Quotulatiousness

October 12, 2024

Government-mandated backdoor access – “weakening security for anybody weakens it for everybody”

Filed under: China, Government, Law, Technology, USA — Nicholas @ 03:00

After all this time, it’s no surprise to discover that unlike the police — who theoretically only use these government-required “backdoors” with a legal warrant — foreign hackers have been merrily using these “law enforcement tools” for their own purposes:

“I Hear You wiretapping poster, Mad Magazine, NYC” by gruntzooki is licensed under CC BY-SA 2.0.

For as long as law enforcement has sought a way to monitor people’s conversations — though they’d only do so with a court order, we’re supposed to believe — privacy experts have warned that building backdoors into communications systems to ease government snooping is dangerous. A recent Chinese incursion into U.S. internet providers using infrastructure created to allow police easy wiretap access offers evidence, and not for the first time, that weakening security for anybody weakens it for everybody.

Subverted Wiretapping Systems

“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests,” The Wall Street Journal reported last week. “For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data.”

Among the companies breached by the hacker group, dubbed “Salt Typhoon” by investigators, are Verizon, AT&T, and Lumen Technologies. The group is just one of several linked to the Chinese government that has targeted data and communications systems in the West.

While the Journal report doesn’t specify, Joe Mullin and Cindy Cohn of the Electronic Frontier Foundation (EFF) believe the wiretap-ready systems penetrated by the Chinese hackers were “likely created to facilitate smooth compliance with wrong-headed laws like CALEA”. CALEA, known in full as the Communications Assistance for Law Enforcement Act, dates back to 1994 and “forced telephone companies to redesign their network architectures to make it easier for law enforcement to wiretap digital telephone calls,” according to an EFF guide to the law. A decade later it was expanded to encompass internet service providers, who were targeted by Salt Typhoon.

“That’s right,” comment Mullin and Cohn. “The path for law enforcement access set up by these companies was apparently compromised and used by China-backed hackers.”

Ignored Precedents

This isn’t the first time that CALEA-mandated wiretapping backdoors have been exploited by hackers. As computer security expert Nicholas Weaver pointed out for Lawfare in 2015, “any phone switch sold in the US must include the ability to efficiently tap a large number of calls. And since the US represents such a major market, this means virtually every phone switch sold worldwide contains ‘lawful intercept’ functionality.”

May 4, 2024

Process optimization can definitely be taken too far

Filed under: Business, Economics, Food, Technology — Nicholas @ 04:00

Freddie deBoer considers systems that have been overoptimized to the detriment of most users and the benefit of a small, privileged minority:

I know a guy who used to make his living as an eBay reseller. That is, he’d find something on eBay that he thought was underpriced so long as the auction didn’t go above X dollars, buy it, then resell it for more than he paid for it. Classic imports-exports, really, a digital junk shop. Eventually he got to the point where, with some items, he didn’t ever have physical possession of them; he had figured out a way to get them directly from whoever he bought an item from to the person he had sold the item to, while still collecting his bit of arbitrage along the way. This buying and selling of items on eBay, looking for deals, was sufficient to be his full-time job and pay for a mortgage. But the last time I saw him, a few years ago, he had gotten an ordinary office job. He told me that it had become too difficult to find value; potential sellers and buyers alike had access to too many tools that could reveal the “real” price of an item, and there was little delta to eke out. He’s not alone. If you search around in eBay-related forums, you’ll find that many longtime sellers have reached similar conclusions. The hustle just doesn’t work anymore.

I don’t suppose there’s any great crime there — it’s all within the rules. And there does appear to still be an eBay-adjacent reselling economy; it’s just that, as far as I can glean, it’s driven by algorithms and bots that average resellers simply don’t have access to. It appears that some super-resellers have implemented software solutions to identify underpriced goods and buy them automatically and algorithmically. They have optimized the system for their own use, giving them an advantage, putting other sellers at a disadvantage, and arguably hurting buyers by eliminating uncertainty that sometimes results in lower-than-optimal-to-sellers prices. This is all in sharp contrast to the early years, when my friend would keep listings for lucrative product categories open – in separate windows, not tabs, that’s how long ago this was – and refresh until he found potential moneymakers. That sort of human searching and bidding work stands at a sharp disadvantage compared to those with information-scraping capacity and automated tools. It’s a good example of how access to data has left systems overoptimized for some users. One of the things that the internet is really good at is price discovery, and these digital tools help determine the “optimal” price of items on eBay, which results in less opportunity for arbitrage for other players.

My current working definition of overoptimization goes like this: overoptimization has occurred when the introduction of immense amounts of information into a human system produces conditions that allow for some players within that system to maximize their comparative advantage, without overtly breaking the rules, in a way that (intentional or not) creates meaningful negative social consequences. I want to argue that many human systems in the 2020s have become overoptimized in this way, and that the social ramifications are often bad.

Getting a restaurant reservation is a good example. Once upon a time, you called a restaurant’s phone number and asked about a specific time and they looked in the book and told you if you could have that slot or not. There was plenty of insiderism and petty corruption involved, but because the system provided incomplete information that was time consuming to procure, there was a limit to how much you could game that system. Now that reservations are made online, you can look and see not only if a specific slot has availability but if any slots have availability. You can also make highly-educated guesses about what different slots are worth on the market through both common sense (weekend evenings are the most valuable etc) and through seeing which reservations get snapped up the fastest in an average week. And being online means that the reservation system is immediate and automatic, so you can train a bot to grab as many reservations as you want, near-instantaneously, and you can do so in a way that the system doesn’t notice. (Unlike, say, if you called the same restaurant over and over again and tried to hide your voice by doing a series of fake accents.) The outcome of all this is that getting a reservation at desirable places is a nightmare and results in a secondary market that, like seemingly everything in American life, is reserved for the rich. The internet has overoptimized getting a restaurant reservation and the result is to make it more aggravating and less egalitarian.

As has been much discussed, nearly the exact same scenario has made getting concert tickets a tedious and ludicrously-pricy exercise in frustration.

September 27, 2023

QotD: Geeks and hackers

Filed under: Gaming, Quotations, Technology — Nicholas @ 01:00

One of the interesting things about being a participant-observer anthropologist, as I am, is that you often develop implicit knowledge that doesn’t become explicit until someone challenges you on it. The seed of this post was on a recent comment thread where I was challenged to specify the difference between a geek and a hacker. And I found that I knew the answer. Geeks are consumers of culture; hackers are producers.

Thus, one doesn’t expect a “gaming geek” or a “computer geek” or a “physics geek” to actually produce games or software or original physics – but a “computer hacker” is expected to produce software, or (less commonly) hardware customizations or homebrewing. I cannot attest to the use of the terms “gaming hacker” or “physics hacker”, but I am as certain as of what I had for breakfast that computer hackers would expect a person so labeled to originate games or physics rather than merely being a connoisseur of such things.

One thing that makes this distinction interesting is that it’s a recently-evolved one. When I first edited the Jargon File in 1990, “geek” was just beginning a long march towards respectability. It’s from a Germanic root meaning “fool” or “idiot” and for a long time was associated with the sort of carnival freak-show performer who bit the heads off chickens. Over the next ten years it became steadily more widely and positively self-applied by people with “non-mainstream” interests, especially those centered around computers or gaming or science fiction. From the self-application of “geek” by those people it spread to elsewhere in science and engineering, and now even more widely; my wife the attorney and costume historian now uses the terms “law geek” and “costume geek” and is understood by her peers, but it would have been quite unlikely and a faux pas for her to have done that before the last few years.

Because I remembered the pre-1990 history, I resisted calling myself a “geek” for a long time, but I stopped around 2005-2006 – after most other techies, but before it became a term my wife’s non-techie peers used politely. The sting has been drawn from the word. And it’s useful when I want to emphasize what I have in common with other geeks, rather than pointing at the more restricted category of “hacker”. All hackers are, almost by definition, geeks – but the reverse is not true.

The word “hacker”, of course, has long been something of a cultural football. Part of the rise of “geek” in the 1990s was probably due to hackers deciding they couldn’t fight journalistic corruption of the term to refer to computer criminals – crackers. But the tremendous growth and increase in prestige of the hacker culture since 1997, consequent on the success of the open-source movement, has given the hackers a stronger position from which to assert and reclaim that label from abuse than they had before. I track this from the reactions I get when I explain it to journalists – rather more positive, and much more willing to accept a hacker-lexicographer’s authority to pronounce on the matter, than in the early to mid-1990s when I was first doing that gig.

Eric S. Raymond, “Geeks, hackers, nerds, and crackers: on language boundaries”, Armed and Dangerous, 2011-01-09.

September 10, 2023

Indigo today … Indigone tomorrow?

Filed under: Books, Business, Cancon — Nicholas @ 03:00

In the latest SHuSH newsletter, Ken Whyte discusses the financial woes of Canada’s quasi-monopoly book chain, Indigo after a series of misfortunes:

“Indigo Books and Music” by Open Grid Scheduler / Grid Engine is licensed under CC0 1.0

As we reported in SHuSH 197 and SHuSH 203, Indigo posted a ruinous 2023 (its fiscal year ends March 30), losing $50 million. That came on the heels of more than $270 million in losses the previous four years. The company’s share price, as high as $20 in 2018, has been floating around $1.30 this summer.

That dismal performance spelled the end of founding CEO Heather Reisman’s leadership at the chain. In June, her husband, Onex billionaire Gerry Schwartz, who has been Indigo’s controlling shareholder and chief financial backstop since the company’s launch in 1997, took the reins and elbowed Heather into the ditch along with almost every member of the board of directors who wasn’t beholden to Gerry personally.

The only non-Gerry director to survive was CEO Peter Ruis.

As I said at the time, Peter Ruis, “a career fashion retailer who landed in this jackpot from England two years ago”, is either “polishing his resume as we speak or negotiating a massive retention bonus to stick around and wield an axe on Gerry’s behalf. My money is on polishing.”

[…]

Meanwhile, I’m hearing that everyone in the publishing industry is being slammed with returns. Publishers usually get a lot of books back from retailers in the first quarter of the year as stores send back unsold inventory from the holiday season. This year, the returns were slower to start, probably because of Indigo’s cyberattack last fall, but they have kept coming right through the second and third quarters. This is coupled with lighter than usual buying for the fall.

The firm’s releases continue to claim that Indigo will keep books at its core, even as it loads its shelves with brass cutlery, dildos, and pizza ovens. According to Google, the core of an apple represents 25 percent of its weight. Books are now less than 50% of Indigone, suggesting more returns and light orders to come.

One final note. I corresponded this morning with a giant of Canadian business who has no special insight into the Indigo situation although he’s kept up with the news and, like everyone in Toronto commercial circles, he’s familiar with the Schwartz-Reismans.

He wonders just how involved Gerry is with Indigo these days. Apparently his health is not good. And while he’s still the lead shareholder at Onex, he’s no longer CEO and may not have access to the hordes of ultra-bright hirelings and menials that have long surrounded him.

My friend writes: “My guess is that suppliers are going to start to halt shipping and that a financial crisis is imminent, despite [Gerry’s] line of credit. But I don’t know anything.”

March 12, 2023

“Indigo is no longer a bookseller but a general merchandiser with a sideline in books”

Filed under: Books, Business, Cancon — Nicholas @ 05:00

In the latest edition of the SHuSH newsletter, Ken Whyte looks at the dismal financial (and technological) picture for Indigo in the Canadian market:

“Indigo Books and Music” by Open Grid Scheduler / Grid Engine is licensed under CC0 1.0

As you’ve heard, the bookselling chain was hacked, its employment records held for ransom. Indigo (rightly) refused to pay and the hackers are now expected to release the employees’ personal data on the dark web.

This all started a month ago. The company’s website went down along with its in-store credit and debit systems. The payment systems came back after about ten days. A new website was built and launched at the beginning of March. It is a much-reduced site with a much reduced catalog of books.

The repercussions will be enormous for both Indigo and the publishing community.

One of the things overshadowed by the hacks was the release of Indigo’s third-quarter results, covering the crucial holiday season. As we’ve noted before, the company’s finances are unsettling. It lost $37 million in 2019, $185 million in 2020, and $57 million in 2021. Things looked somewhat better in 2022 with a $3 million profit, but the first two quarters of 2023 (Indigo has a March 28 year-end) showed a loss of $41.3 million, about $10 million worse than in the first two quarters of the previous year.

The hope was that a blockbuster holiday season would get Indigo’s year back on track.

It didn’t happen. Revenue for Q3 2022 came in at $423 million, down $8 million from last year, with pre-tax profits of $36 million, down from $45 million last year.

After three quarters, Indigo now stands at an $8 million loss. The company’s fourth quarter, covering the first three months of the calendar year, is usually terrible (all retail suffers in the deep of winter). If this fourth quarter goes like the last, Indigo will be looking at a $30 million loss for its full year. But this fourth won’t go like the last because of the hack. I have no idea what it will cost in terms of lost sales and unexpected expenditures (or what will be covered by insurance). It’s hard to imagine the company not doing worse than $30 million after such a catastrophic event.

Most of Canada’s mid-size to large publishers sell somewhere between 25 percent and 60 percent of their books through the chain. The outage will hurt revenue for both publishers and authors. If there’s a silver lining here, it’s that it occurred in a dead season. But the knock-on effects will be substantial. I’m told Indigo has no visibility into its store sales or current stock levels across the chain. It’s being very cautious about bringing in new books apart from the most in-demand titles. Publishers I’ve spoken to say sales to Indigo are down and they expect returns to be large and late. (Booksellers send unsold inventory back to publishers for full refunds and the bulk of these come in the months after the holidays).

By the way, the latest results showed that Indigo is no longer a bookseller but a general merchandiser with a sideline in books. Blankets and cheeseboards accounted for more than 50 percent of the company’s total revenue over the holidays. Print was 46 percent, down from 54 percent earlier in 2022 and 67.4 percent eight years ago. The movement away from bookselling is picking up steam. I hope you like Amazon because it and the few independent bookstores Chapters/Indigo hasn’t managed to kill will be all that’s left of Canadian bookselling before very long.

September 22, 2022

Why Electronic Voting Is Still A Bad Idea

Filed under: Government, Politics, Technology — Nicholas @ 04:00

Tom Scott
Published 9 Dec 2019

We still shouldn’t be using electronic voting. Here’s why.

January 31, 2022

QotD: Weird attempts to violate the Efficient Markets Hypothesis

Filed under: Books, Business, Quotations — Nicholas @ 01:00

There’s a lot more to this book, but it all seems to be pointing at the same central, hard-to-describe idea. Something like “All progress comes from violations of the efficient market hypothesis, so you had better believe these are possible, and you had better get good at finding them.”

The book begins and ends with a celebration of contrarianism. Contrarians are the only people who will ever be able to violate the EMH. Not every weird thing nobody else is doing will earn you a billion dollars, but every billion-dollar plan has to involve a weird thing nobody else is doing.

Unfortunately, “attempt to find violations of the EMH” is not a weird thing nobody else is doing. Half of Silicon Valley has read Zero To One by now. Weirdness is anti-inductive. If everyone else knows weirdness wins, good luck being weirder than everyone else.

Thiel describes how his venture capital firm would auto-reject anyone who came in wearing a suit. He explains this was a cultural indicator: MBAs wear suits, techies dress casually, and the best tech companies are built by techies coming out of tech culture. This all seems reasonable enough.

But I have heard other people take this strategy too far. They say suit-wearers are boring conformist people who think they have to look good; T-shirt-wearers are bold contrarians who expect to be judged by their ideas alone. Obviously this doesn’t work. Obviously as soon as this gets out – and it must have gotten out, I’ve never been within a mile of the tech industry and even I know it – every conformist putting image over substance starts wearing a t-shirt and jeans.

When everybody is already trying to be weird, who wins?

Part of the answer must be that being weird is a skill like any other skill. Or rather, it’s very easy to go to an interview with Peter Thiel wearing a clown suit, and it will certainly make you stand out. But will it be “contrarian”? Or will it just be random? Anyone can conceive of the idea of wearing a clown suit; it doesn’t demonstrate anything out of the ordinary except perhaps unusual courage. The real difficulty is to be interestingly contrarian and, if possible, correct.

(I wrote that paragraph, and then I remembered that I know one person high up in Peter Thiel’s organization, and he dresses like a pirate during random non-pirate-related social situations. I always assumed he didn’t do this in front of Peter Thiel, but I just realized I have no evidence for that. If this advice lands you a job at Thiel Capital, please remember me after you’ve made your first million.)

Scott Alexander, “Book Review: Zero to One”, Slate Star Codex, 2019-01-31.

May 18, 2021

What is Maskirovka? Russian Military Deception #Military101

Filed under: History, Media, Military, Russia — Nicholas @ 04:00

Military History Visualized
Published 5 May 2017

A short introduction to Russian Military Deception — called Maskirovka. “Maskirovka is most simply defined as a set of processes designed to mislead, confuse, and interfere with accurate data collection regarding all areas of Soviet plans, objectives, and strengths or weaknesses.” (Smith, Charles L.: “Soviet Maskirovka”, in: Airpower Journal – Spring 1988)

Military History Visualized provides a series of short narrative and visual presentations, like documentaries, based on academic literature or sometimes primary sources. Videos are intended as an introduction to military history, but also contain a lot of details for history buffs. Since the aim is to keep the episodes short and comprehensive, some details are often cut.

» SOURCES «

Maier, Morgan: A Little Masquerade: Russia’s Evolving Employment of Maskirovka
http://cgsc.contentdm.oclc.org/cdm/si…

Smith, Charles L.: “Soviet Maskirovka”, in: Airpower Journal – Spring 1988
http://www.airpower.maxwell.af.mil/ai…

Lindley-French, Julian: NATO: Countering Strategic Maskirovka. Canadian Defence & Foreign Affairs Institute. (2015)

Glantz: The Red Mask: The Nature and Legacy of Soviet Military Deception in the Second World War

https://en.wikipedia.org/wiki/Russian…

Keating, Kenneth: The Soviet System of Camouflage
http://www.dtic.mil/dtic/tr/fulltext/…

Krueger, Daniel: Maskirovka – What’s in it for us?
http://www.dtic.mil/dtic/tr/fulltext/…

December 4, 2018

Terry Teachout’s unhappy Twitter experience

Filed under: Media — Nicholas @ 03:00

While I don’t follow him on Twitter, I’ve long subscribed to the RSS feed from Terry Teachout’s website. On Sunday, he posted about a recent unpleasantness on Twitter that I thought was worth sharing:

… my Twitter account, was hacked on Sunday morning as part of a cross-platform attack on my social-media presence. The objective, it seems, was ransom: I actually received a series of telephone calls from the culprits, who appear to reside in England. Needless to say, I hung up and immediately started changing passwords and building a higher security wall. Alas, several hours went by before the powers-that-be at Twitter took notice of my plight, and numerous obscene postings are still visible on my old Twitter page as of this hour, as well as on the Twitter module in the right-hand column of this blog.

So, as you’d expect, the crack Twitter security team sprang into action, right? Er, no:

I received this message from Twitter Support late last night:

    We’ve investigated the reported account and have determined that it is not in violation of Twitter’s impersonation policy. In order for an account to be in violation…it must portray another person…in a misleading or deceptive manner.

So that’s how Twitter Support responds when my verified account is hacked, obscene and racist messages are posted on it, and a ransom request is made to me by telephone. Is it any wonder that more and more people are getting fed up with Twitter?

September 11, 2018

Fear the Internet-of-Things

Filed under: Business, Technology — Nicholas @ 05:00

Martin Giles talks to Bruce Schneier about his new book, Click Here to Kill Everybody:

The title of your book seems deliberately alarmist. Is that just an attempt to juice sales?

It may sound like publishing clickbait, but I’m trying to make the point that the internet now affects the world in a direct physical manner, and that changes everything. It’s no longer about risks to data, but about risks to life and property. And the title really points out that there’s physical danger here, and that things are different than they were just five years ago.

How’s this shift changing our notion of cybersecurity?

Our cars, our medical devices, our household appliances are all now computers with things attached to them. Your refrigerator is a computer that keeps things cold, and a microwave oven is a computer that makes things hot. And your car is a computer with four wheels and an engine. Computers are no longer just a screen we turn on and look at, and that’s the big change. What was computer security, its own separate realm, is now everything security.

You’ve come up with a new term, “Internet+,” to encapsulate this shift. But we already have the phrase “internet of things” to describe it, don’t we?

I hated having to create another buzzword, because there are already too many of them. But the internet of things is too narrow. It refers to the connected appliances, thermostats, and other gadgets. That’s just a part of what we’re talking about here. It’s really the internet of things plus the computers plus the services plus the large databases being built plus the internet companies plus us. I just shortened all this to “Internet+.”

Let’s focus on the “us” part of that equation. You say in the book that we’re becoming “virtual cyborgs.” What do you mean by that?

We’re already intimately tied to devices like our phones, which we look at many times a day, and search engines, which are kind of like our online brains. Our power system, our transportation network, our communications systems, are all on the internet. If it goes down, to a very real extent society grinds to a halt, because we’re so dependent on it at every level. Computers aren’t yet widely embedded in our bodies, but they’re deeply embedded in our lives.

Can’t we just unplug ourselves somewhat to limit the risks?

That’s getting harder and harder to do. I tried to buy a car that wasn’t connected to the internet, and I failed. It’s not that there were no cars available like this, but the ones in the range I wanted all came with an internet connection. Even if it could be turned off, there was no guarantee hackers couldn’t turn it back on remotely.

Hackers can also exploit security vulnerabilities in one kind of device to attack others, right?

There are lots of examples of this. The Mirai botnet exploited vulnerabilities in home devices like DVRs and webcams. These things were taken over by hackers and used to launch an attack on a domain-name server, which then knocked a bunch of popular websites offline. The hackers who attacked Target got into the retailer’s payment network through a vulnerability in the IT systems of a contractor working on some of its stores.

July 21, 2018

Singapore suffers data breach from SingHealth

Filed under: Asia, Health, Technology — Nicholas @ 03:00

In the Straits Times, Irene Tham reports on the data loss:

In Singapore’s worst cyber attack, hackers have stolen the personal particulars of 1.5 million patients. Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescriptions stolen as well.

The hackers infiltrated the computers of SingHealth, Singapore’s largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics. Two other polyclinics used to be under SingHealth.

At a multi-ministry press conference on Friday (July 20), the authorities said PM Lee’s information was “specifically and repeatedly targeted”.

The 1.5 million patients had visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018.

Their non-medical personal data that was illegally accessed and copied included their names, IC numbers, addresses, gender, race and dates of birth.

No record was tampered with and no other patient records such as diagnosis, test results and doctors’ notes were breached. There was no evidence of a similar breach in the other public healthcare IT systems.

Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran both described the leak as the most serious, unprecedented breach of personal data in Singapore.

October 1, 2017

When network security intersects teledildonics

Filed under: Technology — Nicholas @ 05:00

At The Register, John Leyden warns anyone using an internet-of-things sex toy that their device can be easily detected and exploited by (I kid you not) “screwdrivers” (below the fold, just in case you’re extra-concerned for potentially NSFW content):

July 26, 2017

Sure-fire way to reduce the number of bugs reported – arrest the reporters

Filed under: Europe, Law, Technology — Nicholas @ 03:00

The Budapest public transit authority has come up with a new technique to handle bug reports:

The tale started last week when an unnamed 18-year-old found that he was able to, when purchasing a ticket online, poke the BKK website in a particular way to modify the ticket’s price and buy it at that new price.

Rather than take advantage of virtually free travel in the country’s capital, however, he did the right thing and reported the security hole to the BKK, complete with a demo in which he was able to buy a $35 ticket for just 20 cents.

The response was not what he expected. Four detectives turned up at his door at 7:00am on Friday, photographed him and questioned him extensively over his actions. The BKK then held a press conference at which its CEO Kálmán Dabóczi proudly announced they had caught a hacker and had filed an official complaint against him. Dabóczi assured everyone that the website was now perfectly safe.

That version of events was immediately questioned by the teenager himself however, in a Facebook post.

“I am an 18-year-old, now middle school graduate,” he wrote in a message that has since been posted hundreds of times to the BKK’s Facebook page. “I trust that I can help solve a mistake.”

In the message, he says he informed the BKK “about two minutes” after he discovered the flaw. “I did not use the ticket, I do not even live near Budapest, I never traveled on a BKK route. My goal was just to signal the error to the BKK in order to solve it, and not to use it.”

He continued: “The BKK has not been able to answer me for four days, but in their press conference today they said it was a cyber attack and was reported. I found an amateur bug that could be exploited by many people – no one seriously thinks an 18-year-old kid would have played a serious security system and wanted to commit a crime by promptly telling the authorities.”

He then asks others to help out: “I ask you to help by sharing this entry with your acquaintances so that the BKK will come to a better understanding and see if my purpose is merely a helper intention, I have not harmed or wanted to harm them in any way. I hope that in this case the BKK will consider withdrawing the report.”

And so they have shared the entry – in their thousands – putting the BKK on the back foot.
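The story does not say how the price was altered, but the most common cause of this class of bug is a checkout that trusts an amount submitted by the browser. The following is an added illustration, not BKK's code: it assumes a form with `ticket_id` and `price_cents` fields and a constructed server-side catalog, and shows the trusting handler beside one that prices every order from the catalog and treats a mismatching client value as a tampering signal.

```python
# Added example (not BKK's code): a checkout that trusts the client-sent price,
# beside a hardened version that prices server-side. The catalog, form layout
# and function names are all constructed for illustration.
from dataclasses import dataclass

# Constructed server-side catalog: ticket id -> price in cents.
CATALOG = {"monthly-pass": 3500, "single-ride": 120}


@dataclass
class Order:
    ticket_id: str
    charged_cents: int


class PriceTampering(ValueError):
    """Raised when a client-supplied price disagrees with the catalog."""


def checkout_vulnerable(form: dict) -> Order:
    """Charges whatever the submitted form says (the pattern in the story)."""
    # price_cents came from the browser, so anyone can rewrite it before
    # submitting: a 3500-cent pass is charged at 20 cents.
    return Order(form["ticket_id"], int(form["price_cents"]))


def checkout_hardened(form: dict) -> Order:
    """Derives the amount from the catalog; the form never sets the price."""
    ticket_id = form.get("ticket_id")
    if ticket_id not in CATALOG:
        raise KeyError(f"unknown ticket {ticket_id!r}")
    price = CATALOG[ticket_id]
    # A client-sent price is at most a display hint. A mismatch means the
    # request was modified in transit or in the browser, so reject and log it
    # instead of silently charging the catalog price.
    if "price_cents" in form and int(form["price_cents"]) != price:
        raise PriceTampering(
            f"client sent {form['price_cents']} for {ticket_id}, catalog says {price}")
    return Order(ticket_id, price)


def rejects(form: dict) -> bool:
    """True when the hardened checkout refuses the submitted form."""
    try:
        checkout_hardened(form)
    except (PriceTampering, KeyError):
        return True
    return False


# Constructed requests: one as the page would normally send it, one modified.
HONEST_FORM = {"ticket_id": "monthly-pass", "price_cents": "3500"}
TAMPERED_FORM = {"ticket_id": "monthly-pass", "price_cents": "20"}
```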

June 16, 2017

QotD: Cultural decline markers

Filed under: Education, History, Quotations, USA — Nicholas @ 01:00

In response to my previous post noting that the Flynn effect turns out to be a mirage, at least two respondents have suggested that average IQ has actually been falling, and have pointed to the alleged dumbing-down of politics and popular culture in the last fifty years.

I think both those respondents and the psychometricians are correct. That is, it seems to me that during my lifetime I’ve seen evidence that average IQ has risen a little, but that other traits involved in the “smart or stupid” judgment have eroded.

On the one hand, I’ve previously described the emergence of geek culture, which I take among other things as evidence that there are more bright and imaginative individuals around than there were when I was a kid. Enough of us, now, to claim a substantial slice of turf in the cultural marketplace. This good news is reinforced for me by the explosive growth of the hacker community, which today is easily a hundred times the size it was in, say, 1975 — and far larger than I ever dreamed it would be then.

On the other hand, when I compare Americans today to the country of my childhood there are ways the present comes off rather badly. We are more obese, we have shorter attention spans, our divorce rate has skyrocketed. All these and other indicators tell me that we have (on average) lost a significant part of our capacity to exert self-discipline, defer gratification, and honor contracts when the going gets tough.

To sum up, we’re brighter than we used to be, but lazier. We have more capacity, but we use less of it. Physically and mentally we are self-indulgent, flabby, unwilling to wake up from the consumer-culture dream of entitlement. We pursue happiness by means ever more elaborate and frenetic, diminishing returns long since having set in. When reality hands us a wake-up call like 9/11, too many of us react with denial and fantasy.

This is, of course, not a new complaint. Juvenal, Horace, and Petronius Arbiter wrote much the same indictment of their popular culture at the height of the Roman Empire. They were smart enough to understand, nigh on two millennia ago, that this is what happens to elites who have it easy, who aren’t tested and winnowed by war and famine and plague and poverty.

But there are important differences. One is that while decadence used to be an exclusive problem of the upper crust, we are all aristocrats now. More importantly, where the Romans believed that decadence in individuals and societies was inevitable, we know (because we’ve kept records) that as individuals we are taller, stronger, healthier, longer-lived and more intelligent than our ancestors — that, in fact, we have reaped large gains merely within the last century.

We have more capacity, but we use less of it. And, really, is it any surprise? Our schools are abandoning truth for left-wing bullshit about multiculturalism and right-wing bullshit about “intelligent design”. Our politics has become a wasteland of rhetorical assassinations in which nobody but the fringe crazies believe even their own slogans any more. Our cultural environment has become inward-turned, obsessed with petty intramural squabbles, clogged with cant. Juvenal would find it all quite familiar.

Eric S. Raymond, “People Getting Brighter, Culture Getting Dimmer”, Armed and Dangerous, 2005-08-28.

April 13, 2017

Microsoft buries the (security) lede with this month’s patch

Filed under: Technology — Nicholas @ 05:00

In The Register, Shaun Nichols discusses the way Microsoft has effectively hidden the extent and severity of security changes in this month’s Windows 10 patch:

Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers.

In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead scattered details of changes across a new portal: Microsoft’s Security Update Guide.

Billed by Redmond as “the authoritative source of information on our security updates,” the portal merely obfuscates discovered vulnerabilities and the fixes available for them. Rather than neatly split patches into bulletins as in previous months, Microsoft has dumped the lot into an unwieldy, buggy and confusing table that links out to a sprawl of advisories and patch installation instructions.

Punters and sysadmins unable to handle the overload of info are left with a fact-light summary of April’s patches – or a single bullet point buried at the end of a list of tweaks to, for instance, Windows 10.

Now, ordinary folk are probably happy with installing these changes as soon as possible, silently and automatically, without worrying about the nitty-gritty details of the fixed flaws. However, IT pros, and anyone else curious or who wants to test patches before deploying them, will have to fish through the portal’s table for details of individual updates.

[…]

Crucially, none of these programming blunders are mentioned in the PR-friendly summary put out today by Microsoft – a multibillion-dollar corporation that appears to care more about its image as a secure software vendor than coming clean on where its well-paid engineers cocked up. The summary lists “security updates” for “Microsoft Windows,” “Microsoft Office,” and “Internet Explorer” without version numbers or details.
