Category: news-chum

🇮🇱 So, About Israel

Posted onAuthorcahwyguyLeave a comment

With all the discussion about what is happening in the Middle East, and all the discussions about Israel and Palestine, I thought I should make some things clear:

  • unequivocally  support Israeli’s right to exist as a nation, and as a space where Judaism can be practiced safely. The land where Israel is located is the traditional homeland, going back to biblical days. We can quibble on the exact borders, but the current borders — which exclude Gaza and portions of the West Bank, are as reasonable as any.
  • Many — but not all — of the Arab and Palestinian groups that are involved in these battles have as a fundamental tenet that Israel does not have the right to exist. At all.  A Hamas member stated today, “Israel is a country that has no place in our land. We must remove that country because it constitutes a security, military and political catastrophe to the Arab and Islamic nation and must be finished.” You can not negotiate with organizations and nations from a position where they deny your right to exist. Simple as that. Were they to recognize Israel’s right to exist in some form, a solution can be achieved. While they refuse to do so, a solution is not possible. Note that Israel has recognized the right for some form of Palestinian nation to exist, by ceding the land of Gaza and portions of the West Bank. Note that other Arab nations have not provided land for the Palestinians, even though the land was part of the same British mandate.
  • Hamas is behaving much like ISIS did on 9/11: They specifically attacked civilians to create terror, and have specifically located their facilities in civilian areas because of the PR benefit they gain when their military facilities are attacked and civilians are harmed. Hamas has specifically made the decision to put their population in danger. Israel’s war is with Hamas, not the civilian population. Hamas has made it nearly impossible, however, to root out the terrorists without collateral damage.
  • That said: Support for Israel does not mean I always agree with the actions of the Israeli government. Judaism is not the same as Zionism; support for the nation of Israel is not the same as supporting their government. I love and support America; I despise Donald Trump (especially when he was President). I do not agree with all the actions taken by Netanyahu, although I do agree that Israel has the right to go against Hamas, just as America went against ISIS.
  • Israel has not always treated its Arab population well. It didn’t treat the established population of Gaza and the West Bank well when it governed those lands. That fact cannot be changed, just as America has no excuse for its abuses in the areas of slavery, or in the abuses of the internment camps, or in any other form of racism that has occurred. That can only be corrected moving forward (and is unlikely to be corrected under Netanyahu, alas); and will only be corrected once said population is not trying to wipe Israel off the map. That really is the fundamental problem.
  • There is no excuse for antisemitism.  Period. End of story. In particular, Jews throughout the world are not the individuals who have governed the Palestinian areas. That treatment is not what Judaism believes in. Dislike or even hate the current and past Israeli governments if you feel that way, but do not take it out on Jews throughout the world. The same is true, by the way, for anti-Muslim hate. Hate Hamas and these terrorist organizations. Do not hate the Palestinians or Muslims, who outside of those organizations are peaceful and kind people.

Let us all hope for the day, when each side recognizes the other’s right to exist in the Middle East, and we can work to negotiate a settlement based on that recognition, and the fact that beneath it all, we are all monotheistic siblings with a shared basis.

Share

🗯️ Thoughts on a Breach

Posted onAuthorcahwyguy2 Comments

I haven’t written a real blog post in a long time, but this one is floating around in my head and insisting to come out.

For the last few months, I’ve been following closely the breach that occurred at Lastpass. You may have heard about it. It’s been all over the technical news feeds, with lots of fear, uncertainty and distrust. It was of particular interest to me, as a long time Lastpass user. These articles make it sound like Lastpass is the most insecure password manager out there. They advise everyone that their “vaults have been stolen” (not making clear it was the encrypted vaults, and the purpose of encryption is to protect information if it does get stolen). They advise everyone to change every password. They advise people to run screaming away from Lastpass to other password managers.

Their tone strikes me as off. It reminds me of the days when everyone piled on Microsoft for what we later learned was probably no good reason, for Microsoft had been moving in the right direction. Their tone — to me — sounds like risk-adverse panic. They are scaring people away from this product because of a risk that really isn’t as bad as they make it out to be.  There are times I wonder if there is an agenda behind those articles (and my mind even wonders at some times if a competing password manager wasn’t behind the attack — after all, you don’t have to do anything with the vaults to damage the market leader — the attack is sufficient).

