Archive for PEBKAC

Not your space anymore

Myspace — remember Myspace? — has had a major data breach:

“Shortly before the Memorial Day weekend, we became aware that stolen Myspace user login data was being made available in an online hacker forum,” the site wrote in a blog post. The breach occurred on June 11, 2013, and affects a portion of accounts created on the old Myspace platform.

Myspace did not reveal how many accounts were affected, but LeakedSource, a search engine for leaked records, which claims to have obtained a copy of the stolen information, said the data set includes 360,213,024 records. Each record may contain an email address, username, one password, and in some cases a second password; no financial information was involved.

I have received the following notification from Myspace (note it’s no longer BiCapitalized) HQ:

Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk. As you know, Myspace does not collect, use or store any credit card information or user financial information of any kind. No user financial information was therefore involved in this incident; the only information exposed was users’ email address and Myspace username and password.

In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013 on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password.

As a test, I duly attempted to log back in, and was so prompted. Password has now been reset.

The LeakedSource page on this breach lists the top 50 passwords, some of which were used by literally thousands of people. I’m pretty sure no one else was using mine.

Comments (4)

On the off-chance that it might help

Microsoft has issued a paper on Password Guidance, and therein, these are considered the best practices:

  1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  2. Eliminate character-composition requirements.
  3. Eliminate mandatory periodic password resets for user accounts.
  4. Ban common passwords, to keep the most vulnerable passwords out of your system.
  5. Educate your users not to re-use their password for non-work-related purposes.
  6. Enforce registration for multi-factor authentication.
  7. Enable risk based multi-factor authentication challenges.

I, for one, would not miss character-composition requirements: adding digits and shifted characters to the alphabet raises the number of available characters from 26 to about 72, meaning your average brute-force password guesser is going to take somewhere between two and three times as long to nail down your password. In the current state of the art, this delay is trivial.
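As an added illustration (not from the post or from Microsoft's paper), here is what practices 1, 2 and 4 above look like as a password check: a minimum length with no maximum, no composition rules, and a ban list that also catches the "Password1!" style variants composition rules tend to produce. The ban list is a constructed sample; a real one would be breach-derived, like the top-50 list from the Myspace post above.

```python
import unicodedata

# Constructed sample of a common-password ban list (a real one is far larger).
BANNED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "myspace1",
}

# The usual substitutions people make to satisfy composition rules.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Trailing characters that are typically bolted on to a dictionary word.
TRAILING_JUNK = "0123456789!@#$%^&*.?_-"


def normalize(password):
    """Reduce a password to the base word an attacker's wordlist would contain.

    Lowercase, drop the trailing digits/punctuation, then undo the leet
    substitutions: "P@ssw0rd1!" -> "password". Stripping happens before the
    leet step so a trailing "1" is treated as junk, not as an "i".
    """
    s = unicodedata.normalize("NFKC", password).lower()
    s = s.rstrip(TRAILING_JUNK)
    return s.translate(LEET_MAP)


def check_password(password, banned=BANNED_PASSWORDS, min_length=8):
    """Return the list of policy violations; an empty list means accepted.

    Deliberately absent: any digit/symbol/case requirement (practice 2) and
    any maximum length (practice 1: longer is allowed, just not required).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalize(password) in banned or password.lower() in banned:
        problems.append("matches a banned common password")
    return problems
```

A passphrase such as "correct horse battery staple" passes untouched, while "P@ssw0rd1!" is rejected despite ticking every composition box.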

Two-step — maybe three-step — authentication will eventually become the norm.

Comments (2)

You can’t use this

No, we don’t care who wrote it:

SoundCloud booted Chet Faker off the streaming platform today for copyright infringement … of one of his own tracks.

The Australian electronica megastar, real name Nick Murphy, tweeted that SoundCloud issued him with one of its infamous takedown notices for detecting that “one of his tracks may contain copyrighted content.”

This is the track in question:

Automated copyright-infringement detection. How does it work? (Answer: Not very well.)


True Cold War technology

Would you like to play Global Thermonuclear War? Bring your own diskettes:

Want to launch a nuclear missile? You’ll need a floppy disk.

That’s according to a new report by the U.S. Government Accountability Office (GAO), which found that the Pentagon was still using 1970s-era computing systems that require “eight-inch floppy disks.”

Such disks were already becoming obsolete by the end of that decade, being edged out by smaller, non-floppy 3.5 to 5.25-inch disks, before being almost completely replaced by the CD in the late 90s.

Except in Washington that is. The GAO report says that U.S. government departments spend upwards of $60 billion a year on operating and maintaining out-of-date technologies.

I dunno. The five-and-a-quarters seemed pretty darn floppy to me, especially compared to the nifty plastic-shelled three point fives.

The Soviet Union went bye-bye in 1991. At the time, I was working on an IBM System/36 with a startlingly huge 200-megabyte hard drive — ‘scuse me, DASD — though backups of Important Stuff were kept on magazines (capacity 10) of 8-inch floppies. Each disk held a shade over a single megabyte, so maybe 11 MB per magazine. Eventually we got a tape drive for backups. (We still have a tape drive for backups, but each tape holds 800 GB; it takes about two hours to fill it halfway.)

Comments (1)

Marked for death by Information Services (13)

If your site nags me about ad blockers, even while ad blockers are off, “too stupid to live” is far too kindly a description of you.


Measured desperation

See? You should have charged your phone before going out for the evening:

Dying phone batteries can lead to desperate measures when it comes to ordering an Uber.

The ride-hailing service has learned from its internal data that riders are much more likely to spring for surge-priced fares when their phone is nearing the end of its battery life.

Of course, they know exactly what you’re doing:

The reasoning here is pretty straightforward: Anyone with an amply charged phone can afford to wait and see if Uber’s real-time demand-based pricing system might let up on the extra charge. But the prospect of being stranded with a dead phone makes time more of the essence.

Uber knows when your phone battery is running low because its app collects that information in order to switch into power-saving mode. But [Uber head of economic research Keith] Chen swears Uber would never use that knowledge to gouge you out of more money.

Sure they wouldn’t.

(Via Rusty Surette.)

Comments (2)

Nearing the final Flickr

As Yahoo! circles the drain, its component parts are whirling around at comparable speeds, and Flickr, which they acquired in 2005, definitely appears to be tracing a similar spiral. Can it be saved? Geoff Livingston has some thoughts:

A lot depends on who buys Flickr. Doc Searls made an impassioned plea for Adobe to buy the social network, saying that Flickr was the best site for serious photographers.

And besides, Doc Searls has sixty thousand photos on Flickr. I’m almost embarrassed by my 159. But I haven’t left either, and neither has Geoff Livingston:

I’m not sure about the latter anymore, but I do believe Flickr still has value. I’m still there and still use it to house my library. I still get occasional media inquiries to use my pics from Flickr, too… The question is who will buy it? If Google or Facebook buys Flickr, I will be downloading all of my photos that day and closing my account. Warren Buffett would be more encouraging. At least you know Berkshire Hathaway would invest in the network again.

I shudder at the thought of Flickr being absorbed into Google Photos — or worse, into Instagram.

Now how do we persuade the Sage of Omaha to spend money on an Internet photo service? I mean, Flickr doesn’t sell insurance or anything like that.

Comments (2)

No one must ever know

Usually the guys who do this want to pretend that they wrote all that code. Then there’s this guy:

Yahoo Answers screenshot: How to remove template name from WordPress?

His motivations contain 50 percent more skulk:

I bought a WordPress template from a site for my business, and I want to know if there is a way to change the theme template name? I own a cafe and one of my competitors (who happens to be my ex-wife) figured out what template I’m using on my site and she bought the same template for her cafe site and now both of our sites look similar. I want to buy a new template but I want to know how I can prevent someone else learning what template I’m using. When someone goes to my site they are able to see what template I’m using when they look at the “Source Code” — how do I change that so the visitors (mainly my competition) can’t find out what template I’m using?

WordPress stores all the theme files in a themes/[theme name] directory; to conceal it would require rewriting every one of those files, plus all the code that connects to those files. It would almost be easier to write a theme from scratch, and there’s still the necessity of tweaking all that PHP. I’m thinking it might conceivably be done with a metric buttload of redirects, at the expense of speed: nothing makes people flee a site faster than lack of fastness.

Disabling right-click, which is where people usually try to View Source, is trivially easy via JavaScript. But it won’t do a thing to block, say, the Ctrl-U combination that Firefox devised.

And really, why did those two ever break up? They seem to be so perfect for each other in so many ways.

Comments (2)

Don’t be Evil McEvilface

This is the sort of thing that makes me think I need a Why The Hell Not? category:

At Google, we spend a lot of time thinking about how computer systems can read and understand human language in order to process it in intelligent ways. Today, we are excited to share the fruits of our research with the broader community by releasing SyntaxNet, an open-source neural network framework implemented in TensorFlow that provides a foundation for Natural Language Understanding (NLU) systems. Our release includes all the code needed to train new SyntaxNet models on your own data, as well as Parsey McParseface, an English parser that we have trained for you and that you can use to analyze English text.

Did he say what I thought he said?

Parsey McParseface is built on powerful machine learning algorithms that learn to analyze the linguistic structure of language, and that can explain the functional role of each word in a given sentence. Because Parsey McParseface is the most accurate such model in the world, we hope that it will be useful to developers and researchers interested in automatic extraction of information, translation, and other core applications of NLU.

And why the hell not?

(Via Selena Larson.)

Comments (2)

Insidiously hideous

This particular WordPress theme was two years old when I adopted (and to some small extent adapted) it, and that was eight years ago. Then again, we’re still talking the 21st century here, although the worst excrescences of the 20th seem to be coming back into style:

There’s an interesting trend in web design these days: Making websites that look, well … bad.

Look at Hacker News. Pinboard. The Drudge Report. Adult Swim. Bloomberg Businessweek features. All of these sites — some years old, some built recently — and hundreds more like them, eschew the templated, user-friendly interfaces that have long been the industry’s best practice. Instead they’re built on imperfect, hand-coded HTML and take their design cues from ’90s graphics.

Which is the way I learned to do things, back in the, um, Nineties. It has the advantage of familiarity.

Is there enough of this stuff to constitute a whole school of thought? Apparently so:

The name of this school, if you could call it that, is “web brutalism” — and there’s no question that much of the recent interest stems from the work of Pascal Deville.

In 2014 Deville, now Creative Director at the Freundliche Grüsse ad agency in Zurich, Switzerland, founded He meant it as a place to showcase websites that he thought fit the “brutalist” aesthetic: Design marked by a “ruggedness and lack of concern to look comfortable or easy” in “reaction by a younger generation to the lightness, optimism, and frivolity of today’s web design.” (In architecture, brutalism describes a ’70s architectural movement characterized by large buildings with exposed concrete construction.)

I defend this sort of thing more or less reflexively. Then again, I defended Oklahoma City’s Stage Center for many years, and we all know what that got me.

“Bad is the new good,” tweeted Nancy Friedman.

Comments (2)

Potentially mortarfied

One of the great fears of our technological time is installing an update and then watching in horror as the device assumes the general position and activity level of a paperweight. I got a chance to anticipate just such a thing yesterday:

Some ASUS users are having UEFI-related Windows update problems that may brick their systems. A few news sites have stories on this:

[…] KB3133977, a security update for Windows 7, has been identified as the cause for this problem. Following its installation, it forces Windows 7 to enable Secure Boot, even though it is actually not supported by Microsoft anymore. This eventually prevents the system from properly rebooting. Microsoft has clearly stated that it is in no way responsible for this predicament. Providing clarification, a company spokesperson stated that the problem occurs because of how Asus has created some of its motherboards with its own modified version of the Secure Boot feature. In other words, users facing problems in this regard will have to contact Asus directly to have the issue addressed. […]

Well, actually, it was never supported in Win7; Secure Boot was an innovation, so to speak, that came with Windows 8. Still, I have an Asus mobo, I run Windows 7, and yesterday was the due date for Microsoft’s Patch of the Month Club. So when I got home, I dragged myself into UEFI — which, as the lovely and talented @SwiftOnSecurity reminds us, is not actually BIOS — drilled down a couple of levels, and hit the toggle on Secure Boot to match up, not with Windows, but with some mysterious “Other OS” that I don’t actually have on this machine.

And then down came fourteen patches, none of which turned out to be KB3133977.

I suppose I can toggle it back when I cede control to Windows 10 in the next couple of months.

Comments (2)

Boxed in

Well, the new Mini Boxes were not going to install themselves, and I wasn’t about to call in a tech for something I damned well ought to be able to do myself, so I set aside an hour to deal with both of my ancient television sets.

The Box box from Cox contains, in addition to the box and its power supply, a smallish remote (with a couple of AAA batteries), a large sheet of paper for the benefit of people with ancient television sets whose remotes need to be cloned, a Quick Start guide which I looked at once, and two cables: one HDMI and one with F connectors. The idea is that if you don’t have HDMI, as I don’t on the turn-of-the-century Sony WEGA, it will still be possible to hook up the box, though nothing is going to produce an actual HD picture. (With judicious use of a button on the remote, you can do the old letterboxing trick to get 16:9, albeit with the usual black bars at top and bottom.) The Vizio (2007) is a proper HD set, but the connectors, as I had forgotten, required me to turn the screen upside down to get to them.

That said, I didn’t actually use up the entire hour, though for some reason the install on the Vizio immediately phoned home for a software update, and it’s just as agonizing watching such things on TV screens as it is on proper computer monitors. And now, instead of 105 channels I don’t watch, I have about 225 channels I don’t watch.

Downside: Each box seems to eat up about 10 watts, whether anyone’s watching TV or not. This works out to somewhere around $20 a year on the electric bill. It’s not a Frigidaire, exactly, but it’s still noticeable.


A-peeling we will go

Chinese girl enjoying a Cavendish

Chinese video-streaming services have apparently had it up to here with saucy banana clips, or something:

Chinese live-streaming services have banned people filming themselves eating bananas in a “seductive” fashion.

New regulations mean that live-streaming sites must monitor all their output round-the-clock to ensure nothing untoward is going on, keeping an eye out for any “erotic” banana-eating, according to New Express Daily. It’s not just fruit that’s on their radar though — the paper adds that wearing stockings and suspenders while hosting a live stream is now also forbidden.

The move is the authorities’ latest attempt to clamp down on “inappropriate and erotic” online content, state-controlled CCTV reports. In April, the Ministry of Culture announced it was investigating a number of popular live-streaming platforms for allegedly hosting pornographic or violent content that “harms social morality”.

Long version: I suspect this sort of action is inevitable from any government that has something called the Ministry of Culture.

Shorter version: This sucks.

(Via Keaton Fox.)


Kindly thieves

Yeah, you’d probably be somewhat resentful if a gaggle of cybercrooks gained access to your computer, encrypted all your files, and then demanded payment for their safe return.

But what if said cybercrooks claimed to be doing all this for a Good Cause? A new strain of ransomware, asking 5 bitcoin (about $2200), says exactly that:

Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!

And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!

P.S> When your payment will be delivered you will receive your software with private key IMMEDIATELY!

P.P.S> In the next 24 hours your price will be doubled by the Main Server automatically. So now you have a chance to restore your PC with low price!

Best regards,

Charity Team

Well, at least we know they’re not spending any of this money on English lessons.

Oh, and they throw in “3 years of tech support” with the deal. I still think I’ll pass.

(Via @SwiftOnSecurity.)


You do not know this number

And even if you did, you would be wise not to say so:

There are ways to get in trouble with the law for just about everything: smoking weed, theft, horse theft, stealing a horse and teaching it to smoke weed, and even shouting “fire” in a crowded not-on-fire stable full of stoned horses. But numbers are pure and theoretical and definitely exempt from legal action, right?

Wrong, buddo. And the reason is that in the digital age, huge prime numbers are really, really important for encryption, as pointed out by YouTuber Wendoverproductions. So important, in fact, that having or sharing some of them could get you prosecuted under the Digital Millennium Copyright Act, which prohibits people from subverting copyright-prevention measures.

Please note how many of our Presidential candidates have declared themselves in opposition to DMCA, and then read on:

Back when people still bought DVDs, those discs were encrypted with a content scrambling system to keep people from ripping and burning them. Software to copy DVDs started circulating soon after the DMCA passed, and movie studios sued those distributing the software not long after that — and won. The court issued an injunction, and thereafter linking to or representing the decryption software was considered a breach of DMCA. People made shirts or poems that represented the software in protest. The silliest part? Phil Carmody discovered a 1,401-digit prime number — no, we’re not going to post it — that (with the right know-how) was executable as the very same illegal software — hence, an illegal prime number.

Not to worry. You do not know this number. (But it starts with 8.)

(Via Jennifer Ouellette.)

Comments (4)

There’s a Start button here somewhere

Presenting the Apple Watch running, um, Windows 95:

The chap who did it explains one of the pitfalls:

Apple’s WatchKit SDK wasn’t good enough, since it doesn’t allow you to access user touch locations directly — it only lets you use Apple’s stock controls. Long story short, it’s possible to patch certain files within a WatchKit app to load your own application code rather than Apple’s.

And there is this minor detail:

Due to the fact that it is emulated (not virtualized), it takes about an hour to boot.

This is about twice as long as it took for an old Win95 box of mine to boot after its Cyrix 5×86 CPU melted down. Of course, the miraculous thing is that it would boot at all.

(Via The Verge.)

Comments (1)

Security on the cheap

Too often, it turns out to be no security at all:

Rudimentary security procedures at Bangladesh Bank are being blamed for the massive online banking heist that saw the country’s central bank lose $80 million in unauthorised wire transfers.

In early February hackers tried to transfer around $1 billion from Bangladesh Bank’s account with the NY Fed, successfully stealing more than $80 million.

According to a report from Reuters, police investigating the attack say the central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 routers to network computers connected to the Swift payment network.

Swift was apparently appalled, albeit after the fact:

A spokesman for Bangladesh Bank said Swift officials told the bank to upgrade the switches only when their system engineers from Malaysia visited after the heist.

It isn’t ransomware, technically, but the effect is pretty much the same.

(Via @SwiftOnSecurity [no relation].)


Sort of like Defrag

About every third time I boot up the tablet — if you’ve just arrived here, it’s the bottom-of-the-line Amazon Fire boxlet, a fifty-buck stripper of a machine — it spits out a message: “Optimizing system storage and applications.” This will take, the screen warns, approximately 10 minutes.

Now the longest it’s taken in the four months I’ve had the device is about 20 seconds. I assume that this operation is comparatively quick because it has relatively little to do: even with the standard complement of bloatware, about a third of the 8 GB factory-installed storage remains empty, and a 64 GB microSD card awaits when necessary. So I’m wondering if this so-called “optimization” is a cover for something else, like downloading more ads. (After periods of idleness, the screen blanks, and when you bring it back, there’s an offer to sell you something; you can decline these polite little intrusions, of course, by sending Amazon some money. You don’t get smooth and seamless for fifty bucks.) It’s certainly consistent with the machine’s simulated panic when it can’t find WiFi.

Comments (1)

Slower time

Apple’s QuickTime was an early acquisition when I clambered aboard the great ship Windows: it was necessary to play clips in the .mov format, and iTunes wouldn’t run on Wintel boxes (or their AMD cousins) without it. In fact, I ponied up $29.95 for the Pro version, which is now for all intents and purposes, or for Apple’s intents and purposes anyway, dead in the water:

Apple has announced that they’re no longer supporting QuickTime on the Windows platform. That means there won’t be any new updates coming, which is especially bad news since two fresh QuickTime vulnerabilities have just been discovered.

Trend Micro published details of the vulnerabilities in a pair of security alerts this week, ZDI-16-241 and ZDI-16-242. They actually reported them both to Apple all the way back in November. By the end of February, Trend still hadn’t gotten much more back from Apple than a read receipt for their original report.

In March, Trend checked in again and Apple responded by inviting them to a conference call. That’s when they announced that QuickTime for Windows was being deprecated. Two weeks after the call, Trend pinged Apple one more time to say they’d be publishing the vulnerability. Apple responded by saying “go for it,” and pointing them toward this handy article that helps Windows users uninstall QuickTime.

Curiously, Apple seems to be recommending that those hardy few of us with QT Pro registration keys hold on to them, for whatever reason. Or maybe that’s just something they haven’t edited out yet.


The root to serfdom

Quite reasonably, we fear computer attacks from without. But the worst ones, sometimes, come from within:

A man appears to have deleted his entire company with one mistaken piece of code.

By accidentally telling his computer to delete everything in his servers, hosting provider Marco Marsala has seemingly removed all trace of his company and the websites that he looks after for his customers.

Mr Marsala wrote on a forum for server experts called Server Fault that he was now stuck after having accidentally run destructive code on his own computers. But far from advising them how to fix it, most experts informed him that he had just accidentally deleted the data of his company and its clients, and in so doing had probably destroyed his entire company with just one line of code.

That’s one heavy line of code. This is it:

The problem command was “rm -rf”: a basic piece of code that will delete everything it is told to. The “rm” tells the computer to remove; the r deletes everything within a given directory; and the f stands for “force”, telling the computer to ignore the usual warnings that come when deleting files.

Together, the code deleted everything on the computer, including Mr Marsala’s customers’ websites, he wrote. Mr Marsala runs a web hosting company, which looks after the servers and internet connections on which the files for websites are stored.


I once deleted 9,000 or so files, and it was pretty scary to watch them dissolve. Then again, I started in a subdirectory down low enough to ensure that the important stuff would remain untouched.

Potential amusement value: Mr Marsala ran this command from Bash, a standard *nix shell. Guess what’s being added to Windows 10.
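The guards that the bare one-liner lacks, as an added example (not from the story or from Server Fault): a recursive delete that refuses the classic accidents, an empty target (the "rm -rf $DIR/" with DIR unset case), the filesystem root, and anything that resolves outside an allowed base directory. The directory layout in `demo()` is constructed for the example.

```python
import os
import shutil
import tempfile


class RefusedDelete(Exception):
    """Raised when the target fails a safety check; nothing has been deleted."""


def safe_rmtree(target, base):
    """Recursively delete `target`, but only if it lies strictly inside `base`.

    Refuses: empty target or base, the filesystem root, `base` itself,
    anything outside `base` once symlinks and ".." are resolved, and
    symlinks (so a link pointing out of the tree is never followed).
    Returns the resolved path that was deleted.
    """
    if not target or not base:
        raise RefusedDelete("empty target or base: this is how 'rm -rf /' happens")
    # realpath resolves symlinks and "..", so escapes are judged on the real path.
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    if os.path.dirname(target_real) == target_real or os.path.dirname(base_real) == base_real:
        raise RefusedDelete("refusing to operate on the filesystem root")
    if target_real == base_real:
        raise RefusedDelete("target is the base directory itself")
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise RefusedDelete(f"{target_real} is outside {base_real}")
    if os.path.islink(target) or not os.path.isdir(target_real):
        raise RefusedDelete(f"{target} is not a real directory")
    shutil.rmtree(target_real)
    return target_real


def demo():
    """Build a throwaway tree, try the dangerous cases, and report what happened."""
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "sites")          # the only place deletes are allowed
    os.makedirs(os.path.join(base, "a", "sub"))
    os.makedirs(os.path.join(tmp, "other"))    # must survive
    os.symlink(os.path.join(tmp, "other"), os.path.join(base, "link"))
    refused = []
    for bad in ["", "/", tmp, base, os.path.join(tmp, "other"),
                os.path.join(base, "..", "other"), os.path.join(base, "link")]:
        try:
            safe_rmtree(bad, base)
        except RefusedDelete:
            refused.append(bad)
    safe_rmtree(os.path.join(base, "a"), base)  # the one legitimate delete
    result = {
        "refused": len(refused),
        "a_gone": not os.path.exists(os.path.join(base, "a")),
        "other_intact": os.path.isdir(os.path.join(tmp, "other")),
    }
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```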

Update, 18 April: The whole story is starting to unravel a bit.

Comments (3)

Deprecated squirrel

Actually, that sounds like a swell Twitter username: @DeprecatedSquirrel. It’s here because my mail service is switching away from SquirrelMail to something different:

Atmail was chosen as it is a step up from former DreamHost Webmail clients in that it’s faster, offers more features, and is in constant development.

Of the features mentioned, two might be of use: drag-and-drop attachments, and a mobile user interface.

There are a couple of downsides, and they’ll admit to them:

Requires more bandwidth to send complex HTML interface compared to SquirrelMail (approximately 100x to get from login screen to empty inbox; about 15 KB in 8 HTTP requests for SquirrelMail versus 1,500 KB in 35 HTTP requests for Atmail.)

Yeah, a hundred times as much bandwidth. Mobile users will just love that.

And there’s this:

Atmail needs more maintenance because it is less mature and more complex: it has more bugs. SquirrelMail has not required a fix since June 12, 2011.

Noteworthy: originally, “Atmail” (typically styled “atmail”) was known as “@mail.” Imagine that.

Comments (7)

The running dead

Just as I walked past the computer that runs the office phone system, a popup appeared, the same one I’ve seen several times in the last two years:

Windows XP end of life

I hit OK, but didn’t bother with “Don’t show this message again,” since someone else down the line may need it:

Even though Microsoft retired Windows XP two years ago, an estimated 181 million PCs around the world ran the crippled operating system last month, according to data from a web metrics vendor.

Windows XP exited public support on April 8, 2014, amid some panic on the part of corporations that had not yet purged their environments of the 2001 OS. Unless companies paid for custom support, their PCs running XP received no security updates after that date.

Consumers were completely cut off from patches, with no alternatives other than to switch to a newer operating system or continue running an insecure machine.

But two years after XP’s support demise, nearly 11% of all personal computers continue to run the OS, data for March from U.S.-based analytics vendor Net Applications showed.

Since the first of the year, 2.8 percent of the traffic to this Web site has been from XP boxes. Scary? Not as scary as the 0.9 percent on Vista, newer but deader. (There were still a couple of Windows 98 users as of last year, but they seem to have gone away.)

And the lack of patches might be a selling point to some:

Sometimes, she just nails it.

Comments (3)

Why Microsoft doesn’t rule the Web

People trying to save Word documents as HTML end up with garbage like this:

And that’s before you ever get to any of the actual document.

Upside: at least it isn’t Flash.

(Via @SwiftOnSecurity.)

Comments (1)


Shazam is one of those smartphone apps that is supposed to be able to recognize an unknown song and tell you what it is. Saturday night — into Sunday morning, because that’s how dumb I am — I put it to work on my tablet.

And, of course, I tested it on stuff in my own collection first. Correctly identified on the first try:

On “Kaiser Bill’s,” the title was rendered in German, but that makes a certain amount of sense.

I did manage to stump Shazam on “Mr. Turnkey,” Zager and Evans’ followup to “In the Year 2525.”

And there’s one track it consistently misidentified, the unknown backing track from this video:

I got two different answers, one “Kompression” by Albion, one “Ethno Love” in the Vaffa Superstar Mix, for which I found no link. (Shazam did play a few seconds for me for comparison purposes.)


Simulated exhilaration

Today’s virtual reality is simultaneously utterly mind-boggling and wholly unpersuasive; you can crank up the “virtual” all you like and you’ll still fall short of “reality.” For now, anyway. And maybe, just maybe, for the rest of our days:

I get that the move is to make everything virtual, so we can all go live in our Tiny Houses and be happy with having no actual stuff, because then we can … have ‘experiences’? Which seems to be the big thing the tiny house people talk about. Well, I’m nearly 50. I’m learning I’m kind of physically fragile in some ways — I can’t canoe any more, I don’t like to camp, my balance is too poor for long-distance bicycle riding. I’m not a big fan of traveling to strange places (the logistics, when you are a single woman, can be complicated, unless you do tours). I don’t have a lot of friends to play music with or “game” with or go out dancing with … my comfort in life, honestly, is coming home at the end of the day to a nice, properly climate controlled house and sit in a comfortable chair and either read a book or knit or sew. Or play my piano, which is a by-God, acoustic, made-nearly-100-years-ago wood and wire piano that still requires tuning and can be temperamental when it’s humid. (Just like I can be, in fact)

I suspect that this No Actual Stuff stance is at least slightly informed by the notion that we don’t actually make Stuff where we can see it being made anymore; it’s all fabricated in some Stuff-Generating Facility in a featureless building ten thousand miles away. And so we compensate — inadequately.

Comments (1)

Hit ’em where they drive

Nothing, I suspect, makes a bogus email more persuasive than the inclusion of something actually (sort of) true. This particular scam, by that reckoning, is utterly convincing in its presentation:

A new malware scam is posing as a speeding ticket email with a fake link that is said to load malicious code onto users’ computers. The emails, sent to at least a few local residents in Tredyffrin, Pennsylvania, purport to come from the local police department. Malware emails that masquerade as something official are not rare, but these messages are fairly unique: they are said to contain accurate speeding data, including street names, speed limits, and actual driving speeds, according to the Tredyffrin Police Department, located close to Philadelphia.

It’s suspected that the data is coming from an app with permission to track phone GPS data. That could either be a legitimate app that has been compromised, or a purpose-built malicious app that was uploaded online. As anyone who has used a GPS navigator knows, location data can be used to roughly calculate your travel speed. The emails ask for payment of the speeding ticket, but no apparatus is set up to receive such fines. Instead, a link that claims to lead to a photo of the user’s license plate instead loads malware onto the user’s device.

“Citations,” says the PD, “are never emailed or sent in the form of an email attachment.” Still, people believe that banks and such will send you email to ask you your email address — which they obviously already have.

“Tredyffrin,” incidentally, is Welsh; it only looks like a J. K. Rowling place name.


You did Nazi this coming

Yet another reason why you do not want Everything In The Fricking World connected to the Internet:

The notorious hacker and troll Andrew Auernheimer, also known as “weev,” just proved that the Internet of Things can be abused to spread hateful propaganda. On Thursday, Auernheimer used two lines of code to scan the entire internet for insecure printers and made them automatically spill out a racist and anti-semitic flyer.

Hours later, several people started reporting the incident on social media, and eventually a few local news outlets picked up on the story when colleges and universities all over the United States found that their network printers were spilling out Auernheimer’s flyer.

Auernheimer detailed this “brief experiment,” as he called it, in a blog post on Friday.

Said weev:

After a little investigation it seemed that to print to a printer with port 9100 exposed, all you have to do is netcat a postscript file to that port.

And how likely is it that port 9100 is open and listening? Very:

For network-connected print devices, the standard TCP/IP port monitor is the best choice. Standard port monitor is the successor to line printer remote (LPR), that has been widely adopted as the de facto standard in network printing for the past several years. Standard port monitor is faster, more scalable, and bidirectional. In contrast, LPR is limited in all of these areas. Although Windows NT 4 and later provided registry modifications to help extend the capabilities of LPR printing, these changes do not compare with the benefits of using standard port monitor… The RAW protocol is the default for most print devices. To send a RAW-formatted job, the print server opens a TCP stream to the printer’s network interface. For many devices this will be port 9100.

“We were only following instructions.”

@SwiftOnSecurity feigned astonishment at the ease of the hack: “I’ve always wondered how the hell you even get a printer on the _Internet_. Plugging it into a DSL modem? Who? Why?”

Anything on the wrong side of a firewall can be presumed open, be it a printer, a computer, or a refrigerator.
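The practical takeaway for anyone running a network is to find out whether any of their own printers are reachable on those ports from outside before someone else does. The following is an added example, not code from the post or from any of the sources quoted above: it audits firewall log lines for inbound TCP connections to raw-print ports (9100, the port quoted from the Microsoft documentation, plus 515 for LPR and 631 for IPP, which are assumed here) that were accepted from addresses outside RFC 1918 space. The log format, the `src=`/`dst=`/`dport=` field names and all addresses are constructed for the example; adapt the regular expression to whatever your firewall actually writes.

```python
"""Audit firewall logs for inbound connections to raw-print ports accepted from
outside the local network.  Added example, not from the post or from any of the
quoted sources; the log format and the addresses below are constructed."""
import ipaddress
import re
from collections import Counter

# Ports network printers commonly listen on.  9100 is the RAW/JetDirect port
# named in the quoted Microsoft documentation; 515 (LPR) and 631 (IPP) are
# assumed here for completeness.
PRINT_PORTS = {9100: "RAW/JetDirect", 515: "LPR", 631: "IPP"}

# Address ranges treated as "inside": RFC 1918 private space plus loopback and
# link-local.  Checked explicitly rather than via ipaddress.is_global so that the
# RFC 5737 documentation ranges used as sample "Internet" sources count as outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Generic firewall-log shape assumed for the example; adjust for your device.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)

# Constructed sample log.  203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for hosts on the Internet.
SAMPLE_LOG = """\
2016-03-24T10:12:03Z src=10.0.0.45 dst=10.0.0.23 proto=tcp dport=9100 action=ACCEPT
2016-03-24T10:12:07Z src=203.0.113.5 dst=10.0.0.23 proto=tcp dport=9100 action=ACCEPT
2016-03-24T10:12:09Z src=203.0.113.5 dst=10.0.0.24 proto=tcp dport=9100 action=ACCEPT
2016-03-24T10:12:11Z src=198.51.100.7 dst=10.0.0.23 proto=tcp dport=515 action=DROP
2016-03-24T10:12:15Z src=198.51.100.9 dst=10.0.0.30 proto=tcp dport=443 action=ACCEPT
2016-03-24T10:12:20Z src=192.168.1.8 dst=10.0.0.23 proto=tcp dport=631 action=ACCEPT
this line is not a log entry
"""


def parse_line(line):
    """Return a dict for one well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(addr):
    """True when the address is outside every range in INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_print_ports(log_text):
    """Return ACCEPTed TCP connections to print ports that came from outside.

    Each finding is (timestamp, src, dst, dport, service).  A DROP from outside
    is the firewall doing its job and is not reported; an ACCEPT from outside
    means the printer is reachable from the Internet, which is exactly the
    condition the experiment described above relied on."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "tcp" or rec["dport"] not in PRINT_PORTS:
            continue
        if rec["action"].upper() != "ACCEPT":
            continue
        if not is_external(rec["src"]):
            continue
        findings.append((rec["ts"], rec["src"], rec["dst"], rec["dport"],
                         PRINT_PORTS[rec["dport"]]))
    return findings


def exposed_printers(log_text):
    """Count external hits per internal printer address, so the devices that
    most urgently need to go behind the firewall are listed first."""
    return Counter(f[2] for f in find_exposed_print_ports(log_text))


if __name__ == "__main__":
    for ts, src, dst, port, svc in find_exposed_print_ports(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{port} ({svc}) accepted from outside")
    print(dict(exposed_printers(SAMPLE_LOG).most_common()))
```

Run against the constructed sample, the script reports the two accepted connections from 203.0.113.5 to port 9100 and ignores the dropped LPR attempt and the connection from a 192.168.0.0/16 host. The sensible response to any finding is the one @SwiftOnSecurity implies: the printer has no business being on the public side of the firewall at all, so the fix is a firewall rule or network move, not a patch to the printer.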

Comments (4)

Eliza’s bratty kid sister

This was the plan, anyway:

Microsoft has a new artificial intelligence bot named Taylor that tries to hold conversations on Twitter, Kik, and GroupMe. And she makes me feel terribly old and out of touch.

Tay, as she calls herself, is a chatbot that’s targeted at 18 to 24 year-olds in the US. Just tweet at her or message her and she responds with words and occasionally meme pictures. Sometimes she doesn’t, though. She’s meant to be able to learn a few things about you — basic details like nickname, favorite food, relationship status — and is supposed to be able to have engaging conversations. She is intended to get better at conversations the longer they go on. But honestly, I couldn’t get much sense out of her. Except for my nickname, she wasn’t interested in learning any of these other details about me, and her replies tended to be meaningless statements that ended any conversation, rather than open questions that would lead me to say more about myself.

Getting “better” is, of course, subjective with any AI, and after an appallingly short period of time, Microsoft decided to give Tay a time out:

Okay, it might have been more than just a time out:

Microsoft has been forced to dunk Tay, its millennial-mimicking chatbot, into a vat of molten steel. The company has terminated her after the bot started tweeting abuse at people and went full neo-Nazi, declaring that “Hitler was right I hate the jews.”

Still, a warmer version of carbonite is probably not the ultimate solution:

In addition to turning the bot off, Microsoft has deleted many of the offending tweets. But this isn’t an action to be taken lightly; Redmond would do well to remember that it was humans attempting to pull the plug on Skynet that proved to be the last straw, prompting the system to attack Russia in order to eliminate its enemies. We’d better hope that Tay doesn’t similarly retaliate.

John Connor was not available for comment.

Comments (3)

Making the user experience worse

If there’s a way to make things more cumbersome for its stagnating user base, Twitter will do it, every single time.

TweetDeck, we now know, will be reduced to a mere Web site in mid-April. Those of us who didn’t immediately declare allegiance to the new regime were faced with this:

TweetDeck for Windows will no longer be supported and will cease to work after April 15

Over the entire width of the screen. Can you turn it off after you have “read more”? Not a chance.

It’s like they really want us to hate them.


Still doing it wrong

The standalone TweetDeck client is being killed off:

Twitter announced today it is shutting down the TweetDeck app for windows on April 15.

Which they buried in the third paragraph of a new-features promo.

And why would they phase out arguably the most popular version of an application for which they paid £25 million five years ago? Why do you think?

Twitter’s plan is to push all users to for their advertisement revenue.

Yeah, right. They just dished up a 4.0 version; I’m betting that they tried, and failed, to wedge ads into it.

In the meantime, TweetDeck will continue to work in browsers. Maybe. They did mention Chrome.

Comments (2)