What the recent Facebook/WhatsApp announcements could mean

Ever since Facebook acquired WhatsApp (in 2014) I have wondered how long it would take before we found that our supposedly “end to end encrypted” messages were being mined by Facebook for its own purposes.

It has been a while coming, but I think it is now clear that end to end encryption in WhatsApp isn’t really the case, and will definitely be less secure in the future.

Over a year ago, Gregorio Zanon described in detail why it was that end-to-end encryption didn’t really mean that Facebook couldn’t snoop on all of the messages you exchanged with others. There’s always been this difference between one-to-one messages and group messages in WhatsApp, and how the encryption is handled on each. For details of how it is done in WhatsApp, see the detailed write-up from April 2016.

Now we learn that Facebook is going to be relaxing “end to end encrypted”. As reported in Schneier, who quotes Kalev Leetaru,

Facebook’s model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.

 


 

Some years ago, I happened to be in India, and at a loose end, and accompanied someone who went to a Government office to get some work done. The work was something to do with a real-estate transaction. The Government office was the usual bustle of people, hangers-on, sweat, and the sounds of people talking on telephones, and the clacking of typewriters. All of that I was used to, but there was something new that I’d not seen before.

At one point documents were handed to one of the ‘brokers’ who was facilitating the transaction. He set them out on a table, and proceeded to take pictures. Aadhar Card (an identity card), PAN Card (tax identification), Drivers License, … all quickly photographed – and this made my skin crawl (a bit). Then these were quickly sent off to the document writer, sitting three floors down, just outside the building under a tree at his typewriter, generating the documents that would then be certified.

And how was this done: WhatsApp! Not email, not on some secure server with 256 bit encryption and security, just WhatsApp! India in general has a rather poor security practice, and this kind of thing is commonplace, people are used to it.

So now that Facebook says they are going to be intercepting and decrypting all messages and potentially sending them off to their own servers, guess what information they could get their hands on!

It seems pointless to expect that US regulators will do anything to protect consumers ‘privacy’ given that they’re pushing for weakening communication security themselves, and it seems like a foregone conclusion that Facebook will misuse this data, given that they have no moral compass (at least not one that is functioning).

This change has far-reaching implications and only time will tell how badly it will turn out but given Facebook’s track record, this isn’t going to end well.

The importance of longevity testing

airbus_a350_1000I worked for many years with, and for Stratus Technologies, a company that made fault tolerant computers – computers that just didn’t go down. One of the important things that we did at Stratus was longevity testing.

All software errors are not detectable quickly – some take time. Sometimes, just leaving a system to idle for a long time can cause problems. And we used to test for all of those things.

Which is why, when I see stuff like this, it makes me wonder what knowledge we are losing in this mad race towards ‘agile’ and ‘CI/CD’.

Airbus A350 software bug forces airlines to turn planes off and on every 149 hours

The AWD reads, in part

Prompted by in-service events where a loss of communication occurred between some avionics systems and avionics network, analysis has shown that this may occur after 149 hours of continuous aeroplane power-up. Depending on the affected aeroplane systems or equipment, different consequences have been observed and reported by operators, from redundancy loss to complete loss on a specific function hosted on common remote data concentrator and core processing input/output modules.

and this:

Required Action(s) and Compliance Time(s):

Repetitive Power Cycle (Reset):

(1) Within 30 days after 01 August 2017 [the effective date of the original issue of this AD], and, thereafter, at intervals not to exceed 149 hours of continuous power-up (as defined in the AOT), accomplish an on ground power cycle in accordance with the instructions of the AOT .

What is ridiculous about this particular issue is that it comes on the heals of Boeing 787 software bug can shut down planes’ generators IN FLIGHT, a bug where the generators would shutdown after 250 days of continuous operation, a problem that prompted this AWD!

Come on Airbus, my Windows PC has been up longer than your dreamliner!

The GCE outage on June 2 2019

I happened to notice the GCE outage on June 2 for an odd reason. I have a number of motion activated cameras that continually stream to a small Raspberry Pi cluster (where tensor flow does some nifty stuff). This cluster pushes some more serious processing onto GCE. Just as a fail-safe, I have the system also generate an email when they notice an anomaly, some unexplained movement, and so on.

And on June 2nd, this all went dark for a while, and I wasn’t quite sure why. Digging around later, I realize that the issue was that I relied on GCE for the cloud infrastructure, and gmail for the email. So when GCE had an outage, the whole thing came apart – there’s no resiliency if you have a single-point-of-failure (SPOF) and GCE was my SPOF.

WhiScreen Shot 2019-06-05 at 7.17.17 AMle I was receiving mobile alerts that there was motion, I got no notification(s) on what the cause was. The expected behavior was that I would receive alerts on my mobile device, and explanations as email. For example, the alert would read “Motion detected, camera-5 <time>”. The explanation would be something like “NORMAL: camera-5 motion detected at <time> – timer activated light change”,  “NORMAL: camera-3 motion detected at <time> – garage door closed”, or “WARNING: camera-4 motion detected at <time> – unknown pattern”.

