Archive

Archive for the ‘Software’ Category

Trust

12 March 2012 Leave a comment

It’s been a long time since I posted here. With blogging, you need to keep the momentum going, and I didn’t.

I’ve been involved in a new project. After leaving Luxembourg, I’ve come back home and started working for a company in Hong Kong. I was approached via a recruiter who’d found my profile on LinedIn, we talked, I spoke to two of the people in the startup, and we agreeded terms.

When I was explaining this to one of my colleagues in Luxembourg, he was perplexed. Why have you done this? How do you know they will  pay you? If they don’t, what can you do to reclaim the money?

I just laughed.  Maybe I’m a trusting fool, but everyone I’d spoken to were totally well-behaved, and I immediately developed a rapport with them. They thought I was good, I thought they were good, we’d do cool things together.

Am I old-fashioned, stupidly naive, normal? Different people would give different answers. I just didn’t worry about it until it became a problem, which it didn’t.

Categories: Real Life, Software

Google+ spotted in the wild

16 November 2011 Leave a comment

When Google plus hit in typical Google beta-fashion, some people put up an “I’ve moved” profile picture on Facebook, and left, or so their status update said.

Everyone that I saw do this is still active on Facebook. The trouble is that they have 300 contacts on Facebook, 200 on LinkedIn, and ten on Google+. (Actual values may vary, contact your friends for details.)

Forgetting the personal/social point of view, from a fan/corporate point of view, there are lots of “follow us on Twitter” or “like our Facebook page” links on websites, but none that say “Join our circle on Google+.” Until, that is, today, when my favourite motor racing team, Force India (I’m not sure I should put the sponsor’s name in front of that) *tweeted*

Join our circle on Google+ to share even more plus.google.com/i/1x6CO0EiYkI:…

This is the first time I’ve seen this in the wild. And the irony that they used another social media to inform us of their circle is not lost on me. I’m pretty sure that there will be no extra content for me, only extra work for the admins that run the team’s social media, as they now need to tweet, post on Facebook, possibly update blogs or websites, and now update Google+ as well. I’m not sure that Google+ is worth that effort at the moment.

The thing is, that I get overloaded with info. To me, there is no point in liking your Facebook page, if I get all your updates via RSS. And if I get your data from Facebook, I don’t need to see it in Google+.

One thing that really annoys me about messages from Google+ are that they don’t give a useful subject. Instead of saying “Alistair McDonald shared a post entitled ‘The red mist descends'” they just say “Alistair McDonald shared a post with you.” I’m NOT going to click that link, ‘cos I’m pretty sure if it was important, I’ll find out eventually. But, if the subject piqued my interest, then I might click. But clicking into a black hole – no way.

Another way I’m really going off Google is that now so many services require a unified email address/ID. I’ve stopped putting any information into YouTube (Favourites, subscribing to channels, etc.) because they want a Google ID. I already have one – well actually three – but I don’t want to join my email to my videos to my news page, maps page, or news alerts. (I know that Google can, and probably do, track my usage of these sites via cookies or embedded scripts, the point here is not privacy, but convenience for me. For example, I set my home location on maps.google.co.uk to be a zoomed in shot of my home. But since I needed to “unify” my Google accounts, now when I visit maps.google.fr or maps.google.lu, my home page is *still* in the UK. If you are viewing a UK map, then your searches default to the UK – so you get Birmingham, West Midlands, not Birmingham, Alabama. That’s a good feature. BUT, if I’m visiting the French map site, why on earth would I want to start from the UK, where all my searches are crazily misinterpreted. So, to work around this, I end up first searching for Paris, or Luxembourg, so that Google maps displays the correct country so that my searches will work. [Google pay for bandwidth and processing power, I don’t, so I lose time and they lose money. ] )

Getting back to the subject of Google+, as I said before, they need to get some client apps out there – there are dozens of Twitter clients – and that means that they need to stop trying to be so controlling over data and APIs. Part of the problem is that they are playing catch-up, and many competing services (this is business, it makes money, and so there is a real competitiveness to it) are much more free with, and, remember, Google see the usage data it collects as the most important thing that they have.

Why not take part in a little experiment: inspect the cookies that the browser(s) you use have collected. Maybe even try to delete them and see (a) how many similar ones reappear without you visiting the sites mentioned, and (b) see just how many services you can use after a single login.

