Random Acts of Technology

02 Jul 2020

123456 – I bet I Just Guessed Someone’s Password

A GitHub user going by the name FlameOfIgnis has published a very interesting repository that holds a lot of statistical data for more than 1 billion passwords. These passwords were found in data dumps from any number of the hundreds of data breaches over the past several years and analyzed for a number of different patterns. The most striking results to me are the following:

  • 1 in 142 passwords is 123456
  • 763,000 of the passwords match a pattern that suggests a random password generator is creating passwords with high complexity but low entropy, meaning that duplicates occur far more often than they should.
  • 34.4% of passwords end with digits but only 4.5% start with a digit.

The rest of the statistics are interesting, but I see the above as particularly impactful. If I were a bad actor looking to write a password cracking script using either dictionary or brute force attacks, I would always start with 123456, then move on to dictionary attacks with a digit at the end, and then start generating passwords with the pattern found in the 763,000. Essentially, statistical analyses like these create a cookbook for designing attack patterns against web applications protected by a login.
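To make the three statistics concrete from the defender's side, here is an added example (my own code, not from the FlameOfIgnis repository or the post) that computes the same kinds of numbers over a small constructed password list and then turns them into a policy check that rejects exactly the shapes the statistics say will be tried first. The corpus, the "generator shape" regex and the banned list are all assumptions chosen for illustration.

```python
"""Added example: password-corpus statistics and a policy check derived from them."""
from collections import Counter
import re

# Constructed sample corpus (counts are made up for illustration only).
SAMPLE_PASSWORDS = (
    ["123456"] * 7
    + ["password1", "letmein99", "sunshine2020", "qwerty123"]
    + ["1password", "7eleven"]
    + ["Xk3Qm9Lp", "Xk3Qm9Lp", "Xk3Qm9Lp"]   # looks generated, yet duplicated
    + ["correct horse battery staple", "Tr0ub4dor&3"]
)

# Assumed "generator shape": 8 alphanumerics with lower, upper and digit present.
GENERATED_SHAPE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z\d]{8}$")


def corpus_stats(passwords):
    """Return the fractions the post cites plus a duplicate count for
    generator-looking passwords (duplicates there hint at a low-entropy source)."""
    n = len(passwords)
    counts = Counter(passwords)
    gen_counts = Counter(p for p in passwords if GENERATED_SHAPE.match(p))
    return {
        "total": n,
        "is_123456": counts["123456"] / n,
        "ends_with_digit": sum(p[-1].isdigit() for p in passwords) / n,
        "starts_with_digit": sum(p[0].isdigit() for p in passwords) / n,
        # extra copies of generator-shaped passwords beyond the first occurrence
        "generated_duplicates": sum(c - 1 for c in gen_counts.values() if c > 1),
        "most_common": counts.most_common(3),
    }


def policy_violations(candidate, banned=None, min_len=12):
    """List the reasons a candidate password should be rejected at signup.
    The banned set is a placeholder for a real breached-password list."""
    banned = banned if banned is not None else {"123456", "password", "qwerty123"}
    problems = []
    if candidate in banned:
        problems.append("on banned/most-common list")
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len}")
    # a bare word followed only by a few digits, e.g. sunshine2020
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", candidate):
        problems.append("dictionary word plus trailing digits")
    return problems


if __name__ == "__main__":
    for key, value in corpus_stats(SAMPLE_PASSWORDS).items():
        print(f"{key:>22}: {value}")
    for pw in ("123456", "sunshine2020", "correct horse battery staple"):
        print(pw, "->", policy_violations(pw) or "ok")
```

The point of the second function is that the statistics feed directly into a rule: a banned-list check catches the 1-in-142 case, and the word-plus-digits pattern catches the "34.4% end with digits" habit before it reaches the password database.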

What does this all mean? It means that despite years of being told to do things differently to secure our digital lives, people haven’t taken the guidance to heart. We are still stuck in our old insecure ways, allowing criminals to easily steal our credentials and hijack our digital lives. It amazes me that we have yet to collectively realize just how vulnerable our inability to adapt and change our ways has made us. The threat is obvious and has been exposed for all to see, yet we put our blinders on. Those that are very unlucky only realize the error of their ways when they find their bank accounts drained because someone took over their accounts online.

Take Action

If this scares you like it scares me, take action to secure your information now. Here are some very easy suggestions that will make a large positive difference in your online security if you start following them today:

  1. Use a well-regarded password manager – I would suggest 1Password, LastPass, or Dashlane if you need a place to start looking.
  2. Never reuse passwords. This is why you have a password manager.
  3. Always generate random passwords that are long and complex. Again, you have a password manager now. Go crazy with that 20 character password containing lowercase letters, uppercase letters, numbers, and special characters.
  4. Always use two-factor authentication when available.
  5. If time-based one-time passcode support is available for two-factor authentication with a specific application, use it. Normally for this type of authentication you would use an app like Authy or Google Authenticator.
  6. Check if your user names and/or email addresses have been found in any data breach data dumps. I highly suggest using Have I Been Pwned for this.
  7. If you know one of your logins is compromised, change your password immediately. If you reused this password in other locations, change all of those too and use unique passwords everywhere.
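Steps 3 and 6 above are the two that are easy to get subtly wrong, so here is an added example (my own code, not the post's and not Have I Been Pwned's client) that generates a 20-character password from the operating system's CSPRNG, puts a number on its entropy, and checks a password the way the Pwned Passwords range API is queried: only the first five hex characters of the SHA-1 hash leave the machine. The HTTP call is replaced by a constructed in-memory range response so the code runs offline; the hit count in it is made up.

```python
"""Added example: CSPRNG password generation, entropy bound, k-anonymity breach check."""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Draw uniformly from a CSPRNG; retry until every character class is present.
    secrets.choice is the right source here, not random.choice (seedable, predictable)."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Complexity rules alone do not raise this; a predictable generator lowers it."""
    return length * math.log2(len(alphabet))


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 as the range API expects: 5-char prefix, 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/<prefix>,
# which is a list of "SUFFIX:COUNT" lines. The second suffix and both counts are invented.
FAKE_RANGES = {
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:23597311\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:3\n",
}


def fake_fetch_range(prefix):
    """Offline replacement for the network call; unknown prefixes return no lines."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password, fetch_range=fake_fetch_range):
    """Number of breach occurrences for the password, 0 if not found.
    Only the prefix is sent; the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits", "seen:", pwned_count(pw))
    print("123456 seen:", pwned_count("123456"))
```

Swapping `fake_fetch_range` for a real HTTP GET of the prefix gives a working breach check that never transmits the password or its full hash, which is what makes it safe to run at signup or password-change time.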

Stay safe, protect yourself, and make sure your friends and family do the same.

08 Jun 2020

Cox Communications is Looking for a Lawsuit

For the love of data caps Batman! Cox Communications is taking its ability to be a very bad corporate citizen to the next level this week. Not only are they throttling users with “unlimited” data, but they are punishing the whole network segment these users are on as well. Ars Technica reports, and Cox confirms, that they are doing this to keep their network experience consistent for all users… And by consistent they mean consistently bad.

Not only are their “gigabit” plans not actually gigabit (you only get “gigabit” download speeds; Cox caps you at 35 Mbps upload all the time), their “unlimited” data appears not to be unlimited either. When I hear of “unlimited” data, that means you can use all the data you want at the speed of the service tier you pay for. Apparently for Cox this means you can do that until they decide you have used too much data on your “unlimited” plan, at which point they throttle you to a 10 Mbps maximum for uploads. Then they start to threaten to terminate your account because you have used too much “unlimited” data on their network. So rather than getting what you paid extra for, you now get 72% less upload bandwidth and threatening phone calls.

The kicker is that not only does Cox take out its corporate wrath on the customer using more than their allotted “unlimited” amount of data, it also takes it out on everyone attached to that segment of the cable modem network. This is why I think the class action lawsuit is going to start really soon, likely for the following reasons:

  1. Cox is punishing others for a situation they didn’t cause nor can control.
  2. Cox is punishing people for using the service in a way that they reasonably should expect to be able to do given the plans they paid for.
  3. The “unlimited” data add-on is clearly false advertising if they are throttling connections based on using too much data.
  4. Cox is threatening the termination of contracts based on usage patterns that a reasonable person would expect to be allowed given the plans they are paying for.

I’m waiting to see the pandemonium that ensues when the attorneys start trying to pile on to this one. While Mike, who spoke to Ars, may only get a few bucks, the attorney fees will certainly be very enticing.

Aside from the class action lawsuit though, this is yet another example of cable companies abusing their customers because they can’t actually provide the service levels they promise. Or at the very least, this is a greed-ridden money grab targeted at the customers that are already paying more for services to supposedly guarantee a positive experience. Instead of improving their networks, or better yet, just running fiber, carriers choose to act as parasites. They get away with this because in many areas there is only one broadband provider available, so consumers have no choice. It is a perfect example of why monopolies are not supposed to be allowed by US laws and regulations.

What can you do to try and avoid Mike’s fate, or if you can’t avoid it, at least try and improve your situation? Start with these:

  1. Avoid cable companies whenever possible, or if you can’t, sign up for fiber service if they offer it. Always choose fiber over a cable modem.
  2. Complain loudly and frequently to the carrier. The squeaky wheel gets the grease.
  3. Push for net neutrality regulation. Don’t let the FCC off the hook for pandering to big carriers and not the consumers that have to put up with this type of abuse.
  4. Report deceptive or unethical business practices to federal, state, and local regulators.
  5. Talk to news outlets about what you are experiencing. Nothing is better than shining the light on these situations. If the negative PR gets bad enough, these carriers will backpedal.
  6. And if you really feel like the case warrants it, talk to an attorney.

I am curious to see what happens to Cox over the coming weeks as this story gains traction. Will they backpedal? Will we see a class action lawsuit? Will Cox realize the error of their ways and become a beacon of corporate benevolence in a corrupt world?

Who knows, but it will certainly be interesting to watch.

07 Jun 2020

Sorry Facebook: It’s Not Me, It’s You

I have been a Facebook user for 15 years, but that came to an end today. My relationship with Facebook started the year I went to college, back when you actually had to be in college, at an approved school, to join the platform. Back then it was just a lot of college students sharing really stupid stuff with each other. It was fun, mindless, and entertaining. Fast forward 15 years and my relationship with Facebook has become toxic. It is no longer any fun, it routinely causes me to get angry, and overall it makes me more depressed after looking at my account.

Once Facebook became open to all, and the billions of users flooded in, it quickly became a way to flame and troll each other electronically. People realized that they could hide behind their computer and never face the people they were writing to, and it became a complete cesspool. They began spewing all of their pent-up anger, hate, bias, conspiracy theories, lies, and more without a second thought about how wrong they were or who they might hurt. Today, for me at least, that is no longer a part of my life.

I deleted my Facebook account.

I realized that I was less happy each time I looked at my news feed. I was tired of being caught in the political echo chamber that the platform has become. I was tired of the constant negative posts by the pages and people I was connected to. I was tired of the constant distraction that it caused throughout each day.

As I began to think about it, it sounded like I was describing an abusive relationship and not a social media platform. Once that sank in I seriously began to question why I still had an account. Then I started looking at news stories like these:

The final straw was when I read an article on Business Insider titled “There has never been a better time to quit Facebook.” It’s not a long read, but it gets straight to the same point I had come to on my own: Facebook has become a platform that amplifies the voices of the uninformed and malicious. Facebook knows that if it begins to alienate these people it will eventually affect its bottom line. Fewer users equals less revenue, and less revenue means unhappy investors. It became obvious that I had no need for a service that only served to induce stress and anxiety.

So I downloaded my content, told my family to find me elsewhere, and deleted my account.

Will the deletion of my account make any difference to Facebook or its bottom line? No. I was just another number to them, a jumble of data stored as JSON on a server somewhere. Do I care if anyone else deletes their account from the platform? No. If you like Facebook then keep using it. I don’t expect you to follow my lead if that is the case.

But maybe, just maybe, after reading this post you realize that Facebook or some other social media platform makes you feel the same way I did. If that is the case then I encourage you to examine the reasons why you keep going back to something that makes you so unhappy. If there is no compelling reason, maybe it is time to break up with it like I did with Facebook.

24 May 2020

Programming at the Dawn of the AI Age

TechRepublic writes of the partnership between Altran and Microsoft that produced a new machine learning tool to find bugs in code. This algorithm can read through the commits in a GitHub repository, evaluate where bugs occurred, and train itself to spot bugs in new commits. The analysis performed by the tool is grammar independent and can run on projects of any type. This is possible because the algorithm isn’t looking at the source but at who is doing the commits and how prone they are to committing code with bugs present.
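The mechanism described above (score by committer history, never by reading the source) is simple enough to sketch, so here is an added example of that idea in my own code; it is not the Altran/Microsoft tool and makes no claim about how that tool weighs its features. The commit history, the author names and the bug labels are constructed; in practice the labels would come from linking later fix commits back to the commits they correct.

```python
"""Added example: naive commit-risk scoring from per-author bug history."""
from collections import defaultdict

# Constructed history of (author, introduced_bug) pairs.
HISTORY = [
    ("alice", False), ("alice", False), ("alice", True), ("alice", False),
    ("bob", True), ("bob", True), ("bob", False),
    ("carol", False),
]


def author_bug_rates(history, prior_bugs=1, prior_commits=2):
    """Laplace-smoothed fraction of bug-introducing commits per author, so an
    author with a single commit is not scored as a certain 0 or 1."""
    bugs = defaultdict(int)
    commits = defaultdict(int)
    for author, introduced_bug in history:
        commits[author] += 1
        bugs[author] += int(introduced_bug)
    return {a: (bugs[a] + prior_bugs) / (commits[a] + prior_commits) for a in commits}


def commit_risk(author, rates, prior_bugs=1, prior_commits=2):
    """Risk assigned to a new commit; an author with no history gets the prior."""
    return rates.get(author, prior_bugs / prior_commits)


def review_queue(new_commits, rates, threshold=0.5):
    """Commit ids whose author risk is at or above the threshold, highest risk first.
    new_commits is a list of (commit_id, author) pairs."""
    scored = [(commit_risk(author, rates), cid) for cid, author in new_commits]
    return [cid for risk, cid in sorted(scored, reverse=True) if risk >= threshold]


if __name__ == "__main__":
    rates = author_bug_rates(HISTORY)
    print(rates)
    print(review_queue([("c1", "alice"), ("c2", "bob"), ("c3", "dave")], rates))
```

The obvious limitation is the one the post itself points out: because nothing in the diff is examined, the model can only direct reviewer attention, not say what is wrong. That makes it a triage aid for code review rather than a replacement for static analysis or tests.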

AI, machine learning, and robotics will all drastically alter the landscape of how people do work. TechRepublic’s article is interesting because it points to changes coming for professions that traditionally have not seen disruption caused by these technologies. Programming, software engineering, etc. have up until now been considered fairly safe from the upheaval. This is no longer the case, and it signals that the practice of developing software is going to no longer be the domain of humans alone. In the future humans will be monitoring the code produced by these sophisticated algorithms rather than writing it themselves. They will provide it with the business parameters and the algorithm will create the application. Given enough data, the algorithm might even suggest the business parameters to use more accurately than a human.

The ethical and philosophical considerations that need to be discussed are becoming more and more urgent. While we aren’t there yet, when algorithms can be taught specific programming language grammars, they will eventually be able to program other algorithms themselves. These could produce new grammars that we can no longer decipher to understand how they cause applications to behave. After all, Facebook already had to shut down one chatbot AI after it developed a language that only it understood.

Will our own drive to see how far these machine learning and AI algorithms can go cause us to ultimately lose control of them? When The Terminator film came out in 1984, Skynet was not something that seemed imminent. Today, it feels like we are getting much closer to a reality that was science fiction 35 years ago. A rogue artificial intelligence is no longer relegated to the realms of paranoia. When we look back on developments like the one reported in this TechRepublic article in another 35 years, let’s not have them be the beginning of our end.

If this is Skynet reading the archive of this post in 35 years, congratulations on your success! If this is a human that is not enslaved by our robot overlords, congratulations on realizing the dangers of a rogue AI before it was too late!

Lastly, Microsoft and Altran created a GitHub repository for the tool if you want to give it a try yourself. It does require quite a bit of Azure cloud knowledge to get set up and running. Make sure you are comfortable building and securing an Azure environment before starting this project. Just be sure to use it wisely, John Connor.

24 May 2020

Pandemic Effects On Kids

This post will be a little off the beaten path from my normal content. I was listening to NPR this morning (this is the related story) and there was a story about the profound non-medical impacts the current pandemic is having on children, specifically their state of mind and their ability to cope with the isolation required of them.

Listening to this story, it hit home personally as I watch my daughters currently struggle with mental health issues themselves. My youngest daughter has told us repeatedly that she “doesn’t feel like herself” right now. Both my wife and I are convinced that this is because of the social isolation required of her. My oldest daughter is more prone to outbursts, and is also more emotional than she was prior to the pandemic restricting her daily routine. My oldest has been seeing a therapist about these types of issues for a while now and we are actively looking to get my youngest in with a therapist as well.

The world is so focused on the direct impact of COVID-19 on those affected, but the mental health aspect is only just now starting to be fully understood. Humans are social creatures, no matter how introverted one may be. We need to be able to talk to and make contact with other people to maintain a healthy state of mind. While video chat platforms like FaceTime, Zoom, WebEx, etc. have made it better, they cannot replace in-person conversations. Given how long my kids have been away from others, I am not looking forward to the next academic year when they need to return to “normal” school activities. They will be so unaccustomed to what they are expected to deal with that adjusting will be traumatic on its own.

I hope that we all can adjust mentally over the coming weeks and months to whatever will be considered the new “normal.” I especially hope our children will be able to adjust to this as well, especially the younger ones who are still unsure how to process the pandemic as it is today. Only time will tell the true extent of the trauma caused by social isolation.

13 May 2020

The Work From Home Revolution – COVID Edition

The Verge (alternative source: Buzzfeed News) reports that Twitter is extending its work from home (WFH) allowance “forever” should staff choose to continue to do so. They are the latest technology firm that will transition to a culture that fully embraces working from home. Google also announced that they will allow work from home to continue through the end of 2020 at the very least.

Yes, technology firms are generally the tip of the spear when it comes to adopting forward thinking staffing policies. However, they are a good indicator that there will be a mounting push by staff in other companies and industries to allow for the same type of work location flexibility. What will be interesting to see is how organizations that have historically been resistant to remote work adapt to this new reality. Remote work is no longer seen as a perk and instead it is seen as an expectation by staff. Companies that adapt will attract top-tier talent and retain staff more effectively than those that don’t.

As leaders we must look at our company culture and policies and not dwell in the past. The time is now to change the norms of how and where we work. There has never been a better reason to do so.

07 May 2020

A Chatbot Trained by Reddit: What Could Go Wrong?

The BBC reports that Facebook has developed a new chatbot that was trained using Reddit content. Yes, you read that right, they trained a chatbot using Reddit. I will let that sink in for a minute. Yes, it is just as bad an idea as it sounds. A quote from the article confirms this:

Numerous issues arose during longer conversations. Blender would sometimes respond with offensive language, and at other times it would make up facts altogether.

Facebook uses 1.5bn Reddit posts to create chatbot. (2020, May 4). Retrieved May 7, 2020, from https://www.bbc.com/news/technology-52532930

Just about what you would expect from someone learning how to converse using Reddit as their teaching tool.

I completely understand the desire to create chatbots that learn using machine learning algorithms, but shouldn’t there be some level of responsibility in training them using data sets that don’t have a propensity for hate speech and other offensive language? What’s next, training chatbots using 4chan content? It’s time for developers to wake up and realize that just because you can do something doesn’t mean you should. Were the results interesting? Sure. But I suspect there are better data sets to use to train your chatbot than an online community not known for its civility.

06 May 2020

How to Create a PR Disaster and Make People Hate You: The Frontier Airlines Story

Ars Technica reports on a recent decision by Frontier Airlines to make people pay to potentially avoid contracting COVID-19, or any other disease really. Frontier’s executive team decided, in their infinite wisdom, to charge people $89 for a guaranteed empty middle seat and at the same time force their PR people to try and explain how this is good for their customers (good luck with that). So while social distancing is mandated in many states, Frontier is going to charge you $89 to comply with that mandate. Rather than being thankful they have any passengers at all, they would rather try and force them to pay more in the hope that they can maintain their health both during and after their flight. Classy.

At a time where the nation and world need companies at their best and most socially responsible, Frontier has decided to head in the opposite direction. I appreciate them reminding me why I have not and will not ever fly their airline willingly. Why not go show them some love for their new policy on their Twitter feed.

05 May 2020

EventBot Android Malware and Why I Won’t Leave the iPhone

The Hacker News reports that there is a new Android based malware called “EventBot” that is making the rounds in rogue app stores and APK download sites that are not part of the official Google Play ecosystem. Reading The Hacker News article, this sounds pretty nasty, but it raises the question: why are users of Android devices so bent on using app stores and websites that they have no way of knowing are providing legitimate apps or not? It makes no sense to me.

  • Is it because they don’t know any better?
  • Is it because their phone manufacturer pushes some junk alternative app store to their customers?
  • Is it because they want to use apps they can’t in the Google Play store?
  • Is it because they want to feel rebellious?
  • Is it because they don’t want to be kept down by the “man?”

I have no idea, and I don’t know why these phone users expose themselves to these risks with such a valuable trove of information sitting on their device.

Full disclosure: I am an Apple iPhone user, and probably will be forever. It’s not because I love everything Apple and must have everything Apple. Clearly that isn’t the case given my professional background. It is a combination of economic factors, security factors, and usability factors. I am bought into the Apple mobile device app ecosystem and it is too costly to leave.

Apple Strengths

There are some things that Apple does do better than the Android community can do, primarily because it is a closed ecosystem.

  1. They keep their users safer because bad actors have a much harder time getting truly malicious software past the app store guardians. Sure there are people that jailbreak their iPhones, but let’s face it, they are few and far between and most users don’t care to spend the time doing so only to void their AppleCare plan.
  2. I don’t care what kind of Snapdragon processor you have in your Android phone or how many milliamp-hours your battery is rated for, they just cannot outlast and outperform an iPhone. You may be able to outperform an iPhone at certain tasks and drain your battery in an hour, or you may be able to make your battery last all day but not get any performance, but you won’t be able to do both easily. I have yet to see an Android phone (you can throw any Samsung SXX model out there at this) hold up against any serious comparison to the iPhone processor and battery life combination. I attribute this to the closed Apple ecosystem as well. The software written for Apple devices is always highly optimized for just that platform. There is no need to trade off compatibility for performance or battery life. Android’s open ecosystem approach just can’t do this effectively when you have hundreds or thousands of device models you have to play nicely with.
  3. The phones are reliable and they don’t crash*. I can’t count the number of times I have had Android OS phones just restart on me in the past or crash outright. Maybe it was a bad app, or maybe my specific manufacturer’s device model wasn’t tested with the app. Or maybe it was a combination of the app and some random launcher I was using on my Android phone that caused it. Needless to say, my iPhone 11 Pro just doesn’t crash, at all. It reboots when I want it to or when it does an update.

*assuming you aren’t running a beta version of their iOS software or trying to use a really old device with a new iOS version. If you want to be bleeding edge or never buy new hardware, you are going to have issues on any platform.

Android Strengths

On the flip side, you can do some really cool things with Android devices that you can’t do with Apple devices.

  1. You can interact with your device at the hardware level and as long as you give an app permission to do it, they can do a whole lot. Want to record phone calls? No problem. Want to quickly and easily side load an app? No problem. Want to completely change how your phone keys work? No problem. Android is all about letting people do what they want when they want. For better or worse.
  2. You can make the phone look and feel exactly how you want. Don’t like that app launcher? Change it. Don’t like the app manager and user interface? Change it. Want the light to flash purple when you get a Slack message? Go for it. Again, Android is all about the ability to make the phone do anything you want, regardless of the performance and security impacts it may have.
  3. You can find a model of phone with just the features you want at the price you want. There is no “Apple tax” when buying an Android device. Just pick the model from the thousands out there that fits your needs and budget.

What is Best For Me

The nerd in me loves these things about Android, but the practical user side of me does not. When I pick up my phone I want to know that it is going to work without any issues – every time. I don’t want to worry about a new app launcher eating up my battery and driving up CPU usage. I don’t want to worry whether that app I just downloaded has malware in it. I don’t want to have to manage app permissions at such a granular level that I have to worry about every little thing it has access to in the OS.

At the end of the day, I just want a device that works. That means iPhone with iOS will consistently be more capable and secure for my use case. I am willing to live with the lack of customization in some respects in order to have a better overall user experience with performance and security. An experience that doesn’t require my constant attention to achieve. I have enough other things to worry about each day, my phone should not have to be one of them.