Ridiculous and Stupid Computer Prophecies

I’m including this in general because it fits in several different categories all to do with computers. I’d actually go so far as to say that this happens outside of technology. But regardless of where it is, it is almost always utterly ridiculous and completely stupid. The idea goes that something will die out. Yet these statements are claimed over and over again, ad infinitum, despite the fact they are all illogical. Maybe it is because these would-be fortune tellers want their prophecy to come true but that doesn’t make it any more realistic.

This will not be in any specific order but for each I will give my thoughts on said prediction and why it is ridiculous, stupid and illogical. Some predictions I am especially bemused by and it is quite obvious from what I wrote below.

Eradication of Spam

The first one is from 2004 when Bill Gates predicted that spam will be wiped out in two years’ time. I remember reading this at the time but I saw it recently by chance. It would be nice but as I’ve written about before, as long as there exists one person that responds to the spam in some way, it is worth it to the spammers. But let’s be honest: more than one person does exactly this just like more pay up for ransomware attacks. The reality is spam isn’t going anywhere. Tactics will change to account for ways to try to help mitigate spam but spam itself is still strong. The mitigation methods aren’t exactly that successful, either. Spam filtering is the best of the lot in the matter and it is impossible to get right 100% of the time (and this is with text mails; then consider the tricks of the entire message being in an image or images). HTML in email makes this even worse (and it is unfortunately something that is rather commonplace) in what it allows (hyperlinks themselves are one thing but embedded HTML is another entirely). No Bill, spam isn’t going anywhere, I’m sorry to say. The prediction that it would go away is like predicting littering will be defeated. It just won’t happen.

Computer Mice Will Die

I seem to recall this, anyway, and all I can think of is that these predictors believed that with pens (whatever those input devices are called) there would be no need for the mouse. But that’s not how it works. Not everyone will want the alternative input methods and not every input method is appropriate for all types of input, funnily enough. The mouse will never be abandoned and that’s all there is to it. The sole exception is if manufacturers work together to ensure that mice can’t function and no mice will be replaced. But yet nowadays mice are often USB enabled and so good luck with getting rid of that capability.

Keyboards Will Become Obsolete

I really, really, really, and I do mean really, get laughs out of this one. It is so utterly stupid and ridiculous it is hard to believe anyone would make this claim. But it has been claimed many times over the years, and each time it is equally as stupid. Let’s see why that might be, shall we?

Typists can somehow type faster than they can speak. This is rather obvious to anyone who has spent much time around computers, but it apparently isn’t enough. If I were to speak at the rate I type, I would be considered manic and frankly it would be extremely difficult to follow my thoughts (the reality is my thoughts are already hard to follow, especially if spoken but through typing I can look back at it and fix any mistakes at another time – you can’t not say something you already said, can you? Granted you can’t change archives but you can at least fix any unfair thoughts and you can improve upon what you wrote before – this is sometimes called ‘editing’). This is despite the fact that my typing has gone bad in recent years. The reality is my fingers are a lot faster, more accurate and more efficient than speaking. But then you have people that enter data into databases. The syntax might not be easily spoken. Then there is the example where thoughts flow naturally in a person’s head but not if spoken. This might occur when writing a book, for example, or perhaps the thoughts aren’t completely there (enough to speak) but are still there in some form (enough to put down in order to develop later). Oh, and yes, I’ve left two things out. First, to get rid of keyboards one would have to speak and yet software isn’t perfect (and never will be) and so it won’t get things right all the time (and without keyboards what do you do to fix these mistakes?). While this might not be for many people, my mother works at her computer and watches TV at the same time. She’s also watched TV, crocheted and read a book all at once. No, that isn’t a fabrication, and yes she was able to follow everything and what she was crocheting had no problems, either. The TV is important: people on TV tend to be so rude as to talk (sometimes more than one person at the same time). Obviously that is sarcasm.
Forget the fact that it would be hard to speak the letter you’re typing in while watching TV, how would the software discern what is being said by what person (or thing)? No, voice recognition won’t solve the problem with 100% satisfaction. My doctor recently showed me his dictaphone (that could input to a computer) and unsurprisingly it was very easy to make the input turn to gibberish. After I demonstrated this he even said that he has to tell patients this fact (he  showed me after I laughed at his inability to find the keys on the keyboard, even though I was far enough away for my poor vision to discern things well, I knew what he was trying to type and I knew his fingers were in the wrong place – by a lot). Then there is the best part. Computer programming. Oh yes, no keyboards would be a killer to this important task. Many will say that some of it can be automated but I challenge them to look at more advanced C code until it sinks in a bit. No, no and no, keyboards aren’t ever going to be obsoleted. Anything to the contrary is ridiculous and stupid.

Passwords Will Be Obsoleted

This is another fun one. The theory goes that passwords are the weakest link in the chain (hint: they aren’t; what is the weakest link is those who create passwords, reuse, share with others, write them down and the list goes on and on – i.e. humans are the weakest link, not passwords) and there have been so many problems with them over the years. Or another one I’ve read is that they are no longer sufficient. Well sorry to break it to these bogus fortune tellers but they were never sufficient by themselves! They were always a weak part of the security chain. But that doesn’t mean they don’t have uses. They do. And people suggesting emojis as the replacement are completely blind – literally and figuratively. Tell me, how is a blind person going to know the difference? Tell me also, what about those who can’t really distinguish one image from another (faces being the common example even if the name of the problem is at my fingertips but not quite available, it is a known phenomenon), or have an easier time remembering text over images? And what about password managers which allow for (when used properly in the right environment) far more safe passwords than some stupid combination of images (I might remind you of shoulder surfing). Any organisation that removes passwords outright is woefully naive and is risking security. This is just like how passwords are limited in what characters are allowed, or only allowing a length of 16, say, characters. It’s stupid. Funny story: once upon a time I was making an account on a website and when forced to enter a password hint/question I put something like: ‘password questions/hints are insecure’ in it. Then, when creating a password, I got an error. I tried it twice before it occurred to me what the problem was: they were only allowing alphanumerical characters.
I’m thrilled I had made the remark about password hints at this time but I was not at all thrilled with such weak password policies (passwords are weak as it is and by removing non-alphanumerical characters you make it much weaker).

Biometrics Will Take Over

Yes, well all I can say is this: your DNA is your DNA and it has already been demonstrated that fingerprints (and maybe even images of) left on something can actually be used to compromise the supposedly safer system (‘protected’ by biometrics). Oh, and just to throw out another problem: some people (rarity is irrelevant) have more than one DNA. No, this is not a lie. It’s called genetic chimeras, named after the mythological creature. Only a fool would assume it will never be a problem.

Anti-Virus Software and Firewalls Will Be Obsoleted

I saw this just today. The scary thing is that the person writing this at Tripwire is actually suggesting the possibilities based on incorrect perceptions of what security is (it is always a multi-layered thing):

If the decline in antivirus use happens, it will largely be from greater use of whitelisting, or application control, on computers and mobile devices. While whitelisting is a capability many computers have had for years, only recently has it become a default setting. Whitelisting basically works by preventing programs with certain identified harmful signatures from running on a piece of equipment.

No, the reason anti-virus isn’t used is because people seem to believe that it isn’t needed – a theory whose chances of survival you are conveniently improving. Whitelisting isn’t used by default you say? That might be for Windows and MacOS but the reality is those aren’t the only operating systems around, and just because something is the default doesn’t mean it stays that way. Not addressing the issue is being irresponsible (even if through ignorance) and to use irresponsibility as evidence is idiotic. But here’s the most ironic thing: what you’re describing with whitelisting with respect to computer programs is exactly what anti-virus software does! What do you think the virus signature databases are? I’ll go further, though: you’re not talking about whitelists; you’re talking about blacklists and those defy the wisdom of: that which is not explicitly permitted is forbidden. No, a whitelist would be deny everything by default and only allow what is explicitly allowed (hence whitelist, not blacklist). As an afterthought, maybe you’re trying to say that whitelisting only allows software which isn’t known to be malicious, but that then is a poor choice of wording (something we all are guilty of). But this concept is irrelevant to anti-virus software as a whole because anti-virus software also has heuristics (for example) which protect against unknown malware by examining what the potential malware does (and how it does it). This is why software that generates keys to some product is sometimes flagged as malicious when it only is using techniques that viruses also use (of which there are many). Yes, that means it is a false positive but it could have been malicious software that wasn’t a known virus. You see, this is why it is a multiple-layered concept.
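To make the distinction concrete, here is an added illustration (not code from the original post or from the quoted article) that runs the same five constructed programs through a signature blacklist, a blacklist combined with heuristics, and a true default-deny whitelist. The program names, byte strings, trait names and the threshold of two suspicious traits are all assumptions made up for the example.

```python
"""Default-allow (blacklist) versus default-deny (whitelist) application control."""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Program:
    name: str
    image: bytes                      # constructed stand-in for the file contents
    traits: frozenset = frozenset()   # constructed behavioural observations


# Constructed trait names standing in for "techniques that viruses also use".
SUSPICIOUS = frozenset({"packed", "self_modifying", "injects_code"})
HEURISTIC_THRESHOLD = 2               # assumed: two or more suspicious traits => flag

# Constructed samples; none of these correspond to real software.
PROGRAMS = [
    Program("editor", b"approved editor build 1"),
    Program("known_malware", b"malware body A", SUSPICIOUS),
    # Same behaviour, one byte appended, so the stored signature no longer matches.
    Program("malware_variant", b"malware body A\x00", SUSPICIOUS),
    # A key generator that merely shares techniques with malware.
    Program("keygen", b"key generator", frozenset({"packed", "self_modifying"})),
    Program("new_tool", b"unreviewed utility"),
]

KNOWN_BAD = {sha256_hex(b"malware body A")}          # signature database (blacklist)
APPROVED = {sha256_hex(b"approved editor build 1")}  # explicit permissions (whitelist)


def blacklist_allows(p: Program) -> bool:
    """Default allow: everything runs unless its signature is known to be bad."""
    return sha256_hex(p.image) not in KNOWN_BAD


def heuristics_allow(p: Program) -> bool:
    """Behavioural layer: block when enough suspicious traits are observed."""
    return len(p.traits & SUSPICIOUS) < HEURISTIC_THRESHOLD


def antivirus_allows(p: Program) -> bool:
    """Signature blacklist plus heuristics, the combination the paragraph describes."""
    return blacklist_allows(p) and heuristics_allow(p)


def whitelist_allows(p: Program) -> bool:
    """Default deny: nothing runs unless it is explicitly permitted."""
    return sha256_hex(p.image) in APPROVED


def evaluate(programs=PROGRAMS) -> dict:
    """Return, per program, whether each policy would let it run."""
    return {
        p.name: {
            "blacklist": blacklist_allows(p),
            "antivirus": antivirus_allows(p),
            "whitelist": whitelist_allows(p),
        }
        for p in programs
    }


if __name__ == "__main__":
    print(f"{'program':<16}{'blacklist':<11}{'antivirus':<11}{'whitelist':<11}")
    for name, verdicts in evaluate().items():
        row = "".join(f"{'run' if ok else 'block':<11}" for ok in verdicts.values())
        print(f"{name:<16}{row}")
```

The variant slips past the signature list alone, the heuristics catch it at the price of flagging the key generator, and the whitelist blocks everything it was not told about, including the harmless new tool.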

Companies like Apple and Microsoft haven’t used whitelisting as a default setting to give users the freedom to run any program on their machines, but that attitude is quickly changing.

Yet here you’re describing whitelist correctly. I’ve not seen evidence to support whitelisting or blacklisting being the default under these operating systems, one way or another, but I will say this: saying you can only use software that is flagged as valid will cause upset and potentially backfire in that people will find workarounds. You see, convenience and security are mutually exclusive (or otherwise don’t mix well) and it is why you have to find the right balance (which can be really hard). When you don’t find the right balance the security becomes worse because of people being annoyed by the inconvenience of it all. Yes, people really like convenience. This shouldn’t be surprising. Incidentally, I’m going to point out also that Apple’s Gatekeeper has been circumvented by malware and has been described as completely broken by a researcher. Perhaps you see now why your supposed method isn’t a replacement for anti-virus? One hopes so.

Similar to antivirus programs, firewalls may soon become obsolete thanks to advances in other technologies.

Augment, not replace. No, firewalls are not becoming obsolete and any claim to the contrary is stupid and harmful. Yet you don’t really talk about the supposed replacements. I return to your thoughts:

While firewalls still persist to this day, many aren’t even configured and feature far too permissive rules to be of much use. Firewalls are proving to be outpaced by the use of HTTPS network connections. In addition to that, many of the attacks firewalls are best designed to stop have ceased to be much of a problem. Plus, firewalls do a poor job preventing attacks from social engineering and unpatched software.

Yes, many are permissive. I would like to think then that you understand whitelisting versus blacklisting but you demonstrated otherwise (or you have a very different idea of what black and white is). And indeed, a poorly configured firewall is in many respects worse for security. But for some strange reason, a properly configured firewall is better for security! Now the obvious question: what the hell does HTTPS have to do with replacing firewalls?! That is such a scary statement it is something I don’t want to believe was stated (but was). You note that not all servers have web servers. You note also that they still have firewalls. You note that clients also use firewalls!! There are other protections in place, too, because once again it is a many layered thing! And no, the attacks have not ceased to be problems (but it seems you don’t understand what firewalls are designed for in the first place, as below) but even if they have, only a foolish, reckless administrator would say: “Well this attack is hardly ever seen in the wild nowadays so we’ll not even worry about it!” – that is completely stupid and counter-productive! Oh, and for the record: firewalls were never designed to prevent social engineering and vulnerable software! Those are different problems entirely. To think that you would use this as reasons they aren’t good is just crazy scary.

With fewer reasons to use firewalls, they will likely become obsolete sometime in the future.

There aren’t fewer reasons to use firewalls. There is a reason to not follow your advice, though.

These security technologies have served some good uses in the past but holding onto outdated technology only increases the risks you’ll face in the future.

No, they are not outdated and not using them will increase the risks “you’ll face in the future”!

Hackers change up their tactics with incredible frequency, and companies need to be on top of that by adopting better security technology. There’s no reason to hold onto a ten year old server when converged infrastructure is a reality, and there’s no reason to think passwords are the best way to keep cyber attackers out when better measures are available.

I’m ignoring the first word of that paragraph. Yes, attackers change tactics. Obviously. Who would think otherwise? Is this any different from non-cyber crime? Of course not. But getting rid of these so-called obsoleted technologies is a disaster waiting to happen. Once again you fail to understand that security is a many-layered thing. Better security would be accomplished by remembering these things work together, are not obsolete, are still very relevant, and they are all part of a much bigger picture. The fact you also (presumably an honest mistake, again something we’re all guilty of) refer to passwords in this topic makes your points even more questionable (as if there isn’t enough reason to question them).

No, better technology is not available, and there isn’t a single way to keep attackers out. There never has been and never will be. It’s as simple as that.

All businesses should consider carefully where they go with security in the years to come

No. Everyone should consider carefully security in general, not only in the future but right now. Living in the future is just as stupid as living in the past (and it also means you miss out on things happening now).

Artificial Intelligence, Aliens and Computer Viruses

Okay, to be fair, Watson (that defeated the champions of the US trivia show Jeopardy) did have to interpret the questions in order to answer them, but without all that information it was fed its chance of winning would have been a lot lower. Storage capacity is huge compared to what it used to be (and it is a lot cheaper too) and more generally, technology and its power are advanced enough that it makes things like this less significant. I’m all for the evolution of technology but it is a mistake to not have serious, very long, very thorough discussions about AI – of every single concern at every level (technical, ethical and moral included). Yes, this means trying to find potential problems instead of ignoring the reality that we haven’t thought of everything (and no, we haven’t thought of everything – this is shown over time, repeatedly, when something new does come up).

I admit this might be childish of me but I readily admit that I can be childish. Whatever. It seems that a so-called AI machine was given an IQ test. The results, however, say a lot about just how good AI is (not). Maybe I’m so amused because I’ve stated many times that devices are not at all smart and maybe it is because I’ve pointed out the stupidity that many humans exhibit. But in any case, the intelligent machine scored the IQ of a four year old child. Yes, people, that is how intelligent AI really is and still people have faith, despite the fact some AI already has shown scary implications (as I refer to the OpenWorm project). No, feeding a robot (e.g. Watson) information in order to beat masters of trivia does not count as being smart but instead capable of retaining information. But since the machine got the result of a four year old, I’m going to childishly refer to a quote of mine that essentially likened human intelligence to that of artificial intelligence. Certainly, only fools will call themselves intelligent without any questioning and this is unfortunately something humans tend to excel in (and revel in pointing it out as if it makes them superior to other species).

So. Saturday, September 12, I was made aware of a most amusing, ridiculous concern from scientists at Oxford University – that we have to be careful because we might send computer viruses to our friendly aliens in outer space. Graham Cluley has an amusing video on the matter here. Yes, they genuinely believe we might spam and/or send viruses to the computers of aliens. One argues that we already spam the universe with reality soaps and I can’t say I disagree there; but that’s a different story. But I’m going to take this as an opportunity to discuss:

  • The pros, the cons and the risks of AI
  • The treatment of (‘against’) animals, the abuse of the environment, the destruction of planet Earth (and all its lifeforms) and the ethics of trying to find replacement planets because we’re too fucking stupid to take care of the planet we have
  • The possibility of aliens and the mentality humans tend to have about it (and them)
  • Alien computers and computer viruses (here versus there, wherever or whatever there might be)

Artificial Intelligence: The pros, the cons and the risks humans are subjecting themselves to.

I fully admit that I am mostly against AI but yet I do appreciate that there are legitimate uses of it. No good comes without bad and no bad comes without good. We all have dark and light in ourselves despite what many will say about certain figures in the history books.


Pros

  1. By experimenting with AI we learn more. Perhaps not enough to understand and appreciate the risks (but this is just like history), but the more we learn, the better things can be (perhaps with the exception of military advances – but even that is better for the military, I guess).
  2. A robot could be designed (or improved upon) to help rescue people trapped under rubble after a natural disaster (for instance, the 8.8 earthquake in Chile earlier this month?).
  3. A robot could do other things that are impractical for humans to do. Whether thinking is one of those things or not is another matter entirely (I would argue yes but only if AI really takes off).


Cons

  1. This is something I’ve never quite understood. So many people want AI to be advanced in order to do tasks that these same people consider tedious. But yet, if this is accomplished the robots will succeed the humans doing these tedious tasks, therefore taking their job (and that includes actual activity – of the brain and the body, both of which are part of slowing deterioration). Machinery doesn’t need money to live (an arcade machine isn’t alive even though it expects money) but humans do need some way to barter. There is just no getting around it.

The sceptic might look at the above lists and point out that despite the fact I’m against advancing AI, I’ve given fewer cons than pros. But besides the fact the list is not at all complete (and some pros might be cons to some and the same with cons as pros to others), there is something worse than cons: the many dangers that AI poses to mankind.


Rather than include a list of risks, I’m going to remark on some things I find concerning. Most would know I’m not at all the only one to warn about these things, and some might claim I’m just another coward who is afraid of machines. But there is a reason I’m not the only one: there are actually very legitimate concerns. There is also the subject of ethics and morals (which in my view is equally important).

The fact that some countries want to develop killer robots should say enough to most people. I’m not sure if it does but it definitely says enough – far too much – to me. It shows an extreme and disgraceful disregard for human life and it shows just how far people are willing to go for their own benefit. I’m going to call it as it is: those (nations recognised by the UN) who go so far as to develop (and/or buy into or fund) killer robots are selfish cowards to the absolute extreme. Then there is the Israeli Harpy drone that decides itself whether to shoot or not. The proponents will say things like they wouldn’t launch the ‘fire and forget’ device into the area if they didn’t think there was an enemy (does the fact humans aren’t perfect come to mind? It should) but besides the fact that the more advances with this technology, the fewer choices humans will have (I refer to a project in a bit that demonstrates this), and besides the fact a tank is still a tank (see also the concept ‘friendly fire’), a life is a life, is it not? If a remote controlled drone kills innocents, what makes any rational person believe a drone controlling itself will do any better? An indiscriminate weapon is still an indiscriminate weapon and a life is still a life! (Yet, as an Israeli historian says, Israel has not learnt the full humanitarian lesson of the Holocaust as [they] should and [they] do manipulate the Holocaust but [they] also feel very, very deeply about it.)
But I’m not trying to lecture anyone on this matter (there are plenty of resources and there are faults on all sides but the closest thing – that I’m currently aware of – to a killer robot, is the Harpy drone) – it would be futile and counter-productive, anyway; the bottom line is that AI has real risks to mankind and just like history is being ignored by foolish people (which indeed includes military and government officials), AI is too (it is inevitable but there really needs to be far more discussion on the ethics and the implementations of it). Yes, yes, I know many Americans and (all?) Israelis will condemn me to hell for these statements but I also imagine they would LOVE the technology in the hands of Hamas and Hezbollah! But you know something? Just like there is no going back after the splitting of the atom, there is no going back on this type of thing. Choose your poison and choose it well. However, if you ignore history for a moment (and not a moment more) and look at a telling experiment called the OpenWorm Project (pay particular attention to: Wriggle room; Silicon Immortality; and note Moore’s Law), then you should be able to understand exactly why killer robots are a horrible idea (besides the blatant disregard for life, life that could be your own or someone you care for deeply). Some would point out the Fighting Fate section and make the assumption that someone like me would agree with fighting death. Well, I don’t agree with fighting death any more than I agree with the blatant disregard for life that many humans exhibit: we’re all mortal and this is completely different from improving the lives (which includes health) of others. The section brings up a valid point, though – Mother Nature doesn’t care what humans are capable of (or have supposedly cured); the event they refer to is a good example (a specific solar flare). There are more examples than solar flares – for instance, supervolcanoes.
Another example is the Tunguska explosion in Siberia in 1908. The bottom line is that artificial intelligence could overtake humans. Whether that is a problem to anyone or not is another matter entirely.

Planet Earth: The treatment of animals, the harm to the environment and the ultimate destruction of the planet.

I was going to write about this in more detail but after attempting it a few different ways, I see this is impossible for me to do – this subject is one I feel very strongly about and it is one of the things that most disgusts me about humans. The treatment of wildlife, the damage to the environment (and things like deforestation), and the fact humans can’t even respect themselves is just beyond comprehension. Last year, it was reported that in the past 40 years, 50% of world wildlife populations have been destroyed. (For some populations it was more than 50%.) Yet some claim that because there are difficulties with establishing these statistics, they aren’t statistically valid. This claim only proves just how out of touch (or unconcerned?) humans are with the amount of damage they cause; humans cannot respect themselves so they certainly cannot respect anything else. What I will say is this: the planet will be devoid of all life, long before the Sun dies. One of the species will deserve it and the rest will not. The species that deserves it is the species that causes it – Homo sapiens (whether directly or indirectly, mankind will destroy the world).

The possibilities and implications of extraterrestrial life.

I’ve long felt that humans need to stop looking for other planets to one day occupy. The reasons should be clear already, but I’ll reiterate it anyway: we cannot take care of our own planet, so do we really have the right to populate other planets – only to destroy them as well (not that those doing so really care if they have the right or not; humans tend to believe they inherently have the right to do whatever the hell they want)? The reality is if we can’t take care of the planet we have, we won’t be able to take care of other planets. It is one thing if mankind wants to destroy each other (and ultimately Earth) – and this is bad enough – but it is another entirely to find more planets to destroy. While not all humans are this way, the overall impact humans have on the world makes me truly question whether we deserve another planet. I don’t think we do even though some will suffer – and are suffering – because of those that don’t care about anyone or anything. But that’s not what this is about. The issue is quite simple:

If there are other lifeforms out there, and they are actually intelligent (at least in what humans call intelligence and in which case they will probably be more intelligent) and capable of contacting (or travelling to) us, then there are two likely outcomes:

  • They would have the capability to completely destroy us. I will not express my opinion on this matter other than say it would be cruel irony.
  • They will stay clear the hell away from Earth. This would seem plausible unless the first possibility is true. Humans cause so much damage to each other and the world, and humans destroy the unknown (hence the hunts for Bigfoot and the stories of killing it; there are other examples though), so why would aliens – who are intelligent enough to contact us – want to contact us? A Twilight Zone (or so I think it was) episode highlighted this quite well; I can’t recall the episode name but the idea was a town was inhabited by what they thought was an alien. In the end, someone was dead and they then understood that the alien was themselves; indeed, one of the humans killed another human they thought was an alien. That is sadly a rather accurate depiction of how humans behave.

Realistically, if they were capable of travelling here, they would probably be capable of destroying us, so the fact this hasn’t happened yet (unless they’re secretly mating with humans, silently taking over? I imagine some would like to believe – if not fantasise about – that) could possibly answer both questions at once (there are lifeforms that are intelligent enough to hide and there aren’t other lifeforms capable of travelling to Earth). I wish we’d stop looking though, I really do, because of the tendency to destroy the unknown.

Alien Computer Viruses.

What to say on the matter. There are so many things it is hard to know where to begin or even what to include. Let’s start with the technical aspects. It is true that computer malware has been accidentally sent to the International Space Station (though off hand I don’t have references, it has happened). That is scary enough and it is yet another reason nations writing malware (and abusing exploits; I’m looking at the US especially) is just a very reckless and stupid idea. But whether there are computers on other planets is another matter entirely.

There is this inherent belief that just because life on planet Earth requires certain things (carbon, hydrogen, oxygen and nitrogen for four examples), it should be the same for other forms of life on other planets (or all species), and therefore if a planet doesn’t have the same requirements we require, it cannot possibly have life. This is just stupid and arrogant. What makes anyone here believe life on other planets has the same restrictions we do? They could have more restrictions, they could also have fewer restrictions (or maybe none? At least one scientist believes that intelligent lifeforms on other planets will be machines) or it is entirely possible they can live under different restrictions (e.g. carbon, hydrogen, oxygen and nitrogen do not harm them but they don’t need any of it, either). They might live in fire instead of water; they might live underground instead of above ground. The reality is we just do not know and anything else is assuming – and assuming does nothing to settle matters (aside from settling who is made an ass of).

Similarly to how we don’t know what lifeforms on other planets might require (or if there are lifeforms at all), we also can’t say that if they had computers (I doubt it but I also don’t think we will ever know; not in our lifetime) they would have the same requirements. They might even be capable of real magic (including things humans have yet to accomplish – and probably will never succeed in – without illusions e.g. invisibility). We simply do not know! Let’s assume that there is life on other planets. Let’s also assume that they have computers. For fun we’ll also consider they have the same life requirements as we do. What sane person would think they will have the same operating systems (and software for!) we have? What really makes anyone (these scientists that are making jokes of themselves, for instance) think these aliens will run Microsoft Windows, Mac OS X, any of the Linux distributions, BSD Unix (any of them), or even DOS, VMS or something else we have? To worry about sending viruses… it is just absolutely absurd. Hilarious but an absurd way of reminding us that we should really worry about resolving the way we abuse Earth before we worry about life on other planets. Space exploration is important (many things people take for granted were discovered through it) – but that is different from trying to find a planet to inhabit (which I’ve seen references to).

US Navy in About-face on Exploit Black Market?

2015/09/23: Several additions (+ fixes and clarified some points).


It seems that the United States of America’s Navy is working on an Internet defence system for their ships – one against attacks which could affect the ships’ controllers. This is obviously a good idea, and my understanding is that they are implementing it (whether they have succeeded in this yet I do not know nor do I really care much) so that the same attack will not work against more than one controller. That seems a good idea too, regardless of how well it will work in the end (some might consider it layered defence but I would extend this to be specifically subnetting and firewalling, only in this case the hosts are the controllers on the ship instead of servers and/or other types of nodes).

It certainly isn’t unheard of for governments to work on improving security; in fact, it is quite common (as I pointed out on June 21 of 2014, the NSA is directly involved in SELinux which is – in my opinion – quite ironic). But wouldn’t it be nice if they worked on their part for the global security of the Internet and never considered exploiting others (or considered it but did not act on it)? I think the answer to that question is yes. Yet sadly that isn’t the case, is it? As I wrote about in June of this year, the US Navy already has demonstrated this fact. But even if they weren’t soliciting for exploits (0-days included), the government isn’t innocent in the matter.

I would really like to see governments behave as one would expect them to – setting a good example; an example of how they expect other nations and their own citizens to act. Is this move by the US Navy an about-face? I seriously doubt it. I would really like to be proven wrong here, I really, really would, but I doubt I ever will. Meanwhile, there are often US accusations that other nations (China is probably the most common example) are breaking into United States government and corporation systems (and networks). And you know what? Maybe some from China are doing those things. But proving that the attacks are state sponsored is another matter entirely – it is an incredibly difficult thing to do (especially when the ‘evidence’ is the IP addresses). But let’s say you (e.g. the United States) know for 100% sure for some reason. Are the countries (e.g. the United States) making these accusations completely innocent? The fact the US Navy solicited 0-day exploits earlier this year says a lot in the matter, doesn’t it? That fact makes this defence system they’re working on rather ironic; how would they feel if someone (or a nation) was devising ways to compromise it (and also sell it to others)? That would be more like cruel irony. Regardless, the countries making these claims that are doing the exact same things should worry about themselves before telling other nations off for whatever those nations might – or might not – be doing. It should be made known that China too is a victim of computer crime. In fact, China has executed people for computer crime! Yes, really, they have. I remember reading this at the time (and possibly other things at other times). The rarity of the matter and the circumstances per incident are irrelevant (and they conveniently ignore my points and the reality of the situation).

And no, I’m not in cahoots with China or the Chinese; I’m in cahoots with no one. I am, however, an individual who looks at everything with perspective (and context) kept (or attempts to), one who sees the good and the bad in everyone (or at least is aware that there is both good and bad in everyone, and even if I can’t currently see it, I know both exist in them, somewhere, no matter how hidden it might seem), as well as standing up (where and how I can) for people (or corporations) when they are unjustifiably wronged – even if I am also critical of them. A good example of this is Microsoft.

The Americans That Cry ‘Terrorist’

2015/09/21: Apparently no charges were brought in the first place. Changed the below to account for this. It is also reported that it wasn’t his teacher who was concerned but instead another teacher. But a teacher is a teacher nonetheless and discrimination is still discrimination – for an adult to do so to a 14 year old is pathetic but one I’m (and I’m sure many others) not unfamiliar with, sadly. It is humbling to see that many have jumped to the support of this kid – including a movement on Twitter by a 23 year old psychology student called Amneh Jafari. I for one appreciate this as a general thing – too many ignore discrimination and bullying, and it causes all sorts of problems down the road for everyone (that most people never think about, understand or even care enough to do anything about it).
2015/09/20: More fixes, adjustments and clarifications.
2015/09/19: Clarified some points and added a few thoughts. Additional links and several fixes.

This is a very contentious topic – and one that I have included parts of, in other areas. For instance, there is irony that governments tend to scaremonger about terror itself. What terror is is (perhaps extreme?) fear and fear is an emotion. Emotion is easy to manipulate and strong emotions (fear is a very strong and powerful emotion) more so: if you know what terrifies someone or people, it is incredibly easy to instil that fear. You don’t need to be violent to terrorise people. You can terrify someone by making them think you’re planning something horrible against them (even if the only horrible thing you’re doing is making them believe you will be doing something horrible). The fact nations take away liberty to offer ‘safety’ shows just how easy it is to manipulate human emotion (I’m looking at the United States of America here). Terrorism is simply an ideal and therefore you cannot ever defeat it; it is impossible: this has been shown again and again (even though it should be obvious without any proof) – the so-called ‘war on terror’ only adds fuel to the fire; if someone declares war on you or someone (or something) you care about, it gives them all the more reason to believe you are indeed against them, and therefore they do indeed have an enemy that they must defend themselves from. Why would you want them to think that? Maybe so you can justify interrogation through torture or some equally inhumane, unethical and immoral thing that you would bitch about if it was done (for any reason at all) by a country like, say, North Korea? Perhaps it wasn’t planned as such but that is exactly what happened anyway! Which is incredibly stupid, isn’t it, when you consider how desperation (e.g. from torture) quite obviously affects people as well as the story of Hanns Scharff of the Luftwaffe of Nazi Germany (who treated POWs with kindness and got much more intelligence from it)? 
All of what happened at Guantanamo Bay is made worse because innocents were detained and detainees weren’t necessarily charged with a crime at all! The reality is that terrorism, as the term is typically abused[1], is, has always been and always will be a state sponsored thing (whether everyone sees it or not doesn’t change the fact).

But what comes along with it, typically? Xenophobia. To be completely honest, however, a phobia is a fear and people do the craziest, most stupid things ever, when they are afraid (I’ve witnessed the same with love but not from personal experience). For instance, taking away liberties in an attempt to gain security and safety but which actually only tells ‘terrorists’ – is it a terrorist or is it a terrorist? – they won. Congratulations America, on ignoring history (Benjamin Franklin perhaps?) and the ‘Patriot Act’. And people hate the unknown. Look up xenophobia, think about it a bit more and you can see that it isn’t just a fear; it is a hate of foreigners (maybe because of fear but it still results in prejudicial hate). And because of this, it is easy to spread fear (hence it being a tactic by politicians); it comes in a variety of forms but it is always a very powerful – and incredibly easy – way to manipulate others into getting your own way. This is visible throughout the world. I just came across a very sad, very real example of this (specifically xenophobia and more specifically Islamophobia), though. A pathetic example of it.

A 14 year old was arrested in Texas for bringing his teacher a home made clock! Yes, a 14 year old brought his teacher a clock he made and was arrested! And what is his faith? The one that many associate as ‘terrorist’ and only ‘terrorist’: he is a Muslim. The fact he was released is irrelevant; he shouldn’t have been arrested in the first place – he should have been praised for his intelligence and creativity but instead of impressing the teacher (which is what should have happened) it terrified (actually, I’m not sure this is really true – I admit I could be wrong but I suspect it is more than fear) her enough to have him arrested. There is nothing but prejudice and stereotyping here, both of which come from weakness, fear and ultimately hate (and I used to have a huge amount of hate, anger and spite for the world and yet… I see this). There is no reason to be scared of a 14 year old because they made a fucking clock. If this boy was a white Christian I seriously doubt he would have been subjected to this bullshit. If he was black he probably wouldn’t have been subjected to this bullshit, either. I would imagine an atheist would also be praised instead of condemned. I would go further and say that if he wasn’t a Muslim he probably wouldn’t have had any problem at all. Maybe I’m wrong – always a possibility – but in this case I seriously doubt it. And yes, it is fucking bullshit.

And I have news for those claiming Muslims are by definition terrorists (even ignoring the definition of terror). A neighbour of mine (or they were at one point) had a large family from Saudi Arabia and Pakistan. They were Muslim. Yet they were the most kind, most open family – certainly religious family – I have ever met. Some will claim that they were good at hiding their obvious malice but they’re saying this out of ignorance and/or prejudice. We had a dog of pure bone and muscle weighing in at 110lbs (as I recall, bigger than the average American grey wolf) – a dog that was very kind and protective, but a dog you wouldn’t want to be on the wrong side of (indeed every dog that was foolish enough – sometimes more than once – to attack her was taken down the way a tank would take down a snail, including a pitbull that charged my dog and me; the same went for humans – you did not cross that dog). But here’s the thing. They were terrified of dogs in general, yet they got over their fear to enter our house. No, they weren’t hiding anything at all. And they were treated like shit after the attacks on September 11 of 2001. Besides, did it ever occur to you that the Irish Republican Army (which most would call ‘terrorists’) aren’t Muslims? There are other examples, of course. Does the Reign of Terror in the French Revolution mean anything at all?

Just because an X is Y doesn’t mean all Y is X. That is a logical fallacy and nothing else.

Shame on you Texas police, and shame on the teacher. It is incredibly sad when stereotypes do not let others see anything else – the good and the bad that everyone has (and yes we all have good and bad). This story is taking human stupidity to exponential proportions.

[1] And yes, it is abused. Terrorist this, terrorist that, terrorist here, terrorist there and terrorist everywhere! Not all violent attacks are terrorism and not all terrorism is violence. Furthermore, you lose the credibility – at least to any decent, logical person – when you cry ‘terrorist’ for so many things, much like the Boy Who Cried Wolf (ironically there is the term ‘lone wolf’ to describe what they call terrorists acting on their own rather than part of an organisation). The reality is there has never been a time when people haven’t been terrified of something (including illnesses!). Similar is that the September 11 2001 attacks were not the first plane hijackings to occur but many tend to ignore this for some reason or another. It wasn’t even close to the first. Thank you very much Wikipedia for your excellent list of this very thing (there are far more examples than I knew of which just goes to show no matter how much you know, there is so much more you do not know!).

rsyslogd: log entry pattern (non)matching ‘quirk’

There actually isn’t anything odd here but it is something that initially baffled me when I was adding a filter (to move a log pattern to another file) to a file under ‘/etc/rsyslog.d’ (clearly I shouldn’t have been at it at the time). The regex should have worked but it wasn’t working (and obviously I had already reloaded rsyslogd). So why was it not working?

The reason is this: when you’re filtering by log message, what is the message and what is the service (or program) requesting the log? More generally, what part of the log entry comes from the program/service and what part comes from the system logger? The system logger adds the service/program name (passed into the openlog function as ‘ident’) to the log file (as well as some other information like the time and date) but does that mean it is part of the log message itself? No: the message is what the program/service is logging, so when you want to match (through regex or contains) you mustn’t include the name of the program/service (the ident). This means if you’re wanting to match an entry logged by named then you shouldn’t include ‘named’ but only the actual log message itself.
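The split described above, as an added example that is not part of the original post: a simplified Python model (not rsyslog's own parser) of a traditional syslog line, showing why a pattern that includes the ident never matches when it is applied to the message alone. The log lines are constructed and the function and constant names are hypothetical.

```python
import re

# Simplified model of a traditional syslog line as it appears in a log file:
#   "<timestamp> <host> <ident>[<pid>]: <message>"
# It illustrates the ident/message split only; it is not rsyslog's parser.
# In this model the space after the colon stays part of the message.
ENTRY_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<ident>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:"
    r"(?P<msg>.*)$"
)

# Constructed sample entries (not taken from a real system).
SAMPLE_LOG = [
    "Sep 23 10:15:01 ns1 named[1234]: client 192.0.2.10#53211 "
    "(example.com): query (cache) 'example.com/A/IN' denied",
    "Sep 23 10:15:02 ns1 named[1234]: zone example.com/IN: "
    "loaded serial 2015092301",
    "Sep 23 10:15:03 ns1 sudo: admin : TTY=pts/0 ; PWD=/root ; "
    "USER=root ; COMMAND=/usr/bin/systemctl reload named",
]

# Written while looking at the log file, so it includes the ident and pid.
PATTERN_WITH_IDENT = r"named\[\d+\]: client .* denied"
# Covers only what the program itself logged.
PATTERN_MESSAGE_ONLY = r"client .* denied"


def split_entry(line):
    """Split one log line into timestamp, host, ident, pid and msg."""
    m = ENTRY_RE.match(line)
    if m is None:
        raise ValueError("not a traditional syslog line: %r" % line)
    return m.groupdict()


def matches_whole_line(line, pattern):
    """What you see when testing the regex against the log file (e.g. grep)."""
    return re.search(pattern, line) is not None


def matches_message(line, pattern):
    """What a message filter sees: the pattern is tried against msg only."""
    return re.search(pattern, split_entry(line)["msg"]) is not None


def select(lines, pattern, ident=None):
    """Return lines whose msg matches; optionally require a given ident.

    The program is checked as its own field instead of being baked into
    the message regex.
    """
    selected = []
    for line in lines:
        entry = split_entry(line)
        if ident is not None and entry["ident"] != ident:
            continue
        if re.search(pattern, entry["msg"]):
            selected.append(line)
    return selected


if __name__ == "__main__":
    first = SAMPLE_LOG[0]
    print("ident:", split_entry(first)["ident"])
    print("msg:  ", repr(split_entry(first)["msg"]))
    print("with ident, whole line:", matches_whole_line(first, PATTERN_WITH_IDENT))
    print("with ident, msg only:  ", matches_message(first, PATTERN_WITH_IDENT))
    print("message only, msg only:", matches_message(first, PATTERN_MESSAGE_ONLY))
    # Matching the word 'named' in msg finds the sudo entry, not named's own.
    print(select(SAMPLE_LOG, r"named"))
    print(select(SAMPLE_LOG, r"denied$", ident="named"))
```

The sudo entry shows the other side of the same split: a message pattern containing the word ‘named’ selects entries from other programs that mention it, so the program has to be matched as its own field.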

On a slightly related note, on a hunch, I tested whether I needed ‘contains’ after the ‘regex’ line and it seems I do not. This makes sense, of course (it is redundant) but for some reason in another post here, I included both (maybe it was in some documentation or maybe I was being thick). I’ve not yet modified that post but I might at some point (just noting it as a reminder to myself to consider looking into it another time).

The Corporate Lie of Security Being of Utmost Importance

Apparently Experian is a credit checking agency for T-Mobile customers. There is a certain amount of irony in that but I suppose that’s irrelevant to the sincerity of any apologies. It seems also that they (Experian) might be using a weak cipher (I’ve only read this – I’ve not confirmed it and I have no intention to) on their server (https). If this is the case, then it changes things – at least with Experian. Yet, still, they at least have the notice at the top of their page. There will always be mistakes but the biggest mistake is not accepting this fact; nothing is perfect in this world and those that can accept it will improve and those who cannot will not improve. It’s really that simple. There certainly were faults here (because faults are everywhere) but yet at least they still have it on their front page. That’s something that far too many corporations neglect.


I now have an example case where security really is taken seriously by a corporation that has discovered a breach. There always could be a better job but that is how everything is in this world; what matters is they are taking it seriously, they are investigating it and they are doing everything they can to make sure it is known. T-Mobile has made public that some of its customers might have been affected by a breach at a credit agency called Experian which T-Mobile uses to process (certain – not sure what exactly) information on subscribers. The credit agency has a note at the top of their main page that links to a thorough document on the breach (which I linked to directly). T-Mobile also has a note on their main website (they could probably have it above the rest of their page but the note itself seems to be sincere enough to use as an example). This is how a security breach should be addressed. It is unfortunate it happened but it is also inevitable – yet they are making the best of it (and certainly are concerned about the breach and its impact). They should be commended for their upfront, transparent approach in the matter.


I’ve thought about this for a very long time, and something inspired me to finally write about it (even though it took several days to finish it). If a corporation has a product that fails security (or any part of their network is compromised) in a critical way (or is otherwise made public), there are at least four typical responses (plus a combination) you might hear (there certainly are others). They go something like this:

  1. We fixed the flaw within hours of being made aware of it.
  2. We fixed the flaw as soon as we were made aware of it.
  3. We are almost positive that it is of limited impact and very few will be affected by the breach.
  4. We’re still investigating but we’re confident that they did not access confidential information.
  5. A combination of the above.

In all of the cases, they make the claim that the security and safety of their product(s) and customers are of utmost importance. That’s ultimately what this is about. But as for the above list:

The first is sometimes true but it often isn’t enough.

The second is such a pathetic lie (or exaggeration) that even the most gullible person would be able to determine the absence of truth (or how absurd the claim is). No, you did not fix it immediately – not unless you actually knew of the flaw (put it in deliberately?) and were waiting for someone to find it first (in which case you are completely negligent in security if the word ‘security’ is in your vocabulary at all); it is a lie and nothing else: you did not fix it immediately so stop claiming you did. To be fair, it could be that they fixed it before it was made public (because the flaw was reported to the vendor before the public) but that isn’t the same thing. Of course, this could be called semantics by some, but this claim is made often enough that I feel it is different (ironically a day or two after I started writing about this claim, I read this exact claim by some web service – I don’t know which one it was any more).

The third is snubbing those who are affected by it; they really couldn’t care less about everyone else – and you’d understand this if you actually thought about those who are affected rather than how you feel fortunate that more haven’t been affected (which means you feel less burdened than you might have been [something that is always possible]).

The fourth is utterly absurd: you’re still investigating but you’re confident the attackers did not access confidential information? Then why was the attack successful and why are you still investigating, if you’re that sure? Why is it that difficult to be honest and upfront? The reality is you’re not confident of these claims; instead you’re insincerely trying to cover up your – forgive me – major fuck up, and it actually shows how dishonest and unethical you are – you only care about your business and its reputation.

Well, here is one of the very few valuable lessons I learned in school – very few valuable lessons because when an education institution is poor, it is really, really poor. And when it fails some students (this includes neglecting those with disabilities, neglecting any of the different or abnormal – typically positively different – students and ignoring bullying), they fail so much that the student ends up having wasted years of learning very little perhaps with the exception of just how much the education system is an utter failure. And the education system, really, really failed me in every way imaginable (and they caused great harm – with impunity). Whatever. I don’t usually think about that or them – I’d rather live in the present (and I’ve always loved learning and therefore consider everything – and make use of it as – a chance to learn something new); the point is, this is valuable enough to remember and live by. The irony is it is so incredibly simple that you would think more people would understand it. The lesson is about reputation. It was something to the effect of:

A good reputation is hard to keep but a bad reputation is hard to lose.

I learned that at age five or six but it stuck with me because it is a really good piece of wisdom (something that governments and corporations woefully lack). Yet these corporations are so afraid of ruining their reputation that they will put themselves above everything else – exactly the thing that would give them a bad reputation in the first place (and remember, losing a bad reputation is extremely difficult – something that many have found out the hard way). Customer service is really important and if you’re willing to delay or manipulate the truth (if not directly lie) then you’re betraying your customers in a most disgraceful way (and you deserve the tarnished reputation). And remember, even if many customers accept the fault (and indeed some will), that doesn’t mean would-be customers will (they don’t know you except by what they hear or are told – including by those who don’t accept your dishonesty).

The reality is that almost always these corporations can’t even say they are sorry. “Sorry” by itself doesn’t cut it and neither does “We’re sorry for the inconvenience”. That isn’t a genuine apology (it is as sincere as a robot who was programmed to say the same words – and only those words [perhaps they make use of such a robot?]) and it is an insult to those who are affected by what would be understandable but is instead a dishonest, insincere attempt to make others think the responsibility doesn’t lie upon your errors. But it does lie on you whether you accept the responsibility or not. It is also an insult to your customers – and the corporations that actually do apologise properly! Many corporations also don’t have the information about the breach in a very obvious place, as it should be – on the front page of its website(s) in big letters (linking to a separate page if necessary). This happens even when it affects your customers in a bad way and that is taking your customers for granted. What are you without customers?

To make matters worse, many corporations – let’s say those making devices that are part of the Internet of Things (‘IoT’) – claim they fixed the issues even when they haven’t done anything more than (if even) a workaround for a single problem without resolving the source of the problem (it is still connected to the Internet, is it not? Does it need to be? Did you design it with security in mind?). No, Chrysler, you do not consider the safety and security of your customers above all else as you suggest here. I quote from Wired.com:

When WIRED reached out to Chrysler, a spokesperson responded that the USB drives are “read-only”—a fact that certainly wouldn’t protect users from a future spoofed USB mailing—and that the scenario of a mailed USB attack is only “speculation.”

Denial – even from ignorance – is not an excuse when you’re attempting to (supposedly) fix a problem you caused. Maybe it escaped your notice while you were busy allowing cars to remotely have their engines shut off or their brakes disabled and refusing to recall your Jeeps while they were at risk of fuel tank fires (and who knows what else), but social engineering is an incredibly efficient tactic, so much so that it is probably the first choice of many attackers (Mitnick’s speciality, isn’t it Kevin? At least you’re upfront about your lying, unlike these corporations who hide behind lies, if that is something to commend). Perhaps you also missed the potency of BadUSB? Perhaps you never knew about other external media and viruses? Did you know that through basic techniques the old boot viruses would move the master boot record to another sector – sometimes encrypting it – which meant that the virus itself knew where and how to load it from (and therefore the OS), but if someone tries to ‘fix’ the virus by writing a new (default) MBR (e.g. through the DOS command fdisk /mbr that was often suggested for removing MBR/BS viruses), they would now (essentially) have no loader for their OS (and it might be that their old sector is now encrypted with nothing to decrypt it)? No? Well I wouldn’t blame you because you’re not in the computer (including security) industry and therefore you wouldn’t be expected to work with USB – or anything like it – but that’s exactly what you decided to use to ‘fix’ the major flaws of your Jeep anyway. Yet you call the concern speculation? You actually have the boldness, the arrogance, the idiocy to call the statements – made by those who would know more than you about security – speculation?
I’m also calling your read-only claim naive ignorance but let’s say you had a brilliant idea here (and implemented it successfully, including preventing any circumventions) – the fact is it is encouraging people to use USB devices they get in the mail (not bought as a USB device itself in its original packaging – and even that has risks). It gets better though, because you also have the typical response that almost every corporation makes, as I described above (after a successful attack, of course), don’t you?

“Consumer safety and security is our highest priority,” the spokesperson added. “We are committed to improving from this experience and working with the industry and with suppliers to develop best practices to address these risks.”

Such lies Fiat Chrysler. Your best attempt for fixing a serious security vulnerability (with rather terrifying implications) of A JEEP is to make a VOLUNTARY recall, offer a fix ON YOUR WEBSITE, and to mail USB sticks? But to make it better, you then have the stupidity to state that the risks of these methods – which are once again something you are causing – stated by others who know more than you are just speculation? It isn’t speculation; it is a risk and it encourages dangerous practices (and makes the assumption that victims – yes, they are victims, victims of your irresponsible fuck ups – will know to check your website and also know how to use the fix once they have it on a USB flash drive). You’ve already proven you’re not able to make wise decisions when it comes to security (which would be understandable if you didn’t act the way you are acting – your industry is indeed very different) so why should anyone believe you now? If security is your highest priority then it is much more severe than you initially demonstrate.

Why can’t you suggest they go to a service centre where it can be done properly, by someone who should know what they’re doing (though there is the obvious question of whether they do know what they are doing, given your approach so far)? Lazy? Irresponsible? Ignorance? Because you feel it must be done the ‘IoT way’ or through something they receive in the mail (with the theory that the method of delivering the fix to the vulnerability isn’t vulnerable to anything itself – I return to this momentarily)? All of the above? No, you do not place customer safety and security at your highest priority. Stop lying Chrysler. All corporations should take your disastrous attempt at disaster recovery as an example of how not to do disaster recovery (which they’ll need in time, inevitably), though they should also improve upon it even more (disaster recovery isn’t a process that never changes and testing is always important). All corporations should also stop lying about what priority security is to them, when they clearly demonstrate otherwise (the rare exceptions aside). They should also learn to apologise correctly (and this includes being upfront about the problems so that everyone that goes to their website will see it without having to know to dig for it) and they should also think about security before – not after – designing phases. The reality is this: an IoT device isn’t fixed as long as it is on the Internet. There is not a single justified reason for a car to be connected to the Internet; some will refute this and give reasons but those reasons are wants and not necessities. The cars of yesteryear did perfectly fine not connected to the Internet and oddly enough, those cars are still doing fine (until they are totalled or parts start dying – both of which will eventually happen to Internet connected cars, too, perhaps even before non-connected cars). The cars that haven’t jumped on (or become) the bandwagon are still doing fine.
(And no, the difficulty of the attack isn’t relevant; the attack is possible and that’s all that matters.) An article I linked to earlier has an amusing point and I’m going to quote it:

And yes, you’ve no doubt spotted the irony that security researchers are able to overwrite cars’ software with their own home-grown code via the Internet – but Fiat Chrysler requires that the update is applied by someone with physical access to your vehicle.

The fact they can modify the code remotely is exactly what I described in another article: a car should only be controlled by the driver, not others outside of it (and this goes back to the point that the fix itself might potentially be vulnerable to another flaw). But Chrysler criticises the way the researchers operate when they should be looking at themselves first. I’m actually shocked that politicians (especially because it is the politicians of the United States of America) are concerned about the issue that Chrysler – and other car manufacturers – are demonstrating. That they actually could do something positive – especially when it comes to the safety of others – is nothing short of amazing and impressive, and they should be commended for it (however rare that actually is). Ironically, while Chrysler criticises the researchers in how they raise the issue – an issue that really needs to be correctly and promptly addressed – Chrysler is being criticised by many – as they should be – for their poor handling of the situation. And if it wasn’t for the researchers demonstrating it (it should be noted that the driver of the Jeep agreed to the experiment; yes, they did it on an open road but it brought much more attention to the situation and clearly that is needed) in this way, the issue would be at a standstill, much like a Jeep in a vast pool of mud (or tar pit) would be.

The worst of it here is that Fiat Chrysler (and any other car – or dangerous machinery – manufacturer that neglects the fact that cars – or other machinery – are dangerous tools, not toys, and dismisses risks as speculation or otherwise immaterial) is taking the lives of (a life is still a life, is it not?) their customers for granted, and worse still the lives of others (passengers, pedestrians, those in other vehicles) for granted (and otherwise of little concern). That you, Chrysler, don’t have a (working) moral compass, that you lack ethics and that you actually lie about this, is shameful to say the least.

How To Annoy Users

This is a general issue but one that many programmers – it seems more and more these days but maybe it is just me – have a habit of causing. It is true that it is fairly easy to annoy most people throughout their lives but I’m talking about a specific problem in services. This service might be a real life service (e.g. a utility) or even a computer program (or an Internet service of some kind). It is really simple to understand:

People assume that other people are just like themselves which means that if they implement a feature in [whatever], then all the users will want it too; why else would I put it in if it wasn’t wanted?!

Except that many of your users might think the idea is stupid, annoying, dismissive, is an invasion of privacy or simply don’t like your supposedly brilliant idea (others might like it but you can’t guarantee it). It is worse when the ‘feature’ cannot be turned off or changed in some way, but even if it can, it places the burden on the user, and that is taking the users for granted. It is free and if they want to use something else, they’re more than welcome to, you say? Well yes, you’re right: they are. And they might. But rather than making arrogant assumptions and still think you deserve nothing but the utmost respect and appreciation (after all, I’m doing it on my own time for free; they should be thankful I exist!), why don’t you instead do something to earn that respect and appreciation? Why don’t you care about your users? You know, if they were to send useless bug reports (or report the same bug multiple times), it would likely annoy you. So why not be reasonable to them, even if that means having to be the more mature one (should you feel they’re not being mature)?

But still, many programmers (and organisations) decide they know best. Not only do they know best, they know what their users want and anything to the contrary is disrespectful, unhelpful whining. Yes, they go so far as to think they know what their users WANT. Ironically, developers like this are those who know far less than other developers. In their arrogance they assume that people are just like themselves but they are mistaken (or worse, they don’t actually care what others think – this sadly is not unheard of).

This comes down to one thing: too many services are opt-out and not opt-in, and those making the decision of which way it is, are the ones that don’t know – they’re the developers, not the users and the users are those that decide in the end. True, development involves taking risks, and yes there will be some things that users won’t like. I know this well. But that is how everything works in this world – and it is something else entirely. There are problems here:

  • Many ‘features’ are hidden or subtle enough that the users don’t know about them. However, if they did know about them, they wouldn’t be impressed at all. For example, Microsoft Windows 10 and its privacy invasion in recent news (and my understanding is they pushed similar updates to Windows 7 and 8). You can’t resolve a problem if you don’t know there IS a problem. If you’re going to make it opt-out at least have the common decency and ethics to make it known to the users! This especially goes for paying customers.
  • Even when there is a way to opt-out, it isn’t always intuitive. If it is intuitive it might be to some users (because they might have experience enough to work it out, or they know how the specific program works, for two examples) but not to others. Programmers don’t want their time wasted and neither do the users. If you want respect then try earning it rather than demanding it.
  • Those that are sure they know the most about something – or indeed someone – are the ones that often know the least (especially when they are so sure of it that they refuse to accept they might not be correct). Therefore, developers that claim they know what their users need and want (more than the users themselves), are those who know the least in the matter. I’ll elaborate next.

There is a specific quote that I have listed at random on the top of this site. I just now discovered that it wasn’t the full quote (and I’ll fix it in some way or another, when I get a chance) – probably deliberately by the person who quoted it (and I don’t recall from the time – I’m sure I saw it but I don’t remember anything much about it) – which does change things (quotes are often taken out of context and that is wrong – context changes everything!; I’m pretty sure they do it exactly for that reason). What I have is this:

“There are no significant bugs in our released software that any significant number of users want fixed.” — Bill Gates, Chairman of Microsoft, Focus Magazine, 1995


Apparently the full quote is:

There are no significant bugs in our released software that any significant number of users want fixed. … I’m saying we don’t do a new version to fix bugs. We don’t. Not enough people would buy it. You can take a hundred people using Microsoft Word. Call them up and say “Would you buy a new version because of bugs?” You won’t get a single person to say they’d buy a new version because of bugs. We’d never be able to sell a release on that basis.

The latter is better than the first but it is still somewhat presumptuous. He’s probably right – many people (but keep in mind that 100 is a very small sample size for Microsoft customers, even then – although not nearly as small as it is now) wouldn’t buy a new version of software simply to fix bugs. Some might think they mean bug fixes in addition to new features, but that is up to interpretation – something that will vary. In any case – they shouldn’t have to buy a version to fix bugs; it should be part of the deal (end of life of a product is another issue entirely). What should be and what is are of course very different, but that is beside the point, which is this: there are a lot of differences between people and that is the reason mankind has as much as it has in the fields of science, medicine and technology (even if all three have much room for improvement). But just because I think a certain way doesn’t mean others think the same way. Similarly, just because I like reading, computer programming and music, doesn’t mean everyone else does: they might like some of those things but they might not. Don’t assume that your users want a specific feature, especially a feature you have running in the background with no mention of it anywhere! When in doubt, make it opt-in and not opt-out.

Users can also help: bug reports along the lines of “it crashed” or “it doesn’t work properly” are useless, frustrating and to some (hint) it is infuriating. This all comes down to communication, and even if some developers (I’ll not name anyone like GNOME or systemd developers…) disregard your views, it doesn’t mean all developers will. The more cooperation the easier it will be – for everyone.

As for why I decided to write about this: I have thought about it – opt-out is a poor way of handling something, especially if it is even slightly possible it will be controversial to some – for a long time (every so often), and I encountered something a while ago on my Fedora box (…Fedora is another subject entirely to me, of late). It occurred to me that my main system (Fedora) didn’t have logwatch installed. I don’t know why but it never did. All my other systems have had (and do have) it installed but this one didn’t. So I installed it. I had to remember how to change how to deliver the report (with logwatch you override configurations rather than configure everything) and once I sorted that, I tested it. And what do I find but a script adding a fortune to the end of the output. Some might suggest that it is absolutely ridiculous that it bothers me. They’re welcome to feel that but it won’t change the fact that I don’t want it (and I’m equally as welcome to be this way, thank you very much). Thankfully I have customised logwatch before, but even then, I had to find out where this script was. It wasn’t hard – the files under /etc/logwatch refer to the default location (so it is easy to find if you don’t know), and they break it down into configurations, scripts and services. But the fact is I had to go out of my way to find the file so that I could then add an empty one in the right place so that I don’t have the fortune added to the logwatch output. Importantly, logwatch isn’t for entertainment; it is to simplify one aspect of system administration – log analysis (as long as you have it configured for all services, of course)! As such, this isn’t something they should assume everyone would want; some might find it entertaining (e.g. because system administration can be tedious?), but announce the ability with instructions of how to enable it, rather than make anyone who doesn’t want it, to find a way to disable it (maybe they did announce it somewhere but I only have this under Fedora and whether this is a Fedora addition or not I don’t know). Or make it a sub-package/module/add-on. I suppose their theory is if fortune is installed, they must want to see fortunes of any theme even when they don’t invoke it directly (through a login script or the command line itself). But that is still an assumption and it clearly isn’t always correct; I’m sure they didn’t mean harm but the fact is not everyone will want it, and that should be kept in mind when developing software (because software is useless without users just like users are worthless without software). I’m using this as inspiration and nothing else (this is minor compared to many other opt-outs!). Nevertheless, creating an empty file ‘/etc/logwatch/scripts/services/zz-fortune’ will prevent the fortune from being generated.

70 Year Anniversary of V-J Day

Just to clarify something. Japan’s surrender was not an immediate action (perhaps this isn’t surprising but you’ll find references to different days as being the day, but it was a many day process to be completely accurate). The official signing of the surrender was September 2. August 14th was the beginning of the surrender (more conflicts occurred between these dates). The speech below took place on the 15th. If you pay attention (which this year is probably much harder to not do) to current affairs, you’ll see references to V-J Day prior to September 2 (e.g. the 15th perhaps because the nation was addressed) but in the end, this was not an overnight event – it is – and always has been – a complicated war.


(Note: This most likely – I’m quite certain this is the case – includes some structural and/or disorganised flow of thoughts and as a result it might be harder to follow. I would delay this for another day but the day itself is significant enough to not consider this, at least for me.)

Earlier this year (May 2) I wrote about the end of the Battle of Berlin (and its surrender) which was shortly (May 8) followed by the surrender of Nazi Germany, resulting in V-E Day. I intended to write something about V-E Day but I never got around to it – which is unfortunate because I think there is a lot I could have written about. I also intended to write about ‘Little Boy’ (the name of the atomic bomb dropped over Hiroshima on August 6, 1945) and ‘Fat Man’ (the name of the bomb dropped three days after Little Boy, over Nagasaki). But I felt a loss of words for the bombings that – along with the Soviet Union declaring war on Japan – ultimately led Emperor Shōwa (more commonly known as Hirohito) of Japan to order an immediate surrender of Japan (a coup that followed was foiled). Perhaps silence is the best way: the utter devastation and suffering these bombs inflicted upon Japan – and the world – is hard to fathom to this day. I think Emperor Hirohito’s speech holds significant value to this day, and even eternally:

To our good and loyal subjects:

After pondering deeply the general trends of the world and the actual conditions obtaining in our Empire today, we have decided to effect a settlement of the present situation by resorting to an extraordinary measure.

We have ordered our Government to communicate to the Governments of the United States, Great Britain, China, and the Soviet Union that our Empire accepts the provisions of their joint declaration.

To strive for the common prosperity and happiness of all nations as well as the security and well-being of our subjects is the solemn obligation that has been handed down by our Imperial Ancestors, and we lay it close to the heart.

Indeed, we declared war on America and Britain out of our sincere desire to ensure Japan’s self-preservation and the stabilisation of East Asia, it being far from our thought either to infringe upon the sovereignty of other nations or to embark upon territorial aggrandisement.

But now the war has lasted for nearly four years. Despite the best that has been done by everyone – the gallant fighting of the military and naval forces, the diligence and assiduity of our servants of the state and the devoted service of our 100 million people – the war situation has developed not necessarily to Japan’s advantage, while the general trends of the world have all turned against her interest.

Moreover, the enemy has begun to employ a new and most cruel bomb, the power of which to do damage is, indeed, incalculable, taking the toll of many innocent lives. Should we continue to fight, it would not only result in an ultimate collapse and obliteration of the Japanese nation, but also it would lead to the total extinction of human civilisation.

Such being the case, how are we to save the millions of our subjects, or to atone ourselves before the hallowed spirits of our Imperial Ancestors? This is the reason why we have ordered the acceptance of the provisions of the joint declaration of the powers. We cannot but express the deepest sense of regret to our allied nations of East Asia, who have consistently cooperated with the Empire toward the emancipation of East Asia.

The thought of those officers and men as well as others who have fallen in the fields of battle, those who died at their posts of duty, and those who met with death and all their bereaved families, pains our heart night and day.

The welfare of the wounded and the war sufferers, and of those who have lost their homes and livelihood is the object of our profound solicitude. The hardships and suffering to which our nation is to be subjected hereafter will be certainly great.

We are keenly aware of the inmost feelings of all you, our subjects. However, it is according to the dictates of time and fate that we have resolved to pave the way for a grand peace for all the generations to come by enduring the unendurable and suffering what is insufferable. Having been able to save and maintain the structure of the Imperial State, we are always with you, our good and loyal subjects, relying upon your sincerity and integrity.

Beware most strictly of any outbursts of emotion that may engender needless complications, and of any fraternal contention and strife that may create confusion, lead you astray and cause you to lose the confidence of the world.

Let the entire nation continue as one family from generation to generation, ever firm in its faith in the imperishableness of its divine land, and mindful of its heavy burden of responsibilities, and the long road before it. Unite your total strength to be devoted to the construction for the future. Cultivate the ways of rectitude, nobility of spirit, and work with resolution so that you may enhance the innate glory of the Imperial State and keep pace with the progress of the world.

All you, our subjects, we command you to act in accordance with our wishes.

There is criticism – both legitimate and illegitimate – on all sides, and the Emperor – perhaps more so after his death – receives criticism to this day. But the fact is Japan did not want to surrender (which I will discuss below), but they did. He took responsibility for the situation and if only everyone would heed his warning about nuclear weapons. Nuclear warfare exemplifies some of the worst of mankind (and this includes the only known uses of it in wartime) and it does so extremely well. His warning is 100% accurate. Of course, the atom was split and once done there is no going back. The Cold War worsened this with its nuclear arms race. But it also brought some good: the predecessor to the Internet – the ARPANET – which was meant to be a network that could withstand a nuclear attack (which means that if a host is down, it won’t receive or send data, but other hosts will still be able to communicate with each other); and it brought the good out in some people – for instance, it motivated a woman called Lynne Cox to risk a dangerous swim across the Bering Strait between the United States and the Soviet Union in an attempt to bring friendship instead of conflict. At this time, we are in another cold war, even if it isn’t recognised as such. While a cold war is better than a real war, a conflict is a conflict, and there comes a point where any significant outbreak of war will become a third world war, and that will likely be an apocalypse. Yet despite this, there are politicians in some countries that have no problem with war, and I dare say they even want war. That is a sign of extreme weakness and is the exact opposite of what a real leader should strive for – peace.

Japan didn’t want to surrender but neither did any other country (and there is the story of a soldier – Hirō Onoda – who thought for 29 years following the war’s end, that it was still going on; it is a fascinating story for those interested in the war, and it really shows just how much they wanted to win and could not lose). I personally feel that not giving up is a positive, productive and noble thing. There are no victors in war (which is ironic when you consider what the V stands for in V-E Day and V-J Day) but this goes beyond war; those who give up might never have what they could have, they might never accomplish great things (that they could otherwise accomplish), and they might be at a great loss. Winston Churchill himself stated that [we] will never, ever surrender. But imagine if the Allies had surrendered – the world would be very different. Imagine, also, if the Axis Powers surrendered earlier – the world would be different in another way entirely. But imagine still if Germany didn’t invade Poland on September 1, 1939 (or for that matter, take over and annex other countries prior to this).  How different would the world be today?

Despite these thoughts, too much blame is placed upon nations for their past. Punishing Germany at the end of World War 1 was an incredibly stupid decision and some recognised it then (basic logic explains why and how it was so stupid). Yet to this day some think that Germany is responsible for great harm in this world; I say that those punishing Germany at the end of World War 1 are equally responsible for harm. But that should not be the focus; consider this instead: the actions of Germany (and many other countries) might have caused great harm, but the world should learn from the past and not dwell on it.

70 years ago marked the end of a very dark chapter of mankind but the many lessons are still not taken to heart and that is equally as dark – if not darker – than the war itself. We should not only remember the impact of the war – we should also remember why it happened and what could have been done differently, to prevent it. Lastly, attention should be shifted to the present. If this is not done – and I’m afraid that history shows it isn’t – mankind is doomed to ultimately destroy itself (it already destroys the treasures of the world and that includes wildlife that has become endangered if not already extinct).

Windows 10: An example of DOA (Disaster of Automation)

I have to admit, when Microsoft first announced that Windows 10 would be the final release of Windows, I raised an eyebrow. Then, because Windows 10 was offered for free (as an upgrade for the first .. month?), I was more suspicious: if it is free, are they simply baiting the customer to upgrade, hoping to make a profit by some contract (literally or figuratively) of some kind (pay for some sort of subscription or otherwise future software or updates)? After all, some corporations (maybe even Microsoft?) have subscriptions for technical support and software, so how else could this work? I truthfully do not know but given that they are a for profit, there has to be something at play. But there is more to the story of Windows 10. When I first found out that Windows 10 Home edition would automatically be updated, I shuddered.

The fact remains that humans are not perfect, programmers are humans, therefore programmers are not perfect. If you remember, Microsoft at one point pushed out an update that was required in order to receive further updates (therefore encouraging customers to update), only for that update to prevent updates working (off hand I don’t have the information but it definitely happened and there are articles about it). That is scary when it is manual updates but it is even scarier when it is automatic. Yet, even without that mess, automatic updates are what will lead to what conveniently shares the abbreviation of Dead on Arrival (DOA, which is often used to refer to computer hardware – probably other things too – that failed quality control and therefore is ‘dead on arrival’[1]): Disaster of Automation. There are several things to consider.

Firstly, even an experienced system administrator can apply a patch (in binary distributions it would be an update to the package but the end result is the same), only to find out what was updated no longer works. I know in the past I have updated BIND (Berkeley Internet Name Domain) – which is a critical component given that it includes named (name daemon) and therefore is a DNS server – only to find it failing to start or having warnings upon restart (i.e. the postinstall script reloads the configuration file or restarts the service). What happened is as simple as ownership of files being changed. The administrator (a friend) of my slave DNS servers (second, third, fourth) has in the past had this exact same problem on his servers, and DNS failures can cause many problems.

But even if it didn’t cause problems, consider this: the update failed for some reason or another. What happens if it was automated and you’re not at the system? I won’t even get into the problem that Windows installer is brain dead enough that you have to reboot for almost everything (or last I knew it is and I can’t imagine it is different now). Hopefully it only updates and waits for you to reboot manually.

The astute reader would point out that I’ve not given any examples so far (and Windows 10 is quite new, which makes what I’m about to show, even worse) of updates going afoul with Windows 10. For that matter, I’ve not pointed out Windows 10 problems at all (besides being created by Microsoft, that is). Well here goes.

Since Windows Update also now considers drivers not optional, and since Windows 10 automatically installs updates, and since an Nvidia GPU driver has a bug (or bugs, maybe), people are having all sorts of problems as described on their forum. Problems like flickering (which is not at all good for eyes!) and even multi-head (more than one monitor) not working correctly (if at all).

Then there is ‘Windows Update Delivery Optimization’. What does it do? It theoretically allows you to not have to download updates from a remote (out of your network) server more than once. So for instance, you can update all your Windows 10 systems without having to download the updates more than once. Well, that is excellent that Windows has a concept similar to local repositories. Unfortunately, though, their method is presumptuous, arrogant and irresponsible. Here is what their FAQ says:

Download updates and apps from other PCs

In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from:

PCs on your local network. […]

PCs on your local network and PCs on the Internet. […]

You would like to believe they have a good design here. But the very fact they have on the Internet is disconcerting. From what hosts? My understanding is they now have update verification. But that should always have been in place. If they already have it, why bring it up (aside from maybe reminding people of it)? If they don’t, why the hell didn’t they have update verification?! I’ll return to this in a moment. The problem is worse, however:

Send updates and apps to other PCs

When Delivery Optimization is turned on, your PC sends parts of apps or updates that you’ve downloaded using Delivery Optimization to other PCs on your local network, or on the Internet, depending on your settings.

How is my PC used to send apps and updates to other PCs?

Delivery Optimization downloads the same updates and apps that you get through Windows Update and the Windows Store. Delivery Optimization creates a local cache, and stores files that it has downloaded in that cache for a short period of time. Depending on your settings, Windows then send parts of those files to other PCs on your local network or PCs on the Internet that are downloading the same files.

It would be one thing if it defaulted to off as it should be. Opt-out means you have to know it is enabled and it is poor design to assume the user knows everything about the system (or can remember what they know, even). Yet so many corporations (Google and Facebook to name two others with delusions of grandeur) are arrogant enough to make things opt-out instead of opt-in. But in this case, it is worse still! Not only is it defaulted on, it defaults to share updates to the Internet!:

Delivery Optimization is turned on by default for all editions of Windows 10, with the following differences:

  • Windows 10 Enterprise and Windows 10 Education: The PCs on your local network option is turned on by default.

  • All other editions of Windows 10: The PCs on your local network and PCs on the Internet option is turned on by default.

Yes, great idea, Microsoft. I’m sure your grandeur justifies it all, but did it ever occur to you that most homes don’t have high upstream rates? Did it ever occur to you that they might be capped or even throttled? Did it ever occur to you, in your complete brilliance, that when [you] download content from another host, the other host is uploading to [you]? Did it ever cross your mind that many homes have asymmetric connections (and fairly slow upstream specifically), and even if they didn’t, not pushing upstream to its limit is important for – irony! – optimising connections? Even more important, did you ever consider that not everyone will want this enabled and fewer still would want it being uploaded to the Internet (or downloading from servers other than Microsoft repositories)? As a vendor you shouldn’t burden the customer any more than is necessary, and clearly this idea is not necessary.

Going back to update verification. Microsoft insists the following:

Delivery Optimization can’t be used to download or send personal content.

Yet this claim has been made before and it has fallen down due to a variety of reasons. I really, really, really cannot wait for this to be abused; some of my demons actually want it to happen sooner than later. It isn’t a matter of will it be but instead when will it be. I’m eagerly waiting.
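Why the source of a piece stops mattering once every piece is checked against hashes published by the vendor, shown as an added example (not from the original post, and not Microsoft’s implementation). The manifest format, piece size, source names and functions are assumptions for illustration, and the manifest itself is assumed to arrive over the vendor’s own authenticated channel.

```python
import hashlib
import hmac

PIECE_SIZE = 16  # deliberately tiny so the constructed sample spans several pieces


def build_manifest(data, piece_size=PIECE_SIZE):
    """Vendor side: ordered SHA-256 digests, one per piece of the update."""
    return [
        hashlib.sha256(data[i:i + piece_size]).hexdigest()
        for i in range(0, len(data), piece_size)
    ]


def assemble(manifest, sources):
    """Client side: rebuild the update from untrusted sources.

    `sources` is an ordered list of (name, fetch) pairs; fetch(index) returns
    the piece bytes, or None if that source does not hold the piece.
    Returns (data, rejected), where rejected lists (index, source_name) for
    every piece that was offered but failed verification.
    """
    data = bytearray()
    rejected = []
    for index, expected in enumerate(manifest):
        for name, fetch in sources:
            piece = fetch(index)
            if piece is None:
                continue  # this source simply does not have the piece
            digest = hashlib.sha256(piece).hexdigest()
            if hmac.compare_digest(digest, expected):
                data += piece
                break
            rejected.append((index, name))  # wrong bytes: discard, try next source
        else:
            raise ValueError("piece %d: no source supplied valid data" % index)
    return bytes(data), rejected


# --- constructed sample data and sources (hypothetical, for illustration) ---
UPDATE = b"constructed update payload, not a real package " * 2
_PIECES = [UPDATE[i:i + PIECE_SIZE] for i in range(0, len(UPDATE), PIECE_SIZE)]


def origin(index):
    """The vendor's own server: always has the correct piece."""
    return _PIECES[index]


def lan_peer(index):
    """A peer on the local network that has cached only the first three pieces."""
    return _PIECES[index] if index < 3 else None


def internet_peer(index):
    """A peer on the Internet that serves altered bytes for piece 1."""
    piece = _PIECES[index]
    if index == 1:
        return bytes([piece[0] ^ 0xFF]) + piece[1:]
    return piece


SOURCES = [
    ("internet-peer", internet_peer),
    ("lan-peer", lan_peer),
    ("origin", origin),
]

if __name__ == "__main__":
    manifest = build_manifest(UPDATE)
    data, rejected = assemble(manifest, SOURCES)
    print("intact:", data == UPDATE, "rejected:", rejected)
```

Verification of this kind protects the integrity of what is installed; it does nothing about the upstream bandwidth a machine spends serving pieces to others.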

Finally, I have one more update issue to share. The one where Windows 10 update KB3081424 (which includes security fixes) is causing some computers to enter a reboot loop. Indeed, this really is a disaster of automation and it is a fatal design flaw, courtesy of Microsoft.

[1] Sometimes the product is fine but the user (‘builder’) makes a mistake (e.g. there is a short that prevents the core components of the computer from booting) and assumes it is the product rather than a mistake on their part. But there are times when it truly fails to .. well, deliver what it should.

HOWTO: Flood-fill transparency in GIMP

(Aside: This might work on other platforms too – I assume it does, even – but I only use Linux so I’m including it under Linux software. I intend to at some point have this – as well as other tips – as a simple document but for now it is only here.)

Problem: You want to flood fill an area of an image in GIMP to be transparent.
The solution is what appears to be an undocumented feature. First, make sure there is an alpha channel; to make one click Layer -> Transparency -> Add alpha channel (if you know the image already has an alpha channel you can skip that step). Next, select the bucket fill option. Then, configure the bucket fill mode to be ‘Colour erase’ (if you have American English it probably is ‘Color erase’). Then make sure that transparency is at 100%. Finally, execute the flood fill (called bucket fill in GIMP). By erasing the colour you’re making the area of the image transparent.

The Dangerous Twin of Bring Your Own Demon: The Internet of Things and ‘Smart’ Technology

Earlier today I was made aware that another exploit for another car allows remote controlling of a car, including halting the car (brakes) and even disabling the brakes! All it takes is sending a specially crafted SMS message. The device is called Metromile Pulse OBD-II. This is what Metromile’s advisory says:

At Metromile we take the security of our products and services very seriously.

The typical statement that nearly every organisation says after a successful exploit is found (or attack is executed). It is as dull as ever and it is a half truth if not an outright lie.

Recently, it was revealed to us that MDI, who makes our OBD-II dongle, the Metromile Pulse device, has a vulnerability that can remotely takeover these devices. We took immediate action and released updates to all devices in the field to resolve the discovered remote exploits and can confirm that most of the devices have successfully downloaded and applied the patch and we expect the remainder of devices to be patched by mid-August.

Immediate action that you shouldn’t have had to take in the first place because an SMS message shouldn’t be able to control a car – the driver should! Too little too late. The fact not all devices are patched when it endangers the lives of others is worse (and despite the fact it would take time, it still isn’t immediate action).

Connected telematics devices such as the Pulse are powerful because they have the potential to make many aspects of driving and owning a car simpler, less expensive, and more convenient. We ask that customers who are concerned about the security of Metromile systems contact us at security@metromile.com.

So the device is powerful because it has the potential to make many aspects of driving and owning a car simpler, less expensive, and more convenient, does it? Funny definition of convenient, isn’t it, seeing as how now the owners have to worry about a serious blunder you made. Perhaps you weren’t aware, but security conflicts with convenience. Yet you take security seriously, do you? Cars are heavy machinery that, while useful (to get where you need to), are deadly even under the best drivers in the best conditions. Driving a car requires discipline. There is a reason for driving licenses, there is a reason you need to maintain the car’s safety (how much so varies by country), there is a reason for all these hurdles, and there is a reason you shouldn’t be driving under the influence! The reason is it isn’t a toy and it isn’t a game where you can start over! The fact a car can be manipulated through an SMS by an external party is irresponsible and it completely disregards the safety of people. To all those creating devices for the IoT, wake the hell up before you kill more people (which means they will never wake up again)!


Clarified (and added a link to) another vulnerable thing (as part of the Internet of Things) and added a few thoughts.

If a car is meant to be controlled by the driver in the car, how the hell is it being vulnerable to outside manipulation considered ‘smart’?

On February 17, 2012 I wrote a piece on the concept called Bring Your Own Device which I renamed Bring Your Own Demon, and just how stupid and dangerous it is. I’ve also written about so-called smart technology and how dangerous (and stupid) it is. I’m bringing up one because it is somewhat relevant to something I will bring up today (in that this has to do with the so-called smart technology). On September 3, 2013 I wrote a piece entitled ‘Smart’ Technology Is Still Dumb. In that piece, I highlighted an incredibly dangerous situation that would arise because of emergencies, be it medical, fire, or any other occasion where the rules of traffic must be broken by specific people (fire fighters, police officers, paramedics, etc.) in order to help the situation (which might include preventing the loss of life, loss of a home, or restoring peace). This warning still holds strong; the dangers still exist and they cannot ever be solved with automation: emergencies are unpredictable, unpredictable in every way. You cannot know when an emergency will occur and you cannot know what it will take to resolve it in the safest and quickest way possible! One seemingly minor variable can change things drastically! This is inherent to emergencies.

But then there is the Internet of Things (commonly IoT). Instead of bringing your own demon, you have many demons all around you. This includes medical equipment in a hospital and that is one of the things I will refer to today. First a brief understanding: the IoT is the idea that everything should be connected to the Internet in some way or another. This includes refrigerators, thermostats, cars, medical pumps, sniper rifles and even skateboards. I’m going to aim (and fire) at three of them now.

The Hospira LifeCare PCA Infusion System has serious flaws. The most recent is one that boggles my mind, boggles it because the flaw is so negligent, so amateurish, and has been that way for eternity. A remote attacker could log in as root through TELNET without authentication! That is a very serious flaw and it is an utter disgrace for anything to be this way, but especially when it is medical equipment. But that isn’t the only problem. There are many other problems. Apparently this researcher also knows of the TELNET flaw and, from a brief skimming of that page, it seems it might be more than one of the pumps (which is even worse). Disgraceful neglect is about as nice as it can be worded.

Then there is a skateboard that can be compromised. Yes, because a skateboard needs Internet connectivity, right? If you ask many, though, it seems they do truly believe this. Even if it isn’t a need (which realistically it is not) in their mind but instead a want, it shouldn’t take much intelligence (which might be part of the problem here?) to figure out it shouldn’t be connected to the Internet or for that matter, it shouldn’t have a computer at all. But at least one does exist. Quote from the researcher describing the problem:

Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.

So unencrypted, no authentication, and remote connection for a skateboard. Utter stupidity is putting it nicely.

Let’s now go to a sniper rifle. Yes, that is right: a sniper rifle as part of the IoT. This is from an interview given to Wired (I haven’t listened to it, I only have a quote).

The only alert a shooter might have to that hack would be a sudden jump in the scope’s view as it shifts position. But that change in view is almost indistinguishable from jostling the rifle. “Depending on how good a shooter you are, you might chalk that up to ‘I bumped it,’” says Sandvik.

As I’ve noted many times (with many more to follow, I’m sure), I strongly detest the misappropriation of the words ‘hack’ and ‘hacker’ but I can’t change that because of the influence the governments and the media have (a shocking amount of power, and it is quite scary) and this is a decades-old problem. A problem that will never be resolved because the word is forever poisoned to have negative implications over positive. Which is a bloody shame, ungrateful and a damn disgrace, given what hackers have given society: without them we wouldn’t have the Internet and many other things we have today (and critically, the security problems would be worse by a lot). It used to be a good thing but now it is a bad thing, at least in the perception many (if not most) people have [of hackers]. To add salt to the wound, governments couldn’t help but become hypocritical about yet another thing (there is never enough of this in their view, see?): poison the word and then do exactly what they poisoned all the while whining about others doing it (and arresting them for ‘breaking the law’). But to get away from a most touchy subject, if you look at their description, you can see the problem here. Except that there is a more serious problem. Apparently the device has a remote root hole, and that means escalating to root (in this case it means adding an equally powerful user). Yes, that means whatever the interface allows, they have complete control. Why anyone wants a sniper rifle to have embedded Linux is beyond me. But they make it worse because then it is connected (through Wi-Fi). Then to make it worse still, they are so irresponsible that they feel they have no need to pay attention to security whatsoever. Thankfully pulling the trigger is still a manual thing. I really hope that stays that way forever.

Unfortunately, there are many more devices that have been compromised (or found holes that would lead to it), including researchers who remotely halted a Jeep going 70mph on a highway (or maybe more like a freeway, the US version of Germany’s Autobahn – which for those who like trivia, is in fact one of Adolf Hitler’s visions). But that’s only in recent weeks. This isn’t a new problem and it won’t get better because more and more companies are creating what they call smart devices (also known as things) that just have to be connected to the Internet (hence Internet of Things). Yet people still think the IoT is a good idea (they say I’m batshit crazy but to think that some actually feel the need to have home appliances connected to the Internet …), and people actually believe these are smart devices (with the equally brilliant concept of them being connected to the Internet). If a car is meant to be controlled by the driver in the car, how the hell is it being vulnerable to outside manipulation considered smart? No, no, the above (and there are more examples and many more will follow) is a great example of human stupidity, something that this world is in excess of (the definition of Homo sapiens perfectly demonstrates this given that the most foolish people of all are those that claim high intelligence and don’t challenge that claim whatsoever, whereas the most intelligent will challenge what they know and have an insatiable appetite for learning and improvement, knowing that they can be a lot smarter than they are).

Yet despite this, self-driving cars have not yet become the norm, but when they do there will be problems. There are certainly other things in this world that are equally as dangerous but self-driving cars are high up there on the list of dangers. I’ve warned about this before and I’ve also warned about automation in general (the less you concern yourself with thinking, the less capable you are of thinking when required or even desired) and I later (in admittedly an arrogant manner) wrote about my warning being real when a pilot relied on semi-automation, ending the lives of two passengers (teenagers!). The pilot made multiple errors but the biggest error was assuming the plane would fix it for him. You’d like to believe a pilot would not be so negligent and stupid but instead to actually take care of problems he caused. But no. He couldn’t acknowledge this fact and two teenage girls died because of it. He might not be legally responsible but it is still his fault and he should forever feel badly about it (that is punishment enough and perhaps will remind him to be cautious about being too reliant on technology). But if semi-automation fails to account for emergencies, what makes any semi-sane person think full automation will work any better? If an emergency happens in a fully automated car, what will happen? Emergencies cannot be predicted and therefore there is no way to account for all outcomes (or solutions)! And if it can’t fix itself, how will it account for problems unrelated to itself (e.g. an ambulance on its way to the hospital)? It won’t, and this will only get worse. There are some things that require manual work in this world and operating heavy machinery is one of those things; cars are not toys – they are tools that are highly convenient but they are dangerous nonetheless.

The fact so many people are so glued to their bloody phones (and obsessed with social media and texting) that they walk into people, walls, walk off piers (as I linked to in another post here, which it seems was not an isolated incident) says a lot. The fact Antwerp, Belgium, has, for the time being, introduced text walking lanes (so they don’t walk into sane people), says just how bad the problem is. The link there suggests that there are more mobile phones in this world than there are people; I find it hard to fathom but I’m not surprised either: nothing surprises me in this world because this is how the world works – it is evolution at play (if you go back centuries very few would believe you if you claimed to them that one day there would be jets in the air, travelling from one place to another; they would probably think you’re mental, too).

Quick tip: logrotate yearly, log timestamping and logwatch confusions

Yesterday I noticed something odd in the logwatch report. It reported that many packages were installed and many others updated. It appeared to be a distribution major version update, actually. I wasn’t sure if I was reading it right (because of exhaustion), going so far as to think I was imagining it (or somehow a major version was now available) but I was reading it right (that I pondered the alternatives is another matter entirely, I admit). One concern is: was there foul play here? I wasn’t particularly concerned because it is highly unlikely (because of ingress and egress filtering on ssh) that there was unauthorised shell access but it would have been very foolish to not check (everyone can be bested and security is a constantly mutating thing). Looking at the tail of /var/log/yum.log I saw that there were no changes of the sort. Looking at the log entries, though, I remembered that syslog doesn’t have year as part of the output. I did wonder about this but I didn’t think beyond it. Until today.

I noticed that today too there were some supposedly installed updates. Looking at the log file again, the cause of the problem came to me at once: I have /var/log/yum.log rotate on a yearly basis but with the additional restriction of a minimum size (which was far too high for this) before it rotates the log. Going back to last year, I see that indeed the packages referred to yesterday and today, were in fact installed and updated. This makes sense because of how the log is written (no year) and therefore logwatch disregards the year.

In my case, I removed the minimum size and forced (just because I wouldn’t trust myself to remember if minimum size was in addition to the rotation cycle or not, even if I was sure of how it worked – the above demonstrates why) rotation:

# /usr/sbin/logrotate -f /etc/logrotate.conf

Problem solved (if you feel the need to confirm then check that the log file has indeed rotated or, equally valid, run logwatch manually and inspect the report).
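
The confusion described above can also be checked for directly. The following is an added example, not part of the original post: it walks a yearless log, infers each entry's year from backward jumps in the timestamps, and lists the entries a year-blind report would attribute to a given date. The function names, the sample lines and the report date are constructed for illustration; it assumes the newest line was written in the current year.

```python
import datetime as dt
import re

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# "Mon DD HH:MM:SS message": the yearless prefix used by yum.log and classic syslog.
LINE_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")

# Constructed sample: a yum.log that was never rotated at the turn of the year.
SAMPLE = """\
Jul 28 09:14:02 Installed: kernel-0.0.1-1.example.x86_64
Jul 29 10:01:44 Updated: openssl-0.0.1-1.example.x86_64
Nov 03 08:30:10 Updated: bash-0.0.1-1.example.x86_64
Feb 11 12:00:00 Updated: glibc-0.0.1-1.example.x86_64
Jul 28 07:45:31 Updated: curl-0.0.1-1.example.x86_64
"""


def parse(lines):
    """Return (month, day, clock, message) tuples; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m and m.group(1) in MONTHS:
            entries.append((MONTHS[m.group(1)], int(m.group(2)), m.group(3), m.group(4)))
    return entries


def assign_years(lines, newest_year):
    """Reconstruct the year of every entry in an append-only yearless log.

    Assumes the last line was written in newest_year and that the log never
    went a full year without an entry (such a gap leaves no backward jump).
    """
    entries = parse(lines)
    # A timestamp that sorts before its predecessor means the calendar rolled over.
    wraps = {i for i in range(1, len(entries)) if entries[i][:3] < entries[i - 1][:3]}
    year = newest_year - len(wraps)
    dated = []
    for i, entry in enumerate(entries):
        if i in wraps:
            year += 1
        dated.append((year,) + entry)
    return dated


def misattributed(dated, report_date):
    """Entries whose month and day match report_date but whose year does not.

    These are the lines a matcher that ignores the year would report as
    having happened on report_date.
    """
    return [e for e in dated
            if (e[1], e[2]) == (report_date.month, report_date.day)
            and e[0] != report_date.year]


if __name__ == "__main__":
    report_date = dt.date(2015, 7, 28)  # constructed "today"
    dated = assign_years(SAMPLE.splitlines(), report_date.year)
    for year, mon, day, clock, msg in misattributed(dated, report_date):
        print(f"stale ({year}-{mon:02d}-{day:02d} {clock}): {msg}")
```

Any line it prints is an old entry that shares a month and day with the report date, which is the same situation that made last year's installs show up in the report.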

Nostalgia and Perspective: Arcades, Books and Record Stores

I’m not one to dwell on the past; I don’t find it healthy at all. It is a powerful coping mechanism for me. I can generally control my thoughts, in that I can empty my mind of all thoughts, at will, and I can focus on something specific, if necessary (the latter is perhaps somewhat fraught with peril because I’m unfortunately most familiar with negative thoughts and emotions). I can’t generally filter out other distractions but I can filter thoughts. But while I don’t dwell on the past, it doesn’t mean I don’t miss certain things. I’m just writing about some things I miss from the past, because one of those things is on my mind, and I have nothing else better to do. Some friends miss these things, too, as do people I don’t know, but this is – like always – first and foremost for me.

I’ll go in the order of the title, but I’ll also throw in some other things.

Video Games and the Arcades

I’ll not get in to my favourite type of game of all time (text adventures) because these still exist and arcades don’t (and I have no idea what happened to some of the old video game consoles I had).

The first video game console I played was the Atari 2600. I have many fond memories of the console and its games from Breakout to River Raid, to Outlaw to Adventure, and everything in between (Donkey Kong, Pac-man, Space Invaders, Frogger? Hell yes!). Next I went to the Nintendo Entertainment System, where perhaps my favourite game there would be Ninja Gaiden. That game is a true classic; it was the first game to introduce cinematic cut-scenes to progress the story. I loved the music of the game and I found it a lot of fun. Many seem to think the old games were hard but I never thought that; sure, there were some games that were harder (Ninja Gaiden wasn’t hard for me except the very end, right outside of the final boss The Jacquio; Ninja Gaiden II I beat and Ninja Gaiden III I won’t even discuss) than others, but I beat almost every game I played, repeatedly. Indeed, I knew some games better than the back of my hand (including the puzzles, mazes or whatever they might be). I spent many hours playing video games (more than the two consoles listed) at home, over the years (the last console I owned was the Sony Playstation 1), and also at what is mostly an artefact from the past: the arcades. I spent hours and hours at the arcades, and I have nothing but fond memories of the games I played, among them: Mario Brothers (note: what is on the gaming consoles is Super Mario Brothers; Mario Brothers was an arcade game!), Street Fighter, Teenage Mutant Ninja Turtles: The Arcade Game, Mortal Kombat (all of them), Pac-man, and perhaps especially pinball (and its Sonic the Hedgehog spinoff Sonic Spinball, although that was for the Sega Genesis/Mega Drive). There were many more I thoroughly enjoyed, far too many to mention (let alone remember). But I’ve not played a single arcade game in years. I miss that a lot.
Nowadays games are connected to the Internet somehow (which I have no problem with, in fact, multi-user dungeons, aka MUDs – predecessors to the MMORPGs of today – are very much a part of me to this day) and otherwise are far superior in graphics (yet I’ve always felt that with all the hardware advances, the effects are far less impressive exactly because the hardware is so advanced; there aren’t nearly as many limitations to the hardware, and some games had rather decent graphics when you consider 8-bit versus what they have nowadays).

Book and Record Stores

This is what inspired me to write this, actually. This past week I went to a real bookshop, something I hadn’t been in in far too long. It was wonderful. I always loved (even when I buy online I do, but it is different at a bookshop, at least for me and those with whom I have talked about this) the smell of the books, the feel of the cover, the binding, the pages, everything about bookshops. You could sit down and read a book (or part of), you could browse different types of books (and genres) whether fiction, non-fiction (whether textbook or something else), and lose track of time (the same was true for record stores except there you might listen to some of the music and you would be browsing records, tapes and eventually CDs; I’ll return to this later). But mostly they are gone today. However, I want to point something out. Something I’ve long believed and now I have proof. See, many people (including employees and owners of book and record stores) believe that the world wide web (or as they would erroneously call it, ‘the Internet’) is the reason these stores have either gone out of business or have had to change their business model (or otherwise have drastically reduced profit). There is just one little problem with that theory. Amazon.com sells books for cheaper, even if you combine shipping costs. Meanwhile, when you buy in person, you don’t have shipping costs (which means you have less to spend). For instance, I finally got around to buying The Silmarillion (of course by J.R.R. Tolkien). I buy hardcover where possible and it was possible for The Silmarillion, too. I spent 40 USD. However, earlier today I saw it at Amazon for 22.66 USD. That is a 43% difference! So here it is: if bookshops would actually change their pricing, they would be able to more easily compete (granted some don’t have the memories of going to an actual shop, but those who do, I know many miss them). Do I mind that I spent 43% more? No. But that is because it was an enjoyable day and I miss the older days here. Otherwise, yes, yes I would mind it.

As for other things, there is the fact you don’t see records and tapes as much (I’m ignoring the revival of the vinyl scene because I’ve always thought records were better, more real and more collectible, than tapes and CDs, although nowadays tapes are far more collectible than CDs, DVDs and Audio DVDs; I’m deliberately ignoring Blu-ray and other HD video and sound – I can’t see or hear the differences, anyway). There are many things I do miss. I have really old computer parts that I used years ago but I can’t throw out. The things that we had of yesteryear would surprise the youth of today. If they had any idea of how small hard drives were (in capacity) and how expensive they were (in comparison to what they are today, and considering the capacity differences), they would probably be floored. I still to this day have a hard drive less than 1GB. In this case it is at the ~540MB barrier (which some will remember as that was as high as they could get it due to limitations that at the time they could not overcome). I also have a HDD that is ~2.5GB. I probably have other drives that are (guessing here) 20GB, 80GB, 120 or 200GB.

There is something else, here, though. It always greatly amuses me when kids tell adults things like “you don’t understand what it is like growing up these days .. it is so different now; we have social media, mobile phones, and we have the Internet!”. It amuses me because they wouldn’t really know anything else, so how would they know that it is so different? Of course, they wouldn’t. I’m going to elaborate just because I want to show how yes, things are different because of evolution (of technology and in general) but no, they aren’t any more complicated (with what we have and don’t have) than before. (Furthermore, things change for both better and worse. But realising this changes things significantly.) Indeed, the Internet is older than they are. For that matter, if you consider its predecessor (arpanet), it might be older than their parents (probably it is)! Certainly the arpanet is older than I am. Depending on what part of the Internet (it developed and extended itself over time) you think of, it is older than me; other parts of the Internet are younger than me. That brings me to social media and the Internet more generally: First, many erroneously believe that the World Wide Web IS the Internet but the Internet is much more than that. The WWW is a small part of the Internet, and without the lower layers, the WWW wouldn’t be ‘world wide’ at all (it might not even exist, we wouldn’t have email and we wouldn’t have many other things that people think of as a single technology). But no, the Internet isn’t new at all, and so this is not something that is all that different (the IoT – the Internet of Things – is another issue entirely, and one that has serious problems, but one that won’t be going away, unfortunately; still, this is technology evolving). As for social media: there were other ways of communicating with people. Let’s start with BBSes (bulletin board systems) and later on web based forums. 
Then you go to UNIX and you had the talkd (‘talk daemon’) which allowed two users (on the same system or different systems, as I recall) to ‘talk’ with each other (writing messages where one user was at the top and the other at the bottom; it showed characters as sent to the system, so you would see the actual sequences for backspace and the like but this was a matter of getting used to and then it wasn’t really a problem). Then there is IRC (‘internet relay chat’ which worked for the Internet and an internet; the latter simply being a network of networks but not necessarily connected to the global Internet). You also had (later on) ICQ, MSN, Yahoo Instant Message (and others). So no, social media isn’t all that new; it is only an extension of what we had before. I will point out some irony, though, something others have thought of individually, but something that I’ve thought of for a very long time:

Despite the ‘social media’ and the phenomenon of people looking at their bloody phone instead of where they are walking (or with whom they are eating, sleeping, and who knows what else) and even more ‘connectivity’ (network connectivity only), we are more than ever disconnected. I’d like to say I was ahead of my time (because I wasn’t one who really socialised with peers) but I know I’m not in that way. I was (and am) just… different. I never identified with anyone (in person) and I never really associated with many people (and when I did it was only because of school; I didn’t spend time with them off campus).

Yes, I miss many things that are very different today (different is very loosely defined). But does that mean that I wish I lived in the past? No, absolutely not. It isn’t healthy to dwell on the past; you can’t change it either and the only way to stay somewhat sane (…if that is possible for me – but others can go mad by dwelling on the past, too) is to focus on right now. Even then, there are some things that are better; accept and learn from your mistakes and they aren’t mistakes. Continue to learn, evolve, grow, and you have more to experience, more to understand and more to appreciate. Similarly, if you look at what is here now, you can realise that while some things might be worse, other things are better. It can always be worse (this especially goes for your own health.. and yes, this is what it took for me to understand this though it took many years for me to do so). Always. It might not seem like it to some people but if they ever have long term hardships they will understand this (not to say you can’t understand it without hardships!). Not only will they understand this, they will be thankful for it, and it will give them strength and some sort of peace and acceptance of the world (and others).

Perspective is incredibly powerful; it changes everything!

US Navy in (0-day) Exploits Black Market

I’ve made the statement before that the US government is not merely a victim of cyber attacks but a perpetrator (to be fair, it isn’t just the US but this is about the US). I went further to point out that they provoke other nations. I seem to think I at one point wrote about how they participate in a black market, and how that would not at all help the situation. Even if I haven’t discussed the latter, I have the others. So it is most unfortunate that there is solid evidence (I know I’ve seen other evidence, though) of them wanting to buy 0-days. It isn’t even hearsay. No, not at all; it is a statement directly from the United States Navy.

The Electronic Frontier Foundation has a mirror of the document that was taken from Google cache. This, I might add, is another thing I believe I’ve written about and if I haven’t I know I meant to at one point. I’ll just give a quick summary here: you don’t simply erase something from the Internet. The people that believe Snapchat is a brilliant way to keep things safe are very ignorant, very ignorant indeed. It isn’t brilliant at all (in any way), and there has been more than one incident where many of these supposedly very temporary photos were archived elsewhere (that is not a link but FOUR unique links, two of which include a list of different exploits and results.. and there certainly are others out there). Then there is the Internet which is even more extreme here. That is another topic entirely, however, so I will refrain from going there. I’ll return to the issue of persistence again but for the moment all you need to know is the Navy has since removed their copy of the document. But it isn’t gone.

I’m going to highlight some points from the document, comment on them and bring them all together.

This is a requirement to have access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied on commercial software.

From the very mouth of the US Navy; they require binaries to exploit widely used and relied on commercial software. Software they almost assuredly will use themselves. It gets better though; I’ll return to the issue of who uses what in a bit.

– These include but are not limited to Microsoft, Adobe, JAVA, EMC, Novell, IBM, Android, Apple, CISCO IOS, Linksys WRT, and Linux, and all others. [sic]

While there are other things I could label with [sic] I won’t because I’m not trying to be critical here (I won’t at all suggest I don’t make mistakes in writing… I do. Often). However, I do want to point out that Linux isn’t commercial software. In addition, they want the exploits to exploit including but not limited to these products, and all others (is there a reason to list any at all, then? If there is, why ‘and Linux, and all others’?). But the important point here is that they don’t actually care what it is; if it is used they want exploits for it. Not just any exploits though, they want 0-days and also technical support, instructions and everything you would expect a legitimate vendor to provide. I’ll return to this again, too.

– The vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). This list should be updated quarterly and include intelligence and exploits affecting widely used software. The government will select from the supplied list and direct development of exploit binaries.

Interesting bit here: they will select from the list and direct development of the exploit binaries. Why then, pray tell, don’t you just go to a CVE website where you can find it all for free? You know, they exist for a reason, a good reason. But here they’re being used for anything but good. It isn’t bad enough that many home users have unpatched (or otherwise insecure) systems (often unknowingly) that are already infected by more viruses and worms (etc.) than a human body would likely experience in a lifetime (certainly in the amount of years computers are ‘alive’). No, of course not; but governments to the rescue! Yes, it will affect others: even systems that aren’t vulnerable can be affected indirectly. People are also affected. Including our saviours in the Navy. That’s the best part. This also goes for governments wanting to get rid of encryption; it’ll affect them, their family, their friends, the nation they say they are protecting (that’s why they need to get rid of encryption, see? It is a lie, however, that smells near as bad as a septic tank.. which is to say can easily be sniffed out even for those without a strong sense of smell). It also is a risk to themselves. It has the potential to affect every device. And the more exposure a device has, the more risks can affect it. This is sort of like the immune system: the common cold is nothing for those with a healthy immune system but to those with a poor immune system, it can be very serious.

– Completed products will be delivered to the government via secured electronic means. Over a one year period, a minimum of 10 unique reports with corresponding exploit binaries will be provided periodically (no less than 2 per quarter) and designed to be operationally deployable upon delivery.

It is rather amusing, isn’t it, that they want it delivered in a secured manner. I suppose they hope no one else will have access to these exploits (which I have alluded to already and will get to further) and somehow it will be safer for everyone. Safer for themselves, actually, and that is incredibly naive: if the US government accidentally ships live anthrax to laboratories across the US and even in other countries (all of which has been reported recently.. and other similar incidents have happened), who is to think they could keep computer exploits under their control? Reality: malware tends to spread; there is a reason the words ‘virus’, ‘worm’, ‘trojan horse’ are used for naming said types of malware. Even if it isn’t malware itself it is incredibly stupid to believe it can’t directly affect the buyer (themselves). You don’t control exploits in the wild like that – you don’t nicely tell it that you are its master and it’ll suddenly obey your every command. Even then you have the reality of bugs in software: humans aren’t perfect (irony: because I thought I saw it earlier, and because I should rest my eyes soon, I checked spelling and what did I do but spell perfect as ‘prefect’ … a great example and I wouldn’t be surprised if more exist in this write-up), programmers are human, therefore programmers aren’t perfect: this leads to errors in software (commonly called ‘bugs’). I won’t even get in to simulators.

– Based on Government’s direction, the vendor will develop exploits for future released Common Vulnerabilities and Exposures (CVE’s).

This extreme naivety that comes close to delusion (and using that word is painful… I readily admit I have been delusional in the past and much of their problem is extreme foolishness) they have, that they are in control, is rather scary. Unsurprising. But scary nonetheless.

– Once a product is transferred from the vendor to the government, the government maintains a perpetual license to use, modify or share at the buyer’s discretion.

Obviously. After all, Microsoft and all these other vendors you suggest (with the exception of open source software, of which you don’t mention much) sell their software and openly allow it to be modified and shared with others. The license also works for infinite devices. So of course you would have this right! Too bad you’re dealing with a black market, isn’t it? Governments create black markets. Stupidly, I might add. Yet in this case there is nothing else: this is to break the security of others, something the governments outlawed years ago. Creating black markets is also another example of not learning a bloody thing from history. Yet in this case it isn’t the same thing, is it? Not exactly. If a company hires (or better yet has on staff all the time) others to audit their security (maintain it), that’s fine. But if a company were to pay another company (or other third party) to break the security of another corporation – or states! – they would be in a lot of legal trouble. This is a triple standard: whine about being victims; pay others to help you do to others what you would whine about if others did it to you; and if anyone else were to do it to others, whine also. Global police.

– The vendor shall accept vulnerability data to include patch code, proof of concept code, or analytical white papers from the government to assist with product development. Products developed under these conditions will not be available to any other customer and will remain exclusively licensed to the government.

Gullibility to the extreme! To think that anyone would believe that an entity selling exploit code (especially since in the past, and likely still, much exploit code is still released for free.. but it doesn’t take much thought to figure out that some would have no problem to profit over it; can you blame them? Do corporations sell to only one customer?) is going to not profit from others that would be willing to also pay, is amusing, very amusing indeed. I’ll also point out there is a hypocrisy here: you have the right to do whatever the hell you want with the software, something that corporate vendors wouldn’t allow (and some free software doesn’t allow it!) with their software. At the same time, though, you have the boldness to state that you maintain the license here and not only do you state the licensing terms, you also state that the vendor can’t do what they wish with their own work! Licenses are only acceptable if you’re the one stating the terms, yes?

– All delivered products will be accompanied by documentation to include exploit description, concept of operation and operator instructions.

Pathetic. That’s being incredibly nice. That is the brutally honest truth. You really need documentation of how it works as well as how to use it? Weren’t you also the one wanting to direct the development? Usually the developers write the documentation (at least when they do document it which isn’t always)! Script kiddies demanding documentation. Highly impressive. I know, I know… you bought it all on your terms and since you state the terms, you can also demand the documentation. No dignity, no pride, no honour whatsoever.

– Technical support shall be provided by the vendor to the government for purposes of integrating, troubleshooting, bug fixes, feature enhancements, and OS and third party software compatibility testing. These services must be available Monday through Friday during normal working hours (0730 EST through 1630 EST).

You demand technical support.. on your own hours?! The amount of arrogance there is unfathomable.

Indeed, no pride, no honour, no respect for others (including themselves actually), no dignity. None at all. I’ve made clear that governments participating in cyber attacks are not just victims but perpetrators (and consequently provokers). Well here is solid proof that they really are doing exactly that. With no shame on their behalf (meanwhile everyone else will see their actions as only shameful). I’d like to lastly say this: they deleted it from their website for a reason. They finally realised the implications. If they didn’t mean harm they wouldn’t have removed it. But they did. There is only one reason for it. The tragedy here is they could do things to make things better. But instead they make things worse, worse for everyone. It is a cyclical process too. Indeed, just like mirroring, this will continue more and more.

The Facebook Law and Ethic

Fair warning: I’m in a mood and this is by its very nature going to be touchy (and there will be some bias but the points I’m trying to make are still valid). While I don’t at all find my points out of line, I know many would, especially with the amount of obsession if not outright lust for Facebook that many have. You could call this post somewhat unusual for here although I diverge slightly in to another issue – privacy. This post is motivated by something I saw yesterday, one of many other things I’ve read about before, that makes me think that Facebook truly believes that they can do whatever they want with impunity and no regard to any ethics that they clearly violate. I have a strong ethic, and while I am certainly not perfect, I find abuse and destruction unacceptable. But then there’s Facebook policies and what they allow.

Where to start? Right, we’ll start with what the BBC reported. It is a well known fact that child abuse is a huge problem in this world (much like abuse to the environment, to humans in general, to animals, even the air we breathe). It is also a well known fact that it unfortunately goes to the extreme cowardice (which is sadly cyclical – abuse leads to abuse, there’s some psychology behind it but I’ll not get in to that) of physical abuse including sexual abuse (and frankly it doesn’t matter what age but children is relevant to the discussion). It is also well known that it is illegal in many countries, definitely the country where Facebook’s premises are (I’m not sure they live in it, though – some of them certainly don’t act as if they believe they do), to have videos, photos or any example of paedophilia (whether hard copy, on a computer or anything else). As it should be. But one would like to believe videos of child abuse in general are illegal. Let’s assume they aren’t, though. What Facebook allows is unethical, it only adds to abuse and frankly it is an utter disgrace in general but especially when their age requirement is just 13. But how do they enforce that? Something like what year you were born in, probably (because it equates to less privacy and more ‘important’ information) your date of birth. Yes, that’s definitely going to be accurate, I’m sure of it. In any case, I dislike kids a lot. That is putting it quite nicely, to be blunt. But I dislike something more: abuse and neglect. Both neglect and abuse make matters worse for everyone – the victim as well as the people the victim (when older) victimises because they are emotionally/ethically/morally damaged. But here it is, Facebook has what? A video of a baby being repeatedly dunked in to a bucket of water (upside down with arms twisted). Unsurprisingly the baby was crying and one would assume terrified.

But what isn’t surprising, either, is that Facebook truly believes it doesn’t break any of their rules, and they only added a warning to the video after a complaint was escalated by the National Society for the Prevention of Cruelty to Children.

The following from the BBC:

“While the welfare of this child is naturally paramount we would also urge you to look at all available options which will ensure UK citizens, including millions of children, are no longer exposed to this kind of dreadful and disturbing content,” the National Society for the Prevention of Cruelty to Children’s chief executive Peter Wanless wrote.

“The NSPCC believes we have now reached the long overdue point where it is time for social networking sites to be held to account for the content on their sites and pay more attention to their safeguarding duties to protect children and young people, whether they are viewing the content or appearing in it.”

Facebook responded as such:

“In cases like these, we face a difficult choice: balancing people’s desire to raise awareness of behaviour like this against the disturbing nature of the video,” said a spokeswoman for the firm.

“In this case, we are removing any reported instances of the video from Facebook that are shared supporting or encouraging this behaviour.

“In cases where people are raising awareness or condemning the practice, we are marking reported videos as disturbing, which means they have a warning screen and are accessible only to people over the age of 18.”

Whether that means they allow referring to it to raise awareness but not allowing it when it is being encouraged, or if they removed this instance but generally feel that raising awareness is acceptable, I do not know. What I do know is that they often state that others should have the choice to watch it if they want, and especially because it will raise awareness (even though the videos they claim are for this go about it in the exact opposite of what would be done for awareness).

Yes, Facebook, because showing videos of atrocities, cruelty and who knows what else, will raise awareness (typically when you raise awareness for such things, there’s something of an explanation that goes along with it, and that includes warnings where relevant)? I imagine also that allowing the videos in some instances won’t actually encourage others to do similar under the guise that they’re raising awareness? I suppose, also, that having these videos won’t be harmful to those who unfortunately and unknowingly watch it without realising what it is they are about to see (something I will return to)? That isn’t how you raise awareness: you’re raising awareness? Of what? Why? What should be learnt? What went wrong? Of course, your way will discourage others from these things, too, I’m sure (try telling that to victims of hate and see how far you get). Of course not, all of it is for the good of mankind. Except it isn’t – what you really mean is it is good for you because you have less responsibility to manage and less to worry about. Yet other organisations wouldn’t get away with this. It is only your user base and repeated lies and misdirection – both of which are very easy to sniff out – that allows you to worm your way out of trouble. Indeed, if I were to have such content on my server I could be in serious trouble – as it should be! This isn’t the first time, and it isn’t the last time, that you have allowed things like this. Why is that? Because you don’t concern yourself with responsibility or ethics; and even if you get away with it legally, it doesn’t mean it is necessarily legal: there’s a reason that child protection services exist and they will actually go after parents simply because their kids enjoyed having a lot of fun doing things that caused injuries needing emergency care (for instance, my brother, myself) fairly often. I’m sure the child in this video was asking for it too, though, so I suppose all is okay, right?

Somewhat ironically, though, there’s also a link here – if that video was paedophilia, it would land you in serious legal trouble (as it should) and I would expect far more outrage (as there should be). When is abuse acceptable? It shouldn’t be. But there’s should/should not be, and there’s reality, I suppose. Yet there’s a huge problem with being too accepting of others, of things, of surroundings, something that many of your users don’t understand (and/or realise), and who also do the same as you. It is even worse, for you, because of your mentality that the information is necessary, that privacy is a bad thing (even if this has lessened over time, it still exists) – you ignore the reality here in ignorance, arrogance and hypocrisy. So here it is:

If you’re too trusting, too accepting, you leave yourself incredibly vulnerable to harm and that means off the Internet (or is that ‘Facebook’?) and on. But people are this way and it is often to their peril. Lack of awareness is a real problem (an unfortunate part of being unaware of something includes being oblivious to the lack of awareness in the first place). No matter how aware you are, there’s more you can be aware of (and just like time, things change). Since Facebook has this requirement that you use your real name (although funnily enough, I once had a fake account with the name of a Disney character, one with a nose that grows when they lie – of course it was deliberate on my part), and since the default of many settings – as I’ve read for many different issues; I can’t say from personal experience – is opt out (instead of opt in, as it should always be), including those revealing what should remain private, a scary amount of information can be revealed and mapped (in what I’m about to explain it is literally). While many have probably been more public, I would like to note one that is a plugin to the Chrome browser (I’ll leave Google out of this discussion) and was called by the author the Marauder’s Map which is indeed a reference to the artefact in Harry Potter. You can find more information on how and why this works, what it does, and everything else the author reveals by following the additional links here (the link here is to a brief write up with some additional thoughts).

For those who don’t know, in Harry Potter, the map plots out every person in any form (by real name) on the Hogwarts School of Witchcraft and Wizardry grounds, even if they are invisible, by location, with the exception of a couple of places (there’s more than one possible reason and I don’t believe there’s ever been a confirmation on which of the reasons were the case though I would certainly like to know), even as they are travelling through the grounds (so it moves the person’s location on the map). This one, instead, is real and based on a feature of Facebook that allows mapping out users – including those you aren’t ‘friends’ with – over time, to discover where they tend to be including where they sleep (so not over a period of time but patterns can lead to fairly accurate results). The problem besides it being scary? They could plot an attack even through social engineering (but otherwise too). This might be to rob your flat, your car, physically assault you, or it might be a cyber attack.

All of the latter part could be somewhat summarised as: be very careful of who you trust, ask yourself why you trust them, and whether what you think is harmless is really harmless. The argument that Zuckerberg likes to throw – that you have nothing to fear if you have nothing to hide – is a dangerous viewpoint that is both hiding true intent and ignoring the things they wouldn’t share with others (bank account, etc.), something I’ve explained before. As for ‘friends’ I have this to say: I once mocked a friend (which means in another country, one I’ve never met in person and probably won’t because that’s just part of my personality) about Facebook when he finally caved and joined. He knew I didn’t mean offence but in any case, it was about his so-called friends. Well, some time after that he told me of an occasion where he asked his ‘friends’ if any of them would want to spend time with him in person? Not one. Yes, folks, it is interesting, isn’t it, that the more connected we are to technology, the more aloof we are in person as a side effect, not much unlike how I choose to be.

The unethical issue is hard to summarise and it is rather hard to imagine that a corporation, especially a corporation that is about social networking, would accept it (even though it isn’t surprising).