“Can you fix this….?”

Your typical “computer person”, whether they have 5 minutes in the industry or 5 years, ends up being first line tech support for their family, friends, and even friends of friends. That is, if they let it get there. Unfortunately this can be a “damned if you do, damned if you don’t” situation. If I say no, I am mean because I can help but won’t; if I say yes, I am working for free for a long time. Neither is fair to me but that’s how it gets seen.

Now because of the diversity of my friends I will reply, “Hey, can I have hours of free legal advice?” or “You’re a dentist, I’ll trade you the perfect smile for a virus free machine.” That usually gets folks to an understanding of what they are asking.

So before you ask anyone for computer help remember they are doing you a huge favor….

There’s a whole thread on it at Reddit: http://www.reddit.com/r/technology/comments/ards1/why_i_dont_fix_computers_for_free_and_you_can_too/

Read through that, it’s TOO TRUE!

Until next time.

January 20th, 2010, posted by anansi

The movie isn’t real (part 3)

Be careful what kind of security you use…

So I usually write about industry events but today it’s about you. This is a personal warning for you, not a company, or your job, YOU.

Have you heard of the Conficker worm? It started sometime in 2008 and persists today. The reason you need to be aware is because of how it spread initially. It was bundled in fake security software. You would be at some website or using some software, email, etc. and a message would pop up saying that you have a virus and should download this free software to get rid of it.

So thinking, “Hey, it’s free and will help…”, you download it. Only there was no virus. Now there is: you just downloaded it. Now it will make every effort to block actual antivirus software from removing it.

I must admit it’s insidiously clever to have a virus masquerade as antivirus software. Unfortunately the user will suffer for not checking on the software. In this case you don’t necessarily need an expert to review the software before you install it.

I advise that before you install anything on your computer, and I do mean anything, from Microsoft products to shareware, you run a quick web search, which will give you some insight into whether it’s a good idea or not. The few minutes it might take is worth it to protect yourself. Somewhere an expert has reviewed the software and likely blogged about it.

There have always been scam artists and thieves. Online they can reach more people, farther and faster than ever before. Be careful out there.

Until next time.

BTW one of my New Year’s resolutions is to blog more, at least once a week.  So stay tuned….

January 4th, 2010, posted by anansi

The movie isn’t real (part 2)

This is a story from a co-worker. He’s older and has been in the computer industry since the era of huge IBM mainframes (early 70’s). The guy, “Bit”, was working on a huge new mainframe that was just built with a shiny new building constructed around it. Its main purpose was to show off the company’s technology. This was opening day and Murphy’s laws would rule.

The press were invited for the grand unveiling of the huge computer mainframe; this meant cameras and interviews all around. The event was high profile and management was VERY nervous: should anything go wrong, heads would roll and careers -terminated-. Of course 30 minutes before the opening in front of a nationwide audience, everything crashes. The big bright shiny new system was now an expensive paperweight. No processing, no data, nothing! In the ensuing panic in walks the ‘Cool Kat’, the hero of this tale.

Now Cool Kat was known as a hero, the ace up your sleeve, the guy you call when the chips are down, the best. In the past no matter the problem he could fix it in some creative way no one thought of. And he never broke a sweat about anything. Now in these days it took mainframes a few hours to boot up and actually become functional, useful machines. As soon as he walks in, Cool Kat is assaulted with panicked voices crying about the system crash and how everyone should polish off their resumes because of the impending embarrassment for the company. Cool Kat does not even flinch for a second and tells everyone to calm down, he’s got it handled. Just before the opening with TV cameras and other press ready to interview him and see the system in action, Cool Kat gets on the huge machine and minutes later the system is up and running like nothing ever happened. Lights blink, the tape reels spin, there are a few beeps and noises. The whole hour goes by without a single incident; the media are impressed and go on to give glowing reports about the amazing working of the machine.

Shortly after the press leave, Cool Kat is asked how he fixed a machine that takes hours to boot in minutes. He lets everyone know that he never fixed it; all he did was put it into a test mode that tests all lights, sounds, and motors.

Bit let me know that no one in the press was ever the wiser about the deception.  In other words they thought the faked presentation, the “movie”, was real.
(By the way, I laughed A LOT at the end of the story.)

Always get someone who can see a trick to evaluate a demo for you.  Part 3 will talk about a trick that’s not so amusing.

