Archive

Category Archives for "Errata Security"

Why “Force Awakens” will suck

JJ Abram’s movie “Super 8” is an underrated masterpiece. It leads me to believe that he actually “gets it”. But then, everything else JJ has done convinces me he really doesn’t. He destroyed Star Trek, and I’m convinced he’ll do the same to Star Wars. I thought I’d list the things he almost certainly gets wrong in the “Star Wars: Force Awakens” movie.

The movie hangs on spoilers

The original Star Wars was known for the way that people repeatedly saw it in theatres. There were no spoilers. Sure, they blow up the Death Star, but knowing this ahead of time detracts not a whit from the movie. In Episode I, most of us know that Palpatine is the Emperor. Knowing this spoiler doesn’t detract from the movie, but adds to it. Sure, the original series had the “Luke I am your father” spoiler, but knowing that ahead of time detracts nothing from the movies.

But JJ loves the big reveal. It’s like Lost, where season after season we didn’t know what was going on. Worse yet, it’s like his second Star Trek movie, where we weren’t supposed to know it was really Khan. It Continue reading

NSA needs more EFF hoodies

A few months ago, many stories covered "intelexit.org", a group that bought billboards outside NSA buildings encouraging moderates to leave intelligence organizations. This is a stupidbad idea.

For one thing, it's already happening inside the intelligence community. Before Snowden, EFF hoodies were tolerated. From what I hear, they aren't anymore. Anybody who says anything nice about the EFF or Snowden quickly finds their promotion prospects reduced. And if you aren't being promoted, you are on track to be pushed out, to make room for new young blood.

The exit of moderates is radicalizing the intelligence community. More and more, those who stay want more surveillance.

In my own experience, the intelligence community is full of pro-EFF moderates. More than anybody, those inside the community can see the potential for abuse. For all that mass surveillance is unacceptable, the reality is that it's not really being abused. It really is just focused on catching evil terrorists, not on tracking political activists in America. All this power is in the hands of people who use the power as intended.

A mass exodus of moderates, though, will change this, creating a more secretive and more abusive organization. The NSA is nowhere near Continue reading

First Internet ecommerce was at least 1990

This article from FastCompany claims that the first Internet e-commerce transaction was in 1994. This isn't true. The site "cdconnection.com" had been selling CDs online since 1990. Well, they claim 1990; I don't know what evidence they have. But I personally can remember buying CDs on their site for over a year before I switched jobs in mid-1994 (so probably at least 1993).

I write this up because it's apparently an important concern when Internet e-commerce was "invented", so I'm writing up what I witnessed. It's a silly competition, of course, since Internet e-commerce is such an obvious idea that nobody can "invent" it. Somebody probably accepted payments for things online even before that. But, as of 1993 when I purchased music, CDconnection was a well-honed business, a "site", with an interface, with a wide selection, using Telnet with VT100 commands to format the screen.

Some notes on the eDellRoot key

It was discovered this weekend that new Dell computers, as well as old ones with updates, come with a CA certificate ("eDellRoot") that includes the private key. This means hackers can eavesdrop on the SSL communications of Dell computers. I explain how in this blog post, just replace the "ca.key" with "eDellRoot.key".

If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.

I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.

Note that Dell's spinning of this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.

We should all follow Linus’s example

Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.

The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").

A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, Continue reading

The Godwin fallacy

As Wikipedia says:

Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.

An example is a discussion of whether waving the Confederate flag was "hate speech" or "fighting words", and hence undeserving of First Amendment protections.

Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free speech, that the Nazis had a right to march.

Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free-speech.

I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Continue reading

Prez: Rick Perry selling his mailing list

I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all of them). This allows me to track their behavior -- or misbehavior.

Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.

Here's Ted Cruz's email, sent to my Perry account. It's actually identical to one I received on my Cruz account. (I've hidden the To: address, except for the 'rick' part).

The email headers look like:

Received: from mail3.postup.targetedvictory.com (mail3.postup.targetedvictory.com [69.56.54.35])
by projectp (Postfix) with ESMTP id 1266C26041B
for ; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)

Rick Perry uses the company "TargetedVictory" for his mass emailings, whereas Ted Cruz uses another company. This shows that Perry didn't give his address list to Cruz, but instead let Cruz use the address list.

