Sunday, January 31, 2016

Saturday Morning Phishing Call

Fairly early Saturday morning, my phone rang. Although I didn't recognize the number, I answered, learning during this election period that if I ignore the pollsters' attempts to contact me, they just call back, again, and again... (I don't know if it is that my opinion is extremely valuable or if there are just lots of pollsters that I receive so many calls. I suspect the latter.)

“Hello?”
“Yes, hello, Lee. My name is Marcus, and our servers have detected some hacking in your computer, and I am calling to help you.”

I don't know about you, but it always throws me off a little when a stranger calls me by name. However, I was instantly alert, mostly due to the use of a verb (hacking) in place of a noun, and the accent. I would place Marcus in India. I would expect his servers to find a virus or malware – the results of hacking. Not completely certain how they would detect the act of hacking without detecting the results of hacking.

“Marcus, please tell me my computer IP address where you detected the hacking.”
“Lee, I don't have your IP address, but I do have the ID of your Windows computer.”
“Continue, Marcus. What is my computer's ID, and please, which version of Windows am I running?”

The version question was just to string him along a little. I realized as I asked it that there was a good chance he could guess correctly – I think there are only 3 versions remaining in widespread use. I chuckled, thinking of the scene in the movie Elf where Elf asks the department store Santa, who he believes is fake and wants to prove it, “Yeah? If you're the real Santa, what song did I sing for you on your birthday?” “Why, Happy Birthday, of course!”

I was really intrigued, and a little concerned, that he might actually have my computer ID. So, I wanted to play along just to see. While we continued talking I was busy pulling up the two values that he might have: My computer ID and my Windows ID, just to see which he might give me as 'proof' that his servers had indeed detected hacking on my machine.

Marcus was pretty slick, too. He didn't attempt to answer the Windows version question, deflecting with “I'm not talking about your OS. I'm talking about your computer ID.”

“I'm ready, Marcus. Please, give me my computer ID.”
“888DCA60-FC0A-11CF-8F0F-00C04FD7D062”

Whew. That was neither my Windows ID nor the number on the back of my computer. Didn't match my MAC address, either. But what was it, and why would Marcus think I would accept it as my number?

“That's not my computer ID, Marcus.”
“Sir, it is your CLSID. Please, press your windows key, and then 'r', and type the command 'assoc'”

Some more time occurred as I acted stupid and had him explain several times where the windows key was and how to recognize it. (For humor imagine a non-English speaker attempting to describe what that key looks like – nothing I was hearing made any sense!) I know well that windows+r would give me the command prompt, and I wasn't going to start running unfamiliar commands that some caller asked me to. So, while he was busy attempting to get through to me what to do, I was searching (I don't 'google', since, #1, Google is a noun, and should not be used as a verb, and #2, I don't use Google as my search engine, having switched to DuckDuckGo) for 'Assoc scam'. Which I found, here.

I also typed help assoc in the command window, and realizing that the assoc command by itself was only Marcus' attempt to 'prove' his legitimacy, I typed it. And sure enough, there is the CLSID that matches the string Marcus gave. Fortunately, the CLSID is not unique to any particular computer, and so I now knew that Marcus possessed no identifying information on my computer.

It was time to end this phishing call. “Marcus, that value is not unique. In fact, that is a known scam, and that makes you nothing more than a common thief, a worthless piece, a horrible human being, and a waste of resources. You should find something constructive and productive to do rather than attempt to steal.”

I suspect that Marcus did not want my (well meant) advice: He hung up on me! Oh well...

But my taking this call had become a useful teaching opportunity for me. My children had been following along wondering just what was going on. They were very excited by the conclusion, but we were able to go back over the details: How I had revealed nothing to the caller, not answering any of his questions, asking my own to stall, searching details, being very suspicious of his motives. We talked about good security – I absolutely didn't run any command he asked me to, and that I could have just ended the call early (which is probably best) – and that legitimate companies will not call and ask you to allow a connection to your computer.