Until next time

April 24th, 2009, posted by anansi

Weak Interface failure: Your Bank can make you a victim

Although I focus on the weak interface in computers and software, it also has a great effect on the “physical” world. The life of the average person in the US is intertwined with computers. If you doubt that, go to any hospital, bank, restaurant, etc. and you will find computers so integrated with the business that they could not operate without them. Not understanding computers and modern technology is not just risky, it’s flat out DANGEROUS.

What does the headline “US bank loses unencrypted data on 4.5m people”  mean to you?    (http://www.theregister.co.uk/2008/06/02/ny_bank_lost_data_flap/)

If you are on the more techie side of things hearing this about your bank would have you looking into your accounts and/or changing banks.  Unfortunately for those on the other side of the weak interface the headline might be harder to understand.  The term “unencrypted data” needs explained.

For the sake of the less techie audience it’s like this - The bank wrote everything needed to empty your account on a computer, then lost that computer. Someone out there can take all your money, open credit cards in your name and max them out, ruin your credit, and steal your identity. Had the bank encrypted your data you might be safe, but they didn’t. To make it even worse, they hid the fact that this happened until the government discovered it, so whoever has the data had 3 months to have fun without anyone being the wiser.

The bank could have protected the data or the physical media it was on or both but it didn’t.  The days of a guy with a gun sticking up a bank are over, it’s MUCH easier electronically.  In this case the criminal may never be seen or caught. Bank of America is going to court over someone who is suing them after being electronically robbed. (http://searchfinancialsecurity.techtarget.com/news/article/0,,sid185_gci1294358,00.html)

Knowledge is your best defense. Knowledge will remove the weak interface for you. In other words, learn about computers and software, PLEASE. This is the equivalent of telling you to be aware of who’s around you in a bad neighborhood. Pay attention to the environment you are in. The internet is an amazing tool and place to work through but there are also wolves out here.

You can find out if your bank or state has potentially lost your information by searching here:
-=      http://datalossdb.org/      =-

Let me know what you think.  I’m looking for comments to improve the blog, and motivate my lazy arse to write more often.

Thanks for reading.

Until next time.

January 4th, 2009, posted by anansi

Good News . . . Bad News

I was critical about DRM in a previous post. Worse than failed DRM is the means of enforcing it. This involved lawsuits and a lot of hurt feelings. Well, now there’s good news and bad news:

The Good news:

The Recording Industry Association of America (RIAA) has decided to stop suing people.
If you don’t know, the RIAA are the ones who have dragged people into court for downloading music. They don’t know what they are doing. This is a classic weak interface issue. The ones who are downloading know how to use the internet but the group chasing them has no idea how to find them. Instead of intelligently asking a person who knows how the internet and downloading work, they decided to sue anyone they thought they could find.

Suing everyone they could find included:
- a teenager
(src: http://www.1010wins.com/pages/193237.php?contentType=4&contentId=298727)
- an 83 year old DEAD woman
(src: http://www.theregister.co.uk/2005/02/05/riaa_sues_the_dead/)
- even XM radio!
(src: http://yro.slashdot.org/article.pl?sid=06/05/17/0250238&from=rss)

There’s even a blog by a lawyer who specifically deals with the RIAA nonsense; I suggest you give it a read: http://recordingindustryvspeople.blogspot.com/

Even if you win a RIAA lawsuit, as almost everyone has, the time, money, and energy you put into it are irreplaceable.

So the idea that they are going to stop suing people is great. After millions of dollars wasted and countless hours of the judicial system down the drain they have stopped. Yeah.

Why am I not more excited? Well, because of…

The Bad News:

The Recording Industry Association of America (RIAA) has decided to conspire with internet service providers (ISPs).
Your ISP, the folks you pay for internet access, are going to police you. I don’t know how this will play into privacy but you should know that the RIAA has asked them to watch you. Here’s why it is bad. VERY BAD.

“The new plan circumvents the law, and puts the power directly into RIAA’s hands, which means that more innocent people than ever will get harassed by the RIAA.”
(src: http://techgossip.net/2008/12/riaas-new-piracy-plan-cuts-off-people-without-a-fair-trial/)

In the near future the internet you pay for will now be watched for what “looks like” illegal activity.
Knowing how computers work, I suspect some of the speed you pay for will go towards watching you. As for me, if I pay for it I should own it. If you cut my speed to watch me you better charge a lot less.
And who knows what they will flag as suspicious? What about getting large emails from friends who send pictures? (this happens often) Or what about large files I send myself from my job? The very subjective standard of “suspicious activity” is a slippery slope towards controlling what you are allowed to see and do online.