I’ve read the latest blog post from Lastpass closely. I suggest that you do as well. Here’s what I take away from it.

First, this wasn’t a flaw in the product. The flaw — as it is so commonly — was on the human side. Social engineering was used to attack an employee’s home computer, and that employee hadn’t adequately patched their home computer. This is quite common, and to expect perfection in how people maintain their home machines is wrong. It also seems clear that this employee — and Lastpass itself — was targeted by an adversary. That tells me this wasn’t a typical “scoop up the data and sell it”. This was a targeted spearphishing attack, likely with some specific vaults in mind. That’s evident in how the attack went down, and the fact that the data exfiltrated hasn’t shown up elsewhere. For all we know, this was a government adversary targeting a specific individual they learned had a vault.

ETA: Could the breach have been stopped with a product patch? Possibly. But remember here that the attack was on a home computer, not a work machine managed by LogMeIn. On your home computer, do you install every patch on every third-party product? Most people don’t. There’s some hygiene and education to be done here, but it isn’t a product flaw.

The takeaways from this, for me, are:

  • The product is not inherently flawed. It uses a reasonable scheme to protect the vaults, and suffers from the same risks that any product that stores stuff in the cloud faces. The vaults are protected with a strength commensurate with the user chosen master password and iteration count.
  • The nature of the attack is something that could happen at any password manager product: targeting developers at home. That’s even true for open source products: open source products may still store user data in the cloud, and that data can be compromised.
  • Corporate training may be weak, but corporate training overall is weak, and people are often the weakest part in any company.
  • This was targeted attack. If you are a high-value target, I’d be worried. If you are the run of the mill user, I’d be much less worried. It is likely not worth the adversaries effort to attempt to decrypt your vault.

Second, should you change all your passwords? I think the clear answer here is “no”, not all. If you choose to change anything, you should make your determination based on what the password is protecting. Is it a bank or something vital, such as your domain configurations or DNS? Is it your social security account? Is it your email account? Change it. But you should be changing those passwords on a regular basis anyway, and enable MFA. But is the password for something like Slice or Lands End or Disqus. I wouldn’t worry. So they order a pizza on a credit card number they can’t see. You dispute the charge, unless they delivered it to you and you enjoyed it. The risk isn’t there. I’d venture you would only need to change about 20% of your passwords, if you have as many throwaway accounts as I do.

This, of course, is presuming you follow best practices. Create a unique account for each site; don’t rely on your Google or FB login. Have strong unique passwords for every site. Enable MFA where you can. These are all best practices you should know if you’ve been trained. You’re not that weak link, are you?

But do you need to change your passwords? The answer here is: it depends on you and your comfort level. They’ve already got the encrypted vaults. At minimum, you should change your vault master password to something long and strong (I recommend using xkpasswd or the pronounceable password generator and doing further conditioning), change the number of iterations to 600,000, and if you are using MFA, change the randomization seed. Details are in the Lastpass bulletin, and simply provide additional protection going forward. Should you be worried about what was stolen? I’d worry about adversaries using the non-encrypted information for phishing, so be extra careful with texts and emails (but then again, I believe that most of the data scraping attacks are collecting information for spearphishing, as it is easier to convince you to give me the data than to attempt to brute force it. See this XKCD). If you had a really weak master password and low iterations, change your key passwords and look for indications of attack. But remember: you’re likely not the target.

The takeaways here are:

  • You don’t need to change all your passwords
  • Change your vault passwords, iterations, and MFA seed on general principles.
  • If you had a weak master password, change key passwords protecting financial institutions, major accounts (email, FB), and DNS/domain related accounts.
  • Take a deep breath.

Third, do you need to run screaming away from Lastpass? Again, that depends on your comfort level. Although their latest communication was good and detailed, they sucked on communication up to this. I attribute that partially to timing, as they were being divested away from LogMeIn and that introduces a certain chaos in corporate communications. But they were also probably holding things close to the vest until they improved processes. Reading their longer term plans, I think they are significantly improving things and so their update product will be more secure. They are certainly retraining their development team. I particularly noted “Working to encrypt URL and URL-related fields in the vault BLOBs.” That’s a good thing.