The final point is the most important: Your bank, your doctor, your credit card company, none will initiate a call to you and ask you for personally identifying information or a connection to carry out their business. Neither will the FBI or any other legitimate institution.

It is interesting, with all the high profile stories in the news about hacking, the majority of theft of ID or financial information still occurs through phishing – one person talking to another, and manipulating the victim into giving out the necessary information. As we've become more sophisticated in our understanding of phishing, so the phishers have gotten more clever at presenting 'proof' they are who they represent to be.

The stakes keep growing, too, as more and more personal information is gathered on us and stored on Internet connected devices. As we've seen, through the breach of Target, Home Depot, and Sony, large companies are not up to keeping our data safe.

Which poses the question: Should they even be allowed to maintain data on us? Should it even be a possibility that Marcus could have obtained (perhaps through a hack of a major computer reseller) my actual computer ID? Or my user profile as stored up by Google, Microsoft, Yahoo, Amazon, etc.?

Security expert Bruce Schneier thinks about this a lot. Through reading his book 'Data and Goliath' and rebuffing attempts like this morning, I've started thinking about it more, too.

Sunday, January 3, 2016

Neal Stephenson's Anathem

I was struck by the depth of this book – both ideas and its insightful prose. Let's begin with a piece of prose:

So I looked with fascination at those people in their mobes, and tried to fathom what it would be like. Thousands of years ago, the work that people did had been broken down into jobs that were the same every day, in organizations where people were interchangeable parts. All of the story had been bled out of their lives. That was how it had to be; it was how you got a productive economy. But it would be easy to see a will at work behind this: not exactly an evil will, but a selfish will. The people who'd made the system thus were jealous, not of money and not of power but of story. If their employees came home at day's end with interesting stories to tell, it meant that something had gone wrong: a blackout, a strike, a spree killing. The Powers that Be would not suffer others to be in stories of their own unless they were fake stories that had been made up to motivate them. People who couldn't live without story had been driven into the concents or into jobs like Yul's. All others had to look somewhere outside of work for a feeling that they were part of a story, which I guessed was why Saeculars were so concerned with sports, and with religion. How else could you see yourself as part of an adventure?

[ mobes = cars
  concents = university, but cloistered with outside contact only once every ten years
  Yul = main character, his job is as a wilderness guide – think Alaska, Nepal
  Saecular = the world most people inhabit
]

Good Science Fiction is always part social commentary – by constructing another world that is often the same but subtly different, the author is allowed the freedom to make observations about the way people live and what gives life meaning. Stephenson does this by inverting some of our social institutions (the cloistered university), and changing the terms for many things which forces the reader to consider what exactly he is getting at, with the added insight he intends.

But all this is hung around the main story which is what really makes Anathem worth reading: Stephenson takes us on a romp through current theoretical physics which asks the following questions: Is ours the only universe, or could there be multiple? We can only see to the edge of our universe, which is the distance light has been able to travel since the formation – so anything beyond that boundary is invisible to us at this time. That doesn't preclude there being other 'universes' that are currently beyond that boundary...

Would other universes be the same as ours? Supporting this would be the observation that there is only a finite number of atoms (Hydrogen through Uranium, plus the few short-lived lab made ones). If there are an infinite number of universes, and finite types of atoms, then arrangements of atoms would necessarily repeat, and there would be virtual copies of the entities in this universe in other universes.

Throwing a monkey-wrench into this is the idea that the constants we observe (the charge of an electron, for example) needn't all be the same everywhere. This is where the anthropic principle comes into play: We could necessarily find ourselves only in a universe where the constants are very close to what they are – too large of deviations and 'we' wouldn't be present to observe them. But within some narrow boundaries, we, or beings very much like us, could exist and observe. Stephenson makes very good use of this last point late in the story...

