Craig Constantine

The bullshit web

September 5, 2018

The vast majority of these resources are not directly related to the information on the page, and I’m including advertising. Many of the scripts that were loaded are purely for surveillance purposes: self-hosted analytics, of which there are several examples; various third-party analytics firms like Salesforce, Chartbeat, and Optimizely; and social network sharing widgets. They churn through CPU cycles and cause my six-year-old computer to cry out in pain and fury. I’m not asking much of it; I have opened a text-based document on the web.
~ Nick Heer from, https://pxlnv.com/blog/bullshit-web/

slip:4upobo2.

This is a long, in-depth read. You will be an immensely more well-informed user of the Interwebs after you read it— about six times.

Meanwhile, have you heard of the magical analysis tool that is http://gtmetrix.com ? You have now! Start dropping your favorite web sites into its analysis magic, sit back and weep at what we’re using the Internet for.

These screenshots are just the tip of the iceberg. GTMetrix shows an insane amount of detail.

This. Shit. Has. To. Stop.

Election hacking

May 14, 2018

Security is never something we actually want. Security is something we need in order to avoid what we don’t want. It’s also more abstract, concerned with hypothetical future possibilities. Of course it’s lower on the priorities list than fundraising and press coverage. They’re more tangible, and they’re more immediate.
~ Bruce Schneier from, https://www.schneier.com/blog/archives/2018/05/the_us_is_unpre.html

slip:4usebo5.

I think the only thing “protecting” us from someone successfully hacking an election, is the sheer number of polling places. You’ve voted, right? Sure, it’s a busy spot with maybe a dozen machines and hundreds of poeple… but there are thousands and thousands of polling places, and the voting machines are not networked. Yet.

Don’t misunderstand: This is security through obscrurity, is not actually security at all, and is a recipe for disaster.

Data ethics

April 18, 2018

This is like lashing a rope around the cracking foundation of a building. What we need is for an ethics of data to be engineered right into the information skyscrapers being built today. We need data ethics by design. Any good building must comply with a complex array of codes, standards and detailed studies of patterns of use by its eventual inhabitants. But technical systems are today being built with a minimal concern for compliance and a total disregard for the downstream consequences of decades of identifiable data being collected on the babies being born into the most complicated information ecology that has ever existed.
~ Colin Koopman from, https://www.nytimes.com/2018/03/22/opinion/democracy-survive-data.html

slip:4unyoi6.

Presented without commentary.

So obscure it confused _ME_

April 17, 2018

I think the problem is more subtle. It’s an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we’re going to see a lot more of these. And like this Google/Netflix interaction, it’s going to be hard to figure out who to blame and who — if anyone — has the responsibility of fixing it.
~ Bruce Schneier from, https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html

slip:4usebo12.

I had to read the entire thing twice.

I’m on a “security” tirade here for a few days, so here’s my strategy for security: Get off the peak of the bell curve.

If someone wants your stuff, they will take it. Actors can always, if sufficiently motivated, apply more resources than you have available for defense. Therefore, one should not bother defending (worry, spending crazy amounts of resources,) against a “motivated” attacker. Instead, deploy defense in depth and then make incremental improvements everywhere.

https://en.wikipedia.org/wiki/Defence_in_depth

Don’t give away details about yourself

April 16, 2018

I hope readers don’t interpret this story as KrebsOnSecurity endorsing secret questions as a valid form of authentication. In fact, I have railed against this practice for years, precisely because the answers often are so easily found using online services and social media profiles. But if you must patronize a company or service that forces you to select secret questions, I think it’s a really good idea not to answer them truthfully. Just make sure you have a method for remembering your phony answer, in case you forget the lie somewhere down the road.
~ Brian Krebs, from https://krebsonsecurity.com/2018/04/dont-give-away-historic-details-about-yourself/

slip:4ukedo1.

“Two Factor” authentication (2FA) is best. “Two Factor” means two DIFFERENT methods of interacting with you — so a web site login, which requires also sending you a code via a message to your phone is “Two Factor”.

…and 2FA via your phone is a TERRIBLE idea, because you can easily lose it or have it stolen. There are better methods of 2FA, but I won’t bore you here.

So asking you “security questions” does not in fact increase security. But you’re stuck with it because you have no power of the entities you have to interact with. So what to do?