Think about all this and let me know what you think.

Till next time….

January 4th, 2009, posted by anansi

Behind the times

Technology moves lightning fast these days. Experts are becoming more knowledgeable faster than ever before, which leads to new technology becoming available faster. The problem is that some institutions we rely on are unable to cope with the new speeds. This is especially worrisome because criminals are abusing this part of the weak interface.

It is relatively easy to defeat a security CCTV with commercially available parts (no, I am not going to tell you how to do it so no links). The RFID chip in everything from bank cards to passports has been beaten
(http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html),
and the list goes on. Neither the law nor law enforcement is able to cope, no matter how sure they are, because they fail to employ or listen to the experts. In the case of RFID, even before there was RFID in passports experts said it could be hacked
(http://money.cnn.com/2006/07/13/pf/rfid_passports/index.htm?cnn=yes),
now an expert hacked it in 2 weeks. Please, please, please listen when experts talk. They actually know something. Even wiretapping can be defeated easily with off the shelf parts. This was posted in a major engineering publication, including examples and experimental results, but law enforcement has not yet deployed a solution.
(http://www.crypto.com/papers/wiretapping/)

I really can’t say it enough, when a subject matter expert tells you that technology has advanced to a point of concern, please listen. Talk to them and do what needs done.

Until next time.

December 2nd, 2008, posted by anansi

“What do you do again?”

One complication of being in an industry that is not well understood is explaining to those outside the industry what you do. Meeting new people gets a little complicated when you hear the simple ‘get-to-know-you’ question,
“So what do you do?”
I don’t like to say, “I work in computers.” That answer covers everything from ‘design national networks that millions rely on’ to ‘working IT at a small store’. Vastly different ends to the spectrum.

I have a friend, ‘Smiles’, who works in the search engine optimization business (think ‘Google’ if you don’t know). When she starts to explain her specific job, eyes glaze over as anyone who needs the explanation gets lost fast.
Another friend, ‘Beck’, is a programmer and he just tells his family he’s like a cable repairman. Not even close to what he does, but it is a platitude that lets him not have to try to explain writing software to people who don’t even understand what a computer is.

The best way I’ve found to explain my job is through analogy and I encourage anyone in the industry to create some that work for them. For example when I was working on guidance systems I merely said,
“I help the machine understand what it sees. Like explaining road signs to a new driver.”
Not my favorite analogy, but it allows for a very general idea of my job without having to explain the history of computers to someone. Here’s the problem with this solution. Since you don’t get very detailed with the analogy it can give the illusion that your job is easy. People tend to forget that it takes years of experience and a lot of knowledge to be able to do even “simple” programs on the computer. Please, if you hear anyone in the computer industry describe their job in simple terms or via an analogy, do not assume that the job is ACTUALLY simple.

The best advice I can give if you’d like to understand the computer industry better would be to go to your local library and ask for some intro books to read. Then sit down and read them. Then sit at a computer and use that knowledge a little.

That’s all for now folks!
Take care.

November 19th, 2008, posted by anansi

Invisible Abuse (important post)

I’ve previously stated that the ‘war’ is on between those with knowledge and those without. Some are using the weak interface for abuse.

The abused (you) may not even know they are being abused. At least when a presentation or demo tricks someone into believing lies, you can see who is lying to you. In this case, dear reader, it’s possible that what you see on the screen was interfered with and you’ll have no clue about it!

Your ISP may already be doing this to you without your knowledge. I could explain but someone has explained it better than I could. He has written to a company that makes the tools of abuse; you should really check it out here: http://www.ka9q.net/perfidy.html

Keep your ear to the ground and check out your ISP

October 18th, 2008, posted by anansi

DRM = “Follow the rules get screwed in the end”

Back now, and sorry for the hiatus but I just had my first child! (Tuesday 10/7, at 6:03p, 9lb 4oz) Anyway, on to the blog…

I have tried very hard to avoid too much talk about DRM (digital rights management). For those who don’t know, DRM is used by companies to prevent sharing/distributing their software without paying them for the right. This has caused problems for users, both legitimate and illegal.

