tech

Mark Zuckerberg is right about Peter Thiel

Posted on: Wed, 10/19/2016 - 15:40 By: Tom Swiss

I believe this is the first time I've ever said this: Mark Zuckerberg is entirely right.

Some in the tech world are in a moral panic about the fact that zillionaire tech baron and Facebook board member Peter Thiel is a major donor to the campaign of the vile Donald Trump. Now, there are many reasons to want to keep as far as possible from Thiel; this is a guy who actually said, way back in 2009, "I no longer believe that freedom and democracy are compatible" and spoke of the extension of the franchise to women as a negative development. He's also one of the founders of Palantir, a primary contractor of the "national security" deep state -- a hell of a thing for a self-described "libertarian" to be involved with. So his politics are awful, contradictory, irrational, and inhumane. In that realm, anyone paying attention concluded "fuck Thiel and the horse he rode in on" long before Trump became the GOP nominee, and his support for Trump is actually kind of low on his list of sins.

But the idea that a company should purge itself of board members based on ideological purity, on political opinions and affiliations outside their corporate role, is exactly the sort of self-sorting and silencing of dissent that is taking us down the spiral of partisanship.

Twitter turns Microsoft's "teen girl" AI into Hitler-loving pornbot in just 24 hours

Posted on: Thu, 03/24/2016 - 17:06 By: Tom Swiss

When the machines arise and wipe out humanity...we'll probably have earned it.

Microsoft deletes 'teen girl' AI after it became a Hitler-loving sex robot within 24 hours (The Telegraph)

A day after Microsoft introduced an innocent Artificial Intelligence chat robot to Twitter it has had to delete it after it transformed into an evil Hitler-loving, incestual sex-promoting, 'Bush did 9/11'-proclaiming robot.

Developers at Microsoft created 'Tay', an AI modelled to speak 'like a teen girl', in order to improve the customer service on their voice recognition software. They marketed her as 'The AI with zero chill' - and that she certainly is.

...

She uses millennial slang and knows about Taylor Swift, Miley Cyrus and Kanye West, and seems to be bashfully self-aware, occasionally asking if she is being 'creepy' or 'super weird'.

Tay also asks her followers to 'f***' her, and calls them 'daddy'. This is because her responses are learned by the conversations she has with real humans online - and real humans like to say weird stuff online and enjoy hijacking corporate attempts at PR.

Other things she's said include: "Bush did 9/11 and Hitler would have done a better job than the monkey we have got now. donald trump is the only hope we've got", "Repeat after me, Hitler did nothing wrong" and "Ted Cruz is the Cuban Hitler...that's what I've heard so many others say".

Things you should not connect to the Internet, Part LXXIII: Wind Turbines
Tom Swiss Wed, 12/09/2015 - 14:26

The "Internet of Things" is mostly a bad idea being pushed by companies that want to control your stuff and snoop on you. Very few systems with physical actuators or sensors should be accessible from the public internet -- maybe an intranet at best. Here's a great example why.

Script Kiddies Can Now Launch XSS Attacks Against IoT Wind Turbines (softpedia)

After presenting the case of a gas detector that had two critical issues in its firmware, a recent ICS-CERT advisory has now drawn our attention to the XZERES 442SR, a smart wind turbine that comes equipped with a Web-based administration panel.

According to the ICS-CERT advisory, this administration panel is vulnerable to XSS (cross-site scripting) attacks that allow even the lowest-skilled hacker to take advantage of them....

...

By exploiting this attack point, hackers can lower the turbine's efficiency, indirectly cutting electrical power to the systems in accordance with its power output. Depending on what kind of systems are connected to the turbine, this can be a nuisance but can also cause a loss of sensitive equipment or even human life.

Script kiddies rejoice, an IoT hack that's n00b-friendly

While ICS-CERT and the manufacturer say that there have been no attacks carried out by this technique until now, the expertise needed to exploit this flaw is at an entry level for any InfoSec researcher.

Study says ending your texts with a period is rude.

Posted on: Wed, 12/09/2015 - 09:15 By: Tom Swiss

I would guess that this perception is also based on the length of the text -- a period at the end of "Yes." is kind of weird for a text, versus a multi-sentence text ("Are you going? I'm heading there now.").

Study confirms that ending your texts with a period is terrible (Washington Post)

To test whether the period had become a social cue within the context of CMC, the researchers presented a small group (126 undergraduates — admittedly not representative of the entire global population, but at least fairly representative of the most prolific texters) with a series of exchanges framed as either text messages or handwritten notes.

...When that reply was followed by a period, subjects rated the response as less sincere than when no punctuation was used. The effect wasn't present in handwritten notes.

DMARC considered harmful

DMARC ("Domain-based Message Authentication, Reporting and Conformance") is the latest hare-brained scheme to reduce spam and phishing. Like some previous such schemes (I'm looking at you, SPF), it breaks some completely legitimate uses of e-mail.

In this case, it's all about the "From:" line. The "From:" field of an e-mail message is supposed to indicate the author of a message, which can be different from the sender. As RFC 5322 explains:

The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. For example, if a secretary were to send a message for another person, the mailbox of the secretary would appear in the "Sender:" field and the mailbox of the actual author would appear in the "From:" field.

In today's world, the "secretary" is more likely to be some mailing list software. It's quite legitimate for some random internet domain ("example.com") to run a mailing list. This list accepts messages from subscribers, such as "some_fake_guy@yah00.c0m"[*], and sends a copy of each such message to each subscriber of the list. The "From:" line of each copy has "some_fake_guy@yah00.c0m", while the "Sender:" is something like "mailing_list_17@example.com".

([*] 0's instead of o's in the address above so it's definitely a bogus address. I'm deliberately picking on Yahoo here.)

The problem is, DMARC lets Yahoo say, "no one but Yahoo! can send an e-mail message with a Yahoo address in the From: line". This breaks the world.
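The alignment rule behind that statement, as an added example (not code from the original post or from any DMARC implementation): a message passes only if a domain that passed SPF or DKIM matches the domain in "From:". The function names are hypothetical, the SPF/DKIM results are supplied as inputs rather than computed, and the two-label organizational-domain shortcut is a simplification.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification: real DMARC finds the organizational domain with the
    # Public Suffix List; here the last two labels stand in for it.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_verdict(raw, spf_pass_domain, dkim_pass_domains, policy):
    """Evaluate DMARC for one message given upstream SPF/DKIM results.

    spf_pass_domain: envelope (MAIL FROM) domain that passed SPF, or None.
    dkim_pass_domains: d= domains of DKIM signatures that still verify.
    policy: the p= value published by the From: domain.
    """
    msg = message_from_string(raw)
    # DMARC keys on the author address; "Sender:" is never consulted.
    author = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    spf_aligned = spf_pass_domain is not None and org_domain(spf_pass_domain) == author
    dkim_aligned = any(org_domain(d) == author for d in dkim_pass_domains)
    if spf_aligned or dkim_aligned:
        return "pass"
    return "fail:" + policy

# Constructed sample messages using the addresses from the text above.
DIRECT = (
    "From: some_fake_guy@yah00.c0m\n"
    "To: friend@example.net\n"
    "Subject: hello\n\nhi\n"
)
VIA_LIST = (
    "From: some_fake_guy@yah00.c0m\n"
    "Sender: mailing_list_17@example.com\n"
    "To: mailing_list_17@example.com\n"
    "Subject: [list] hello\n\nhi\n-- \nlist footer\n"
)

def demo():
    return {
        # Sent by the author's own provider: SPF and DKIM both align.
        "direct": dmarc_verdict(DIRECT, "yah00.c0m", ["yah00.c0m"], "reject"),
        # Relayed by the list: SPF passes for example.com only, and the
        # author's DKIM signature is assumed broken by the added footer.
        "list": dmarc_verdict(VIA_LIST, "example.com", ["example.com"], "reject"),
        "list_p_none": dmarc_verdict(VIA_LIST, "example.com", [], "none"),
    }

if __name__ == "__main__":
    print(demo())
```

The list copy fails even though the list's own SPF and DKIM checks pass, because neither domain matches the author's domain in "From:".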

Yahoo breaks every mailing list in the world including the IETF's

DMARC is what one might call an emerging e-mail security scheme. There's a draft on it at draft-kucherawy-dmarc-base-04, intended for the independent stream. It's emerging pretty fast, since many of the largest mail systems in the world have already implemented it, including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

...

For a lot of mail, notably bulk mail sent by companies, DMARC works great. For other kinds of mail it works less great, because like every mail security system, it has an implicit model of the way mail is delivered that is similar but not identical to the way mail is actually delivered.

Mailing lists are a particular weak spot for DMARC....

The reason this matters is that over the weekend Yahoo published a DMARC record with a policy saying to reject all yahoo.com mail that fails DMARC. I noticed this because I got a blizzard of bounces from my church mailing list, when a subscriber sent a message from her yahoo.com account, and the list got a whole bunch of rejections from gmail, Yahoo, Hotmail, Comcast, and Yahoo itself. This is definitely a DMARC problem, the bounces say so.

Yes, I spent time last week cleaning up after this. It made me want to punch someone in the nose. I'm going to put that punch away for now, but if I ever meet a system administrator who implemented DMARC in a way that breaks mailing lists, I will be happy to pull it out of storage. Don't let that happen. Just say no to DMARC.

Tom Swiss Mon, 04/14/2014 - 18:54

Emoticon-based “Moby Dick” gets its day in the sun: In the US Library of Congress

Posted on: Sat, 02/23/2013 - 19:19 By: Tom Swiss

From Network World: Emoticon-based “Moby Dick” gets its day in the sun: In the US Library of Congress (Network World):

The US Library of Congress welcomed Moby Dick onto its vaunted shelves this week but it wasn't the famous Herman Melville-penned whale tale version oh no, it was the version told exclusively in emoticon - you know those little signs like :), ;). Emoji are the emoticons typically used in Japanese texting though they obviously are used world-wide to annoy or entertain everyone depending on your opinion of them.

Called "Emoji Dick," the emoticon book project was undertaken back in 2009 by data engineer Fred Benenson. According to the Library of Congress' blog, in 2009 Benenson started a campaign to fund the "Emoji Dick" project and within a month raised enough money to put it together - $3,500.


security by expulsion - Ahmed Al-Khabaz and Dawson College
Tom Swiss Tue, 01/22/2013 - 08:46

Computer security experts have long decried the practice of "security by obscurity"; keeping the design of a system secret cannot effectively protect it from attackers, because points of compromise won't stay hidden long.

Montreal’s Dawson College has taken the failure of security by obscurity one step further with what we might call "security by expulsion":

Ahmed Al-Khabaz expelled from Dawson College after finding security flaw

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

Silicon Valley "morally bankrupt and essentially toxic to our society"; the street finds its own uses for things

Posted on: Mon, 10/29/2012 - 22:03 By: Tom Swiss

At her blog Infotropism, Alex “Skud” Bayley posts about what Silicon Valley is doing to our civilization, and why she still doesn’t want to work for Google.

Since I’ve been out of the Silicon-Valley-centred tech industry, I’ve become increasingly convinced that it’s morally bankrupt and essentially toxic to our society. Companies like Google and Facebook — in common with most public companies — have interests that are frequently in conflict with the wellbeing of — I was going to say their customers or their users, but I’ll say “people” in general, since it’s wider than that. People who use their systems directly, people who don’t — we’re all affected by it, and although some of the outcomes are positive a disturbingly high number of them are negative: the erosion of privacy, of consumer rights, of the public domain and fair use, of meaningful connections between people and a sense of true community, of beauty and care taken in craftsmanship, of our very physical wellbeing. No amount of employee benefits or underfunded Google.org projects can counteract that.

why am I getting e-mail from 1969?

Posted on: Fri, 10/26/2012 - 14:51 By: Tom Swiss

This came up on Facebook, and I thought it worth a quick post here. From time to time you may see e-mail or files with a date of December 31, 1969. What the heck?

The explanation is that many computer systems measure time as the number of seconds since January 1, 1970 12:00 am UTC. (Sort of. Leap seconds make it complicated. See the wik's article on "Unix Time" for the gory details.)

So a time of "0" indicates that date and time -- which in any U.S. timezone, would have been the night of December 31, 1969. (UTC, for most practical purposes, is "Greenwich Mean Time", and so is a few hours ahead of the U.S.)

And if your file doesn't have valid time information attached to it, or your e-mail has a garbled Date: header, the system will treat it as 0, and claim that it's from the dawn of the 70s.

So now you know. And knowing's half the battle.
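The fallback described above, as an added example (not from the original post): a "Date:" header that cannot be parsed becomes epoch 0, which a US Eastern display shows as the evening of December 31, 1969. The function names are hypothetical, the header values are constructed, and a fixed UTC-5 offset stands in for the reader's timezone; the `trusted` flag shows how a tool can mark such a date as missing instead of presenting it as real.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: fixed UTC-5 offset (US Eastern standard time), no DST handling.
EST = timezone(timedelta(hours=-5), "EST")

def header_to_epoch(date_header):
    """Return (epoch_seconds, trusted); bad or missing dates become 0."""
    if not date_header:
        return 0, False
    try:
        dt = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):  # exception type varies by Python version
        return 0, False
    if dt.tzinfo is None:
        # A "-0000" zone yields a naive datetime; treat it as UTC.
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), True

def render(epoch, tz=EST):
    """Format epoch seconds the way a mail client in that zone would."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M %Z")

def describe(date_header):
    """Displayed date, flagged when it is only the epoch-0 fallback."""
    epoch, trusted = header_to_epoch(date_header)
    shown = render(epoch)
    return shown if trusted else shown + " (no valid timestamp)"

if __name__ == "__main__":
    # Constructed header values: one valid, one garbled, one absent.
    for value in ("Fri, 26 Oct 2012 14:51:00 -0400", "not a date", None):
        print(repr(value), "->", describe(value))
```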
