’ve done exactly this; I know what checks to put in place, I know what to guard against, and I know how to find bugs in programs that I am testing. As I’ve also put it, using workarounds does not equate to a fix, and you will eventually be bitten – again and again – by the bugs until they are fixed properly. Recompiling the source with a bigger array instead of dynamically allocating it (or using a language that does this for you) is not a fix; it isn’t even a hack – it is an ugly workaround (if that) due to laziness and nothing else (workarounds and checks are fine until you can fix it, but they do not take the place of fixes in a properly working program – that’s the difference).

Speaking of workarounds, here is another amusing example of one, going back to Fedora and the world-readable /usr issue again. This is from the logs (or as they call it, ‘journal’) of the oh-so-precious systemd:

systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

Amusing, isn’t it? I never touched that file in any way. Yet despite what they ‘require’, it isn’t true, and this is one example of littering the logs with useless crap. Useless, unless you are looking for an example (e.g. for documenting purposes like this) of stupid ideas and the equally stupid workarounds they require. The fact that APIs allow access when the access mode does not says a lot – and nothing positive. But you know what this is? That’s right, it’s a workaround. If it wasn’t for the fact I constructed this the way I did, I would say the irony is perfect. But it is still ironic that they would use a workaround on something that some say improves security. Yes, removing obscurity would improve security, but only if you incorrectly believe obscurity is never helpful to security; it doesn’t, because obscurity is useful to security when used in addition to other defences.

The Dangers of External Media (floppy diskettes, USB, etc.)

I’ve written about master boot record/boot sector infecting viruses before, albeit not specifically how they work (though I am familiar enough to do so if I really wanted to). I’ve reminded people of the similarity between floppy diskettes and USB drives in how they are a source of viruses (and malware more generally), as well as how systems can boot off of both of these (as well as CDs/DVDs and other devices) – while simultaneously installing malware. I believe I’ve made references to BadUSB and I’ve written about more of all this under Bring Your Own Demon (BYOD) and the Internet of Things (IoT). I also strongly criticised Fiat Chrysler for encouraging people to use USB sticks they receive in the mail. But now I have more to write on the matter. Because besides viruses (and I include BadUSB in that category) there is a new version of USB Killer. It actually kills computers (and it seems USB Killer v1.0 also did this). Yes, I of all people would find it odd that a non-sentient thing could die; I would also have argued that it is, literally speaking, impossible.

But I’ve changed my mind. I’m also reminded of some old issues that many are probably not aware of. To those who don’t remember the old AT power supplies (or those who have never heard of them or what dangers lurked inside them), if you plugged the power cable (referring to the 20-pin cable) in the wrong way[1] then you would have a very nasty power problem.

Then there is the old trick of sending a PSU (power supply unit) to a friend overseas, or even a friend in the same country (therefore using the same line voltage), with the incorrect voltage set on the PSU. Or if you forget to change the voltage (as a long-time friend from the Republic of Ireland did, when another friend sent him a PSU from the US), you would also be very unhappy indeed. But he was able to laugh about it, at least.

And then there is USB Killer v2 (video of USB Killer v2.0 on a laptop). There is another version – a remake of v1.0, I guess – which in my opinion is worse than what v2.0 does: unsure what it would do to a laptop, but the PSU catches fire and the internals of the computer are charred. He was going to attempt to salvage it but he didn’t expect it to be as bad as it turned out to be.

Yet, even though a version of USB Killer was released on April 1 of this year (a comment on one of the videos links to a website that I have used translate.google.com on), it was no joke. I should have linked to that in my article on the lie of security being of utmost importance but I had forgotten about it (I only remembered BadUSB and others, and I hadn’t seen the video of USB Killer v1.0 – I’m glad I have now). Chrysler really should be absolutely ashamed of themselves, especially for dismissing the risks as hypothetical.

People that also participate in that game (I can’t remember what it is called) where they look for items (based on coordinates that are published, maybe?) including USB sticks, should seriously reconsider doing so. While I’ve always been against destruction of data, I could still see just how amusing it would be to do this (even though I would never do this even if I were to participate in such games) – I mean, after all, anyone playing this game is asking for trouble (on the other hand, the fact people might test it on another person’s computer is reason enough to not do it) and games are meant to be amusing (and you can’t deny destruction amuses a lot of people). Still, with BadUSB and USB Killers, not to mention other malware and associated risks, it really shows just how reckless people are (the same goes for older floppy diskettes; just leaving one in by accident or through forgetting could lead to you being infected by an MBR/BS virus, perhaps even a multipartite – which is an MBR/BS virus that also infects files). It might be due to unawareness, but how does someone who is unaware become aware if they don’t know there is a problem?

Everyone who thinks the Internet of Things (IoT) or Bring Your Own Device (BYOD, where, as I have said, the D is for Demon) are good ideas, really, really, and I do mean really, needs to wake up to the risks. These are very bad ideas. It is bad enough at home – it is worse in certain professional settings (social services or medical settings come to mind especially). Be aware, people. Stay vigilant or you will run into problems (you might run into problems even if you are vigilant but the chance goes up a lot when you aren’t vigilant). Be suspicious. Be concerned and careful. No, no, no, this is not paranoia. Paranoia involves no evidence that you are being targeted – it might involve evidence to the contrary. This is being intelligent. There. I’ve finally said it. I said there is such a thing as intelligence. Who knew?

[1] It was two different male connectors that you placed (together) into the female port on the motherboard. But you could put them in the wrong order (if coloured you wanted black to black, as I recall). If you didn’t do this correctly you would be very sorry.

Ridiculous and Stupid Computer Prophecies That Simply Won’t Die

I’m including this in general because it fits in several different categories all to do with computers. I’d actually go so far as to say that this happens outside of technology. But regardless of where it is, it is almost always utterly ridiculous and completely stupid. The idea goes that something will die out. Yet these statements are claimed over and over again, ad infinitum, despite the fact they are all illogical. Maybe it is because these would-be fortune tellers want their prophecy to come true, but that doesn’t make it any more realistic.

This will not be in any specific order, but for each I will give my thoughts on said prediction and why it is ridiculous, stupid and illogical. Some predictions I am especially bemused by, and it is quite obvious from what I wrote below.

Eradication of Spam

The first one is from 2004, when Bill Gates predicted that spam would be wiped out in two years’ time. I remember reading this at the time but I saw it recently by chance. It would be nice, but as I’ve written about before, as long as there exists one person that responds to the spam in some way, it is worth it to the spammers. But let’s be honest: more than one person does exactly this, just like more pay up for ransomware attacks. The reality is spam isn’t going anywhere. Tactics will change to account for ways to try to help mitigate spam, but spam itself is still strong. The mitigation methods aren’t exactly that successful, either. Spam filtering is the best of the lot in the matter and it is impossible to get right 100% of the time (and this is with text mails; then consider the tricks of the entire message being in an image or images). HTML in email makes this even worse (and it is unfortunately something that is rather commonplace) in what it allows (hyperlinks themselves are one thing but embedded HTML is another entirely). No Bill, spam isn’t going anywhere, I’m sorry to say. The prediction that it would go away is like predicting littering will cease to occur (and sadly this will never happen because, as I’ve recently pointed out, humans have a serious disregard for the planet). It just won’t happen.

Computer Mice Will Die

I seem to recall this, anyway, and all I can think of is that these predictors believed that with pens (whatever those input devices are called) there would be no need for the mouse. But that’s not how it works. Not everyone will want the alternative input methods and not every input method is appropriate for all types of input, funnily enough. The mouse will never be abandoned and that’s all there is to it. The sole exception is if manufacturers work together to ensure that mice can’t function and no mice will be replaced. Yet nowadays mice are often USB enabled, so good luck with getting rid of that capability.

Keyboards Will Become Obsolete

I really, really, really, and I do mean really, get laughs out of this one. It is so utterly stupid and ridiculous it is hard to believe anyone would make this claim. But it has been claimed many times over the years, and each time it is equally as stupid. Let’s see why that might be, shall we?

Typists can somehow type faster than they can speak. This is rather obvious to anyone who has spent much time around computers, but it apparently isn’t enough. If I were to speak at the rate I type, I would be considered manic and frankly it would be extremely difficult to follow my thoughts (the reality is my thoughts are already hard to follow, especially if spoken, but through typing I can look back at it and fix any mistakes at another time – you can’t not say something you already said, can you? Granted you can’t change archives but you can at least fix any unfair thoughts and you can improve upon what you wrote before – this is sometimes called ‘editing’). This is despite the fact that my typing has gone bad in recent years. The reality is my fingers are a lot faster, more accurate and more efficient than speaking. But then you have people that enter data into databases. The syntax might not be easily spoken. Then there is the example where thoughts flow naturally in a person’s head but not if spoken. This might occur when writing a book, for example, or perhaps the thoughts aren’t completely there (enough to speak) but are still there in some form (enough to put down in order to develop later). Oh, and yes, I’ve left two things out. First, to get rid of keyboards one would have to speak, and yet software isn’t perfect (and never will be) and so it won’t get things right all the time (and without keyboards what do you do to fix these mistakes? In fact, how will you write the software to interpret the spoken words to translate into text?! That itself should say enough). Second, while this might not apply to many people, my mother works at her computer and watches TV at the same time. She’s also watched TV, crocheted and read a book all at once. No, that isn’t a fabrication, and yes she was able to follow everything, and what she was crocheting had no problems, either. The TV is important: people on TV tend to be so rude as to talk (sometimes more than one person at the same time). Obviously that is sarcasm. Forget the fact that it would be hard to speak the letter you’re typing while watching TV; how would the software discern what is being said by which person (or thing)? No, voice recognition won’t solve the problem with 100% satisfaction. My doctor recently showed me his dictaphone (that could input to a computer) and unsurprisingly it was very easy to make the input turn to gibberish. After I demonstrated this he even said that he has to tell patients this fact (he showed me after I laughed at his inability to find the keys on the keyboard; even though I was far enough away that my poor vision couldn’t discern things well, I knew what he was trying to type and I knew his fingers were in the wrong place – by a lot). Then there is the best part. Computer programming. Oh yes, no keyboards would be a killer to this important task. Many will say that some of it can be automated but I challenge them to look at more advanced C code until it sinks in a bit. No, no and no, keyboards aren’t ever going to be obsoleted. Anything to the contrary is ridiculous and stupid.

Passwords Will Be Obsoleted

This is another fun one. The theory goes that passwords are the weakest link in the chain (hint: they aren’t; what is the weakest link is those who create passwords, reuse them, share them with others, write them down, and the list goes on and on – i.e. humans are the weakest link, not passwords) and there have been so many problems with them over the years. Or another one I’ve read is that they are no longer sufficient. Well, sorry to break it to these bogus fortune tellers, but they were never sufficient by themselves! They were always a weak part of the security chain. But that doesn’t mean they don’t have uses. They do. And people suggesting emojis as the replacement are completely blind – literally and figuratively. Tell me, how is a blind person going to know the difference? Tell me also, what about those who can’t really distinguish one image from another (faces being the common example; even if the name of the problem is at my fingertips but not quite available, it is a known phenomenon), or who have an easier time remembering text over images? And what about password managers, which allow for (when used properly in the right environment) far more secure, longer, complex passwords than some stupid combination of images (I might remind you of shoulder surfing)? Any organisation that removes passwords outright is woefully naive and is risking security. This is just like how passwords are limited in what characters are allowed, or only allowing a length of, say, 16 characters. It’s stupid. Funny story: once upon a time I was making an account on a nameless website like http://movietickets.com and, when forced to enter a password hint/question, I input something like: ‘password questions/hints are insecure’. Then, when creating a password, I got an error. I tried it twice (removed one class of character, then the next) before it occurred to me what the problem was: they were only allowing alphanumerical characters. I’m thrilled I had made the remark about password hints at the time, but I was not at all impressed by such weak password policies (passwords are weak as it is, and by removing non-alphanumerical characters you make them much weaker).

Biometrics Will Take Over

Yes, well, all I can say is this: your DNA is your DNA, and it has already been demonstrated that fingerprints (and maybe even images of them) left on something can actually be used to compromise the supposedly safer system (‘protected’ by biometrics). Oh, and just to throw out another problem: some people (rarity is irrelevant) have more than one set of DNA. No, this is not a lie. They are called genetic chimeras, named after the mythological creature. Only a fool would assume it will never be a problem.

Anti-Virus Software and Firewalls Will Be Obsoleted

I saw this just today. The scary thing is that the person writing this at Tripwire is actually suggesting the possibilities based on incorrect perceptions of what security is (it is always a multi-layered thing):

If the decline in antivirus use happens, it will largely be from greater use of whitelisting, or application control, on computers and mobile devices. While whitelisting is a capability many computers have had for years, only recently has it become a default setting. Whitelisting basically works by preventing programs with certain identified harmful signatures from running on a piece of equipment.

No, the reason anti-virus isn’t used is because people seem to believe that it isn’t needed – a theory whose chances of survival you are conveniently improving. Whitelisting isn’t used by default, you say? That might be for Windows and MacOS, but the reality is those aren’t the only operating systems around, and just because something is the default doesn’t mean it stays that way. Not addressing the issue is being irresponsible (even if through ignorance) and to use irresponsibility as evidence is idiotic. But here’s the most ironic thing: what you’re describing with whitelisting with respect to computer programs is exactly what anti-virus software does! What do you think the virus signature databases are? I’ll go further, though: you’re not talking about whitelists; you’re talking about blacklists, and those defy the wisdom that that which is not explicitly permitted is forbidden. No, a whitelist would deny everything by default and only allow what is explicitly allowed (hence whitelist, not blacklist). (As an afterthought, maybe you’re trying to say that whitelisting only allows software which isn’t known to be malicious, but that then is a poor choice of wording – something I have admittedly been guilty of.) But this concept is irrelevant to anti-virus software as a whole because anti-virus software also has heuristics (for example) which protect against unknown malware by examining what the potential malware does (and how it does it). This is why software that generates keys to some product is sometimes flagged as malicious when it is only using techniques that viruses also use (of which there are many). Yes, that means it is a false positive, but it could have been malicious software that wasn’t a known virus. You see, this is why it is a multiple-layered concept.
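An added example, not from the original post or from the Tripwire article: the whitelist-versus-blacklist distinction drawn above, evaluated in Python over a constructed set of programs. A block list (what a signature database is) lets anything unknown or modified run; a hash-based allow list denies by default and runs only what is explicitly approved. The program contents and digests are constructed stand-ins.

```python
"""Added example (not from the original post): default-permit block list
versus default-deny allow list, decided by SHA-256 digest of each program."""
import hashlib

def sha256_hex(data: bytes) -> str:
    """Digest used as the identity of a program in both lists."""
    return hashlib.sha256(data).hexdigest()

# Constructed "program" contents standing in for real executables.
PROGRAMS = {
    "editor":         b"constructed sample: a known-good editor",
    "browser":        b"constructed sample: a known-good browser",
    "oldworm":        b"constructed sample: a known malicious binary",
    "newthing":       b"constructed sample: a binary nobody has seen before",
    # The approved editor with one byte appended, i.e. tampered with.
    "editor_patched": b"constructed sample: a known-good editor!",
}

# Block list: digests of known-bad programs (what a signature database holds).
BLOCKLIST = {sha256_hex(PROGRAMS["oldworm"])}
# Allow list: digests of programs explicitly approved to run.
ALLOWLIST = {sha256_hex(PROGRAMS["editor"]), sha256_hex(PROGRAMS["browser"])}

def blocklist_decision(data: bytes) -> str:
    """Default-permit: only a digest on the block list is stopped."""
    return "deny" if sha256_hex(data) in BLOCKLIST else "allow"

def allowlist_decision(data: bytes) -> str:
    """Default-deny: only a digest on the allow list may run."""
    return "allow" if sha256_hex(data) in ALLOWLIST else "deny"

def compare(programs=PROGRAMS):
    """Map each program name to (block-list decision, allow-list decision).
    The unknown and tampered programs are where the two policies diverge."""
    return {name: (blocklist_decision(d), allowlist_decision(d))
            for name, d in programs.items()}

if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:15s} blocklist={bl:5s} allowlist={al}")
```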

Companies like Apple and Microsoft haven’t used whitelisting as a default setting to give users the freedom to run any program on their machines, but that attitude is quickly changing.

Yet here you’re describing a whitelist correctly. I’ve not seen evidence to support whitelisting or blacklisting being the default under these operating systems, one way or another, but I will say this: saying you can only use software that is flagged as valid will cause upset and potentially backfire in that people will find workarounds. You see, complete convenience and security are mutually exclusive (and the more convenience there is, the less security there is), and it is why you have to find the right balance (which can be really hard because humans will go to any lengths to make things even a little bit easier). When you don’t find the right balance the security becomes worse because of people being annoyed by the inconvenience of it all. Yes, people really like (if not require) convenience. This shouldn’t be surprising. Incidentally, I’m going to point out also that Apple’s Gatekeeper has been circumvented by malware and has been described as completely broken by a researcher. Perhaps you see now why your supposed method isn’t a replacement for anti-virus? One hopes so.

Similar to antivirus programs, firewalls may soon become obsolete thanks to advances in other technologies.

Augment, not replace. No, firewalls are not becoming obsolete and any claim to the contrary is stupid and harmful. Yet you don’t really talk about the supposed replacements which makes your statements much worse. I return to your thoughts:

While firewalls still persist to this day, many aren’t even configured and feature far too permissive rules to be of much use. Firewalls are proving to be outpaced by the use of HTTPS network connections. In addition to that, many of the attacks firewalls are best designed to stop have ceased to be much of a problem. Plus, firewalls do a poor job preventing attacks from social engineering and unpatched software.

Yes, many are too permissive. That goes for things other than firewalls, too. I would like to think then that you understand whitelisting versus blacklisting, but you demonstrated otherwise (or you have a very different idea of what black and white is). And indeed, a poorly configured firewall is in many respects worse for security. But for some really odd reason, a properly configured firewall is better for security! Now the obvious question: what the hell does HTTPS have to do with replacing firewalls?! That is such a scary statement it is something I don’t want to believe was stated (but was). You note that not all servers have web servers. You note also that they still have firewalls. You note that clients also use firewalls!! There are other protections in place, too, because once again it is a many layered thing! And no, the attacks have not ceased to be problems (but it seems you don’t understand what firewalls are designed for in the first place, as below), but even if they have, only a foolish, reckless administrator would say: “Well this attack is hardly ever seen in the wild nowadays so we’ll not even worry about it!” – that is completely stupid and counter-productive! Oh, and for the record: firewalls were never designed to prevent social engineering and vulnerable software! Those are different problems entirely. To think that you would use these as reasons they aren’t good is just crazy scary.

With fewer reasons to use firewalls, they will likely become obsolete sometime in the future.

There aren’t fewer reasons to use firewalls; any statement to the contrary would only make attacks easier (and this isn’t restricted to pentests!) – something I’m sure attackers would like a lot!

These security technologies have served some good uses in the past but holding onto outdated technology only increases the risks you’ll face in the future.

No, they are not outdated and not using them will increase the risks “you’ll face in the future”!

Hackers change up their tactics with incredible frequency, and companies need to be on top of that by adopting better security technology. There’s no reason to hold onto a ten year old server when converged infrastructure is a reality, and there’s no reason to think passwords are the best way to keep cyber attackers out when better measures are available.

I’m ignoring the first word of that paragraph. Yes, attackers change tactics. Obviously. Who would think otherwise? Is this any different from crime other than cyber crime? Of course not. But getting rid of these so-called obsoleted technologies is a disaster waiting to happen. Mark my words. Once again you fail to understand that security is a many-layered thing. Better security would be accomplished by remembering these things work together, are not obsolete, are still very relevant, and they are all part of a much bigger picture. The fact you also (presumably an honest mistake? I’m sure I’ve done similar) refer to passwords in this topic makes your points even more questionable (as if there isn’t enough legit reason to question them).

No, better technology is not available, and there isn’t a single (the keyword!) way to keep attackers out. There never has been and never will be. It’s as simple as that.

All businesses should consider carefully where they go with security in the years to come

No. Everyone should carefully consider security (and other disasters and disaster-recovery!) in general, not only in (or rather for) the future but right now. Living in the future (preparing for the future is different) is just as stupid as living in the past (and it also means you miss out on things happening now e.g. a live probe or attack).

Artificial Intelligence, Aliens and Computer Viruses

2015/10/08:
Okay, to be fair, Watson (that defeated the champions of the US trivia show Jeopardy) did have to interpret the questions in order to answer them, but without all that information it was fed its chance of winning would have been a lot lower. Storage capacity is huge compared to what it used to be (and it is a lot cheaper too) and more generally, technology and its power is advanced enough that it makes things like this less significant. I’m all for the evolution of technology but it is a mistake to not have serious, very long, very thorough discussions about AI – of every single concern at every level (technical, ethical and moral included). Yes, this means trying to find potential problems instead of ignoring the reality that we haven’t thought of everything (and no, we haven’t thought of everything – this is shown over time, repeatedly, when something new does come up).


2015/10/07:
I admit this might be childish of me, but I readily admit that I can be childish. Whatever. It seems that a so-called AI machine was given an IQ test. The results, however, say a lot about just how good AI is (not). Maybe I’m so amused because I’ve stated many times that devices are not at all smart, and maybe it is because I’ve pointed out the stupidity that many humans exhibit. But in any case, the intelligent machine scored the IQ of a four year old child. Yes, people, that is how intelligent AI really is, and still people have faith, despite the fact some AI has already shown scary implications (as I refer to the OpenWorm project). No, feeding a robot (e.g. Watson) information in order to beat masters of trivia does not count as being smart but instead as being capable of retaining information. But since the machine got the result of a four year old, I’m going to childishly refer to a quote of mine that essentially likened human intelligence to that of artificial intelligence. Certainly, only fools will call themselves intelligent without any questioning, and this is unfortunately something humans tend to excel in (and revel in pointing it out as if it makes them superior to other species).


So. Saturday, September 12, I was made aware of a most amusing, ridiculous concern from scientists at Oxford University – that we have to be careful because we might send computer viruses to our friendly aliens in outer space. Graham Cluley has an amusing video on the matter here. Yes, they genuinely believe we might spam and/or send viruses to the computers of aliens. One argues that we already spam the universe with reality soaps and I can’t say I disagree there; but that’s a different story. But I’m going to take this as an opportunity to discuss:

  • The pros, the cons and the risks of AI
  • The treatment of (‘against’) animals, the abuse of the environment, the destruction of planet Earth (and all its lifeforms) and the ethics of trying to find replacement planets because we’re too fucking stupid to take care of the planet we have
  • The possibility of aliens and the mentality humans tend to have about it (and them)
  • Alien computers and computer viruses (here versus there, wherever or whatever there might be)

Artificial Intelligence: The pros, the cons and the risks humans are subjecting themselves to.

I fully admit that I am mostly against AI but yet I do appreciate that there are legitimate uses of it. No good comes without bad and no bad comes without good. We all have dark and light in ourselves despite what many will say about certain figures in the history books.

Pros

  1. By experimenting with AI we learn more. Perhaps not enough to understand and appreciate the risks (but this is just like history), but the more we learn, the better things can be (perhaps with the exception of military advances – but even that is better for the military, I guess).
  2. A robot could be designed (or improved upon) to help rescue people trapped under rubble after a natural disaster (for instance, the 8.8 earthquake in Chile earlier this month?).
  3. A robot could do other things that are impractical for humans to do. Whether thinking is one of those things or not is another matter entirely (I would argue yes but only if AI really takes off).

Cons

  1. This is something I’ve never quite understood. So many people want AI to be advanced in order to do tasks that these same people consider tedious. But yet, if this is accomplished the robots will succeed the humans doing these tedious tasks, therefore taking their job (and that includes actual activity – of the brain and the body, both of which are part of slowing deterioration). Machinery doesn’t need money to live (an arcade machine isn’t alive even though it expects money) but humans do need some way to barter. There is just no getting around it.

The sceptic might look at the above lists and point out that despite the fact I’m against advancing AI, I’ve given fewer cons than pros. But besides the fact the list is not at all complete (and some pros might be cons to some, and the same with cons as pros to others), there is something worse than cons: the many dangers that AI poses to mankind.

Risks

Rather than include a list of risks, I’m going to remark on some things I find concerning. Most would know I’m not at all the only one to warn of these things, and some might claim I’m just another coward who is afraid of machines. But there is a reason I’m not the only one: there are actually very legitimate concerns. There is also the subject of ethics and morals (which in my view is equally important).

The fact that some countries want to develop killer robots should say enough to most people. I’m not sure if it does but it definitely says enough – far too much – to me. It shows an extreme and disgraceful disregard for human life and it shows just how far people are willing to go for their own benefit. I’m going to call it as it is: those (nations recognised by the UN) who go so far as to develop (and/or buy into or fund) killer robots are selfish cowards to the absolute extreme. Then there is the Israeli Harpy drone, which decides for itself whether to shoot or not. The proponents will say things like they wouldn’t launch the ‘fire and forget’ device into the area if they didn’t think there was an enemy (does the fact that humans aren’t perfect come to mind? It should), but besides the fact that the more this technology advances, the fewer choices humans will have (I refer to a project in a bit that demonstrates this), and besides the fact that a tank is still a tank (see also the concept of ‘friendly fire’), a life is a life, is it not? If a remote controlled drone kills innocents, what makes any rational person believe a drone controlling itself will do any better? An indiscriminate weapon is still an indiscriminate weapon and a life is still a life! (Yet, as an Israeli historian says, Israel has not learnt the full humanitarian lesson of the Holocaust as [they] should and [they] do manipulate the Holocaust, but [they] also feel very, very deeply about it.)
But I’m not trying to lecture anyone on this matter (there are plenty of resources and there are faults on all sides, but the closest thing – that I’m currently aware of – to a killer robot is the Harpy drone); it would be futile and counter-productive anyway. The bottom line is that AI poses real risks to mankind and, just as history is ignored by foolish people (which indeed includes military and government officials), so are these risks (AI is inevitable, but there really needs to be far more discussion of its ethics and implementation). Yes, yes, I know many Americans and (all?) Israelis will condemn me to hell for these statements, but I also imagine they would LOVE the technology in the hands of Hamas and Hezbollah! But you know something? Just like there is no going back after the splitting of the atom, there is no going back on this type of thing. Choose your poison and choose it well. However, if you ignore history for a moment (and not a moment more) and look at a telling experiment called the OpenWorm Project (pay particular attention to: Wriggle room; Silicon Immortality; and note Moore’s Law), then you should be able to understand exactly why killer robots are a horrible idea (besides the blatant disregard for life, life that could be your own or someone you care for deeply). Some would point out the Fighting Fate section and assume that someone like me would agree with fighting death. Well, I don’t agree with fighting death any more than I agree with the blatant disregard for life that many humans exhibit: we’re all mortal and this is completely different from improving the lives (which includes the health) of others. The section brings up a valid point, though – Mother Nature doesn’t care what humans are capable of (or have supposedly cured); the event they refer to is a good example (a specific solar flare). There are more examples than solar flares – for instance, supervolcanoes.
Another example is the Tunguska explosion in Siberia in 1908. The bottom line is that artificial intelligence could overtake humans. Whether that is a problem to anyone or not is another matter entirely.


Planet Earth: The treatment of animals, the harm to the environment and the ultimate destruction of the planet.

I was going to write about this in more detail but after attempting it a few different ways, I see this is impossible for me to do – this subject is one I feel very strongly about and it is one of the things that most disgusts me about humans. The treatment of wildlife, the damage to the environment (and things like deforestation), and the fact humans can’t even respect themselves is just beyond comprehension. Last year, it was reported that in the past 40 years, 50% of world wildlife populations have been destroyed. (For some populations it was more than 50%.) Yet some claim that because there are difficulties with establishing these statistics, they aren’t statistically valid. This claim only proves just how out of touch (or unconcerned?) humans are with the amount of damage they cause; humans cannot respect themselves so they certainly cannot respect anything else. What I will say is this: the planet will be devoid of all life long before the Sun dies. One of the species will deserve it and the rest will not. The species that deserves it is the species that causes it – homo sapiens (whether directly or indirectly, mankind will destroy the world).


The possibilities and implications of extraterrestrial life.

I’ve long felt that humans need to stop looking for other planets to one day occupy. The reasons should be clear already, but I’ll reiterate them anyway: we cannot take care of our own planet, so do we really have the right to populate other planets – only to destroy them as well (not that those doing so really care whether they have the right or not; humans tend to believe they inherently have the right to do whatever the hell they want)? The reality is if we can’t take care of the planet we have, we won’t be able to take care of other planets. It is one thing if mankind wants to destroy each other (and ultimately Earth) – and this is bad enough – but it is another entirely to find more planets to destroy. While not all humans are this way, the overall impact humans have on the world makes me truly question whether we deserve another planet. I don’t think we do, even though some will suffer – and are suffering – because of those that don’t care about anyone or anything. But that’s not what this is about. The issue is quite simple:

If there are other lifeforms out there, and they are actually intelligent (at least in what humans call intelligence and in which case they will probably be more intelligent) and capable of contacting (or travelling to) us, then there are two likely outcomes:

  • They would have the capability to completely destroy us. I will not express my opinion on this matter other than say it would be cruel irony.
  • They will steer the hell clear of Earth. This would seem plausible unless the first possibility is true. Humans cause so much damage to each other and the world, and humans destroy the unknown (hence the hunts for Bigfoot and the stories of killing it; there are other examples though), so why would aliens – who are intelligent enough to contact us – want to contact us? A Twilight Zone (or so I think it was) episode highlighted this quite well; I can’t recall the episode name but the idea was that a town was inhabited by what they thought was an alien. In the end, someone was dead and they then understood that the alien was themselves; indeed, one of the humans killed another human they thought was an alien. That is sadly a rather accurate depiction of how humans behave.

Realistically, if they were capable of travelling here, they would probably be capable of destroying us, so the fact this hasn’t happened yet (unless they’re secretly mating with humans, silently taking over? I imagine some would like to believe – if not fantasise about – that) could possibly answer both questions at once (there are lifeforms that are intelligent enough to hide and there aren’t other lifeforms capable of travelling to Earth). I wish we’d stop looking though, I really do, because of the tendency to destroy the unknown.


Alien Computer Viruses.

What to say on the matter. There are so many things it is hard to know where to begin or even what to include. Let’s start with the technical aspects. It is true that computer malware has been accidentally sent to the International Space Station (though offhand I don’t have references, it has happened). That is scary enough and it is yet another reason why nations writing malware (and abusing exploits; I’m looking at the US especially) is a very reckless and stupid idea. But whether there are computers on other planets is another matter entirely.

There is this inherent belief that just because life on planet Earth requires certain things (carbon, hydrogen, oxygen and nitrogen, for four examples), it should be the same for other forms of life on other planets (or all species), and therefore if a planet doesn’t have the same things we require, it cannot possibly have life. This is just stupid and arrogant. What makes anyone here believe life on other planets has the same restrictions we do? They could have more restrictions, they could also have fewer restrictions (or maybe none? At least one scientist believes that intelligent lifeforms on other planets will be machines) or it is entirely possible they live under different restrictions (e.g. carbon, hydrogen, oxygen and nitrogen do not harm them but they don’t need any of them, either). They might live in fire instead of water; they might live underground instead of above ground. The reality is we just do not know and anything else is assuming – and assuming does nothing to settle matters (aside from settling who is made an ass of).

Similarly to how we don’t know what lifeforms on other planets might require (or if there are lifeforms at all), we also can’t say that if they had computers (I doubt it but I also don’t think we will ever know; not in our lifetime) those would have the same requirements. They might even be capable of real magic (including things humans have yet to accomplish – and probably will never succeed in – without illusions, e.g. invisibility). We simply do not know! Let’s assume that there is life on other planets. Let’s also assume that they have computers. For fun we’ll also consider that they have the same life requirements as we do. What sane person would think they will have the same operating systems (and software for them!) that we have? What really makes anyone (the scientists who are making jokes of themselves, for instance) think these aliens will run Microsoft Windows, Mac OS X, any of the Linux distributions, BSD Unix (any of them), or even DOS, VMS or something else we have? To worry about sending viruses… it is just absolutely absurd. Hilarious, but an absurd way of reminding us that we should really worry about resolving the way we abuse Earth before we worry about life on other planets. Space exploration is important (many things people take for granted were discovered through it) – but that is different from trying to find a planet to inhabit (which I’ve seen references to).

US Navy in About-face on Exploit Black Market?

2015/09/23: Several additions (+ fixes and clarified some points).



It seems that the United States of America’s Navy is working on an Internet defence system for their ships – against attacks which could affect the ships’ controllers. This is obviously a good idea, and my understanding is they are implementing it (whether they have succeeded in this yet I do not know, nor do I really care much) so that the same attack will not work against more than one controller. That seems a good idea too, regardless of how well it will work in the end (some might call it layered defence, but I would describe it more specifically as subnetting and firewalling, only in this case the hosts are the controllers on the ship instead of servers and/or other types of nodes).

It certainly isn’t unheard of for governments to work on improving security; in fact, it is quite common (as I pointed out on June 21 of 2014, the NSA is directly involved in SELinux which is – in my opinion – quite ironic). But wouldn’t it be nice if they worked on their part for the global security of the Internet and never considered exploiting others (or considered it but did not act on it)? I think the answer to that question is yes. Yet sadly that isn’t the case, is it? As I wrote about in June of this year, the US Navy has already demonstrated this fact. But even if they weren’t soliciting for exploits (0-days included), the government isn’t innocent in the matter.

I would really like to see governments behave as one would expect them to – setting a good example; an example of how they expect other nations and their own citizens to act. Is this move by the US Navy an about-face? I seriously doubt it. I would really like to be proven wrong here, I really, really would, but I doubt I ever will. Meanwhile, there are often US accusations that other nations (China is probably the most common example) are breaking into United States government and corporate systems (and networks). And you know what? Maybe some from China are doing those things. But proving that the attacks are state sponsored is another matter entirely – it is an incredibly difficult thing to do (especially when the ‘evidence’ is IP addresses). But let’s say you (e.g. the United States) know for 100% sure for some reason. Are the countries (e.g. the United States) making these accusations completely innocent? The fact the US Navy solicited 0-day exploits earlier this year says a lot about the matter, doesn’t it? That fact makes this defence system they’re working on rather ironic; how would they feel if someone (or a nation) was devising ways to compromise it (and selling them to others)? That would be more like cruel irony. Regardless, countries making these claims while doing the exact same things should worry about themselves before telling other nations off for whatever those nations might – or might not – be doing. It should be made known that China too is a victim of computer crime. In fact, China has executed people for computer crime! Yes, really, they have. I remember reading this at the time (and possibly other things at other times). The rarity of the matter and the circumstances of each incident are irrelevant (and those who raise them conveniently ignore my points and the reality of the situation).

And no, I’m not in cahoots with China or the Chinese; I’m in cahoots with no one. I am, however, an individual who looks at everything with perspective (and context) kept (or attempts to), one who sees the good and the bad in everyone (or at least is aware that there is both good and bad in everyone, and even if I can’t currently see it, I know both exist in them, somewhere, no matter how hidden it might seem), as well as standing up (where and how I can) for people (or corporations) when they are unjustifiably wronged – even if I am also critical of them. A good example of this is Microsoft.

The Americans That Cry ‘Terrorist’

2015/09/21: Apparently no charges were brought in the first place. Changed the below to account for this. It is also reported that it wasn’t his teacher who was concerned but another teacher. But a teacher is a teacher nonetheless and discrimination is still discrimination – for an adult to do this to a 14-year-old is pathetic, but something I (and I’m sure many others) am sadly not unfamiliar with. It is humbling to see that many have jumped to the support of this kid – including a movement on Twitter by a 23-year-old psychology student called Amneh Jafari. I for one appreciate this as a general thing – too many ignore discrimination and bullying, and it causes all sorts of problems down the road for everyone (that most people never think about, understand or even care enough to do anything about).
2015/09/20: More fixes, adjustments and clarifications.
2015/09/19: Clarified some points and added a few thoughts. Additional links and several fixes.


This is a very contentious topic – and one that I have included parts of in other areas. For instance, there is irony in governments scaremongering about terror itself. Terror is (perhaps extreme?) fear and fear is an emotion. Emotion is easy to manipulate and strong emotions (fear is a very strong and powerful emotion) more so: if you know what terrifies someone or some people, it is incredibly easy to instil that fear. You don’t need to be violent to terrorise people. You can terrify someone by making them think you’re planning something horrible against them (even if the only horrible thing you’re doing is making them believe you will be doing something horrible). The fact nations take away liberty to offer ‘safety’ shows just how easy it is to manipulate human emotion (I’m looking at the United States of America here). Terrorism is simply an ideal and therefore you cannot ever defeat it; it is impossible: this has been shown again and again (even though it should be obvious without any proof) – the so-called ‘war on terror’ only adds fuel to the fire; if someone declares war on you or someone (or something) you care about, it gives them all the more reason to believe you are indeed against them, and therefore they do indeed have an enemy that they must defend themselves from. Why would you want them to think that? Maybe so you can justify interrogation through torture or some equally inhumane, unethical and immoral thing that you would bitch about if it was done (for any reason at all) by a country like, say, North Korea? Perhaps it wasn’t planned as such but that is exactly what happened anyway! Which is incredibly stupid, isn’t it, when you consider how desperation (e.g. from torture) quite obviously affects people, as well as the story of Hanns Scharff of the Luftwaffe of Nazi Germany (who treated POWs with kindness and got much more intelligence from it)?
All of what happened at Guantanamo Bay is made worse because innocents were detained and detainees weren’t necessarily charged with a crime at all! The reality is that terrorism, in the sense the word is typically abused[1], is, has always been and always will be a state-sponsored thing (whether everyone sees it or not doesn’t change the fact).

But what comes along with it, typically? Xenophobia. To be completely honest, however, a phobia is a fear and people do the craziest, most stupid things ever when they are afraid (I’ve witnessed the same with love but not from personal experience). For instance, taking away liberties in an attempt to gain security and safety, which actually only tells ‘terrorists’ – is it a terrorist or is it a terrorist? – that they won. Congratulations America, on ignoring history (Benjamin Franklin perhaps?) and the ‘Patriot Act’. And people hate the unknown. Look up xenophobia, think about it a bit more and you can see that it isn’t just a fear; it is a hatred of foreigners (maybe because of fear but it still results in prejudicial hate). And because of this, it is easy to spread fear (hence it being a tactic of politicians); it comes in a variety of forms but it is always a very powerful – and incredibly easy – way to manipulate others into getting your own way. This is visible throughout the world. I just came across a very sad, very real example of this (specifically xenophobia and more specifically Islamophobia), though. A pathetic example of it.

A 14-year-old was arrested in Texas for bringing his teacher a home-made clock! Yes, a 14-year-old brought his teacher a clock he made and was arrested! And what is his faith? The one that many associate with ‘terrorist’ and only ‘terrorist’: he is a Muslim. The fact he was released is irrelevant; he shouldn’t have been arrested in the first place – he should have been praised for his intelligence and creativity, but instead of impressing the teacher (which is what should have happened) it terrified (actually, I’m not sure this is really true – I admit I could be wrong but I suspect it is more than fear) her enough to have him arrested. There is nothing but prejudice and stereotyping here, both of which come from weakness, fear and ultimately hate (and I used to have a huge amount of hate, anger and spite for the world and yet… I see this). There is no reason to be scared of a 14-year-old because they made a fucking clock. If this boy was a white Christian I seriously doubt he would have been subjected to this bullshit. If he was black he probably wouldn’t have been subjected to this bullshit, either. I would imagine an atheist would also be praised instead of condemned. I would go further and say that if he wasn’t a Muslim he probably wouldn’t have had any problem at all. Maybe I’m wrong – always a possibility – but in this case I seriously doubt it. And yes, it is fucking bullshit.

And I have news for those claiming Muslims are by definition terrorists (even ignoring the definition of terror). A neighbour of mine (or they were at one point) was a large family from Saudi Arabia and Pakistan. They were Muslim. Yet they were the most kind, most open family – certainly the most kind and open religious family – I have ever met. Some will claim that they were good at hiding their obvious malice but they’re saying this out of ignorance and/or prejudice. We had a dog of pure bone and muscle weighing in at 110 lb (as I recall, bigger than the average American grey wolf) – a dog that was very kind and protective, but a dog you wouldn’t want to be on the wrong side of (indeed every dog that was foolish enough – sometimes more than once – to attack her was taken down like a tank would take down a snail, including a pitbull that charged my dog and me; the same went for humans – you did not cross that dog). But here’s the thing. They were terrified of dogs in general, yet they got over their fear to enter our house. No, they weren’t hiding anything at all. And they were treated like shit after the attacks on September 11 of 2001. Besides, did it ever occur to you that the Irish Republican Army (which most would call ‘terrorists’) aren’t Muslims? There are other examples, of course. Does the Reign of Terror in the French Revolution mean anything at all?

Just because an X is Y doesn’t mean every Y is an X. That is a logical fallacy and nothing else.

Shame on you Texas police, and shame on the teacher. It is incredibly sad when stereotypes do not let others see anything else – the good and the bad that everyone has (and yes we all have good and bad). This story is taking human stupidity to exponential proportions.

[1] And yes, it is abused. Terrorist this, terrorist that, terrorist here, terrorist there and terrorist everywhere! Not all violent attacks are terrorism and not all terrorism is violence. Furthermore, you lose credibility – at least with any decent, logical person – when you cry ‘terrorist’ for so many things, much like the Boy Who Cried Wolf (ironically there is the term ‘lone wolf’ to describe what they call terrorists acting on their own rather than as part of an organisation). The reality is there has never been a time when people haven’t been terrified of something (including illnesses!). Similarly, the September 11 2001 attacks were not the first plane hijackings to occur, but many tend to ignore this for some reason or another. They weren’t even close to the first. Thank you very much Wikipedia for your excellent list of this very thing (there are far more examples than I knew of, which just goes to show that no matter how much you know, there is so much more you do not know!).

rsyslogd: log entry pattern (non)matching ‘quirk’

There actually isn’t anything odd here, but it is something that initially baffled me when I was adding a filter (to move entries matching a pattern into another file) to a file under ‘/etc/rsyslog.d’ (which, clearly, I shouldn’t have been doing at the time). The regex should have worked but it wasn’t working (after reloading rsyslogd, obviously). So why was it not working?

The reason is this: when you’re filtering by log message, what is the message and what is the service (or program) requesting the log? More generally, which part of a log entry comes from the program and which part from the system logger? The logger adds the program’s name (the ‘ident’ passed to the openlog function) to the log file, along with the timestamp and hostname, but that does not make the ident part of the message itself. The message is only what the program actually logged, and rsyslog exposes the two separately: the ident as the programname property and the body as the msg property. So when you match with ‘regex’ or ‘contains’ against msg, you mustn’t include the program’s name; if you want to match an entry from named, leave ‘named’ out of the pattern and match only the message text (and filter on programname if you need the ident as well). Keep in mind that both the ident and the message are supplied by the logging process itself and are not verified by the logger, so a filter that routes ‘named’ entries into their own file will also route whatever a local process chooses to log under that ident.
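As an added example (not from the original post, and not a file I actually use), here is how that distinction plays out in an rsyslog filter. The sample log line, the file names and the ‘lame server’ message text are constructed for illustration; the programname and msg properties, the re_match function and the legacy ‘:msg, regex’ filter form are rsyslog’s own.

```rsyslog
# Hypothetical /etc/rsyslog.d/named-lame.conf
#
# A constructed entry as it would appear in /var/log/messages:
#   Oct  2 10:15:03 ns1 named[1234]: lame server resolving 'example.invalid': 192.0.2.53#53
#
# rsyslog splits that into separate properties:
#   %programname% = named                      (the ident given to openlog(3))
#   %msg%         = lame server resolving ...  (only what named itself logged)
# %msg% usually keeps the space that followed the ident's colon, so avoid
# anchoring a pattern with ^ unless you allow for that space.

# WRONG: the ident is never part of %msg%, so this matches nothing.
# :msg, regex, "^named.*lame server resolving" /var/log/named-lame.log

# RIGHT (RainerScript): pin the ident with $programname and match the
# message body only. The ident is chosen by the logging process, so this
# routes by convention, not by any authentication of the sender.
if $programname == 'named' and re_match($msg, 'lame server resolving') then {
    action(type="omfile" file="/var/log/named-lame.log")
    stop
}

# Equivalent in the legacy property-filter syntax (message body only;
# older rsyslog versions spell the discard line "& ~" instead of "& stop"):
# :msg, regex, "lame server resolving" /var/log/named-lame.log
# & stop
```

Before reloading, check the file parses with `rsyslogd -N1`; a syntax error in a drop-in under /etc/rsyslog.d is the other common reason a new filter silently does nothing.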

On a slightly related note, on a hunch I tested whether I needed a ‘contains’ line after the ‘regex’ line and it seems I do not. This makes sense, of course (it is redundant), but for some reason in another post here I included both (maybe it was in some documentation or maybe I was being thick). I’ve not yet modified that post but I might at some point (just noting it as a reminder to myself to look into it another time).

The Corporate Lie of Security Being of Utmost Importance

2015/10/02:
Apparently Experian is a credit checking agency for T-Mobile customers. There is a certain amount of irony in that but I suppose that’s irrelevant to the sincerity of any apologies. It seems also that they (Experian) might be using a weak cipher (I’ve only read this – I’ve not confirmed it and I have no intention to) on their server (https). If this is the case, then it changes things – at least with Experian. Yet, still, they at least have the notice at the top of their page. There will always be mistakes but the biggest mistake is not accepting this fact; nothing is perfect in this world and those that can accept it will improve and those who cannot will not improve. It’s really that simple. There certainly were faults here (because faults are everywhere) but at least they still have it on their front page. That’s something that far too many corporations neglect.



2015/10/01:
I now have an example case where security really is taken seriously by a corporation that has discovered a breach. There always could be a better job but that is how everything is in this world; what matters is they are taking it seriously, they are investigating it and they are doing everything they can to make sure it is known. T-Mobile has made public that some of its customers might have been affected by a breach at a credit agency called Experian which T-Mobile uses to process (certain – not sure what exactly) information on subscribers. The credit agency has a note at the top of their main page that links to a thorough document on the breach (which I linked to directly). T-Mobile also has a note on their main website (they could probably have it above the rest of their page but the note itself seems to be sincere enough to use as an example). This is how a security breach should be addressed. It is unfortunate it happened but it is also inevitable – yet they are making the best of it (and certainly are concerned about the breach and its impact). They should be commended for their upfront, transparent approach in the matter.



I’ve thought about this for a very long time, and something inspired me to finally write about it (even though it took several days to finish it). If a corporation has a product that fails security (or any part of their network is compromised) in a critical way (or is otherwise made public), there are at least four typical responses (plus a combination) you might hear (there certainly are others). They go something like this:

  1. We fixed the flaw within hours of being made aware of it.
  2. We fixed the flaw as soon as we were made aware of it.
  3. We are almost positive that it is of limited impact and very few will be affected by the breach.
  4. We’re still investigating but we’re confident that they did not access confidential information.
  5. A combination of the above.

In all of the cases, they make the claim that the security and safety of their product(s) and customers are of utmost importance. That’s ultimately what this is about. But as for the above list:

The first is sometimes true but it often isn’t enough.

The second is such a pathetic lie (or exaggeration) that even the most gullible person would be able to determine the absence of truth (or how absurd the claim is). No, you did not fix it immediately – not unless you actually knew of the flaw (put it in deliberately?) and were waiting for someone to find it first (in which case you are completely negligent in security, if the word ‘security’ is in your vocabulary at all); it is a lie and nothing else: you did not fix it immediately so stop claiming you did. To be fair, it could be that they fixed it before it was made public (because the flaw was reported to the vendor before the public) but that isn’t the same thing. Of course, this could be called semantics by some, but this claim is made often enough that I feel it is different (ironically, a day or two after I started writing about this claim, I read this exact claim by some web service – I don’t remember what it was any more).

The third is snubbing those who are affected by it; they really couldn’t care less about everyone else – and you’d understand this if you actually thought about those who are affected rather than how fortunate you feel that more haven’t been affected (which means you feel less burdened than you could have been [something that is always possible]).

The fourth is utterly absurd: you’re still investigating but you’re confident the attackers did not access confidential information? Then why was the attack successful and why are you still investigating, if you’re that sure? Why is it that difficult to be honest and upfront? The reality is you’re not confident of these claims; instead you’re insincerely trying to cover up your – forgive me – major fuck up, and it actually shows how dishonest and unethical you are – you only care about your business and its reputation.

Well, here is one of the very few valuable lessons I learned in school – very few valuable lessons because when an education institution is poor, it is really, really poor. And when it fails some students (this includes neglecting those with disabilities, neglecting any of the different or abnormal – typically positively different – students and ignoring bullying), they fail so much that the student ends up having wasted years of learning very little perhaps with the exception of just how much the education system is an utter failure. And the education system, really, really failed me in every way imaginable (and they caused great harm – with impunity). Whatever. I don’t usually think about that or them – I’d rather live in the present (and I’ve always loved learning and therefore consider everything – and make use of it as – a chance to learn something new); the point is, this is valuable enough to remember and live by. The irony is it is so incredibly simple that you would think more people would understand it. The lesson is about reputation. It was something to the effect of:

A good reputation is hard to keep but a bad reputation is hard to lose.

I learned that at age five or six but it stuck with me because it is a really good piece of wisdom (something that governments and corporations woefully lack). Yet these corporations are so afraid of ruining their reputation that they will put themselves above everything else – exactly the thing that would give them a bad reputation in the first place (and remember, losing a bad reputation is extremely difficult – something that many have found out the hard way). Customer service is really important and if you’re willing to delay or manipulate the truth (if not directly lie) then you’re betraying your customers in a most disgraceful way (and you deserve the tarnished reputation). And remember, even if many customers accept the fault (and indeed some will), that doesn’t mean would-be customers will (they don’t know you except by what they hear or are told – including by those who don’t accept your dishonesty).

The reality is that almost always these corporations can’t even say they are sorry. “Sorry” by itself doesn’t cut it and neither does “We’re sorry for the inconvenience”. That isn’t a genuine apology (it is as sincere as a robot who was programmed to say the same words – and only those words [perhaps they make use of such a robot?]) and it is an insult to those who are affected by what would be understandable but is instead a dishonest, insincere attempt to make others think the responsibility doesn’t lie upon your errors. But it does lie on you whether you accept the responsibility or not. It is also an insult to your customers – and the corporations that actually do apologise properly! Many corporations also don’t have the information about the breach in a very obvious place, as it should be – on the front page of its website(s) in big letters (linking to a separate page if necessary). This happens even when it affects your customers in a bad way and that is taking your customers for granted. What are you without customers?

To make matters worse, many corporations – let’s say those making devices that are part of the Internet of Things (‘IoT’) – claim they fixed the issues even when they haven’t done anything more than (if even) a workaround for a single problem without resolving the source of the problem (it is still connected to the Internet, is it not? Does it need to be? Did you design it with security in mind?). No, Chrysler, you do not consider the safety and security of your customers above all else as you suggest here. I quote from Wired.com:

When WIRED reached out to Chrysler, a spokesperson responded that the USB drives are “read-only”—a fact that certainly wouldn’t protect users from a future spoofed USB mailing—and that the scenario of a mailed USB attack is only “speculation.”

Denial – even from ignorance – is not an excuse when you’re attempting to (supposedly) fix a problem you caused. Maybe it escaped your notice while you were busy allowing cars to have their engines shut off or their brakes disabled remotely, and refusing to recall your Jeeps while they were at risk of fuel tank fires (and who knows what else), but social engineering is an incredibly efficient tactic, so much so that it is probably the first choice of many attackers (Mitnick’s speciality, isn’t it Kevin? At least you’re upfront about your lying, unlike these corporations who hide behind lies, if that is something to commend). Perhaps you also missed the potency of BadUSB? Perhaps you never knew about other external media and viruses? Did you know that, using basic techniques, the old boot viruses would move the master boot record to another sector – sometimes encrypting it – so that the virus itself knew where to find it and how to load it (and therefore the OS), but if someone tried to ‘fix’ the virus by writing a new (default) MBR (e.g. with the DOS command fdisk /mbr, which was often suggested for removing MBR/boot sector viruses), they would now (essentially) have no loader for their OS (and it might be that their old sector is now encrypted with nothing to decrypt it)? No? Well I wouldn’t blame you, because you’re not in the computer (including security) industry and therefore you wouldn’t be expected to work with USB – or anything like it – but that’s exactly what you decided to use to ‘fix’ the major flaws of your Jeep anyway. Yet you call the concern speculation? You actually have the boldness, the arrogance, the idiocy to call the statements – made by those who would know more than you about security – speculation?
I’m also calling your read-only claim naive ignorance, but let’s say you had a brilliant idea here (and implemented it successfully, including preventing any circumventions) – the fact is it is encouraging people to use USB devices they get in the mail (not bought as a USB device itself in its original packaging – and even that has risks). It gets better though, because you also have the typical response that almost every corporation makes, as I described above (after a successful attack, of course), don’t you?

“Consumer safety and security is our highest priority,” the spokesperson added. “We are committed to improving from this experience and working with the industry and with suppliers to develop best practices to address these risks.”

Such lies, Fiat Chrysler. Your best attempt at fixing a serious security vulnerability (with rather terrifying implications) of A JEEP is to make a VOLUNTARY recall, offer a fix ON YOUR WEBSITE, and to mail USB sticks? But to make it better, you then have the stupidity to state that the risks of these methods – which are once again something you are causing – as stated by others who know more than you, are just speculation? It isn’t speculation; it is a risk and it encourages dangerous practices (and makes the assumption that victims – yes, they are victims, victims of your irresponsible fuck ups – will know to check your website and also know how to use the fix once they have it on a USB flash drive). You’ve already proven you’re not able to make wise decisions when it comes to security (which would be understandable if you didn’t act the way you are acting – your industry is indeed very different) so why should anyone believe you now? If security is your highest priority, then the situation is much more severe than you initially demonstrate.

Why can’t you suggest they go to a service centre where it can be done properly, by someone who should know what they’re doing (though there is the obvious question of whether they do know what they are doing, given your approach so far)? Lazy? Irresponsible? Ignorance? Because you feel it must be done the ‘IoT way’ or through something they receive in the mail (with the theory that the method of delivering the fix to the vulnerability isn’t vulnerable to anything itself – I return to this momentarily)? All of the above? No, you do not place customer safety and security at your highest priority. Stop lying, Chrysler. All corporations should take your disastrous attempt at disaster recovery as an example of how not to do disaster recovery (which they’ll need in time, inevitably), though they should also improve upon it even more (disaster recovery isn’t a process that never changes and testing is always important). All corporations should also stop lying about what priority security is to them, when they clearly demonstrate otherwise (the rare exceptions aside). They should also learn to apologise correctly (and this includes being upfront about the problems so that everyone that goes to their website will see it without having to know to dig for it) and they should also think about security before – not after – the design phase. The reality is this: an IoT device isn’t fixed as long as it is on the Internet. There is not a single justified reason for a car to be connected to the Internet; some will refute this and give reasons but those reasons are wants and not necessities. The cars of yesteryear did perfectly fine not connected to the Internet and oddly enough, those cars are still doing fine (until they are totalled or parts start dying – both of which will eventually happen to Internet connected cars, too, perhaps even before non-connected cars). The cars that haven’t jumped on (or become) the bandwagon are still doing fine. (And no, the difficulty of the attack isn’t relevant; the attack is possible and that’s all that matters.) An article I linked to earlier has an amusing point and I’m going to quote it:

And yes, you’ve no doubt spotted the irony that security researchers are able to overwrite cars’ software with their own home-grown code via the Internet – but Fiat Chrysler requires that the update is applied by someone with physical access to your vehicle.

The fact they can modify the code remotely is exactly what I described in another article: a car should only be controlled by the driver, not others outside of it (and this goes back to the possibility that the fix itself is vulnerable to another flaw). But Chrysler criticises the way the researchers operate when they should be looking at themselves first. I’m actually shocked that politicians (especially because it is the politicians of the United States of America) are concerned about the issue that Chrysler – and other car manufacturers – are demonstrating. That they actually could do something positive – especially when it comes to the safety of others – is nothing short of amazing, impressive and they should be commended for it (however rare that actually is). Ironically, while Chrysler criticises the researchers in how they raise the issue – an issue that really needs to be correctly and promptly addressed – Chrysler is being criticised by many – as they should be – for their poor handling of the situation. And if it wasn’t for the researchers demonstrating it in this way (it should be noted that the driver of the Jeep agreed to the experiment; yes, they did it on an open road but it brought much more attention to the situation and clearly that is needed), the issue would be at a standstill, much like a Jeep in a vast pool of mud (or tar pit) would be.

The worst of it here is that Fiat Chrysler (and any other car – or dangerous machinery – manufacturer that neglects the fact that cars – or other machinery – are dangerous tools, not toys, and dismisses risks as speculation or otherwise immaterial) is taking the lives (a life is still a life, is it not?) of their customers for granted, and worse still the lives of others (passengers, pedestrians, those in other vehicles) for granted (and otherwise of little concern). That you, Chrysler, don’t have a (working) moral compass, that you lack ethics and that you actually lie about this, is shameful to say the least.

How To Annoy Users

This is a general issue but one that many programmers – it seems more and more these days but maybe it is just me – have a habit of doing. It is true that it is fairly easy to annoy most people throughout their lives but I’m talking about a specific problem in services. This service might be a real life service (e.g. a utility) or even a computer program (or an Internet service of some kind). It is really simple to understand:

People assume that other people are just like themselves which means that if they implement a feature in [whatever], then all the users will want it too; why else would I put it in if it wasn’t wanted?!

Except that many of your users might think the idea is stupid, annoying, dismissive, is an invasion of privacy or simply don’t like your supposedly brilliant idea (others might like it but you can’t guarantee it). It is worse when the ‘feature’ cannot be turned off or changed in some way, but even if it can, it places the burden on the user, and that is taking the users for granted. It is free and if they want to use something else, they’re more than welcome to, you say? Well yes, you’re right: they are. And they might. But rather than making arrogant assumptions and still think you deserve nothing but the utmost respect and appreciation (after all, I’m doing it on my own time for free; they should be thankful I exist!), why don’t you instead do something to earn that respect and appreciation? Why don’t you care about your users? You know, if they were to send useless bug reports (or report the same bug multiple times), it would likely annoy you. So why not be reasonable to them, even if that means having to be the more mature one (should you feel they’re not being mature)?

But still, many programmers (and organisations) decide they know best. Not only do they know best, they know what their users want and anything to the contrary is disrespectful, unhelpful whining. Yes, they go so far as to think they know what their users WANT. Ironically developers like this are those who know far less than other developers. In their arrogance they assume that people are just like themselves but they are mistaken (Or worse, they don’t actually care what others think – this sadly is not unheard of).

This comes down to one thing: too many services are opt-out and not opt-in, and those making the decision of which way it is are the ones that don’t know – they’re the developers, not the users, and the users are those that decide in the end. True, development involves taking risks, and yes, there will be some things that users won’t like. I know this well. But that is how everything works in this world – and it is something else entirely. There are problems here:

  • Many ‘features’ are hidden or subtle enough that the users don’t know about them. However, if they did know about them, they wouldn’t be impressed at all. For example, Microsoft Windows 10 and its privacy invasion in recent news (and my understanding is they pushed similar updates to Windows 7 and 8). You can’t resolve a problem if you don’t know there IS a problem. If you’re going to make it opt-out at least have the common decency and ethics to make it known to the users! This especially goes for paying customers.
  • Even when there is a way to opt-out, it isn’t always intuitive. If it is intuitive it might be to some users (because they might have experience enough to work it out, or they know how the specific program works, for two examples) but not to others. Programmers don’t want their time wasted and neither do the users. If you want respect then try earning it rather than demanding it.
  • Those that are sure they know the most about something – or indeed someone – are the ones that often know the least (especially when they are so sure of it that they refuse to accept they might not be correct). Therefore, developers that claim they know what their users need and want (more than the users themselves), are those who know the least in the matter. I’ll elaborate next.

There is a specific quote that I have listed at random on the top of this site. I just now discovered that it wasn’t the full quote (and I’ll fix it in some way or another, when I get a chance) – probably deliberately by the person who quoted it (and I don’t recall from the time – I’m sure I saw it but I don’t remember anything much about it) – which does change things (quotes are often taken out of context and that is wrong – context changes everything! I’m pretty sure they do it exactly for that reason). What I have is this:

“There are no significant bugs in our released software that any significant number of users want fixed.” — Bill Gates, Chairman of Microsoft, Focus Magazine, 1995

Apparently the full quote is:

There are no significant bugs in our released software that any significant number of users want fixed. … I’m saying we don’t do a new version to fix bugs. We don’t. Not enough people would buy it. You can take a hundred people using Microsoft Word. Call them up and say “Would you buy a new version because of bugs?” You won’t get a single person to say they’d buy a new version because of bugs. We’d never be able to sell a release on that basis.

The latter is better than the first but it is still somewhat presumptuous. He’s probably right – many people (but keep in mind that 100 is a very small sample size for Microsoft customers, even then – although not nearly as small as it is now) wouldn’t buy a new version of software simply to fix bugs. Some might think they mean bug fixes in addition to new features, but that is up to interpretation – something that will vary. In any case – they shouldn’t have to buy a version to fix bugs; it should be part of the deal (end of life of a product is another issue entirely). Should and reality are of course very different but that is beside the point, which is this: there are a lot of differences in people and it is the reason mankind has as much as it has in the fields of science, medicine and technology (even if all three have much room for improvement). But just because I think a certain way doesn’t mean others think the same way. Similarly, just because I like reading, computer programming and music, doesn’t mean everyone else does: they might like some of those things but they might not. Don’t assume that your users want a specific feature, especially a feature you have running in the background with no mention of it anywhere! When in doubt, make it opt-in and not opt-out.

Users can also help: bug reports along the lines of “it crashed” or “it doesn’t work properly” are useless, frustrating and to some (hint) it is infuriating. This all comes down to communication, and even if some developers (I’ll not name anyone like GNOME or systemd developers…) disregard your views, it doesn’t mean all developers will. The more cooperation the easier it will be – for everyone.

As for why I decided to write about this: I have thought about it – opt-out is a poor way of handling something, especially if it is even slightly possible it will be controversial to some – for a long time (every so often), and I encountered something a while ago on my Fedora box (…Fedora is another subject entirely to me, of late). It occurred to me that my main system (Fedora) didn’t have logwatch installed. I don’t know why but it never did. All my other systems have had (and do have) it installed but this one didn’t. So I installed it. I had to remember how to change the way the report is delivered (with logwatch you override configurations rather than configure everything) and once I sorted that, I tested it. And what do I find but a script adding a fortune to the end of the output. Some might suggest that it is absolutely ridiculous that it bothers me. They’re welcome to feel that but it won’t change the fact that I don’t want it (and I’m equally as welcome to be this way, thank you very much). Thankfully I have customised logwatch before, but even then, I had to find out where this script was. It wasn’t hard – the files under /etc/logwatch refer to the default location (so it is easy to find if you don’t know), and they break it down into configurations, scripts and services. But the fact is I had to go out of my way to find the file so that I could then add an empty one in the right place so that I don’t have the fortune added to the logwatch output. Importantly, logwatch isn’t for entertainment; it is to simplify one aspect of system administration – log analysis (as long as you have it configured for all services, of course)! As such, this isn’t something they should assume everyone would want; some might find it entertaining (e.g. because system administration can be tedious?), but announce the ability with instructions on how to enable it, rather than making anyone who doesn’t want it find a way to disable it (maybe they did announce it somewhere but I only have this under Fedora and whether this is a Fedora addition or not I don’t know). Or make it a sub-package/module/add-on. I suppose their theory is if fortune is installed, they must want to see fortunes of any theme even when they don’t invoke it directly (through a login script or the command line itself). But that is still an assumption and it clearly isn’t always correct; I’m sure they didn’t mean harm but the fact is not everyone will want it, and that should be kept in mind when developing software (because software is useless without users just like users are worthless without software). I’m using this as inspiration and nothing else (this is minor compared to many other opt-outs!). Nevertheless, creating an empty file ‘/etc/logwatch/scripts/services/zz-fortune’ will prevent the fortune from being generated.
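The override layout the paragraph above relies on (a file under /etc/logwatch shadows the packaged copy of the same relative path, and an empty file therefore runs nothing) is easy to get wrong if the file lands one directory off. The following POSIX shell script is an added example, not code from the post or from the logwatch project: it resolves a service script the way the override scheme works (local root first, packaged root second) and creates the empty shadow file. The packaged root /usr/share/logwatch, the sample zz-fortune script and the scratch directory are assumptions constructed for the demo; the only path taken from the post is /etc/logwatch/scripts/services/zz-fortune.

```shell
#!/bin/sh
# Added example (not from the original post or the logwatch project).
# logwatch consults a local override root (normally /etc/logwatch) before
# its packaged default root (assumed here to be /usr/share/logwatch). Both
# roots are parameters so the demonstration can run in a scratch directory.

# Print the path that would be run for a service script: the override copy
# if one exists, otherwise the packaged copy. Fails if neither exists.
effective_service_script() {
    o_root=$1 d_root=$2 svc=$3
    if [ -e "$o_root/scripts/services/$svc" ]; then
        printf '%s\n' "$o_root/scripts/services/$svc"
    elif [ -e "$d_root/scripts/services/$svc" ]; then
        printf '%s\n' "$d_root/scripts/services/$svc"
    else
        return 1
    fi
}

# Silence a packaged service script by shadowing it with an empty file in
# the override root. The relative path must match the packaged one exactly.
disable_service_script() {
    o_root=$1 svc=$2
    mkdir -p "$o_root/scripts/services" &&
    : > "$o_root/scripts/services/$svc"
}

# Self-contained demonstration against constructed data in a temp dir:
# a fake packaged zz-fortune script is resolved before and after the
# override is created. Returns 0 when the override shadows the default.
demo() {
    tmp=$(mktemp -d) || return 1
    d_default=$tmp/usr/share/logwatch   # stands in for /usr/share/logwatch
    d_override=$tmp/etc/logwatch        # stands in for /etc/logwatch
    mkdir -p "$d_default/scripts/services" || return 1
    printf '#!/bin/sh\necho "constructed fortune output"\n' \
        > "$d_default/scripts/services/zz-fortune"

    before=$(effective_service_script "$d_override" "$d_default" zz-fortune)
    disable_service_script "$d_override" zz-fortune || return 1
    after=$(effective_service_script "$d_override" "$d_default" zz-fortune)
    size=$(wc -c < "$after" | tr -d ' ')
    rm -rf "$tmp"

    [ "$before" = "$tmp/usr/share/logwatch/scripts/services/zz-fortune" ] &&
    [ "$after" = "$tmp/etc/logwatch/scripts/services/zz-fortune" ] &&
    [ "$size" -eq 0 ]
}

# On a real system the post's fix is: disable_service_script /etc/logwatch zz-fortune
```

Because the override is a separate empty file rather than an edit to the packaged script, a package update cannot reinstate the fortune, and `rpm -V` (or the equivalent package verification) still reports the packaged copy as unmodified.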

70 Year Anniversary of V-J Day

2015/08/16:
Just to clarify something. Japan’s surrender was not an immediate action (perhaps this isn’t surprising but you’ll find references to different days as being the day, but it was a many day process to be completely accurate). The official signing of the surrender was September 2. August 14th was the beginning of the surrender (more conflicts occurred between these dates). The speech below took place on the 15th. If you pay attention (which this year is probably much harder to not do) to current affairs, you’ll see references to V-J Day prior to September 2 (e.g. the 15th perhaps because the nation was addressed) but in the end, this was not an overnight event – it is – and always has been – a complicated war.

(Note: This most likely – I’m quite certain this is the case – includes some structural and/or disorganised flow of thoughts and as a result it might be harder to follow. I would delay this for another day but the day itself is significant enough to not consider this, at least for me.)

Earlier this year (May 2) I wrote about the end of the Battle of Berlin (and its surrender) which was shortly (May 8) followed by the surrender of Nazi Germany, resulting in V-E Day. I intended to write something about V-E Day but I never got around to it – which is unfortunate because I think there is a lot I could have written about. I also intended to write about ‘Little Boy’ (the name of the atomic bomb dropped over Hiroshima on August 6, 1945) and ‘Fat Man’ (the name of the bomb dropped three days after Little Boy, over Nagasaki). But I felt a loss of words for the bombings that – along with the Soviet Union declaring war on Japan – ultimately led Emperor Shōwa (more commonly known as Hirohito) of Japan to order an immediate surrender of Japan (a coup that followed was foiled). Perhaps silence is the best way: the utter devastation and suffering these bombs inflicted upon Japan – and the world – is hard to fathom to this day. I think Emperor Hirohito’s speech holds significant value to this day, and even eternally:

To our good and loyal subjects:

After pondering deeply the general trends of the world and the actual conditions obtaining in our Empire today, we have decided to effect a settlement of the present situation by resorting to an extraordinary measure.

We have ordered our Government to communicate to the Governments of the United States, Great Britain, China, and the Soviet Union that our Empire accepts the provisions of their joint declaration.

To strive for the common prosperity and happiness of all nations as well as the security and well-being of our subjects is the solemn obligation that has been handed down by our Imperial Ancestors, and we lay it close to the heart.

Indeed, we declared war on America and Britain out of our sincere desire to ensure Japan’s self-preservation and the stabilisation of East Asia, it being far from our thought either to infringe upon the sovereignty of other nations or to embark upon territorial aggrandisement.

But now the war has lasted for nearly four years. Despite the best that has been done by everyone – the gallant fighting of the military and naval forces, the diligence and assiduity of our servants of the state and the devoted service of our 100 million people – the war situation has developed not necessarily to Japan’s advantage, while the general trends of the world have all turned against her interest.

Moreover, the enemy has begun to employ a new and most cruel bomb, the power of which to do damage is, indeed, incalculable, taking the toll of many innocent lives. Should we continue to fight, it would not only result in an ultimate collapse and obliteration of the Japanese nation, but also it would lead to the total extinction of human civilisation.

Such being the case, how are we to save the millions of our subjects, or to atone ourselves before the hallowed spirits of our Imperial Ancestors? This is the reason why we have ordered the acceptance of the provisions of the joint declaration of the powers. We cannot but express the deepest sense of regret to our allied nations of East Asia, who have consistently cooperated with the Empire toward the emancipation of East Asia.

The thought of those officers and men as well as others who have fallen in the fields of battle, those who died at their posts of duty, and those who met with death and all their bereaved families, pains our heart night and day.

The welfare of the wounded and the war sufferers, and of those who have lost their homes and livelihood is the object of our profound solicitude. The hardships and suffering to which our nation is to be subjected hereafter will be certainly great.

We are keenly aware of the inmost feelings of all you, our subjects. However, it is according to the dictates of time and fate that we have resolved to pave the way for a grand peace for all the generations to come by enduring the unendurable and suffering what is insufferable. Having been able to save and maintain the structure of the Imperial State, we are always with you, our good and loyal subjects, relying upon your sincerity and integrity.

Beware most strictly of any outbursts of emotion that may engender needless complications, and of any fraternal contention and strife that may create confusion, lead you astray and cause you to lose the confidence of the world.

Let the entire nation continue as one family from generation to generation, ever firm in its faith in the imperishableness of its divine land, and mindful of its heavy burden of responsibilities, and the long road before it. Unite your total strength to be devoted to the construction for the future. Cultivate the ways of rectitude, nobility of spirit, and work with resolution so that you may enhance the innate glory of the Imperial State and keep pace with the progress of the world.

All you, our subjects, we command you to act in accordance with our wishes.

There is criticism – both legitimate and illegitimate – on all sides, and the Emperor – perhaps more so after his death – receives criticism to this day. But the fact is Japan did not want to surrender (which I will discuss below), but they did. He took responsibility for the situation and if only everyone would heed his warning about nuclear weapons. Nuclear warfare exemplifies some of the worst of mankind (and this includes the only known uses of it in wartime) and it does so extremely well. His warning is 100% accurate. Of course, the atom was split and once done there is no going back. The Cold War worsened this with its nuclear arms race. But it also brought some good: the predecessor to the Internet – the ARPANET – which was meant to be a network that could withstand a nuclear attack (which means that if a host is down, it won’t receive or send data, but other hosts will still be able to communicate with each other); and it brought the good out in some people – for instance, it motivated a woman called Lynne Cox to risk a dangerous swim across the Bering Strait between the United States and the Soviet Union in an attempt to bring friendship instead of conflict. At this time, we are in another cold war, even if it isn’t recognised as such. While a cold war is better than a real war, a conflict is a conflict, and there comes a point where any significant outbreak of war will become a third world war, and that will likely be an apocalypse. Yet despite this, there are politicians in some countries that have no problem with war, and I dare say they even want war. That is a sign of extreme weakness and is the exact opposite of what a real leader should strive for – peace.

Japan didn’t want to surrender but neither did any other country (and there is the story of a soldier – Hirō Onoda – who thought for 29 years following the war’s end that it was still going on; it is a fascinating story for those interested in the war, and it really shows just how much they wanted to win and could not lose). I personally feel that not giving up is a positive, productive and noble thing. There are no victors in war (which is ironic when you consider what the V stands for in V-E Day and V-J Day) but this goes beyond war; those who give up might never have what they could have, they might never accomplish great things (that they could otherwise accomplish), and they might be at a great loss. Winston Churchill himself stated that [we] will never, ever surrender. But imagine if the Allies had surrendered – the world would be very different. Imagine, also, if the Axis Powers had surrendered earlier – the world would be different in another way entirely. But imagine still if Germany hadn’t invaded Poland on September 1, 1939 (or for that matter, taken over and annexed other countries prior to this). How different would the world be today?

Despite these thoughts, too much blame is placed upon nations for their past. Punishing Germany at the end of World War 1 was an incredibly stupid decision and some recognised it then (basic logic explains why and how it was so stupid). Yet to this day some think that Germany is responsible for great harm in this world; I say that those punishing Germany at the end of World War 1 are equally responsible for harm. But that should not be the focus; consider this instead: the actions of Germany (and many other countries) might have caused great harm, but the world should learn from the past and not dwell on it.

70 years ago marked the end of a very dark chapter of mankind but the many lessons are still not taken to heart and that is equally as dark – if not darker – than the war itself. We should not only remember the impact of the war – we should also remember why it happened and what could have been done differently, to prevent it. Lastly, attention should be shifted to the present. If this is not done – and I’m afraid that history shows it isn’t – mankind is doomed to ultimately destroy itself (it already destroys the treasures of the world and that includes wildlife that has become endangered if not already extinct).

Windows 10: An example of DOA (Disaster of Automation)

I have to admit, when Microsoft first announced that Windows 10 would be the final release of Windows, I raised an eyebrow. Then, because Windows 10 was offered for free (as an upgrade for the first .. month?), I was more suspicious: if it is free, are they simply baiting the customer to upgrade, hoping to make a profit by some contract (literally or figuratively) of some kind (pay for some sort of subscription or otherwise future software or updates)? After all, some corporations (maybe even Microsoft?) have subscriptions for technical support and software, so how else could this work? I truthfully do not know but given that they are a for-profit company, there has to be something at play. But there is more to the story of Windows 10. When I first found out that Windows 10 Home edition would automatically be updated, I shuddered.

The fact remains that humans are not perfect, programmers are humans, therefore programmers are not perfect. If you remember, Microsoft at one point pushed out an update that was required in order to receive further updates (therefore encouraging customers to update), only for that update to prevent updates working (off hand I don’t have the information but it definitely happened and there are articles about it). That is scary when it is manual updates but it is even scarier when it is automatic. Yet, even without that mess, automatic updates are what will lead to what conveniently shares the abbreviation of Dead on Arrival (DOA, which is often used to refer to computer hardware – probably other things too – that failed quality control and therefore is ‘dead on arrival’[1]): Disaster of Automation. There are several things to consider.

Firstly, even an experienced system administrator can apply a patch (in binary distributions it would be an update to the package but the end result is the same), only to find out what was updated no longer works. I know in the past I have updated BIND (Berkeley Internet Name Domain) – which is a critical component given that it includes named (name daemon) and therefore is a DNS server – only to find it failing to start or having warnings upon restart (i.e. the postinstall script reloads the configuration file or restarts the service). What happened is as simple as ownership of files being changed. The administrator (a friend) of my slave DNS servers (second, third, fourth) has in the past had this exact same problem on his servers, and DNS failures can cause many problems.

But even if it didn’t cause problems, consider this: the update failed for some reason or another. What happens if it was automated and you’re not at the system? I won’t even get into the problem that the Windows installer is brain-dead enough that you have to reboot for almost everything (or last I knew it is, and I can’t imagine it is different now). Hopefully it only updates and waits for you to reboot manually.

The astute reader would point out that I’ve not given any examples so far (and Windows 10 is quite new, which makes what I’m about to show, even worse) of updates going afoul with Windows 10. For that matter, I’ve not pointed out Windows 10 problems at all (besides being created by Microsoft, that is). Well here goes.

Since Windows Update now also treats drivers as non-optional, and since Windows 10 automatically installs updates, and since an Nvidia GPU driver has a bug (or bugs, maybe), people are having all sorts of problems as described on their forum. Problems like flickering (which is not at all good for eyes!) and even multi-head (more than one monitor) not working correctly (if at all).

Then there is ‘Windows Update Delivery Optimization’. What does it do? It theoretically allows you to not have to download updates from a remote (out of your network) server more than once. So for instance, you can update all your Windows 10 systems without having to download the updates more than once. Well, that is excellent that Windows has a concept similar to local repositories. Unfortunately, though, their method is presumptuous, arrogant and irresponsible. Here is what their FAQ says:

Download updates and apps from other PCs

In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from:

PCs on your local network. […]

PCs on your local network and PCs on the Internet. […]

You would like to believe they have a good design here. But the very fact that they offer ‘PCs on the Internet’ at all is disconcerting. From what hosts? My understanding is they now have update verification. But that should always have been in place. If they already have it, why bring it up (aside from maybe reminding people of it)? If they don’t, why the hell didn’t they have update verification?! I’ll return to this in a moment. The problem is worse, however:

Send updates and apps to other PCs

When Delivery Optimization is turned on, your PC sends parts of apps or updates that you’ve downloaded using Delivery Optimization to other PCs on your local network, or on the Internet, depending on your settings.

How is my PC used to send apps and updates to other PCs?

Delivery Optimization downloads the same updates and apps that you get through Windows Update and the Windows Store. Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time. Depending on your settings, Windows then sends parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.

It would be one thing if it defaulted to off, as it should. Opt-out means you have to know it is enabled, and it is poor design to assume the user knows everything about the system (or can even remember what they know). Yet so many corporations (Google and Facebook, to name two others with delusions of grandeur) are arrogant enough to make things opt-out instead of opt-in. But in this case it is worse still! Not only is it on by default, it defaults to sharing updates with the Internet:

Delivery Optimization is turned on by default for all editions of Windows 10, with the following differences:

  • Windows 10 Enterprise and Windows 10 Education: The PCs on your local network option is turned on by default.

  • All other editions of Windows 10: The PCs on your local network and PCs on the Internet option is turned on by default.

Yes, great idea, Microsoft. I’m sure your grandeur justifies it all, but did it ever occur to you that most homes don’t have high upstream rates? Did it ever occur to you that they might be capped or even throttled? Did it ever occur to you, in your complete brilliance, that when you download content from another host, the other host is uploading to you? Did it ever cross your mind that many homes have asymmetric connections (with a fairly slow upstream in particular), and even if they didn’t, not pushing upstream to its limit is important for – irony! – optimising connections? Even more important, did you ever consider that not everyone will want this enabled, and fewer still would want it uploading to the Internet (or downloading from servers other than Microsoft repositories)? As a vendor you shouldn’t burden the customer any more than is necessary, and clearly this idea is not necessary.
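Since the setting is opt-out, the practical defence is to find out what mode a machine is actually in and pin it by policy. The script below is an added example (not from the original post or from Microsoft): the registry paths and the meaning of the DODownloadMode values are taken from Microsoft’s Delivery Optimization documentation rather than from this post, and it assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example: audit Windows 10 Delivery Optimization peering and pin it by policy.
# Registry paths and DODownloadMode meanings are from Microsoft's documentation,
# not from the post above. Run elevated.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config'

# DODownloadMode: 0 = HTTP only (no peering), 1 = LAN peers only, 2 = group,
# 3 = LAN and Internet peers (the default the post objects to), 99 = simple, 100 = bypass.
$ModeNames = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'LAN + Internet'; 99 = 'Simple'; 100 = 'Bypass' }

function Get-DOMode {
    param([string]$Key)
    # Returns the DWORD if present, otherwise $null (key or value missing).
    $item = Get-ItemProperty -Path $Key -Name DODownloadMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DODownloadMode
}

function Show-DOStatus {
    $policy = Get-DOMode $PolicyKey   # Group Policy value overrides the Settings app
    $local  = Get-DOMode $ConfigKey   # value written by the Settings app
    $effective = if ($null -ne $policy) { $policy } else { $local }

    if ($null -eq $effective) {
        # Nothing set: the FAQ quoted above says Home/Pro default to Internet peering,
        # Enterprise/Education to LAN only.
        Write-Output 'DODownloadMode not set; edition default applies (Internet peering on Home/Pro).'
    } else {
        Write-Output ("Policy: {0}  Local: {1}  Effective: {2} ({3})" -f $policy, $local, $effective, $ModeNames[$effective])
    }
    if ($effective -eq 3 -or $null -eq $effective) {
        Write-Warning 'This machine may upload update fragments to arbitrary Internet hosts.'
    }
}

function Set-DOMode {
    # Pins the mode via the policy key so the Settings UI cannot re-enable Internet peering.
    # 1 keeps the local-repository benefit the post approves of; 0 disables peering entirely.
    param([ValidateSet(0, 1)][int]$Mode = 1)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DODownloadMode -Value $Mode -Type DWord
}

Show-DOStatus
Set-DOMode -Mode 1
Show-DOStatus
```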

Going back to update verification. Microsoft insists the following:

Delivery Optimization can’t be used to download or send personal content.

Yet this claim has been made before and it has fallen down for a variety of reasons. I really, really, really cannot wait for this to be abused; some of my demons actually want it to happen sooner rather than later. It isn’t a matter of whether it will be but when. I’m eagerly waiting.

Finally, I have one more update issue to share. The one where Windows 10 update KB3081424 (which includes security fixes) is causing some computers to enter a reboot loop. Indeed, this really is a disaster of automation and it is a fatal design flaw, courtesy of Microsoft.

[1] Sometimes the product is fine but the user (‘builder’) makes a mistake (e.g. there is a short that prevents the core components of the computer from booting) and assumes it is the product rather than a mistake on their part. But there are times when it truly fails to … well, deliver what it should.