I now realize that the reason was that the email notification, and the pattern detection relied on GCE and that SPOF caused delays in processing, and email notification. OK, so I fixed my error and now use Office365 for email generation so at least I’ll get a warning email.

But, I’m puzzled by Google’s blog post about this outage. The summary of that post is that a configuration change that was intended for a small number of servers ended up going to other servers, shit happened, shit cleanup took longer because troubleshooting network was the same as the affected network.

So, just as I had a SPOF, Google appears to have had an SPOF. But, why is it that we still have these issues where a configuration change intended for a small number of servers ends up going to a large number of servers?

Wasn’t this the same kind of thing that caused the 2017 Amazon S3 outage?

At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.

Shouldn’t there be a better way to detect the intended scope of a change, and a verification that this is intended? Seems like an opportunity for a different kind of check-and-balance?

Building completely redundant systems sounds like a simple solution but at some point the cost of this becomes exorbitant. So building completely independent control and user networks may seem like the obvious solution but is it cost effective to do that?

Try this DIY Neutral Density Filter for Long Exposure Photos

I have heard of this trick of using welders glass as a cheap ND filter. But from my childhood experience of arc welding, I was not sure how one would deal with the reality that welders glasses are not really precision optics.

This article addresses at least the issue of coloration and offers some nice tips for adjusting color balance in general.

https://digital-photography-school.com/diy-neutral-density-filter/

Automate everything

I like things to be automated, everything. Coffee in the morning, bill paautomatoryment, cycling the cable modem when it goes wonky, everything. The adage used to be, if you do something twice, automate it. I think it should be, “if you do anything, automate it, you will likely have to do it one more time”.

So I used to automate stuff like converting DOCX to PDF and PPTX to PDF on Windows all the time. But for the past two years, after moving to a Mac this is one thing that I’ve not been able to automate, and it bugged me, a lot.

No longer.

I had to make a presentation which went with a descriptive document, and I wanted to submit the whole thing as a PDF. Try as I might, Powerpoint and Word on the Mac would not make this easy.

It is disgusting that I had to resort to Applescript + Automator to do this.

I found this, and this.

It is a horrible way to do it, but yes, it works.

Now, before the Mac purists flame me for using Microsoft Word, and Microsoft Powerpoint, let me point out that the Mac default tools don’t make it any easier. Apple Keynote does not appear to offer a solution to this either, you have to resort to automator for this too.

So, eventually, I had to resort to automation based on those two links to make two PDFs and then this to combine them into a single PDF.

This is shitty, horrible, and I am using it now. But, do you know of some other solution, using simple python, and not having to install LibreOffice or a handful of other tools? Isn’t this a solved problem? If not, I wonder why?

Monitoring your ISP – Fun things to do with a Raspberry Pi (Part 2)

In Part 1 of this blog post, I described a problem I’ve been facing with my internet service, and the desired solution – a gizmo that would reboot my cable modem when the internet connection was down.

The first thing I got was a PiRelay from SB Components. This nifty HAT has four relays that will happily turn on and off a 110v or 250v load. The site claims 7A @ 240V, more than enough for all of my network gear. See image below, left.

Next I needed some way to put this in a power source. Initially I thought I’d get a simple power strip with individual switches on the outlets. I thought I could just connect the relays up in place of the switches and I’d be all set! So I bought one of these (above right).

Finally I just made a little junction box with four power outlets, and wired them up to the relays.

The software to control this is very straightforward.

  1. It turns out that the way Microsoft checks for internet connectivity is to do a get on “http://www.msftncsi.com/ncsi.txt&#8221;, and that returns the text “Microsoft NCSI”. OK, so I do that.
  2. I also made a list of a dozen or so web sites that I visit often, and I make a conn.request() to them to fetch the HEAD.

If internet connectivity appear to be not working, power cycle “relay 0”, which is where my cable modem is running. And this is a simple cron job, runs every 10 minutes.

Works like a champ. Another simple Raspberry Pi project!

If you are interested, ping me and I’ll post more details. I intend to share the code for the project soon – once I shake out any remaining little gremlins!

The relationship between accuracy, precision, and relevance

OK, this is a rant.

graph1It annoys me to no end when people present graphs like this one. Yes, the numbers do in fact add up to 100% but does it make any sense to have so many digits after the decimal when in reality this is based on a sample size of 6? Wouldn’t 1/2, 1/3, 1/6 have sufficed? What about 0.5, 0.33 and 0.67. Do you really really have to go to all those decimal places?

Excel has made it easy for people to make meaningless graphs like this, where merely clicking a little button gives you more decimal places. I’m firmly convinced that just having more digits after the decimal point doesn’t really make a difference in a lot of situations.

Let’s start first with some definitions

accuracy is a “degree of conformity of a measure to a standard or a true value“.

precision is the “the degree of refinement with which an operation is performed or a measurement stated“.

One can be precise, and accurate. For example, when I say that the sun rises in the east 100% every single day, I am both precise, and accurate. (I am just as precise and accurate if I said that the sun rises in the east 100.000% of the time).