Treat those questions just like passwords — MAKE THEM UP!

However you are storing your passwords — that’s an entire other discussion — just ALSO record the questions they asked, and the REAL-SOUNDING BUT TOTALLY FAKE ANSWERS.

I repeat…

MAKE UP FAKE ANSWERS AND STORE THEM WITH YOUR PASSWORDS.

You might be AMAZED to discover my mother happens to have 42 different maiden names.

You might be AMAZED to discover how many different cars I learned to drive stick on.

…or the 42 different names for my first dog.

…you see where this is going?

Normally, I try to keep these ramblings succinct, but here’s a fun story…

Many moon ago, Tracy and I had a Blockbuster account. We were in the store, in the check out line, and the cashier says to me, “Oh, can I have your phone number?” We had been customers so long, it was before Blockbuster figured out people just keep the DVDs, and so they wanted to be able to start calling people. Someone expanded their customer database fields, added a new data field to the checkout screen and then trained or prompted the poor cashiers to gather this data. (This is called “compliance” in the industry — getting the people at the point of sale terminals to comply with the database marketing strategies of the home office.)

Anyway. Here’s this nice high school girl just doing her summer job, and of course, I can simply say “No.” But then they’re probably going to ding her “compliance” score with corporate. (In some cases, your pay, bonus and even employment are tied to compliance scores.)

So without missing a beat, I help both her (compliance) and I (privacy) and I give her my phone number with two digits flipped. I just immediately smiled and said 6 – 1 – 0 – 8 – 6 – 7 – 5 – 0 – 3 – 9 (shoulda been 5309 — you know I’m making numbers up right :)

…and Tracy says, “wait, that’s not our number,” thinking she’s being helpful.

“Exactly,” I say with a smile.

The cashier realizes I had just plainly lied to her. (Technically, I was trying to lie to her corporate overlords.)

…and I said, “oh sorry, 6 – 1 – 0 – 8 – 6 – 7 – 0 – 5 – 3 – 9”. (Same crap, just with two other numbers flipped. I always loved those ‘remember this string of numbers games’.)

“Is that really your number?”

“oh! Sorry, 6108675123… wait, no, 610876432178 … hmmm, you don’t seem to like these digits I’m saying… how about 6105551212?”

Now she’s like, “You’re weird.” (Unrelated ad hominem attack, but alas, true. But probably explains why girls IN high school never asked for my number.)

“…and Blockbuster still doesn’t have my phone number.”

At which point, she [I presume] took the compliance ding and didn’t enter any numbers.

To this day, (we have the same phone number,) Blockbuster — and whomever eventually bought their customer data because that’s the only thing they had in the end worth money — does not have my home phone number.

So there’s a little glimpse into Craig’s head.

Maybe you just realized why 2FA with your phone is really REALLY bad? You’re also giving away your phone number.

Wait, you read this far? Great, here’s how you REALLY do 2FA properly:

https://en.wikipedia.org/wiki/Google_Authenticator

The filter bubble

March 30, 2018

Well, personalization is sort of privacy turned inside out: it’s not the problem of controlling what the world knows about you, it’s the problem of what you get to see of the world.
~ Eli Pariser from, https://www.brainpickings.org/2011/05/12/the-filter-bubble/

slip:4ubate1.

There are thousands — that’s not a typo — of companies which trade (buy, sell) data about users. We’ve reached a point where it is no longer possible to hide. You might also be interested in reading this:

https://www.schneier.com/blog/archives/2018/03/facebook_and_ca.html

I struggle with distractions

February 16, 2018

To say that I “struggle” with distractions is a HUGE understatement.

Some time ago, I saw the following idea — sorry, I forget where — and I wanted to share it. (I’ve no idea if/how you would do this on non-Apple-IOS devices, sorry.) Ready?

Move EVERYTHING off of the home screen.

This is not the lock screen on my phone — THIS IS THE HOME SCREEN. When I unlock the phone, this is what I see. Nothing. The frequent-apps/dock is empty, and all the apps are ‘rightward’ in other screens. And they’re just in a jumbled mess because I never swipe off this screen.

Instead, I swipe down and type in the search field.

Perhaps you’re thinking, “so what?”

