TIL Feb 26th

  • MRIs measure energy that is emanating from your brain in areas as small as a peppercorn. When you read about…say…penguins, the same part of your brain lights up as when you watch a video with penguins, or talk to someone about penguins. The brains of people who do not speak your language light up in exactly the same places when they think about penguins, or whatever they call them.
  • Solar flares have a 22-year cycle and are generally not a big deal. The Carrington Event of 1859 was a very large solar flare that reached the Earth’s magnetosphere. Telegraph poles threw sparks and the Aurora woke northern people because it was bright as day. It’s assumed that our more wired world of today would have more problems during such an event. Observations of other stars similar to our sun show that these extraordinary flares have a cycle of about 200 years. Tick tock.
  • The movie Bladerunner is an adaptation of a Philip K. Dick novel from 1968 titled “Do Androids Dream of Electric Sheep?”
  • “Browser Fingerprinting” is an identification technique used on the Internet (that part I knew). Taking steps to harden or lock down your browser in order to make yourself less susceptible to malware actually makes you more susceptible to fingerprinting. Anonymity or security: choose one.
  • There are different types of Cryptograms. I thought they were all simple letter exchanges, but there are also glyph-grams which use symbols instead of letters.

How to be a shitty customer 101

I’ve been interwebbing for a long time. I’ve had many roles over the years and some of them involved interaction with these quixotic things we call “customers” but I’ve only recently been involved in a role where those “customers” are not internal. My current role periodically exposes me to the unwashed masses of humanity that claw at my door moaning for relief from their busted gear. It didn’t take long to realize there are fairly easily identifiable categories of customers.

We all have disabilities. My particular disability is that I can’t see the colour grey. That means every customer looks like one of these to me:

  • The victim
  • The Passive-Aggressive
  • The psychopath
  • The guy who probably isn’t getting along too well
  • The normal human being

The victim

You can easily identify the victim. The initial request for help starts with blame. It begins with phrases like “Your service has broken my thing” or “I am losing lots of money because of your service” or “YOU ASSHOLE I AM GOING TO SUE YOU”. You know, that type of thing.

I get that we’re selling a technical product and many people are not technical in nature. I can run the shit out of a Linux box, but I have almost no clue how my car works. I understand the frustration, but I’m also not a victim. When my car guy tells me the slarginator needs replacing I don’t fly off the handle and start screaming that he’s costing me $1000 a day because of his incompetence with slarginators. I am not restraining myself because I’m a great guy, I just honestly know that it’s not his fault. I don’t know how the victims of this world end up wandering through life feeling like things are being “done” to them but I can assure you that when you ask someone for help, yelling at them about your broken-ass slarginator ain’t the way to get that thing fixed.

The passive-aggressive

Continue reading “How to be a shitty customer 101”

The case for myopia in the search for extraterrestrial life.

Atlas Obscura recently reposted a video by The Atlantic entitled We’re probably imagining aliens wrong. I’ve included a link to it at the end of this post for reference. It’s a fairly terrible arrangement of bytes, which is an unusual thing for Atlas Obscura to promote.

The video makes the valid point that when we search for alien life we’re looking for life like ours. Life as we understand it. Life that needs an atmosphere. Life that needs water. It then goes on to make the painfully juvenile point that if we only look for life like us, we’ll miss the life that’s not like us.

Continue reading “The case for myopia in the search for extraterrestrial life.”

Quick n’ dirty loop to check breaches against Have I Been Pwned API

Using Have I Been Pwned to see if your email address has been breached? Most of us have more than one email address, which can make plunking each address into the site painful. But fear not, there’s an API for it.

There are a million ways to use it, and a crappy little bash script works just fine.

Here’s mine:

File with email addresses

Create a text file with one email address per line. I called mine emailaddys. Something like:

The script

Write a one-liner like this. I called mine check_haveibeepwned.sh:

Loop it all together

Note: The rate limit is not specified in the API docs, but I found that a sleep 2 between requests was necessary to avoid tripping it. A User-Agent header is also required.

Did it work?

Breaches look like this (that’s 4 separate breaches):

Clean addys return nothing at all.
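The same loop written out as a small script, as an added example rather than the post’s own one-liner. It assumes the current v3 API, which needs an API key in the hibp-api-key header on top of the User-Agent the post mentions, and answers a clean address with 404 and an empty body; the HIBP_API_KEY and HIBP_SLEEP variable names and the optional FETCHER parameter (there so the loop can be exercised offline) are mine.

```bash
#!/usr/bin/env bash
# Added example (not the post's script). Reads one address per line from a
# file, queries the breachedaccount endpoint for each, prints breach names.
# Assumes the v3 API: key in hibp-api-key, User-Agent required, 404/empty
# body for a clean address.

HIBP_URL="https://haveibeenpwned.com/api/v3/breachedaccount"
HIBP_SLEEP="${HIBP_SLEEP:-2}"   # seconds between requests; the post found 2 was enough

# query_hibp ADDRESS: print the JSON body for one address (empty if clean).
query_hibp() {
  curl -s \
    -H "hibp-api-key: ${HIBP_API_KEY:?set HIBP_API_KEY to your HIBP key}" \
    -H "user-agent: hibp-loop-example" \
    "${HIBP_URL}/$1?truncateResponse=true"
}

# breach_names JSON: one breach Name per line, pulled out with grep/sed so
# there is no jq dependency (truncateResponse=true returns only Name fields).
breach_names() {
  printf '%s' "$1" | grep -o '"Name":"[^"]*"' | sed 's/^"Name":"//; s/"$//'
}

# check_file FILE [FETCHER]: run FETCHER (default query_hibp) for every
# non-empty line of FILE, sleeping between calls to stay under the rate
# limit. FETCHER is a parameter only so the loop can be tested offline with
# a stub; it is not part of the HIBP API.
check_file() {
  local file="$1" fetch="${2:-query_hibp}" addr body names
  while IFS= read -r addr || [ -n "$addr" ]; do
    [ -n "$addr" ] || continue
    body=$("$fetch" "$addr" </dev/null)   # /dev/null so curl never eats the file
    if [ -n "$body" ]; then
      names=$(breach_names "$body" | tr '\n' ' ')
      printf '%s: %s\n' "$addr" "${names% }"
    fi
    sleep "$HIBP_SLEEP"
  done < "$file"
}

# Usage: HIBP_API_KEY=... ./check_hibp.sh emailaddys
if [ -n "${1:-}" ]; then
  check_file "$1"
fi
```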

Enjoy.

Using ExpressVPN with Ubuntu, Linux Mint or Debian Linux

ExpressVPN is one of the highest rated and fastest VPNs. Debian strains of Linux such as Ubuntu, Linux Mint, and Debian itself are the most widely used desktop distros in the world. Putting these two things together provides fast downloads with a very high degree of anonymity and privacy.

ExpressVPN supports Windows, Linux, and macOS. The Windows and macOS versions are fairly similar, but the Linux version is a wide departure: it is a command line tool instead of a polished graphical application, and it comes in 32-bit and 64-bit flavours to accommodate both types of processors typically seen in PCs today. You can run the following command to see the bitness of your Linux distribution:

Anything with ‘64’ in the output is a 64-bit Linux distribution and you should use the 64-bit ExpressVPN download. If you’re running a 32-bit distribution you’ll likely see ‘i386’ in the output. For example, the uname output on my 64-bit system is this (note the 64):

While Ubuntu, Linux Mint, and Debian are all based on the same package manager system, there are some differences in installation. I used 64-bit versions of Ubuntu 16.10, Linux Mint 18, and Debian 8.6.0 for this article.

Installing ExpressVPN

ExpressVPN is available from http://expressvpn.com. You’ll need to log in to your ExpressVPN account and navigate to the setup page.

ExpressVPN account

Linux should be preselected for you so you’ll just have to ensure you get one of the Ubuntu downloads.

ExpressVPN Linux download

Ubuntu 16.10 installation

Continue reading “Using ExpressVPN with Ubuntu, Linux Mint or Debian Linux”

Machines don’t guess.

It’s hard for many people to understand how account hacking works. “How can someone guess my password when it’s made up of my kids’ names? It would have to be someone who knows me, and I add a number at the end to make it even harder.” Using your kids’ names is sure to create a weak password, but if I were to try to guess your password I wouldn’t have much luck, so it’s hard to demonstrate that [4]. The basic problem at work here is the “faulty analogy” fallacy: things that look alike must be alike.

We’ve all seen humans attempt to guess various things in our lives so we know guessing is error prone and inefficient. We therefore assign these difficulties to machine guessing and arrive at the incorrect conclusion that guessing is universally hard and therefore we don’t need strong passwords and we certainly don’t need to bother with having different passwords on different sites.

The specific fallacy here is that machines don’t guess.

Machines don’t need us

The implementation of a user interface (UI) is one of the last things that is done prior to a device shipping to market. The UI is the thing that we humans interact with to use the machine. It is the layer that gives the machine a way to send and receive data from us two-eyed, two-eared, 10-fingered life forms. It’s almost a pity layer. We’re so slow and limited that the eager machine has to have a slow and limited set of buttons bolted onto it for us to interact with. Slow and limited we may be, but we’re also the only ones with money to buy things, so the machine grudgingly gets over it. Grudgingly, because it doesn’t give up its fast and smart machine layer when the human UI is bolted on. It lurks beneath, working non-stop, which implies that you can also choose to bypass the UI and communicate with the machine at its own level if you have the skills and desire.

In some sense, that is what hacking is. It’s the ability to subvert the intended interaction method (the UI) to get at the machine below. In the case of account hacking the goal is to copy account usernames and passwords from the machine. Most websites have protections at the UI level to prevent attacks such as repeated attempts to guess passwords. If you were to go to your bank website and input an incorrect set of credentials repeatedly your account would eventually be locked out and your IP address temporarily blocked. If machines had to use that same human UI with all its safeguards in place then they’d have the same problem. It’s much easier for me to try to steal a copy of the user database and download it to my own machine. I then have access to the user database without all those UI constraints and can just hack away at it at my leisure to try to derive all the username and password combinations within.

User database breaches are legendary these days. The Have I Been Pwned website verifies and catalogues these types of breaches and has almost 2 billion accounts listed so far. If you consider that only about 3.5 billion people even have access to the Internet, that’s a lot of data breaches [1]. And most of these breaches are for sale. Multiple times.

That brings us back to your password.
Continue reading “Machines don’t guess.”

Proper names in the top 10,000 most commonly used passwords

This post came from data I compiled for another post, and I thought it was interesting enough to keep. Out of the top 10,000 most commonly used passwords in this list at the time of this writing, these 30 names are in the top 100.

Let me say that another way: 30% of the most common passwords on the entire planet are these proper names. Stop using names, people:

michael
jennifer
jordan
harley
hunter
buster
thomas
robert
george
charlie
andrew
michelle
jessica
daniel
joshua
maggie
william
ashley
amanda
nicole
ginger
heather
taylor
austin
merlin
matthew
martin
chelsea
patrick
richard
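A defender-side check built from this list, as an added example that is not from the post: it strips the digits and punctuation people tack onto the end (the “number at the end” from the kids’-names quote in the previous post) and tests whether what remains is one of these 30 names, since a name plus a short suffix is among the first things an offline guesser tries. The NAMES list is the post’s; the function names are mine.

```bash
#!/usr/bin/env bash
# Added example: flag passwords that are one of the 30 names above once the
# decoration is stripped off. NAMES is the post's list; the rest is mine.

NAMES="michael jennifer jordan harley hunter buster thomas robert george
charlie andrew michelle jessica daniel joshua maggie william ashley amanda
nicole ginger heather taylor austin merlin matthew martin chelsea patrick
richard"

# password_core PASSWORD: lowercase it and drop any trailing run of digits
# and punctuation, so "Jennifer1", "jordan23!" and "MICHAEL_2016" all
# reduce to the bare name that a guessing program would start from.
password_core() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/[0-9[:punct:]]*$//'
}

# is_name_based PASSWORD: exit 0 when the core is one of the top-100 names.
is_name_based() {
  local core
  core=$(password_core "$1")
  [ -n "$core" ] || return 1
  # fold the multi-line list onto one line so the pattern " name " matches
  case " $(printf '%s' "$NAMES" | tr '\n' ' ') " in
    *" $core "*) return 0 ;;
  esac
  return 1
}

# check_password PASSWORD: print a verdict line; exit 1 when rejected.
check_password() {
  if is_name_based "$1"; then
    printf 'REJECT %s (name "%s" plus decoration)\n' "$1" "$(password_core "$1")"
    return 1
  fi
  printf 'OK %s\n' "$1"
}

# Usage: ./namecheck.sh 'Jennifer1'
if [ -n "${1:-}" ]; then
  check_password "$1"
fi
```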

Slumped Over Keyboard Dead Glossary

I write about technology a lot. I don’t consider this a beginner tech blog, but I’m also keenly aware that many technology words and acronyms are not well known. I thought it prudent to build a glossary that I can link to when I use these terms so we can all learn together. I’ll try to keep it in alphabetical order; let’s see how that goes. I’ll add to this as life goes on and bump it back to the top whenever I do.

DDoS

Distributed Denial of Service attack. We generally drop the word “attack” today and just refer to a DDoS attack as “a DDoS” or “they were DDoSsed”. It’s pronounced Dee Doss, and not Dee Dee Oh Ess. I will go to the grave saying Dee Doss.

The DDoS of today has its roots in the DoS, meaning simply a “Denial of Service” attack. The added D today is for the word “Distributed”. When the Internet was small and towney, we saw DoS attacks, which were pretty easy to mitigate: a DoS attack is perpetrated by one or two IP addresses, so you just block that IP or two and the attack is over. Today’s “Distributed” DoS attacks are much harder to mitigate because they come from a wide range of IP addresses. The attack stems from “Distributed” attacking IPs.

The first significant DDoS was recorded in 1999 when 227 servers were knocked offline for days. On October 21st 2016, over 10,000,000 IPs were recruited to attack the Dyn DNS servers, which made thousands of websites unavailable for a few hours. These times, they are a’ changing.

IoT

Internet of Things. This term is kind of racist. It considers “proper” Internet devices to be computers, routers, and maybe smart phones. Anything else is a “thing”, and the proliferation of these Internet-connected “things” has spawned the term Internet of Things.

I’ve heard this pronounced as both Eye Oh Tee and plainly spoken as “Internet of Things”. It works both ways now, mostly because it’s very new. Language is built on consensus and there may be a preferred way to pronounce IoT soon.

The list of things is almost endless now and I am sure it will grow to include every device on the planet within the next decade. Fridges, televisions, lightbulbs, and toasters are all available in wifi connected models for your amusement. The first Internet was populated by people. The current Internet forces us to share the Internet with things.

I’ve written more about the problems with IoT here.

Mirai botnets: the vanishing upper limit of DDoS attacks.

There is a lot of blame to go around in the aftermath of the Dyn DDoS attack on Oct 21st. A good chunk of the bots look like Internet of Things (IoT) devices that were recruited by the Mirai botnet code. Mirai has dropped the traditionally high costs of building a botnet to near zero which means we’re seeing progressively larger and more effective DDoS attacks each week.

Sucuri discovered the first IoT botnet using CCTV devices in June. It was not long after that we started to see significantly larger DDoSes occurring and breaking all existing records for DDoS volume to date.

Why is Mirai such a big deal?

As I alluded to in the introduction, the cost of building a botnet used to be high. All those spam and phishing emails we’ve become numb to over the years were part of that effort. Hackers had to painstakingly trick each of us into clicking a malicious link which installed their malware on our (usually Windows) PC. It would take thousands of emails to get one or two suckers to click the link. It often took months to build a really powerful botnet with hundreds or thousands of zombie computers. And once it was built, it had to be carefully guarded to ensure it did not get dismantled by anti-virus software and other measures.

The reason this was so hard is because it was a person-against-person attack. Hacker guy had an agenda to trick you into clicking the link and you had a very good reason to not do that. That is why it took so many attempts to net one or two clicks. These IoT botnets are a different beast altogether. It’s smart humans against painfully dumb machines that have no way to even know what is happening to them, much less any sentient desire to protect themselves. The most significant contributing factor is the sheer number of these devices that are deployed with the factory username and password which means they may as well have no authentication system at all.

Mirai makes composing a botnet of tens of thousands of devices even easier by automating the process. Mirai will even find the devices out on the Internet. So, now we have a situation where millions of dumb devices can be successfully exploited en masse within a short time frame. It’s the perfect storm.

Why was the Dyn DDoS attack significant?

Continue reading “Mirai botnets: the vanishing upper limit of DDoS attacks.”

Remote work: the last meritocracy

The general idea of remote work is that you do the same job you would do in the office, but you don’t have to actually go to the office. This removes all the problems with people and politics of the office. That’s viewed as a huge benefit, but the reality is that many people only keep their jobs because of the people and politics of the office. Remote work strips all that away and leaves you standing naked in a meritocracy where only your skills matter.

I’ve worked remotely for 7 out of the last 9 years. For 4 years I was a remote contractor left to my own devices. I spent 2 years working as a remote worker for a non-remote company and I’ve spent the last year-ish working as a remote worker for a remote company. While sitting at home looks the same in all cases, each of those situations was very different from the others.

Here’s what I have learned from each of those situations:

Remote work as a contractor

Unless you want to spend a lot of time chasing business, chasing cheques, and schmoozing on the phone, you’re screwed. The vast majority of remote “employers” are really just guys with ideas who want the cheapest possible labour to see if their idea has legs. They’re not invested in the idea of building a remote workforce for any reason other than that they see it as the cheapest way to get going. They’ll work the shit out of you to see if you’re good “startup material” (which really means “I have no money because nobody but me believes in my idea”) and discard you when you’re so exhausted you trip. If they have no backers, be wary. Don’t know if they have backers? Google it; Angels and VCs love to talk about who they’re backing.

I spent about 25% of my time actually working and the rest of the time doing these tasks in no particular order:

  • Trying to find new work.
  • Trying to get paid for completed work.
  • Trying to figure out the best way to acquire gear and services (from a tax perspective).
  • Learning how to do my taxes properly.
  • Mourning the loss of my skill set because I was not using it.

Continue reading “Remote work: the last meritocracy”