One can be precise, and inaccurate. For example, when I say that the sun rises in the east 90.00% of the time, I am being precise but inaccurate.

So, as you can see, it is important to be accurate; the question now is how precise does one have to be. Assume that I conduct an experiment and tabulate the results, I find that 1/2 the time I have outcome A, 1/3 of the time I have outcome B, and 1/3 of the time I have outcome C. It would be both precise, and accurate to state the results are (as shown in the pie chart above) 50.0000%, 16.66667%, and 33.33333% for the various possible outcomes.

But does that really matter? I believe that it does. Consider the following two pictures, these are real pictures, of real street signs.

2018-08-16 18.18.09

This sign is on the outskirts of Mysore, in India.

2018-09-08 10.37.06

This sign is in Lancaster, MA.

In the first picture (the one from Mysore, India), we have distances to various places, accurate to 0.01km (apparently). Mysore Palace is 4.00 km away, the zoo is 4.00 km away, Mangalore is 270.00 km away. What’s 0.01km? That’s about 10m (about 33 feet). It is conceivable that this is accurate (possible, not probably). So I’d say this is precise and may be accurate.

The second picture (the one from Lancaster, MA) is most definitely precise, to 4 places of the decimal point no less. The bridge is 3.3528 meters (the sign claims). It also indicates that it is 11 feet. A foot is 12 inches, an inch is 2.54 centimeters, and therefore a meter (100cm is 39.3701″) is exactly 3.2808 feet. Therefore 11 feet is 3.3528 meters exactly. So this is both precise, and accurate (assuming that the bridge does in fact have a 11′ clearance).

The question is this, is the precision (4.00km, or 3.3528m) really relevant? We’re talking about street signs, measuring things with a fair amount of error. In the case of the bridge, the clearance could change by as much as 2″ between summer and winter because of expansion and contraction of the road surface (frost heaves). So wouldn’t it make more sense to just stick with 11′, or 3.5 meters?

So back to our graph with the 50.0000%, 16.66667% and 33.33333%. Does it really matter to the person looking at the graph that these numbers are presented to a precision of 0.000001%? For the most part, given the fact that the experiment had a sample size of 6, absolutely not.

So please, when presenting facts (and numbers) please do think about accuracy; that’s important. But please make the precision consistent with the relevance. When driving a car to the zoo, is the last 33′ going to really kill me? or am I really interested in the clearance of the bridge accurate to the thickness of a human hair, or a sheet of paper?

 

Android in a virtual machine

Very often, I’ve found that it is an advantage to have Android running in a virtual machine (say on a desktop or a laptop) and use the Android applications.

Welcome to android-x86

Android runs on x86 based machines thanks to the android-x86 project. I download images from here. What follows is a simple, step-by-step How-To to get Android running on your x86 based computer with VMWare. I assume that much the same thing can be done with some other emulator (like VirtualBox).

Install android-x86

The screenshots below show the steps involved in installing android-x86 on a Mac.

android-x86-1

Choose “Create a custom virtual machine”

android-x86-2

Choose “FreeBSD 64-bit”

android-x86-3

I used the default size (for now; I’ll increase the size later).

android-x86-4

For starters, we can get going with this.

android-x86-5

I was installing android v8.1 RC1

android-x86-6android-x86-7

Increased #cores and memory as above.

android-x86-8

Resized the drive to 40GB.

android-x86-9

And with that, began the installation.

Options during installation.

The options and choices are self explanatory. Screenshots show the options that are chosen (selected).

android-x86-10android-x86-11android-x86-12android-x86-13android-x86-14android-x86-15android-x86-16android-x86-17android-x86-18android-x86-19android-x86-20android-x86-21android-x86-22android-x86-23android-x86-24

One final thing – enable 3D graphics acceleration

Before booting, you should enable 3D graphics acceleration. I’ve found that without this, you end up in a text screen at a shell prompt.

android-x86-26

And finally, a reboot!

android-x86-25

That’s all there is to it, you end up in the standard android “first boot” process.

Daylight Saving Time isn’t worth it, European Parliament members say

I have long suspected that this was the case, especially when no one could give a simple explanation why we did this.

  • For the farmers
  • For the farm animals
  • To save energy

Those are just some of the explanations I have heard.

But I get it, in countries that are wide (west to east) you need more time zones. That is the real solution.

https://arstechnica.com/tech-policy/2018/02/daylight-saving-time-isnt-worth-it-european-parliament-ministers-say/?amp=1

This article appeared almost a month ago

This article appeared almost a month ago, and I just got to reading it. It almost looks like it was written looking in the rear view mirror! Are there any of these seven trends that isn’t already a hot topic?

7 #Cloud Computing Trends to Watch in 2018

http://ow.ly/dcG830ihigd

Don’t use a blockchain unless you really need one

Now, that’s easy to say.

But, blockchain today is what docker was 18 months ago. 

Startups got funded for doing “Docker for sandwiches”, or “Docker for underpants” (not really, but bloody close).

