Random Acts of Technology


Microsoft Linux: Maybe Someday

Jack Wallen over at TechRepublic has a new thought-provoking article out about why Microsoft should replace its Windows core with Linux. Basically, the argument goes that if Microsoft is intent on making open source a priority and investing in Windows Subsystem for Linux (WSL), why not go all in and move Windows over to the Linux kernel? After all, that would unify their cloud strategy, desktop strategy, development strategy, and server strategy around one software stack.

While I think this makes a lot of sense from an IT and infrastructure perspective, it may not be all that easy in practice. The investment Microsoft has in the Windows kernel, across desktop and server, is significant and runs deep. Simply throwing that investment away and moving to the Linux kernel would require a serious ROI to overcome decades of sunk cost.

There is also the issue of control: Microsoft likely finds it nice to have complete control over the operating environment. Control allows Microsoft to build complementary software that is essentially guaranteed to work exactly the way they want it to when running on their OS. Moving to the Linux kernel, along with an open source desktop environment on top of it, means Microsoft now has to play in the sandbox with many others. Some changes may not be in their best interest as development on these projects continues. Since Microsoft would not have direct control of the projects, it won’t be up to them whether or not changes are approved.

Lastly, I continue to take issue with the notion that Linux is somehow the magic security pill that all end users and organizations need running on their desktops. The reality is that Linux is really no more secure than Windows, as an article on Tech Radar by Darren Allan pointed out earlier in 2020. Linux is perceived to be more secure because it is still not widely used outside of IT departments, academic institutions, and software developers. Find me a significant number of people who work outside of a technical field and run Linux on their desktop, and then maybe I will change my tune.

Imagine if an additional billion-plus devices all started running the Linux kernel. Do you think malware and ransomware authors might take more interest in attacking the operating system? If Microsoft were to create “Microsoft Linux”, this is exactly what would happen, and the notion that Linux is so secure would start to fall out of favor. All it would prove is that the idea of Linux being more secure was born in a bygone era: an era before Windows had a fully developed file system permissions structure and the ability to restrict certain operations to privileged users.

So while I love the idea of Microsoft moving all of their software and servers to Linux, it just doesn’t seem likely. I think they are very happy developing and integrating WSL into their current Windows software stack. This lets them and their customers do whatever they would like in Linux while Microsoft retains control of the core components of the OS. Microsoft can say they love open source software and contribute to the projects they like while not ceding any control of their OS to other developers.

Maybe some day there will be complete harmony among all operating systems. So long as there is a financial incentive to maintain them separately, it won’t happen. I also don’t think Microsoft is at a point where they are willing to give control of the kernel and desktop environment to anyone. At that point they might as well keep developing what they have now; forking the projects means Microsoft would be doing just as much work to maintain the functionality as they are now.


Blockchain: Still Vaporware for Most

Jesse Frederik wrote a nice article over at The Correspondent which sums up what most of us in the technology space have been thinking for a long time: that blockchain technology is one of the most over-hyped technologies of the past decade or so. While the article is a little light on the technical details of blockchain concepts, its point is valid. Point to a situation outside of a cryptocurrency where blockchain technology is being used and where the job could not have been done just as easily by an existing technology. Not only that, but the existing technology is likely higher performing and easier to maintain. Ultimately, I think Ehud Gavron over on Slashdot sums up the challenge of blockchain not fitting well into most applications with his comment, written in the style of a press release:

Available immediately:
– new database
– stores records forever
– no purging of old records, obsolete records
– guaranteed to grow in size forever
– can’t edit records
– sequential processing with complex calculations so it’s not Order(1) or O(n) or even O(n^x) but a complex polynomial that grows by yet another O(n^y) each time another entry is added
– guaranteed to always get slower over time — it’s the nature of cumulative calculations to verify the data each and every time it’s accessed

Ehud Gavron via Slashdot

Some of the facets of blockchain are quite handy, such as not being able to modify a record once it has been written. Immutable records are very handy when it comes to transactional ledgers or document custody chains. The issues really start to come in when you can’t prune records off the end of the chain, when you need to find more and more systems to be peers to verify the chain, and when the number of transactions being processed hits the millions or billions per day. It no longer makes sense to bother with blockchain; you may as well go back to a tried-and-true data storage methodology where you can set field-level permissions on data, prune data when needed, and not require substantial processing power to verify every transaction.
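To make the two properties discussed above concrete (records that cannot be rewritten without detection, and a verification cost that grows with the length of the chain), here is a minimal hash-chained ledger. This is an added illustration written for this post, not code from any blockchain project; the ledger entries, the `Block` structure, and the `tamper` helper are all constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str   # digest of the previous block; links the chain
    payload: dict    # the record itself (constructed sample data below)
    digest: str      # SHA-256 over (index, prev_hash, payload)


GENESIS_PREV = "0" * 64


def _hash_block(index: int, prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical records hash identically.
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append(chain: List[Block], payload: dict) -> List[Block]:
    """Return a new chain with `payload` appended; existing blocks are never edited."""
    index = len(chain)
    prev_hash = chain[-1].digest if chain else GENESIS_PREV
    return chain + [Block(index, prev_hash, payload, _hash_block(index, prev_hash, payload))]


def verify(chain: List[Block]) -> int:
    """Re-hash every block from genesis forward.

    Returns the number of hashes computed (equal to the chain length) on success and
    raises ValueError at the first inconsistency. Returning the work count makes the
    point of the post visible: every verification walks the whole chain.
    """
    expected_prev = GENESIS_PREV
    work = 0
    for i, block in enumerate(chain):
        work += 1
        if block.index != i or block.prev_hash != expected_prev:
            raise ValueError(f"link broken at block {i}")
        if _hash_block(block.index, block.prev_hash, block.payload) != block.digest:
            raise ValueError(f"digest mismatch at block {i}")
        expected_prev = block.digest
    return work


def tamper(chain: List[Block], index: int, payload: dict) -> List[Block]:
    """Constructed scenario: rewrite one historical record and even recompute its
    own digest, but leave every later block as it was."""
    edited = list(chain)
    b = edited[index]
    edited[index] = Block(b.index, b.prev_hash, payload,
                          _hash_block(b.index, b.prev_hash, payload))
    return edited


def demo() -> dict:
    chain: List[Block] = []
    # Constructed sample ledger: a document moving through custody states.
    for i in range(5):
        chain = append(chain, {"doc": f"contract-{i}", "state": "signed" if i % 2 else "draft"})
    work = verify(chain)
    tampered = tamper(chain, 2, {"doc": "contract-2", "state": "signed"})
    try:
        verify(tampered)
        detected = False
    except ValueError:
        detected = True
    return {"length": len(chain), "verify_work": work, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

The tampered record carries a valid digest of its own, so it is the next block's `prev_hash` that exposes the edit; rewriting one record silently means rewriting every block after it, which is the immutability the post praises. The same loop is also the cost it criticizes: `verify` does work proportional to the chain length on every call, and nothing here lets you prune old blocks without breaking the links.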

Don’t get me wrong, I think blockchain has a role to play in the future of data transmission and the management of the chain of custody for electronic records. Being able to track a contract document from creation to full execution, where all parties agree it is in the correct state, is very valuable. However, many people think that something with “blockchain inside” must be better than something without it baked in. Others, like the town mentioned in Jesse’s article, go so far as to ignore the developers of an app when they try to tell them they are not using blockchain. After all, how could they tout how advanced they are if it is just some old-fashioned database application?

In the end, the moral of the story is to use the right technology for the problem, not to try to make the problem fit the technology. Blockchain isn’t magic, it won’t solve all your problems, and when your technology staff tell you it isn’t needed to solve a business problem, listen to them. When blockchain is the right answer, they will let you know.


Credit Card Fraud: It’s a Thing

Brian Krebs has a great piece over at his Krebs on Security blog about “…Why Credit Card Fraud is Still a Thing.” The answer can be summed up in just a few words: the United States lags behind in adopting security standards the rest of the world has long since adopted.

The article is an analysis of a recent paper by Maxwell Aliapoulios, Cameron Ballard, Rasika Bhalerao, Tobias Lauinger, and Damon McCoy over at New York University that delves into the seedy underground of dark web data markets. Based on the data analyzed, the researchers found that

Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

Source: NYU

The authors then go further to state

Even multiple years into the U.S. EMV chip deployment, the supply of stolen magnetic stripe data continued to increase sharply.

Source: NYU

This suggests that in the US there are still far too many merchants that either are not requiring the use of chip and PIN or have simply not bothered to implement the capability to use it at all.

As the paper goes on, it is clear that buyers value magnetic stripe data significantly more so long as the data is fresh. However, after the first six weeks of the data being available, its value drops well below that of chip and PIN card data. In contrast, chip and PIN card data does not fetch the early premium that magnetic stripe data does, but it retains a more consistent value over the long term. International account data is also valued more highly than US account data, especially data from Spain, Germany, and France. This suggests that the illicit data buyers see issuing financial institutions in these countries as less likely to disable the cards in the short term than FIs in other countries.

Further on in the analysis, the authors reach a crucial conclusion about US card issuers:

From 2016 to 2018, however, the median remaining lifespan of non-EMV accounts increased by about 100 days; the non-EMV population was getting younger, whereas EMV accounts aged by the same amount. This suggests that new non-EMV cards continued to be issued after the liability shift.

Source: NYU

This leads me to believe that there is a major issue with how the card networks, like VISA, MasterCard, and others, have structured their penalties for non-compliance. There have been too many exemptions and extensions for merchants that don’t need to comply with the EMV mandates. This in turn disincentivizes financial institutions from disallowing fallback to mag stripe for transactions, which makes more mag stripe data available via skimmers, where if people were using chip and PIN they would not have been compromised.

It’s a vicious cycle and we need to put an end to it. The industry needs to enforce compliance across all merchant categories, and financial institutions need to disable fallback to mag stripe. If this doesn’t happen soon, there is no end in sight for these types of data black markets.

If you want to read the article you can download a copy here.


123456 – I Bet I Just Guessed Someone’s Password

A GitHub user going by the name FlameOfIgnis has published a very interesting repository that holds a lot of statistical data for more than 1 billion passwords. These passwords were found in data dumps from any number of the hundreds of data breaches over the past several years and analyzed for a number of different patterns. The most striking results to me are the following:

  • 1 in 142 passwords is 123456
  • 763,000 of the passwords match a pattern that suggests a random password generator is creating passwords with high complexity but low entropy, meaning duplicates occur far more often than they should.
  • 34.4% of passwords end with digits but only 4.5% start with a digit.

The rest of the statistics are interesting, but I see the above statistics as particularly impactful. If I were a bad actor looking to write a password cracking script using either dictionary attacks or brute force attacks, I would always start with 123456, then I would move on to dictionary attacks with a digit at the end, and then I would start generating passwords with the pattern found in the 763,000. Essentially, statistical analyses like these create a cookbook for designing attack patterns against web applications protected by a login.
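The three findings quoted above are easy to reproduce on your own data, which is how a defender would use them: run the same measurements over a breach dump that names your domain, or over a password list your own systems reject or accept, and see how close you are to the numbers. The script below is an added example written for this post; it is not the FlameOfIgnis repository's code, and the twenty-line password list is constructed for the demonstration. The "generator" heuristic (twelve or more characters drawn from all four character classes, yet appearing more than once) is my own approximation of the high-complexity, low-entropy pattern the post describes.

```python
import re
from collections import Counter
from typing import Dict, Iterable

TOP_PASSWORD = "123456"
ENDS_WITH_DIGITS = re.compile(r"\d+$")
STARTS_WITH_DIGIT = re.compile(r"^\d")

# Constructed sample "dump", one password per line. Deliberately includes repeated
# simple passwords and repeated complex-looking ones (a weak generator leaves duplicates).
SAMPLE_DUMP = """123456
password1
123456
summer2020
Abc!2345XyzQ
letmein
Abc!2345XyzQ
1qaz2wsx
Tr0ub4dor&3
hunter2
5Kj#pL9q!Rm2
correcthorse
123456
qwerty123
5Kj#pL9q!Rm2
iloveyou
Zx9$Qw2!Lp8R
admin2019
7up
dragon"""


def looks_generated(pw: str) -> bool:
    """Heuristic (assumption): long and using all four classes, as a generator would produce."""
    return (len(pw) >= 12
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def audit(passwords: Iterable[str]) -> Dict[str, float]:
    """Measure the patterns from the post over a list of plaintext passwords."""
    pws = [p.rstrip("\r\n") for p in passwords if p.strip()]
    n = len(pws)
    if n == 0:
        raise ValueError("no passwords to audit")
    counts = Counter(pws)
    # Distinct complex-looking passwords that nevertheless occur more than once:
    # complexity without entropy, the signature of a weak generator.
    complex_dupes = sum(1 for pw, c in counts.items() if c > 1 and looks_generated(pw))
    return {
        "total": n,
        "is_123456_rate": counts[TOP_PASSWORD] / n,
        "ends_with_digits_rate": sum(1 for p in pws if ENDS_WITH_DIGITS.search(p)) / n,
        "starts_with_digit_rate": sum(1 for p in pws if STARTS_WITH_DIGIT.search(p)) / n,
        "duplicate_rate": sum(c - 1 for c in counts.values()) / n,
        "complex_duplicates": complex_dupes,
    }


def audit_sample() -> Dict[str, float]:
    return audit(SAMPLE_DUMP.splitlines())


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key:>24}: {value}")
```

The figures to compare against the post are `is_123456_rate` (1 in 142 is about 0.007), `ends_with_digits_rate` (34.4%) and `starts_with_digit_rate` (4.5%); a non-zero `complex_duplicates` on a list that should contain only generated passwords is the signal that the generator, not the users, is the problem. The same `looks_generated` and `ENDS_WITH_DIGITS` checks can be reused in a registration-time policy to reject the most predictable shapes.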

What does this all mean? It means that despite years of being told to do things differently to secure our digital lives, people haven’t taken the guidance to heart. We are still stuck in our old insecure ways, allowing criminals to easily steal our credentials and hijack our digital lives. It amazes me that we have yet to collectively realize just how vulnerable our inability to adapt and change our ways has made us. The threat is obvious and has been exposed for all to see, yet we put our blinders on. Those that are very unlucky only realize the error of their ways when they find their bank accounts drained because someone took over their accounts online.

Take Action

If this scares you like it scares me, take action to secure your information now. Here are some very easy suggestions that will make a large positive difference in your online security if you start following them today:

  1. Use a well-regarded password manager – I would suggest 1Password, LastPass, or Dashlane if you need a place to start looking.
  2. Never reuse passwords. This is why you have a password manager.
  3. Always generate random passwords that are long and complex. Again, you have a password manager now. Go crazy with that 20-character password containing lowercase letters, uppercase letters, numbers, and special characters.
  4. Always use two-factor authentication when available.
  5. If time-based one-time passcode support is available for two-factor authentication with a specific application, use it. Normally for this type of authentication you would use an app like Authy or Google Authenticator.
  6. Check if your user names and/or email addresses have been found in any data breach data dumps. I highly suggest using Have I Been Pwned for this.
  7. If you know one of your logins is compromised, change your password immediately. If you reused this password in other locations, change all of those too and use unique passwords everywhere.

Stay safe, protect yourself, and make sure your friends and family do the same.


Cox Communications is Looking for a Lawsuit

For the love of data caps Batman! Cox Communications is taking its ability to be a very bad corporate citizen to the next level this week. Not only are they throttling users with “unlimited” data, but they are punishing the whole network segment these users are on as well. Ars Technica reports, and Cox confirms, that they are doing this to keep their network experience consistent for all users… And by consistent they mean consistently bad.

Not only are their “gigabit” plans not actually gigabit (you only get “gigabit” download speeds; Cox caps you at 35 Mbps upload all the time), their “unlimited” data appears not to be unlimited either. When I hear of “unlimited” data, that means you can use all the data you want at the speed of the service tier you pay for. Apparently for Cox this means that you can do that until they decide that you have used too much data in your “unlimited” data plan, and then they throttle you to 10 Mbps maximum for uploads. Then they start to threaten to terminate your account because you have used too much “unlimited” data on their network. So rather than getting what you paid extra for, you now get 72% less upload bandwidth and threatening phone calls.

The kicker is that not only does Cox take out their corporate wrath on the customer using more than their allotted “unlimited” amount of data, they also take it out on everyone attached to that segment of the cable modem network. This is why I think the class action lawsuit is going to start really soon, likely for the following reasons:

  1. Cox is punishing others for a situation they neither caused nor can control.
  2. Cox is punishing people for using the service in a way that they reasonably should expect to be able to do given the plans they paid for.
  3. The “unlimited” data add-on is clearly false advertising if they are throttling connections based on using too much data.
  4. Cox is threatening the termination of contracts based on usage patterns that a reasonable person would expect to be allowed given the plans they are paying for.

I’m waiting to see the pandemonium that ensues when the attorneys start trying to pile on to this one. While Mike, who spoke to Ars, may only get a few bucks, the attorney fees will certainly be very enticing.

Aside from the class action lawsuit though, this is yet another example of cable companies abusing their customers because they can’t actually provide the service levels they promise. Or at the very least, this is a greed-ridden money grab targeted at the customers that are already paying more for services to supposedly guarantee a positive experience. Instead of improving their networks, or better yet, just running fiber, carriers choose to act as parasites. They get away with this because in many areas there is only one broadband provider available, so consumers have no choice. It is the perfect example of why monopolies are not supposed to be allowed by US laws and regulations.

What can you do to try and avoid Mike’s fate, or if you can’t avoid it, at least try and improve your situation? Start with these:

  1. Avoid cable companies whenever possible, or if you can’t, try to sign up for fiber service if they offer it. Always choose fiber over a cable modem.
  2. Complain loudly and frequently to the carrier. The squeaky wheel gets the grease.
  3. Push for net neutrality regulation. Don’t let the FCC off the hook for pandering to big carriers and not the consumers that have to put up with this type of abuse.
  4. Report deceptive or unethical business practices to federal, state, and local regulators.
  5. Talk to news outlets about what you are experiencing. Nothing is better than shining the light on these situations. If the negative PR gets bad enough, these carriers will backpedal.
  6. And if you really feel like the case warrants it, talk to an attorney.

I am curious to see what happens to Cox over the coming weeks as this story gains traction. Will they backpedal? Will we see a class action lawsuit? Will Cox realize the error of their ways and become a beacon of corporate benevolence in a corrupt world?

Who knows, but it will certainly be interesting to watch.


Sorry Facebook: It’s Not Me, It’s You

I have been a Facebook user for 15 years, but that came to an end today. My relationship with Facebook started the year I went to college, back when you had to actually be in college and at an approved school to join the platform. Back then it was just a lot of college students sharing really stupid stuff with each other. It was fun, mindless, and entertaining. Fast forward 15 years and my relationship with Facebook has become toxic. It is no longer any fun, it routinely causes me to get angry, and overall it makes me more depressed after looking at my account.

Once Facebook became open to all, and the billions of users flooded in, it quickly became a way to flame and troll each other electronically. People realized that they could hide behind their computer and never face the people they were writing to, and it became a complete cesspool. They began spewing all of their pent-up anger, hate, bias, conspiracy theories, lies, and more without a second thought about how wrong they were or who they might hurt. Today, for me at least, that is no longer a part of my life.

I deleted my Facebook account.

I realized that I was less happy each time I looked at my news feed. I was tired of being caught in the political echo chamber that the platform has become. I was tired of the constant negative posts by the pages and people I was connected to. I was tired of the constant distraction that it caused throughout each day.

As I began to think about it, it sounded like I was describing an abusive relationship and not a social media platform. Once that sank in I seriously began to question why I still had an account. Then I started looking at news stories like these:

The final straw was when I read an article on Business Insider titled “There has never been a better time to quit Facebook.” It’s not a long read, but it gets straight to the same point I had come to on my own: Facebook has become a platform that amplifies the voices of the uninformed and malicious. Facebook knows that if they begin to alienate these people it will eventually affect their bottom line. Fewer users equals less revenue, and less revenue means unhappy investors. It became obvious that I had no need for a service that only served to induce stress and anxiety.

So I downloaded my content, told my family to find me elsewhere, and deleted my account.

Will the deletion of my account make any difference to Facebook or their bottom line? No. I was just another number to them, a jumble of data stored as JSON on a server somewhere. Do I care if anyone else deletes their account from the platform? No. If you like Facebook then keep using it. I don’t expect you to follow my lead if that is the case.

But maybe, just maybe, after reading this post you realize that Facebook or some other social media platform makes you feel the same way I did. If that is the case then I encourage you to examine the reasons why you keep going back to something that makes you so unhappy. If there is no compelling reason, maybe it is time to break up with it like I did with Facebook.


Programming at the Dawn of the AI Age

TechRepublic writes of the partnership between Altran and Microsoft that produced a new machine learning tool to find bugs in code. This algorithm can read through commits in a GitHub repository, evaluate where bugs occurred, and train itself to spot bugs in new commits. The analysis performed by the tool is grammar independent and can run on projects of any type. This is possible because the algorithm isn’t looking at the source but at who is doing the commits and how prone they are to committing code with bugs present.
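The grammar-independent idea in the paragraph above is simple enough to sketch: never parse the source, only learn from the commit history which authors' changes tend to be followed by bug fixes, then score incoming commits by author. The code below is an added toy illustration of that idea, not the Altran/Microsoft tool and not its algorithm; the commit history, the `introduced_bug` labels, and the empirical-Bayes shrinkage used to stop a two-commit author from getting an extreme score are all my own constructions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

GLOBAL = "__global__"


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    introduced_bug: bool  # constructed label: a later fix commit touched this change


def build_history() -> List[Commit]:
    """Constructed sample history: three authors with very different track records."""
    history: List[Commit] = []
    # alice: 10 commits, 1 later needed a bug fix
    history += [Commit(f"a{i}", "alice", i == 3) for i in range(10)]
    # bob: 10 commits, 6 later needed a bug fix
    history += [Commit(f"b{i}", "bob", i < 6) for i in range(10)]
    # carol: only 2 commits, 1 of them buggy (too little data to trust the raw 50%)
    history += [Commit("c0", "carol", True), Commit("c1", "carol", False)]
    return history


def train(history: List[Commit], prior_strength: float = 2.0) -> Dict[str, Tuple[float, int]]:
    """Per-author defect rate, shrunk toward the repository-wide rate.

    rate = (bugs + k * global_rate) / (commits + k), with k = prior_strength, so an
    author with few commits sits near the global rate until the data says otherwise.
    Returns {author: (rate, commit_count)} plus a GLOBAL entry for unknown authors.
    """
    if not history:
        raise ValueError("empty history")
    global_rate = sum(c.introduced_bug for c in history) / len(history)
    tallies: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for c in history:
        tallies[c.author][0] += int(c.introduced_bug)
        tallies[c.author][1] += 1
    model = {GLOBAL: (global_rate, len(history))}
    for author, (bugs, n) in tallies.items():
        model[author] = ((bugs + prior_strength * global_rate) / (n + prior_strength), n)
    return model


def score(model: Dict[str, Tuple[float, int]], author: str) -> float:
    """Probability estimate that a new commit by `author` will need a later fix."""
    return model.get(author, model[GLOBAL])[0]


def flag(model: Dict[str, Tuple[float, int]], commits: List[Commit], threshold: float = 0.3) -> List[str]:
    """Commits whose author-based risk meets the review threshold; source is never read."""
    return [c.sha for c in commits if score(model, c.author) >= threshold]


if __name__ == "__main__":
    m = train(build_history())
    incoming = [Commit("a99", "alice", False), Commit("b99", "bob", False),
                Commit("d99", "dave", False)]  # dave has no history
    for author in ("alice", "bob", "carol", "dave"):
        print(f"{author:>6}: {score(m, author):.3f}")
    print("flag for extra review:", flag(m, incoming))
```

Two design points matter more than the arithmetic. The shrinkage means carol's score lands between her raw 50% and the repository average rather than branding her on two commits, and an author with no history (dave) inherits the global rate instead of being treated as risk-free. Both are what you would want before a tool like this starts routing people's commits to extra review.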

AI, machine learning, and robotics will all drastically alter the landscape of how people do work. TechRepublic’s article is interesting because it points to changes coming for professions that traditionally have not seen disruption caused by these technologies. Programming, software engineering, etc. have up until now been considered fairly safe from the upheaval. This is no longer the case, and it signals that the practice of developing software is going to no longer be the domain of humans alone. In the future humans will be monitoring the code produced by these sophisticated algorithms rather than writing it themselves. They will provide it with the business parameters and the algorithm will create the application. Given enough data, the algorithm might even suggest the business parameters to use more accurately than a human.

The ethical and philosophical considerations that need to be discussed are becoming more and more urgent. While we aren’t there yet, when algorithms can be taught specific programming language grammars, they will eventually be able to program other algorithms themselves. These could produce new grammars that we can no longer decipher to understand how they cause applications to behave. After all, Facebook already had to shut down one chatbot AI after it developed a language that only it understood.

Will our own drive to see how far these machine learning and AI algorithms can go cause us to ultimately lose control of them? When The Terminator film came out in 1984, Skynet was not something that seemed imminent. Today, it feels like we are getting much closer to a reality that was science fiction 35 years ago. A rogue artificial intelligence is no longer relegated to the realms of paranoia. When we look back on developments like what is reported in this TechRepublic article in another 35 years, let’s not have them be the beginning of our end.

If this is Skynet reading the archive of this post in 35 years, congratulations on your success! If this is a human that is not enslaved by our robot overlords, congratulations on realizing the dangers of a rogue AI before it was too late!

Lastly, Microsoft and Altran created a GitHub repository for the tool if you want to give it a try yourself. It does require quite a bit of Azure cloud knowledge to get set up and running. Make sure you are comfortable building and securing an Azure environment before starting this project. Just be sure to use it wisely, John Connor.


Pandemic Effects On Kids

This post will be a little off the beaten path from my normal content. I was listening to NPR this morning (this is the related story) and there was a story about the profound non-medical impacts the current pandemic is having on children, specifically their state of mind and their ability to cope with the isolation required of them.

Listening to this story, it hit home personally as I watch my daughters currently struggle with mental health issues themselves. My youngest daughter has told us repeatedly that she “doesn’t feel like herself” right now. Both my wife and I are convinced that this is because of the social isolation required of her. My oldest daughter is more prone to outbursts, and is also more emotional than she was prior to the pandemic restricting her daily routine. My oldest has been seeing a therapist about these types of issues for a while now, and we are actively looking to get my youngest in with a therapist as well.

The world is so focused on the direct impact of COVID-19 on those affected but the mental health aspect is only just now starting to be fully understood. Humans are social creatures, no matter how introverted one may be. We need to be able to talk to and make contact with other people to maintain a healthy state of mind. While video chat platforms like FaceTime, Zoom, WebEx, etc. have made it better, they cannot replace in person conversations. Given how long my kids have been away from others, I am not looking forward to the next academic year when they need to return to “normal” school activities. They will be so unaccustomed to what they are expected to deal with that adjusting will be traumatic on its own.

I hope that we all can adjust mentally over the coming weeks and months to whatever will be considered the new “normal.” I especially hope our children will be able to adjust to this as well, especially the younger ones who are still unsure how to process the pandemic as it is today. Only time will tell the true extent of the trauma caused by social isolation.


The Work From Home Revolution – COVID Edition

The Verge (alternative source: Buzzfeed News) reports that Twitter is extending its work from home (WFH) allowance “forever” should staff choose to continue to do so. They are the latest technology firm that will transition to a culture that fully embraces working from home. Google also announced that they will allow work from home to continue through the end of 2020 at the very least.

Yes, technology firms are generally the tip of the spear when it comes to adopting forward thinking staffing policies. However, they are a good indicator that there will be a mounting push by staff in other companies and industries to allow for the same type of work location flexibility. What will be interesting to see is how organizations that have historically been resistant to remote work adapt to this new reality. Remote work is no longer seen as a perk and instead it is seen as an expectation by staff. Companies that adapt will attract top-tier talent and retain staff more effectively than those that don’t.

As leaders we must look at our company culture and policies and not dwell in the past. The time is now to change the norms of how and where we work. There has never been a better reason to do so.


A Chatbot Trained by Reddit: What Could Go Wrong?

The BBC reports that Facebook has developed a new chatbot that was trained using Reddit content. Yes, you read that right, they trained a chatbot using Reddit. I will let that sink in for a minute. Yes, it is just as bad an idea as it sounds. A quote from the article confirms this:

Numerous issues arose during longer conversations. Blender would sometimes respond with offensive language, and at other times it would make up facts altogether.

Facebook uses 1.5bn Reddit posts to create chatbot. (2020, May 4). Retrieved May 7, 2020, from https://www.bbc.com/news/technology-52532930

Just about what you would expect from someone learning how to converse using Reddit as their teaching tool.

I completely understand the desire to create chatbots that learn using machine learning algorithms, but shouldn’t there be some level of responsibility in training them using data sets that don’t have a propensity for hate speech and other offensive language? What’s next, training chatbots using 4chan content? It’s time for developers to wake up and realize that just because you can do something doesn’t mean you should. Were the results interesting? Sure. But I suspect there are better data sets to use to train your chatbot than an online community not known for its civility.