Hacked email

26 October 2011 Leave a comment

I get emails from people who have had their online email accounts hacked, and spam email is issued. Normally, I just send them an email and hear nothing of it. But today I got a message (via another mechanism) that they were going to trash their email account.

The rest of this post is my message back to them. On reflection, I should have considered that their password was leaked internally from their email provider (one of the “big few” – i.e. google, hotmail or yahoo). And that this could happen from a rogue employee ($0.10 per email, here’s a text file) or from hackers getting illegitimate access.

But here goes:

I don’t think you need to discard the email account, but there are a couple of things to consider

How did you get hacked? Was it malware on your PC (you can pick up malware infections just from things like Adobe Flash-based adverts if there’s a security problem in the flash plugin, for example) or was it someone picking up a session cookie if you were using unencrypted WiFi (coffee shop/hotel) (read this post on cookie hijacking to see how it works). Or did you use someone else’s computer (colleague, internet cafe?) These are the three main categories (I’m discounting you turning into a spammer.)

No matter how it happened, visit https://browsercheck.qualys.com/ on a weekly basis – or more frequently – to check your browser(s) and plugins are up to date – you need to do this for each browser that you use, on each computer that you use.

So, how do you tell which one happened to you? I’d get some anti-virus and scan your PCs and see if they detect anything. If you’re technical enough, then the SysInternals “autoruns” tool tells you *everything* that starts when you start your PC and log in. You can google the various process names shown in Task Manager and ensure they are benign too.

So, if you have malware, the only totally secure thing to do is to wipe and reinstall your OS and applications – although you might want to trust antivirus to detect and repair, it’s not guaranteed. And if you can, try more than one anti-virus product (free versions available for several) but you might have to install one, scan your PC, uninstall it and then install another – they might not co-exist nicely.

If you’re PC is clean, but you use public Wifi, chances are that you have been victim of a cookie hijack. The solution is to either always use HTTPS (which is encrypted so no-one can “sniff” your cookie.) (Most sites now offer it, and I expect your email provider is one of them; google is now offering HTTPS for searches, let alone email/calendar/etc.), OR, if you have one available, *always* use a VPN (Virtual private network), which encrypts everything (including normal unencrypted http traffic, although your VPN provider can “sniff” stuff). Maybe your employer has a VPN, otherwise you can buy the service, I believe. And, best of all, if it was a cookie hijack, you can just log on and change your password, the hijacked cookie will be invalid afterwards. Maybe ask where you were accessing the net in the days immediately before the spam started – can you correlate a location with the date/time.

And if you think you’re the victim of a keylogger, it should appear as malware. Let me tell you that one thing I do when I’m using someone else’s computer is to *not* enter my password in one go. I use the *mouse* to move the cursor between keypresses, and build up my password. So if my password was 12345678, I might start by entering “56” then click (don’t use the keyboard, keystrokes might be logged, including the cursor keys) at the beginning and add “23”, then at click the end and add 8, then between the 3rd and 4th character and add the 4. It takes a bit of mental juggling, and I rarely use a PC I don’t trust.

So, depending on how you were hacked, is anything else at stake? If it’s malware, chances are that a keylogger has been installed, and so every keypress might have been recorded and then might have been transmitted. If you use the same password for many things, e.g. online email, work email, online banking, then you are at greater risk than if you use a different one for each service – even if the usernames are different, your identity might be linked to an account via publically available search info.I use a three-tier system – one password for sites I really don’t care if someone impersonates me on, a second for a few other things (access to my server, and email, and so on), and a third tier, where I use a different password for each system – things like online banking, the UK Government Gateway, etc.

So, the bottom line is that
1: Stopping using the account might not be enough
2: Stopping using the account might not be neccesary

And that’s what I sent. Did I miss anything apart from the password-leak-from-provider?

Update: I added
3: change all your important passwords anyway. Consider a 2/3-tier system.

Categories: online, privacy, Real Life, Software

Maths, Comp. Sci, and Music

29 August 2011 1 comment

Ah, how I hate when reading and television screw up my perception! I remember reading (or seeing) something about maths and music being linked together. The current peak of this is Douglas Hofstadter’s book “Godel, Escher and Bach,” which (deep down) relates cognition and creativity emerge from the mind. He puts it better than I can, but there a number of common (i.e. I read about them elsewhere but forgot the details) thoughts.