Talks were accepted at conferences because of the title “Docker, Docker, Docker, Docker, Docker” (really).

And today it is blockchain.

https://www.coindesk.com/dont-use-blockchain-unless-really-need-one/

I hope you weren’t counting on Project Fi …

Google’s Project Fi international data service goes down.

One of the things I have come to realize is that it is not a good plan to depend on services provided by the likes of Google.

They work 99.9 or 99.95% of the time. And they work well. But depend on them for five 9’s, that’s dumb.

https://www.engadget.com/amp/2018/01/13/google-project-fi-international-data-outage/

Mysore School of Architecture

I happened to be at the Mysore School of Architecture, in Mysore, India and had a chance to walk around. And click some photographs 🙂 The building is bright and airy, and the pictures below show some views of this. There was a lot of art all around the campus, all of it created by the students. Some modern art under the stairs. Modern art in the courtyard. A nice painting which shows two views, depending on where you stand. A nice mural on the wall. Some lovely photos; the sun and the wind weathered the display, but the display and the captions are lovely. Many of the class rooms have nice caricatures of famous architects. And finally, some lovely origami under the stairs! I loved my short trip to the college and will surely be back when there are some students there.

How do you answer this interview question, “what do you make in your current job?”

A couple of months ago, a former co-worker called me and asked if I would provide a reference for her in a job search (which I readily agreed to). Then she went on to ask me this, “This company wants to make me an offer and they called and asked me what I currently make, and asked for a copy of a paystub. What should I do?”

Personally, I find this question stupid. I’ve been asked it many times (including quite recently) and in all instances I’ve been surprised by it (doh!) and I’ve answered in what I now consider to be the wrong way.

Every hiring manager has a range of salaries that they are willing to pay for a position, and they have a range of bonuses, a range of stock options and other incentives. And then there’s the common incentives that everyone gets (401(k), vacation, …). So why even ask the question? Why not make an offer that makes sense and be done with it?

If you are a hiring manager / HR person on the hiring side, do you ask this question?

If you are a candidate, how do you handle this question?

In any event, here’s what I recommended to my friend, answer the question along these lines.

  • I’m sure you are asking me this so you can make me a competitive offer that I’ll accept
  • I’m also sure that you have a range for all the components of the offer that you intend to make to me; base pay, bonus, stock options, …
  • So what I’ll tell you is what I am looking for in an offer and I’ll leave it to you to make me an offer based on the standard ranges that you have
  • I am looking for a take-home pay of $ _____ each month
  • Since you offer a 401(k) plan which I intend to contribute $ _____ to, that means I am looking for a total base pay of $ ______ per year.
  • I am looking for a total annual compensation of $ ______ including bonuses
  • In addition, I am looking for ______ days of vacation each year.

That’s it. When asked for a copy of current pay-stub or anything like that, I recommend that you simply decline to provide it and make it clear that this is not any of their business.

Now, whether one can get away with this answer or not depends on how strong your position is for the opening in question. Some companies have a ‘policy’ that they need this paystub/W-2 stuff.

Not providing last pay information and following their ‘process’ could make the crabby HR person label you ‘not a team player’ or some such bogus thing and put your resume in the ‘special inbox’ which is marked ‘Basura’.

In any event, this all was fine and my friend told me  that she was given a good offer which she accepted.

How do you approach this question?

Blockchain is an over hyped technology solution looking for a problem

The article makes a very simple argument for something that I have felt for a while, block chain is a cool technology but the majority of the use cases people talk about are just bull shit.

http://www.coindesk.com/blockchain-intermediaries-hype/

Stratoscale acquires Tesora

Yesterday it was announced that Tesora had been acquired by Stratoscale, here are some of the articles that were published about this.

and this official announcement by Stratoscale

Thanks to all of you who emailed, texted, tweeted, called, and pinged me on IRC 🙂 I’m overwhelmed by the volume and all the good wishes. I’ll reply to each of you individually, sorry it may take a couple of days for me to do that.

To all of our investors and advisors, first in ParElastic and later in Tesora, thank you all for your help and support. To everyone at Tesora who is moving to Stratoscale, all the very best to you. It has truly been a wonderful six years working with you and I thoroughly enjoyed it.

Doug: It’s been especially awesome working with you these past six years. You are a great leader of people, and you have built and managed a truly exceptional team. People in your team like you, respect you, are comfortable approaching you with the strangest questions, and are willing to work with you over and over again. Not an easy thing to pull off over the extraordinarily long period that you’ve been able to do this. You were clearly not an easy taskmaster and your team consistently delivered miracles. But along the way you managed to ensure that everyone was having a good time.

Ken: No entrepreneur can have hoped for a better partner than you. It has been an extraordinary ride and it has been truly my honor and privilege to have taken this ride along with you. I think you were instrumental in building a company which was a very special place to work, where we built some excellent technology, got some marquee customers, and had a lot of fun doing it. I’ve learned a lot, about startups, about technology, about business, and about myself; thank you very much for this awesome experience.

Several of you have asked me “what’s next for Amrith”. I don’t know yet, I’m trying to figure that out (thanks to all of you who have offered to help me figure this out, I will certainly take you up on that).