Finally, would it be possible for us to experimentally determine if ours is a lone universe or if it is just one of many (or one of an infinite many)? Are there interactions that could be observed that would reveal the existence of multiple universes – of other ways of being? Part of what leads physicists down this path is the indeterminate-ness of quantum electrodynamics. Is Schrodinger's cat alive or dead? How, exactly, does the quantum field collapse into the state we observe? Is there a universe in which the cat is alive even though it is dead in this one? When world tracks come close together, could there be transfer of information?

Neal Stephenson spins a yarn of 'What If?' around all these ideas that creates a top-notch story set in an instance of top-notch world building where everything plays out as it could – somewhere. And that somewhere is Arbre which has eerie parallels to the world in which we live – and astounding differences.

Saturday, December 27, 2014

My Take on The Interview

I find myself fairly annoyed when someone says something patently stupid, or absurd, or hurtful (bigoted, misogynistic, racist), and, when called out for it, instead of retreating, apologizing, they double down, shouting 'Free Speech!' “I'm standing up for Freedom of Speech!”

Er, no.

When the First Amendment was penned, they were thinking of protecting the sorts of speech that could be silenced (and often had been, through imprisonment or worse) by those in power: Criticism of actions, Truth (that others wished to remain hidden), Alternative Viewpoints. They realized that a democracy could not long endure if potential candidates could be silenced before elections could take place.

Now, one of our improvements on the original thinking is the growing understanding that power also resides in locations other than our government: Corporations have power, Employers have power, Religions have power, even the Wealthy have power (although the Roberts Court seems intent on willfully ignoring this fact.) Protecting our ability to Speak Truth to Power, of bringing criminal activity to light, has led to a broadening of the sorts of speech that cannot be retaliated against. (Whistle-blower protections are a specific implementation that comes readily to mind.)

All of these thoughts have been rolling around in my mind as I've watched the unfolding brouhaha over the release, retraction, limited re-release of the movie “The Interview”. When Sony retracted the movie, many were shocked, claiming that it was a direct hit to artistic freedom, to free speech. Upon its limited re-release, many of those interviewed have acted like they are some sort of admirable patriot, standing up for freedom. I think they are wrong: Sony's actions vis-a-vis “The Interview” have nothing to do with freedom of speech. They have to do with ethics (or a lack thereof). An ethical person would not have made such a movie.

Have you ever noticed the disclaimer at the start of every work of fiction, or the end of every such movie? “The characters and events portrayed are fictitious, and any resemblance to actual persons or events is entirely coincidental...” By creating a work of fiction, artists are freed to explore actions that are taboo or criminal. By not tying the events or the characters to actual people, specific people are not called out, their reputations neither questioned nor harmed. Plus, there is a big difference between exploring the idea of killing an individual, with its attendant consequences, and writing about killing a specific, actual individual.

Here's where I have a beef with the movie and with the actions of those surrounding it. If someone were to text “I'm going to kill so-and-so”, we would not take that as something to be ignored under the guise of free speech. We would grow concerned, and probably call for a police investigation. If, upon investigation, the police uncovered detailed plans on how the first individual would carry out the deed, we would see that as proof of criminal intent, and call for prosecution.

I know. “The Interview” is not proof of Seth Rogen's intent to kill Kim Jong-un, nor proof that Mr. Rogen has murderous thoughts. But, by calling out a specific world-leader, rather than a fictitious entity, Mr. Rogen has made it ambiguous. Those of us who believe assassination to be a criminal act expect any movie exploring such themes to take them seriously, (the upcoming movie American Sniper appears to take this tack), or, if satirized, to at least fictionalize the story enough that we can tell the creator agrees with us.

We certainly wouldn't stand by if, for instance, Bollywood were to release a movie depicting (even comically) an attempted assassination of President Obama. It would be much easier to see that it has crossed a line, and is not the sort of movie we would like to see made.

Calling into question the ethics of “The Interview”, even motivating against its release (and hopefully, against anyone who would make such a movie in the future), is not an attack on either free speech or artistic expression. It is simply indicating that there should be ethics that are adhered to, that there is a gulf between speaking truth to power and depicting (attempted) violence against an actual person.