Although I am paid to be a software developer, I am also a musician, and, I’m pretty sure that if I’d chosen that career path and been given the perfect breaks I could have suceeded as a guitarist. Further research suggests that lots of computer scientists are also keen fans of music. Many key figures are musicians – <A HREF=”http://en.wikipedia.org/wiki/Richard_Stallman”>Richard Stallman<a> notably travels with a recorder.

I think an unusual proportion of computer programmers/scientists/experts have an unusual interest in music. But I can’t find a survey to confirm it. Any emirical results out there?

Categories: Real Life, Software

And the (l)user is . . .

29 June 2011 Leave a comment

The recent web site attacks by popular hacker group <a href="http://twitter.com/#!/lulzsec"lulzsec have shown two main things:

Firstly, it’s a jungle out there. The CIA, banks, governments, are all targets for an organised bunch of techies. Basically, whoever you bank with, if you are just covered by a password or two (PIN + password) then you are dangerously vulnerable. Vulnerable to brute-force hacking, vulnerable to phishing, or vulnerable to malware, which might track every key you type.

Secondly, security on the WWW sucks, in general. If banks, government agencies, and so on, can’t get it right, can you trust a friendly site like facebook to store your details properly? If you use the same password for your gmail account and for your your facebook account, if a leak in facebook allows hackers to learn your password, then your gmail account is vulnerable. And, if you use that password for online banking (or paypal, or anything that *knows* your payment card details) then you are looking at a security hole.

Lulzsec have shown that it is so easy to penetrate any web site that they choose, that it’s almost pointlesss to attempt to prepare against malicious attack. I disagree, and think that there are many things that we can do to mitigate any vulnerability.

Once, I had a credit card for less than 24 hours before it was withdrawn by the issuer – a shame, as it had five or six zeroes in a row, which I think is cool. Turns out, a major CD retailer in the UK had been compreomised and in that window I’d used my new card, which was not only useful to scrape the ice off my windscreen.

So, how to mitigate? Firstly, lie. Unless it’s a bank, if it asks your birthday, give your fathers, brothers, favourite pop-star, whatever – but change the year to suit your demographic. If it wants your mother’s maiden name, give it your first pet’s name, as another example.

Be consistent, so you can do this with many web sites – but do not do this with *important* accounts, like online banking. They should all have unique passwords. #separate accounts into groups – change-your-life important ones, major inconvenience ones, and low convenience ones. Use a different password policy for each one . . .

As the online world evolves, it’s important that us early adopters are aware of the current problems. We all need to wear a black-hat at times, because we cannot trust the banks and merchants to do this for us. We should all insist on personal key-generation devices (my Luxembourg bank gave me one by default), for example. These, when powered on, give a passcode to be used to authenticae you to the web site.

We should all use an up-to-date browser and plugins, we should regularly test the systems that we trust our personal details with, and we should have the skill to work out where the intrusion in the train is, when things go wrong. These days, I reckon that less than 1% of visitors to this blog, and less than 0.01% of online personas would know how to do these things.

Categories: Analogies, Real Life, Software

Length of working day

30 April 2011 Leave a comment

Someone I know recently posted on facebook that they only worked 10.5 hours in one day, and wanted to know if he should feel guilty. I’d say definitely, yes. But not for putting in only 10.5 hours, but for doing more than his contracted hours (in the US, I guess this is 8 hours, after subtracting breaks). He should feel guilty that he’s not spending those extra hours with his family. He should feel guilty that he’s creating an expectation in the workplace that everyone should work extra, unpaid hours.

I guess that there are two reasons to work extra hours. One is that there’s a corporate culture of this. I see this in the USA, and in India as well. I see it a little in the UK, too. When I worked for a bank in the city, I was at my desk for ten hours a day, and my manager mentioned that he just wanted to see me be there a little longer. I pointed out the 3.5 hours commute I had in addition to working, and the fact that I had a 15-minute window to see my kids at night, *if* the trains were on time, but he really didn’t understand: he was young, single, and striving for promotion.

I recently read Managing Humans: Biting and Humorous Tales of a Software Engineering Manager and one thing I noticed was the number of times that working the weekend was expected. Sure, the companies appeared to be mainly startups, and maybe everyone had equity share, but it seemed that these people were expected to work extra *days* as a matter of course. This seems so wrong to me – weekends should be sacred and for the family, not working.