Moving away from Lastpass has certain costs. There is the friction in moving the vaults (and moving your vault does nothing to protect you from this breach, as the general user information and encrypted vault data was already stolen). Arguably, it puts your data in more places to be stolen, as it doesn’t delete data from backups and such. There are also usability issues (Lastpass is an extremely easy to use product), and with the paid product, the features of the Family plan were excellent.

The takeaways here are:

  • Lastpass sucked at communication during the process, but has now finally given good details. They lost trust due to how they handled this, which is a lesson we all should learn from.
  • The improvements they have made, and are making, are good and increases confidence in their product.
  • They could do more: increased training of employees, increased emphasis on awareness, and increased practical exercises on recognizing phishing are key. Increased restrictions on what computers can connect to them, combined with techniques to ensure those computers are configured properly. Those may be coming, or perhaps they weren’t explicitly mentioned.
  • Every user should balance their risk tolerance with their likelihood as a target and the value of the information being protected. Be realistic, and understand the frictional costs in moving platforms.

Am I going to abandon Lastpass? Probably not. But I have changed master passwords, increased iterations, and updated MFA seeds. I’ve also changed passwords on critical accounts, and enabled MFA in more places (using an authenticator app instead of SMS when I can). I’m also keeping an eye out for any anomalous activity, but then again, I always do that.

Share

👩🏼👨🏾👧🏾🧑🏼👩‍🦰 From Mistakes and Missteps Comes Learning and Realization

Posted onAuthorcahwyguy

For some reason, the whole mess at Gimlet Media related to the Reply All Test Kitchen series and its fallout, which I wrote about in my last post, has continued to fascinate me. I’ve been reading tweet threats by those involved and related: Eric Eddings, Starlee Kine, PJ Vogt, Sruthi Pinnamaneni, Alex Goldman, the Gimlet Union, Emmanuel Dzotsi, and others. As a long time listener, I never quite understood what the Union drive at Gimlet was about. One sees a company by the image they project, and I viewed Gimlet through the eyes of the Startup Podcast and Reply All, through Science Vs and Little Known Facts. This incident has made me realize that what I saw was a facade. More importantly, looking back, it showed they didn’t listen to what they were reporting.

As I noted in my last post, at the time of the starting of Gimlet, Alex Blumberg noted that there were major problems with diversity in Gimlet’s staff. They planned to do something about it. In an episode of Reply All that I cite to this day, they explored why diversity was so important in the workplace: when you hire people from the same background and the same institution, you always get the same view and the same answers. Yet even with that reporting, the recent Test Kitchen series and the subsequent fallout made clear that Gimlet didn’t learn. They hired the team and people from other podcasts they knew: from This American Life and Planet Money and NPR — all of whom had the same views and background and cliques. Just like the Bon Appetit situation they wrote about (at least from what I’ve been reading and hearing), they didn’t give spaces for the other voices. Well, perhaps they did for a short time, but they didn’t last. It was tokenization, not representation. At least, that’s from what I’m hearing and reading. I’m a long time listener, not a podcast. Just like with live theatre: I’m an audience member, which is vital for the industry.

But what is more disappointing is that this pattern of behavior is common across the podcast industry. Helen Zaltzman and the Allusionist podcast left Radiotopia. Why? Zaltzman cited a lack of racial diversity at the Radiotopia: “I have raised this fact repeatedly, recommended existing shows or potential showmakers to approach, questioned the excuses given for why the line-up stayed very white – small capacity and limited resources and insufficient money were frequently cited. So I offered money. And now, in case it makes more space and resources available, I’m removing myself.”

The problem is real. Stephanie Foo wrote a piece in 2020 about diversity problems in public media. It was her third time having to write the article, because people were not learning.  She first wrote it in 2015. In the introduction to that article, she noted: “It’s about time that public media came to terms with the fact that it does not serve the public as a whole. More hosts and program directors realize that a market of POC exists — and if they don’t cater to it, they’ll fail to grow their audience. And I’m glad the people in charge are realizing that when it comes to attracting minorities, throwing some hip-hop beatz as a transition between stories is about as effective and transparent as Mitt Romney’s spray tan. Finally, finally, it’s becoming abundantly clear that the solution to our diversity problem is hiring producers of color, and that diversifying your business is smart from a content perspective.” But did people listen? Did they really change their workplaces? Evidently not.