I saved a copy of Perry's privacy policy when I made the donation. It implies that he won't give out my private information to somebody else, but nothing in the Continue reading

Prez: donation numbers

I've given $10 to every candidate to monitor what they do. As I blogged before, just before the quarterly filing deadline, I got emails from all the candidates begging for money, to impress people with how much money they've gathered. Well, here is the amount (in dollars) each candidate received last quarter:

Candidate   Amount ($)
Hillary     29,921,653.91
Bernie      26,216,430.38
Carson      20,767,266.51
Jeb!        13,384,832.06
Cruz        12,218,137.71
Walker       7,379,170.56
Carly        6,791,308.76
Rubio        5,724,784.46
Kasich       4,376,787.95
Christie     4,208,984.49
Trump        3,926,511.65
Rand         2,509,251.63
O'Malley     1,282,820.92
Huckabee     1,241,737.51
Graham       1,052,657.62
Lessig       1,016,189.22
Webb           696,972.18
Jindal         579,438.39
Santorum       387,985.42
Perry          287,199.29
Pataki         153,513.89

Of course Hillary and Bernie are at the top, since they are the only two major contenders on the Democrat side, so they split the pool between them.

What's interesting is how Scott Walker exited the race, and Jeb! scaled back his spending, because their donations dropped precipitously. Even though they got huge donations last quarter, they spent the money as fast as they could. Presidential campaigns are like venture capital that way: you spend money aggressively in order to make more money. If you are right, this Continue reading

Yes, the CNBC moderation was biased

In anger over CNBC's left-wing bias, the Republican party has suspended them from moderating future debates. Is there something to this?

Yes and no. CNBC, like most of the media, has a strong left-wing bias. On the other hand, the Republicans are quick to label legitimate criticism as examples of bias.

There is an easy way to detect improper bias. The principle of journalism is that there are two reasonable sides to any debate. One side may be wrong, of course, but both sides are reasonable. Partisan bias, however, involves arguing that one side in the debate is unreasonable. When the press calls somebody a "comic book clown", then it's bias. Merely saying they are "wrong" is not bias.

That's what happened many times during the CNBC-moderated debate of Republican candidates, most egregiously when they called Trump a "comic book" version of a candidate. We all know that Trump is a demagogue, that he appeals to the ignorant masses more than intelligent people. But when you drill down on Trump's ideas, what you'll find is that he's usually merely wrong rather than irrational. For example, a couple months ago, Trump was attacked in the press for saying "the constitution Continue reading

OMG, the machines are breeding! Mankind is doomed! DOOMED!!!

My Tesla has the same MAC address vendor code as an AR Drone. These are two otherwise unrelated companies, yet they share the same DNA. Flying drones are mating with land-based autonomous vehicles. We are merely months away from Skynet gaining self-awareness and wiping out mankind.

You can see this in the screenshot below, where we see the output of a hacking program that monitors the raw WiFi traffic. The AR Drone acts as an access point so that your iPhone can connect to it in order to fly the drone. The Tesla, on the other hand, is looking for an access point named "Tesla Service", so that when you drive it in for service, it'll automatically connect to their office and exchange data. As you can see, both devices have the same vendor code of "90:03:B7", registered to Parrot SA.

Here is a picture of the AR Drone cavorting with the car. The top arrow points to the drone, the bottom arrow points to the car.

So why the relationship? Why does the Tesla look like a drone on WiFi?

The company Parrot SA started out creating kits for cars that contain WiFi, Bluetooth, and voice control. Since they were already Continue reading

Dumb, dumber, and cybersecurity

The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.

An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addresses none of these threats.

But it gets better.

At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:

Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.

There have been several court cases where IT administrators have been fired, where the companies later found that the fired employee is the only one with passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.

If your boss demands your password to your corporate accounts, of course you must give them your password.

But it Continue reading

Ethics of killing Hitler

The NYTimes asks us: if we could go back in time and kill Hitler as a baby, would we do it? There are actually several questions here: emotional, moral, and ethical. Consider a rephrasing of the question to focus on the emotional question: could you kill a baby, even if you knew it would grow up and become Hitler?