Now I’ve worked both computer security and physical security as well as a mix of both.  The core of the problem in both cases is that you need to make it very hard or impossible for the ‘bad guys’ to get in while making it easy for the good guys to get in.  So it comes down to telling the good and bad apart.  Unfortunately  I have not seen a single DRM solution that tries to do the basic task of knowing the difference between a legal user and an illegal one.  Instead EVERYONE gets treated like they are one of the ‘bad guys’.

Now I’m all for someone trying to protect their work, but when you treat customers like the enemy it makes no sense for business.  Unfortunately this is in essence a weak interface problem.  The people/companies don’t understand how things online work.  This is not like placing a small circuit inside a physical product so the alarm sounds when you leave the store without paying.  They REMOVE the circuit when you pay and it does not make it difficult to use the product or affect you in any way once you leave the store.  Software DRM on the other hand stays with the product, slows down your computer and may even collect private information about you.

In fact retailers are starting to resist the idea of DRM.  The UK’s largest retailer of online music has said that 3 out of 4 (75%!) of customer issues are about DRM causing computer problems.  (http://arstechnica.com/news.ars/post/20070318-75-percent-customer-problems-caused-by-drm.html)

In essence DRM is about treating everyone like a criminal.  In fact it punishes the ‘good guys’ and not the bad.  If you have any knowledge at all as a ‘bad guy’  you know how to remove the DRM or find illegal sources so only the good guys are punished.

The Apple iTunes store has DRM and it has caused all sorts of problems. The DRM violates the customer’s rights and there are lawsuits about it (http://p2pnet.net/story/9003). In short it’s as if you buy a TV and the store has the right to enter your house and turn it off if they want to and you have no power to stop them.

This article is self explanatory: “Wal*Mart shutting down DRM server, nuking your music collection — only people who pay for music risk losing it to DRM shenanigans” (http://boingboing.net/2008/09/26/walmart-shutting-dow.html)

As I said only the good guys end up being punished making it in the best interests of everyone to steal/share music.  DRM = “Follow the rules get screwed in the end”.

Dear reader, if you have any influence at all, anywhere, tell them to talk to me. This can be done the right way to keep the ‘bad guys’ out but not hurt the good guys. The problem comes down to the fact that a company asks for software to prevent file sharing but does not consider differentiating one person from the next. What is really needed is new DRM that takes not only the retailer’s interests into account but also the customer’s. Before every former customer does what is in their best interests and becomes a ‘criminal’.

I’ve said it before, ask the experts.  Find a person or group who understands security, business, software, and the customers then get them to give you what you need.

Take care and Good Luck.

October 17th, 2008, posted by anansi

The movie isn’t real (part 1)

I’ve mentioned demos and presentations before but now I’m going to focus on them a bit more, as I recently had a few colleagues view this blog and they contributed their analogies and stories. A younger, more naive version of myself once asked while preparing for a demo,

“Why are we working so hard on power point slides and pictures when the code is what matters?”

The answer was that no matter how good the actual code was, it was boring and would likely get the project killed. One older engineer shared with me this quote:

‘A good plan with a bad presentation is doomed immediately, a bad plan with a good presentation is doomed EVENTUALLY…’ - source unknown

I have since seen that played out over and over again. The group with the best demo/presentation often wins, NOT the one with the best product. Another person chimed in that since the only thing most users ever see is the graphic user interface, to them that IS the software, kinda like seeing the steering wheel of a car and thinking that IS the car, the engine, the brakes, everything! As a guy on the ‘mechanic’ side of building the rest of the software it was a revelation that that’s the perspective of the user and most of the decision makers. It let me understand why people are fooled by demos and pretty pictures.

  It’s like the movies or even a good magic trick only the difference being that in those situations you know it’s not real.  Think about if you convinced someone that the movie ‘Hackers’ was really a documentary?  Completely false impressions and ideas would be conveyed.  In the software world this is what happens at demonstrations/presentations.  Some honest people will give you a documentary of the software while others will give you a movie, but both will tell you it’s real. 

The solution and my advice:
Assume you are being lied to and get a software developer on your payroll with no stake in the project to let you know if you are seeing a real system or a clever trick.
Until next time

September 3rd, 2008, posted by anansi