Archive for September, 2008

Commentary on the Palin Email Thing

Wednesday, September 24th, 2008

I know that I promised not to talk about politics on this blog. You get some of that in the form of politically charged funnies at /dev/random and short bursts of venom on Twitter. I don’t really want to become too verbose about my frustrations with certain presidential candidates here. So this won’t be about politics; this will be about security, or the lack thereof. I will try to restrain myself from political comments and only comment on human stupidity, which is a quality equally distributed amongst Democrats and Republicans.

I initially wasn’t going to comment on this, but people keep asking me for my opinion and I figured I should put together something more eloquent than “Palin got pwnd by /b/. She should totally invest in a dog.” And preferably something that is not as politically charged.

Let’s start from the top. Once upon a time, Gov. Palin had a Yahoo email account. Note that I’m using the past tense here. She no longer has it, because a /b/tard heard about it and took it over in 5 minutes. How was this feat of extremely 1337 hacking on steroids performed? From the horse’s mouth:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

As you can see, there was no hacking done here. In fact, the very act of taking over Palin’s email required no computer knowledge and no skill. Hell, it didn’t even require intelligence. All it required was the ability to type the word “palin” into the Google search box. Anyone in the world could have done this. It just happens that it was done by /b/ for the lulz, but it could just as easily have been perpetrated by someone with a much more malicious agenda, to monitor, intercept or forge Gov. Palin’s work related messages.

The obvious point of failure here is of course the password recovery system. Almost all online services use one of these, because remembering strong passwords is difficult and using weak passwords is dangerous. It is an age old problem, and the usual solution is to force people to use strong passwords and let them go through a recovery process involving easy to remember questions in case they forget. Most services won’t actually allow you to reset your password on the spot, but will instead send a temporary password or a confirmation message to the email address you used to sign up for the service. So if someone tries to recover your Facebook password, for example, and correctly guesses the name of your first dog and your zip code, they still won’t get access to the account. Instead you will get an email notifying you about the recovery attempt. Not the most secure solution, but it works.

Of course in the case of Yahoo Mail this is apparently not how it works, which sort of makes sense. Requiring someone to have an email address in order to sign up for another email account is a bit silly. As a result Yahoo apparently relies solely on the very insecure personal questions to verify your identity. These questions may often work for a private person. After all, how many people in the world know the zip code of your mom’s house, the name of your high school crush and the name of that pet goldfish you flushed down the toilet when you were 11? Even if you blab about yourself constantly, there is only a limited number of people who could potentially know these things - the people who know you personally, whom you can track down and slap around if you find out they have tried to read your email. This changes when you become a public figure with your own detailed Wikipedia entry that gets vandalized 5 times a day. The flaw that is inherent in the password recovery system becomes a gaping security hole: every “secret” answer is a matter of public record.

The lessons here are twofold:

  1. Using a free email account when you are a public figure puts you at risk, even if it is purely for personal use. You really want to invest in something more robust. It’s fine if you want to keep your public email and your private email separate, but you should really look for a more professional solution. Perhaps something where you can confirm your identity by giving out the credit card number associated with your account and its security code. After all, that’s something a random /b/tard won’t be able to find on Wikipedia.
  2. We need to carefully reexamine the way we use password recovery mechanisms. It’s obvious that Yahoo’s solution is very vulnerable to a common-sense, research-based attack. This is unacceptable, and it needs to be fixed for Yahoo and for all the other services which use a similar recovery method.

The problem with password recovery is a serious one, because there is really no easy way to make it more secure. Let’s remember that the only reason people use this feature is that they can’t remember their 6-8 character password. If you make the recovery questions too obscure or complex, people will forget them as well. This is why most free online services insist that you sign up with a valid email address where they can send you a password recovery confirmation. The only way to ensure that you are not giving away the password to a bad guy is to hand the job of confirming your identity over to someone else - your email provider. Of course if you are trying to be the primary email provider for people who already have, but don’t want (or don’t know how) to use, their ISP-provided email, you don’t really have that option.

How do we resolve this? First off, don’t do what Yahoo did. When you are a free online service, always defer the job of confirming identity during password recovery to someone else. This way, when an account gets compromised, it is not your fault. The easiest way of course is to require your users to sign up with a valid email account. But that is not the only way - you can also become an OpenID consumer. Everyone and their mom is an OpenID provider these days, but no one ever wants to be a consumer. Using OpenID logins, however, is a perfect way to defer trust to another entity without asking the user for another email address.

This way security issues cluster around popular OpenID providers, some of which are paid services (e.g. LiveJournal) which can ask the user to verify their credit card number upon password recovery. Better yet - if you are a public figure you can roll out your own OpenID provider solely responsible for authenticating you, and only you, on a bunch of online services. If you forget your password you simply visit or call up “Joe”, the guy who maintains your OpenID server, and ask him to reset it for you. If someone hacks your account, you can personally kick Joe’s ass, and then fire him.

Of course there are many issues with actually implementing OpenID in a way that works. If you trust the wrong OpenID provider, for example, you may find yourself overrun by spammers. Not an ideal solution, but a solution nevertheless. It does seem to work for Stack Overflow, for example.

If you don’t want to defer authentication to someone else and you want to remain free, do something like Google did for Gmail registration - ask your users for a phone number and send them a text message with a security code when they try to recover a password. It is almost like a poor man’s two-factor authentication. In practice the code needs to be short-lived, single-use and limited to a handful of guesses, otherwise a six-digit code is just a weaker password. There are of course usability issues with this scheme as well - problems with SMS delivery across networks, and other random stuff. I’m not saying everyone should do it - I’m just saying it is a more secure option than asking for the name of a person’s dog. At least in theory.
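As an added example that is not from the original post and is not Yahoo’s, Google’s or anyone else’s real code, here is what a recovery flow that defers identity confirmation to an out-of-band channel (the emailed confirmation from the paragraphs above, or the text message just described) looks like when the code itself is handled properly. The account table, the send callback, the six-digit code, the ten-minute lifetime and the five-guess limit are all assumptions made for the example:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions for this example (not from the post): six-digit codes, a ten
# minute lifetime and five guesses per code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingRecovery:
    code_hash: bytes        # only the hash is kept; the clear code goes out of band
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class RecoveryService:
    """Password recovery that trusts an out-of-band channel, not personal questions."""

    def __init__(self, accounts, send, now=time.time):
        # accounts: constructed {username: phone number or email address}
        # send(destination, code): delivery callback (SMS gateway, mail relay, ...)
        # now: clock, injectable so expiry can be tested without sleeping
        self.accounts = accounts
        self.send = send
        self.now = now
        self.pending = {}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def request(self, username: str) -> None:
        """Start recovery. Behaves identically for unknown users, so the form
        cannot be used to enumerate accounts."""
        destination = self.accounts.get(username)
        if destination is None:
            return
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[username] = PendingRecovery(
            code_hash=self._hash(code),
            expires_at=self.now() + CODE_TTL_SECONDS,
        )
        self.send(destination, code)

    def verify(self, username: str, code: str) -> bool:
        """Check a submitted code. A code is single use and dies after
        MAX_ATTEMPTS wrong guesses or CODE_TTL_SECONDS, whichever comes first."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.now() > entry.expires_at:
            del self.pending[username]
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(code))
        if ok or entry.attempts_left <= 0:
            del self.pending[username]      # burn it: on success, or once guesses run out
        return ok


if __name__ == "__main__":
    delivered = []
    svc = RecoveryService({"alice": "+1-555-0100"}, lambda dest, code: delivered.append(code))
    svc.request("alice")
    wrong = "000000" if delivered[0] != "000000" else "000001"
    print("wrong guess accepted?", svc.verify("alice", wrong))
    print("real code accepted?", svc.verify("alice", delivered[0]))
    print("replayed code accepted?", svc.verify("alice", delivered[0]))
```

The service never stores the code itself, only its hash, so a leaked table doesn’t hand out live recovery codes; the comparison is constant time; an unknown username produces exactly the same response as a known one, so the form can’t be used to confirm that an account exists; and the code dies after one success, five failures or ten minutes, which is what keeps a six-digit code from being brute forced. What it deliberately does not do is ask where you met your spouse.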

At the very least, we should revisit the questions and answers the recovery process is using. Obviously things like DOB, zip code and spouse name are very easy for a potential attacker to find out. Perhaps a different kind of question would be in order. Perhaps something along the lines of:

You’re in the desert, you see a tortoise lying on its back, struggling, and you’re not helping. Why is that?

Only don’t use a known quote, because 80% of people who watched/read Blade Runner will invariably answer this one with “what is a tortoise?” and that’s not exactly what you want. Simply ask a personal question, and assume that the answer to a given question doesn’t change. Perhaps something along the lines of:

“You are walking in the park, alone. It is cloudy day but it is not raining. You smell wet leaves. What are you thinking about?”

Again, not perfect, but it may trigger some rather personal memories, or incite a trivial response along the lines of “better get home before the rain”. We would probably have to test this type of question on a group of users, and then have them try to recover their passwords 6 months later and see if they are able to reproduce the same responses. It would also be interesting to see if this sort of emotionally charged question prompts similar answers from many people. I have a hunch that the above question would end up with many responses along the lines of “I think of her/him”, but again - it would take some testing. The assumption is that these questions would be harder to defeat by looking the answers up, but since we are all emotionally wired in a similar way they may be easy to guess by intuition alone.

Those are my 3 ideas. Feel free to suggest your solutions to the password recovery issue in the comments. Maybe there is a better way to do this.

Is it Gov. Palin’s fault that she got pwnd? Yes and no. Yes, because she should have known better than to use Yahoo. No, because this would not have happened if it wasn’t for the inelegant kludge that is the “password recovery question” mechanism employed by Yahoo. She is not the only person who has had their account compromised this way - it’s just that the contents of most people’s Yahoo inboxes are not a matter of national security and thus we don’t hear about it on the news.

The interesting thing is what will happen to the kid who did this. What’s his name? David, was it? Yes, it was David. Will he get a slap on the wrist, or will he be made an example of? Will he spend some quality time in a federal prison, or will he get off with a fine, some community service and a nasty smear on his daddy’s reputation? Or will he dodge all punishment by a small margin due to insufficient evidence?

What do you think?

Easy Way to Create Simple Linux Packages

Tuesday, September 23rd, 2008

I just figured out how to create an installation package in any of the popular formats (deb, rpm, etc..) in under 30 seconds. This method is probably not something you’d want to use for a serious project, but it is perfect for small scale things such as shell scripts, or various perl/python/ruby concoctions you want to distribute.

Before I start, I must confess that I never really made a deb package from scratch. I have created debs before with tools like checkinstall. For example, I do it every time I install ffmpeg on one of my machines, because for some reason that package is horribly, horribly broken in the repos and half the features are disabled. If you want a working copy, you have to grab the source and roll up a deb yourself.

I never created a deb for one of my own scripts because I never needed to. Most of the time the stuff that I write ends up being a single script or executable, which I stick in /usr/local/bin or just keep in the home directory. If I distribute it, I always figured someone else could do exactly the same - grab the binary and stick it somewhere in the path.

But the other day I was like, “maybe I’ll just make a deb for this one script here since I already have like a whole project page for it.” And so I googled “How to make a deb” and got tons of excellent tutorials, each of which was at least 50 pages long. I figured I was doing something wrong, because a simple thing like creating a package can’t be that complicated, and the creators of these extremely detailed howto pages must simply be suffering from the common case of verbal diarrhea which seems to plague at least every third Linux user.

I mean, it took me 10 minutes to write and debug this script. If wrapping it inside a deb takes 3 hours, then we are in trouble. Fortunately I’m a very lazy individual, and instead of trying to follow one of these gargantuan howto articles, I decided to find a quicker way and installed the EPM package:

sudo aptitude install epm

EPM basically builds packages for you almost automatically. All you need to do in terms of setup is to create a single .list file in the same directory as your project. For example for Twimi I created the following file:

%product twimi
%copyright 2008 by Lukasz Grzegorz Maciak
%vendor Lukasz Grzegorz Maciak
%description A minimalistic, command line Twitter updater.
%version 0.4
%readme README
%license LICENSE
%requires curl
 
f 755 root sys /usr/bin/twimi twimi

I think the above is pretty much self explanatory. The first 8 lines are metadata which will be embedded in the deb - you know, the stuff that you can read when you do aptitude show. The last line specifies what to do with the project files during installation. The syntax for this line is pretty much this:

f  mode  user  group  destination  source

You can find more info about the other prefixes (there is c for configuration files, d for creating directories, and so on) by running man epm.list. All I needed was to copy a single shell script to a directory in the path and make it executable, and that was accomplished with the single line above. Note that the mode and owner you put on that line (755 and root here) are what the installed file ends up with, so double check that you are not shipping anything group- or world-writable. No other tinkering was needed. I saved the file as twimi.list and created README and LICENSE files because apparently epm expects them. You can leave them empty, but they need to be there for some reason.

Once you have all of this set up, you can create a deb by running the following command (where you’d replace twimi with the name of your project naturally):

sudo epm -f deb twimi

KABLAM! The deb will magically appear in a subdirectory named after your platform and architecture - for me it was linux-2.6-intel. An added benefit is that you can use the same .list file to generate other types of packages. Observe:

sudo epm -f rpm twimi

In addition to basic Linux packages, EPM can apparently also make OS X and BSD ones - but you will need the prerequisite package management tools for those systems installed. So I couldn’t really create an OS X package (and I don’t own a Mac, so I don’t know how I would test it), but the option is there if you need it.
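As an added example (mine, not part of EPM or of Twimi), here is a small checker for the file lines of a .list file. It parses the f, c and d entries described above and flags the things worth catching before you hand a package to someone else’s machine: group- or world-writable modes, setuid/setgid bits, destinations outside the usual install prefixes, and source files that don’t exist in the project directory. The allowed prefixes and the sample list text (the twimi list from this post plus one deliberately bad line) are assumptions made for the example:

```python
import os
import stat

# Entry syntax from epm.list: <type> <mode> <user> <group> <destination> [source]
# Only the f (file), c (config file) and d (directory) types are handled here.
ENTRY_TYPES = ("f", "c", "d")
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID

# Constructed sample: the twimi list from the post plus one line that would
# install a world-writable setuid binary.
SAMPLE_LIST = """\
%product twimi
%copyright 2008 by Lukasz Grzegorz Maciak
%vendor Lukasz Grzegorz Maciak
%description A minimalistic, command line Twitter updater.
%version 0.4
%readme README
%license LICENSE
%requires curl

f 755 root sys /usr/bin/twimi twimi
f 4777 root sys /usr/local/bin/helper helper.sh
"""


def parse_list(text):
    """Return (type, mode, user, group, destination, source) for each file entry.
    %directives, $variables, comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "%#$":
            continue
        parts = line.split()
        if parts[0] not in ENTRY_TYPES:
            raise ValueError(f"line {lineno}: unsupported entry type {parts[0]!r}")
        if len(parts) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields, got {len(parts)}")
        kind, mode, user, group, dest = parts[:5]
        source = parts[5] if len(parts) > 5 else None
        entries.append((kind, int(mode, 8), user, group, dest, source))
    return entries


def lint_list(text, project_dir=None, allowed_prefixes=("/usr/", "/etc/", "/opt/")):
    """Return a list of human readable problems; empty means the list looks sane.
    project_dir=None skips the source-file existence check."""
    problems = []
    for kind, mode, user, group, dest, source in parse_list(text):
        if mode & WRITABLE_BY_OTHERS:
            problems.append(f"{dest}: mode {mode:o} is group/world writable")
        if mode & SPECIAL_BITS:
            problems.append(f"{dest}: mode {mode:o} sets setuid/setgid")
        if not dest.startswith(allowed_prefixes):
            problems.append(f"{dest}: installs outside {', '.join(allowed_prefixes)}")
        if (kind in ("f", "c") and source and project_dir is not None
                and not os.path.isfile(os.path.join(project_dir, source))):
            problems.append(f"{dest}: source file {source!r} not found in {project_dir}")
    return problems


if __name__ == "__main__":
    for problem in lint_list(SAMPLE_LIST) or ["no problems found"]:
        print(problem)
```

Run it against your own twimi.list (pass the project directory as project_dir to get the missing-source check too) before the sudo epm step; a mode typo in that one line is the kind of thing that silently ships.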

Undoubtedly someone will tell me there is an easier and more straightforward way to do this kind of stuff. This method worked for me, but if there is another, more proper and equally straightforward way, I’d love to hear about it.

OpenDNS and NetBIOS Addresses

Monday, September 22nd, 2008

Recently I plopped an old laptop running a stripped down version of Ubuntu onto my home network. I joined it to the local workgroup and gave it a NetBIOS name so I could ssh into it from the Windows machines without having to remember the IP address. In the past this has always worked for me, but this time around I noticed something weird. When I tried to ping the machine from Windows, the local name was resolving to some remote IP:

>ping elder
Pinging elder.hsd1.nj.comcast.net [208.67.217.132] with 32 bytes of data:

Initially I thought that I had simply messed up the entries in smb.conf, but this was not the case. To my dismay I realized that this was happening for EVERY machine on my network. I could not ping grendel, I could not ping eoran, I could not reach malekith and even myprecious (don’t ask - it’s not my machine) was out of reach! What the fuck in hell?

A quick whois lookup gave me the culprit: OpenDNS, which I have been using as my primary DNS provider for quite a while now. I’m not sure why this issue started right now; I don’t remember seeing this problem ever before. Nevertheless it was there, and I suspected it had something to do with the OpenDNS auto correction which fixes typos in your URLs and redirects you to a search page whenever a lookup fails. I was always a bit skeptical about that particular “feature”, but I didn’t really mind it as long as it did not interfere with normal day to day operations.

This issue really boils down to the way Windows does domain name resolution. It works like this:

  1. First it checks the HOSTS file.
  2. Next it Queries the DNS server(s).
  3. If all else fails it falls back on NetBIOS.

In my case, step 2 would never fail. Windows appends the connection’s DNS suffix to the unqualified name (that’s where the elder.hsd1.nj.comcast.net in the ping output comes from), and instead of answering NXDOMAIN for a name that doesn’t exist, OpenDNS answered with the address of its redirect page. So the lookup always “succeeded” with that weird remote IP I showed you above, and Windows never even tried NetBIOS. This was an issue because I really did not feel like setting up a local DNS server just to be able to access local machines. I mean, I could, but I don’t really have a spare box to devote to this task, and also it would be silly considering that up until now I was happily relying on NetBIOS names for this sort of stuff.
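As an added example (not from the original post, and not an OpenDNS tool), here is a quick way to check whether your resolver is doing this to you. It looks up a few random labels under the DNS suffix Windows appends to unqualified names; a resolver that answers NXDOMAIN for all of them is honest, while one that hands back the same address for every probe is rewriting failed lookups. The resolve function is injected so the check can run offline against constructed answers; system_resolve uses the machine’s real resolver. The suffix, the fake host table and the constructed resolver are assumptions for the example:

```python
import secrets
import socket

LABEL_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def random_label(length=12):
    """A label that cannot plausibly exist anywhere, so the only honest answer is NXDOMAIN."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def system_resolve(name):
    """Resolve with the OS resolver. Returns a sorted list of IPv4 addresses, or None
    when the lookup fails (NXDOMAIN, timeout, ...)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def make_fake_resolver(hosts, redirect_ip=None):
    """Constructed resolver for offline use: known names come from `hosts`; unknown
    names get `redirect_ip` (typo-correcting resolver) or None (honest NXDOMAIN)."""
    def resolve(name):
        if name in hosts:
            return list(hosts[name])
        return [redirect_ip] if redirect_ip else None
    return resolve


def detect_nxdomain_hijack(resolve, suffix, probes=3):
    """Query `probes` random names under `suffix`. Return the set of addresses every
    probe resolved to (the redirect target), or an empty set if any probe got NXDOMAIN."""
    answers = []
    for _ in range(probes):
        name = f"{random_label()}.{suffix}" if suffix else random_label()
        ips = resolve(name)
        if not ips:
            return set()          # at least one honest NXDOMAIN: not rewriting
        answers.append(set(ips))
    return set.intersection(*answers)


if __name__ == "__main__":
    import sys
    suffix = sys.argv[1] if len(sys.argv) > 1 else ""
    hijacked = detect_nxdomain_hijack(system_resolve, suffix)
    if hijacked:
        print("resolver rewrites NXDOMAIN to:", ", ".join(sorted(hijacked)))
    else:
        print("resolver returns NXDOMAIN for nonexistent names")
```

If it comes back with 208.67.217.132 on a Windows box, that is exactly the condition that makes step 2 “succeed”, and nothing reachable only by a bare NetBIOS name will get past it until the resolver stops answering for names that don’t exist (or you put the local boxes in the HOSTS file, which wins at step 1).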

There was only one quick solution I could think of: stop using OpenDNS and switch back to the servers provided by my ISP. But I did not want to do that. There is a reason why I started using OpenDNS in the first place - not only is it faster, but it is also more reliable than whatever Comcast had to offer.

The Real Solution™ required some digging around in the OpenDNS docs. Apparently you can disable the auto correct feature if you register your network on the OpenDNS website. The process is very straightforward - you create an account and then associate your external IP with it. Once you do that, you can disable and reconfigure all the “questionable features” that come with the service.

I’m not terribly happy with putting my IP address in their database this way, but then again I have to remind myself that they already have my IP showing up many many times in their logs so there is probably no difference here.

The changes took effect some 5 minutes after I registered and disabled the typo correction. Now I can ping local machines again without any issues. So if you are using OpenDNS and you suddenly find yourself cut off from your local network, consider registering, or dropping their service.

Sigh… I wish some of these features were opt-in instead of opt-out. But I guess they are trying to make their service idiot friendly and idiots do not opt into or opt out of anything that ever remotely relates to technology.

Faster - Short Story by Janusz Cyran

Friday, September 19th, 2008

I usually don’t review short stories here, but perhaps I should start. I recently read a very short piece by Janusz Cyran, a Polish SF writer, that struck a chord with me. The story itself was not all that spectacular, and especially the ending didn’t really do much for me, but the central concept was brilliant. A very original take on a rather common theme. The story is titled Faster (original title “Szybciej”) and it appeared in the September issue of the Nowa Fantastyka magazine. I don’t think an English translation exists, so I will just tell you about it.

The story takes place in a distant future, when the human race has attained immortality by shedding biological bodies and moving consciousness into a virtual universe. This digital world is cohabited by two offshoots of the former homo sapiens race. The traditionalists live in a hyper realistic simulation of the world they left behind. They still have bodies that seem physical; they can still eat, drink, make love and so on. The post-humans, on the other hand, moved on, shed the remaining shackles of simulated physicality and exist as purely abstract intellectual entities.

This virtual world naturally runs on “hardware” residing in the physical world. As the amount of data produced by the system is constantly growing, the hardware must expand to accommodate it. Over countless centuries the post-humans have managed to harness almost every single atom of matter in the universe as part of the gigantic quantum computer network which hosts their existence. Their first crisis comes when they realize there is no more matter available to add processing nodes or storage. They are suddenly strapped for resources. They’d love to get rid of the computationally intensive simulation used by the traditionalists, but the system was designed to prevent them from doing exactly that. So they do the next best thing - they offer various Faustian deals to the traditionalists or trick them into voluntarily relinquishing mental resources. Such unfortunate individuals are reduced to functional imbeciles and their storage and processing resources are repossessed by the post-humans in order to facilitate continuous growth.

Then they discover a second, even more disturbing problem threatening the survival of the human race. The universe is expanding! In the physical world the hardware components are hurtling away from each other through space at ever increasing velocity, and the imminent Big Rip will eventually pull apart galaxies, solar systems, then individual stars and planets, and finally individual atoms, at which point even the quantum level communication which drives the virtual world will become impossible.

The traditionalists who live in their simulation are completely oblivious to this impending doom. Many of them simply have an eerie feeling that time flies by faster as they get older. That’s because it does. As the universe expands, the communication between the hardware nodes becomes slower. So, for example, a simple 5 minute conversation with your neighbor may actually take years of real-world time to calculate, process and render.

The protagonist, a traditionalist, finds out about this and gets a clock which shows him the passage of real-world time. He puts it in his bedroom so that he can observe the phenomenon. At first the clock counts time in hours, which the character notes spin by at an astonishing pace. Much later he notes that the clock no longer uses hours, but now counts time in months. Then it changes to years, hundreds of years, millions and so on. To cope with the increased transmission times the post-humans must adjust the simulation. First it becomes black and white, then grainy and low resolution. The traditionalist society falls apart as individuals become trapped in their own houses, no longer able to reach cities and public places due to data transmission bottlenecks and the poor state of the simulation. Eventually the protagonist decides to simply stay in bed and observe the clock, because anything else is an enormous hassle. He knows that soon the virtual universe will grind to a halt, but the final thoughts of all of its inhabitants will be preserved for eternity in the quantum states of the particles that will continue hurtling through space into the unknown.

A brilliant and striking concept! The image of a dying virtual world and the protagonist lying in bed observing a wildly spinning clock and thinking until his mind comes to a slow halt really made an impression on me!

Cyran, however, managed to work in a semi-romantic subplot with a rather disturbing ending, plus a rather disappointing twist at the very end. No, it does not turn out to be a dream, but the story ends on an odd spiritual/religious note which IMHO didn’t really add anything to the story.

Anyway, I thought it was a really interesting idea for a distant future SF story, so I decided to share it with those of you who might not be able to read it. It really made me think. I’m not entirely certain that it will ever be possible to accurately digitize a human brain. I’m still hung up on that consciousness interruption thing. There is some interesting discussion on the topic in that thread, and I also had some really insightful email exchanges about it with a few people (hey Sam, how is that book coming along?). I sort of figured out a way I could imagine digitization of human consciousness without the interruption and the creation of a mental twin. Here is what I wrote about it back then:

We talked precisely about the issue you describe - if you digitize a brain and upload it to a cloned body (like in Cory Doctorow’s Down and Out in the Magic Kingdom) or a virtual simulation of some sort, you are really creating a “twin”.

I also read an interesting short story on this topic, but for the life of me I cannot remember the title or the author. The basic premise is that a guy goes hiking in the mountains and gets hit by an avalanche. He is rescued but loses a leg and a bunch of fingers, and his left hand suffers severe nerve damage due to the multiple fractures, so it will never be functional. His family tries to convince him to simply abandon this crippled body and restore himself from a backup he made prior to his trip. He doesn’t want to do it because in his mind this would mean death. He will die, and some other guy who looks like him and has all his memories will wake up somewhere else and go on to live his life. But he himself will be gone. So he refuses. His family and doctors decide to build a case in court showing that due to head trauma and severe emotional distress he is not in the right state of mind to make that decision, and want the court to authorize the procedure to restore him to a state of full mental competence and physical health. So the poor guy decides to spring himself out of the hospital and run away.

I wish I remembered who wrote that. But yeah, it’s an interesting problem. I don’t know whether an actual “transfer” is even possible. With Cylons maybe, because they are artificial beings. But with humans…

An idea I had a while ago was to make it a gradual, long term process. You would get implanted with a “transfer chip” and some nanotech. The chip would then gradually map your brain and create exact digitized functional copies. Once a part of your consciousness had been mapped, the nano machines would “re-wire” your brain to delegate that functionality and those memories to the chip, and deactivate the relevant area of the brain. At some point you would be running in a fully digitized mode - at that point the chip can be extracted, and your body with its non-functional brain can be discarded. That’s the only way I can actually imagine digitization of consciousness without that “you die, but your mental twin lives on” thing.

I admit that the mapping chip was heavily inspired by… yeah, Farscape. I bet freelancer (my fellow Gigi Edgley fan) knew exactly where this was heading when I used the expression “brain mapping chip” instead of neural implant. :P

So anyway, let’s say that digitizing your mind is possible and you can upload yourself into a virtual simulation or even attain a higher state of awareness as one of those post-human things (virtual singularity?). Theoretically this would mean that our dream of immortality would finally come true. But Cyran’s story shook me by showing me that there is no such thing as immortality. You can’t defeat the destructive forces of entropy! And once you are a digital construct in a virtual world, an eternity may fly past you so fast you won’t know where all those centuries went. There is a definite end to our existence in this universe, and we can do absolutely nothing to prevent it. Deep down it really disturbs me, even though I know perfectly well that:

  1. None of us will live long enough to see this inevitable death of everything
  2. The human race is more likely to die by supernova or meteor than via the Big Rip
  3. I always knew that the universe would end - Big Rip, Big Crunch, Heat Death - all are equally inevitable

I guess what I find disturbing in this story is the very fact that humans in it have achieved virtual immortality (pun intended) but had it insidiously snatched away from them by Lady Entropy. We face death every day so ultimately we are much better prepared to face the end of the world than this fictional race of immortals who know no death or sickness.

Don’t Close Comment Threads on Old Blog Posts

Thursday, September 18th, 2008

A blog without a comments section is not a blog - it is a vanity page. To me blogging implies a conversation between the reader and the writer. Often the comments may be better than the blog entries themselves, especially when the blogger poses a question and the readers supply a solution. Most people (sans professional bloggers who have their heads firmly jammed up their ass) get this, allow comments and engage readers in conversation.

I see a widespread and disturbing tendency to lock old threads down after a certain amount of time has elapsed. This means that if you find a very insightful blog post by following a link, or via Google, you may not be able to add your input to the conversation. And it’s not that the issue is resolved or the thread was locked due to Godwin’s Law. It’s just that it’s been a month since the post was published and the author felt that no insightful input could ever be added to a post that is more than a month old.

People who do that claim it helps to cut down on spam, but I do not believe that. What helps to cut down on spam is the right combination of plugins. With WPSpamFree and Akismet I have yet to see a single spam comment slip past the filters. The former filters out the bots based on behavioral patterns, and the latter draws on a huge centralized database fueled by thousands of users to flag spam. Whatever slips through the first one gets caught by the second one. All my old threads remain open to comments and I have never had an issue with them being spammed.

I believe that leaving the comments open indefinitely is beneficial for everyone. New readers who stumble over from somewhere and see a post they agree or disagree with can add their input, and I get to hear their opinions. Many issues that I brought up were left unsolved for months, and then suddenly someone would stop by and post a solution or some insightful advice. Comments are added value. Always. Be it entertainment, solutions, insightful discussions or simply jokes, a blog with comments is always better than one without.

When you close the comments on old posts, you are not preventing spam. Instead you not only alienate potential readers, but you also cheapen the value of your blog. So if you are one of these people, just enable comments on your old blog posts today. You will be pleasantly surprised to see that this brings little new spam, but a lot of insightful and entertaining comments from new and regular readers alike.