In the short term, I’m going to continue to work on Trove, finish up my term as the PTL for Ocata and continue to work on the project as we begin the Pike cycle.

What comes later, I have no idea but if you have ideas, I’m all ears.

The Acurite SmartHub and monitoring solution

I purchased an Acurite 10 sensor indoor humidity and temperature monitoring system and am surprisingly happy with it. I was expecting a generally crappy experience but I have to say I was wrong, and it wasn’t that I’d set my expectations so low; the system is truly quite good.

The system I purchased is this one.

You get a smartHub and 10 sensors. Pictured below is the hub and a sensor.

06044-800x800_2_2 09150rm-phone-800x800_7

The setup: smartHub

The smartHub comes with a little power adapter and an ethernet cable. Stick it into a wall outlet and connect the ethernet cable to your router and DHCP does its thing and the smartHub gets online.

It initiates a series of accesses to some locations and downloads firmware and the like. (I’ve captured network traces, if I find anything interesting, I’ll blog about that). In a couple of minutes the lights stabilize and you have to press a button that says “Activate”.

The setup: online

Then you create an online account at the Acruite site and once you are logged in, you associate your account with the device. You identify it by the number on the bottom (spoiler alert, the number is the MAC address of the device).

Within about a minute, the device shows up and you are good to go for the next step.

The setup: sensors

Each sensor takes two AAA batteries, pop them in and within a minute the web portal shows a new device which you can rename and mount wherever you want it. Very slick and easy.

Within about 15 minutes I had 10 sensors online and reporting.

I was so happy with this that I’ve purchased another smartHub and 10 more indoor/outdoor sensors; they don’t have the LCD display.

Enough of the happy talk

OK, so what did I not like?

  1. It has been years (literally, years and years) since I’ve purchased a gadget that requires batteries, and the batteries are not included. It’s a good thing that I purchase AAA’s in packs of 50. Like every other commodity piece of electronics these days, these sensors are made in China, so just stick two AAA’s in the box please.
  2. Once you power up a sensor, it takes under a minute to initialize and register with the smartHub. But, if you stick batteries in two of them in quick succession, there’s no way to tell (on the Web UI) which is which. There’s no number on the sensor, nothing which you can associate with what you see on the screen; just “Temperature and Humidity Sensor – NN” where NN is a number incrementing from 1 to 10.
  3. Once you get sensors on the Web UI, there is no way to re-order them. The will forever remain in the same order. So if you decide to move a device from one location to another, and you want to group your devices based on location, you are not able to do that.
  4. Wired ethernet, really? I’m sure the stupid cable they have to give you will cost about as much as it would to get wireless setup. But it would make the setup just a bit harder.
  5. The web app is just about OK. Fine, it sucks. It allows you to add alerts for each device. By default, low battery and loss of signal rules are added for each device. But, I want to add temperature rules for different devices. Yes, you can do that but you get to do it one device at a time. No copy/paste available.
  6. They claim to have an android application but it won’t work on a tablet; instead they expect you to use a full blown web app for the tablet. The android app won’t install on my android phone; lots of others seem to be complaining about this as well.

Closing thoughts

Acurite strikes me as a company that makes fine hardware and they appear to have done an absolutely bang up job on the initial setup and “getting started” part of the experience.

They are not a software company. The software part of the “after setup” experience is kind of horrible.

They offer no easy API based mechanism to retrieve your sensor data. Yes, on the web app, you can click a couple of buttons and play with date controls and get a link to some AWS S3 bucket mailed to you with your data as a CSV but really, advertise an API, get someone to write an IFTTT channel, then you’ll be cooking with gas.

Next post will be a deconstruction of the protocol, what you get when you point your web browser at the smartHub’s IP address, and those kinds of fun things.

One more thing

The people at Acurite Support are wonderful. I have (in the past three days) spoken with two of them, and interacted with one via email. The people I spoke with were knowledgeable, and very helpful.

The wait times on hold are quite bad. I waited 25 minutes and 15 minutes respectively on hold. There is the usual boring elevator music while you stay in line with an announcement every minute that you are “XX in line”. No indication of how long your wait will be but you are offered the option of getting a callback.

An odd thing though is that while I was in line and I heard the message “you are second in line” a couple of times, I suddenly ended up being “third in line”. How someone got ahead of me in line, I know not.

But, their support is great. 5 stars for that!

Amazon’s demented plans for its warehouse blimp with drone fleet 

Amazon’s demented plans for its warehouse blimp with drone fleet http://arstechnica.com/information-technology/2016/12/amazons-demented-plans-for-its-warehouse-blimp-with-drone-fleet/?amp=1

Shit like this is what gives patents a bad name!

Another look at IFTTT

In March 2012 (that’s a while ago) I wrote this article about a new service I’d discovered called IF-This-Then-That.

Now, almost five years on, IFTTT has come a long way. Just looking at the channels (they now call them services) it is amazing how far they’ve come. Quite amazing.

