Archive for the ‘computer’ Category

Exploiting Trust: Vulnerabilities in Social Media

Saturday, February 13th, 2010

Right now social media, security wise, is exactly where the internet was in the mid 90s: we’re excited, we’re adding functionality, we’re connecting to everyone, and we’re assuming that everyone else is as excited and good willed as us. In other words, we’re trusting.

Much like the early websites built by enthusiasts (with all the negative connotations of that word), our current approach to distributing information about ourselves takes very few security precautions. This is partly because we don’t really understand the scope of our actions, and partly because what we write is free content for the social media sites: the more we write and the more people read it, the higher the value of their website.

This isn’t an attack on any specific protocol, site, or network, though I will discuss a few, but rather a general discussion of our attitude. I realize I’m writing this one day after the launch of Google Buzz, but all of these vulnerabilities existed before it; Google’s ubiquity and its attempt to centralize all of it just make them more obvious.

One great example of trust is the hash tag mechanism on Twitter. Companies are using hash tags to foster conversation about themselves without any thought about the lack of moderation in the medium. A corporation that would instantly file a cease and desist against a website that made claims in its name in official-looking type is more than happy to lend legitimacy to “its” hash tag by having reps post to it from their Twitter accounts. This creates a trusted space with absolutely no access control, since anyone can post using any hash tag.

If an attacker waits for this company-name hash tag to achieve legitimacy and a crowd of followers, all she has to do is push enough posts quickly enough to cause a (pardon) buzz, and an instant bad-press rumor is launched. There are plenty of forums that can push enough posts to create a trending rumor out of the blue (off the top of my head, 4chan, digg, and reddit have), especially once the retweets from confused readers begin and take over the process. Since Twitter provides an API, this could also be done by a single bored person who has created a few thousand accounts for himself with a captcha breaker and can write scripts. By endorsing these open hash tags, companies are basically giving the world at large the ability to speak in their voice.

Companies have also taken to putting up screens that display their hash tags as scrolling searches in their lobbies (or, in one case in San Diego, on a large TV behind the bar). The lack of moderation means that anyone can post ads for their competitors, or simply embarrassing content, in order to hurt the brand name. There is no way to stop this content from being posted to the hash tag and, short of closing the feed, no way to remove it. Some of the software goes as far as displaying images inline; ways to prank this are left as an exercise for the reader.

On the complete opposite side of this target space are personal social media attacks. A casual glance at Facebook, Twitter, and Buzz feeds shows that we treat these websites like personal conversation tools, not billboards for all to see. Things we’d never plaster over our house, like “I’ll be gone on vacation for 7 days so no one is home”, we’re more than happy to put online on a site that also has our address. We fight like mad against the invasive nature of omnipresent cameras while tweeting our exact location every 30 minutes in order to get Foursquare points, with absolutely no sense of irony.

Google Buzz, which by default appends map information when posting from a phone, makes this even more obvious. A chatty person involved in a back and forth might leave a complete trail of where they were at near-constant intervals through their day. While I grant that this lack of privacy is not catastrophic in and of itself, a criminal with a smart phone and access to the “local buzzes” feature would have up-to-the-minute reports of who is where, who just went to the ATM, who is bringing home a new expensive TV (and where exactly they are plugging it in), and, with a trip to the airport, a constant feed of people excited to be going away for a few days.

The last in particular highlights that we have not yet reached the point that tipped the net towards security: attacks automated enough to let every Joe the Script Kiddie do harm. Currently an attacker would have to go to the airport, set up a laptop, pull the buzzes of people leaving or arriving, compare them to those people’s previous buzzes, and work out their home addresses. However, all of the above can be converted into a simple application that performs these steps in a few seconds, something we’ll playfully call iBurglar. Once it is an easy-to-use app available for download is the point where we might start to see action from the social media websites.
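To make the correlation concrete, here is an added example in Python (my code, not anything from the original post) of the steps the hypothetical iBurglar would automate: infer a home location from a user’s night-time geotagged posts, then flag posts that look like a departure (sent from near an assumed airport coordinate, or containing travel talk) and pair them with that home. The feed, the airport coordinate, the “night” hours and the keyword list are all constructed assumptions for the example.

```python
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample feed, not real data: (user, ISO timestamp, lat, lon, text).
POSTS = [
    ("alice", "2010-02-08T23:10:00", 32.7157, -117.1611, "home at last"),
    ("alice", "2010-02-09T07:30:00", 32.7157, -117.1612, "coffee then work"),
    ("alice", "2010-02-09T12:05:00", 32.7200, -117.1630, "lunch downtown"),
    ("alice", "2010-02-09T23:40:00", 32.7158, -117.1611, "tv and bed"),
    ("alice", "2010-02-10T00:15:00", 32.7157, -117.1610, "can't sleep"),
    ("alice", "2010-02-11T06:05:00", 32.7338, -117.1895, "off to cabo for a week!"),
    ("bob",   "2010-02-09T22:00:00", 32.7000, -117.1500, "tv time"),
    ("bob",   "2010-02-10T13:00:00", 32.7100, -117.1700, "errands"),
]

# Assumptions for the example: an approximate airport coordinate, how close
# counts as "at the airport", and which phrases sound like travel talk.
AIRPORT = (32.7336, -117.1897)
AIRPORT_RADIUS_KM = 1.0
TRAVEL_WORDS = ("airport", "flight", "vacation", "for a week", "boarding")


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def is_night(ts):
    """Posts between 22:00 and 07:00 are assumed to be sent from home."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 22 or hour < 7


def infer_home(posts, user):
    """Most frequent ~100 m grid cell (3 decimals) among the user's night-time
    posts. Returns None unless at least two posts agree, so a single late
    post sent from somewhere else does not become a guessed address."""
    cells = Counter(
        (round(lat, 3), round(lon, 3))
        for u, ts, lat, lon, _ in posts
        if u == user and is_night(ts)
    )
    if not cells:
        return None
    cell, count = cells.most_common(1)[0]
    return cell if count >= 2 else None


def away_signals(posts):
    """Return (user, inferred_home, timestamp, text) for every post that looks
    like a departure: sent from near the airport, or talking about travel."""
    found = []
    for user, ts, lat, lon, text in posts:
        near_airport = haversine_km((lat, lon), AIRPORT) <= AIRPORT_RADIUS_KM
        travel_talk = any(w in text.lower() for w in TRAVEL_WORDS)
        if near_airport or travel_talk:
            home = infer_home(posts, user)
            if home is not None:
                found.append((user, home, ts, text))
    return found


if __name__ == "__main__":
    for user, home, ts, text in away_signals(POSTS):
        print(f"{user} is leaving ({ts}: {text!r}); home is near {home}")
```

Two things are worth noticing. The attacker needs nothing but the public feed and a few hundred lines like these, so the defence has to sit on the platform side: not attaching precise coordinates by default, coarsening them, or not publishing location on posts that are visible to strangers. And the home inference only works because the nightly posts repeat; a single geotagged post gives away far less than a habit does.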

We also do not realize how permanent the things we write on these websites are and how trivial searching them has become. A search on social sites for phrases related to drug use (try 420) shows people more than happy to discuss illegal actions in criminally implicating ways. And this time, unlike with phone calls or text messages, we can’t even begin to claim an expectation of privacy; we are literally posting it for everyone to see. There was recently a news story about a bail jumper who was caught because cops recognized the resort in the background of his new Facebook profile photo. This didn’t even require a warrant; it was a public photo.

It’s easy to dismiss examples like that, and all the previous ones, as the fault of the users, but users assume privacy and assume good intentions. Currently social media is a giant space completely open to attack, and our open-by-default approach is not sustainable. It is the responsibility of social media designers to create media that steer users into safe behaviors and quite literally protect them from themselves, while at the same time balancing the needs of their shareholders and advertisers. It’s an interesting future, no doubt.

defending the unthinkable

Tuesday, February 9th, 2010

i went to college with the intent to major in computer science and design a computer that thinks. pretty ambitious, but computing power was and is flying up and, after all, kurzweil says it’ll happen in 2030 or whatever his hypothesis is now, so it would be in my lifetime. as perfect a time as there could be for it.

along the way i ran into a single quote from the 70s that completely stopped me.

“The question of whether a computer can think is no more interesting than the question of whether a submarine can swim” – Edsger Dijkstra

in one sentence it summarized for me that a “thinking computer” is just a language illusion. it’s not real and it will never be real.

a computer will never think in the same way a submarine will never swim. swimming is what living things do; a submarine instead ‘propels itself through water’. a computer will never ‘think’, it will ‘perform computations in order to arrive at conclusions’. which, guess what, they already do and have been doing for ages.

for people to agree that a machine is a “thinking computer”, it would have to feature a display of a pleasant cartoonish face that, when computing, furrows its brow and makes “hmm” noises. while an interesting task and a cognitive/behavioral challenge, it’s not a computer science problem.

the better goal, which i learned in compilers: we should be working to precisely define problem spaces where computers can help with decision making, and then writing better and more robust expert systems (by whatever buzzword they go by nowadays) that can read data about the situation and suggest or perform actions in response. not as glamorous as ‘thinking’, but infinitely more useful.

and you thought your rebooting was a pain

Tuesday, February 9th, 2010

this is the process for rebooting the mac mini at my apt:

  1. power on
  2. enter username and password
  3. you will get between 0 and 4 warnings about hard drives being corrupt (long story); just hit ‘Ignore’ for now.
  4. your screen will suddenly switch from normal to all messed up. to fix it, click offscreen to the right and up and find the pull-down menu option to switch to 1244×768 resolution. long story.
  5. next, networking. the built-in wireless doesn’t work (long story) so it uses a usb wireless. the one this mac has is not mac compatible (long story) so it uses spoofed windows drivers. run USBWirelessUtility to connect. in case it ate its configuration, you might need to re-enter the WPA2 key.
  6. networking part 2: since the computer shares network to the xbox you will need to put in custom command line routing rules (long story). first do “killall nadt” and wait about a minute (long story). after “ps -au | grep nadt” shows it died, run “./nads”.
  7. next, storage. there are four usb drives which all have full disk encryption. start Disk Utility and count the devices. they sometimes don’t come up correctly (long story) so if one doesn’t show up, figure out which one it is by disk size and power cycle it until it shows up.
  8. now open TrueCrypt and arrange the drives in the correct order by size (‘Restore Favorites’ won’t work, long story) and mount them one by one using each of their unique passwords (all 30ish characters), which when entered together in the right order make a verse from a polish song from the 90s.

and you’re done. if you’re feeling proactive you can reestablish smb connections to other machines, verify dropbox and simplifymedia are running correctly, and check for patches. if there are patches, cross your fingers that they won’t require a reboot.

technology to make you an important person

Tuesday, December 8th, 2009

in one of umberto eco’s collections of writings he mentions seeing a man in a restaurant who during dinner would loudly talk on his cellphone about large (iirc mafia-related) business deals. the man’s intention was to communicate that he was an important person of significant power. eco then points out that the man got one thing precisely wrong: an important person would never be interrupted during dinner.

power is about being able to do what you want, when you want to, not simply being responsible for greater and riskier things.

i recently thought about this upon receiving a random internet alert. i spent a large chunk of my life thinking that to be more technologically advanced you need to be more hooked up, with all your programs reporting status updates to you constantly. in reality this does not empower you, just scatters your attention.

instead, i’ve now actually made an effort to disconnect myself and hide things away from myself. i have enough trouble concentrating without a periodic ‘beep’ that, upon investigation, will inform me that someone has become the mayor of a new eatery in foursquare. my phone and computer have no twitter/facebook/rss alerts at all anymore, instead i read those when i feel like it using web browser bookmarks. my phone now receives nothing that makes noise, except calls which still require immediate attention unfortunately.

my only exception is that emails to my work account show up in my computer dock. that’s a work obligation. nothing else does.

technology should never interrupt you. technology should politely wait for you to look in its direction, then quickly, clearly, and efficiently say what it has to say, and when done move back and wait on the side.

the maliciousness of crowds

Thursday, November 26th, 2009

if there is one thing that programmers can almost uniformly be accused of, it’s coding for the best case: wanting to write programs designed around all things behaving correctly every time.

one random facet of this is the assumption that crowds and their voting can be trusted to behave in a productive way. let’s say you have a website where people vote on who is the best poster / reviewer / uploader / whatever, and it rewards them in some way. simple to implement, simple to test, and you’re done, right?

well, never underestimate the willingness of crowds to behave maliciously. getting 1000 people to prank a system like that is trivial, and it’s even easier to get one person with a bunch of zombie machines all over the planet.

attacks like this are really common: websites raid amazon review / recommendation pages for fun, 4chan obliterated a “person of the year” TIME poll, and twitter “trending topics” seem to be raids more often than not.

the last one in particular strikes me as funny. businesses are now adopting their own hash tags to let people talk about them, and in some cases display the results in real time in the lobby or on their page. i’m astounded at this. all it takes is one message board post asking everyone to twitpic porn to the hashtag and voila, instant PR disaster.

always program for the worst case, not the best case. unless you have some method to block them, assume that at any point in time there are thousands of bored suburban teenagers who would love to abuse any ranking system you have, just for laughs.
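as an added example (my code, not anything from the original post), here is the kind of worst-case check a ranking like that needs, in python: deduplicate votes per voter, look for bursts that come mostly from freshly created accounts, and give a raided target credit only for votes from established accounts. the vote log and every threshold are constructed assumptions for the example, not values from any real site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for the example; a real site would tune these.
NEW_ACCOUNT_DAYS = 7                  # accounts younger than this are "new"
BURST_WINDOW = timedelta(minutes=10)  # window in which we count a burst
BURST_SIZE = 5                        # this many votes in a window is a burst
MAX_NEW_FRACTION = 0.5                # more new accounts than this looks like a raid

# Constructed vote log: (target, voter, voter account age in days, ISO time).
VOTES = [
    ("post_1", "u1", 400, "2009-11-26T10:00:00"),
    ("post_1", "u2", 120, "2009-11-26T11:30:00"),
    ("post_1", "u3",  90, "2009-11-26T15:00:00"),
    ("post_1", "u1", 400, "2009-11-26T16:00:00"),  # duplicate vote, ignored
    ("post_2", "o1", 300, "2009-11-26T19:55:00"),
    ("post_2", "n1",   0, "2009-11-26T20:00:00"),  # six throwaway accounts
    ("post_2", "n2",   1, "2009-11-26T20:00:10"),
    ("post_2", "n3",   0, "2009-11-26T20:00:20"),
    ("post_2", "n4",   2, "2009-11-26T20:00:30"),
    ("post_2", "n5",   0, "2009-11-26T20:00:40"),
    ("post_2", "n6",   0, "2009-11-26T20:00:50"),
    ("post_3", "v1",  50, "2009-11-26T21:00:00"),  # genuine surge of old accounts
    ("post_3", "v2", 800, "2009-11-26T21:00:15"),
    ("post_3", "v3", 200, "2009-11-26T21:00:30"),
    ("post_3", "v4", 365, "2009-11-26T21:00:45"),
    ("post_3", "v5",  30, "2009-11-26T21:01:00"),
]


def dedupe(votes):
    """One vote per (target, voter); the first one wins."""
    seen, kept = set(), []
    for vote in votes:
        key = (vote[0], vote[1])
        if key not in seen:
            seen.add(key)
            kept.append(vote)
    return kept


def burst_report(votes):
    """Return {target: (votes_in_worst_window, fraction_from_new_accounts)}
    for every target whose busiest BURST_WINDOW looks like a raid."""
    by_target = defaultdict(list)
    for target, _voter, age, ts in dedupe(votes):
        by_target[target].append((datetime.fromisoformat(ts), age))
    flagged = {}
    for target, items in by_target.items():
        items.sort()
        worst = (0, 0.0)
        for i, (start, _) in enumerate(items):
            ages = [age for t, age in items[i:] if t - start <= BURST_WINDOW]
            new = sum(1 for age in ages if age < NEW_ACCOUNT_DAYS)
            worst = max(worst, (len(ages), new / len(ages)))
        if worst[0] >= BURST_SIZE and worst[1] > MAX_NEW_FRACTION:
            flagged[target] = worst
    return flagged


def ranking(votes):
    """Scores, best first. A raided target only gets credit for votes from
    established accounts, so the throwaway accounts buy nothing."""
    flagged = burst_report(votes)
    scores = defaultdict(int)
    for target, _voter, age, _ts in dedupe(votes):
        if target in flagged and age < NEW_ACCOUNT_DAYS:
            continue
        scores[target] += 1
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("raided:", burst_report(VOTES))
    print("ranking:", ranking(VOTES))
```

the point of the two thresholds together is that a burst on its own is not hostile (post_3 is a real surge of old accounts and keeps its score); it is the combination of a burst and accounts created for the occasion that is treated as a raid, and then what the raiders bought is simply not counted. one person with a botnet looks the same as 1000 bored teenagers under this rule, which is exactly why account age and timing, not just vote count, have to be part of the check.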

modern wombat

Thursday, November 12th, 2009

what i learned from the game Modern Warfare 2:

  • the CIA is perfectly willing to slaughter hundreds of civilians as part of an undercover op
  • all brazilians are armed to the teeth
  • the russian military gives each person a totally different brand and caliber gun
  • heartbeat monitors can detect if you’re friend or foe
  • and so can UAVs. they even mark foes with little red rectangles in real time
  • specops can drive snowmobiles one-handed while shooting and reloading an uzi, but are completely befuddled by chain link fences and barbed wire
  • it’s possible to get good consistent bandwidth in a remote mountain house (note! this one might not actually be true)
  • russia can launch a full land invasion of america with 1 day prep

and that famous part of MW2, the “kill the civilians” bit, it’s funny to me that it’s that big a deal. you’re playing a shooter and have already shot dozens of random people, will continue to shoot hundreds more, and because some of them are unarmed it’s a big deal? yes, they get hit in “realistic” ways (as much as that applies to computer games) but so does every other character.

cmon now, you call in airstrikes on crowded cities and grenade marketplaces, but apparently all those are abandoned and/or no one cares about brazilians.

eh, whatevs.

a linux milestone

Saturday, October 17th, 2009

a personal linux milestone: i now have hardware that works in linux, but not windows

the device in question is a generic linksys usb wireless card that works just fine in ubuntu, but windows refuses to let me install any driver for it, claiming they’re all the wrong one.

best part? i’m using that wrong windows driver in linux to operate the card.

work pair of dimes

Friday, October 2nd, 2009

never forget that all the work paradigms you’ve ever been taught or forced into (in the case of programming, things like extreme programming or scrum) aren’t some sort of mathematically proven theorems or empirically checked models. they’re simply one guy’s idea of how a group should work that happened to work in his group.

if you find yourself constantly striving to match a paradigm, back up. maybe you’re not really meant to work that way. do you have something that works for you?

keep in mind though, some people really might not have a method that works, in which case anything that involves structure might be beneficial.

one random example from my own life: my email. i spent a stupid amount of time attempting to stay on top of sorting email because i was told at one point that organized email is important. i tried tags, rulesets in the hundreds, smart folders, all at the same time, and the results were dismal. best part? i never used it. i never once said to myself “oh, i need this communication from the prime minister of ukraine, let me look under “prime ministers”, tagged “ukraine””. no, i’d just go to the search bar, click “From” and type ytymoshenko@gmail.com. ta-da.

new solution? 4 inboxes (i have 4 mail aggregating accounts), total of 2 regular folders marked “important” and “not”, and 1 smart folder. the rule for the smart folder is:
- if the email is unread, or the email is in folder important, show it.

the only folder i look at is the smart folder. all unread emails are in there and disappear after they’re read (technically, they disappear after i close the window, which i do as soon as i’m done looking at mail), unless they’re something relevant, in which case i drag them to the “important” folder. once they’re solved/answered, they’re dropped in “not”. every blue moon i drag all emails from the inboxes to the “not” bin, just in case things go bad if the inbox gets too large.

that’s really all i need from email, it works with my actual work flow, and actually uses that CPU power this machine has. i imagine this would work even better with gmail, but at work we have lolexchange so eh.

different example of this: i have a bizarre music writing method. i work in bursts where i write and record for about 5 hours straight, during which i like to be alone with no one listening; then, when done, i leave it alone for a week while sending it to half the people on my IM list to ask what they think of it and where it should go.

somehow the conversation process is what lets me mentally decide where it needs to go. it’s silly, but songs which i don’t talk about end up piling up as minute long fragments that never went anywhere. songs i do, end up growing into actual songs. well, not immediately. they go through a bunch of cycles of this. some more than others.

(btw, apologies if you happen to be on the receiving end of the “hey can you tell me if this works? what do you think of the cut up trumpet loop?” messages and are annoyed by it. just let me know, i won’t be offended)

in any case, yes, don’t get obsessed with following in the footsteps of others; just set a similar goal to what they had and find what manner of movement works best for you. but don’t use that as an excuse to be lazy either.

little computing milestones

Saturday, September 19th, 2009

there’s some microsoft offer to sell windows 7 to students for $30, and since my email address looks rather studentlike, i briefly considered getting in on this.

i was just about to fill out the form when i suddenly remembered: i don’t have a single computer that runs windows anymore. work mac laptop, mac mini at home, and 2 old unix laptops. i guess i could upgrade the xp that runs in parallels, but i’m too worried it’d blow away the rest of my partitions in the process. i only use it to test sites in obsolete IE versions anyway.

for the curious, the machines are:
- work laptop, macbook pro. i take it home though since the border between work and not-work is sorta vague in my life
- home mac mini. hulu, netflix, bluetooth keyboard that reaches the couch fine. it’s basically the cable box replacement. i just upgraded the ram on it so i should see if it can run games at all, i think i have an xbox controller hooked up to it with drivers installed. i should see what i can do with that
- circa 1999 thinkpad, running ubuntu. it can run terminal just fine, but attempting to run a modern gnome gui causes serious lag. i use it as an always on personal subversion server, and since it sits at work, to show most recent server errors from the logs in streaming format
- circa 2002 sony, running ubuntu. default home laptop, doesn’t run movies too well but is a pretty good machine otherwise. usb wireless since this was the last model laptop to not have a built in wireless card

i don’t have a gaming pc anymore. it’s fine, i don’t really have time to play games enough to justify the investment in one, and when i do game it’s usually just dwarf fortress, eve, or xbox, none of which require an omgwtfsuper pc.

besides, it’s not like there’s any space to put a gaming rig in the apartment. i’m still juggling to find a way to keep my clothes semi-organized.