It changes your life. I spent weeks (after making this change) waking up my phone, staring at this screen and thinking, “wait, why did I wake up my phone?” Now I think, “what’s the weather going to be?” wake the phone, swipe down, type ‘w-e’ touch weather app. Etc. Wake the phone, do exatcly what I want, close phone.

Yes, this does still require a small bit of discipline to not double-tap Home and swipe through the running apps, but I never was a big user of that anyway.

If you’re paying close attention, you’ll note my phone is in “do not disturb” mode at 1:30 in the afternoon. That’s another pro-tip. Add EVERYONE you’d ever want a call from to your VIP list. Disable the “ring through” feature (where multiple calls from the same number can push through do not disturb). Then schedule DND from 11:01 to 11:00 daily. <<= …read the ordering of those times carefully.

(…and sorry, no, that is not the one-secret-minute when you could actually call me.)

Any time I’m expecting a call from someone random — car’s in the shop, plumber is expected around 9am — I just turn off ‘do not disturb’. As a bonus, I immediately realize how many junk calls I used to get. I don’t have a problem remembering to turn it back on, and I get a fresh reminder of how delightful it is to have the phone screen my calls.

These days?

My phone now NEVER rings.

Except when it does! …and I discover that it is now always someone I would like to talk to.

One.
Tiny.
Success.
At.
A.
Time.

The King complex

January 14, 2018

That’s the reason it’s difficult for many individuals to leave the internet — even for as little as a few hours in the evening, over a weekend, or on vacation. In short, the internet makes us feel like kings. It is the ultimate concierge.
~ Blake Snow from, https://www.artofmanliness.com/2018/01/12/king-complex-makes-internet-hard-put/

slip:4uaoki1.

I’ve read a lot about how parts of the Internet are designed to hold your attention, how social media services are designed to beaddicting, and how using “game” theories can get everyone to want to interact more, and how all of that leads to a slippery slope. But this idea—thinking of how the Internet caters to your every whim, and why you then drool all over it to get more of that—this is a new twist I’d not seen before.

Burnout

June 30, 2015

http://itrevolution.com/karojisatsu/

slip:4uieka1.

Normally, I “pull quote” things and then include a link. But for this one I’m just going to say that this is a 5 minute read about burnout in the tech sector by John Willis.

Conspiracy theories on facebook

February 18, 2015

Do you believe that the contrails left by high-flying aircraft contain sildenafil citratum, the active ingredient in Viagra? Or that light bulbs made from uranium and plutonium are more energy-efficient and environmentally friendly? Or that lemons have anti-hypnotic benefits?

If you do, then you are probably a regular consumer of conspiracy theories, particularly those that appear on the Italian language version of Facebook (where all these were sourced). It is easy to dismiss conspiracy theories as background noise with little if any consequences in the real world.
~ Alessandro Bessi et al, from Science Vs Conspiracy: Collective Narratives In The Age Of (Mis)Information

It remembers for keeps

January 15, 2015

Anyone who works with computers learns to fear their capacity to forget. Like so many things with computers, memory is strictly binary. There is either perfect recall or total oblivion, with nothing in between. It doesn’t matter how important or trivial the information is. The computer can forget anything in an instant. If it remembers, it remembers for keeps.
~ Maciej Cegłowski from, http://idlewords.com/bt14.htm

slip:4uieaa1.

…from his talk at Beyond Tellerrand

Programming sucks

December 20, 2014

Every friend I have with a job that involves picking up something heavier than a laptop more than twice a week eventually finds a way to slip something like this into conversation: “Bro,1 you don’t work hard. I just worked a 4700-hour week digging a tunnel under Mordor with a screwdriver.”

System administration sucks too:

… And if these people stop, the world burns. Most people don’t even know what sysadmins do, but trust me, if they all took a lunch break at the same time they wouldn’t make it to the deli before you ran out of bullets protecting your canned goods from roving bands of mutants.
~ Peter Welch from, http://stilldrinking.org/programming-sucks

slip:4usipo1.

hear! hear!

Take back the Internet

May 21, 2014

This is not the Internet the world needs, or the Internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can — and should — do.
~ Bruce Schneir from, https://www.schneier.com/blog/archives/2013/09/take_back_the_i.html

slip:4usebo4.

I’d venture that the vast majority of regular, everyday people working in technology related jobs are not actively trying to do evil. People go to work, make the best decisions they can and then go home. If that’s true, then it’s going to be nigh impossible to change the momentum of how things (e.g., NSA surveillance) are going. Because in order for it to change, we need to start thinking bigger.