Time to go revisit IFTTT. It still amazes me that they are a free service.

Facebook at a Crossroads

Interesting article in MIT Technology review at https://www.technologyreview.com/s/603198/facebook-at-a-crossroads/.

More than half of the 3.4 billion people with Internet access log on to Facebook each month. Revenue in the first nine months of 2016 jumped 36 percent to $19 billion; profit nearly tripled, to $6 billion. Yet the company’s founder has spent the year talking up his plans to become something much larger and more meaningful.

With the election now over, the coming crackdown on fake news, and getting mired in the censorship controversy after blocking the video stream of Philando Castile after he was shot in Minnesota surely didn’t help.

I wonder how much all these things will affect Facebook, and how much that is driving the urge to do unnatural things.

Drones, Virtual Reality, get a grip …

The case(s) for and against PGP

When I read I’m throwing in the towel on PGP, and I work in security, which appeared as an Op-ed in ArsTechnica, I felt that it certainly deserved a response. While Filippo Valsorda makes some valid points about PGP/GPG, I felt that they were less about shortcomings in the scheme and rather usability issues that have been unfortunately ignored.

Then I read “Why I’m not giving up on PGP“,  an excellent article, also in ArsTechnica, and it does a much better job of refuting the article than I could ever have done.

Both are well worth the read.

May I please get whatever Windows version powers the Dreamliner?

It is being widely reported that the FAA has issued an Airworthiness Directive (AD) requiring that Boeing 787 Dreamliners must be rebooted every 21 or so days.dreamliner

This is not a hoax.

This is the AD issued by the FAA 0n 2016-09-24, I obtained a copy of this AD from here.

The AD states:

This AD requires repetitive cycling of either the airplane electrical power or the power to the three flight control modules (FCMs). This AD was prompted by a report indicating that all three FCMs might simultaneously reset if continuously powered on for 22 days. We are issuing this AD to address the unsafe condition on these products.
A little investigation indicates that this isn’t the first time the FAA has had to do this. The last time they had to do something like this was in 2015-09 when they issued this AD which I obtained from here. That AD was more specific about the reason for the problem, stating
This condition is caused by a software counter internal to the GCUs that will overflow after 248 days of continuous power.
It has been widely rumored that the present AD about the 21 day action is similarly motivated, and the logic is that a timer with millisecond precision which will overflow at about 24 days.
This is all very droll, and I hope to hell that they power cycle their planes on the ground regularly and all that. My only question is this, since they are in fact running Windows under the covers, how on earth are they able to keep the thing going for 21 days?
With Windows 7 that was a piece of cake but this new Windows 10 that I have wants to reboot every night and I don’t have any say in the matter.
So whatever Boeing did to keep the damn thing going 21 days, it would be great if they shared that with the world.

The Monty Hall problem

I’ve long wanted a simple explanation of the Monty Hall problem and I’ve never found one that I liked. Some I really detested like one that tried to make some lame analogy to baseball pitchers.

Anyway, here is what I’ve found to be the simplest explanation yet. First, what’s the problem.

In a game show, the contestant is shown into a room with three identical closed doors. He is informed that behind one door is a prize and behind the other two doors, there is nothing.

He is then asked to pick a door. Once he has picked a door, the host proceeds to open one of the other two doors (that he had not picked) and shows the contestant that there is nothing behind that door.

The host then offers the contestant the option of either changing his selection (picking the third remaining door), or sticking with his initial choice.

What should the contestant do?

The simplistic answer is that once the contestant has been shown that there is nothing behind one door, the problem reduces to two doors and therefore the odds are 50-50 and the contestant has no motivation to switch.

In reality, this is not the case, and the contestant would be wise to switch. Here is why.

image1Three doors, behind one of them is the prize, behind the other two, there is nothing.

The contestant now picks a door. For the purposes of this illustration, let’s assume that the contestant picks the door in the middle as shown below.

image2Since the prize is behind one of the three doors, the odds that the prize is behind the door that the contestant has picked is 1/3. By extension therefore the probability that it is behind one of the other two doors is 2/3 (1/3 for each of the doors).

So far, we’re all likely on solid footing, so let’s now bring in the twist. The game show host can always find a door behind which there is nothing. And as shown below, he does.

image3The game show host has picked the third door and there’s nothing there.

However, nothing has changed the fact that the probability that the prize was behind the door that the contestant chose is 1/3 and the probability that it is behind one of the other two doors is 2/3. What has changed is that the host has revealed that it is not behind the door at the far right. If then the probability that it is behind the far left door and the far right door (the two doors that the contestant did not pick) is 2/3, we can say that the probability that it is behind the far left door has to be 2/3.

With this new information therefore, the contestant would be wise to switch his choice.

Defining Success in OpenStack (With Heisenberg in Mind)

This article first appeared at http://www.tesora.com/defining-success-in-openstack/

I recently read Thierry Carrez’s blog post where he references a post by Ed Leafe. Both reminded me that in the midst of all this hand wringing about whether the Big Tent was good or bad, at fault or not at fault, and whether companies were gaming the system (or not), the much bigger issue is being ignored.