Agreed: The actions of the hackers were particularly ham-fisted and criminal, and I would like to explore that (and its fall-out) in a little more depth (later). But just because someone acted criminally to call out the stupidity of some speech doesn't make the speech any better, any more legitimate. “The Interview” is still perverse, and not anything that should have been said.

Monday, March 31, 2014

It Only Takes A Few Facts To Refute Paul Ryan

This article by Michael Hiltzik in the LATimes caught my eye. He very carefully lays out the evidence that private charity is not the solution to the widespread problems of the needy, that, in fact (spoiler alert!) giving to private charity falls just when it is needed most. Compounding that, giving to private charity is just as likely to be beneficial to the giver (think of giving to the school your child attends) rather than beneficial to someone less fortunate in society.


Our society built the social safety net when it was needed most due in large part to the failure of private charity to meet the needs of a society facing the worst and most prolonged depression in its history. It appears that we need to be reminded often of our history to avoid destroying our useful institutions and repeating the errors of our ancestors.


And, it is worth noting: men like Paul Ryan, having won the economic lottery, don't care about people in general, nor about maintaining those institutions that support them. Note how easily Hiltzik refutes Ryan's myths...leaving no doubt that Ryan says what Ryan believes will help Ryan, everyone else be damned.

Monday, October 14, 2013

Freedom vs. Technology

Quick: Which Amendment to the Constitution goes furthest in protecting our freedom?

Of course, there is no clear answer: The First, Fourth and Fifth all play a crucial role in maintaining that which we call freedom. The Fourth (unreasonable searches) and Fifth (self-incrimination) appear to be the most susceptible to changes from technology, and we are constantly forced to re-evaluate our stances and interpretation.

Every time we get an advance in electronic technology, it is easier for law enforcement to think, "Ah, what we could do to ferret out the criminals in our society!" However, there is usually a trade-off involving a loss of privacy for us, and it is these trade-offs that we constantly need to evaluate.

Very interesting article up at The New Yorker this morning concerning Lavabit's (Lavabit is a secure email service) brief to the 4th Circuit of Appeals to allow it to resurrect its secure email service. Lavabit was shut down by its owner and founder after the government asked that it 1) hand over its encryption keys 2) create an easily traceable system wherein every email could be used to identify sender and recipient.

While it is easy to think "but I don't do anything wrong, why should I care?" I think the analogy that the orders "constitute that a city give the police a key to every home in search of one man" places it in perspective. We routinely find criminals without going to such intrusive lengths, why should we trade our privacy? More importantly, we only have much to lose if we do so, with no proven gain to offset the loss.




Wednesday, April 24, 2013

Fun With Units (or I am 5.8 nanoseconds Tall)


The other morning over coffee my colleagues and I started talking about measurements, and it occurred to us that we could express our heights (or lengths) differently. All we needed were constants that would allow us to convert our commonly expressed height, in meters, into something else. Of course, we immediately thought of c, the speed of light in a vacuum, as one such constant.

Light is one of those intriguing things because its speed is a constant – no matter where you are in the universe, no matter how fast you are moving, within your (inertial) reference frame, you will always measure the same speed for light. This doesn't hold true for most other items that we measure: Sound, objects: the speed of each is always relative to our speed when we measure them. This makes light unique.

The International Bureau of Standards has defined the speed of light to be exactly 299,792,458 meters per second. As Neil deGrasse Tyson wryly observes* 'if improvements to our means of measuring the speed of light lead to refinements, it is the length of a meter that will change, not our expression for the speed'.

So, taking my commonly expressed height in meters and dividing by c, (meters per second), the meters cross out, and you are left with a value of just seconds. 1.74 meters / 299,792,458 meters / second gives us the value of 5.8 nanoseconds (billionths of a second). This represents the time it would take a photon of light to travel from my head to my feet (or how much older my feet are by the time I observe them with my eyes.)