Back in 2015, Wired wrote about the lack of diversity in podcast voices: “Don’t replicate the stale listenership of public radio, and offer yet another way for the same culturally dominant demographic to tell each other their ideas. Rather than build a wider network of white male voices and listeners, let’s take the momentum and support of networks to promote some podcasts featuring everyone else.” There was an article on this in 2016. This was pointed out again in 2017: “Diversity is another huge challenge faced by the podcast industry, according to the report. As of mid-2016, only a few of the top-100 iTunes podcasts — shows like “Code Switch” and “Snap Judgment” — were designed to amplify diverse voices. Most podcast hosts are also male.”

But just as with theatre: diversity in the hosts at the front is only the visible tip. Diversity needs to be throughout: from the researchers to those pitching the stories to those producing to those editing to those marketing to those … The Reply All podcast perhaps said it best back in 2016:

LESLIE says that Twitter’s lack of diversity doesn’t just affect the workplace atmosphere, but it goes straight to the heart of the product itself.

LESLIE: Obviously if you don’t have people of diverse backgrounds building your product, you’re going get a very very narrowly focused product that may do one or two things really well or just may not do anything really well. And if you look at Twitter as a product, it doesn’t a lot of the simple things. It doesn’t do direct messaging well. It doesn’t do media sharing well, right? And if you had people from diverse backgrounds, you may have been able to expand, you know, what what you thought was possible?

GOLDMAN. Let me ask you this how must of your desire to see diverse workplaces comes from the fact that it’s just morally correct to have diverse workplaces versus it will make your product much better.

LESLIE: Yes. The answer to that question is yes. It’s going to, you know, diverse teams have better outcomes, that is, there’s so much has been written on that in the last 30 years I don’t even know why we’re talking about it. And and I think, you know, I hate sounding like, you know, like a total socialist, but arising tide lifts all boats.

Looking back at this transcript, you know what stands out at me? Who did the interview. Alex Goldman. Not PJ.  And in the latest problems at RA, who was there arguing for diversity and its benefits and the union. Goldman.

As audience members — as listeners to podcasts — I’m starting to wonder if we are hearing but not listening. The problems with diversity have been there. People have been talking about them for years. They have been writing about them. But I’m not sure we have been hearing. But they have been coming to the foreground now. We are learning about the problems at Radiotopia and Gimlet. It is just like how in mid-2020, we because to learn and understand about the problems in the Broadway theatre, and that we needed the diversity throughout.

So what can we — as the audience — do. I think we need to let the podcasting companies — Spotify, Earwolf, NPR, etc. — know we want diversity throughout. Not a host here and there, but in the research, writing, producing, and technical staffs.  We need to find podcasts that exhibit those characteristics and make it know that we are going out of our way to listen to them, and that we want those diverse viewpoints. Although I’m pretty backed up on podcasts, I’m open to recommendations for podcasts that fit this mold.

I also hope that Gimlet uses this incident to do what it does best, and what it did when it started: Turn that microphone on itself. I’d like to see the remaining hosts at RA — Alex and Emmanuel — explore how diversity went wrong at Gimlet, going back to when the problem was first cited in 2015, to when RA touched on the importance of structural diversity back in 2016, exploring the diversity problem in the podcasting industry. They might even be able to salvage some of the Bon Appetit story. But most importantly, I hope they can talk about how the problem is being solved, and being solved in a permanent, long lasting way.

Share

📰 Diversity, Gimlet, and Hindsight

Posted onAuthorcahwyguy

As you know, I listen to a lot of podcasts. Fewer, since I’ve been working from home; but still, I listen to a lot of podcasts. Today on my walk, I made a special effort to listen to an episode of Reply All from Gimlet about the mess at Bon Appetit, the first episode of “Test Kitchen”. This came about because an article in the LA Times talked about how Reply All had discontinued this podcast after episode #2 of 4. Why? Here’s a quote:

The decision comes after a former Gimlet staffer accused two members of the “Reply All” team of creating a “toxic dynamic” at the company. Eric Eddings’ allegations went viral on Twitter earlier this month and prompted the departures of host PJ Vogt and senior reporter Sruthi Pinnamaneni.