Hello App.net

April 15, 2014

App.net is WAY cool

What makes it cool, different and BETTER is:

They built the PLATFORM, (the heavy lifting behind-the-scenes that makes it all work)
They wrote the API, (the instructions for how to build things to USE the platform)

…and that’s all they wrote.

Aside: Yes, they did write sample applications. It’s hard enough to wrap your brain around it as it is, let alone if there were no apps to play with. So they built a web-based front end called “Alpha”, (for example.)

You, (dear reader) do not “look at” App.net, and you do not “use it”. You use APPLICATIONS which are built on the App.net platform/API.

App.net is different

App.net charges the developers: They’ve built a stable, powerful and feature-rich PLATFORM. They logically believe that developers will be willing to pay to use the platform.

Developers build applications: They pay App.net for access to connect their application to the platform. For example: Tapbot’s Netbot app is a superlative app using the platform. (App.net also maintains a directory of available apps.)

People use the applications: You, dear reader, choose your favorite application. You can use the free “Alpha”, (that’s it’s name) web front-end that App.net wrote. You can also download an app, (some are even free) from your favorite app store for your mobile device.

So, for example, how do you find me on App.net? Easy: Open your favorite App.net application and look for “cc1315”, my full name, or my email address. If you like to use the “Alpha” web-based application, then I’m /cc1315 . So there’s you using an App.net application! Another example is the application I wrote, (it required three mouse clicks) which enables this blog to push my posts into the App.net platform.

Wait. Wat?

The problem with all the big-name social networks is that they built, own and control the platform AND the application.

By “problem” I mean “things regular-users don’t like.” For example: Ads appearing; Weird algorithms that determine what I actually see and which strong-arm content-creators into paying money to boost viewership; Posts that look like posts but are really ads paid for by advertisers. And things that limit content creators, like: Not allowing posts at all into the platform; Weird rules that limit how posting is done because they don’t want the users leaving the platform to go read content directly.

This is exactly WHAT WE DESERVE. The companies that built the platforms get to create the rules because they own the platform, control the API and they control the applications. The people USING the social network are the product that gets monetized. So everyone shows up, for free, to socialize. But then the advertisers buy-in to get access to all the people. To the people socializing, it feels like the social club is letting weirdos into the club who roam around asking if we want to buy things.

Don’t believe me? Here are some search-result links:

“why Facebook sucks”
“why Twitter sucks”
“why Pinterest sucks”
“why Instagram sucks”

App.net fixes this how?

Let’s think through the “problem” scenarios…

First, you do still choose who to follow. So let’s assume for this discussion I’m following a couple hundred accounts. (My friends, some favorite businesses, etc)

I see a post from a business, but it’s actually an ad! …how do I make that go away? Current social networks? …you cannot.

Aside: Yes, some social networks let you kill that particular ad, but there are always more to follow. In reality, you’re just TUNING what ads they will show you, not blocking out ads.

With App.net it’s easy: Stop following that account. (Or maybe contact them and say, “yo, less ads please” if you really like their other posts.) App.net won’t let them send you further content, that would be a lousy platform that developers wouldn’t pay to use!

So maybe that ad you see is being shown by the application you’re using… it’s not really coming through the App.net platform… Easy: Don’t use that application. Or maybe pay them to turn the ads off. (Look! An application ecosystem where great apps win out.)

But, (you ask) what If someone tries to write an app to spam ads into the App.net platform? It turns out the platform doesn’t have that ability. (The current social networks have that ability BIG TIME — it’s how they make money.) But App.net makes money from the developers, so they don’t have a “spam everyone” feature in the platform. That’d be a lousy platform that developers would not pay to use.

content filtering

App.net delivers everything from all the accounts you’re following; That’s why developers want to pay to use the platform; It works well! So the applications might filter, or sort, or whatever. (Maybe, show me more posts from my friends whose posts I favorite.) But that’s a feature that you CHOOSE when you select what app to use. Don’t like how the app filters or sorts? …switch apps!

content posting into the platform

Current social networks want you to use their apps to post content. App.net simply moves the content through the platform. (Which is why it’s a great platform that developers want to pay to use.) So anyone can write any application to post content into the network.