But, is it valid to express my height thus? I think so. Light is the only entity that moves with constant speed, and, in recognition of this fact, we are constantly redefining our other expressions of measurement from the various facets of light (we use the number of wavelengths emitted by a cesium atom to determine time, for instance, emitted wavelengths being the inverse of the speed of light and the energy of the particular atom). So, although not common, expressing my height in seconds isn't ambiguous, which is what we would want to avoid.

It is also nice in that it gives us a reminder of just how fast light moves, but that it isn't instantaneous. We could apply this to other items as well: An average 6th grader is 5.1 nanoseconds tall, a 1st grader almost 4.1 nanoseconds. An Olympic Swimming pool is 167 nanoseconds, a soccer field twice that.
Hoover Dam is 221 meters tall, or 737 nanoseconds tall. So, the splashes of water you see while standing on top of the dam occurred, literally, 737 nanoseconds before you see them, and have already changed shape and location by the time you become conscious of them!

Henceforth, I am 5.8 nanoseconds tall – How tall (in seconds) are you?


* Tyson. 'Death By Black Hole and other Cosmic Quandaries'

Wednesday, April 17, 2013

Another Term?

I had an interesting conversation with a couple of co-workers today. We were discussing the potential for changes to our country's laws to eliminate the discrimination against gays and lesbians with regards to marriage.

Now, I've a long time felt that justice should be blind, and a blind application of our current marriage laws would not even ask the gender of the applicants – just the basics: Are you currently married? Are you of age? Do you consent? (Are you not too closely related?)

However, I've also felt that the term marriage is so embedded in our lexicon, in our society that we will have to continue to use it to describe the exclusive partnership that is two people coming together to share, care for and love each other. We will continue to go to the local government to obtain our Marriage License, we will still have the overseer of our ceremony sign the Marriage Certificate to show to all that we have publicly affirmed the required vows.

What was interesting in my co-workers' view was that the term marriage is not that central to our concepts: They maintained that the majority of America would be willing to jettison the term if it meant creating equality before the law for all. That instead of having marriage and 'skim milk' unions, we could simply (for the purposes of the law) replace 'marriage' with some other term, and re-write our current laws to eliminate the discrimination of asking the applicants if they represent one of each sex.

In this implementation, 'marriage' and 'wedding' would be non-legal terms reserved for use whenever and however people wished, but the set of laws that governed co-ownership, rights of survivorship, divorce, would collectively be referred to under a separate term – we would get a 'Legal Union' License, have a 'Legal Union' Certificate signed by the proper witness.

I find this intriguing for a couple of reasons. Number one, it eliminates the arguments of many that 'marriage' is something that cannot be defined by our democratic legal system; i.e., if we take 'marriage' out of the legal lexicon and no longer use it to refer to a set of laws, they cannot argue that we have redefined it or dirtied it, etc. Want to use 'marriage' to refer to something specific? Fine. Our laws don't recognize 'marriage' as a legal construct, so use it as you wish.

Second, I find it intriguing simply because I had not considered that it would be a possibility – that Americans were ready to remove the term from our legal system and simply move on. My co-workers give more credit to the ingrained fairness and lack of historical concern to our fellow citizens. So I am curious: Are they correct? Are we ready to just drop this whole affair, rename our laws, restore the veil of blindness to justice, and move on?

One of the unsolved points will be, of course, what terms do we use to refer to the collection of laws that currently govern the union of two individuals? I used 'Legal Union' above as place-holders only, not suggested replacements. One co-worker suggested we appeal to our Latin roots, and use terms such as 'Nodus' (Knot), Ligo (Bind), or perhaps (and our favorite): Caveo (Beware)!

Try them out! Does it work? Imagine our children going to City Hall to get their Nodus License, signing their Ligo Certificate, or perhaps, exchanging their vows in an elaborate Caveo Ceremony (after presenting their license and completing with the solemn signing of the Caveo Certificate.)

Are we ready for that? Is this really a simpler solution to moving forward towards Equality Before The Law with regards to two-person joinings? If we just sweep aside the freighted term, can we achieve the fairness we seek and believe we should give to every member of society?