In some cases, it’s just being in the office, not how much work you get done. This is called “presenteeism.” For many, many years, I’ve noticed that I am edgy when involved in seemingly non-work related discussions, either at desks or at the water cooler. I’ve felt guilty that I’m not working. Now I’m doing more reading into management, and trying to develop my people skills (mildly aspergic), I don’t feel so bad about these conversations, at least I didn’t last month! But I suspect that in some places, the amount of time spent working is well below the amount of time *in*the*office*.

The second reason for working extra hours is that there is a crisis. A support issue that needs fixed to prevent the company going under. A last-minute show-stopper bug preventing a release going out. In my opinion, these are ligitimate reasons to work late. But it’s not, in my opinion, productive to work long hours for a long period. A week of extra half-days, even if fuelled with free pizza, is going to dull almost everyone, and productivity will drop so much so that everyone would be better off just working a normal day.

I’m working in Europe from next week, and one of the reasons I am going there is because there are strict labour laws where, in some cases, your manager can be fined if he lets you work more than 40 hours a week. This sounds like bliss!

That’s *my* association

23 April 2011 Leave a comment

I get really cheesed off with some software, always hijacking my file extension associations.

For the uninitiated, these link a file (normally the bit after the dot in a filename, ext in ThisIsAFile.ext) to an application. To do this, Windows (and other GUIs) keep a list: If the file is a .doc, open it with Word. If the file is a .xls, open it with Excel, if it’s a .frood, offer these choices . . . .

It’s easy for those files in my example, but there is a real, and constant battle for the audio and video world. Each time I upgrade an otherwise nice and wholesome piece of software, a video player called VLC media player, it insists on attempting to take over all my audio file extensions – like .mp3, aac, and even the playlist files .m3u, which it hides under a different menu to “audio files”. 1: it’s a video player – it’s in the bloody name and 2: every time it asks, and defaults to taking over the associations. Why can it not remember my choices from the last install? This is particularly important as the fantastic browser check from Qualys always points out when it’s out-of-date.

I need to point out that if every piece of software did this, and you didn’t respond appropriately, you’d probably not see the same application open a file twice. Yor browser would run around like an eager puppy, saying “I can deal wih that jpg; I can deal with that .bmp; I can deal with that .pr0n as well!” Thankfully, not all software is as self-centered as VLC, so the average user gets some consistency.

The popular browser, Firefox, was just as bad, I use the Heroes browser, Opera, but I also have IE and Firefox installed. I don’t use Chrome because Google are powerful enough already – actually I’d say they are too powerful, but I’ve got my 18th job interview with them lined up so I’m hoping to get in while ‘evil’ is still relatively cheap – I want a small throne, at least. But some sites do not work with Opera (despite it being the first browser to pass the ACID-3 test (stop yawning at the back!), so I need an alternative. I’d rather eat my own kidneys devilled with Tabasco sauce and onions than use IE, so I use Firefox. And Firefox was very naughty indeed, and when I upgraded it, it did not even *ask* if it could be my default browser, it just did it. As presumptuous as an Australian internet activist during a night of passion (allegedly).

So, I can understand that many, many people can get confused when they used to click on a file, and it would open in a particular app. Then, the install some more software (maybe more than one, people are fools like that) and next time they try the same action, they get an unfamiliar app thrown in their face, beause the new software has hijacked the file association.

As PC manufacturers are loading stacks of crappy software on new PCs for $$$, there is now another confusion – on my Dell Vista PC, every user (me, the wife, the kids) was hounded to buy some expensive software whenever we clicked on a particular file type – in this case, any image file at all. To put this in context, new user, new PC, plug in the new digital camera, click on the files, and the PC asks for money to install a full version of the software – that’s just wrong!

In my opinion, this is moving PCs away from being easy to use. I had this rosy idea that one day, PCs would be easy to use. They’d coaxs inexperienced users through configuration, and degrade gracefully when things went wrong. However, I think that in the immediate future (next ten years) PCs are going to be clogged down by more and more software that says it has the user’s best wishes at heart, but in reality it will recommend paid for options – and won’t even mention the free options that may be as good, or even better than, the commercial options.