After this, one of the remaining hosts Alex Goldman posted a 2 minute message that noted:

We now understand that we should never have published the series as reported. And the fact that we did was a systemic editorial failure.

So, although I had been waiting to listen to the episode for a while, thinking it would be similar to a series from The Sporkful, I now understood this was different. And listening to it with the benefit of the additional hindsight, it took on additional meaning.  But more importantly, it made me think back to an episode of Reply All from 2016 that I loved, about the importance of diversity in the workplace. It explored diversity at Twitter. It made me think of an episode of Gimlet’s Start Up podcast that explored diversity at Gimlet, where the host noted:

If you were to walk into Gimlet HQ, there are a few things you’d probably notice right off the bat. First, it’s crowded – like a grungy dorm room. Second, the lighting… it’s not great. Not many windows. Third, it’s white. Really white. 24 of Gimlet’s 27 employees are white. In this episode, we look at diversity (or lack thereof) at Gimlet. And we try to figure out what diversity should mean for the company going forward.

It goes to show: you can talk about diversity all you want, but if you don’t learn the lesson … if you don’t make that workplace better .. you fail.

I look forward to future Reply All episodes where they address this.

Share

📰 Returning to a Balanced Court – A Proposal

Posted onAuthorcahwyguy

Recently, the subject of “Court Packing” has been in the news, because of the Trump administration’s perceived “packing” of the court with Conservative justices, which itself was the byproduct of the Republican Senate refusing to process President Obama’s nominees for the court during his last term. The imbalance this created has led to the desire for a return to balance, which is the goal of what we hear called “court packing” (which, itself, is a pejorative term creating bias — the real goal is a “return to court balance” of having an even number of Justices from each side). There have been other approaches  floating around out there, most centered on the notion of getting rid of lifetime terms for judges, and instituting term limits. Here is my proposal:

  1. All nominees by a President for the Appellate or Supreme Court must be approved or rejected by the Senate within 90 days of nomination. Failure to act results in the nominated Justice receiving an automatic interim 2 year appointment to the position, after which the Senate must approve or reject for the Justice to continue in the position.
  2. All Appellate and Supreme Court Justices must have their positions reconfirmed by the Senate on every 11th anniversary of their starting in the position.
  3. All Appellate and Supreme Court Justices have a term limit of 31 years. At this point, a two-thirds vote of the Senate can extend their term for additional five year terms.

This would apply to new and sitting justices. This creates no new immediate openings, but does provide the opportunity for greater turnover in justices, and the ability to more easily remove weak or bad justices. By using odd numbers for the terms, this staggers the reconfirmation process across 8 year Presidential cycles, hopefully restoring balance as the political pendulum swings.

 

Share

📰 Inspired Miscellany: A Random Collection of Things I Found of Interest

Posted onAuthorcahwyguy

As I continue to review the collected links, here’s a random collection of articles that I found of interest:

  • Amazon’s streamlined plastic packaging is jamming up recycling centers. One area of interest to me is plastics, and the growing amount of plastics in our waste stream. They are hard to recycle, and even their presence makes things that are normally easy to recycle very difficult (think plastic tape on packaging). This article explores a recent change made by Amazon in their packaging. Amazon is an interesting case, for they require extra packaging as they ship everything. Over the last year, Amazon.com Inc. has reduced the portion of shipments it packs in its cardboard boxes in favor of lightweight plastic mailers, which enable the retailing giant to squeeze more packages into delivery trucks and planes. But environmental activists and waste experts say the new plastic sacks, which aren’t recyclable in curbside recycling bins, are having a negative effect. The problem with the plastic mailers is that they need to be recycled separately, and if they end up in the usual stream, they gum up recycling systems and prevent larger bundles of materials from being recycled.  It’s a really hard question. Cardboard is easier to recycle. But it is heavier, takes up more space, and requires more trucks, which have more environmental impact. Plastic takes less space and less trucks, but is harder to recycle and can contaminate the recycle stream.
  • Why your desk job is so damn exhausting. Think about it: Which is more exhausting: a job that requires physical manual labor, or a desk job behind a computer all day. You would think the former. This articleexplores one of the more hotly contested issues in psychology: What causes mental fatigue? Why is desk work so depleting? It presents the two main hypotheses for why we get so tired from work when we’re not physically active. Hypothesis 1: we get so tired because we deplete an internal store of energy. The problem is, increasingly, psychologists aren’t sure it’s real. Hypothesis 2: we get so tired because our motivation runs out. We become drawn to the things we want to do, rather than the things we have to do. And this tension possibly causes fatigue… and blog posts like this… did I type that with my public fingers?
  • How to Make Your Office More Ergonomically Correct. Here’s another thing that could be making you tired: Your office layout. At the end of last year, I moved offices — meaning a new desk and new monitor support, and it took me a while to make things comfortable. I’m still not 100% sure it is right. This article explores how to ensure that. Remember: About $1 billion a week is spent in the United States to deal with entirely preventable work-related musculoskeletal injuries, many of which are caused by small flaws in body positioning. You can do a surprising amount of damage to your body if you hold parts of it in strange positions for hours at a time, five days a week. But some research suggests that you can also prevent and even reverse damage by engineering your office work environment properly.
  • How to responsibly get rid of the stuff you’ve decluttered. Right now, society is on a decluttering trend. More and more stuff is being removed from closets and houses, and it has to go somewhere. You want it to go to the right place. Last thing you want to do is add it to the trash stream, especially for clothing. This article explores the best way to get rid of different classes of stuff you may be (shall we say) de-accessioning. For us, it will probably be participating in a multi-family estate sale in a few months.
  • Why so many financially independent adults are still on their parents’ phone plans. You would think, as you become financially independent and move out of your parent’s house, that you would financially separate from them. But that doesn’t always happen — and for good reasons. Kids stay on their parent’s health insurance until they are 26 because that’s often much cheaper (especially for insurance you get through work). Often Car Insurance is bundled if it makes financial sense. This article explores the reason that kids are on their parent’s phone plan — and it is often for the same reason: adding an extra line to your phone is much much cheaper than having a separate plan.
  • The periodic tables we almost had. Design is an area that fascinates me. This explores how we got the current design of the periodic table, exploring its evolution over time. It was surprisingly hit and miss, settling down as we began to learn more. But in many ways it is still imprecise, and not an accurate model. I tend to like the “Underground Map of the Elements” m’self.
  • The Aldi effect: how one discount supermarket transformed the way Britain shops. Yes, I know, I’m not in the UK. But this article — which looks at the evolution of Aldi as a market and its expansion into the British market — provides some fascinating insights into the US: especially the difference between Trader Joes (owned by Aldi North), and Aldi (owned by Aldi South). If you don’t know what I mean by Aldi North and Aldi South, you really need to read the article.
  • Community colleges can cost more than universities, leaving neediest students homeless. We’ve all been taught that it is cheaper for students to go to community college than a big university. But what if that is wrong? This article explores why it is wrong — and the answer is interesting. Community colleges do cost less tuition-wise. But because they have lower tuition, they also have lower financial aid — meaning that students get less support in paying for those units. There is also less to no housing aid, meaning students are on their own to find housing. This makes the total cost often higher than a mid-tier state university with aid.
  • Off the chart: the big comeback of paper maps. We often think mapping apps will be the death of paper maps, but that’s not the case. This article explores why. In a time when facts are to be treasured, perhaps paper maps have real significance, recording as they do a version of the truth less susceptible to tampering and fakery. The effects of the digital era on humans’ mental map abilities are becoming apparent. A recent study at the University of Montreal found that some video games that relied on non-spatial strategies could reduce growth in the hippocampus, an all-important region for mental mapping.

 

Share

📰 🔐 Complexity, Assurance, and Airplanes

Posted onAuthorcahwyguy1 Comment

Recent tweets from the President have brought the issue of complexity to the front of the news cycle. In response to the second crash of a Boeing 737 Max 8 Jet, the President tweeted:

Airplanes are becoming far too complex to fly. Pilots are no longer needed, but rather computer scientists from MIT. I see it all the time in many products. Always seeking to go one unnecessary step further, when often old and simpler is far better. Split second decisions are needed, and the complexity creates danger. All of this for great cost yet very little gain. I don’t know about you, but I don’t want Albert Einstein to be my pilot. I want great flying professionals that are allowed to easily and quickly take control of a plane!