We don’t incentivize people and organizations to do the things that will make OpenStack successful, and this shortcoming poses a real and existential threat to OpenStack.

Werner Heisenberg observed that the act of measuring the position of a sub-atomic particle affected its momentum and vice-versa. In exactly the same way(s) that Heisenberg said, the act of measuring an individuals (or organizations) performance in some area impacts that performance itself.

By measuring commits, lines of code, reviews and other such metrics that are not really measures of OpenStack’s success, we are effectively causing individuals and organizations to do the things that make them appear “good” on those metrics. They aren’t “gaming the system”, they are trying to look good on the measures that you have established for “success”.

At Tesora, we have always had a single-minded focus on a single project: Trove. We entered OpenStack as the DBaaS company, and have remained true to that. All the changes we have submitted to OpenStack, and the reviews and participation by Tesora have been focused on the advancement of DBaaS. We have contributed code, documentation, tests, and reviews that have helped improve Trove. To us, this single minded focus is a good thing because it has helped us advance the project, and to make it easier for people to deploy and use it in practice. And to us, that is the only thing that really matters.

The same thing(s) are, true for all of OpenStack. Actual adoption is all that matters. What we need from the Technical Committee and the community at large is a concerted effort to drive adoption, and to make it easier for prospects to deploy and bring into production, a cloud based on OpenStack. And while I am a core-reviewer, and I am the Trove PTL, and I wrote a book about Trove, and our sales and marketing team do mention that in customer engagements, we do that only because they are the “currency” in OpenStack. To us, the only things that really matter are ease-of-use, adoption, a superlative user experience, and a feature rich product. Without that, all this talk about contribution, and the number of cores and PTL’s is as completely meaningless as whether the Big Tent approach resulted in a loss of focus in OpenStack.

But, remember Heisenberg! Knowing that what one measures changes how people act means that it would be wise for the Technical Committee to take the leadership in defining success in terms of things that are surrogates for ease of installation, ease of deployment, the number of actual deployments, and things that would truly indicate the success of OpenStack.

Let’s stop wasting time defending the Big Tent. It was done for good reasons, it had consequences. Realize what these consequences are, perceive the reality, and act accordingly.

10 ways to make Windows computers safer

These days everyone knows someone whose computer was hacked; everyone has heard of others who have been hit by ransomware, and who have suffered significant losses as a result. The losses are sometimes financial, but often they are non-monetary, like losing all family photographs, music, files, and so on.

While it is not possible to entirely prevent these kinds of things, there are some easy steps that we can all take to considerably minimize the likelihood of this kind of thing. It is however equally the case that the majority of these things also make it a little harder to use our computers, and this is by design.

The primary reason why people fall victim to these attacks is complacency, or letting one’s guard down for just a moment. The simple tips below try to prevent that by making it just a little bit harder for you do yourself harm in this way. So here are some tips that I believe we can all take to improve our computers security. I write them from the perspective of a Windows user; if you are a user of a Mac, similar things apply to you but I don’t use a Mac so I don’t know what they are. And, if you are one of those few Linux users, you are likely a nerd anyway and probably can figure this stuff out for yourself.

There used to be a time when the #1 way to make Windows computers safer was to move to a Mac. That is unfortunately not true any longer. Macs are also vulnerable to many of the exploits that we see these days.

  1. Don’t login as an Administrator user; restrict administrator privileges

One of the horrible things that Windows does on initial installation is to ask you for your name, and setup an account for you. And it makes that user an Administrator. In my experience, most home computer users regularly login using that account.

When setting up a computer, always create a user who will be an administrator, and after the computer is setup, create a regular user who is a standard user. It should look something like this when you look at the users settings.

If the account(s) that are commonly used on your computer are Administrators, do this:

  • Create a new user on your machine with a name like “MyComputerAdministratorDingDong” and make that user an Administrator.
  • Login as “MyComputerAdministratorDingDong” and change the accounts that you regularly use to be a Standard User. If this is a shared computer, this means all users become Standard Users.
  • Ensure that the password MyComputerAdministratorDingDong is long and different from your own password; and don’t tell everyone what it is.
  • Update Windows User Account Control (UAC) to be paranoid and prompt you on all changes to the computer.

What have you accomplished here?

By making all common users Standard Users, you have made it harder for exploits which typically require Administrator privilege to, well, exploit.

When someone wants to install software, make changes to your computer, and so on they will need to be the Administrator, and will need the password to the “MyComputerAdministratorDingDong” account. This does make it mildly harder to use the computer, but it is a worthwhile safeguard.

  1. Look at all the software on your machine and uninstall things that you don’t recognize

Over time, computers accumulate cruft. And if your computer wasn’t secured as described above, you are likely to find lots of cruft. Uninstall anything that you don’t recognize, or don’t use now.

What have you accomplished here?

In addition to potentially making your computer quicker, you have also removed all potentially suspicious software from your machine. Should you need one of them later, you can certainly add it back.