But it's the ethical question that comes up the most often, and it has real-world use. It's pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA's mass surveillance of Americans?

I point this out because my ethical response is "yes, and go to jail". The added "and go to jail" makes it a rare response -- lots of people are willing to kill Hitler if they don't suffer any repercussions.

For me, the hypothetical question is "If you went back in time and killed Hitler, would you go to jail for murder?". My answer is "yes". I'd still do my best to lessen the punishment. I'd hire the best lawyer to defend me. It's just that I would put judgement of my crime or heroism in the hands of others. I would pay Continue reading

Car hacking is as fake as the moonlanding

[Image caption: "How can the flag stay up? There's no wind on the moon!! #fake"]

David Pogue at the Scientific American has an article claiming that hacking cars is "nearly impossible" and "hypothetical", using the same sorts of arguments crazies use trying to prove the moon landing was faked.

Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars is proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.

Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.

The Continue reading

Biden vs Risk Analysis

What we try to do in cybersecurity is "risk analysis". Most people get this wrong.

An example of this is today's announcement by vice president Joe Biden that he won't run for president. Many pundits have opined that it's because he can't beat Hillary Clinton. This is wrong.

The phrase "can't beat Hillary" makes no sense. It imagines a world where risk is binary, you either can or you can't. That's not how it works. Instead, we calculate the odds of beating Hillary. That number is not 0%. For one thing, a meteor might hit the earth and strike Hillary dead, so there's always some chance of beating her.

Responsible risk analysts ignore the rhetoric and try to calculate the odds. The easiest way of doing this is to look at the many betting websites, which have variously given Biden a 5% to 10% chance of winning the presidency. Given that the presidency is easily worth a billion dollars, and you don't spend your own money (just donations), these are great odds. Everybody who believes their chance is greater than 5% runs -- which is why we have over 20 candidates right now.

In other words, would you pay $10 for a 5% Continue reading

DEF CON drink-off — for science!

The DEF CON hacking conference is a mixture of techies and drinkers. I propose we exploit this for science. Specifically, we should take a look at vodka. Vodka is just ethanol and water with all taste removed by distillation and filtering. We can answer two important questions.

  1. Poorly made, cheap vodka lets too much of the (bad) flavor through. Can this be improved by running it through a filter? (Such as a cheap Brita water filter.)
  2. Well-made vodkas should be indistinguishable from each other. Can people really taste the difference? Or are they influenced by brands?

We need to science the shit out of these questions with a double-blind taste test. DEF CON is a perfect venue for getting a statistically relevant number of samples. We should set up a table in a high-traffic area. We'll ask passersby to taste a flight of several vodkas and to rate them.

I suggest the following as the set of vodkas to test.

1. Smirnoff, by far the market leading vodka in America, a "mid-shelf" vodka at $22 for a 1.75 liter bottle.
2. Grey Goose, the third most popular vodka in America, a "top-shelf" vodka for $58 a 1.75 liter bottle.
Continue reading

DH-1024 in Bitcoin terms

The recent paper on Diffie-Hellman "precomputation" estimates a cost of 45-million core-years. Of course, the NSA wouldn't buy so many computers to do the work, but would instead build ASICs to do the work. The most natural analogy is how Bitcoin works. Bitcoin hashes were originally computed on CPU cores, then moved to graphics co-processors, then FPGAs, then finally ASICs.

The current hashrate of Bitcoin is 460,451,594,000 megahashes/second. An Intel x86 core computes about 3 megahashes/second, so the network is equivalent to 153,483,864,667 CPU cores. Divide this by 45 million core-years for precomputing 1024-bit DH, and you get 3410 DH precomputations per year. Thus, we get the following result:

The ASIC power in the current Bitcoin network could do all the necessary precomputations for a Diffie-Hellman 1024-bit pair with 154 minutes worth of work. Or, the precomputation effort is roughly equal to 15 bitcoin blocks, at the current rate.