Closing thought

The only thing more cool (in social networking) than App.net is Tent.io . With Tent.io, instead of having one centralized platform like current social networks and even App.net, you have one giant fabric which is composed of everyone’s PERSONAL data platform. So Craig’s posts are on Craig’s platform, etc. Then the Tent.io magic moves the messages around between the nodes, prevents anyone from impersonating anyone else, etc.

But that’s another post altogether… :*)

Heartbleed: For want of one nail, the kingdom is lost

April 8, 2014

The Heartbleed OpenSSL problem is big news ( http://heartbleed.com if you’ve been under a rock ). What’s wrong?

In short, Heartbeat allows one endpoint to go “I’m sending you some data, echo it back to me”. It supports up to 64 KiB. You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim “I’m sending 64 KiB of data” (for example) and then only actually send, say, one byte, OpenSSL would send you back your one byte — plus 64 KiB minus one byte of other data from RAM.

Whoops!
~ Matt Nordhoff from, http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work

So this one, tiny-looking problem brings our entire sand-castle Internet kingdom down. “Secure” web sites turn out aren’t necessarily secure. Worse, they haven’t been secure for some uncertain amount of time. So, anything communicated insecurely, during some uncertain time-frame… is, uh, possibly snooped, stolen, etc. The system admins have to patch the fix in, then redo site certificates, then everything everyone has put to/from those sites, (your login and password for example!) has to all be considered stolen/tainted and has to be reentered.

Bonus: it’s even worse than I’m making it sound: Try this on…

http://security.stackexchange.com/questions/55116/how-exactly-does-the-openssl-tls-heartbeat-heartbleed-exploit-work

http://security.stackexchange.com/questions/55097/can-heartbleed-be-used-to-obtain-memory-from-other-processes

Also, people didn’t know to click on images

April 6, 2014

I distinctly remember:

When inlining of images happened; The first time it was possible to put an image directly INTO the page. And JPEGs man. JPEGs where coooooooooool.
Also, tables. Today, everyone loves to whine about how bad it is to use tables to layout pages. NOT having tables was much, much worse.
And image-maps; The idea that WHERE exactly you clicked on an image, could take you to different content. I won’t even get into what we had to do to make it work… (but it involved: convex polygon mathematics, C code, a compiler, and a DEC Alpha work station.)
…and we had to TELL people, “A lot of images in Skew are links… Click at will!” when we started e-publishing a magazine in December 1994.

So yeah, back in the day we had Mosaic. Then these guys hit it out of the park with:

Navigator was the way millions of people around the world were introduced to the web. Many web technologies and standards, such as as SSL, Java, Javascript, open APIs and support for online media, were innovations that Navigator made mainstream.
~ Brian McCullough from, http://www.internethistorypodcast.com/2014/04/on-the-20th-anniversary-an-oral-history-of-netscapes-founding/

slip:4uieoe1.

Stop data-mining me

January 8, 2014

Data brokers have pioneered advanced techniques to collect and collate information about consumers’ offline, online and mobile behavior. But they have been slow to develop innovative ways for consumers to gain access to the information that companies obtain, share and sell about them for marketing purposes. Now federal regulators are pressuring data brokers to operate more transparently.

In 2012, a report by the Federal Trade Commission recommended that the industry set up a public Web portal that would display the names and contact information of every data broker doing business in the United States, as well as describe consumers’ data access rights and other choices. But, for years the data brokers have been too busy to build a centralized Web portal for consumers. So, we decided to help them out and StopDataMining.me was born!
~ http://www.stopdatamining.me

Go there. Then, one by one, follow the links to the data mining companies “opt-out” forms. These companies ALREADY know who you are.

Control T for TENEX

December 8, 2013

This magic works via detection of a STATUS control character, Control-T, by the kernel tty driver, which then prints the load line via tty_info() on FreeBSD or ttyinfo_locked() on Mac OS X. It also sends a SIGINFO to the process, so it can run its own routine. See STATUS in the termios(4) man page.
~ Brendan Gregg from, http://dtrace.org/blogs/brendan/2013/10/05/control-t-for-tenex/

It is so freakin’ cool when I learn new Unix tricks. It’s like a maze of twisty passages, all alike; Except there’s… oh! A piece of candy! oh! A piece of candy! oh! A piece of candy.