  1. Get yourself a good Anti-Virus software package

It is amazing that this is still something one has to list. Most ISP’s offer Anti-Virus free, download and install one. If your ISP doesn’t purchase one and install it.

Windows 8 and 10 come with Defender. In my experience they are not quite as good as commercial Anti-Virus software packages. While Defender is free, it is worth getting something else at this stage; maybe someday soon Defender will be better.

What have you accomplished here?

Anti-virus software is an essential part of your protection plan.  Make sure you have one; and Windows Defender isn’t (today) the answer.

  1. Change your WiFi password and make it something that is hard to guess, preferably obscene

This should be self-explanatory but passwords like “password”, “homewifi”, and “xfinity” are just too easy to guess! Make it something that is hard to pronounce, uses numbers and punctuation.

My preference is to make it something obscene, that way you won’t be yelling it out to people you meet.

That last thing is something I advocate for all passwords, make them words that you will not utter in public; does wonders for password security.

What have you accomplished here?

Getting on a network with other computers is one of the ways in which a bad actor could infect your computers. By making it harder to get on your network, you have added a layer of protection to your network.

  1. Only allow secure computers on your homegroup, and your home WiFi network

Most households with more than one computer likely share a homegroup and share files, music, and pictures on the homegroup.

If you are not able to secure a computer (as described above) kick that computer off your homegroup, move them to a Guest WiFi network.

So, what do I do about my internet connected TV’s, phones, and other devices which I can’t secure in this way. You could do one of two things, either get another cheap WiFi access point for those, or put them on the Guest WiFi network as well.

What have you accomplished here?

Your homegroup should be a safe space. By eliminating all potentially unsafe actors from the homegroup, you have improved the level of safety there.

  1. No matter how you read email, don’t click on links that you don’t recognize

Phishing, link highjacking, and numerous other nasty things that cause harm to your computer are caused by clicking on links. So if you receive email that includes links, buttons, and other calls to action, think before you click. Hovering over a link or a button will typically reveal what the action will be.

There is no easy way to tell someone how to recognize a fake email message; scammers are quite sophisticated these days. So just be safe and don’t click on things unless you are really sure you know what you are doing.

But, you can remember these simple tips:

  • Banks, Financial Institutions, and most legitimate businesses will address emails to you by name; not “Dear Customer”. If the email does not address you by name, it is likely bogus.
  • If you get an email saying your account has been terminated, will be terminated, has been compromised and you need to take immediate action, don’t click on the link provided. Instead find the link to login to whatever account, institution, or website and login directly. If the link is real, that’s fine, you at least know where you are going. And if it is a fake, you will realize it very quickly when you find that your account is fine!
  • If you get email saying “someone in your contact list has shared a document with you” it is a fake; services like Dropbox will tell you who shared the file with you.

What have you accomplished here?

Many exploits require you to take an action that triggers the installation of the bad software. By taking these steps, you have made it harder for this to happen.

  1. Disable automatic downloads, disable automatic showing of images

Web browsers and email clients allow you to set these privacy options. And they are well worth setting.

Search for directions for your specific browser and email client and make these changes.

What have you accomplished here?

Many exploits require you to take an action that triggers the installation of the bad software. Automatic downloads and infection buried in some image file formats are one way in which bad actors get around this. By taking the steps described here, you have made it harder for this to happen.

  1. Enable a screen-saver (with a lock and a timeout)

This is particularly important for laptops and computers in shared areas. Enable a timeout and a lock screen. When you step away from the keyboard, lock the computer (Windows Key-L). Require a password to unlock the computer.

What have you accomplished here?

An unlocked computer is an invitation for someone to meddle. A locked computer (with a good password) is significantly harder for one to damage.

  1. Disable autoplay USB

One of the most common sources of malware, viruses, and other nasty stuff is shared USB drives. Disabling autoplay along with the steps above can significantly improve the security of your machine.

If you are given a USB drive, consider the source carefully. I prefer to just say “No” and ask people to email the document(s) to me, or to put them on a shared drive like Dropbox.

What have you accomplished here?

Recently a new breed of exploits merely require someone to plug in a rogue USB stick into your machine and the malware gets automatically installed because of autoplay. By disabling autoplay, you make this harder (not impossible).

  1. Disable USB ports

And if you want to be truly sure, here’s what I do with my laptop when I travel. Reboot the machine to BIOS and disable the USB ports.

That way, when the friendly gentleman comes along and gives you a document on a USB stick, you can safely say it doesn’t work (then blame your IT department for it). If the person insists that he can fix it, you are still safe because no matter how much he jiggles the USB stick in the port, it won’t work.

On one occasion, a particularly persistent (read: pesky) individual said he knew what was wrong, that the port was disabled in the BIOS. And he went to reboot the computer to BIOS and sure enough “My IT Department” had set a password on that and damn them because I don’t know what it is.

What have you accomplished here?

Similar to the earlier step, you make it much harder for bad actors to infect your computer using the USB port as the attack vector.

As you can likely see, each of these steps will make it just a little bit harder to use, and enjoy your computer. But as the adage goes, “no pain, no gain”.