(Update: I did some math wrong, it's 154 minutes not 23 minutes)

Another way of comparing is by using the website "keylength.com", which places the equivalent effort of cracking 1024 DH with 72 to 80 bits of symmetric crypto. At the current Bitcoin rate, 72 bits of crypto comes out to 15 bitcoin blocks, Continue reading

Infosec is good people

For all that we complain about drama in our community, we are actually good people. At a small conference yesterday, I met "Kath". She just got her degree in advertising, but has become disillusioned. Her classes in web development and app development have shown her how exploitative online advertising can be. ("PHP has made me cry" -- yes, it's made all of us cry at some point).

She's felt alone, as if she were the only one who had those feelings, then she discovered the EFF, and privacy activists like Yan (@bcrypt) who have been fighting for privacy. Kath grew up in the middle of nowhere in Texas, and went to college in another middle-of-nowhere place in Texas. Being a muggle, she'd never heard of infosec before -- but she got a ticket and flew to New York to attend this little infosec conference where Yan was speaking. (Well, that and also to apply for the NYU graduate program in media).

She found things she didn't expect. She found, for example, how she can contribute, using her skills in usability to make crypto and privacy better for users. She also found a community that was accepting and approachable. Advertising is a Continue reading

Jeb Bush is a cyber-weenie

Jeb Bush, one of the many 2016 presidential candidates, has numerous positions on "cyber" issues. They are all pretty silly, demonstrating that not only he but also his advisors profoundly misunderstand the issues.

For example, his recent position opposing "NetNeutrality" regulations says this:

these rules prohibit one group of companies (ISPs) from charging another group of companies (content companies) the full cost for using their services

Uh, no, that's how Democrats frame the debate. ISPs charging content providers is actually a very bad thing. That we Republicans oppose NetNeutrality is not based on the belief that "charging content companies" is a good thing.

Instead, NetNeutrality is about technical issues like congestion and routing. Congestion is an inherent property of the Internet. NetNeutrality shifts the blame for congestion onto the ISPs. NetNeutrality means the 90% of Comcast subscribers who do not use Netflix must subsidize the 10% who are.

Or at least, that's one of the many ways Republicans would phrase the debate. More simply, all Republicans oppose NetNeutrality simply because it's over-regulation. My point is that Jeb Bush doesn't realize he's been sucked into the Democrat framing, and that what he says is garbage.

A better example is Jeb's position Continue reading

Prez: Candidate synchronization

So last week I gave $10 to all the presidential campaigns, in order to watch their antics. One thing that's weird is that they often appear to act in unison, as if they are either copying each other, or are all playing from the same secret playbook.

The candidates must report their donations every quarter, according to FEC (Federal Elections Commission) rules. The next deadline is September 30th. Three days before that deadline, half the candidates sent out email asking for donations to meet this "critical" deadline. They don't say why it's critical, but only that it's some sort of critical deadline that must be met, which can only be done with your help. The real reason why, of course, is that this information will become public, implicitly ranking the amount of support each candidate has.

Four days before this deadline, I didn't get donation pleas mentioning it. Three days before, half the candidates mentioned it. It's as if one candidate sees such an email blast, realizes it's a great idea, and sends out a similar email blast of their own.

Two days before the deadline, three of the candidates sent out animated GIFs counting down to the deadline. Continue reading

I gave $10 to every presidential candidate

What happens when your candidate drops out of the 2016 presidential race? What do they do with the roughly million names of donors they've collected?

I've decided that somebody needs to answer this question, so I've donated $10 to each of the roughly 25 current presidential candidates (yes, even the hateful ones like Trump and Lessig). By donating money, I've put myself on the list of suckers who they can tap again for more donations. After the election next year, we'll be able to figure out how each candidate has used (or misused) the email addresses I gave them.

For most candidates, the first two pieces of information they ask of you are #1 your email address and #2 your zip code. They need the zip code so that when there is a local rally in your area, they can contact you to get you to turn out. But as a side effect, it means being able to extract favors from local politicians.

Therefore, to do this right, I'd have to make a donation from every congressional/senate district in the country. I suspect one use of this information is when one Representative goes to another and says "If you Continue reading