So is the President right or wrong. Before I answer that, let’s explore the question of complexity and the risk that it brings. Any cybersecurity security expert worth their salt can tell you the three characteristics of a reference monitor:

  1. Always Invoked / Non-Bypassable.
  2. Tamper-proof.
  3. Never eat at a place called “Moms” Small enough to be easily understood and evaluated.

Why is that last point there? Simply, because complexity is the enemy of assurance. We’ve all heard of “feeping creaturism” — the way that software vendors keep adding in features to sell a product while not fixing known problems and making the product more reliable. This is because adding features sells products, while adding assurance does not. But the more and more features and capabilities you put into the code, the less assurance you have in its correctness. Logically, this makes a lot of sense: each feature has multiple inputs and options, each creating a new path through the code, and very quickly it becomes impossible to test all code paths. Simpler code means fewer code paths, meaning more reliability. Complex code means code that wasn’t completely tested in every possible situation, and as Hoare pointed out, once you find the first bug, you have an infinite number.

We are adding more and more complexity to the software we use every day. Remember the Toyota unintended acceleration problem? That turned out to be a software bug (which they claimed was a carpet mat problem, but they updated the software at the same time) from a rare complex interaction. Cars today have even more complex software, what with all the sensors monitoring things for safety. Most of the time these work, but there have been cases where problems have been identified due to software errors. Subaru, in fact, just had a recall to fix the software on the head unit related to the rear camera.

Airplane software is equally complex. When the Airbus Jets first came out, they were revolutionary in that they were “fly-by-wire”. In other words, instead of multiple physical hydraulic lines to control the rudders and wing surfaces, there was an electrical signal that went to the other end of the plane. Many people didn’t trust fly-by-wire and only flew the Boeing. It took multiple flights to convince the public of the safety of the systems, and now all modern jets use fly-by-wire.

So, are airplanes too complex to fly? Airplanes are controlled by software, and that software is very complex. But statistically, airplanes are safer than they were in the days when there were only simple physical controls. Similarly, cars are more complex, but they are statistically safer than vehicles from the 1950s and 1960s.

But that doesn’t mean the complexity doesn’t cause problems. In fact, it looks like Boeing is already adjusting the systems in the Max series: instead of just using one sensor to control nose down, they are using multiple sensors.

Now, let’s go to the second part of Trump’s statement: do you need a computer scientist from MIT to fly a plane? Flying a jet — even an older one like a Boeing 707 — is very different than flying a private two-seater Cessna. The number of systems that must be monitored are immense, and you need a strong understanding of the physics of flight. You don’t need to be a computer scientist — after all, you’re not programming the systems — but you do need to be comfortable with technology and have a strong understanding of physics. Given the choice, you want a pilot with lots of experience (and no mental problems) flying the plane; not a rookie MIT computer scientist. However, you might want that scientist writing the software.

Lastly, there is one other assertion in Trump’s tweet we need to address: “old and simpler is far better.” No, it isn’t. Old and simpler — both in technology and people — cannot grasp the complexity of today’s split second world. You want someone nimble, who truly has a deep understanding of the system. You want someone with years of experience with that technology at the helm.

Yes, those last two sentences were an allusion. As was the point that you need a pilot with no mental problems.

Share

📰 🔐 Cybersecurity: News and Sausage to Chew Upon

Posted onAuthorcahwyguy

I haven’t done a news chum posts in a while, and the articles of interest are accumulating. So here’s a collection of articles that caught my eye, all dealing with cybersecurity:

  • Password Managers. Recently, there was an article about vulnerabilities related to common password managers, the gist of which was: All password managers are vulnerable to attack. Many people took that as an excuse to trigger their risk aversion, and to run away from password managers. Bad thing to do. The attacks in question all required physical access to the machine in question. Vaults in the cloud were safe. Further, if you had physical access to the machine, then a complicated attack to look at a residual password in a buffer is the least of your worries. This is a clear example of people not understanding the risks. The upshot: Use password managers. They make it so that you have longer, more complex, passwords in use; they also encourage the use of one password, unpredictable, per site. They are much more secure than algorithmic generation by humans, or writing things down.
  • Choosing Good Passwords. Another password related article looked at the surprisingly common password “ji32k7au4a83”. This is a good example of why a password that looks strong might not be. In this case, the password turned out to be the ASCII representation of the characters you get when you type the Chinese for “My Password” on a specific Taiwanese keyboard. I could imagine similar problems for Hangul, or possibly other representations. This is yet another argument for using password generators (I recommend Lastpass, but other good tools are the XKpasswd generator and the nonsense word generator… and for good measure, the username generator from Lastpass, if you don’t want to have the same username everywhere).
  • I Am Not A Robot. Some of us remember the days when everyone used a CAPCHA that required you to recognize letters and enter them in order to prove that you were not a bot. But you don’t see those very much anymore. You may see tests that require you to recognize what is in images, but even those are getting fewer. That’s because it is getting harder and harder to prove you are not a robot, and CAPTCHAs are having trouble catching up. Somedays, it seems that the only thing computers can’t reliably recognize is porn (but then again, neither can humans, and imagine the CAPCHAs). What you do see is a simple checkbox that “I am Not a Robot”. But why does something simple work. There’s actually a great explanation, which involves all the information your browser collects, and all those cookies you don’t think about track, that a bot does not have. Who knew?
  • Forgetting the Past. Recently, Gene Spafford (a grey-beard I know well from the days of USENET) visited the RSA conference. His reaction was very interesting, and reflected the feeling that many of us grey-beards and CBGs and other professional old-codger terms have: the youth of the cyber industry have forgotten what was done in the past. I’ll note that luckily, the people behind the Annual Computer Security Applications Conference haven’t, and we are starting to plan the 2019 Conference (web pages should be updated soon) that will include both new research, and reach-back into the relevant history. We’ll be doing our 2nd year in San Juan PR in December; mark your calendars now.
  • Listening and Privacy. We often use our computers thinking we’re the only ones who see what we are typing, just as we talk out in public as if we are the only one listening. Both are pretty far from the truth. Hopefully, you know that most public wireless access is not secure, and the best way to secure it is through the use of a VPN. Virtual Private Networks make sure that communication between your computer and a trusted endpoint are secured, and claim to provide security from that endpoint to your ultimate destination on the web. How much can you trust them? It depends on the VPN you choose, as some are better for privacy than others. But what about the real world? When you discuss things on the bus or the subway, how secure are you? Not very. One instructor gave their students an interesting assignment: find out as much as you can about that stranger sitting next to you on the bus, using only public information. They found out quite a bit by listening to the public side of phone conversations, looking at visible screens, and noticing other aspects of the person. Sherlock Holmes in the wild. But that’s not the only risk. It turns out that your hard disk might be eavesdropping as well. Sound waves create movement in disk heads, which can be monitored by sensors in the disk. So when will those concerned about eavesdropping move to SSDs to get rid of that risk?
  • AntiVaxxers and Cybersecurity. A meme has been going around asking why we are willing to inoculate our computers against viruses and malware, but not our children? As memes go, it makes an interesting point — but misses some of the differences between computers and the human immune system. Vaccines are a great example of how we train our immune system to work for us by exposing it to the potential malware — in a neutered form — to train it to recognize the real thing. Traditionally, humans have been great at this: that’s why babies crawl around and put things into our mouths — the exposure makes our immune system stronger. In fact, our current antiseptic and germaphobic environment has both weakened our immune response, and trained it to overreact. So yes, pick your nose and eat it, but not in public where anyone can see you. But I digress. Think about this in terms of computers. We install an anti-virus or anti-malware program; this is the equivalent of installing an immune system in our computer. But the success of that system depends on the collection of malware signatures that it downloads regularly. These signatures are benign snippets of code DNA that allow for safe identification of dangerous code. Exposure to those benign snippets is vital if our computer immune systems are to work, and we don’t lose the system. Similarly, vaccines allow our natural anti-virus mechanisms to recognize the malware that try to invade us — and more importantly, they protect those systems that — due to specialized wetware — cannot install the anti-virus. In short: Vaccinate your kids and yourself to protect those around you, as well as yourself.

 

Share